Although you can purchase the Sidewinder firewall package as a software-only product, the version we looked at was one of the increasing number of “appliance” firewalls on the market – an all-in-one bundle that includes both the software and an appropriate server, in our case a Dell PowerEdge 2650. Because we had the appliance version, there was no effort required to set up the firewall machine itself – it came pre-installed with all the necessary kit and software. The operating system of choice is BSD/OS (which comes as no surprise, given that this also underpinned Secure Computing’s BorderWare in the old days). Aside from the firewall itself, there are two other software packages on the CD, which you install to a Windows PC. One is the Enterprise Manager, which can be used to manage a collection of Sidewinders around a network, and the other is the Management Tools suite, which is used to define the settings of an individual machine. To get up and running, you run the Configuration Wizard, which is a simple process of walking through a dozen or so screens. The wizard is used to define the basic settings of the firewall (IP addresses, introductory permission settings, default IP routers and so on) and save them to a diskette. When the appliance starts up it reads this information from the diskette as part of the initial setup process, so you need to make a configuration diskette before you turn the box on. Once you’ve dealt with the basic config process, management is done over the LAN via the Admin Console, a Windows application. Although you can configure the unit to permit admin connections, both from inside and outside, you’d generally only allow connections from inside the LAN.

Reaching out...
Before you can use the firewall you need to license it. This involves an immense amount of faffing about, filling in a pointless Windows form, going to a website, filling in a Web form (with the same information you just filled in on the Windows form), saving the software key to a file, importing the file into the Admin Console, then rebooting the firewall. All the time the firewall is sitting beeping at you, trying to tell you “Hey, I’m not working because I’m not licensed yet” (indeed). At this point I should admit I have never come across such an obtuse system, and the only reason I didn’t chuck the thing out of the window was because the licensing task is a one-off process. Once the firewall is actually working, life improves. The management tool uses the usual Explorer-like hierarchical list of options down the left-hand side with the main detail pane on the right, and it’s pretty easy to find the bits you want to use. Policy Configuration comprises Rule Elements (you can define users, services, host computers and so on) and the Rules themselves (what user/group/host can communicate using what service[s] to what host). The idea of Service Groups is a nice one – you can define a group of services that can be used in a rule – so you could have a “power users” service set with Web, FTP, NetMeeting and so on, and a “peasant users” set with just email. Services Configuration controls the proxy services (there’s an impressive list of about 40 different proxy servers you can use, from SMTP to AOL), built-in servers (as it’s a Unix-like OS, you get things like the Sendmail mail transporter thrown in), DNS (the firewall can pass DNS requests to a separate DNS or can be told to act as your DNS itself), IP routing, Authentication (the unit can use an impressive range of methods to authenticate users, including LDAP, Windows NT authentication, built-in password files or one-time keys such as SecurID), Public/Private key Certificate Management, and URL blocking. 
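To make the Rule Elements / Service Groups / Rules idea concrete, here is a small added model of that policy structure in Python. It is our own illustration, not Secure Computing’s code and not the Sidewinder’s actual rule engine; the service names, user names, the “mailhost” address and the first-match-then-default-deny behaviour are all assumptions. It also adds a check the review implies you would want when rule sets grow: spotting a rule that can never fire because an earlier rule already covers it.

```python
"""Toy model of Sidewinder-style policy configuration (constructed example,
not the product's own code): services and hosts as rule elements, service
groups and user groups built from them, and rules that say which user group
may use which service group to reach which host."""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Service:
    """A rule element: a protocol/port pair (frozen so it can live in sets)."""
    proto: str
    port: int


@dataclass
class Rule:
    user_group: str     # who may talk
    service_group: str  # using which set of services
    dest: str           # to which named host, or "any"
    action: str         # "allow" or "deny"


@dataclass
class Policy:
    services: dict = field(default_factory=dict)        # name -> Service
    service_groups: dict = field(default_factory=dict)  # name -> set of service names
    user_groups: dict = field(default_factory=dict)     # name -> set of user names
    hosts: dict = field(default_factory=dict)           # name -> IP address
    rules: list = field(default_factory=list)           # evaluated in order

    def _services_in(self, group):
        return {self.services[n] for n in self.service_groups[group]}

    def _dest_matches(self, rule_dest, dest_ip):
        return rule_dest == "any" or self.hosts.get(rule_dest) == dest_ip

    def evaluate(self, user, proto, port, dest_ip):
        """First matching rule wins; no match at all means deny (assumed default-deny)."""
        wanted = Service(proto, port)
        for rule in self.rules:
            if user not in self.user_groups[rule.user_group]:
                continue
            if wanted not in self._services_in(rule.service_group):
                continue
            if not self._dest_matches(rule.dest, dest_ip):
                continue
            return rule.action
        return "deny"

    def shadowed_rules(self):
        """Indices of rules that can never fire: an earlier rule already covers
        every user, every service and the destination of the later rule."""
        shadowed = []
        for i, later in enumerate(self.rules):
            for earlier in self.rules[:i]:
                users_covered = self.user_groups[later.user_group] <= self.user_groups[earlier.user_group]
                services_covered = self._services_in(later.service_group) <= self._services_in(earlier.service_group)
                dest_covered = earlier.dest == "any" or earlier.dest == later.dest
                if users_covered and services_covered and dest_covered:
                    shadowed.append(i)
                    break
        return shadowed


def build_sample_policy():
    """Constructed sample mirroring the review's 'power users' / 'peasant users' idea."""
    p = Policy()
    p.services.update({
        "http": Service("tcp", 80),
        "https": Service("tcp", 443),
        "ftp": Service("tcp", 21),
        "h323": Service("tcp", 1720),  # NetMeeting call setup
        "smtp": Service("tcp", 25),
    })
    p.service_groups["power users"] = {"http", "https", "ftp", "h323"}
    p.service_groups["peasant users"] = {"smtp"}
    p.user_groups["power"] = {"alice"}
    p.user_groups["peasant"] = {"bob"}
    p.user_groups["everyone"] = {"alice", "bob"}
    p.hosts["mailhost"] = "192.0.2.25"  # assumed address from the TEST-NET range
    p.rules = [
        Rule("everyone", "peasant users", "mailhost", "allow"),
        Rule("power", "power users", "any", "allow"),
        Rule("peasant", "peasant users", "mailhost", "allow"),  # never fires: rule 0 covers it
    ]
    return p


if __name__ == "__main__":
    policy = build_sample_policy()
    print(policy.evaluate("alice", "tcp", 80, "203.0.113.10"))   # allow
    print(policy.evaluate("bob", "tcp", 80, "203.0.113.10"))     # deny
    print(policy.shadowed_rules())                               # [2]
```

The point of the model is the one the review makes about service groups: changing what “peasant users” may do is a one-place edit to the group, not a hunt through every rule. The shadowed-rule check is the kind of sanity test worth running on any first-match rule set, because a rule that never fires usually means the administrator believes something is restricted when it is not.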
With the exception of the last item, which seems to use the standard Squid package, the configuration screens are acceptably non-cryptic; to my mind, there’s a little too much emphasis on being able to edit low-level text-based configuration files with the URL blocking feature. The configuration screens for the VPN server are among the more usable we’ve come across. As we always say when we’re talking about VPN servers, there’s probably no such thing as a simple VPN configuration screen, because to have a secure VPN you have to muck about with cryptic-looking keys and loads of encryption-related TLAs. The Sidewinder’s certainly above average in this respect with its VPN control panels. The reporting facilities are more extensive than many (Netscreen take note), and there are many, many built-in reports. Although we did manage to get some reports out of the system – and they are well laid-out and informative – this wasn’t without (a) a number of instances where it made us give the admin username and password again; and (b) several “Index out of range” errors. The admin screens appear to be written as a set of Python scripts, rather than as (say) a Windows app or an MMC bolt-on, and so perhaps the problem was with the Python interpreter throwing a tantrum; not that this is any excuse, though, as our test machine was a simple Windows 2000 Pro PC with all the latest service packs and patches. (Note to Secure Computing: it’s slow – five or six seconds between clicking OK after entering the user ID before the password box appears – and you start to wonder whether it’s forgotten you’re there). The Firewall Administration section covers all the fundamental parameters of the firewall – the stuff you defined initially with the configuration wizard, plus some extra stuff such as high availability (which lets you have a pair of Sidewinders in a failover setup). 
There’s also a Software Management section here, where you can bolt in options or add patches that you’ve obtained from Secure Computing’s website. At the end of the menu is a Tools section, in which you can reconfigure the email and DNS services, and choose whether to use an external server or the built-in functionality for each. There are many aspects of the Sidewinder G2 we like. We like firewalls based on Unix-like operating systems, which leads us to approve of appliance-based packages because you don’t have hardware compatibility problems (one of BorderWare’s failings was that you had to buy some pretty esoteric, and sometimes quite antique hardware to make it work, because BSD/OS’s driver support was limited). And we’re very impressed with the extensive list of proxies, the well-thought-out user and service group concepts, the apparently simple-to-configure failover support, and the excellent support for a wide range of user authentication methods. But the administration screens suck. We’re talking industrial-strength Dyson here. Being bagless, no matter how much it’s sucked already, it keeps on sucking just as hard. The layout of the various options is actually very good, and it’s probably easier than, say, a SmoothWall or a NetScreen to remember where stuff is (and the VPN setup screens are very nice, as we’ve said). But why are the two items in the Tools menu not with the other service setup items? They seem to have been bolted on with no thought. Why did we get errors on the reporting screens? Why did we have to keep entering the admin username and password to get into reporting options? Why have they not put a nicer, more comprehensive GUI on the Squid configuration system instead of simply letting you edit text config files? Why is the whole thing so slow? (Okay, we know the answer to that one, it’s probably because it’s interpreted Python scripts rather than compiled Windows binaries). 
And why on earth is it so involved to license the damn thing in the first place? Secure Computing has let itself down with the administration screens on this product. With a better front-end, we would probably be raving about it. As it is, we just can’t find it in ourselves to say “Go buy one” because the Netscreen, SmoothWall, GNATBox, Firewall-1, even the Cisco PIX are all more usable, GUI-wise.

OUR VERDICT

A firewall should, obviously, have all the facilities you’re looking for (you may or may not require VPN, integration into your corporate directory structure, etc) so check the feature list. Consider also whether you need a pair of devices in failover mode. The administration software should also be usable, since the harder something is to configure, the easier it is to misconfigure.