Excerpts from Firewalls: 26-Oct-93 Re: smail vs. sendmail mjr @
> I think it's a great idea. Unfortunately, it does have some
> problems. I suspect (hope!) you won't see the big financial
> organizations going that route in the near future. For security
> critical data, you *HAVE* to trust the system you're on, or you're
On the contrary, I think we'll see a firestorm of activity in this area,
as secure OLTP enters the UNIX marketplace.
Networked UNIX systems, as we all know, are inherently insecure. But
using UNIX as a front-end to secure systems can be made very secure, and
Yes, you still need to trust your local system. But levels of security
are so greatly enhanced by DCE that standard UNIX system security
becomes something one works around, rather than something one relies
upon to protect data.
In the relevant case of mail on an SMTP host, a gateway can easily be
configured so that incoming messages transfer directly into a secure
filesystem. Authentication passwords are never used or exchanged on the
mail host (all login accounts can be local), so there's no danger of an
intruder gaining authenticated access through listening. As you've
alluded to, an intruder with root privileges could sample user data that
is temporarily buffered on the host. For this reason (and because you'd
like not to restore your system every day) you'd certainly want to keep
root passwords secret. But it is possible, academically, to configure a
system in such a way that leaking the root password won't endanger
unauthorized access to secure data areas.