home news blogs forums events research newsletter whitepapers careers


Network Computing Network Computing Network Computing
HOT PICKS

IMMERSE YOURSELF:

SOA

  |

Data Center

  |

802.11n

  |

Data Privacy

  |
APO  |

Virtualization

  |

NAC

  |

Security

  |

Network Mgmt

  |

Enterprise Apps

  |

Storage & Servers



Security
R E V I E W  
Application-Level Firewalls: Smaller Net, Tighter Filter

  March 21, 2003
  By Mike Fratto


>> continued from previous page

Secure Computing Corp.
TOC Issue TOC
Printer Print full article
Printer Print this page
Printer Download as PDF
E-Mail E-Mail this URL
Discuss Discuss this article
flame author Flame the author
 
  In this article
arrow
Introduction
arrow
Testing App-Level Firewalls
arrow
Secure Computing Corp.
arrow
Check Point Software Technologies FireWall-1 NG FP3
arrow
Other Products Reviewed
arrow
Executive Summary
arrow
How We Tested
arrow
Glossary & Web Links
arrow
Report Card

Sidewinder G2 Sidewinder G2 is the first new version from Secure Computing since the purchase of the Gauntlet firewall from Network Associates. Sidewinder still installs with a hardened BSDI 4.3 OS with type enforcement, but nearly all configuration is done through the installation wizard or the Sidewinder management GUI. Gone are the days when you had to be a Bind/DNS/Sendmail guru to properly set up the firewall. Secure Computing has done a nice job of easing the product's installation process while preserving its security strengths.

About the only security problem we found is that the HTTP proxy doesn't support URL string pattern blocking. Such support is handy as a stopgap to block the latest URL-specific worm while you are patching your Web servers. But aside from a couple of foibles, Sidewinder still strikes a nice balance between protection and performance.

Sidewinder's protections come from its application proxies. It provided the best protection mechanisms for both H.323 and DNS. Sidewinder can selectively block H.323 codecs and T.120 functions, such as chat, application sharing and videoconferencing. This provides much finer control over how H.323 is used.


For DNS protection, Sidewinder uses a hardened Bind 9 DNS server and it can be configured as a hosted split-DNS or transparent-DNS proxy. Split DNS makes a noncaching DNS server available to the outside world that is used to resolve only those addresses that are published. A second caching DNS server is used for internal clients trying to resolve hosts both internally and externally. Splitting the DNS means external users will never reach internal DNS servers. An added benefit of using Bind 9 is that when the DNS server gets a response to a query that contains an alias (CNAME) to another host name, the DNS server will try to resolve the alias rather than trust the response. That blocked our attempt to poison our internal DNS server. In all the other firewalls we tested, cache corruption of our internal DNS server was successful.



SideWinder Admin Console

click to enlarge

The management GUI is radically different from earlier versions of Sidewinder and does take some getting used to. The only real down side is rule management. Firewall rules are created and then added to groups. Groups are combined into a firewall policy. The order of the groups and the order of the rules in the groups determines the rule order in the resulting policy. When we viewed the active policy, we couldn't edit any of the rules nor could we determine what group a rule belonged to. We had to keep track of it ourselves. We have enough details to remember--the admin console should do that for us. Also, the real-time logging still leaves much to be desired. Manually scanning syslog entries is fine for experienced administrators, but not for novices.

When it comes to performance numbers, the Sidewinder can handle a ridiculous number of concurrent connections--30 KB, second only to the Firebox 4500. Microsoft's ISA came in at a respectable 10 KB. The rate for connections per second came in at 800 in our testing. Sidewinder did a bit better than Check Point's FireWall-1 in the bandwidth test with HTTP application filtering enabled. However, when we ran the same test using stateful packet filtering, it only yielded an increase of 10 Mbps. In comparison, FireWall-1's stateful packet filtering screamed. After working with Secure Computing engineers, we determined the bottleneck was with memory allocation, for which we had no workaround.

Sidewinder G2, Secure Computing Corp., (800) 379-4944, (408) 979-6100. www.securecomputing.com


start top  Testing App-Level Firewalls Check Point Software Technologies FireWall-1 NG FP3 





Ready to take that job and shove it?

Function:

Keyword(s):

State:
SPONSOR
RECENT JOB POSTINGS
CAREER NEWS
Go beyond Google and get vertical. These specialized search sites will help you find the business information you need -- fast.

Ari Balogh was named to the post of chief technology officer as the companys for a "realignment" of employees.










InformationWeek U.S. IT Salary Survey 2008
Salaries for business technology professionals are falling. Here's what you need to know in order to make good hiring decisions and personal career choices. Purchase Today: $299
 
ROLLING RIGHT ALONG
Follow key Network Computing Reviews from conception to completion. This Week: Holistic APM.



Network Computing Reports Emerging Enterprise Podcast Series: Secrets to Success








TechSearch


Microsite of the Week


Powerful Information at Your Fingertips



techweb
Online Communities TechWebInformationWeekLight ReadingIntelligent EnterprisebMightyNetwork ComputingDark ReadingDigital LibraryWall Street & Technology
Byte & SwitchNo JitterInternet EvolutionLight Reading's Cable Digital NewsContentinopleUnStrungBank Systems & TechnologyAdvanced TradingInsurance & Technology
Face-to-Face Events
InteropWeb 2.0 ExpoWeb 2.0 SummitVoiceConBlack HatCSISoftwareEntrprise 2.0 ConferenceGTEC
Mobile Business Expo
InformationWeek 500 ConferenceBuy Side Trading XchangeBuy Side Trading SummitBank Executive SummitInsurance Executive SummitTelcoTVEthernet ExpoOptical Expo
Magazines  
InformationWeekWall Street & TechnologyInsurance & TechnologyBank Systems & TechnologyAdvanced TradingMSDNTechNetSmart EnterpriseThe Architecture JournalDatabase Magazine
 
Research & Analyst Services  
Heavy ReadingInformationWeek ReportsInformationWeek Analytics
 
   
   
App Infrastructure   |   Messaging & Collaboration   |   Network & Systems Mgmt   |   Network Infrastructure   |   Security  |   Storage & Servers   |   Wireless   |   Enterprise Apps
About Us  |  Contact Us  |  Site Map  |  Technology Marketing Solutions  |   Briefing Centers
Copyright © 2008  United Business Media LLC  |  Privacy Statement  |  Terms of Service  |  Your California Privacy Rights