Date: 10 Nov 1998 11:10:06 -0500 From: Chris Shenton <cshenton@uucom.com> To: "brianmcg" <bmcgroarty@high-voltage.com> Cc: "questions@freebsd.org" <questions@FreeBSD.ORG> Subject: Re: FreeBSD 2.2.7-RELEASE - validating security Message-ID: <86lnljzfz5.fsf@samizdat.uucom.com> In-Reply-To: "brianmcg"'s message of Tue, 10 Nov 1998 5:52 -0600 References: <19981110055405612-47f124e@high-voltage.com>
next in thread | previous in thread | raw e-mail | index | archive | help
"brianmcg" <bmcgroarty@high-voltage.com> writes: > My employer plans on moving from Novell and cc:Mail to NT4 and Exchange. > I'm concerned with Exchange's stability, so I'm pushing IT on the idea of a > FreeBSD box for internal mail and news (our "bulletin boards"). Good, you should be. Besides, they don't yet make PII-800Mhz systems yet :-) > Last night I installed and configured qpopper and innd successfully, > and even on a little 486/66 they seem to perform quite nicely, > standing up against a pair of mean Pentiums trying to throttle the > little box with heavy mail and news posting loops. We're a company > of about 60, and I think a Pentium 100 in a back closet somewhere > should be ample to support all that we do. You're using this for *internal* news groups, right? Not planning on putting a global feed onto a 486 I hope. I would think what you propose would be fine. It should be easy to size disk, taking into account space in a /var partition for incoming and outgoing mail; same for news. Give it enough memory to run all this stuff. If you're running a nameserver on it, give it more cuz DNS wants to cache information it acquires about external domains. > The last aspect I'd like to test is security. I've got my test box > up and running as newtoy.com on the net presently, and next week I > hope to make a public posting offering $100 out of pocket to the > first person who can get in and retrieve either mail or news from my > machine and tell me how they did it. If the configuration stands up > in that kind of a hostile environment, I would feel confident that > it would be secure against curious co-workers on our isolated > network. If you track any of the security lists, I think you'll find that you can't prove security by offering a bounty like this. It's usually used as a marketing ploy by vendors. Just cuz no one wants to hack into it today doesn't mean you won't become vulnerable tomorrow. I don't think it's a useful test. Better to put the time and money into some security analysis. You might want to set up the box and check out what ISS and Ballista think of it; they're commercial tools. You can also use the free but aging SATAN, or the newer SAINT scanners against it. Check out the new free tool Nessus, too -- it seems to be growing rapidly. > Before I do this, I'd like to know if there are any known security > issues with the Walnut Creek distribution of 2.2.7-RELEASE or the > included ports of qpopper and innd. Any pointers would be -very- > much appreciated. And if NewToy survives the test with all its > little secrets intact, I'll gladly make that $100 a contribution to > the FreeBSD efforts instead. ;) There have been issues with 2.2.7, and every other OS on the planet. And there have been issues with qpopper recently, on all platforms, and it's been fixed. Check the lists for details. But IMHO FreeBSD is the easiest OS to secure for a variety of reasons all relating to open source. Lots of eyes have looked at the code, good guys looking for holes, bad guys looking for exports. The distribution is more controlled than some other popular free UNIX-like operating systems :-) and this in my mind reduces chaos, a good thing for security. You can track 2.2-STABLE with CVSUP and stay up the minute with your entire operating source code, compiling in fixes as soon as they emerge. This is a *massive* win, IMHO. This doesn't help, tho, with many of the most common exploits -- which are typically due to improperly configured systems. I have a habit of bringing up a new box, disabling inetd and everything I can't demonstrably prove I must run (nfs, rpcbind, sendmail, etc -- where appropriate), then installing SSH. Then I don't need telnet and ftp and all my passwords and other traffic are encrypted and my hosts can use cryptographically significant mutual authentication. If you wanna get punk, set up packet filters with FreeBSD's built-in ipfw, or the ipfilter package. Then you might wanna consider stopping bad guys at your border: packet filters on your router, a real firewall (home grown with fwtk is OK too!), etc. But this gets way beyond the example you site: is NT or FreeBSD more secure for an email and news server. It begins to address the enterprise. You should consider getting on the freebsd-security list, too. Good luck persuading your keepers. I find it all to rare that actual facts and logic can swap people brainwashed by a multi-billion-dollar marketing and propaganda machine, and that so-called IT people who don't want to read will always prefer colorful grope-n-poke interfaces to something robust. PS: is there anything wrong with your Novell and cc:Mail? or is it just management's idea of a fashion statement to abandon a system that that works well and jump on the NT-lemming bandwagon? Sigh... To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-questions" in the body of the message
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?86lnljzfz5.fsf>