Firewall Wizards mailing list archives

Re: SCC buys Gauntlet


From: Jeffery.Gieser () minnesotamutual com
Date: Mon, 25 Feb 2002 08:24:49 -0600

Kevin,

#What I would like to see is for Secure Computing to port the best features
#of Sidewinder into Gauntlet, using Sparc hardware and trusted Solaris 8/9
#for 'mandatory access control'.

     I highly doubt this will happen.  They will port the good features of
Gauntlet into Sidewinder.  Secure Computing cannot support two products
that are as similar as Gauntlet and Sidewinder.  Secure Computing has
thought about porting Sidewinder over to SPARC hardware and I think it
would be cool but the project is always killed due to lack of
interest/money.  I personally think the MAC features provided by Type
Enforcement (TE) are much better than those in Trusted Solaris.  Granted
this is just my opinion but Secure Computing has put a lot of work into TE.
The original TE design for an OS called LOCKix was created to meet or
exceed all A1 specifications for the NSA.

#Also, I found a DoS against the product using ISIC, (A packet-filter
#testing tool

I would venture to guess that there is a DoS attack for every computer ever
built.

#I ran Sidewinder firewalls locally at a 200-person enterprise in 2000, and
#was not very happy with them.

     There is a big difference between the Sidewinder in 2000 and the
Sidewinder in 2002.  They have improved a lot of things.  The GUI in the
newest Sidewinder is much better than the GUI in Gauntlet.  The command
line in both is pretty equal since they are both UNIX based.

#Sidewinder swiftly hits its limits in how much customization is possible,
#and is very difficult to extend the functions of the firewall host. What
#do you do when you need Quad ethernet, etherchannel or gig connectivity?

     The Sidewinder, especially in V5.2, offers a lot more hardware support
than it did in 2000.  The big reason for this is that Sidewinder upgraded
the BSD kernel from V2.1 to V4.1.  There are plenty of network connectivity
options and the PC hardware is not such a pain to set up anymore.  It still
isn't SPARC but you can load balance.

#I don't trust BIND, I install djb's daemontools and dnscache.  I don't
#trust SMAP (for good reason!) or sendmail. I install QMail.

     If you buy into TE and the whole trusted operating system concept then
running BIND or Sendmail on a TOS system is a lot more secure than running
it on a vanilla UNIX system.  The Sendmail/DNS flaws that allow you to root
a box on vanilla UNIX cannot be used to root the box on Sidewinder.  Once
again there has been discussion at Secure Computing about using packages
other than BIND or Sendmail but because of the security of TE and the
functionality of BIND and Sendmail the Sidewinder has not been switched
over.

#I need to do nightly off-site system backups, I use cron, ufsdump and ssh
#to push filesystem images to a remote host over a private backchannel
#network.

     I home-brewed my own scripts to do backups as well on Sidewinder.  It
isn't very difficult.  You may not be allowed to install some of your
favorite tools but you can use what is provided to get the job done in a
secure manner.

#Plus you lose the ability to use the features of the underlying
#operating system, since it is all bundled and mostly out of your reach. No
#support for compiling custom binaries or loading new proxy applications
#beyond what Secure Computing sees fit to give you.

     Once again, TE would be useless if you could install any packages you
wanted to on the Sidewinder because flaws in those packages would bypass
TE.  It would be nice to see some stuff on Sidewinder that currently isn't
there but you can say that about any product.  The firewall is very
customizable from a passing traffic standpoint.  I can get any brain dead
protocol upper management insists on through it just fine =)  You cannot
load anything you want onto the box but in most cases this is a good thing.

     It would be nice to see them open up TE so that you could write your
own application level proxies and tie them into TE.  I think the big reason
they don't want to do this is the bad press aspect of having somebody screw
up TE on their Sidewinder and having the box compromised because of it.

#If I didn't want to maintain the OS, I'd buy the Gauntlet appliance
#firewall.

     The problem is most people who run firewalls do not have the expertise
to SECURELY maintain the OS.  You are not the average firewall admin.  It
is also pretty nice for those of us who have the expertise but not the time
to use the Sidewinder and not worry so much about the underlying OS.

     It sounds like there are some very specific things that you want your
firewall to do and the Sidewinder cannot be allowed to do them because of
TE.  This doesn't make the Sidewinder a poor firewall.  It just means it
may not be the right firewall for you. If your needs change then look at it
again.  I have always been very satisfied with the Sidewinder.


Regards,
Jeffery Gieser


_______________________________________________
firewall-wizards mailing list
firewall-wizards () nfr com
http://list.nfr.com/mailman/listinfo/firewall-wizards
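The nightly off-site backup that Kevin describes (cron pushing filesystem
dump images to a remote host over ssh on a private backchannel network), as
an added example that is not part of the original thread and is neither
Kevin's script nor anything shipped by Secure Computing. It assumes BSD
dump(8), since the reply says Sidewinder runs on a BSD kernel (on Solaris the
equivalent is ufsdump); the host name vault.backnet.example, the account bkp,
the key path and the /images directory are placeholders. It also assumes the
matching authorized_keys entry on the remote host carries
no-pty,no-port-forwarding and a forced command that only accepts the expected
"cat > /images/<name>" (not shown here), so a compromised firewall can write
new images but cannot log in or read the images already stored.

```shell
#!/bin/sh
# push-dumps.sh: nightly push of filesystem dump images to an off-site host
# over ssh.  Added example, not code from the post or from Secure Computing.
# Assumptions (placeholders, not from the page): BSD dump(8) on the firewall,
# a backup-only account BACKUP_USER on BACKUP_HOST that is reachable only over
# the private backchannel network, and a dedicated key BACKUP_KEY whose
# authorized_keys entry on the remote host is restricted (no-pty,
# no-port-forwarding, forced command) so the firewall can add images but
# cannot log in or read the images already stored there.

BACKUP_HOST=${BACKUP_HOST:-vault.backnet.example}
BACKUP_USER=${BACKUP_USER:-bkp}
BACKUP_KEY=${BACKUP_KEY:-/etc/backup/id_backup}
BACKUP_DIR=${BACKUP_DIR:-/images}

# Dump level from the day of week (0 = Sunday, as printed by date +%w):
# a full (level 0) dump on Sunday, incremental levels 1..6 on the other
# nights so each image only holds what changed since the last lower level.
dump_level_for_day() {
    case "$1" in
        0)     echo 0 ;;
        [1-6]) echo "$1" ;;
        *)     echo "dump_level_for_day: bad day-of-week '$1'" >&2; return 1 ;;
    esac
}

# Remote image name: "/" -> root-DATE.L0.dump, "/var/log" -> var_log-DATE.L3.dump
image_name() {
    fs=$1; day=$2; level=$3
    if [ "$fs" = "/" ]; then
        base=root
    else
        base=$(printf '%s' "$fs" | sed -e 's#^/##' -e 's#/#_#g')
    fi
    echo "${base}-${day}.L${level}.dump"
}

# Dump one filesystem straight into ssh; nothing is staged on the firewall's
# own disk, which matters on a box with small partitions.
run_backup() {
    fs=$1
    level=$(dump_level_for_day "$(date +%w)") || return 1
    name=$(image_name "$fs" "$(date +%Y-%m-%d)" "$level")
    st=$(mktemp /tmp/dumpstatus.XXXXXX) || return 1
    # A POSIX sh pipeline only reports the status of its last command (ssh),
    # so dump's own status is written to a temp file and checked afterwards;
    # otherwise a dump that dies half-way leaves a plausible-looking image.
    { dump "-${level}uaf" - "$fs"; echo $? >"$st"; } |
        ssh -i "$BACKUP_KEY" -o BatchMode=yes -o StrictHostKeyChecking=yes \
            "${BACKUP_USER}@${BACKUP_HOST}" "cat > '${BACKUP_DIR}/${name}'"
    ssh_rc=$?
    dump_rc=$(cat "$st"); rm -f "$st"
    if [ "$ssh_rc" -ne 0 ] || [ "${dump_rc:-1}" -ne 0 ]; then
        echo "backup of $fs failed (dump=${dump_rc:-?} ssh=$ssh_rc)" >&2
        return 1
    fi
    echo "pushed $fs as $name (level $level)"
}

main() {
    rc=0
    for fs in "$@"; do
        run_backup "$fs" || rc=1
    done
    return $rc
}

# Run only when filesystems are given on the command line, e.g. from cron:
#   5 2 * * * /usr/local/sbin/push-dumps.sh / /usr /var
[ $# -gt 0 ] && main "$@"
```

The level schedule keeps the weekly full dump plus one incremental per night,
so the off-site host holds at most seven images per filesystem per week and a
restore needs the Sunday image plus the latest incremental. Capturing dump's
exit status separately is the part most home-brewed scripts miss: ssh returns
0 as long as the remote "cat" succeeded, even when dump aborted after writing
a partial image. The remote-side key restriction is what keeps the backchannel
from becoming a path back into the backups if the firewall itself is ever
compromised.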