| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
From: michaelmas at hush.ai (Michaelmas) Subject: Re: Sidewinder G2 -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Shawn McMahon wrote: >Daniel Sichel wrote: >> "Host the DNS and sendmail servers directly on your firewall. The >> operating system should be better protected against a wide-range of >> exploits." > >Implementing two of the most common targets of exploit sort of >eliminates the usefulness of that "better" protection. Any application proxy firewall is going to face some of these issues. I do agree 100% that I personally would be more comfortable with a application proxy firewall product like Sidewinder if they implemented DNS and SMTP using secure-by-design services rather than using "hardened" BIND and "hardened" Sendmail on a "secure" BSDI-based OS. > Return their product and get your money back. Secure Computing claims that their "SecureOS" with type-enforcement and other service protection is not vulnerable to the exploits against BIND and Sendmail, and as such, it is more secure than punching holes in your firewall and passing the traffic to internal hosts running vulnerable versions of BIND and Sendmail. I'm not suggesting that SCC is correct in their defense against this claim, but they do have a point. Personally, I would prefer to run a caching DNS service (DJB dnscache, chrooted) on OpenBSD as an edge firewall, both to offer some protection to internal DNS clients, and also to enhance proxy performance on the firewall itself (by caching DNS results locally). Unfortunately, there are no commercial products implementing this combination, and when you're working with major corporations, a home-brew design built on "Open Source" components is a tough sell. -----BEGIN PGP SIGNATURE----- Note: This signature can be verified at https://www.hushtools.com/verify Version: Hush 2.3 wkYEARECAAYFAj+6hjkACgkQKo6Jkwn+K0hOegCfT4uFSGvIBLla4mF4+q8hlzxK0msA n0DOhRJXFagc2ZxZ1m9h5TU1srXS =X8F9 -----END PGP SIGNATURE----- Concerned about your privacy? Follow this link to get FREE encrypted email: https://www.hushmail.com/?l=2 Free, ultra-private instant messaging with Hush Messenger https://www.hushmail.com/services.php?subloc=messenger&l=434 Promote security and make money with the Hushmail Affiliate Program: https://www.hushmail.com/about.php?subloc=affiliate&l=427
Powered by blists - more mailing lists