Full Disclosure mailing list archives

RE: Sidewinder G2

From: "Mike Fratto" <mfratto () nwc com>
Date: Thu, 20 Nov 2003 12:37:41 -0500

So, then I have to ask here;  do you or anyone 
else know of a security incident that compromised the 
perimiter guarded by one of these blackboxen?


Yes, I did. Through the transparent HTTP application proxy in version 4.1,
as I stated in an earlier email but...

And I'd direct 
folks to the sec-focus vuln listings to determine how these 
systems have faired historically say since oh, 1995 or so.


If you not current with security software to the last two years your screwed
anyway. A search at Cert for "Secure Computing" and "Sidewinder: yielded 6
entries, the earliest in 2002. A search at BugTraq db at security focus
showed 0. Hrmmmm. The consistent response at Cert was that the vuln didn't
yield anything useful due to Type Enforement.

The SideWinder is a proxy firewall and it has application support many of
the common protocols like HTTP, SMTP, FTP, telnet, SQL*Net, H.323, T.120,
etc. What you need to remember is that even if the external proxy contains a
vulnerability doesn't mean that traffic will be passed internal hosts. You
also have to remember the limitations if application proxies, many only deal
with protocol headers and don't even look into the protocol payload. So
exploits against vulnerable servers are typically stopped because 1) the
exploit contains characters outside of the set defined by RFC822 (aka binary
characters ASCII 128-255) or can be contained by header length enforcement
(do you really need a HTTP host: header length greater than 50 characters?).
The application proxy can also limit commands to a subset, which is useful,
but makes support for using TLS within SMTP impossible. Now there are still
ways round this type of processing like sending ASCII encoded shellcode, but
you might also bump into those pesky line length issues.

I have tested Sidewinder 4.1, 5.0, and G2 and for the most part it provided
the protective functions that SecureComputing claimed. I tested G2 by trying
to send illegal characters in the headers, overly long header lengths, and
other manipulations none of which passed through to the internal network.

So the real question is not "how secure sidewinder is" (or any product for
that matter). The real question is what protective measures does the
sidewinder provide AND how well are they implemented.

mike

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html

Current thread:

Re: Sidewinder G2, (continued)
- - Re: Sidewinder G2 Valdis . Kletnieks (Nov 18)
- RE: Sidewinder G2 Patrick Doyle (Nov 18)
  - Re: Sidewinder G2 Michael Gale (Nov 18)
- RE: Sidewinder G2 Kruse, Steve (Nov 18)
  - RE: Sidewinder G2 Brent J. Nordquist (Nov 18)
    - Re: Sidewinder G2 David Maynor (Nov 18)
    - Re: Sidewinder G2 Brent J. Nordquist (Nov 18)
    - Re: Sidewinder G2 Valdis . Kletnieks (Nov 18)
    - Re: Sidewinder G2 David Maynor (Nov 18)
    - RE: Sidewinder G2 Ron DuFresne (Nov 20)
    - RE: Sidewinder G2 Mike Fratto (Nov 20)
    - RE: Sidewinder G2 Ron DuFresne (Nov 25)
  - RE: Sidewinder G2 Mike Fratto (Nov 18)
  - RE: Sidewinder G2 Michal Zalewski (Nov 19)
- RE: Sidewinder G2 Perrymon, Josh L. (Nov 18)
  - Re: Sidewinder G2 Valdis . Kletnieks (Nov 18)
    - Re: Sidewinder G2 Michael Gale (Nov 18)
- RE: Sidewinder G2 Kruse, Steve (Nov 18)
- Re: Sidewinder G2 Michaelmas (Nov 18)
- RE: Sidewinder G2 Schmehl, Paul L (Nov 20)
  - Re: Sidewinder G2 Shawn McMahon (Nov 20)

(Thread continues...)