From: full-disclosure at royds.net (full-disclosure@...ds.net)
Subject: Sidewinder G2

Two things.
  The Sidewinder firewall was written before qmail, Postfix or other secure
MTAs existed so it used sendmail as the only existing open source MTA at
the time. It would be difficult for most of the customers of Sidewinder to
convert to another MTA after depending on sendmail for a long time. This is
the main reason it runs sendmail rather than Qmail or Postfix.
   The Sidewinder OS is one of the most secure there is and achieves good
partitioning of processes from each other. It is designed so that one process
being hacked (sendmail for instance) will not cause a breach of security for
the system. Proxies like sendmail do not run as root (since it does not
deliver mail to any account on the Sidewinder itself) so anyone hacking them
gains no further access. This is why it is safer to run it on the Sidewinder
rather than a less secure OS like Linux or Solaris.

-----Original Message-----
From: full-disclosure-admin@...ts.netsys.com
[mailto:full-disclosure-admin@...ts.netsys.com] On Behalf Of Daniel Sichel
Sent: November 17, 2003 2:55 PM
To: full-disclosure@...ts.netsys.com
Subject: [Full-Disclosure] Sidewinder G2

Thanks for the input I have received on safe configurations for the
Sidewinder G2. After reading all the responses which pretty universally
confirmed my instinct that it would be less than clever to have sendmail
running on a firewall, I began to doubt that I had heard the tech guy
who recommended it correctly. So I checked the manual which recommends
as most secure the following...

	"Host the DNS and sendmail servers directly on your firewall. The
	operating system should be better protected against a wide-range
	of exploits."
		PlanningGD.PDF
		from Secure Computing.

This represents a very different approach than what was suggested here.
Any ideas why? Who is right? BTW, I hope I haven't broken any
intellectual property (the other ugly "IP" in our little world) laws by
reproducing the quote from the manual. If so I apologize and plead
ignorance. It is reproduced here ONLY for educational purposes.


Dan Sichel, Network Engineer
Ponderosa Telephone Company
(559) 868-6367
