Great Circle Associates Firewalls
(August 1995)

Subject: Sidewinder Challenge
From: dan thomsen <thomsen @ sctc . com>
Date: Wed, 2 Aug 1995 10:05:55 -0500
To: firewalls @ greatcircle . com

For the record:

The reward for completing the Sidewinder Challenge has not
changed!  Someone erroneously posted a message saying that
the reward for completing the challenge at DEFCON was $5000.

The reward still remains a black nylon flight jacket with the
Sidewinder logo on it.

In response to some of the discussion this has generated I thought
I would answer a few of the concerns that have been raised.

CONCERN 1. Setting up a challenge site does not provide sufficient testing.
           All a challenge site does is test how good the attackers are.

   We do NOT test the Sidewinder system by setting up a challenge site.
   We have a Systems test group that does systems testing.  They
   work independently from the developers to test the functionality
   and security of the system.

CONCERN 2. What good is the challenge, since it is not set up like
           a firewall?

[Note, for those not familiar with the Sidewinder challenge, we let you
login to the Challenge system and from there you have to get to a machine
on the internal network. The DEFCON challenge is going to be more
difficult and set up more like a firewall]

The Secure Computing Sidewinder challenge focuses on testing the type
enforcement technology, not the firewall capability.  Type enforcement
is what we use to protect sensitive data, applications, and network
interfaces in the firewall product.  Why do we focus on type
enforcement?  First off we want people to look at the system.  If it
was set up like a firewall only the successful people see inside the
system.  A firewall challenge is more difficult and attackers would
lose interest quickly.  Believe it or not we wanted to give the
hackers a chance to break into the system.  The standard Sidewinder
firewall product was modified to produce a Sidewinder challenge system
that gives the hackers three key advantages:

  - A login account on the firewall (demo with no password)
    Normally users do not have accounts on Sidewinder.

  - Four access violations before they are logged out
    On the Sidewinder firewall one violation causes a user to be logged out.

  - Loose Unix administration
    Rather than remove every piece of software on the system and tighten
    security so hackers have nothing to work with, we left many Unix
    programs on the challenge system, including a compiler.  On the
    Sidewinder firewall programs that are not needed are removed.

People can get inside the challenge system and look around.  We
have had approximately 10 people get 'root' access.  Since type
enforcement is underneath the Unix permissions it doesn't do them
any good.  The attacker is still constrained by the underlying
type enforcement constraints.

As a result we get to learn what kind of attacks people are using
against Unix systems.  More importantly this shows that type enforcement
is a useful tool in preventing system compromises.

The biggest reason to create a challenge site that is different from
the Sidewinder firewall product is to protect our customers.  If there
ever was a successful attack found on the Sidewinder challenge site it
could not be used directly on the Sidewinder firewall.  The challenge
site is currently based on a pre-1.0 release of Sidewinder. Currently
we are shipping 2.0 systems, and upgrading all our customers to 2.0
systems.  We monitor the challenge site every day and if someone finds
a vulnerability we can respond immediately by closing the
vulnerability and notifying all our customers.

The DEFCON firewall challenge is more difficult than the Sidewinder
Challenge. While it looks more like the Sidewinder firewall product,
we are only running the DEFCON challenge for a short period of time, and
it will be closely monitored.

CONCERN 3. Is the Challenge a serious learning tool or a Marketing tactic?

The answer is both.  We learn about attacks on the Unix operating system.  People
who log in to the challenge site learn about type enforcement.  If you
are considering buying a firewall system, what better way to evaluate it
than to log in and kick the virtual tires?

Dan Thomsen
Secure Computing
thomsen @ sctc . com
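The post's central claim is that type enforcement sits underneath Unix permissions, so an attacker who reaches 'root' on the challenge box is still held by the domain/type table, and that the challenge system tolerates four access violations before logout where the shipping firewall tolerates one. The following toy reference monitor is an added illustration of that property; it is constructed for this archive page and is not Secure Computing's Sidewinder code. The domain names (`user_d`, `proxy_d`, `admin_d`), type names and the table contents are assumptions chosen to make the point, not Sidewinder's actual policy.

```python
"""Toy type-enforcement (TE) reference monitor.

Constructed illustration, not Secure Computing's Sidewinder implementation.
It models the property described in the post: every access is decided by a
(domain, type) table that is checked independently of the Unix uid, so
gaining uid 0 does not widen what a process may touch.
"""
from dataclasses import dataclass, field

# Domain Definition Table: which operations a domain may perform on a type.
# Assumed domain/type names; not Sidewinder's real policy.
DDT = {
    ("user_d", "user_file_t"): {"read", "write", "execute"},
    ("user_d", "shell_t"): {"execute"},
    ("proxy_d", "internal_net_t"): {"connect"},
    ("proxy_d", "user_file_t"): {"read"},
    ("admin_d", "config_t"): {"read", "write"},
}


@dataclass
class Process:
    pid: int
    uid: int          # Unix uid; 0 means root
    domain: str       # TE domain, assigned by policy, not derived from uid
    violations: int = 0


@dataclass
class Monitor:
    # Violations allowed before the session is terminated:
    # the post states 1 on the shipping firewall, 4 on the challenge box.
    max_violations: int
    log: list = field(default_factory=list)

    def check(self, proc: Process, obj_type: str, op: str) -> bool:
        """Return True if the TE table allows the operation.

        Unix permission bits are evaluated separately by the kernel; a deny
        here is not overridable by uid 0 because uid is never consulted.
        """
        allowed = op in DDT.get((proc.domain, obj_type), set())
        if not allowed:
            proc.violations += 1
            self.log.append(
                f"pid={proc.pid} uid={proc.uid} domain={proc.domain} "
                f"denied {op} on {obj_type} (violation {proc.violations})"
            )
        return allowed

    def session_terminated(self, proc: Process) -> bool:
        return proc.violations >= self.max_violations


def challenge_box_scenario():
    """Attacker has obtained uid 0 on the challenge system but is still in
    the user domain. Returns (per-access results, violation count,
    whether the session was terminated)."""
    monitor = Monitor(max_violations=4)
    attacker = Process(pid=101, uid=0, domain="user_d")
    results = [
        monitor.check(attacker, "user_file_t", "read"),        # permitted
        monitor.check(attacker, "internal_net_t", "connect"),  # denied: root or not
        monitor.check(attacker, "config_t", "write"),          # denied: root or not
    ]
    return results, attacker.violations, monitor.session_terminated(attacker)


def firewall_product_scenario():
    """Same attacker on a box configured like the shipping firewall:
    a single violation ends the session."""
    monitor = Monitor(max_violations=1)
    attacker = Process(pid=202, uid=0, domain="user_d")
    monitor.check(attacker, "internal_net_t", "connect")
    return attacker.violations, monitor.session_terminated(attacker), monitor.log


if __name__ == "__main__":
    print(challenge_box_scenario())
    print(firewall_product_scenario())
```

The design point to notice is that `check` never reads `proc.uid`: the decision depends only on the domain the policy assigned to the process and the type label on the object. That is what makes a root compromise inside the user domain unable to reach internal-network or configuration types, and why the denial log, rather than a successful login, is the signal a defender watches.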