Secure Computing's upgrade offers stability, versatility for a price
By Keith Schultz
In today's fragmented network-security market, there are a lot of different devices to choose from; you need to make sure that the system you choose is both reliable and, above all, secure. Secure Computing Corp.'s Sidewinder Security Server 4.0 is just such a system. It can handle any security policy you throw at it, and provides a stable platform for that policy. Just be prepared to dedicate a PC with loads of resources to get the best performance.
Sidewinder is positioned as a high-end security solution that's designed for enterprise environments that require the highest level of security. Typically, you will find Sidewinder in government, defense, banking, finance, health-care, telecom, utilities, and high-tech and manufacturing organizations that need to ensure confidentiality, integrity, and availability of their critical data and services.
Secure Computing originally developed the base security technology incorporated into Sidewinder to provide network security for critical government computing systems. Sidewinder has become the firewall of choice in the Department of Defense and is the market-share leader in the federal government.
Version 4.0 of Sidewinder Security Server holds on to a lot of what made version 3.0 so successful, and adds improvements to its virtual private network functionality and the number of Internet services it supports. Also new to Sidewinder 4.0 is automatic failover support. This means that if your primary Sidewinder firewall should fail, a second hot-standby Sidewinder will take over and function exactly as the primary one did. The secondary Sidewinder mimics everything from the security profile to the actual IP address of the primary firewall. Be prepared to spend an additional $5,000 for this feature.
Like previous versions of Sidewinder, the heart of the system is the highly modified BSD Unix operating system. The security functions of Sidewinder are blended into the operating system, not just placed on top of it as an application. Secure's Type Enforcement technology helps secure the operating system as well as enforce mandatory access control while denying any access to the root user account. Type Enforcement places all Internet services in control domains. Each domain is self-contained and granted permission to access only specific file types and areas of the operating system. This limits the effect a subverted application can have on the system and isolates the other control domains from the effects of the flawed application.
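The domain isolation described above can be sketched as a small access-matrix model. This is an added example, not Secure Computing's code or Sidewinder's policy format; the domain names, file types and paths are hypothetical and constructed for illustration.

```python
"""Simplified model of type enforcement (constructed; not Sidewinder's policy syntax)."""
from dataclasses import dataclass

# Hypothetical policy: (domain, file type) -> permitted operations.
# Any pair missing from the table is denied; there is no superuser override.
POLICY = {
    ("http_proxy", "http_conf"): {"read"},
    ("http_proxy", "http_log"): {"append"},
    ("smtp_proxy", "smtp_conf"): {"read"},
    ("smtp_proxy", "mail_spool"): {"read", "write"},
    ("admin", "http_conf"): {"read", "write"},
    ("admin", "smtp_conf"): {"read", "write"},
}

# Constructed labels: every file carries exactly one type.
FILE_TYPES = {
    "/etc/httpd.conf": "http_conf",
    "/var/log/httpd.log": "http_log",
    "/etc/smtp.conf": "smtp_conf",
    "/var/spool/mail/q1": "mail_spool",
    "/etc/passwd": "system_auth",
}

@dataclass(frozen=True)
class Process:
    name: str
    domain: str
    uid: int  # carried along only to show the check never consults it

def check_access(proc, path, op):
    """Mandatory check: the decision depends only on (domain, type, operation)."""
    ftype = FILE_TYPES.get(path)
    if ftype is None:
        return False  # unlabeled objects are denied
    return op in POLICY.get((proc.domain, ftype), set())

def reachable(proc):
    """Everything a fully subverted process in this domain could still touch."""
    return sorted((path, op) for path, ftype in FILE_TYPES.items()
                  for op in POLICY.get((proc.domain, ftype), ()))

if __name__ == "__main__":
    web = Process("httpd", "http_proxy", uid=0)  # runs as uid 0, still confined
    for path in FILE_TYPES:
        ops = {op: check_access(web, path, op) for op in ("read", "write", "append")}
        print(f"{path:22} {ops}")
    print("blast radius:", reachable(web))
```

Because the uid is never consulted, a compromised proxy running as uid 0 gains nothing beyond the rows listed for its own domain.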
Sidewinder Security Server 4.0 works with the standard list of Internet service proxies, including Telnet, HTTP, FTP, SSL, NNTP, America Online, X Windows, RealAudio, Gopher, WAIS, Whois, POP, SMTP, and SNMP. New to version 4.0 are X.500/X.400 and Oracle proxies--and if you have a custom application that you need to pass, Secure includes generic TCP and UDP proxies you can tweak to meet your needs. The only traffic Sidewinder has trouble with is streaming multimedia. You can pass older RealAudio streams, but not the newer G2 format. Also, users of Microsoft's NetMeeting program will be unable to connect through the firewall.
While application filters are the primary forms of security, Sidewinder now comes with packet filtering capabilities, too. Packet filtering is an easily foiled form of protection, but in some cases you need to use it.
Stay In Control
Successfully managing all of these features requires a management tool and sophisticated access controls. The management console is an X Windows application that lets you manage your local Sidewinder firewall. The user interface is well-organized and easy to navigate, even for a Sidewinder novice. You can even set up SNMP agent software to allow Sidewinder to be monitored by any SNMP-compliant network-management station. Make sure all your policies are in place before turning on the SNMP clients. Failure to do so could open up your system to outsiders using SNMP monitoring software. Centralized management of other Sidewinder firewalls is done through the optional Sidewinder Central management platform.
Your security policy is determined by entries in the Access Control List database. The ACL lets you manage your network resources based on source or destination interface, network object type or group, type of connection, type of requested network (Internet) service, user authentication, and time of day. User authentication can be standard passwords or strong authentication such as Lockout DES challenge and response (available in the basic Sidewinder package), Lockout Fortezza (available as a premium add-on), or external authentication servers such as Secure's SafeWord Authentication Server, Axent Technology's Defender Security Server, and Security Dynamics' ACE/Server.
Another key feature set is the advanced filtering mechanisms. You can block potentially hostile Java applets from entering the network and also filter Web content. One feature I was happy to see is E-mail filtering. You can filter E-mail messages based on binary attachment type, by keyword, and by overall size. This can help protect your users from malicious inbound file attachments and also help keep confidential files inside the firewall. Unfortunately, this filter support is a $5,000 option.
While virtual private networking support is another premium feature with Sidewinder, it's worth the investment. Sidewinder is fully IPSec compliant and includes DES, 3DES and RC4-128 encryption. Inside, you'll also find Internet Key Exchange public-key management, X.509 certificates, and support for certificate authorities. Sidewinder can automatically link to Netscape's certificate authority and will be able to link to Entrust's certificate authority in the future. Remote users can tunnel in to the firewall using Secure's SecureClient ($2,975 for 25 users) client-side VPN software.
To make sure that Sidewinder is really up to the task of protecting your network, I attacked it from a hacker PC using Internet Security Systems' SafeSuite 5.0. Using SafeSuite, I scanned the external network interface card using a modified Heavy Scan script. SafeSuite didn't detect any security breaches or vulnerabilities, and passed the firewall with flying colors.
In firewalls, as with many other things, it's true that you get what you pay for. Sidewinder Security Server 4.0 won't come cheaply after you purchase the necessary add-ons--but you can be assured that the firewall you're getting is well worth the cost.