Firewall Wizards mailing list archives

Re: Secure Computing Sidewinder?


From: "Paul D. Robertson" <paul () compuwar net>
Date: Wed, 11 Jun 2008 13:43:24 -0400 (EDT)

On Tue, 10 Jun 2008, Paul Hutchings wrote:

> When I looked, replacing the ISA Server actually would cost more than
> a 210E.  Now granted the 210E is the baby of the range, but looking

Last time I played with ISA, it wasn't an application-layer gateway, it 
was a bastardized SOCKS circuit-layer gateway.  That means it was doing 
more to enforce what connected than what went through it.

> I am also impressed with the Sidewinder's credentials, I was googling

There was a school of thought (and I was in it for a long while, though 
not particularly on the Sidewinder implementation) that said that you had 
to trust your firewall and ensure it couldn't be used to harm your 
network, and it couldn't be compromised if you wanted to handle different 
users differently.

That meant trusted systems implementations.  Sidewinder does a good job of 
that, unfortunately in the real world, people decided they'd let 
pretty-much anything tunnel through their firewalls to pretty-much any 
client[1]- so the firewall couldn't ever be the weak link, and therefore 
didn't need to be that difficult to write, validate and administer.  Plus 
they decided things like calendar applications and MS's single sign on 
beat protecting their servers.  So despite the better security model of a 
proxy, packet filters pretty much won the day.


Paul
[1] The only redeeming feature I saw of using ISA was enforcing what 
client programs could connect to it, but SRPs are a better way to enforce 
that IMO, and I'd still be wary of not shielding one with another system.
-----------------------------------------------------------------------------
Paul D. Robertson      "My statements in this message are personal opinions
paul () compuwar net       which may have no basis whatsoever in fact."
             http://www.fluiditgroup.com/blog/pdr/
           Art: http://PaulDRobertson.imagekind.com/

_______________________________________________
firewall-wizards mailing list
firewall-wizards () listserv icsalabs com
https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards

