Re: SCC buys Gauntlet

[firewalls () msg net <firewalls () msg net>]

I just built a new Gauntlet 6.0 firewall on a 280R from two thousand miles
away.  I did the complete build, from OS installation to firewall software
to rule creation, completely remotely, without anybody ever having to
physically touch the box from the moment the power, network, and serial
cables were connected to a fresh chassis.  Took me less than a day.

IMHO, there is no way I could ever do this with Sidewinder on PC hardware.


> I've been running Sidewinders both locally and remotely since 1996.
> You'll probably be pleasantly surprised.

I ran Sidewinder firewalls locally at a 200-person enterprise in 2000,
and was not very happy with them.  Among other issues, there were some
administrative work that could only be done on the local console.  Also, I
found a DoS against the product using ISIC, (A packet-filter testing tool
we developed with Mike Frantzen), appeared to be exercising a very old BSD
IP stack bug that Secure Computing had not fixed in their code tree.

Sure, I've also found DoS against Gauntlet, but both Gauntlet and Sun are
usually good about responding to these issues.


> I nearly uniformly  use Dell rackmount servers, although I've built
> my own PC hardware in a few cases for customers  that had special
> requirements (token ring,  anyone?).  In the last two years on the
> networks I use, we've had three or four Sun disk failures, CPU deaths,
> and at least one memory problem -- during the same time period
> the PC hardware hosting my corporate Sidewinders has been solid as a rock.

I've experienced memory, CPU, and power-supply failures on Dell rackmount
(in a environmentally controlled air- and power-filtered data center) at a 
_much_ higher rate than equivalent failures on Sun hardware.


Of course, the disk failures could happen on any platform, PC or Sparc,
but on every Sun you have built-in support for booting from a mirror drive,
and full serial console control from POST on up.


Our small team in the corp IT organization runs 10 Dell rackmount servers in
the primary Coporate-HQ datacenter, along with a half-dozen Gauntlet systems,
another half-dozen (non-firewall) Sparc systems, and remotely maintain many
other Gauntlet firewalls around the country on various Sun Sparc hardware.

We have a _substantial_ investment in Sun hardware for firewalls, including
many E250 and 280R servers. These servers are a particularly good choice for
remote firewalls due to the 'Remote System Control' hardware which provides
full remote management (including both remote power-down _and_ power-up!).

To get even come near these features on PCs, you pay as much as for Sparc.

There's no way I could trust Dell (or any PC) hardware to the degree I have
confidence in the reliability and maintainability of Sun Sparc.  There is
little chance that secure Computing can convince me to pull out these
mid-range 'multi-CPU multi-gig-memory multi-disk' Sun systems running
Gauntlet and replace them with PC hardware running Sidewinder.
 

> I'm continually amazed when people report that Sidewinder isn't
> sufficiently customizable.  I find it vastly easier to work on than Gauntlet

Sidewinder swiftly hits it's limits in how much customization is possible,
and is very difficult to extend the functions of the firewall host. What do
you do when you need Quad ethernet, etherchannel or gig connectivity?


> or FW-1, primarily because it's much closer to UNIX -- i.e. based on text
> config files which are nearly natural language, rather than 
> proprietary coding languages.

Gauntlet's configuration data in 'netperm-table' isn't close to Unix? Isn't
human-readable?


> What do you need  the systems to do?

I don't trust BIND, I install djb's daemontools and dnscache.  I don't trust
SMAP (for good reason!) or sendmail. I install QMail. I need to do nightly
off-site system backups, I use cron, ufsdump and ssh to push filesystem
images to a remote host over a private backchannel network.


> I got IPsec running >through<  a Sidewinder long before anyone seemed
> to be able to do that on a Gauntlet.

No comment.

 
> Plus, you get the great advantage of not having to build and maintain
> the underlying operating  system, since it's all bundled

Plus you lose the ability to use the features of the underlying operating
system, since it is all bundled and mostly out of your reach. No support
for compiling custom binaries or loading new proxy applications beyond what
Secure Computing sees fit to give you.

If I didn't want to maintain the OS, I'd buy the Gauntlet appliance firewall.


> -- and the joy of  a mandatory access control operating system,
> which amongst other things means that you've got  built in damage control
> against exploits and bugs,  not to mention a new set of alarms and audits
> that will go off when evildoers start misbehaving. 

And the pain of a MAC operating system which makes it almost impossible to
actually use the SecurOS to do anything at the command-line level.
 

> I know my old Gauntlet customers are going to be
> pretty happy, once they get over the shot.
>
> tbird
> Sidewinder evangelist
> no, they don't pay me
_______________________________________________
firewall-wizards mailing list
firewall-wizards () nfr com
http://list.nfr.com/mailman/listinfo/firewall-wizards