lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
From: michaelmas at hush.ai (Michaelmas)
Subject: Re: Sidewinder G2

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Shawn McMahon wrote:
>Daniel Sichel wrote:
>> "Host the DNS and sendmail servers directly on your firewall. The

>> operating system should be better protected against a wide-range of

>> exploits."
>
>Implementing two of the most common targets of exploit sort of
>eliminates the usefulness of that "better" protection.

Any application proxy firewall is going to face some of these issues.
I do agree 100% that I personally would be more comfortable with a application
proxy firewall product like Sidewinder if they implemented DNS and SMTP
using secure-by-design services rather than using "hardened" BIND and
"hardened" Sendmail on a "secure" BSDI-based OS.


> Return their product and get your money back.

Secure Computing claims that their "SecureOS" with type-enforcement and
other service protection is not vulnerable to the exploits against BIND
and Sendmail, and as such, it is more secure than punching holes in your
firewall and passing the traffic to internal hosts running vulnerable
versions of BIND and Sendmail.

I'm not suggesting that SCC is correct in their defense against this
claim, but they do have a point.


Personally, I would prefer to run a caching DNS service (DJB dnscache,
 chrooted) on OpenBSD as an edge firewall, both to offer some protection
to internal DNS clients, and also to enhance proxy performance on the
firewall itself (by caching DNS results locally).

Unfortunately, there are no commercial products implementing this combination,
 and when you're working with major corporations, a home-brew design
built on "Open Source" components is a tough sell.

-----BEGIN PGP SIGNATURE-----
Note: This signature can be verified at https://www.hushtools.com/verify
Version: Hush 2.3

wkYEARECAAYFAj+6hjkACgkQKo6Jkwn+K0hOegCfT4uFSGvIBLla4mF4+q8hlzxK0msA
n0DOhRJXFagc2ZxZ1m9h5TU1srXS
=X8F9
-----END PGP SIGNATURE-----




Concerned about your privacy? Follow this link to get
FREE encrypted email: https://www.hushmail.com/?l=2

Free, ultra-private instant messaging with Hush Messenger
https://www.hushmail.com/services.php?subloc=messenger&l=434

Promote security and make money with the Hushmail Affiliate Program: 
https://www.hushmail.com/about.php?subloc=affiliate&l=427


Powered by blists - more mailing lists