Full Disclosure mailing list archives

RE: Sidewinder G2


From: "Kruse, Steve" <Steve.Kruse () lakelandgov net>
Date: Tue, 18 Nov 2003 11:14:21 -0500

 
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

My $.02 worth with a disclaimer:  I previously worked for Secure
Computing.  I have no vested interest in them now; I don't even own
stock in SCC any more.  With that said...

Part of Secure Computing's problem over the years is their inability
to make the Type Enforcement (TE) and Mandatory Access Control
technology understandable to the masses.  The Sidewinder technology,
and its use of TE to sandbox those few services it does run, makes
the device (so far at least) impossible to break through.  There
isn't a "root" to own in a running box. Even if you could
successfully do something to sendmail, the very WORST that could
happen is your mail would be broken.  Nothing else is or could be in
any way compromised.

An earlier post (see Paul Niranjan's) in this thread pointed out
quite well why there should be no fear.  While the article that was
posted had a lot of marketing overtones (to put it nicely), what was
said is correct.  The version of sendmail is small and so tightly
locked down that it is unlikely to be exploitable in any fashion.  No
root or elevation in privilege is possible.  No way to break through
to other services including the core firewall operations or rule
sets.   

Sidewinder is trusted in some of the most intensely secure places
within the government and industry, and I don't know of any
successful hacks against it. Repeated "hacker challenges" by Secure
Computing against the Sidewinder have proven it hasn't been
compromised.  If someone can prove they've broken through one OTHER
than through the stupidity of someone configuring a rule wrong, I'd
sure love to hear about it.  I believe in Sidewinder to the max after
having worked with them for a while.  Before you dismiss the
Sidewinder, you really should spend some time up on their web site,
and in particular read a couple of their white papers on Type
Enforcement.  That may help you understand the technology behind it a
little better.  The Sidewinder isn't cheap and it isn't the fastest,
but it is one of the most secure around.  If a gazillion packets a
second gets you hot and bothered, go with someone else.  If high
security does it for you, Sidewinder is a better choice.

Ok...so maybe that was $.03 worth!  Sorry.

Steve Kruse
J. Stephen Kruse, CISSP
Chief Information Security Officer
City of Lakeland, Florida
http://www.lakelandgov.net
mailto:steve.kruse () lakelandgov net
PGP Fingerprint: 20FF 54A6 AFA0 5492 8830  9687 3314 D77D DFC7 D848
 

-----Original Message-----
From: Valdis.Kletnieks () vt edu [mailto:Valdis.Kletnieks () vt edu] 
Sent: Tuesday, November 18, 2003 9:54 AM
To: Michael Gale
Cc: full-disclosure () lists netsys com
Subject: Re: [Full-disclosure] Sidewinder G2 


On Mon, 17 Nov 2003 15:44:01 MST, Michael Gale <michael () bluesuperman com> said:

> I believe two of the most secure firewalls are Cisco Pix and the
> BorderWare Firewall. Cisco does not offer any services and Borderware
> offers a few for small business and are very restrictive.

For a machine that doesn't have any services, the Cisco PIX is infamous
for breaking SMTP. Google for 'cisco pix smtp' and let me know if you
still think the PIX doesn't have services on it.


-----BEGIN PGP SIGNATURE-----
Version: PGP 8.0.2

iQA/AwUBP7pFXTMU133fx9hIEQJsZwCg7j7mLmvhBiE875iiKDuVoE7JEbMAn2XQ
1Xqqebh00XrTiBnNBs4hjh8c
=GUfB
-----END PGP SIGNATURE-----

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html

