Firewall Wizards mailing list archives

Re: IBM secureway firewall


From: "Paul D. Robertson" <proberts () patriot net>
Date: Thu, 5 Dec 2002 16:53:16 -0500 (EST)

On Wed, 4 Dec 2002, R. DuFresne wrote:

> Can anyone give me info on this product?
> 
> I see IBM claims it's been used by themselves for 10+ years to secure
> their networks, that it's an all in one product, packet filter,
> proxy/circuit level gateway, with VPN features, etc.

If it's the current incantation[1] of IBM's old "Secure Network Gateway" 
code, then I think I had one about 9 years ago running on an RS/6000 
under AIX 3.25 (Either on a 55L or a 590 Power2 box.)  At that point in 
time, it was simply a packet filter and SOCKS server for those who thought 
SOCKS was a security solution[2].  It was in the middle of my firewall, 
and was often up for ~2 years at a time until we needed to do things like 
add new interfaces to the box.  

We had the primary architect out to do the original install, first time 
I've met a PhD who could do AWK scripting at the console in real-time, and 
we both learned some stuff :)  It was my understanding at the time that we 
were one of the first large companies to put one up- which wasn't all that 
confidence inspiring.

The product was reasonable, but not exceptional as a packet filter, and I 
had it behind two other layers of filtering, with application layer 
gateways mostly behind it- not because of distrust though- but because of 
defense in depth.  Outside of the obvious packet filtering foibles of the 
time, and AIX's usual idiosyncrasies with the ODM stuff (which I mostly 
bypassed whenever possible) it was a stable platform for packet filtering.

There was also a similarly named product that ran under OS/2, and would 
sit in a PC board hosted by an AS/400 system- and my confidence in that 
product was never all that high, but I refused to even evaluate it (given 
my suppositions about OS/2 stack writer availability at the time, I just 
thought it wasn't worth the time.)

It's the only time I've inherited a firewall product rather than chosen 
one that I've personally had to run.  I never had it handling e-mail 
itself because it used Sendmail, and I didn't have it doing DNS- other 
than that, it didn't have anything significantly proxyish at the time AFAIR.

We passed on the chance to upgrade it at some point in the distant past, 
but didn't remove the box from the firewall chain until y2k issues became 
important.

Paul
[0] Your MX is brokenly not accepting mail directly- hopefully this will 
get to you.
[1] Yes, I said it again.
[2] Circuit level gateways suck in terms of trust relationships and 
enforcement boundaries- just like circuit plugboards, they're a 
convenient answer to someone who wants a single trust zone with fully 
trusted clients and who doesn't want to do any "real" security work.  
They're "quick and easy" in the "Pick one, Q&E or secure."
-----------------------------------------------------------------------------
Paul D. Robertson      "My statements in this message are personal opinions
proberts () patriot net      which may have no basis whatsoever in fact."
probertson () trusecure com Director of Risk Assessment TruSecure Corporation

_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards