The Sidewinder G2 Security Appliance includes the only firewall that has never had a CERT advisory p

Discussion in 'Computer Security' started by Ipeefreely, Oct 8, 2005.

  1. Ipeefreely

    Ipeefreely Guest

    The Sidewinder G2 Security Appliance is the most comprehensive gateway
    security appliance in the world, with the strongest credentials of any
    leading all-in-one firewall or Unified Threat Management security
    appliance (as tracked by IDC). This market leading Internet security
    appliance delivers protections for applications and networks against
    the entire threat matrix—and at Gigabit speeds. The G2 Security
    Appliance consolidates the widest variety of gateway security
    functions in one system, reducing the complexity of managing a total
    perimeter security solution. These security functions include our
    unprecedented Application Defenses* firewall with embedded anti-virus,
    anti-spam, traffic anomaly detection, IDS/IPS, and a whole host of
    other critical protective features described below.
    The Sidewinder G2 Security Appliance includes the only firewall that
    has never had a CERT advisory posted against it in over 10 years—a
    truly remarkable accomplishment. It has achieved the highest level of
    EAL4+ Common Criteria certification possible, with the largest, most
    in-depth, extensive security target available (far stronger than other
    vendors’ EAL4 ratings). As a result, your Sidewinder G2 provides you
    with defense-in-depth protections against the entire threat matrix
    around the clock.

    *Some Sidewinder G2 Application Defenses features are optional
    modules.

    Overview



    --------------------------------------------------------------------------------
    Perimeter security appliances are experiencing a resurgence of intense
    scrutiny today, particularly devices that include firewall technology.
    Beginning with the Internet boom of the late 1990s, performance was
    the primary metric that drove firewall selection. Security took a back
    seat, allowing vendors with stateful packet inspection to attain a
    leadership market position. Two disturbing trends have begun to swing
    the decision-making pendulum back toward security. First, the number
    of serious flaws in the perimeter security devices themselves,
    including a high number of CERT advisories and root vulnerabilities
    that has caused administrators to spend time on securing their
    firewalls, a device that was supposed to provide them with security,
    not the other way around! More devastating in its effect though is the
    dramatic rise in application level attacks (MSBlaster, MyDoom, Slammer
    and the like) that are slipping through stateful inspection firewall
    technology. This has brought about the advent of additional security
    technologies such as "intrusion prevention systems", and has caused
    organizations all over the world to rethink their firewall decision.
    As a result, a major inflection point is occurring in the perimeter
    security market right now as evidenced by the attention of leading
    analyst firms, Gartner, META, and IDC in particular.
    In response to this inflection point, IDC has defined a new emerging
    security segment, known as UTM, or Unified Threat Management*. IDC has
    begun tracking vendors who provide security appliances in this
    emerging space, which is estimated to far outpace the sales of
    traditional perimeter security devices such as firewalls. In fact, the
    market for UTM security appliances is estimated by IDC to grow to $2
    billion dollars annually by 2008. Most importantly, IDC has recognized
    Secure Computing and the Sidewinder G2 Security Appliance as one of
    the clear leaders in this new segment.

    Because of these new trends and the emerging UTM security segment, it
    is no longer considered good enough to rely on a simple perimeter
    security device such as a firewall that opens and closes connections
    without analyzing the traffic going through. Information Security
    purchasers are beginning to demand that their perimeter security
    devices recognize and actually stop attacks rather than permitting
    them to go through them. Most people believed that stateful inspection
    technology has done this all along—however, it has not and does not
    provide this level of defense—it was never designed to.

    In contrast, from its inception, the Sidewinder G2 Application Defense
    technology has been detecting and stopping attacks for over 10 years.
    It can protect and defend against over 100,000 attacks, including
    protections against attacks that are as yet unknown, because of its
    stringent protocol and RFC controls. More importantly, this
    purpose-built protection does not sacrifice performance—but rather, is
    delivered at the network speeds that you need, even up to gigabit
    processing rates. Organizations need to be protected against the full
    range of threats targeted against networks and applications, and no
    perimeter security appliance is more proven or capable than Secure
    Computing’s application layer security gateway, the Sidewinder G2
    Security Appliance.
     
    Ipeefreely, Oct 8, 2005
    #1
    1. Advertising

  2. <Ipeefreely> wrote in message
    news:...

    <snip>

    Hmm. "Only" is a very large claim. I'm not aware, for example, that any of
    the UK MoD's home-built firewalls have ever been cited - doesn't prove that
    they're invulnerable, of course, just that noone's necessarily got in to
    break them. And then told people about it.

