[fw-wiz] Secure Computing Sidewinder? - Firewalls


  1. [fw-wiz] Secure Computing Sidewinder?

    We currently use Microsoft ISA Server 2006 at the edge of our LAN (we
    have a hardware firewall in front of it at our perimeter).

    The hardware it runs on is due for replacement, so I'm looking at the
    options as we don't use ISA for a specific set of reasons, we
    basically "fell" into it.

    One of the options that I'm looking at is the Secure Computing
    Sidewinder. On paper it looks like a very nice bit of kit, and
    reading things such as that it's extensively used by banks and the
    military etc. instils a lot of confidence in the product.

    I know both ISA and Sidewinder are "Application Layer" firewalls and
    act as proxies etc. but I'm struggling to get my head around why one
    might be "better" than the other, I guess I'm a little unclear on
    exactly what "Application Layer" means tbh despite reading various
    definitions?

    My understanding with the Sidewinder is that the proxies receive each
    packet, tear it apart, inspect it, and then depending on the
    protocol it drops/discards anything that is dangerous, and in the
    case of safe content rewrites the packet and makes the connection
    itself so that the source machine never connects directly to the
    destination, rather the connection always terminates at the
    Sidewinder, which makes the connection on its behalf?

    I'm also struggling to understand how useful an application layer
    firewall is when it seemingly is never updated i.e. Microsoft ISA
    server?

    Our requirements are pretty simple I would imagine:

    We want to let traffic out, with the source being restricted by IP
    address or Active Directory user. Mostly standard protocols such as
    dns/smtp/http/https/ftp where we would expect all traffic to conform
    to the protocol. In some instances we'll need to open port X to
    destination Y and would want to simply allow traffic to pass and
    wouldn't expect a firewall to know what the traffic is as it will be
    something unique to an application that we're using.

    We want to allow smtp in, as well as a few specific internal websites
    such as Outlook Web Access etc. which use HTTPS.

    I'd appreciate any input on the specifics of how the two products
    differ and how one might be considered "better" than the other both
    in terms of bottom line security, and our requirements.

    cheers,
    Paul
    _______________________________________________
    firewall-wizards mailing list
    firewall-wizards@listserv.icsalabs.com
    https://listserv.icsalabs.com/mailma...rewall-wizards


  2. Re: [fw-wiz] Secure Computing Sidewinder?

    No, being "application layer proxy" means there is no such thing as
    a packet for the inspection engine. It means the firewall terminates
    the TCP session itself and starts a new one on behalf of the client.
    So it does not matter how data is distributed among packets.

    And it is still useful even if you do not have an up-to-date signature
    database of "known bad things". With Sidewinder, you do, however.

    On Sun, Jun 08, 2008 at 11:23:49AM +0100, Paul Hutchings wrote:
    >
    > I know both ISA and Sidewinder are "Application Layer" firewalls and
    > act as proxies etc. but I'm struggling to get my head around why one
    > might be "better" than the other, I guess I'm a little unclear on
    > exactly what "Application Layer" means tbh despite reading various
    > definitions?
    >
    > My understanding with the Sidewinder is that the proxies receive each
    > packet, tear it apart, inspect it, and then depending on the
    > protocol it drops/discards anything that is dangerous, and in the
    > case of safe content rewrites the packet and makes the connection
    > itself so that the source machine never connects directly to the
    > destination, rather the connection always terminates at the
    > Sidewinder, which makes the connection on its behalf?
    >
    > I'm also struggling to understand how useful an application layer
    > firewall is when it seemingly is never updated i.e. Microsoft ISA
    > server?
    >
    > Our requirements are pretty simple I would imagine:
    >
    > We want to let traffic out, with the source being restricted by IP
    > address or Active Directory user. Mostly standard protocols such as
    > dns/smtp/http/https/ftp where we would expect all traffic to conform
    > to the protocol. In some instances we'll need to open port X to
    > destination Y and would want to simply allow traffic to pass and
    > wouldn't expect a firewall to know what the traffic is as it will be
    > something unique to an application that we're using.
    >
    > We want to allow smtp in, as well as a few specific internal websites
    > such as Outlook Web Access etc. which use HTTPS.
    >
    > I'd appreciate any input on the specifics of how the two products
    > differ and how one might be considered "better" than the other both
    > in terms of bottom line security, and our requirements.
    >
    > cheers,
    > Paul


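
Added example, not part of any post in this thread and not Sidewinder or ISA code: a sketch of what reply 2 describes, where the proxy reassembles the client's byte stream into SMTP lines and re-issues only the ones that pass a protocol allowlist on its own upstream connection. The class and function names, the verb policy and the sample session are constructed for illustration, and the body relay is simplified (it does not wait for the server's 354 reply).

```python
# Added illustration (hypothetical names; policy and sample data are constructed).
ALLOWED_VERBS = {b"HELO", b"EHLO", b"MAIL", b"RCPT", b"DATA", b"RSET", b"NOOP", b"QUIT"}
MAX_LINE = 512  # SMTP command line limit in octets, CRLF included (RFC 5321)

class ProxySession:
    """Client-facing half of one proxied SMTP session."""

    def __init__(self):
        self.buf = b""        # bytes received that do not yet form a complete line
        self.in_data = False  # True while relaying a message body
        self.upstream = []    # lines the proxy re-issues on its own server connection
        self.rejected = []    # lines answered locally and never forwarded
        self.closed = False

    def feed(self, segment):
        """Take the payload of one TCP segment, however the sender split it."""
        if self.closed:
            return
        self.buf += segment
        while b"\r\n" in self.buf:
            line, self.buf = self.buf.split(b"\r\n", 1)
            self._handle(line)
        if not self.in_data and len(self.buf) > MAX_LINE:
            self.closed = True  # unterminated over-long command: drop the session
            self.buf = b""

    def _handle(self, line):
        if self.in_data:                  # message body: relay until a lone "."
            self.upstream.append(line + b"\r\n")
            self.in_data = line != b"."
            return
        verb = line.split(b" ", 1)[0].upper()
        if len(line) + 2 > MAX_LINE or verb not in ALLOWED_VERBS:
            self.rejected.append(line)    # protocol policy, no signature database
            return
        self.upstream.append(line + b"\r\n")
        self.in_data = verb == b"DATA"

def run(segments):
    """Feed a list of segment payloads through a fresh session."""
    session = ProxySession()
    for seg in segments:
        session.feed(seg)
    return session.upstream, session.rejected

# Constructed sample session; VRFY is outside the allowlist above.
STREAM = (b"EHLO client.example\r\nVRFY root\r\nMAIL FROM:<a@example.com>\r\n"
          b"RCPT TO:<b@example.org>\r\nDATA\r\nhello\r\n.\r\nQUIT\r\n")
```

Feeding `STREAM` as one segment or one byte at a time gives the same forwarded and rejected lines, because the decision is made on reassembled protocol lines rather than on packets.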


  3. Re: [fw-wiz] Secure Computing Sidewinder?

    On Sun, Jun 8, 2008 at 3:23 AM, Paul Hutchings wrote:
    > We currently use Microsoft ISA Server 2006 at the edge of our LAN (we have a
    > hardware firewall in front of it at our perimeter).
    >
    > The hardware it runs on is due for replacement, so I'm looking at the
    > options as we don't use ISA for a specific set of reasons, we basically
    > "fell" into it.
    >
    > One of the options that I'm looking at is the Secure Computing Sidewinder.
    > On paper it looks like a very nice bit of kit, and reading things such as
    > that it's extensively used by banks and the military etc. instils a lot of
    > confidence in the product.
    >
    > I know both ISA and Sidewinder are "Application Layer" firewalls and act as
    > proxies etc. but I'm struggling to get my head around why one might be
    > "better" than the other, I guess I'm a little unclear on exactly what
    > "Application Layer" means tbh despite reading various definitions?
    >
    > My understanding with the Sidewinder is that the proxies receive each
    > packet, tear it apart, inspect it, and then depending on the protocol it
    > drops/discards anything that is dangerous, and in the case of safe content
    > rewrites the packet and makes the connection itself so that the source
    > machine never connects directly to the destination, rather the connection
    > always terminates at the Sidewinder, which makes the connection on its
    > behalf?
    >
    > I'm also struggling to understand how useful an application layer firewall
    > is when it seemingly is never updated i.e. Microsoft ISA server?
    >
    > Our requirements are pretty simple I would imagine:
    >
    > We want to let traffic out, with the source being restricted by IP address
    > or Active Directory user. Mostly standard protocols such as
    > dns/smtp/http/https/ftp where we would expect all traffic to conform to the
    > protocol. In some instances we'll need to open port X to destination Y and
    > would want to simply allow traffic to pass and wouldn't expect a firewall to
    > know what the traffic is as it will be something unique to an application
    > that we're using.
    >
    > We want to allow smtp in, as well as a few specific internal websites such
    > as Outlook Web Access etc. which use HTTPS.
    >
    > I'd appreciate any input on the specifics of how the two products differ and
    > how one might be considered "better" than the other both in terms of bottom
    > line security, and our requirements.
    >
    > cheers,
    > Paul


    The biggest part of security for any system like this lies mostly in
    the skill of the staff implementing and maintaining it.

    Having said that, my company uses a pair of Sidewinders in HA
    (failover) mode, and the more I play with it the more I like it. It
    has two different management interfaces available, which are used in
    different ways for different things. Most of the daily stuff is done
    through a Windows GUI, but there are hidden treasures to be had in the
    FreeBSD-based shell that's available at the console or via SSH.

    I haven't used ISA - well, not since it was MS Proxy 2.0, anyway - so
    can't really comment on it, but I'm sure that it's a fairly reliable
    piece of software. I just happen to have a bias against MSFT software,
    which I cheerfully admit, and will fight against having to use it in a
    security role if I can.

    Either will do what you want, I suspect, just fine.

    Kurt


  4. Re: [fw-wiz] Secure Computing Sidewinder?

    I've got mixed feelings here. . . SidewinderG2 is a descendant of Gauntlet,
    amongst others (Sidewinder and Cyberguard also are part of the current G2,
    as I recall. . .).

    I really liked Gauntlet: rock-solid, easy to configure and maintain. I
    still HAVE a copy of 6.0 on the shelf in my library, back from when NAI
    owned it. . .

    I'm less sanguine about Secure Computing: their service, in my experience,
    is marginal, and the price is exceptionally high, both to get in and for
    maintenance. . .

    It's the only true proxying firewall left that I'm aware of, at least that's
    commercially available here in the States. . .

    Recommendation: none. You're going to have to weigh your security needs and
    budget on this one. Can't help you there. . .



  5. Re: [fw-wiz] Secure Computing Sidewinder?

    On Tue, 10 Jun 2008, Keith A. Glass wrote:

    > It's the only true proxying firewall left that I'm aware of, at least that's
    > commercially available here in the States. . .


    WatchGuard's products still have functional proxies in them, it's
    unfortunate that they seem to have decided that only Windows users can
    administer them- that's the only thing that stops me from making the
    recommendation to most clients- firing up a Windows VM to change one rule
    is a major PITA.

    Paul
    -----------------------------------------------------------------------------
    Paul D. Robertson "My statements in this message are personal opinions
    paul@compuwar.net which may have no basis whatsoever in fact."
    http://www.fluiditgroup.com/blog/pdr/
    Art: http://PaulDRobertson.imagekind.com/



  6. Re: [fw-wiz] Secure Computing Sidewinder?

    On Tue, Jun 10, 2008 at 7:53 PM, Keith A. Glass wrote:
    > I'm less sanguine about Secure Computing: their service, in my experience,
    > is marginal


    We've received very good service/support from SCUR, from Tier-1
    through engineering.
    The majority of the feature requests we've submitted have been
    incorporated into the current Sidewinder V7 release, so I'm really not
    happy about having to migrate away from proxy firewalling.


    > and the price is exceptionally high, both to get in and for maintenance. . .


    No argument here.
    Worse yet, the "appliance" firewalls are Dell hardware...
    But maintenance renewal doesn't actually cover hardware -- once the
    initial Dell support expired, we had to buy a separate Dell contract.