April 2003

Test Center: Sidewinder Runs the Gauntlet

Secure Computing creates an impressive solution by merging two leading firewalls into the Sidewinder G2.

BY Fred Avolio

Secure Computing is making the boisterous claim that its new Sidewinder G2 Firewall is “the world’s strongest firewall/VPN” solution. It’s a bold claim, indeed. The perimeter appliance is the marriage of Secure Computing’s flagship Sidewinder firewall and the Gauntlet firewall that Secure Computing acquired from Network Associates last year. While we can’t endorse Secure Computing’s claim, our tests show that Sidewinder G2 has all the qualities and functions of a world-class enterprise firewall.

Around the Box

The Sidewinder G2 runs on SecureOS, a hardened version of Unix that Secure Computing built with its patented Type Enforcement, which provides strong separation between the OS and applications and between individual applications. This level of security isn’t a “must have,” but it’s another line of defense that’s exceptionally attractive and unique.

The Sidewinder G2 also has built-in VPN functionality. The appliance is IPSec and IKE compliant and ICSA Labs certified. It supports XAUTH and works with X.509 certificates. The VPN works with SafeNet’s SoftRemote client and interoperates with the Certicom MovianVPN client and all ICSA IPSec-certified VPN clients.

Easy Setup and Configuration

The setup “wizard” walked us through a few questions: firewall serial number to initiate the license, type of firewall (stand-alone or enterprise managed), host name, primary admin and password, names for the internal and external interfaces (called “burbs”), IP address parameters for each, routing defaults, DNS service information, SMTP server, initial state of the firewall (admin services only or standard Internet) and time zone. Within a few minutes, the wizard creates a setup floppy, which automatically configures the firewall for immediate deployment.
Administration

The Sidewinder G2 Console is a Windows-based program that runs on a desktop computer, allowing the administration of single or multiple firewalls. It presents a Microsoft Management Console-style tree-structure interface, showing the names of all the firewalls that can be managed via an SSL connection. Admins can authenticate to firewalls with username/password, LDAP, Microsoft NT, SafeWord, SecurID and SecureNet Key tokens.

The first item on the administration tree is “Rule Elements,” another feature gleaned from GEMS that gives the Sidewinder G2 the ability to customize the deployment of generalized rules. This, in turn, permits rapid deployment of changes to firewall rules, even with many distributed firewalls. Rule Elements fit into three different categories: Network Objects; Users and User Groups; and Service Groups.

We used the following Network Objects to build rules, filling in a table and using pull-down menus: subnets “Inside” and “Outside”; hosts called “SMTP host,” “Web Server” and “localhost”; and IP Addresses called “Firewall” and “DNS Server.” “Users and User Groups,” in our setup, was just users “Fred” and “Other.”

The values of these subnets are stored in a database and are unique to the particular firewall. This isn’t exciting in a one-firewall environment, but really shines in multiple firewall installations. It allows admins to uniquely apply general rules to each firewall with literally one mouse click.

The Sidewinder G2 interface uses Rule Groups. Admins with groups of firewalls running on different sites will appreciate being able to see all the rules laid out in a tree structure or tied together in related clumps. Admins can use this function to pick groups of standard rules to build policies for particular firewalls or particular functions.
The name of our active rule group was “Default,” which included the subgroups DNS, which has DNS-specific rules; Mail, with a rule called SMTP_out (for outbound e-mail connections) and SMTP_in; and HTTP, which grouped rules called HTTP_in, HTTP_out and HTTP_SSL_out. Each of these rules related to specific proxies and specified the policy for that proxy. For instance, we specified in HTTP_out that HTTP traffic could flow from any inside address to any outside address with no user authentication. HTTP_in, providing access to an internal Web server, allowed access, but only after user authentication.

Sidewinder G2 supports both security proxies and stateful packet filters. Using security proxies provides the ability to do more security analysis. For example, admins can provide HTTP service through the firewall with a plain packet filter: a policy can specify what to allow based on IP packet header information. Adding stateful inspection, admins can keep track of additional attributes of the connection (ICMP messages sent, etc.). Using the HTTP proxy, admins can check those same things, plus application-specific properties, in this case controlling HTTP commands (GET, POST, HEAD, PUT, etc.).

We wish that we could have added authentication to every proxy. Some allowed authentication, while others didn’t. This is because some network services have a place to slip in extra user authentication (for example, Telnet and FTP), while others don’t (such as RealMedia). Still, we’d like the flexibility and consistency. The only complaint with the GUI is that it sometimes crashed, which may be attributable to our testing a prerelease version.

Snapshot: Sidewinder G2 Firewall Model 1000 (sidebar: purpose, key features, pros, cons, verdict)
Granularity and Security

In a large enterprise, many people have the same requirements for Internet access. Most can do without difficult-to-secure services, like Microsoft’s NetMeeting. Most avoid using SecSH (Secure Shell), for example. And for the small number who do, most are just fine with the extra security achieved with a proxy. We wanted to deal with just such a situation.

In our test environment, we assumed that most people have e-mail, access the Web, use NetMeeting and employ SecSH to remotely administer routers and other devices. We also assumed that one user needs SecSH to update very large multimedia files to the external Web servers and wants to do it at the highest speed possible. In this scenario, an enterprise can allow certain users to employ SecSH for secure copying of data files via proxies, such as copying large audio files to Web servers behind the firewall.

We used the already configured and installed SSH proxy (the name of the proxy that handles the SecSH protocol) and also created a packet filter rule called ssh_filter (TCP port 22). We created a Netgroup called “Audio Servers” in Network Objects for the Web servers with audio content and another for IP address objects for the workstations of all the users that had to use the service. We then configured the filter rule to allow connections from AudioClients to AudioServers coming from the internal burb going to the external.

This is a big deal. To properly configure a firewall in an environment with so many differing requirements is often nightmarish. Many firewall admins just go with the lowest common denominator. It’s a piece of cake with Sidewinder G2.

An impressive security appliance, the Sidewinder G2 Firewall is easy to configure and provides powerful mechanisms to build secure, distributive, deployable policy rules. Secure Computing did a fine job merging these two firewalls to make an even better solution.
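To illustrate the layered checks the review describes (packet filters that see only headers, proxies that also enforce authentication and HTTP verbs, both built from Rule Elements such as network objects and burbs), here is an added Python sketch of a policy evaluator; it is not Sidewinder's code or rule syntax. The addresses, the HTTP method sets and the dict-shaped connection record are constructed assumptions; the rule names (HTTP_out, HTTP_in, ssh_filter) follow the review.

```python
from ipaddress import ip_address, ip_network
from dataclasses import dataclass

# Constructed Network Objects, modelled on the review's Rule Elements.
NETWORK_OBJECTS = {
    "Inside": [ip_network("10.0.0.0/8")],
    "Outside": [ip_network("0.0.0.0/0")],
    "Web Server": [ip_network("10.1.1.80/32")],
    "AudioClients": [ip_network("10.2.0.10/32"), ip_network("10.2.0.11/32")],
    "AudioServers": [ip_network("203.0.113.0/24")],
}

@dataclass
class Rule:
    name: str
    kind: str                # "filter" (packet filter) or "proxy" (application proxy)
    port: int
    src: str                 # Network Object names
    dst: str
    src_burb: str            # interface names, as in the review ("burbs")
    dst_burb: str
    require_auth: bool = False
    methods: frozenset = frozenset()   # HTTP verbs a proxy rule allows (assumed sets)

RULES = [
    Rule("HTTP_out", "proxy", 80, "Inside", "Outside", "internal", "external",
         methods=frozenset({"GET", "POST", "HEAD"})),
    Rule("HTTP_in", "proxy", 80, "Outside", "Web Server", "external", "internal",
         require_auth=True, methods=frozenset({"GET", "HEAD"})),
    Rule("ssh_filter", "filter", 22, "AudioClients", "AudioServers", "internal", "external"),
]

def _in_object(addr, name):
    return any(ip_address(addr) in net for net in NETWORK_OBJECTS[name])

def decide(conn):
    """conn: dict with src, dst, port, src_burb, dst_burb and, for proxied traffic,
    authenticated (bool) and method (HTTP verb). Returns (verdict, matching rule)."""
    for r in RULES:
        # Layer 3/4 match: the only part a plain packet filter can see.
        if (conn["port"] == r.port and conn["src_burb"] == r.src_burb
                and conn["dst_burb"] == r.dst_burb
                and _in_object(conn["src"], r.src) and _in_object(conn["dst"], r.dst)):
            if r.kind == "filter":
                return "allow", r.name
            # Proxy rules also see application data: user auth and the HTTP verb.
            if r.require_auth and not conn.get("authenticated", False):
                return "deny:auth-required", r.name
            if conn.get("method") not in r.methods:
                return "deny:method", r.name
            return "allow", r.name
    return "deny:no-rule", None   # default deny when nothing matches
```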
FRED AVOLIO is president and founder of Avolio Consulting, a Maryland-based security consulting firm, and an Information Security columnist. He was one of the original developers of the Gauntlet firewall.