    That said, I'm shocked to discover that my very own Netgear/Zyxel has had an
    advisory posted - so much for that theory :eek:)

    Uh.. hang on a minute: they *have* been cited a number of times,
    http://www.kb.cert.org/vuls/id/AAMN-5BNT9S states that "[no] valuable
    information" can be gained (not quite the same thing as "no information")

    The basic theory seems to be that services are sandboxed (their word), so
    you can lose a service or connection, but not the box. Given that they don't
    appear to have had the entire box compromised at any point, I'll ignore the
    marketing weasel words and give 'em a cautious round of applause. Still
    makes it vulnerable to DoS of specific services, though:

    http://secunia.com/advisories/11278/
    http://secunia.com/advisories/11632/

    Can't find a pricing reference (not usually a good sign!), so I guess that
    I'll be sticking with the old RT-314 for the moment - even if it can be made
    to leak its LAN [DMZ] address [only] to someone else attached to the same
    UBR.

    --

    Hairy One Kenobi

    Disclaimer: the opinions expressed in this opinion do not necessarily
    reflect the opinions of the highly-opinionated person expressing the opinion
    in the first place. So there!
     
    Hairy One Kenobi, Oct 8, 2005
    #2
    1. Advertising

  3. Ipeefreely

    Ipeefreely Guest

    Uh.. hang on a minute: they *have* been cited a number of times,
    >http://www.kb.cert.org/vuls/id/AAMN-5BNT9S states that "[no] valuable
    >information" can be gained (not quite the same thing as "no information")


    That is the Sidewinder.

    However the Sidewinder G2 (the merge of Sidewinder and Gauntlet)
    have not had any CERT Advisories.

    I am sure that if you call your regional sale manager they can give
    you a price.

    The DoS can be handeled with threshold that can be set up by the
    Administrator. once the threshold is met the IP or IP's will be black
    hold for however you want them to be.




    On Sat, 08 Oct 2005 11:15:44 GMT, "Hairy One Kenobi"
    <abuse@[127.0.0.1]> wrote:

    ><Ipeefreely> wrote in message
    >news:...
    >
    ><snip>
    >
    >Hmm. "Only" is a very large claim. I'm not aware, for example, that any of
    >the UK MoD's home-built firewalls have ever been cited - doesn't prove that
    >they're invulnerable, of course, just that noone's necessarily got in to
    >break them. And then told people about it.
    >
    >That said, I'm shocked to discover that my very own Netgear/Zyxel has had an
    >advisory posted - so much for that theory :eek:)
    >
    >Uh.. hang on a minute: they *have* been cited a number of times,
    >http://www.kb.cert.org/vuls/id/AAMN-5BNT9S states that "[no] valuable
    >information" can be gained (not quite the same thing as "no information")
    >
    >The basic theory seems to be that services are sandboxed (their word), so
    >you can lose a service or connection, but not the box. Given that they don't
    >appear to have had the entire box compromised at any point, I'll ignore the
    >marketing weasel words and give 'em a cautious round of applause. Still
    >makes it vulnerable to DoS of specific services, though:
    >
    >http://secunia.com/advisories/11278/
    >http://secunia.com/advisories/11632/
    >
    >Can't find a pricing reference (not usually a good sign!), so I guess that
    >I'll be sticking with the old RT-314 for the moment - even if it can be made
    >to leak its LAN [DMZ] address [only] to someone else attached to the same
    >UBR.
     
    Ipeefreely, Oct 8, 2005
    #3
  4. <Ipeefreely> wrote in message
    news:p...
    > Uh.. hang on a minute: they *have* been cited a number of times,
    > >http://www.kb.cert.org/vuls/id/AAMN-5BNT9S states that "[no] valuable
    > >information" can be gained (not quite the same thing as "no information")

    >
    > That is the Sidewinder.
    >
    > However the Sidewinder G2 (the merge of Sidewinder and Gauntlet)
    > have not had any CERT Advisories.
    >
    > I am sure that if you call your regional sale manager they can give
    > you a price.


    Well, that's nailed your flag pretty fairly to the mast as goes background
    :eek:)

    OK, so the Sidewinder G2 is a munge of the Sidewinder and Gauntlet? Both of
    which have been exploited, at least to a minor degree, since 2003.

    So how does that make the Sidewinder G2 something that hasn't been cracked
    in *ten years*? This puzzles me.

    As I said, marketing weasel-words aside, it looks to be a pretty good
    solution.

    > The DoS can be handeled with threshold that can be set up by the
    > Administrator. once the threshold is met the IP or IP's will be black
    > hold for however you want them to be.


    Hmm - not sure that's quite what I would call "handled" (restarting a
    service generally drops everyone on that daemon, unless there's a special
    case I'm missing here). Automatic restart, yeah, I know - probably the best
    of a bad set of circumstances.

    How much control does the admin have over this automatic black-holing? And
    how granular is it? And how about DDoS? Or, dread to say, spoofed IPs
    causing a valid set of addresses to be rejected?

