adelator @ tcgpo . com (Alberto de_la_Torre) asks:
: It is very interesting that you mention a "challenge" site. Do all the
: firewall vendors have challenge sites? Can you post a list of them
: if you know the other firewall vendors who have them?
As far as I know, Sidewinder is the only firewall that's had a
long-standing challenge site. I remember a couple others set up temporary
sites, or ran them briefly at conferences and such.
: In the absence
: of a list of (prior) breaches and their remedies, how can the consumer have
: faith that the firewall vendor will actually report if a breach has
: occurred? (It would seem better from a marketing point of view to always
: claim that the challenge site has NEVER been breached)
We set up the Sidewinder challenge originally so that anyone who
successfully breached it could unambiguously prove that they had done
so. We put a digitally signed message on an unprotected host on a LAN
behind a Sidewinder and presented a no-password telnet login to anyone
on the Internet who wanted to access it. We left it that way for over
a year, publicized it quite a bit, and watched what happened.
Nobody got through. Every so often I see a message posted by someone
who claimed they "got root" on Sidewinder, but the internal structure
prevents users from bypassing internal protections even if they think
they are root. So, you find people who claim they breached it (loudly
at times) but in fact failed to reach the signed message.
Today's Sidewinder challenge is a web site. We took down the old site
because we *never* sold products with that configuration and it didn't
seem legitimate to use a nonstandard device in our challenge.
There's been an ongoing debate as to the good and bad of challenge
sites (check the archives) though I remain biased in favor of them.
However, the organization has to be ready to face a failure. To get
the most out of a challenge site you need to treat it as a form of
beta testing. You have to keep a close watch on it and make full use
of whatever attack info you get. We originally expected the
Sidewinder challenge to last a few months before someone found their
way in, but nobody ever did.
: Do the firewall vendors make any attempts to breach each other's challenge
: sites?
I don't think we've ever paid any of our employees to attack
competitors' challenge sites.
Rick.
smith @ sctc . com    secure computing corporation