Firewall Wizards mailing list archives
Re: Secure Computing Sidewinder?
From: "K K" <kkadow () gmail com>
Date: Tue, 10 Jun 2008 10:45:11 -0500
On 6/8/08, Paul Hutchings <paul () spamcop net> wrote:
> One of the options that I'm looking at is the Secure Computing Sidewinder. On paper it looks like a very nice bit of kit, and reading things such as that it's extensively used by banks and the military etc. instils a lot of confidence in the product.
Up until last week, my employer was a Sidewinder customer, and I still run an unofficial users' group for the product :) We are moving off Sidewinder G2 solely because of the price. After having gone over five years without a serious security incident, my employer does not see the value in keeping "military grade" (their words, not mine) security, and wants to move to a more relaxed perimeter.
> I know both ISA and Sidewinder are "Application Layer" firewalls and act as proxies etc. but I'm struggling to get my head around why one might be "better" than the other, I guess I'm a little unclear on exactly what "Application Layer" means tbh despite reading various definitions?
I'm not personally familiar with the current incarnation of the Microsoft ISA. The "Windows Team" in my office is deploying a couple of them specifically because ISA is the only product which claims to have a proxy for MS-RPC, and I am anything but impressed with the ISA, in terms of security, ease-of-use, management, etc. There are many different approaches to designing a firewall, the approach taken by Secure Computing is, in my mind "better" and more thorough than most other "application proxy" firewalls, though this depends to a great extent on how you choose to deploy and how you write your policy. If you don't mind spending more money for more security, I would strongly recommend evaluating Sidewinder, particularly if you already have admins with Unix/BSD skills. If price is a major factor, Secure Computing also sells the simpler "SnapGear" firewalls, and you might consider Juniper's Netscreen as a third, less expensive, option.
> My understanding with the Sidewinder is that the proxies receive each packet, tear it apart, inspect it, and then depending on the protocol it drops/discards anything that is dangerous, and in the case of safe content rewrites the packet
Some "stateful inspection packet filters" make this same claim. There are two key differences: 1) A packet filter does this for each packet individually, while a proxy receives the full streaming connection, tears apart the higher level protocol (e.g. SMTP), does complete fragment reconstruction, and depending on the protocol can drop/discard or repair anything that doesn't comply with the protocol definition. 2) A good proxy doesn't just match against "known bad" traffic, but rather has a model of what good traffic should conform to, and will kill a session if the conversation veers off-topic. Sidewinder also allows you to "relax" certain rules so poorly written clients and servers are not blocked.
> and makes the connection itself so that the source machine never connects directly to the destination, rather the connection always terminates at the Sidewinder, which makes the connection on its behalf?
That is the old school definition of a "proxy" firewall, the historical roots of the Sidewinder. This (full rebuild of the TCP session) approach works very well for an environment where you would want to deny anything but RFC-compliant traffic, and where you have a "that which is not explicitly permitted is denied by default" approach to security. The biggest drawbacks are performance and per-stream overhead. The latest version (v7) still has the full-teardown option, but can also be configured with various optimizations to skip the deepest inspection on the body of certain streams, to avoid the performance hit which is often attributed to proxy firewalls.
> I'm also struggling to understand how useful an application layer firewall is when it seemingly is never updated i.e. Microsoft ISA server?
Good point. I've been using Sidewinders since 2001, and Secure Computing has regularly issued updates to the firewall, with detailed release notes explaining what changes are in each update, including new protocol support, changes in protocol behavior, etc.
> Our requirements are pretty simple I would imagine: We want to let traffic out, with the source being restricted by IP address or Active Directory user. Mostly standard protocols such as dns/smtp/http/https/ftp where we would expect all traffic to conform to the protocol. In some instances we'll need to open port X to destination Y and would want to simply allow traffic to pass and wouldn't expect a firewall to know what the traffic is as it will be something unique to an application that we're using.
That is all pretty standard.
> We want to allow smtp in, as well as a few specific internal websites such as Outlook Web Access etc. which use HTTPS.
One place where Secure Computing shines is in SMTP processing, both in terms of protocol inspection (so your Exchange SMTP servers are less likely to get owned) and in anti-spam (Secure Computing purchased and has integrated IronMail). They also have a HTTPS proxy for inbound HTTPS, and are one of *very* few vendors with a true protocol inspection proxy for SSH.
> I'd appreciate any input on the specifics of how the two products differ and how one might be considered "better" than the other both in terms of bottom line security, and our requirements.
Last time I checked, ISA was a Windows server with a firewall bolted on, while the "SecureOS" underlying Sidewinder is a customized BSD designed specifically as a firewall. Both run on PC hardware -- most Sidewinder failures we have had were due to hardware problems -- power supply and drive failures.

Kevin

_______________________________________________
firewall-wizards mailing list
firewall-wizards () listserv icsalabs com
https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards
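Kevin's two points about what separates a proxy from a stateful packet filter (it works on the reassembled stream, and it checks the conversation against a model of good traffic rather than a list of bad signatures, with the option to relax rules for sloppy clients) are easiest to see in code. What follows is an added example written for this archive page; it is not Sidewinder, SecureOS or ISA code, nor anything posted in the thread. It models the client side of an SMTP session as a small state machine: the state names, the `relaxed` flag, the argument regexes and the sample sessions are all constructed for illustration, and the only external fact it leans on is the 512-octet command-line limit from RFC 5321.

```python
"""Toy application-layer inspector for SMTP, in the style Kevin describes:
the session is reassembled into command lines, each command is checked
against a model of what a conforming conversation looks like, and the
session is killed as soon as it veers off-protocol.  Constructed example,
not Secure Computing code."""

import re

# RFC 5321 section 4.5.3.1.4: an SMTP command line is at most 512 octets
# including the trailing CRLF.  Oversized lines are a classic way to hit a
# buffer overflow in a poorly written MTA, so a proxy should refuse them.
MAX_CMD_LINE = 512

# Which command verbs are legal in which state, and where they lead.
# State names ("connected", "greeted", "mail", "rcpt") are our own.
TRANSITIONS = {
    "connected": {"EHLO": "greeted", "HELO": "greeted", "NOOP": "connected",
                  "RSET": "connected", "QUIT": "closed"},
    "greeted":   {"EHLO": "greeted", "HELO": "greeted", "MAIL": "mail",
                  "NOOP": "greeted", "RSET": "greeted", "QUIT": "closed"},
    "mail":      {"RCPT": "rcpt", "NOOP": "mail", "RSET": "greeted",
                  "QUIT": "closed"},
    "rcpt":      {"RCPT": "rcpt", "DATA": "data", "NOOP": "rcpt",
                  "RSET": "greeted", "QUIT": "closed"},
}

# Argument syntax for the verbs that carry one (deliberately simplified).
ARG_SYNTAX = {
    "EHLO": re.compile(r"^\S+$"),
    "HELO": re.compile(r"^\S+$"),
    "MAIL": re.compile(r"^FROM:\s*<[^<>\s]*>(\s+\S+)*$", re.I),
    "RCPT": re.compile(r"^TO:\s*<[^<>\s]+>(\s+\S+)*$", re.I),
}


def inspect_smtp_session(raw: bytes, relaxed: bool = False):
    """Inspect the client half of an SMTP session.

    Returns ("allow", None) if every command conforms to the model, or
    ("kill", reason) at the first deviation.  relaxed=True tolerates bare
    LF line endings, the kind of fault a "relax this rule" knob exists for.
    """
    # A proxy sees the reassembled byte stream, not individual packets, so
    # line splitting happens here, over the whole session.
    if relaxed:
        lines = raw.replace(b"\r\n", b"\n").split(b"\n")
    else:
        if b"\n" in raw.replace(b"\r\n", b""):
            return ("kill", "bare LF in command stream")
        lines = raw.split(b"\r\n")
    if lines and lines[-1] == b"":
        lines.pop()  # trailing terminator, not an empty command

    state = "connected"
    in_data = False
    for line in lines:
        if in_data:
            # Message body: only the lone "." terminator is interpreted.
            if line == b".":
                in_data = False
                state = "greeted"
            continue
        if len(line) + 2 > MAX_CMD_LINE:
            return ("kill", f"command line exceeds {MAX_CMD_LINE} octets")
        if not line.isascii():
            return ("kill", "non-ASCII byte in command")
        verb, _, arg = line.decode("ascii").partition(" ")
        verb = verb.upper()
        allowed = TRANSITIONS.get(state, {})
        if verb not in allowed:
            # Unknown verb, or a known verb out of sequence: off-topic.
            return ("kill", f"{verb!r} not permitted in state {state!r}")
        pattern = ARG_SYNTAX.get(verb)
        if pattern and not pattern.match(arg.strip()):
            return ("kill", f"malformed argument to {verb}: {arg!r}")
        state = allowed[verb]
        if verb == "DATA":
            in_data = True
        if state == "closed":
            break
    return ("allow", None)


# Constructed sample sessions (not captured traffic).
GOOD_SESSION = (b"EHLO client.example\r\nMAIL FROM:<alice@example.org>\r\n"
                b"RCPT TO:<bob@example.com>\r\nDATA\r\nSubject: hi\r\n\r\n"
                b"hello\r\n.\r\nQUIT\r\n")
OUT_OF_ORDER = b"EHLO c\r\nRCPT TO:<bob@example.com>\r\n"
NOT_SMTP_AT_ALL = b"GET / HTTP/1.1\r\n"
OVERLONG = b"EHLO " + b"A" * 600 + b"\r\n"
BARE_LF = b"EHLO c\nQUIT\n"

if __name__ == "__main__":
    for name, session in [("good", GOOD_SESSION), ("order", OUT_OF_ORDER),
                          ("http", NOT_SMTP_AT_ALL), ("long", OVERLONG),
                          ("bare_lf", BARE_LF)]:
        print(name, inspect_smtp_session(session))
    print("bare_lf relaxed", inspect_smtp_session(BARE_LF, relaxed=True))
```

A port-based filter would pass all five sample sessions, since each is simply TCP traffic to port 25; the model-based check passes only the conforming one, and the `relaxed` flag shows how a single rule can be loosened for a broken client without discarding the rest of the model. Real proxies also validate the server's replies and the message body, which this sketch leaves out.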
Current thread:
- Secure Computing Sidewinder? Paul Hutchings (Jun 10)
- Re: Secure Computing Sidewinder? ArkanoiD (Jun 10)
- Re: Secure Computing Sidewinder? K K (Jun 10)
- Re: Secure Computing Sidewinder? Paul Hutchings (Jun 11)
- Re: Secure Computing Sidewinder? Paul D. Robertson (Jun 11)
- Re: Secure Computing Sidewinder? Paul Hutchings (Jun 12)
- Re: Secure Computing Sidewinder? lordchariot (Jun 13)
- Re: Secure Computing Sidewinder? Paul Hutchings (Jun 11)
- Re: Secure Computing Sidewinder? Keith A. Glass (Jun 11)
- Re: Secure Computing Sidewinder? Paul D. Robertson (Jun 11)
- Re: Secure Computing Sidewinder? K K (Jun 11)