    You've got me interested, now (although still not for my home network,
    unless it's a helluva lot cheaper than I suspect :eek:)

    H1K
     
    Hairy One Kenobi, Oct 8, 2005
    #4
  5. Ipeefreely

    Guest

    It's actually a pretty nice product - though uncrackable is a bit of a
    marketing spin.

    It's based on a modified and zoned version of BSD Unix. It's not cheap
    though for something with gigabit interfaces (one of the models is
    basically at dull 1850 and they want an extra £1,000 to give it a
    redundant power supply). Ouch!

    A large corp would expect to pay something like £20,000 for a suitable
    enterprise version.

    They have produced a cheaper cut down version on basically a dull
    celeron office pc which makes me laugh as it has an atx power supply
    that won't auto power back on in the face of a powercut. Not good when
    you admin an exterprise firewall half-way arround the globe!

    All in all they are pretty good products and better than a slap in the
    face with a wet fish...

    HTH,

    P.
     
    , Oct 8, 2005
    #5
  6. Ipeefreely

    Guest

    H1K wrote:

    > OK, so the Sidewinder G2 is a munge of the Sidewinder and Gauntlet?


    Personally I doubt that any Gauntlet code made it into G2,
    just a few concepts and some of the look-and-feel.


    > Both of which have been exploited, at least to a minor degree,
    > since 2003.
    >
    > So how does that make the Sidewinder G2 something that hasn't
    > been cracked in *ten years*? This puzzles me.


    The CERT advisory cited indicates that a buffer overflow in the DNS
    component of the Sidewinder does the attacker no good, since the "Type
    Enforcement" (similar to SELinux, etc) prevents actually doing anything
    interesting with an overflow.

    Technically, Sidewinder G2 is built on top of a BSD-based OS with
    custom filesystem and system/network call access controls. In reality,
    you don't have the option to compile and run custom executables, so
    it's easier to treat the Sidewinder appliance like a black box with "no
    user serviceable parts inside".


    > As I said, marketing weasel-words aside,
    > it looks to be a pretty good solution.


    That pretty much sums up the product.
    If you absolutely need a commercial all-in-one firewall appliance,
    and you have a huge budget, or you are the government, armed forces,
    or a large bank, then the Sidewinder G2 should go on your short list.

    I only know one person who uses a G2 to protect his home network :)


    > Automatic restart, yeah, I know -
    > probably the bestof a bad set of circumstances.


    Automatic service restart on the G2 is little different than half a
    dozen open source tools (e.g. Bernstein's "daemontools") , only with
    less tunability and no access to the source. Actually, that applies to
    most of the Sidewinder G2 functionality.

    Sometimes, particularly in large organizations, it doesn't matter that
    your staff doesn't have the option to tune the system for performance,
    to tweak (or even see) the source code, to diagnose and repair security
    and other flaws on their own. Sometimes, being locked into only the
    features and tunables which the vendor exposes via GUI and a few
    limited command-line tools is a feature.



    > How much control does the admin have over this automatic black-holing?
    > And how granular is it? And how about DDoS?


    The thresholds and durations are tunable per-rule and per-service, but
    the blackholing is always per-IP address, no way to do subnet masks.
    DDoS survivability is good. IIRC, G2 has the same sort of SYN-ACK
    proxying/spoofing as OpenBSD and other modern BSDs, so SYN floods are
    not passed in to protected servers.


    > Or, dread to say,
    > spoofed IPs causing a valid set of addresses to be rejected?


    For TCP protocols, only reacting to hosts that have completed the
    three-way-handshake addresses 99.9999% of the spoofed IP risk.


    > You've got me interested, now (although still not for my home network,
    >unless it's a helluva lot cheaper than I suspect :eek:)


    I'd venture that Sidewinder is a helluva lot more expensive than you
    suspect ;)


    Kevin Kadow
    --
    Moderator, unofficial Sidewinder Users group
    http://groups.yahoo.com/group/sidewinder-users/
     
    , Oct 8, 2005
    #6
    1. Advertising

Want to reply to this thread or ask your own question?

It takes just 2 minutes to sign up (and it's free!). Just click the sign up button to choose a username and then you can ask your own questions on the forum.
Similar Threads
  1. Alan Lee
    Replies:
    16
    Views:
    709
    Martin Bilgrav
    Jul 23, 2003
  2. Pavlov
    Replies:
    0
    Views:
    453
    Pavlov
    Apr 21, 2004
  3. Boomer
    Replies:
    1
    Views:
    812
    Hugh Lilly
    Aug 27, 2003
  4. Ramon F Herrera
    Replies:
    7
    Views:
    664
    DA Morgan
    Mar 3, 2007
  5. WhzzKdd

    Firewall Appliance Suggestions?

    WhzzKdd, Aug 21, 2007, in forum: Computer Support
    Replies:
    14
    Views:
    887
    Leythos
    Aug 22, 2007
Loading...

Share This Page