The Sidewinder G2 Security Appliance includes the only firewall that has never had a CERT advisory p

The Sidewinder G2 Security Appliance is the most comprehensive gateway
security appliance in the world, with the strongest credentials of any
leading all-in-one firewall or Unified Threat Management security
appliance (as tracked by IDC). This market leading Internet security
appliance delivers protections for applications and networks against
the entire threat matrix—and at Gigabit speeds. The G2 Security
Appliance consolidates the widest variety of gateway security
functions in one system, reducing the complexity of managing a total
perimeter security solution. These security functions include our
unprecedented Application Defenses* firewall with embedded anti-virus,
anti-spam, traffic anomaly detection, IDS/IPS, and a whole host of
other critical protective features described below.
The Sidewinder G2 Security Appliance includes the only firewall that
has never had a CERT advisory posted against it in over 10 years—a
truly remarkable accomplishment. It has achieved the highest level of
EAL4+ Common Criteria certification possible, with the largest, most
in-depth, extensive security target available (far stronger than other
vendors’ EAL4 ratings). As a result, your Sidewinder G2 provides you
with defense-in-depth protections against the entire threat matrix
around the clock.

*Some Sidewinder G2 Application Defenses features are optional
modules.

Overview



--------------------------------------------------------------------------------
Perimeter security appliances are experiencing a resurgence of intense
scrutiny today, particularly devices that include firewall technology.
Beginning with the Internet boom of the late 1990s, performance was
the primary metric that drove firewall selection. Security took a back
seat, allowing vendors with stateful packet inspection to attain a
leadership market position. Two disturbing trends have begun to swing
the decision-making pendulum back toward security. First, the number
of serious flaws in the perimeter security devices themselves,
including a high number of CERT advisories and root vulnerabilities
that has caused administrators to spend time on securing their
firewalls, a device that was supposed to provide them with security,
not the other way around! More devastating in its effect though is the
dramatic rise in application level attacks (MSBlaster, MyDoom, Slammer
and the like) that are slipping through stateful inspection firewall
technology. This has brought about the advent of additional security
technologies such as "intrusion prevention systems", and has caused
organizations all over the world to rethink their firewall decision.
As a result, a major inflection point is occurring in the perimeter
security market right now as evidenced by the attention of leading
analyst firms, Gartner, META, and IDC in particular.
In response to this inflection point, IDC has defined a new emerging
security segment, known as UTM, or Unified Threat Management*. IDC has
begun tracking vendors who provide security appliances in this
emerging space, which is estimated to far outpace the sales of
traditional perimeter security devices such as firewalls. In fact, the
market for UTM security appliances is estimated by IDC to grow to $2
billion dollars annually by 2008. Most importantly, IDC has recognized
Secure Computing and the Sidewinder G2 Security Appliance as one of
the clear leaders in this new segment.

Because of these new trends and the emerging UTM security segment, it
is no longer considered good enough to rely on a simple perimeter
security device such as a firewall that opens and closes connections
without analyzing the traffic going through. Information Security
purchasers are beginning to demand that their perimeter security
devices recognize and actually stop attacks rather than permitting
them to go through them. Most people believed that stateful inspection
technology has done this all along—however, it has not and does not
provide this level of defense—it was never designed to.

In contrast, from its inception, the Sidewinder G2 Application Defense
technology has been detecting and stopping attacks for over 10 years.
It can protect and defend against over 100,000 attacks, including
protections against attacks that are as yet unknown, because of its
stringent protocol and RFC controls. More importantly, this
purpose-built protection does not sacrifice performance—but rather, is
delivered at the network speeds that you need, even up to gigabit
processing rates. Organizations need to be protected against the full
range of threats targeted against networks and applications, and no
perimeter security appliance is more proven or capable than Secure
Computing’s application layer security gateway, the Sidewinder G2
Security Appliance.

 

<Ipeefreely> wrote in message

<snip>

Hmm. "Only" is a very large claim. I'm not aware, for example, that any of
the UK MoD's home-built firewalls have ever been cited - doesn't prove that
they're invulnerable, of course, just that noone's necessarily got in to
break them. And then told people about it.

