[Full-Disclosure] Sidewinder G2 Thanks and a question or two

From: Daniel Sichel (daniels_at_ponderosatel.com)
Date: 11/19/03

  • Next message: hays_at_ibiblio.org: "Re: [Full-Disclosure] Vulnerability in Terminal.app" 
    To: <full-disclosure@lists.netsys.com>
Date: Wed, 19 Nov 2003 09:09:27 -0800

    Thanks to all for the good responses which are, to say the least mildly
    disturbing. I WAS looking forward to some good night's sleep, but you
    folks put paid to that!
    <snip>
    >They may find a way AROUND it, or
    >socially engineer their way in, sure. Just not THROUGH it.
    <snip>
    Hmmm. Always a disurbing possibility. But in the famous last words of
    many FORMER network engineers, I don't think my users are that gullible.

    <snip>
    >Basically, version 4.1 failed to do actually do HTTP syntax checking
    making
    >the HTTP proxy a generic proxy in function. So all the HTTP protocol
    >violation style attacks weren't blocked at all. Proved it using tools
    off
    >packetstorm. Told SCC about it and proved it to them as well. Then they
    >verified the problem and issued a patch some months later.
    >
    >Make sure those protection features are actually doing what they claim
    >folks.
    >
    >http://www.networkcomputing.com/1106/1106f16.html?ls=NCJS_1106rt
    >
    >mike

    This was VERY disturbing. Kind of makes Secure's claim look pretty
    stupid. Tried it on any other boxes? Apparetntly secure computing
    expected the web proxy to be in full use. Fortunately, we are a small
    enough operation to do exactly that.

    <snip>
    >Secure Computing claims that their "SecureOS" with type-enforcement and
    >other service protection is not vulnerable to the exploits against BIND
    >and Sendmail, and as such, it is more secure than punching holes in
    your
    >firewall and passing the traffic to internal hosts running vulnerable
    >versions of BIND and Sendmail.
    >
    >I'm not suggesting that SCC is correct in their defense against this
    >claim, but they do have a point.
    <snip>

    I think this is a reasonable claim and your response resonates with me,
    why not use dnscache or tinydns and qmail? The best they could tell me
    was the problem was in the way they virtualized the hardware drivers. It
    makes there OS incompatible with lots of BSD/Linux stuff. I am enough of
    a techie nerd to know that that makes no sense when you ARE able to run
    sendmail and BIND. I guess they just don't see this as a big issue
    because BIND and sendmail run in jails, so what ever process controller
    they use, just restarts them if a hack kills the process. They seem very
    confident about the integrity of their jails and told me I had nothing
    to worry about even if a hacker broke into a root shell in one of them.
    I am not convinced that this would be, to quote the late great Douglas
    Addams, "mostly harmless".

    As part of this project we are looking at TACACS+ or RADIUS in
    conjunction with Safeword Premier Access for authentication along with
    some type of centralized logging host running on our internal network
    under Winblows 2000. Any ideas? Should I put the logging host into it's
    own subnet, on its own interface and only allow NTP and logging traffic
    in? Can I do that and block ALL traffic out? My understanding is that
    syslog traffic runs native as UDP. I am thinking of VPNs from my
    external router, my firewall, and even potentially my Stratus 1 Clock (I
    have one onsite because we are a telco. Sometimes life is good). Any
    ideas?

    Thanks

    Dan Sichel, Network Engineer
    Ponderosa Telephone Company
    (559) 868-6367

    _______________________________________________
    Full-Disclosure - We believe in it.
    Charter: http://lists.netsys.com/full-disclosure-charter.html

  • Next message: hays_at_ibiblio.org: "Re: [Full-Disclosure] Vulnerability in Terminal.app"

    Relevant Pages

    • Re: tmux(1) in base
      ... every single FreeBSD installation in the world except those where the ... User surprise was not a sufficient reason not to remove Perl. ... Sendmail, ensuring that they are well integrated into our codebase, ... BIND and Sendmail. ...
      (freebsd-current)
    • Re: Newb questions
      ... I know BIND ... >> and sendmail are there but I keep hearing about potential security problems. ... to avoid qmail in favour of a postfix-based solution. ... It's also mostly unusable without different patches, ...
      (comp.unix.bsd.freebsd.misc)
    • How do I get sendmail working again
      ... Well, after following the instructions at the former link, sendmail will no ... daemon MTA: cannot bind: Address already in use ... whitbap# /etc/rc.d/sendmail start ...
      (freebsd-questions)
    • Re: replacing sendmail with qmail
      ... that Sendmail and bind and so on have their exploits.. ... Freedom of religion. ... To not have or change the different MTA by default in FreeBSD ...
      (freebsd-hackers)
    • Re: SASL Auth -- "no secret in database"
      ... The authentication data should all come out of the same LDAP database. ... However sendmail refuses to play ball. ...
      (comp.mail.sendmail)
    • Quantcast