Full Disclosure mailing list archives
RE: Sidewinder G2
From: <full-disclosure () royds net>
Date: Tue, 18 Nov 2003 20:09:00 -0500
Two things. The Sidewinder firewall was written before qmail, Postfix or other secure MTAs existed, so it used sendmail as the only existing open source MTA at the time. It would be difficult for most of the customers of Sidewinder to convert to another MTA after depending on sendmail for a long time. This is the main reason it runs sendmail rather than Qmail or Postfix.

The Sidewinder OS is one of the most secure there is and achieves good partitioning of processes from each other. It is designed so that one process being hacked (sendmail for instance) will not cause a breach of security for the system. Proxies like sendmail do not run as root (since it does not deliver mail to any account on the Sidewinder itself) so anyone hacking them gains no further access. This is why it is safer to run it on the Sidewinder rather than a less secure OS like Linux or Solaris.

-----Original Message-----
From: full-disclosure-admin () lists netsys com [mailto:full-disclosure-admin () lists netsys com] On Behalf Of Daniel Sichel
Sent: November 17, 2003 2:55 PM
To: full-disclosure () lists netsys com
Subject: [Full-disclosure] Sidewinder G2

Thanks for the input I have received on safe configurations for the Sidewinder G2. After reading all the responses which pretty universally confirmed my instinct that it would be less than clever to have sendmail running on a firewall, I began to doubt that I had heard the tech guy who recommended it correctly. So I checked the manual which recommends as most secure the following...

"Host the DNS and sendmail servers directly on your firewall. The operating system should be better protected against a wide-range of exploits." PlanningGD.PDF from Secure Computing.

This represents a very different approach than what was suggested here. Any ideas why? Who is right?

BTW, I hope I haven't broken any intellectual property (the other ugly "IP" in our little world) laws by reproducing the quote from the manual. If so I apologize and plead ignorance. It is reproduced here ONLY for educational purposes.

Dan Sichel, Network Engineer
Ponderosa Telephone Company
(559) 868-6367

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
