Firewalls: Re: IBM's NetSP Secured Network Gateway

Firewalls
(January 1995)

Indexed By Thread: [Previous] [Next]

Subject:	Re: IBM's NetSP Secured Network Gateway
From:	afx @ ibm . de (Andreas Siegert)
Date:	Mon, 9 Jan 1995 16:32:53 +0100 (CET)
To:	adam @ bwh . harvard . edu (Adam Shostack)
Cc:	xuthus @ dss . gov . au, Firewalls @ GreatCircle . COM
In-reply-to:	<199501090531 . AAA17519 @ bwh . harvard . edu> from "Adam Shostack" at Jan 9, 95 00:31:24 am

This is me as a beta customer of the gateway...

> | Has anyone had any experience with IBM's NetSP Secured Network Gateway?
> | Anybody want to make any comments about it? positive? negative?
> 
> 	The product manager was kind enough to send me a copy of the
> manual.  (Scott Baumann (sbaumann @
 vnet .
 ibm .
 com)) Its a socks based
> bastion system, with support for several smartcards systems.  It runs
> on an rs/6000, with aix 3.2.5.

Actually it contains also a complete packet filter with logging.
And for those that can not run socksified clients, there are proxy ftp and
telnet daemons.

> 	Overall, it seemed to be a decent system.  It used code from
> outside IBM, and seemed to be a decent first pass at building a
> firewall.  I had a number of criticisms, which I'll mention, but it
> did seem to be a decent basis on which to build.

The only outside thing is socks as far as I know, the filter and the proxies
are from internal systems that have been running for quite some time serving
thousands of users. 

But I agree. It is a good basic system to built a firewall with.
And I also do not like some of the details...

> 	1.  Its a SMIT installable image.  Theres very little said
> about cutting down AIX bloat & suid's.  The manual does mention
> cutting whats in inetd.conf.  However, I think AIX is way too big to
> be trusted.
You really don't need to install much for the firewall. And I wouldn't.

> 	2.  It uses IBM's sendmail.  Not ucb 8.6.9, not smap, smail or
> anything else, but sendmail.
Yup, I would have liked to see a different solution....

> 	3.  Nothing like tripwire seems to be included.
Hmm. The initial product does not use it by default (I hope future ones will),
but have you checked the TCB in AIX? It is a pretty nifty inegrety checker
once configured propperly.

Unfortuantely the current docs don't cover it, but when adding the AIX audit
facility you can get a realtime trace fo a lot of events. On my gateway
systems this includes write access to any configuration file. With the right
setup you have a realtime trace of hot events.
 (AIX audit > syslog > remote syslog > swatch)

> 	4.  No high speed network adapters (I noted a lack of FDDI and
> ATM)
I think that is just the manual, it should work on any IP connection, haven't
tested it yet though.

> 	5.  The manual didn't cover testing enough.
Yup, that one could be better.

cheers
afx

-- 
Andreas Siegert / Postmaster   IBM Deutschland GmbH   |   Never grep a yacc
AIX Field Support Center       Anzinger Strasse 29    |   by the i-node!
Internet: afx @
 ibm .
 de           D-81671 Muenchen       |   Opinions are my own,
VNET: AFX @
 IPNET                Voice: (49)-(89)-4504-4509 not IBM's.

References:

Re: IBM's NetSP Secured Network Gateway
From: Adam Shostack <adam @ bwh . harvard . edu>

Indexed By Date	Previous:	Re: IBM's NetSP Secured Network Gateway From: Frank Wortner <frank @ prodigy . com>
Indexed By Date	Next:	TCP/IP Firewall System Comparisons From: roosekj @ freedom . msfc . nasa . gov (kathryn Roose)
Indexed By Thread	Previous:	Re: IBM's NetSP Secured Network Gateway From: Frank Wortner <frank @ prodigy . com>
Indexed By Thread	Next:	ISS scanning from tostada.engr.ucdavis.edu From: syshtg @ gsusgi2 . gsu . edu (Tom Gillman)