FEATURE

Multisite Firewall Management: Not Enterprise-Ready

April 3, 2000
Secure Computing Sidewinder 4.1
Sidewinder boasts some interesting security features, such as its SecureOS and network stack segregation, but we found it complicated to install and manage. And the added features contributed mostly complexity instead of serving their intended purpose--to secure traffic passing between networks. Although Sidewinder will block traffic entering your network, you'll need a team of administrators to configure and support the firewall and its proxies. Fortunately, Secure Computing has addressed many of Sidewinder's shortcomings in version 5, which should be available by the time you read this. We also recommend that you have on-staff administrators who can manage sendmail and DNS, because Sidewinder runs these services natively, and they need to be configured to work properly.

If you want secure remote management, your only option is to run an X Window application for Windows 95/98/NT along with a VPN client. Of course, you could telnet through the VPN to the firewall if you're comfortable with the Unix shell. This is a proxy firewall that goes to great lengths to secure the OS in the event of a breach. The company's Type Enforcement mechanism segments access to system processes, so access is limited for administrators and unauthorized users alike. Because the firewall must communicate with unknown computers directly, there's a chance that a service could be compromised, giving access to the firewall OS. Even if this happens and the intruder gets onto the firewall, that person's access would be severely restricted to the process that was accessed. For example, if a cracker broke through SMTP, that individual would have access only to some of the SMTP files and processes on the firewall.

Surprisingly, attacking our Web server through the Sidewinder was a simple matter. Even though we were assured by Secure Computing that the Sidewinder did check HTTP syntax and that it would drop invalid commands, we could telnet to a process running on Port 80 and perform iishack through the Sidewinder. The proxy firewall left our servers vulnerable to application-level attacks. Secure Computing says it is aware of this bug, and that it will be fixed in a patch for version 4.1 and in the new release, version 5. The only nontransparent HTTP proxy does check HTTP syntax, but it's useful only for Web browsers configured to use the proxy.
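What "checking HTTP syntax and dropping invalid commands" can look like at an application proxy, as an added example (not Secure Computing's code and not part of the original article). The function name, the size limits, the allowed methods and the sample requests are assumptions chosen for illustration.

```python
import re

# Assumed policy limits for this example (not Sidewinder settings).
MAX_REQUEST_LINE = 2048
MAX_HEADER_LINE = 4096
MAX_HEADERS = 64
ALLOWED_METHODS = {b"GET", b"HEAD", b"POST"}

_REQUEST_LINE = re.compile(rb"([A-Z]+) (\S+) HTTP/(1\.[01])")
_TOKEN = re.compile(rb"[!#$%&'*+\-.^_`|~0-9A-Za-z]+")

def check_request_head(raw: bytes):
    """Return (True, "ok") for a well-formed request head, else (False, reason)."""
    head, sep, _body = raw.partition(b"\r\n\r\n")
    if not sep:
        return False, "incomplete head"
    lines = head.split(b"\r\n")
    request_line, headers = lines[0], lines[1:]
    # Length is checked before parsing so oversized input is never interpreted.
    if len(request_line) > MAX_REQUEST_LINE:
        return False, "request line too long"
    m = _REQUEST_LINE.fullmatch(request_line)
    if not m:
        return False, "malformed request line"
    method, target, version = m.groups()
    if method not in ALLOWED_METHODS:
        return False, "method not allowed"
    if any(b < 0x21 or b > 0x7E for b in target):
        return False, "non-printable byte in target"
    if len(headers) > MAX_HEADERS:
        return False, "too many headers"
    seen_host = False
    for line in headers:
        if len(line) > MAX_HEADER_LINE:
            return False, "header line too long"
        name, colon, _value = line.partition(b":")
        if not colon or not _TOKEN.fullmatch(name):
            return False, "malformed header"
        seen_host = seen_host or name.lower() == b"host"
    if version == b"1.1" and not seen_host:
        return False, "HTTP/1.1 without Host"
    return True, "ok"

# Constructed sample inputs: one valid request, one oversized, one typed junk.
GOOD = b"GET /index.html HTTP/1.1\r\nHost: www.example.com\r\n\r\n"
LONG = b"GET /" + b"A" * 3000 + b" HTTP/1.0\r\n\r\n"
JUNK = b"HELLO\r\n\r\n"
```

A proxy applying a check like this forwards only requests that pass and closes the connection on the rest, so the Web server behind it never parses the rejected bytes.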

Sidewinder runs a secured version of sendmail on both the internal and external interfaces. By default, they're configured as open mail relays. While this doesn't pose a security risk, it does leave you vulnerable to spammers bouncing mail off your firewall. Poor netiquette. We did configure the firewall so it wouldn't relay e-mail, but this process is covered only in the optional training booklets and not in the main documentation. Secure Computing responded to our concerns by saying that while it could change the default configuration, the company wouldn't spend its resources on such a trivial change when it could be working on new features. While we appreciate Secure Computing's candor, we think that is an odd position for a security vendor to take.

Sidewinder suffers from weak reporting features. If you want real-time reporting, the only option available is to run the Unix command tail -f on log files and pipe output through grep to filter out garbage. That means keeping a management session open on the firewall, sending event output to an external syslog file, or opening a remote terminal. None of these options is very appealing. A few historical reports can be generated with Sidewinder, but the reports are simply X Window front ends to command-line utilities. That's not exactly a huge leap forward.

Sidewinder 4.1, $6,900 for 1-100 users, Secure Computing, (800) 379-4844, (408) 918-6100; fax (408) 918-6101. www.securecomputing.com

Send your comments on this article to Mike Fratto at mfratto@nwc.com.


