Re: [fw-wiz] IBM secureway firewall

From: Paul D. Robertson (proberts@patriot.net)
Date: 12/05/02


From: "Paul D. Robertson" <proberts@patriot.net>
To: "R. DuFresne" <dufresne@sysinfo.com>
Date: Thu Dec  5 16:33:16 2002

On Wed, 4 Dec 2002, R. DuFresne wrote:

> Can anyone give me info on this product?
>
> I see IBM claims it's been used by themselves for 10+ years to secure
> their networks, that it's an all in one product, packet filter,
> proxy/circuit level gateway, with VPN features, etc.

If it's the current incantation[1] of IBM's old "Secure Network Gateway"
code, then I think I had one about 9 years ago running on an RS/6000
under AIX 3.25 (Either on a 55L or a 590 Power2 box.) At that point in
time, it was simply a packet filter and SOCKS server for those who thought
SOCKS was a security solution[2]. It was in the middle of my firewall,
and was often up for ~2 years at a time until we needed to do things like
add new interfaces to the box.

We had the primary architect out to do the original install, first time
I've met a PhD who could do AWK scripting at the console in real-time, and
we both learned some stuff :) It was my understanding at the time that we
were one of the first large companies to put one up- which wasn't all that
confidence inspiring.

The product was reasonable, but not exceptional as a packet filter, and I
had it behind two other layers of filtering, with application layer
gateways mostly behind it- not because of distrust though- but because of
defense in depth. Outside of the obvious packet filtering foibles of the
time, and AIX's usual idiosyncrasies with the ODM stuff (which I mostly
bypassed whenever possible) it was a stable platform for packet filtering.

There was also a similarly named product that ran under OS/2, and would
sit in a PC board hosted by an AS/400 system- and my confidence in that
product was never all that high, but I refused to even evaluate it (given
my suppositions about OS/2 stack writer availability at the time, I just
thought it wasn't worth the time.)

It's the only time I've inherited a firewall product rather than chosen
one that I've personally had to run. I never had it handling e-mail
itself because it used Sendmail, and I didn't have it doing DNS- other
than that, it didn't have anything significantly proxyish at the time AFAIR.

We passed on the chance to upgrade it at some point in the distant past,
but didn't remove the box from the firewall chain until y2k issues became
important.

Paul
[0] Your MX is brokenly not accepting mail directly- hopefully this will
get to you.
[1] Yes, I said it again.
[2] Circuit level gateways suck in terms of trust relationships and
enforcement boundaries- just like circuit plugboards, they're a
convenient answer to someone who wants a single trust zone with fully
trusted clients and who doesn't want to do any "real" security work.
They're "quick and easy" in the "Pick one, Q&E or secure."
-----------------------------------------------------------------------------
Paul D. Robertson "My statements in this message are personal opinions
proberts@patriot.net which may have no basis whatsoever in fact."
probertson@trusecure.com Director of Risk Assessment TruSecure Corporation


