Full Disclosure mailing list archives

RE: Sidewinder G2


From: Ron DuFresne <dufresne () winternet com>
Date: Tue, 25 Nov 2003 16:23:46 -0600 (CST)

On Thu, 20 Nov 2003, Mike Fratto wrote:

So, then I have to ask here; do you or anyone
else know of a security incident that compromised the
perimeter guarded by one of these blackboxen?

Yes, I did. Through the transparent HTTP application proxy in version 4.1,
as I stated in an earlier email but...

Yes, I saw your posting on this after I responded...


And I'd direct
folks to the sec-focus vuln listings to determine how these
systems have faired historically say since oh, 1995 or so.

If you're not current with security software to the last two years you're screwed
anyway. A search at CERT for "Secure Computing" and "Sidewinder" yielded 6
entries, the earliest in 2002. A search of the BugTraq db at SecurityFocus
showed 0. Hrmmmm. The consistent response at CERT was that the vuln didn't
yield anything useful due to Type Enforcement.


Currency is a must for any IT-related realm, if not especially security, I
agree...and currency with the tools and toys one is supporting and
maintaining specifically is a must.


The SideWinder is a proxy firewall and it has application support for many of
the common protocols like HTTP, SMTP, FTP, telnet, SQL*Net, H.323, T.120,
etc. What you need to remember is that even if the external proxy contains a
vulnerability, that doesn't mean that traffic will be passed to internal hosts. You
also have to remember the limitations of application proxies; many only deal
with protocol headers and don't even look into the protocol payload. So
exploits against vulnerable servers are typically stopped because 1) the
exploit contains characters outside of the set defined by RFC822 (aka binary
characters, ASCII 128-255) or 2) it can be contained by header length enforcement
(do you really need an HTTP Host: header length greater than 50 characters?).
The application proxy can also limit commands to a subset, which is useful,
but makes support for using TLS within SMTP impossible. Now there are still
ways around this type of processing, like sending ASCII-encoded shellcode, but
you might also bump into those pesky line length issues.



My understanding of proxies, development and use of, is that the deeper
one looks into the packets the more latency is introduced and thus
the slower responses can be handed off. A give-and-take kind of issue.
Thus, many proxies have little depth to their decision making concerning
traffic passed through them, and thus their capabilities. This has been a
constant topic on many of the firewall-related lists for years. Of course,
this tends to put proxies on a par lower than some IDSs in the depth of
their packet inspection. Thus, we remain an industry of layers.

I have tested Sidewinder 4.1, 5.0, and G2 and for the most part it provided
the protective functions that SecureComputing claimed. I tested G2 by trying
to send illegal characters in the headers, overly long header lengths, and
other manipulations, none of which passed through to the internal network.

So the real question is not "how secure Sidewinder is" (or any product for
that matter). The real question is what protective measures does the
Sidewinder provide AND how well are they implemented.


Cool, your definition fits better than mine, with an addendum perhaps:

how well the vendor responds to issues and problems with their
device/code. Seems the Secure Computing folks responded well to your
findings and addressed them quickly, which is a good sign for them and
their product.

Thanks,

Ron DuFresne
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
"Cutting the space budget really restores my faith in humanity.  It
eliminates dreams, goals, and ideals and lets us get straight to the
business of hate, debauchery, and self-annihilation." -- Johnny Hart
        ***testing, only testing, and damn good at it too!***

OK, so you're a Ph.D.  Just don't touch anything.
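
The header-level checks Mike describes above (rejecting bytes outside the 7-bit RFC 822 set, capping header and line lengths, and restricting SMTP to a command subset that leaves no room for STARTTLS) are easy to model. The block below is an added example written for this archive page; it is not Sidewinder code and makes no claim about how Secure Computing implemented its proxies. The 50-byte Host limit comes from the post; the 512-byte line limit, the 1024-byte default header limit, the SMTP command list and all sample requests are assumptions constructed for the demonstration. The last sample shows the caveat from the thread: an all-ASCII payload clears the character filter and is caught, if at all, only by the length limits.

```python
"""Toy model of application-proxy header filtering as described in the thread.

Added example, not Sidewinder or Secure Computing code.  Limits other than the
50-byte Host header, the SMTP command subset and every sample input below are
assumptions made for illustration.
"""

MAX_LINE = 512                      # assumed per-line cap (not from the post)
DEFAULT_MAX_VALUE = 1024            # assumed cap for headers not listed below
HTTP_MAX_HEADER_VALUE = {b"host": 50}   # the "do you really need > 50?" limit

# Assumed command subset.  STARTTLS is deliberately absent, which is exactly
# why a command whitelist of this shape makes TLS within SMTP impossible.
SMTP_ALLOWED = {b"HELO", b"EHLO", b"MAIL", b"RCPT", b"DATA",
                b"RSET", b"NOOP", b"QUIT"}


def is_seven_bit(data: bytes) -> bool:
    """RFC 822 header text is 7-bit; any byte 0x80-0xFF is 'binary'."""
    return all(b < 0x80 for b in data)


def check_http_headers(raw: bytes) -> list:
    """Return the list of violations for an HTTP request's header block.

    An empty list means the proxy model would pass the request on.
    Only headers are inspected; the body (after the blank line) is ignored,
    mirroring the 'headers only, not payload' limitation in the post.
    """
    violations = []
    head, _, _body = raw.partition(b"\r\n\r\n")
    if not is_seven_bit(head):
        violations.append("non-ASCII byte in header block")
    for line in head.split(b"\r\n")[1:]:        # skip the request line
        if len(line) > MAX_LINE:
            violations.append("line too long (%d)" % len(line))
        name, sep, value = line.partition(b":")
        if not sep:
            violations.append("malformed header line")
            continue
        name = name.strip().lower()
        value = value.strip()
        limit = HTTP_MAX_HEADER_VALUE.get(name, DEFAULT_MAX_VALUE)
        if len(value) > limit:
            violations.append("%s header exceeds %d bytes"
                              % (name.decode("ascii", "replace"), limit))
    return violations


def check_smtp_command(line: bytes) -> list:
    """Apply the same byte and length rules plus the command whitelist."""
    violations = []
    if not is_seven_bit(line):
        violations.append("non-ASCII byte in command")
    if len(line.rstrip(b"\r\n")) > MAX_LINE:
        violations.append("line too long (%d)" % len(line.rstrip(b"\r\n")))
    verb = line.strip().split(b" ", 1)[0].upper()
    if verb not in SMTP_ALLOWED:
        violations.append("SMTP command %s not in allowed subset"
                          % verb.decode("ascii", "replace"))
    return violations


def build_request(extra_name: bytes, extra_value: bytes) -> bytes:
    """Constructed sample request with one extra header appended."""
    return (b"GET / HTTP/1.0\r\nHost: www.example.test\r\n"
            + extra_name + b": " + extra_value + b"\r\n\r\n")


def ascii_filler(n: int) -> bytes:
    """Constructed all-printable stand-in for an ASCII-encoded payload."""
    return (b"ABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789" * (n // 36 + 1))[:n]


# Constructed samples, not captured traffic.
SAMPLE_BENIGN = build_request(b"User-Agent", b"test")
SAMPLE_BINARY = build_request(b"X-Pad", bytes(range(0x80, 0x90)))   # high bytes
SAMPLE_LONG_HOST = b"GET / HTTP/1.0\r\nHost: " + b"a" * 60 + b"\r\n\r\n"
SAMPLE_ASCII_SHORT = build_request(b"X-Payload", ascii_filler(200))  # slips by
SAMPLE_ASCII_LONG = build_request(b"X-Payload", ascii_filler(700))   # line cap


if __name__ == "__main__":
    for label, req in [("benign", SAMPLE_BENIGN), ("binary", SAMPLE_BINARY),
                       ("long host", SAMPLE_LONG_HOST),
                       ("ascii short", SAMPLE_ASCII_SHORT),
                       ("ascii long", SAMPLE_ASCII_LONG)]:
        print("%-12s %s" % (label, check_http_headers(req) or "PASS"))
    for cmd in (b"EHLO mail.example.test\r\n", b"STARTTLS\r\n"):
        print("%-12s %s" % (cmd.strip().decode(), check_smtp_command(cmd) or "PASS"))
```

Run stand-alone, the script shows the binary-byte and over-long Host samples rejected, the 200-byte all-ASCII header passed (the evasion the post mentions), the 700-byte one caught only by the assumed line cap, and STARTTLS refused by the command whitelist while EHLO is accepted.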


_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html

