Sorry for the delay. I was going thru my mailbox & found one that
I hadn't gotten around to answering.
>I'd like to raise a little issue that seems to be getting lost in
>these "secure OS" discussions. I've heard all kinds of people say
>what Frank says below:
>
>> ... Putting
>> a secure application on top of an insecure O/S leaves you insecure.
>
>This is correct. But I think it's important to understand what "on top"
>means. As I understand it, when Firewall-1 is installed on a Solaris
>machine, the filtering code goes between the driver and the rest of the
>OS. So who cares if the OS is "insecure" when the OS won't see any
>packets it's not supposed to based on the filters that are defined.
>In this case FW-1 is not really installed "on top" of the OS but
>"inside" (or underneath?); a subtle but important distinction.
I disagree and maintain that the O/S is still potentially vulnerable.
One example: Suppose the FW-1 is permitted to receive e-mail from the
Outside (Internet). What happens when a cracker sends a mail which
exploits a sendmail bug & uses it to take control of the firewall.
The next two questions aren't directed to you, rather they are just
food for thought. Wasn't there (yet another) sendmail bug posted
just a couple of months ago? How many times does sendmail have to
be fixed before we don't have any more problems with it?
>
>Craig
>
>>
>> Frank
>> Fortified Networks Inc. - Management & Information Security Consulting
>> Phone: (317) 573-0800 - http://www.fortified.com/fortified
>>
>
>����
>����
>
Best Regards,
Frank
Fortified Networks Inc. - Management & Information Security Consulting
Phone: (317) 573-0800 - http://www.fortified.com/fortified
<standard disclaimer>
The opinions expressed above are of the author and may not
necessarily be representative of Fortified Networks Inc.
Follow-Ups:
|
|
