List:       sidewinder
Subject:    [Sidewinder] Transparent and non transparent proxies.
From:       sidewinder () adeptech ! com
Date:       2005-05-11 16:34:00
Message-ID: 190DFDD2F99A65469B4B15D3658C0D2B0103326E () ptc6 ! ponderosatel ! com

> 
> "2) This functionality was intentionally moved into the rules on
> Sidewinder."
> 
> Again, if a design is inferior, the fact that it was done intentionally does
> not make it good.
> 
> "I mean, do you trust Sidewinder rules in the first place?"
> 
> Yes and no.  Of course, if implemented *correctly* *AND* *CONFIGURED*
> *CORRECTLY* everything is presumably fine, anyway.  But, code is *not*
> perfect, and neither are folks who configure firewall rules (myself
> included).  A mistake that cannot be made is foolproof.  A transparent proxy
> that will not operate as a non-transparent proxy makes certain mistakes
> impossible to make.
Separating the two proxies would only reduce, not eliminate, this risk.
It is still quite possible to select the wrong proxy when building rules;
I am not sure separating the two is worth the effort involved, not to
mention the scope for errors in programming that could make the cure
worse than the disease.
 

> My point is that asking the HTTP proxy to do two different things at the
> same time is inherently risky -- the risk comes along with the benefit.
I would think that the real risk is mostly (as you mentioned above) in
the coding. Is there any review of that done? Do we users participate or
have any ability to monitor that process? After all, a QC failure here
hurts us a lot more than it hurts the vendor. On the other side, so far
Secure seems to be the only vendor with an (almost) unblemished track
record in this area. Checkpoint, Pix, Sonicwall, etc. all look like Swiss
cheese compared to the Sidewinder. Having said that, while I was at
Interop I read a report that claimed to have successfully passed
exploits through a Sidewinder, but I am not sure if that was correct or
exactly what was meant by that.


> If sendmail were perfectly implemented, it would not be a risk either.  We all
> know how that story turns out.
> 
Sigh, good old Qmail. When will Secure come over from the dark side and
embrace the one true MTA? :)



Dan Sichel
Network Engineer
Ponderosa Telephone
daniels@ponderosatel.com (559) 868-6367
 

_______________________________________________
Sidewinder mailing list
Sidewinder@adeptech.com
http://mail.adeptech.com/mailman/listinfo/sidewinder
