Re: [fw-wiz] Secure Computing Sidewinder?

On 6/8/08, Paul Hutchings <paul@xxxxxxxxxxx> wrote:
One of the options that I'm looking at is the Secure Computing Sidewinder.
On paper it looks like a very nice bit of kit, and reading things such as
that it's extensively used by banks and the military etc. instils a lot of
confidence in the product.

Up until last week, my employer was a Sidewinder customer,
and I still run an unofficial user's group for the product :)

We are moving off Sidewinder G2 solely because of the price. After
having gone over five years without a serious security incident, my
employer does not see the value in keeping "military grade" (their
words, not mine) security, and wants to move to a more relaxed

I know both ISA and Sidewinder are "Application Layer" firewalls and act as
proxies etc. but I'm struggling to get my head around why one might be
"better" than the other, I guess I'm a little unclear on exactly what
"Application Layer" means tbh despite reading various definitions?

I'm not personally familiar with the current incarnation of the Microsoft ISA.
The "Windows Team" in my office is deploying a couple of them
specifically because ISA is the only product which claims to have a
proxy for MS-RPC, and I am anything but impressed with the ISA, in
terms of security, ease-of-use, management, etc.

There are many different approaches to designing a firewall, the
approach taken by Secure Computing is, in my mind "better" and more
thorough than most other "application proxy" firewalls, though this
depends to a great extent on how you choose to deploy and how you
write your policy.

If you don't mind spending more money for more security, I would
strongly recommend evaluating Sidewinder, particularly if you already
have admins with Unix/BSD skills.

If price is a major factor, Secure Computing also sells the simpler
"SnapGear" firewalls, and you might consider Juniper's Netscreen as a
third, less expensive, option.

My understanding with the Sidewinder is that the proxies receive each
packet, tear it apart, inspect it, and then depending on the protocol it
drops/discards anything that is dangerous, and in the case of safe content
rewrites the packet

Some "stateful inspection packet filters" make this same claim.

There are two key differences:

1) A packet filter does this for each packet individually, while
a proxy receives the full streaming connection, tears apart the higher
level protocol (e.g. SMTP), does complete fragment reconstruction, and
depending on the protocol can drop/discard or repair anything that
doesn't comply with the protocol definition.

2) A good proxy doesn't just match against "known bad" traffic, but
rather has a model of what good traffic should conform to, and will
kill a session if the conversation veers off-topic. Sidewinder also
allows you to "relax" certain rules so poorly written clients and
servers are not blocked.

and makes the connection itself it so that the source
machine never connects directly to the destination, rather the connection
always terminates at the Sidewinder, which makes the connection on its

That is the old school definition of a "proxy" firewall, the
historical roots of the Sidewinder. This (full rebuild of the TCP
session) approach works very well for an environment where you would
want to deny anything but RFC-compliant traffic, and where you have a
"that which is not explicitly permitted is denied by default" approach
to security.

The biggest drawbacks are performance and per-stream overhead.

The latest version (v7) still has the full-teardown option, but can
also be configured with various optimizations to skip the deepest
inspection on the body of certain streams, to avoid the performance
hit which is often attributed to proxy firewalls.

I'm also struggling to understand how useful an application layer firewall
is when it seemingly is never updated i.e. Microsoft ISA server?

Good point.

I've been using Sidewinders since 2001, and Secure Computing has
regularly issued updates to the firewall, with detailed release notes
explaining what changes are in each update, including new protocol
support, changes in protocol behavior, etc.

Our requirements are pretty simple I would imagine:

We want to let traffic out, with the source being restricted by IP address
or Active Directory user. Mostly standard protocols such as
dns/smtp/http/https/ftp where we would expect all traffic to conform to the
protocol. In some instances we'll need to open port X to destination Y and
would want to simply allow traffic to pass and wouldn't expect a firewall to
know what the traffic is as it will be something unique to an application
that we're using.

That is all pretty standard.

We want to allow smtp in, as well as a few specific internal websites such
as Outlook Web Access etc. which use HTTPS.

One place where Secure Computing shines is in SMTP processing, both in
terms of protocol inspection (so your Exchange SMTP servers are less
likely to get owned) and in anti-spam (Secure Computing purchased and
has integrated IronMail).

They also have an HTTPS proxy for inbound HTTPS, and are one of *very*
few vendors with a true protocol inspection proxy for SSH.

I'd appreciate any input on the specifics of how the two products differ and
how one might be considered "better" than the other both in terms of bottom
line security, and our requirements.

Last time I checked, ISA was a Windows server with a firewall bolted
on, while the "SecureOS" underlying Sidewinder is a customized BSD
designed specifically as a firewall.

Both run on PC hardware -- most Sidewinder failures we have had were
due to hardware problems -- power supply and drive failures.

firewall-wizards mailing list
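A small defender-side sketch of the two points made in the reply above (the proxy reassembles the whole stream rather than judging packets one at a time, and it enforces a positive model of what a well-behaved client may say, killing the session on any deviation, with a "relax" switch for sloppy clients). This is an added example, not code from the post or from Secure Computing; the SMTP state table, argument grammar and sample sessions are constructed for illustration and cover only a small subset of RFC 5321 (message bodies and server replies are not modelled).

```python
import re

# Positive model of a well-behaved SMTP client (small RFC 5321 subset,
# constructed for this example): which commands may follow in each state.
ALLOWED = {
    "init":    {"EHLO", "HELO", "NOOP", "QUIT"},
    "greeted": {"EHLO", "HELO", "MAIL", "RSET", "NOOP", "QUIT"},
    "mail":    {"RCPT", "RSET", "NOOP", "QUIT"},
    "rcpt":    {"RCPT", "DATA", "RSET", "NOOP", "QUIT"},
}
TRANSITION = {"EHLO": "greeted", "HELO": "greeted", "MAIL": "mail",
              "RCPT": "rcpt", "RSET": "greeted", "DATA": "data"}
# Argument syntax for commands that take one; DATA, RSET and QUIT take none.
ARG_SYNTAX = {
    "EHLO": re.compile(r"^[A-Za-z0-9.\-\[\]:]+$"),
    "HELO": re.compile(r"^[A-Za-z0-9.\-]+$"),
    "MAIL": re.compile(r"^FROM:<[^<>\s]*>(\s+[A-Za-z0-9=\-]+)*$", re.I),
    "RCPT": re.compile(r"^TO:<[^<>\s]+>(\s+[A-Za-z0-9=\-]+)*$", re.I),
}
MAX_LINE = 512  # RFC 5321 limit on a command line, CRLF included


def reassemble(segments):
    """Join TCP segments into the stream the proxy inspects. A per-packet
    filter sees only the pieces, so a command split across segments
    ('MA' + 'IL FROM:...') never appears whole to it."""
    return b"".join(segments)


def split_lines(stream, relaxed):
    """Strict mode requires CRLF and treats a bare LF as a violation (None);
    relaxed mode tolerates it: the 'relax a rule for a sloppy client' knob."""
    if relaxed:
        lines = stream.replace(b"\r\n", b"\n").split(b"\n")
    else:
        if b"\n" in stream.replace(b"\r\n", b""):
            return None
        lines = stream.split(b"\r\n")
    if lines and lines[-1] == b"":
        lines.pop()  # empty element after the final line terminator
    return lines


def inspect_session(segments, relaxed=False):
    """Check a client's command stream against the positive model.
    Returns (verdict, events); verdict is 'allowed' or 'killed'. Any
    departure from the model ends the session: no 'known bad' signatures."""
    events = []
    lines = split_lines(reassemble(segments), relaxed)
    if lines is None:
        return "killed", ["bare LF line ending"]
    state = "init"
    for raw in lines:
        if state == "data":
            # Message body: not command syntax (body inspection not modelled).
            if raw == b".":
                state = "greeted"
                events.append("end of DATA")
            continue
        if len(raw) + 2 > MAX_LINE:
            events.append("overlong command line")
            return "killed", events
        try:
            line = raw.decode("ascii")
        except UnicodeDecodeError:
            events.append("non-ASCII bytes in command line")
            return "killed", events
        verb, _, arg = line.partition(" ")
        verb = verb.upper()
        if verb not in ALLOWED[state]:
            events.append(f"{verb or '<empty>'} not permitted in state {state}")
            return "killed", events
        if verb in ARG_SYNTAX:
            if not ARG_SYNTAX[verb].match(arg):
                events.append(f"malformed argument to {verb}: {arg!r}")
                return "killed", events
        elif verb != "NOOP" and arg:
            events.append(f"{verb} takes no argument")
            return "killed", events
        events.append(verb)
        state = TRANSITION.get(verb, state)
    return "allowed", events


# Constructed sample sessions; segment boundaries are chosen deliberately.
GOOD_SESSION = [
    b"EHLO client.example\r\nMA",                 # command split across segments
    b"IL FROM:<alice@example.com>\r\n",
    b"RCPT TO:<bob@example.net>\r\nDATA\r\n",
    b"Subject: hi\r\n\r\nhello\r\n.\r\nQUIT\r\n",
]
OUT_OF_ORDER = [b"EHLO client.example\r\nDATA\r\n"]   # DATA before MAIL/RCPT
MALFORMED = [b"EHLO client.example\r\nMAIL FROM:alice@example.com\r\n"]
OVERLONG = [b"EHLO " + b"a" * 600 + b"\r\n"]
SLOPPY_CLIENT = [b"EHLO client.example\nMAIL FROM:<alice@example.com>\n"]

if __name__ == "__main__":
    for name, s in [("good", GOOD_SESSION), ("out-of-order", OUT_OF_ORDER),
                    ("malformed", MALFORMED), ("overlong", OVERLONG),
                    ("sloppy/strict", SLOPPY_CLIENT)]:
        print(name, inspect_session(s))
    print("sloppy/relaxed", inspect_session(SLOPPY_CLIENT, relaxed=True))
```

The good session passes even though "MAIL" straddles a segment boundary, because the verdict is made on the reassembled stream; the out-of-order, malformed and overlong sessions are killed without any signature of a specific attack, purely because they leave the model; and the bare-LF client is killed in strict mode but admitted with `relaxed=True`, which is the trade-off the reply describes.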