Firewall Wizards mailing list archives
Re: IBM secureway firewall
From: "Paul D. Robertson" <proberts () patriot net>
Date: Thu, 5 Dec 2002 16:53:16 -0500 (EST)
On Wed, 4 Dec 2002, R. DuFresne wrote:
Can anyone give me info on this product? I see IBM claims it's been used by themselves for 10+ years to secure their networks, that it's an all-in-one product, packet filter, proxy/circuit level gateway, with VPN features, etc.
If it's the current incantation[1] of IBM's old "Secure Network Gateway" code, then I think I had one about 9 years ago running on an RS/6000 under AIX 3.25 (either on a 55L or a 590 Power2 box). At that point in time, it was simply a packet filter and SOCKS server for those who thought SOCKS was a security solution[2]. It was in the middle of my firewall, and was often up for ~2 years at a time until we needed to do things like add new interfaces to the box.

We had the primary architect out to do the original install, first time I've met a PhD who could do AWK scripting at the console in real-time, and we both learned some stuff :) It was my understanding at the time that we were one of the first large companies to put one up- which wasn't all that confidence inspiring.

The product was reasonable, but not exceptional as a packet filter, and I had it behind two other layers of filtering, with application layer gateways mostly behind it- not because of distrust though- but because of defense in depth. Outside of the obvious packet filtering foibles of the time, and AIX's usual idiosyncrasies with the ODM stuff (which I mostly bypassed whenever possible) it was a stable platform for packet filtering.

There was also a similarly named product that ran under OS/2, and would sit in a PC board hosted by an AS/400 system- and my confidence in that product was never all that high, but I refused to even evaluate it (given my suppositions about OS/2 stack writer availability at the time, I just thought it wasn't worth the time). It's the only time I've inherited a firewall product rather than chosen one that I've personally had to run.

I never had it handling e-mail itself because it used Sendmail, and I didn't have it doing DNS- other than that, it didn't have anything significantly proxyish at the time AFAIR. We passed on the chance to upgrade it at some point in the distant past, but didn't remove the box from the firewall chain until y2k issues became important.
Paul

[0] Your MX is brokenly not accepting mail directly- hopefully this will get to you.
[1] Yes, I said it again.
[2] Circuit level gateways suck in terms of trust relationships and enforcement boundaries- just like circuit plugboards, they're a convenient answer to someone who wants a single trust zone with fully trusted clients and who doesn't want to do any "real" security work. They're "quick and easy" in the "Pick one, Q&E or secure."

-----------------------------------------------------------------------------
Paul D. Robertson        "My statements in this message are personal opinions
proberts () patriot net       which may have no basis whatsoever in fact."
probertson () trusecure com   Director of Risk Assessment, TruSecure Corporation

_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
Current thread:
- IBM secureway firewall R. DuFresne (Dec 05)
- Re: IBM secureway firewall Paul D. Robertson (Dec 05)
- Re: IBM secureway firewall firegod (Dec 05)
- Re: IBM secureway firewall firegod (Dec 06)
- Re: IBM secureway firewall Marcus J. Ranum (Dec 05)
- Re:IBM secureway firewall gattaca (Dec 06)
- Re:IBM secureway firewall Peter Bruderer (Dec 07)