Firewall Wizards mailing list archives

Re: Re: Trusted OS...


From: "Civ David R. Sears" <sears () eglin af mil>
Date: Thu, 30 Mar 2000 06:58:30 -0600


I really couldn't let this one go by without comment.

First off, I don't want to get into any religious wars over Proxy VS
Filtering firewalls.  They're a big waste of everyone's time.

I have a lot of experience with the differences between FW1 and
Sidewinder, since the Air Force has chosen to thrust Secure Computing's
solution down our collective throats.

We started off using FW1 several years ago (Versions 2.0 and 3.0).  The
product was mostly stable (although not without problems) and provided
adequate logging and protection, while allowing us the flexibility to
still accomplish our jobs.  We were running an entire air base of
12,000+ users through a single SPARC ultra with no adverse effects. 
Were we impenetrable?  Hardly.  However, we had a manageable solution
that provided us with a level of risk we were willing to accept, and we
had a single choke point to stop the bad guys.

Three years ago, our world changed when we were ordered to use Secure
Computing's Sidewinder as the "Air Force Standard" firewall solution. 
We have had nothing but problems ever since.

Most of our problems stem from the fact that Sidewinder is a plausible
solution for a small business or small number of users, but doesn't
scale to a large base.  We currently have four of the silly things
trying to do what our old Ultra could handle with ease.  ($$$)  The
logging (one of the most important things on a firewall, IMO) is
terrible.  When we called Secure Computing and asked them about it, they
said, "Oh, no one uses that, use tcpdump."

I could go on about the problems we've had, but I think you get the
point.  If anyone recommends Sidewinder as a firewall solution, run
away!  Fast!


-Dave
Senior Systems/Firewall Administrator

(NOTE: These are only my opinions and in no way represent the opinions
or ideas of the USAF.)





Patrick Bryan wrote:

Speaking of Sidewinder, how does it hold up when compared to other
firewalls, such as Gauntlet and FW1?

----- Original Message -----
From: "Paul McNabb" <mcnabb () argus-systems com>
To: <mjr () nfr net>
Cc: <firewall-wizards () nfr net>
Sent: Tuesday, March 28, 2000 12:57 PM
Subject: Re: [fw-wiz] Re: Trusted OS...

 From mjr () nfr net  Thu Mar 23 13:10:30 2000

 >Secure Computing - Sidewinder (BSD)

 Are you sure about that? Secure computing makes a trusted operating
 system (called LOCK, if I recall correctly) but Sidewinder was based
 on BSDI with some orange book fairy dust blown on it - I don't think
 it was a _real_ trusted operating system, just good old BSDI (which is
 probably better) with some hacks in it to include the domain/type
 enforcement stuff.

Yes, I classify Sidewinder on BSDI as a trusted OS (in addition to the
LOCK stuff), because it implements a mandatory access control policy
which is universally applied and it provides the ability to control
privilege operations, both of which are defining characteristics of a
trusted OS (along with the design/implementation process that is intended
to meet evaluation criteria).  The fact that domain type enforcement is
not a Bell-LaPadula model doesn't eliminate it from the running.

What is "orange book fairy dust"?

paul

---------------------------------------------------------
Paul A. McNabb, CISSP           Argus Systems Group, Inc.
Senior Vice President and CTO   1809 Woodfield Drive
mcnabb () argus-systems com        Savoy, IL 61874 USA
TEL 217-355-6308
FAX 217-355-1433                "Securing the Future"
---------------------------------------------------------

-- 

-Dave

------

Which is worse: ignorance or apathy?  Who knows?  Who cares?


