Secure Computing’s Sidewinder Firewall Impervious To Critical UNIX Vulnerability
Sidewinder’s Patented Type Enforcement(tm) Architecture Thwarts Complete System Compromise Attack Detailed in CERT® Advisory CERT-2001-21
SAN JOSE, CA, July 31, 2001 – Secure Computing Corporation (NASDAQ: SCUR), a leading provider of enterprise access control solutions, today announced that its Sidewinder(tm) firewall and VPN gateway is not susceptible to the serious vulnerability that was reported in the recent CERT Advisory, CERT-2001-21. The Advisory reported that systems running versions of telnetd derived from BSD source code are vulnerable to an attack allowing unauthorized, complete, system access.
Telnetd is an application commonly used for remote administration and is generally included in commercial UNIX operating systems. The telnetd vulnerability referenced is not applicable to Sidewinder as a result of disciplined security software design practices in combination with Secure Computing’s patented Type Enforcement(tm) technology. Sidewinder’s telnetd services are greatly restricted due to both known and theoretical vulnerabilities. This least privilege design renders the attack described in the CERT-2001-21 Advisory useless. In addition, Sidewinder’s operating system, SecureOS(tm), built on Secure’s Type Enforcement technology, has further defenses against this attack that would trigger multiple security violations.
Specifically, the attack first attempts to start a shell process. Sidewinder’s embedded Type Enforcement security rules prevent telnetd from replicating itself and accessing the system shell programs. Even without this embedded, tamper proof rule in place, other Type Enforcement rules also defend against this attack. As an example, the new shell would need administrative privileges and those privileges are not available to the telnetd services.
“Our competitors are rushing to develop and issue patches to address this vulnerability. Because Sidewinder integrates a secure operating system, SecureOS, there’s nothing to patch,” said Mike Gallagher, vice president and general manager of the Network Security Division at Secure Computing. “Most firewalls can protect you against known vulnerabilities. Only Sidewinder, with its fundamental defense-in-depth architecture, can protect you against tomorrow’s vulnerabilities, today.”
Sidewinder’s fundamental defense-in-depth architecture was first released to the market in 1995. Since that time, Sidewinder has demonstrated its superiority over competitors’ react-and-patch security solutions, which have continuously exposed mission critical networks to the attack du jour.
Sidewinder is the world’s strongest firewall, and with its powerful VPN gateway delivers an impenetrable network shield without sacrificing ease of use, reliability and scalability. The strength of Sidewinder was further demonstrated recently when it was the first firewall accepted into evaluation against Common Criteria’s highest Evaluation Assurance Level available for firewalls, EAL4+ which included EAL5 components. Sidewinder’s hybrid architecture combines stateful inspection, application filtering, IPSec-certified VPN and real-time intrusion alerts into one simple software package that runs on low-cost Intel® hardware. At the hardened core of Sidewinder is SecureOS, a performance-optimized, highly secure operating system built with Secure Computing’s patented Type Enforcement technology. The result is uncompromised perimeter defense that is easy to deploy and manage across any enterprise.
About Secure Computing
Headquartered in San Jose, CA, Secure Computing Corporation (NASDAQ: SCUR) is a leading provider of enterprise access control solutions. Secure Computing software products and services control access to applications and networks based on user authentication and authorization to market-leading VPNs, firewalls, Web servers and embedded devices. Secure Computing’s worldwide partners and customer base are counted among the Fortune 50 in financial services, healthcare, telecom, communications, manufacturing, technology and Internet service providers, as well as some of the largest agencies of the United States government. For more information, visit the Secure Computing Web site at www.securecomputing.com.
All trademarks, trade names or service marks used or mentioned herein belong to their respective owners.
This press release contains forward-looking statements relating to the statement that the Sidewinder firewall and VPN gateway is not susceptible to the serious vulnerability that was addressed in the recent CERT Advisory, CERT-2001-21, and such statement involves a number of risks and uncertainties. Among the important factors that could cause actual results to differ materially from those indicated by such forward-looking statements are technical difficulties, undetected software errors or bugs, delays in product development, changes in customer requirements and the risk factors detailed from time to time in Secure Computing’s periodic reports and registration statements filed with the Securities and Exchange Commission.