Sneak Preview

Sidewinder 5: The Snake is Back!

May 1, 2000
By Mike Fratto

The snake is back. Those were the first words I saw when installing Secure Computing's Sidewinder 5. This new version is coiled to take a bite out of intruders and, with the enhancements the company has made over Sidewinder 4.1, the product is well worth the purchase. An upgrade, including one day of on-site support, is $2,995; new licenses start at $2,900 for 25 concurrent connections, $6,900 for 100 concurrent connections, and $19,900 for unlimited concurrent connections.

We recently tested version 4.1 (see "Multisite Firewall Management: Not Enterprise-Ready," www.networkcomputing.com/1106/1106f1.html), and I was pleased to see the changes Secure Computing has made under the hood to boost performance. It has added support for up to 1 GB of memory, multiprocessors, Ultra-Wide SCSI and up to 10 NICs per firewall. Sidewinder runs under BSD 4.0 with Secure Computing's Type Enforcement enhancements.

I installed and tested Sidewinder 5 in our Syracuse University Real-World Labs®. I especially liked the new secure remote-management tool, advanced HTTP and T.120 filtering and enhanced VPN support. Sidewinder 5 stands on better footing to compete for your security dollars against established products from Axent Technologies, Check Point Software Technologies and Cisco Systems.

Once I installed Sidewinder 5 on our server, I ran Cobra, Sidewinder's Microsoft Windows-based GUI, from our Windows 2000 workstation. Much of the GUI is retained in this new version, but there are subtle differences. However, not all the configuration features are available in Cobra, so advanced features, such as SSH and tweaking the Squid caching proxy, must be configured on the command line. This mixed management paradigm is a holdover from previous versions of Sidewinder. Cobra can communicate without encryption or over SSL (Secure Sockets Layer). I used both and found a minimal lag in management performance using SSL.
Multiple firewalls can be opened simultaneously using Cobra, but in this release multiunit management is only useful for failover because each firewall will have the exact same address and rule base. Version 5 also supports OpenSSH 1.5 for secure telnet. Secure Computing also extended the product's e-mail filtering capability, letting you filter e-mail based on key words, binary files, file size and virus scanning using any CVP (Content Vectoring Protocol) server.

When I installed the firewall, I chose to have all services shut down by default--arguably the most secure installation method. Then I added ACLs (access control lists) to allow traffic through the firewall. New to this version, the proxies perform NAT (Network Address Translation) by default, though disabling NAT is a simple configuration change. When configuring ACLs for the HTTP proxy, options go beyond the usual source and destination network and ports. Advanced configuration options let you specify the HTTP methods, such as GET and POST, that the ACL will let pass. For example, you can let internal users surf the Web but stop them from posting forms or downloading files.

I found that I could break through version 4.1 of Sidewinder using a buffer-overflow attack aimed at unpatched Microsoft Internet Information Server (IIS) 4.0 Web servers, leaving Web servers completely vulnerable even with the firewall in place. Version 5 (and the version 4.2 update) blocks these types of attacks by checking URL syntax and by letting you define a maximum URL length. I ran iishack (developed by eEye Digital Security) against an IIS server and Sidewinder successfully blocked the attack. Sidewinder can block common buffer-overflow attacks against the Web server because the overflow doesn't conform to HTTP syntax and many overflows send long URLs. However, no firewall can block common application-layer attacks that exploit weaknesses in CGI (Common Gateway Interface) applications.
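The three proxy-side checks described above (a per-ACL list of permitted HTTP methods, a configurable maximum URL length, and a request-line syntax check) are easy to see in a few lines of code. The block below is an added illustration of that logic, not Sidewinder's own implementation; the ACL fields, the 1024-byte limit and the sample requests are constructed for the example.

```python
"""Illustration of proxy-side HTTP request-line checks: allowed methods per
ACL, a maximum URL length, and a syntax check. Added example code; the ACL
structure, limits and sample traffic are constructed, not Sidewinder's."""
import re
from dataclasses import dataclass

# Request-line grammar (RFC 2616): METHOD SP Request-URI SP HTTP/major.minor
REQUEST_LINE = re.compile(rb"^([A-Z]+) (\S+) HTTP/(\d)\.(\d)\r?$")


@dataclass
class HttpAcl:
    """Constructed stand-in for an HTTP proxy ACL entry (hypothetical fields)."""
    name: str
    allowed_methods: frozenset = frozenset({"GET", "HEAD"})
    max_url_length: int = 1024  # assumed limit; the review says it is configurable


def check_request_line(line: bytes, acl: HttpAcl) -> tuple[bool, str]:
    """Return (allowed, reason) for the first line of a client request.
    Anything that is not a well-formed request line is refused outright,
    which is what stops payloads that do not look like HTTP at all."""
    m = REQUEST_LINE.match(line)
    if m is None:
        return False, "malformed request line"
    method, uri = m.group(1).decode("ascii"), m.group(2)
    if method not in acl.allowed_methods:
        return False, f"method {method} not permitted by ACL {acl.name}"
    if len(uri) > acl.max_url_length:
        return False, f"URL length {len(uri)} exceeds limit {acl.max_url_length}"
    if any(b < 0x21 or b > 0x7E for b in uri):
        return False, "non-printable byte in URL"
    return True, "ok"


# Constructed sample traffic: a page fetch, a form post, an oversized URL
# carrying non-printable bytes, and a line that is not HTTP at all.
SAMPLE_REQUESTS = [
    b"GET /index.html HTTP/1.0\r",
    b"POST /cgi-bin/form HTTP/1.1\r",
    b"GET /" + b"A" * 3000 + b"\x90\x90 HTTP/1.0\r",
    b"\x00\x01garbage",
]


def filter_samples(acl: HttpAcl) -> list:
    """Verdict (True = pass) for each sample request under the given ACL."""
    return [check_request_line(r, acl)[0] for r in SAMPLE_REQUESTS]


if __name__ == "__main__":
    surf_only = HttpAcl("internal-surf", frozenset({"GET", "HEAD"}), 1024)
    for req in SAMPLE_REQUESTS:
        print(check_request_line(req, surf_only))
```

With the surf-only ACL, only the plain GET passes; the form POST is refused by the method list, and the long URL and the non-HTTP line are refused before any method or length decision is needed.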
I also tried to profile the firewall using nmap 2.13 (beta) and found only the services that I was proxying.

Secure Computing improved the product's VPN capabilities by adding certificate support and much more advanced configuration options. Not only can the firewall generate certificates for VPN users, but Sidewinder 5 also supports online registration with Netscape Certificate Server, and manual certification has been successfully tested with Entrust and Baltimore. Not all the VPN functionality was available in the beta version I tested.

Sidewinder 5 offers three VPN modes based on who is connecting via the VPN. Fixed mode is used when the VPN gateway IP addresses are known ahead of time, which is common in LAN-to-LAN VPNs. Dynamic gateway and client modes are aimed at endpoints that have dynamic IP addresses and are using certificates for authentication and identification. I created a fixed-mode VPN with Secure Computing's test gateway because of my network's fixed IP addresses.

Setting up the VPN was a simple matter and no more difficult than the process is with other firewall products. However, I had to take a few extra steps because Sidewinder is a proxy firewall. The first step in setting up a VPN is negotiating and exchanging the keys used to secure the session. IKE (Internet Key Exchange) runs on UDP port 500, so I first had to start the IKE daemon on the burbs (interfaces) that would be receiving the IKE negotiation. Next, I had to add an ACL allowing the IKE exchange to reach the firewall. Then I set up the security association (SA) that defined the acceptable cryptographic parameters, identification and authentication measures and other IPsec (IP security) protocol features.

Secure Computing has made some significant and much needed changes to reporting and logging. Sidewinder 5 dumps logging information to a raw data file and a SQL database. By default the ASCII logs are no longer enabled because of the performance hit taken writing out every line item.
Sidewinder 5 adds utilities that will process the raw data logs on the command line for real-time processing. It's the same data, just a different tool to get at it. Daily reports about events, such as network probes and access violations, as well as status reports--regarding the amount of traffic by service, host and destination, for example--are generated and sent via e-mail. I also ran these reports interactively on the command line.

Secure Computing is also working with third-party reporting vendors, such as WebTrends, to off-load report processing. At this time, a vendor is able to query Sidewinder for data, but Secure Computing added a utility that will process the SQL database, create a file in WebTrends Extended Logfile Format (WELF) and FTP it to the WebTrends server for processing.
Vendor Info:
Secure Computing, Corp., (800) 379-4944; fax (408) 918-6101. Send your comments on this article to Mike Fratto at mfratto@nwc.com.