Firewall Wizards mailing list archives

Re: AirGap's... one way protection


From: "Jon Squire" <jsquirelists () eudoramail com>
Date: Wed, 18 Oct 2000 05:06:24 -0500

Most of the attention AirGap's (e-Gap) has been getting in the list is focused on whether they are different from an 
application proxy when used in a bidirectional mode. What does not seem to be addressed is the added benefit of using 
an e-Gap in a unidirectional mode and why this is different from a firewall.

Whale Communications e-Gap can be physically locked (using a key) to allow only a one way transfer of data. This one 
way communication is implemented in hardware and cannot be changed by an attacker if he compromises the host computer. 
This gives us a safe failure state where we know no data can be transferred out (unless the attacker has physical 
access to the e-Gap device.) How many firewalls can absolutely guarantee that if they were taken over, the attacker 
won't be able to transfer data outbound... (well I suppose you could clip the RX pair on your ethernet cable on the 
inside interface, but this could pose some other problems.)

Some examples of a use for the one way configuration of an e-Gap would be receiving confidential customer information 
(names, addresses, credit cards, etc.). You could pass the credit card information through an e-Gap in a one way 
fashion. By using this layer of protection, even if an attacker could mount a successful data stream attack that would 
disclose the information (such as the entire credit card database), they would not have a vector to transfer the 
information to the outside because the e-Gap would not allow the data to be transferred outbound.

I think the ability to enforce unidirectional transactions in hardware is one of the main differences between Whale's 
e-Gap and a standard firewall.




_______________________________________________
firewall-wizards mailing list
firewall-wizards () nfr com
http://www.nfr.com/mailman/listinfo/firewall-wizards

