Ernie,

To start off with, I will admit my bias towards Sidewinder.

1.  Firewall-1

This firewall is MUCH faster than the Sidewinder and comparable to the PIX
in speed.  I feel that Firewall-1 is more secure (especially the Nokia
solution) than PIX although I do not have a lot of experience with
Firewall-1. Secure Computing claims that it is trivial to send malformed
packets and do other nasty things through Firewall-1 but I don't have any
actual proof of this (and they make Sidewinder so take it with a grain of
salt).

2.  PIX

I have done some work installing PIX and I was very disappointed.  The GUI
sucked.  I did the entire configuration on the command line.  IMHO, the
Cisco PIX has a very poor security model that is ill suited to a site with
high security objectives.  If you are installing a Cisco PIX that has three
network cards then you assign a number to each card. All higher numbered
cards, by default, can send any traffic to all lower numbered cards.  I
think all traffic should be denied that is not specifically allowed.

3.  Sidewinder

I know this product very well and, IMHO, whoever called it a Yugo doesn't
know firewalls or UNIX.

The Sidewinder is an application-layer gateway that runs on a trusted
operating system called SecureOS.  This is actually BSDI (2.1 kernel for
Sidewinder 4< or 4.0 kernel for Sidewinder 5).  The Sidewinder engineers
reviewed the BSDI code for security bugs and placed mandatory access
controls (Type Enforcement) in the OS.  Type Enforcement was originally
developed for the NSA as part of a mail machine, SNS - Secure Network
Server, that was allowed to pass mail from a classified network to an
unclassified network.  I mean networks with TS/SCI information on them not
just Secret  or Confidential information.  I have yet to see a firewall
with more application layer proxies than Sidewinder 5.0.  It has split DNS.
It also has two sendmail servers for mail relay and some pretty advanced
mail filtering capabilities that slow the box down way too much to use.
Sidewinder 5 has a Squid proxy server and Sidewinder 4< has a CERN proxy
server.  There is URL filtering built-in.  The firewall rocks and is by far
my favorite.  Granted the only other firewalls I have worked with are
SecureZone, Borderware, OS/390 firewall, and PIX.  The Sidewinder has
something called a 'burb'.  Basically, this is an ACL list for a specific
area of the firewall that will include at least one network card and
possibly some services (Telnet server or SSH server) i.e. internal,
external, dmz.  You can have up to 8 burbs.  You can also create ACLs that
limit traffic from one network card (or port) to another network card where
both network cards exist in the same burb so I can run 10 4-port network
cards that allow me to have 40 separately secured networks.  I think this
would slow the box down but it would be kinda cool.  The Sidewinder is slow
but has improved in speed a lot with Sidewinder 5.  One Sidewinder 4
firewall is supposed to handle a T-3 according to testing but I think 2
T-1's is a more accurate assessment.  I don't know exactly how much traffic
Sidewinder 5 is supposed to handle.  There is a good load balancing solution
with Radware's Fireproof.  The new Sidewinder 5 GUI is much better than the
old GUI.  You do need to know UNIX, DNS, and routing as well as a little
bit about Sendmail to administer this.  It is not for the faint-of-heart.

Example of how Type Enforcement works in regards to the Sendmail and DNS
daemons running on Sidewinder.

     Type Enforcement isolates processes to certain areas within the OS.
On a 'normal' UNIX box a lot of daemons are run as root.  This allows any
command executed by the Sendmail daemon to be executed as root.  Hackers
use exploits for Sendmail and DNS so that they can execute commands on a
UNIX box as root.  This is why it is very important to keep UNIX Sendmail
and DNS at the current patch level.  On the Sidewinder you cannot patch the
Sendmail or DNS servers so you need to wait for Secure Computing to patch
them in a Sidewinder update.  This could lead to serious vulnerabilities on
the Sidewinder if it were not for Type Enforcement.  Type Enforcement acts
a little like extensions to the UNIX file permissions but is much more
secure than UNIX file permissions.  Each directory and file on the
Sidewinder has a Type Enforcement which equates to a Type Enforced domain.
The file /etc/mailertable.mta0 has a Type Enforcement of mtac:conf.  This
means it is part of the mtac domain and it is a configuration file.  Each
daemon is allowed to access certain domains.  Sendmail can access the mtac
domain.  Remember, Type Enforcement supersedes root privileges.  This means
that even though Sendmail is running as root, it can only access files and
directories that are part of the mtac domain.  If a hacker uses a buffer
overflow attack to cause named (DNS daemon) to execute a command then Type
Enforcement has to allow named to execute that command or an 'operation not
permitted' error will be logged.   This is true for all of the regular UNIX
commands.  This means that even if a hacker gains root from an exploit on
the Sendmail daemon he cannot access anything not allowed by the mtac
domain and he cannot use regular UNIX commands.  He would need to penetrate
the Admn domain from the mtac domain without using his normal tools.  The
hacker could probably stop the Sendmail or DNS servers from running
properly by using a common exploit but this can be done much easier by
using a Denial-of-Service script.

Regards,
Jeffery Gieser
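The Type Enforcement behaviour described in the message above, modelled as an added example (this is not code from the original post, from Secure Computing, or from SecureOS). It keeps the two ideas Jeffery describes: every file carries a type label such as mtac:conf, every process runs in a domain such as mtac, and a domain-to-type permission table, not the uid, decides access, so root inside the sendmail domain still gets "Operation not permitted" for /bin/sh. Only the mtac:conf label on /etc/mailertable.mta0 and the domain names mtac and Admn come from the post; every other path, label, and table entry is a constructed assumption for illustration.

```python
"""Toy model of Type Enforcement as described for Sidewinder's SecureOS.

Added example, not code from the original post or from Secure Computing.
Only the "mtac:conf" label on /etc/mailertable.mta0 and the domain names
mtac and Admn come from the post; every other path, label and table entry
is a constructed assumption.
"""
from dataclasses import dataclass

# Constructed labelling of a few paths (label "domain:kind").
FILE_TYPES = {
    "/etc/mailertable.mta0": "mtac:conf",   # from the post
    "/var/spool/mqueue":     "mtac:spool",  # assumed
    "/usr/sbin/sendmail":    "mtac:exec",   # assumed
    "/etc/named.conf":       "named:conf",  # assumed
    "/usr/sbin/named":       "named:exec",  # assumed
    "/bin/sh":               "Admn:exec",   # assumed: ordinary UNIX tools
    "/etc/master.passwd":    "Admn:conf",   # assumed
}

# Constructed domain -> type -> permitted operations table.  Only the
# Admn domain may touch "Admn:*" types; everything not listed is denied.
POLICY = {
    "mtac":  {"mtac:conf": {"read"}, "mtac:spool": {"read", "write"},
              "mtac:exec": {"execute"}},
    "named": {"named:conf": {"read"}, "named:exec": {"execute"}},
    "Admn":  {t: {"read", "write", "execute"} for t in set(FILE_TYPES.values())},
}


@dataclass
class Process:
    name: str
    uid: int      # 0 == root; deliberately ignored by te_allowed()
    domain: str


def classic_unix_allowed(proc: Process, path: str, op: str) -> bool:
    """Plain UNIX DAC as a baseline: root may do anything."""
    return proc.uid == 0


def te_allowed(domain: str, path: str, op: str) -> bool:
    """Type Enforcement check: the domain/type table decides, uid does not."""
    ftype = FILE_TYPES.get(path)
    if ftype is None:
        return False                       # unlabelled object: default deny
    return op in POLICY.get(domain, {}).get(ftype, set())


def attempt(proc: Process, path: str, op: str, log: list) -> bool:
    """Apply the TE check; a denial is logged the way the post describes."""
    if not te_allowed(proc.domain, path, op):
        log.append(f"{proc.name}[{proc.domain}] uid={proc.uid} {op} {path}: "
                   "Operation not permitted")
        return False
    return True


def simulate_compromised_sendmail() -> dict:
    """Attacker has root inside sendmail (domain mtac) and tries the usual
    next steps.  Returns each attempted step -> whether TE let it happen."""
    log: list = []
    sendmail = Process("sendmail", uid=0, domain="mtac")
    results = {
        "read mailertable":   attempt(sendmail, "/etc/mailertable.mta0", "read", log),
        "write mail spool":   attempt(sendmail, "/var/spool/mqueue", "write", log),
        "exec /bin/sh":       attempt(sendmail, "/bin/sh", "execute", log),
        "read master.passwd": attempt(sendmail, "/etc/master.passwd", "read", log),
        "read named.conf":    attempt(sendmail, "/etc/named.conf", "read", log),
    }
    # The same actions under plain DAC all succeed because uid == 0.
    results["dac_would_allow_all"] = all(
        classic_unix_allowed(sendmail, p, "read") for p in FILE_TYPES)
    results["denials_logged"] = len(log)
    return results


if __name__ == "__main__":
    for step, ok in simulate_compromised_sendmail().items():
        print(f"{step:22s} {ok}")
```

Running the block shows the sendmail process, despite uid 0, reading its own mailertable and writing its spool but being refused /bin/sh, /etc/master.passwd, and the named configuration, with one logged denial per refused step; the DAC baseline returns True for every path, which is the gap the post says Type Enforcement closes.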

Ernie Cespedes <[EMAIL PROTECTED]>
Sent by: firewalls-owner@Lists.GNAC.NET
07/26/2000 01:28 PM

To:      "[EMAIL PROTECTED]" <[EMAIL PROTECTED]>
cc:
Subject: Firewall Help for ASP Services

I'm in a situation to investigate and recommend the firewall equipment
needed for our company's Application Services Provider services.  We
will be launching the ASP services to our customers in Q4.   We have
appx. 150 customers, of which at least 25 should be able to use the tools
simultaneously.

This ASP network will be separate from our main network and would have
a dedicated T-1.  This would allow us to move it to an ISP with a
higher bandwidth in the future.

Our ASP equipment so far:

4  Sun 450r quad cpus with 1GB RAM servers.  We're strictly a Sun house,
   but will be porting the software to Linux and HP in the future.


My questions:

Which Firewall product do most companies use for e-business services?
Firewall-1 and Cisco PIX seem to be the norm in my opinion, but any other
FW products besides these two?   We're currently using Sonicwall DMZ for
our company's firewall, but this little pup was not built for e-business
services.

Sidewinder as I recall from previous posts, seems to be another choice
but it was also called the "Yugo" of Firewalls as compared to FW-1.

Is there a site or references where I can find and learn more about
planning for an ASP site?

Any suggestions what FW equipment to use if "you" were in my shoes?

Thanks,

-Ernie

-
[To unsubscribe, send mail to [EMAIL PROTECTED] with
"unsubscribe firewalls" in the body of the message.]