Message-ID: <20031119010824.ZOWR320036.fep02-mail.bloor.is.net.cable.rogers.com@BillDell>
From: full-disclosure at royds.net (full-disclosure@...ds.net)
Subject: Sidewinder G2
Two things.
The Sidewinder firewall was written before qmail, Postfix or other secure
MTAs existed, so it used sendmail as the only existing open source MTA at
the time. It would be difficult for most of the customers of Sidewinder to
convert to another MTA after depending on sendmail for a long time. This is
the main reason it runs sendmail rather than Qmail or Postfix.
The Sidewinder OS is one of the most secure there is and achieves good
partitioning of processes from each other. It is designed so that one process
being hacked (sendmail for instance) will not cause a breach of security for
the system. Proxies like sendmail do not run as root (since it does not
deliver mail to any account on the Sidewinder itself) so anyone hacking them
gains no further access. This is why it is safer to run it on the Sidewinder
rather than a less secure OS like Linux or Solaris.
-----Original Message-----
From: full-disclosure-admin@...ts.netsys.com
[mailto:full-disclosure-admin@...ts.netsys.com] On Behalf Of Daniel Sichel
Sent: November 17, 2003 2:55 PM
To: full-disclosure@...ts.netsys.com
Subject: [Full-Disclosure] Sidewinder G2
Thanks for the input I have received on safe configurations for the
Sidewinder G2. After reading all the responses which pretty universally
confirmed my instinct that it would be less than clever to have sendmail
running on a firewall, I began to doubt that I had heard the tech guy
who recommended it correctly. So I checked the manual which recommends
as most secure the following...
"Host the DNS and sendmail servers directly on your firewall. The
operating system should be better protected against a wide-range
of exploits."
PlanningGD.PDF
from Secure Computing.
This represents a very different approach than what was suggested here.
Any ideas why? Who is right? BTW, I hope I haven't broken any
intellectual property (the other ugly "IP" in our little world) laws by
reproducing the quote from the manual. If so I apologize and plead
ignorance. It is reproduced here ONLY for educational purposes.
Dan Sichel, Network Engineer
Ponderosa Telephone Company
(559) 868-6367
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html