Firewall Wizards mailing list archives

Re: FWTK and smap/smapd


From: Paul Robertson <proberts () patriot net>
Date: Wed, 17 Jul 2002 11:00:52 -0400 (EDT)

On Wed, 17 Jul 2002, Frederick M Avolio wrote:

> The real problem with something like smap/smapd is that it uses Sendmail at 
> all. Remember Sendmail (postfix, et al) supports IT ALL. On an e-mail 

[sometimes the moderator approves things so he can heckle ;)]

> gateway to the Internet, we don't (shouldn't) need that. We can make some 
> assumptions, which simplify things considerably. And if we don't mind 
> passing outbound e-mail to our ISP, things get even simpler. There's just 
> no money in it. And of course given a choice of "secure-er" or faster we 
> take faster.

While I agree generally with what you say, I'd like to point out the 
biggest advantage of Open Source- you can rip out massive amounts of code 
that isn't particularly necessary.  These days, if you're running a 
corporate gateway, you need *lots* of functionality for mail (mostly for 
blocking and rewriting) and a good deal of that needs to happen up-front 
(arguments as to if "up front" needs to be the firewall or not are not 
addressed in this memo[1].)

For at least one of the examples, it's relatively easy to rip out large 
amounts of non-essential code (by module, by function...)

While you're still left with a lot more code than with something like 
smap- you get at least some assurance that you've taken away a lot of 
potential badness/inappropriateness.

Paul
[1] I abhor the "security is not addressed" RFC stuff.
-----------------------------------------------------------------------------
Paul D. Robertson      "My statements in this message are personal opinions
proberts () patriot net      which may have no basis whatsoever in fact."
probertson () trusecure com Director of Risk Assessment TruSecure Corporation
