Message-ID: <190DFDD2F99A65469B4B15D3658C0D2B36B654@ptc6.ponderosatel.com>
From: daniels at ponderosatel.com (Daniel Sichel)
Subject: Sidewinder G2 Thanks and a question or two

Thanks to all for the good responses which are, to say the least, mildly disturbing. I WAS looking forward to some good night's sleep, but you folks put paid to that!

<snip>
>They may find a way AROUND it, or
>socially engineer their way in, sure. Just not THROUGH it.
<snip>

Hmmm. Always a disturbing possibility. But in the famous last words of many FORMER network engineers, I don't think my users are that gullible.

<snip>
>Basically, version 4.1 failed to actually do HTTP syntax checking, making
>the HTTP proxy a generic proxy in function. So all the HTTP protocol
>violation style attacks weren't blocked at all. Proved it using tools off
>packetstorm. Told SCC about it and proved it to them as well. Then they
>verified the problem and issued a patch some months later.
>
>Make sure those protection features are actually doing what they claim
>folks.
>
>http://www.networkcomputing.com/1106/1106f16.html?ls=NCJS_1106rt
>
>mike

This was VERY disturbing. Kind of makes Secure's claim look pretty stupid. Tried it on any other boxes? Apparently Secure Computing expected the web proxy to be in full use. Fortunately, we are a small enough operation to do exactly that.

<snip>
>Secure Computing claims that their "SecureOS" with type-enforcement and
>other service protection is not vulnerable to the exploits against BIND
>and Sendmail, and as such, it is more secure than punching holes in your
>firewall and passing the traffic to internal hosts running vulnerable
>versions of BIND and Sendmail.
>
>I'm not suggesting that SCC is correct in their defense against this
>claim, but they do have a point.
<snip>

I think this is a reasonable claim and your response resonates with me; why not use dnscache or tinydns and qmail?

The best they could tell me was the problem was in the way they virtualized the hardware drivers. It makes their OS incompatible with lots of BSD/Linux stuff. I am enough of a techie nerd to know that that makes no sense when you ARE able to run sendmail and BIND. I guess they just don't see this as a big issue because BIND and sendmail run in jails, so whatever process controller they use just restarts them if a hack kills the process. They seem very confident about the integrity of their jails and told me I had nothing to worry about even if a hacker broke into a root shell in one of them. I am not convinced that this would be, to quote the late great Douglas Adams, "mostly harmless".

As part of this project we are looking at TACACS+ or RADIUS in conjunction with Safeword Premier Access for authentication, along with some type of centralized logging host running on our internal network under Winblows 2000. Any ideas? Should I put the logging host into its own subnet, on its own interface, and only allow NTP and logging traffic in? Can I do that and block ALL traffic out? My understanding is that syslog traffic runs native as UDP. I am thinking of VPNs from my external router, my firewall, and even potentially my Stratus 1 Clock (I have one onsite because we are a telco. Sometimes life is good).

Any ideas?

Thanks

Dan Sichel, Network Engineer
Ponderosa Telephone Company
(559) 868-6367
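The quoted report above makes the point that a proxy advertised as protocol-aware may in practice forward anything, so the claim has to be checked rather than trusted. The following is an added example, not code from the original post, from Secure Computing, or from the Sidewinder product: a minimal strict HTTP/1.x request-head validator of the kind an application-layer proxy is expected to apply before forwarding, together with a set of constructed malformed requests that such a check must reject. The size limits (MAX_LINE, MAX_HEADERS) and the test cases are assumptions chosen for illustration.

```python
import re

# Constructed limits; a real proxy would make these configurable.
MAX_LINE = 4096
MAX_HEADERS = 64

TOKEN = re.compile(rb"[!#$%&'*+\-.^_`|~0-9A-Za-z]+")   # HTTP token characters
VERSION = re.compile(rb"HTTP/1\.[01]")                 # only HTTP/1.0 and 1.1 accepted
# Header field values: printable ASCII plus SP and HTAB; no CR, LF, NUL or other controls.
FIELD_VALUE = re.compile(rb"[\t\x20-\x7e]*")


def validate_request(raw: bytes):
    """Return (ok, reason). ok is True only when raw is a syntactically
    well-formed HTTP/1.x request head. This checks syntax only, which is
    the minimum a protocol-aware proxy should enforce before forwarding."""
    head, sep, _body = raw.partition(b"\r\n\r\n")
    if not sep:
        return False, "no CRLFCRLF terminator"
    stripped = head.replace(b"\r\n", b"")
    if b"\n" in stripped or b"\r" in stripped:
        return False, "bare CR or LF line terminator"
    lines = head.split(b"\r\n")
    request_line = lines[0]
    if len(request_line) > MAX_LINE:
        return False, "request line too long"
    parts = request_line.split(b" ")
    if len(parts) != 3:
        return False, "request line must be METHOD SP target SP version"
    method, target, version = parts
    if not TOKEN.fullmatch(method):
        return False, "method is not a token"
    if not target or any(c < 0x21 or c > 0x7e for c in target):
        return False, "request target contains whitespace or control bytes"
    if not VERSION.fullmatch(version):
        return False, "unsupported or malformed HTTP version"
    headers = lines[1:]
    if len(headers) > MAX_HEADERS:
        return False, "too many header fields"
    content_length_count = 0
    host_seen = False
    for line in headers:
        if len(line) > MAX_LINE:
            return False, "header line too long"
        if line[:1] in (b" ", b"\t"):
            return False, "obsolete line folding"
        name, colon, value = line.partition(b":")
        if not colon or not TOKEN.fullmatch(name):
            return False, "malformed header field name"
        if not FIELD_VALUE.fullmatch(value):
            return False, "control bytes in header field value"
        lname = name.lower()
        if lname == b"host":
            host_seen = True
        if lname == b"content-length":
            content_length_count += 1
            if not value.strip().isdigit():
                return False, "non-numeric Content-Length"
    if content_length_count > 1:
        return False, "duplicate Content-Length"
    if version == b"HTTP/1.1" and not host_seen:
        return False, "HTTP/1.1 request without Host"
    return True, "ok"


# Constructed test cases: two well-formed requests and a set of protocol
# violations that a syntax-checking proxy must refuse to forward.
CASES = {
    "well-formed": b"GET /index.html HTTP/1.1\r\nHost: www.example.com\r\n\r\n",
    "well-formed POST/1.0": b"POST /x HTTP/1.0\r\nContent-Length: 2\r\n\r\nhi",
    "http/0.9 style": b"GET /\r\n\r\n",
    "bare LF": b"GET / HTTP/1.1\nHost: a\n\n",
    "NUL in header": b"GET / HTTP/1.1\r\nHost: a\x00b\r\n\r\n",
    "no Host (1.1)": b"GET / HTTP/1.1\r\n\r\n",
    "non-token method": b"G ET / HTTP/1.1\r\nHost: a\r\n\r\n",
    "dup Content-Length": b"POST / HTTP/1.1\r\nHost: a\r\nContent-Length: 5\r\n"
                          b"Content-Length: 6\r\n\r\nhello",
    "oversized request line": b"GET /" + b"A" * 5000 + b" HTTP/1.1\r\nHost: a\r\n\r\n",
}


def run_checks(cases=CASES):
    """Run every case through the validator; returns {case name: accepted}."""
    return {name: validate_request(raw)[0] for name, raw in cases.items()}


if __name__ == "__main__":
    for name, raw in CASES.items():
        ok, reason = validate_request(raw)
        print(f"{'ACCEPT' if ok else 'REJECT':6}  {name:24} {reason}")
```

A generic TCP relay passes every one of the malformed cases through untouched; a proxy that really parses HTTP returns the same accept/reject split this validator does. Feeding a corpus like CASES at a product's proxy and comparing what arrives at the back end is the practical way to confirm the protection claim the quoted poster was questioning.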