[Full-Disclosure] Sidewinder G2

full-disclosure at royds.net full-disclosure at royds.net
Wed Nov 19 01:09:00 GMT 2003


Two things.
  The Sidewinder firewall was written before qmail, Postfix or other secure
MTAs existed so it used sendmail as the only existing open source MTA at
the time. It would be difficult for most of the customers of Sidewinder to
convert to another MTA after depending on sendmail for a long time. This is
the main reason it runs sendmail rather than Qmail or Postfix.
   The Sidewinder OS is one of the most secure there is and achieves good
partitioning of processes from each other. It is designed so that one process
being hacked (sendmail for instance) will not cause a breach of security for
the system. Proxies like sendmail do not run as root (since it does not
deliver mail to any account on the Sidewinder itself) so anyone hacking them
gains no further access. This is why it is safer to run it on the Sidewinder
rather than a less secure OS like Linux or Solaris.

-----Original Message-----
From: full-disclosure-admin at lists.netsys.com
[mailto:full-disclosure-admin at lists.netsys.com] On Behalf Of Daniel Sichel
Sent: November 17, 2003 2:55 PM
To: full-disclosure at lists.netsys.com
Subject: [Full-Disclosure] Sidewinder G2

Thanks for the input I have received on safe configurations for the
Sidewinder G2. After reading all the responses which pretty universally
confirmed my instinct that it would be less than clever to have sendmail
running on a firewall, I began to doubt that I had heard the tech guy
who recommended it correctly. So I checked the manual which recommends
as most secure the following...
			"Host the DNS and sendmail servers directly on your firewall. The
			operating system should be better protected against a wide-range
			of exploits."
				PlanningGD.PDF
				from Secure Computing.

This represents a very different approach than what was suggested here.
Any ideas why? Who is right? BTW, I hope I haven't broken any
intellectual property (the other ugly "IP" in our little world) laws by
reproducing the quote from the manual. If so I apologize and plead
ignorance. It is reproduced here ONLY for educational purposes.


Dan Sichel, Network Engineer
Ponderosa Telephone Company
(559) 868-6367
