> OK, so the Sidewinder G2 is a munge of the Sidewinder and Gauntlet?
Personally I doubt that any Gauntlet code made it into G2,
just a few concepts and some of the look-and-feel.
> Both of which have been exploited, at least to a minor degree,
> since 2003.
> So how does that make the Sidewinder G2 something that hasn't
> been cracked in *ten years*? This puzzles me.
The CERT advisory cited indicates that a buffer overflow in the DNS
component of the Sidewinder does the attacker no good, since the "Type
Enforcement" (similar to SELinux, etc) prevents actually doing anything
interesting with an overflow.
Technically, Sidewinder G2 is built on top of a BSD-based OS with
custom filesystem and system/network call access controls. In reality,
you don't have the option to compile and run custom executables, so
it's easier to treat the Sidewinder appliance like a black box with "no
user serviceable parts inside".
> As I said, marketing weasel-words aside,
> it looks to be a pretty good solution.
That pretty much sums up the product.
If you absolutely need a commercial all-in-one firewall appliance,
and you have a huge budget, or you are the government, armed forces,
or a large bank, then the Sidewinder G2 should go on your short list.
I only know one person who uses a G2 to protect his home network :)
> Automatic restart, yeah, I know -
> probably the bestof a bad set of circumstances.
Automatic service restart on the G2 is little different than half a
dozen open source tools (e.g. Bernstein's "daemontools") , only with
less tunability and no access to the source. Actually, that applies to
most of the Sidewinder G2 functionality.
Sometimes, particularly in large organizations, it doesn't matter that
your staff doesn't have the option to tune the system for performance,
to tweak (or even see) the source code, to diagnose and repair security
and other flaws on their own. Sometimes, being locked into only the
features and tunables which the vendor exposes via GUI and a few
limited command-line tools is a feature.
> How much control does the admin have over this automatic black-holing?
> And how granular is it? And how about DDoS?
The thresholds and durations are tunable per-rule and per-service, but
the blackholing is always per-IP address, no way to do subnet masks.
DDoS survivability is good. IIRC, G2 has the same sort of SYN-ACK
proxying/spoofing as OpenBSD and other modern BSDs, so SYN floods are
not passed in to protected servers.
> Or, dread to say,
> spoofed IPs causing a valid set of addresses to be rejected?
For TCP protocols, only reacting to hosts that have completed the
three-way-handshake addresses 99.9999% of the spoofed IP risk.
> You've got me interested, now (although still not for my home network,
>unless it's a helluva lot cheaper than I suspect :o)
I'd venture that Sidewinder is a helluva lot more expensive than you
Moderator, unofficial Sidewinder Users group http://groups.yahoo.com/group/sidewinder-users/