Firewall Wizards mailing list archives
Re: Re: Trusted OS...
From: "Civ David R. Sears" <sears () eglin af mil>
Date: Thu, 30 Mar 2000 06:58:30 -0600
I really couldn't let this one go by without comment. First off, I don't want to get into any religious wars over Proxy VS Filtering firewalls. They're a big waste of everyone's time.

I have a lot of experience with the differences between FW1 and Sidewinder, since the Air Force has chosen to thrust Secure Computing's solution down our collective throats. We started off using FW1 several years ago (Versions 2.0 and 3.0). The product was mostly stable (although not without problems) and provided adequate logging and protection, while allowing us the flexibility to still accomplish our jobs. We were running an entire air base of 12,000+ users through a single SPARC ultra with no adverse effects. Were we impenetrable? Hardly. However, we had a manageable solution that provided us with a level of risk we were willing to accept, and we had a single choke point to stop the bad guys.

Three years ago, our world changed when we were ordered to use Secure Computing's Sidewinder as the "Air Force Standard" firewall solution. We have had nothing but problems ever since. Most of our problems stem from the fact that Sidewinder is a plausible solution for a small business or small number of users, but doesn't scale to a large base. We currently have four of the silly things trying to do what our old Ultra could handle with ease. ($$$) The logging (one of the most important things on a firewall, IMO) is terrible. When we called Secure Computing and asked them about it, they said, "Oh, no one uses that, use tcpdump."

I could go on about the problems we've had, but I think you get the point. If anyone recommends Sidewinder as a firewall solution, run away! Fast!

-Dave
Senior Systems/Firewall Administrator
(NOTE: These are only my opinions and in no way represent the opinions or ideas of the USAF.)

Patrick Bryan wrote:
Speaking of Sidewinder, how does it hold up when compared to other firewalls, such as Gauntlet and FW1?

----- Original Message -----
From: "Paul McNabb" <mcnabb () argus-systems com>
To: <mjr () nfr net>
Cc: <firewall-wizards () nfr net>
Sent: Tuesday, March 28, 2000 12:57 PM
Subject: Re: [fw-wiz] Re: Trusted OS...

From mjr () nfr net Thu Mar 23 13:10:30 2000

>Secure Computing - Sidewinder (BSD)

Are you sure about that? Secure computing makes a trusted operating system (called LOCK, if I recall correctly) but Sidewinder was based on BSDI with some orange book fairy dust blown on it - I don't think it was a _real_ trusted operating system, just good old BSDI (which is probably better) with some hacks in it to include the domain/type enforcement stuff.

Yes, I classify Sidewinder on BSDI as a trusted OS (in addition to the LOCK stuff), because it implements a mandatory access control policy which is universally applied and it provides the ability to control privilege operations, both of which are defining characteristics of a trusted OS (along with the design/implementation process that is intended to meet evaluation criteria). The fact that domain type enforcement is not a Bell-LaPadula model doesn't eliminate it from the running. What is "orange book fairy dust"?

paul

---------------------------------------------------------
Paul A. McNabb, CISSP          Argus Systems Group, Inc.
Senior Vice President and CTO  1809 Woodfield Drive
mcnabb () argus-systems com    Savoy, IL 61874 USA
TEL 217-355-6308               FAX 217-355-1433
"Securing the Future"
---------------------------------------------------------
--
-Dave
------
Which is worse: ignorance or apathy? Who knows? Who cares?