That said, I'm shocked to discover that my very own Netgear/Zyxel has had an
advisory posted - so much for that theory )

Uh.. hang on a minute: they *have* been cited a number of times,
http://www.kb.cert.org/vuls/id/AAMN-5BNT9S states that "[no] valuable
information" can be gained (not quite the same thing as "no information")

The basic theory seems to be that services are sandboxed (their word), so
you can lose a service or connection, but not the box. Given that they don't
appear to have had the entire box compromised at any point, I'll ignore the
marketing weasel words and give 'em a cautious round of applause. Still
makes it vulnerable to DoS of specific services, though:

http://secunia.com/advisories/11278/
http://secunia.com/advisories/11632/

Can't find a pricing reference (not usually a good sign!), so I guess that
I'll be sticking with the old RT-314 for the moment - even if it can be made
to leak its LAN [DMZ] address [only] to someone else attached to the same
UBR.

--

Hairy One Kenobi

Disclaimer: the opinions expressed in this opinion do not necessarily
reflect the opinions of the highly-opinionated person expressing the opinion
in the first place. So there!

 

Uh.. hang on a minute: they *have* been cited a number of times,

That is the Sidewinder.

However the Sidewinder G2 (the merge of Sidewinder and Gauntlet)
have not had any CERT Advisories.

I am sure that if you call your regional sale manager they can give
you a price.

The DoS can be handeled with threshold that can be set up by the
Administrator. once the threshold is met the IP or IP's will be black
hold for however you want them to be.

 

Well, that's nailed your flag pretty fairly to the mast as goes background
)

OK, so the Sidewinder G2 is a munge of the Sidewinder and Gauntlet? Both of
which have been exploited, at least to a minor degree, since 2003.

So how does that make the Sidewinder G2 something that hasn't been cracked
in *ten years*? This puzzles me.

As I said, marketing weasel-words aside, it looks to be a pretty good
solution.

Hmm - not sure that's quite what I would call "handled" (restarting a
service generally drops everyone on that daemon, unless there's a special
case I'm missing here). Automatic restart, yeah, I know - probably the best
of a bad set of circumstances.

How much control does the admin have over this automatic black-holing? And
how granular is it? And how about DDoS? Or, dread to say, spoofed IPs
causing a valid set of addresses to be rejected?

You've got me interested, now (although still not for my home network,
unless it's a helluva lot cheaper than I suspect )

H1K

 

It's actually a pretty nice product - though uncrackable is a bit of a
marketing spin.

It's based on a modified and zoned version of BSD Unix. It's not cheap
though for something with gigabit interfaces (one of the models is
basically at dull 1850 and they want an extra £1,000 to give it a
redundant power supply). Ouch!

A large corp would expect to pay something like £20,000 for a suitable
enterprise version.

They have produced a cheaper cut down version on basically a dull
celeron office pc which makes me laugh as it has an atx power supply
that won't auto power back on in the face of a powercut. Not good when
you admin an exterprise firewall half-way arround the globe!

All in all they are pretty good products and better than a slap in the
face with a wet fish...

HTH,

P.

 

Personally I doubt that any Gauntlet code made it into G2,
just a few concepts and some of the look-and-feel.

The CERT advisory cited indicates that a buffer overflow in the DNS
component of the Sidewinder does the attacker no good, since the "Type
Enforcement" (similar to SELinux, etc) prevents actually doing anything
interesting with an overflow.

Technically, Sidewinder G2 is built on top of a BSD-based OS with
custom filesystem and system/network call access controls. In reality,
you don't have the option to compile and run custom executables, so
it's easier to treat the Sidewinder appliance like a black box with "no
user serviceable parts inside".

That pretty much sums up the product.
If you absolutely need a commercial all-in-one firewall appliance,
and you have a huge budget, or you are the government, armed forces,
or a large bank, then the Sidewinder G2 should go on your short list.

I only know one person who uses a G2 to protect his home network

Automatic service restart on the G2 is little different than half a
dozen open source tools (e.g. Bernstein's "daemontools") , only with
less tunability and no access to the source. Actually, that applies to
most of the Sidewinder G2 functionality.

Sometimes, particularly in large organizations, it doesn't matter that
your staff doesn't have the option to tune the system for performance,
to tweak (or even see) the source code, to diagnose and repair security
and other flaws on their own. Sometimes, being locked into only the
features and tunables which the vendor exposes via GUI and a few
limited command-line tools is a feature.

The thresholds and durations are tunable per-rule and per-service, but
the blackholing is always per-IP address, no way to do subnet masks.
DDoS survivability is good. IIRC, G2 has the same sort of SYN-ACK
proxying/spoofing as OpenBSD and other modern BSDs, so SYN floods are
not passed in to protected servers.

For TCP protocols, only reacting to hosts that have completed the
three-way-handshake addresses 99.9999% of the spoofed IP risk.

I'd venture that Sidewinder is a helluva lot more expensive than you
suspect


Kevin Kadow