Date: 10 Nov 1998 11:10:06 -0500 From: Chris Shenton <cshenton@uucom.com> To: "brianmcg" <bmcgroarty@high-voltage.com> Cc: "questions@freebsd.org" <questions@FreeBSD.ORG> Subject: Re: FreeBSD 2.2.7-RELEASE - validating security Message-ID: <86lnljzfz5.fsf@samizdat.uucom.com> In-Reply-To: "brianmcg"'s message of Tue, 10 Nov 1998 5:52 -0600 References: <19981110055405612-47f124e@high-voltage.com>
next in thread | previous in thread | raw e-mail | index | archive | help
"brianmcg" <bmcgroarty@high-voltage.com> writes:
> My employer plans on moving from Novell and cc:Mail to NT4 and Exchange.
> I'm concerned with Exchange's stability, so I'm pushing IT on the idea of a
> FreeBSD box for internal mail and news (our "bulletin boards").
Good, you should be. Besides, they don't yet make PII-800Mhz systems yet :-)
> Last night I installed and configured qpopper and innd successfully,
> and even on a little 486/66 they seem to perform quite nicely,
> standing up against a pair of mean Pentiums trying to throttle the
> little box with heavy mail and news posting loops. We're a company
> of about 60, and I think a Pentium 100 in a back closet somewhere
> should be ample to support all that we do.
You're using this for *internal* news groups, right? Not planning on
putting a global feed onto a 486 I hope. I would think what you
propose would be fine. It should be easy to size disk, taking into
account space in a /var partition for incoming and outgoing mail; same
for news. Give it enough memory to run all this stuff. If you're
running a nameserver on it, give it more cuz DNS wants to cache
information it acquires about external domains.
> The last aspect I'd like to test is security. I've got my test box
> up and running as newtoy.com on the net presently, and next week I
> hope to make a public posting offering $100 out of pocket to the
> first person who can get in and retrieve either mail or news from my
> machine and tell me how they did it. If the configuration stands up
> in that kind of a hostile environment, I would feel confident that
> it would be secure against curious co-workers on our isolated
> network.
If you track any of the security lists, I think you'll find that you
can't prove security by offering a bounty like this. It's usually used
as a marketing ploy by vendors. Just cuz no one wants to hack into it
today doesn't mean you won't become vulnerable tomorrow. I don't think
it's a useful test. Better to put the time and money into some
security analysis.
You might want to set up the box and check out what ISS and Ballista
think of it; they're commercial tools. You can also use the free but
aging SATAN, or the newer SAINT scanners against it. Check out the
new free tool Nessus, too -- it seems to be growing rapidly.
> Before I do this, I'd like to know if there are any known security
> issues with the Walnut Creek distribution of 2.2.7-RELEASE or the
> included ports of qpopper and innd. Any pointers would be -very-
> much appreciated. And if NewToy survives the test with all its
> little secrets intact, I'll gladly make that $100 a contribution to
> the FreeBSD efforts instead. ;)
There have been issues with 2.2.7, and every other OS on the
planet. And there have been issues with qpopper recently, on all
platforms, and it's been fixed. Check the lists for details.
But IMHO FreeBSD is the easiest OS to secure for a variety of reasons
all relating to open source. Lots of eyes have looked at the code,
good guys looking for holes, bad guys looking for exports. The
distribution is more controlled than some other popular free UNIX-like
operating systems :-) and this in my mind reduces chaos, a good thing
for security.  You can track 2.2-STABLE with CVSUP and stay up the
minute with your entire operating source code, compiling in fixes as
soon as they emerge. This is a *massive* win, IMHO.
This doesn't help, tho, with many of the most common exploits -- which
are typically due to improperly configured systems. I have a habit of
bringing up a new box, disabling inetd and everything I can't
demonstrably prove I must run (nfs, rpcbind, sendmail, etc -- where
appropriate), then installing SSH. Then I don't need telnet and ftp
and all my passwords and other traffic are encrypted and my hosts can
use cryptographically significant mutual authentication.  If you wanna
get punk, set up packet filters with FreeBSD's built-in ipfw, or the
ipfilter package.
Then you might wanna consider stopping bad guys at your border: packet
filters on your router, a real firewall (home grown with fwtk is OK
too!), etc. But this gets way beyond the example you site: is NT or
FreeBSD more secure for an email and news server. It begins to address
the enterprise.
You should consider getting on the freebsd-security list, too. 
Good luck persuading your keepers. I find it all to rare that actual
facts and logic can swap people brainwashed by a multi-billion-dollar
marketing and propaganda machine, and that so-called IT people  who
don't want to read will always prefer colorful grope-n-poke interfaces
to something robust.
PS: is there anything wrong with your Novell and cc:Mail? or is it
    just management's idea of a fashion statement to abandon a system that
    that works well and jump on the NT-lemming bandwagon? Sigh...
To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-questions" in the body of the message
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?86lnljzfz5.fsf>
