Message-ID: <200311182051.hAIKpEIi050278@mailserver2.hushmail.com>
From: michaelmas at hush.ai (Michaelmas)
Subject: Re: Sidewinder G2

Shawn McMahon wrote:
>Daniel Sichel wrote:
>> "Host the DNS and sendmail servers directly on your firewall. The
>> operating system should be better protected against a wide-range of
>> exploits."
>
>Implementing two of the most common targets of exploit sort of
>eliminates the usefulness of that "better" protection.

Any application proxy firewall is going to face some of these issues.

I do agree 100% that I personally would be more comfortable with an
application proxy firewall product like Sidewinder if they implemented
DNS and SMTP using secure-by-design services rather than using
"hardened" BIND and "hardened" Sendmail on a "secure" BSDI-based OS.

> Return their product and get your money back.

Secure Computing claims that their "SecureOS" with type-enforcement and
other service protection is not vulnerable to the exploits against BIND
and Sendmail, and as such, it is more secure than punching holes in your
firewall and passing the traffic to internal hosts running vulnerable
versions of BIND and Sendmail.

I'm not suggesting that SCC is correct in their defense against this
claim, but they do have a point.

Personally, I would prefer to run a caching DNS service (DJB dnscache,
chrooted) on OpenBSD as an edge firewall, both to offer some protection
to internal DNS clients, and also to enhance proxy performance on the
firewall itself (by caching DNS results locally).

Unfortunately, there are no commercial products implementing this combination,
and when you're working with major corporations, a home-brew design
built on "Open Source" components is a tough sell.