Re: [fw-wiz] IBM secureway firewall

From: Paul D. Robertson
To: R. DuFresne
Date: Thu Dec  5 16:33:16 2002

On Wed, 4 Dec 2002, R. DuFresne wrote:

> Can anyone give me info on this product?
> I see IBM claims it's been used by themselves for 10+ years to secure
> their networks, that it's an all in one product, packet filter,
> proxy/circuit level gateway, with VPN features, etc.

If it's the current incantation[1] of IBM's old "Secure Network Gateway"
code, then I think I had one about 9 years ago running on an RS/6000
under AIX 3.25 (Either on a 55L or a 590 Power2 box.) At that point in
time, it was simply a packet filter and SOCKS server for those who thought
SOCKS was a security solution[2]. It was in the middle of my firewall,
and was often up for ~2 years at a time until we needed to do things like
add new interfaces to the box.

We had the primary architect out to do the original install, first time
I've met a PhD who could do AWK scripting at the console in real-time, and
we both learned some stuff :) It was my understanding at the time that we
were one of the first large companies to put one up- which wasn't all that
confidence inspiring.

The product was reasonable, but not exceptional as a packet filter, and I
had it behind two other layers of filtering, with application layer
gateways mostly behind it- not because of distrust though- but because of
defense in depth. Outside of the obvious packet filtering foibles of the
time, and AIX's usual idiosyncrasies with the ODM stuff (which I mostly
bypassed whenever possible) it was a stable platform for packet filtering.

There was also a similarly named product that ran under OS/2, and would
sit in a PC board hosted by an AS/400 system- and my confidence in that
product was never all that high, but I refused to even evaluate it (given
my suppositions about OS/2 stack writer availability at the time, I just
thought it wasn't worth the time.)

It's the only time I've inherited a firewall product rather than chosen
one that I've personally had to run. I never had it handling e-mail
itself because it used Sendmail, and I didn't have it doing DNS- other
than that, it didn't have anything significantly proxyish at the time AFAIR.

We passed on the chance to upgrade it at some point in the distant past,
but didn't remove the box from the firewall chain until y2k issues became

[0] Your MX is brokenly not accepting mail directly- hopefully this will
get to you.
[1] Yes, I said it again.
[2] Circuit level gateways suck in terms of trust relationships and
enforcement boundaries- just like circuit plugboards, they're a
convenient answer to someone who wants a single trust zone with fully
trusted clients and who doesn't want to do any "real" security work.
They're "quick and easy" in the "Pick one, Q&E or secure."

Paul D. Robertson
"My statements in this message are personal opinions which may have no basis whatsoever in fact."
Director of Risk Assessment
TruSecure Corporation