Re: [fw-wiz] Secure Computing Sidewinder? - Firewalls


Thread: Re: [fw-wiz] Secure Computing Sidewinder?

  1. Re: [fw-wiz] Secure Computing Sidewinder?

    On Tue, 10 Jun 2008, Paul Hutchings wrote:

    > When I looked, replacing the ISA Server actually would cost more than
    > a 210E. Now granted the 210E is the baby of the range, but looking


    Last time I played with ISA, it wasn't an application-layer gateway, it
    was a bastardized SOCKS circuit-layer gateway. That means it was doing
    more to enforce what connected than what went through it.

    > I am also impressed with the Sidewinders credentials, I was googling


    There was a school of thought (and I was in it for a long while, though
    not particularly on the Sidewinder implementation) that said that you had
    to trust your firewall and ensure it couldn't be used to harm your
    network, and it couldn't be compromised if you wanted to handle different
    users differently.

    That meant trusted systems implementations. Sidewinder does a good job of
    that, unfortunately in the real world, people decided they'd let
    pretty-much anything tunnel through their firewalls to pretty-much any
    client[1], so the firewall couldn't ever be the weak link, and therefore
    didn't need to be that difficult to write, validate and administer. Plus
    they decided things like calendar applications and MS's single sign on
    beat protecting their servers. So despite the better security model of a
    proxy, packet filters pretty much won the day.


    Paul
    [1] The only redeeming feature I saw of using ISA was enforcing what
    client programs could connect to it, but SRPs are a better way to enforce
    that IMO, and I'd still be wary of not shielding one with another system.
    -----------------------------------------------------------------------------
    Paul D. Robertson "My statements in this message are personal opinions
    paul@compuwar.net which may have no basis whatsoever in fact."
    http://www.fluiditgroup.com/blog/pdr/
    Art: http://PaulDRobertson.imagekind.com/

    _______________________________________________
    firewall-wizards mailing list
    firewall-wizards@listserv.icsalabs.com
    https://listserv.icsalabs.com/mailma...rewall-wizards


  2. Re: [fw-wiz] Secure Computing Sidewinder?

    >>> Last time I played with ISA, it wasn't an application-layer gateway, it
    >>> was a bastardized SOCKS circuit-layer gateway. That means it was doing
    >>> more to enforce what connected than what went through it.


    >>I'd be interested/grateful if you could expand on that?


    Historically, at the time of MS proxy 1 & 2, it was not a gateway routing
    device. It was an http proxy, a SOCKS proxy and a WinSock proxy.

    The WinSock proxy needed a Windows client loaded into each and every client
    PC. This was a shim into the WinSock TCP stack that intercepted and
    forwarded IP packets to the MS Proxy server in a generic (SOCKS-like) way.
    When the packet arrived at MS Proxy, there was a small set of firewall-like
    enforcement rules that would allow or deny based on protocol/port/IP. Then
    it would start an onward session from the Proxy to the destination and
    forward the contents, much like SOCKS does. There was no application
    inspection performed.

    By using the shim into the TCP stack on the client, the application didn't
    have to be proxy-aware or SOCKSified. However any other non-Windows client
    was hosed and had to make sure they could go out via HTTP proxy or SOCKS.

    I cut my teeth on TCP/IP and MS Proxy back in the day, but by the time ISA
    came out (2000?), I had already moved on to a 'real' application-layer
    firewall.



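A miniature of the distinction both posts draw, a circuit-layer relay that only enforces who may connect to what versus an application-layer gateway that also checks what goes through, as an added example that is not part of the thread; the policy rules, addresses and sample traffic are constructed.

```python
"""Circuit-layer vs application-layer enforcement, in miniature.

A circuit-layer gateway (SOCKS, or the old MS Proxy WinSock path) decides on
(protocol, destination, port) and then relays bytes blindly. An application-
layer gateway also parses the payload against the protocol the port is meant
to carry. Rules and sample traffic below are constructed for illustration.
"""
import ipaddress
import re

# Constructed policy: (protocol, destination network, port) tuples allowed to connect.
CIRCUIT_RULES = [
    ("tcp", ipaddress.ip_network("203.0.113.0/24"), 80),
    ("tcp", ipaddress.ip_network("203.0.113.0/24"), 443),
]

# Minimal HTTP request-line grammar used by the application-layer check.
HTTP_REQUEST_LINE = re.compile(rb"^(GET|POST|HEAD) \S+ HTTP/1\.[01]\r\n")


def circuit_allows(proto, dst_ip, dst_port):
    """Circuit-layer decision: only who connects to what is checked."""
    dst = ipaddress.ip_address(dst_ip)
    return any(proto == p and dst in net and dst_port == port
               for p, net, port in CIRCUIT_RULES)


def circuit_relay(proto, dst_ip, dst_port, payload):
    """Allow/deny on the connection, then forward the payload byte-for-byte."""
    if not circuit_allows(proto, dst_ip, dst_port):
        return None
    return payload  # no inspection: whatever was sent goes through


def http_alg_relay(proto, dst_ip, dst_port, payload):
    """Application-layer gateway: same connect check, plus the payload on
    tcp/80 must actually parse as HTTP before it is forwarded."""
    if not circuit_allows(proto, dst_ip, dst_port):
        return None
    if dst_port == 80 and not HTTP_REQUEST_LINE.match(payload):
        return None  # something other than HTTP riding on tcp/80
    return payload


# Constructed sample traffic: a real HTTP request, and an SSH banner sent to port 80.
HTTP_REQ = b"GET /index.html HTTP/1.1\r\nHost: www.example.com\r\n\r\n"
SSH_ON_80 = b"SSH-2.0-example\r\n"

if __name__ == "__main__":
    for name, payload in (("http", HTTP_REQ), ("ssh-on-80", SSH_ON_80)):
        print(name, "circuit:", circuit_relay("tcp", "203.0.113.10", 80, payload) is not None,
              "alg:", http_alg_relay("tcp", "203.0.113.10", 80, payload) is not None)
```

The circuit relay passes both payloads because the connection matches policy; only the application-layer check notices that the second one is not HTTP.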

