CyberGuard Corp. has rebuilt its flagship firewall/VPN software on top of a Linux platform, and has started encouraging its customers to migrate to the new system, which promises more flexibility over the longer term.
The three new TSP, or Total Stream Protection, appliances see CyberGuard abandon SCO Group Inc.’s UnixWare 2.3 operating system for CG Linux, a new custom-made hardened Linux based on Red Hat 8 and the 2.4 kernel.
CyberGuard director of product management Andy Tate said the switch means the firm no longer needs to pay royalties to use UnixWare, and that CyberGuard engineers no longer need to write their own UnixWare drivers when new hardware is introduced.
The changes take effect in version 6 of the CyberGuard software. Version 5 will become referred to as legacy or classic CyberGuard, and the company will start to migrate existing customers onto the new platform.
“It’s not going to happen overnight, but we had to get the product out there and mature it,” said Tate. The company will support customers of the old platform for at least the next couple of years, Tate said.
While there are drawbacks from such a bold strategy shift, the move to Linux means that the company will be able to introduce bigger and better firewalls in future, Tate said.
AES acceleration, IPv6 support and active/active high availability are on the drawing board for future releases, as is a blade architecture. These features would not have been possible under the previous operating environment, he said.
The new TSP appliances have new algorithms for dealing with threats up and down the OSI stack, according to the company.
There are some hurdles to be overcome for the new platform to gain widespread adoption, however, Tate admitted.
Global Command Center, CyberGuard’s centralized management console, will not support v6 at first. In November, GCC will be upgraded to support monitoring of the new firewalls, but full two-way support will not be added until sometime in 2005.
The new firewalls have not yet received Common Criteria certifications, which some buyers, mainly government, require. Tate said the TSP line has already been submitted for EAL4 and FIPS evaluations.
Some features are also missing from the new software. VLAN support, UPS support, ATM support, a SIP proxy and multicast support are not in the first version of the appliances, but will be added quickly, Tate said.
One of CyberGuard’s claims to fame is that it has never had a published vulnerability in its products, unlike most firewall vendors. It remains to be seen whether the change of OS to Linux, in which vulnerabilities are often found, will change this.
But CG Linux implements RSBAC, Rule Set Based Access Control, an access control framework for the Linux kernel that provides a way to restrict users and program components from running unauthorized code.
Most of the vulnerabilities listed against stock Linux would most likely be mitigated by RSBAC, Tate said.