Re: [fw-wiz] Secure Computing Sidewinder?



On Sun, Jun 8, 2008 at 3:23 AM, Paul Hutchings <paul@xxxxxxxxxxx> wrote:
We currently use Microsoft ISA Server 2006 at the edge of our LAN (we have a
hardware firewall in front of it at our perimeter).

The hardware it runs on is due for replacement, so I'm looking at the
options as we don't use ISA for a specific set of reasons, we basically
"fell" into it.

One of the options that I'm looking at is the Secure Computing Sidewinder.
On paper it looks like a very nice bit of kit, and reading things such as
that it's extensively used by banks and the military etc. instils a lot of
confidence in the product.

I know both ISA and Sidewinder are "Application Layer" firewalls and act as
proxies etc. but I'm struggling to get my head around why one might be
"better" than the other, I guess I'm a little unclear on exactly what
"Application Layer" means tbh despite reading various definitions?

My understanding with the Sidewinder is that the proxies receive each
packet, tear it apart, inspects it, and then depending on the protocol it
drops/discards anything that is dangerous, and in the case of safe content
rewrites the packet and makes the connection itself it so that the source
machine never connects directly to the destination, rather the connection
always terminates at the Sidewinder, which makes the connection on its
behalf?

I'm also struggling to understand how useful an application layer firewall
is when it seemingly is never updated i.e. Microsoft ISA server?

Our requirements are pretty simple I would imagine:

We want to let traffic out, with the source being restricted by IP address
or Active Directory user. Mostly standard protocols such as
dns/smtp/http/https/ftp where we would expect all traffic to conform to the
protocol. In some instances we'll need to open port X to destination Y and
would want to simply allow traffic to pass and wouldn't expect a firewall to
know what the traffic is as it will be something unique to an application
that we're using.

We want to allow smtp in, as well as a few specific internal websites such
as Outlook Web Access etc. which use HTTPS.

I'd appreciate any input on the specifics of how the two products differ and
how one might be considered "better" than the other both in terms of bottom
line security, and our requirements.

cheers,
Paul

The biggest part of security for any system like this lies mostly in
the skill of the staff implementing and maintaining it.

Having said that, my company uses a pair of Sidewinders in HA
(failover) mode, and the more I play with it the more I like it. It
has two different management interfaces available, which are used in
different ways for different things. Most of the daily stuff is done
through a Windows GUI, but there are hidden treasures to be had in the
FreeBSD-based shell that's available at the console or via SSH.

I haven't used ISA - well, not since it was MS Proxy 2.0, anyway - so
can't really comment on it, but I'm sure that it's a fairly reliable
piece of software. I just happen to have a bias against MSFT software,
which I cheerfully admit, and will fight against having to use it in a
security role if I can.

Either will do what you want, I suspect, just fine.

Kurt
_______________________________________________
firewall-wizards mailing list
firewall-wizards@xxxxxxxxxxxxxxxxxxxxx
https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards



Relevant Pages

  • Re: SBS Premium installed - Some configuration questions...
    ... ISA and a hardware firewall are in the same league. ... and only allowing those ports in. ...
    (microsoft.public.windows.server.sbs)
  • Re: Add a firewall box?
    ... but all three facilities he mentions are available from your existing SBS ... Provides a software firewall. ... of the systems mentioned do 'application layer' filtering, which ISA does. ... ISA Firewall Fairy Tales - What Hardware Firewall Vendors Don't Want You to ...
    (microsoft.public.windows.server.sbs)
  • Re: [fw-wiz] Secure Computing Sidewinder?
    ... We are moving off Sidewinder G2 solely because of the price. ... There are many different approaches to designing a firewall, ... thorough than most other "application proxy" firewalls, ... packet, tear it apart, inspects it, and then depending on the protocol it ...
    (Firewall-Wizards)
  • Re: ISA or ?: Suggestions, please
    ... OMA & Server Activesync - you wont find a hardware firewall capable ... being an Application Layer based firewall ISA is capable of deep ...
    (microsoft.public.isa)
  • RE: [Full-Disclosure] Sidewinder G2
    ... Secure Computing Sidewinder G2 Firewall Stops New High-Profile Sendmail ... Technology Prevents Sendmail Attack Warned About in CERT Advisory ...
    (Full-Disclosure)