Firewall Wizards mailing list archives
Re: Re: AirGap's... one way protection
From: Joe Nall <joe () nall com>
Date: Wed, 18 Oct 2000 17:50:16 -0500
Jon Squire wrote:
Most of the attention AirGap's (e-Gap) has been getting in the list is focused on whether they are different from an application proxy when used in a bidirectional mode. What does not seem to be addressed is the added benefit of using an e-Gap in a unidirectional mode and why this is different from a firewall. Whale Communications e-Gap can be physically locked (using a key) to allow only a one way transfer of data. This one way communication is implemented in hardware and cannot be changed by an attacker if he compromises the host computer. This gives us a safe failure state where we know no data can be transferred out (unless the attacker has physical access to the e-Gap device.) How many firewalls can absolutely guarantee that if they were taken over, the attacker won't be able to transfer data outbound... (well I suppose you could clip the RX pair on your ethernet cable on the inside interface, but this could pose some other problems.)
You don't need a firewall at all for this, just a one way serial connection and a little bit of software. The problem with the one way approach is that the box doing the pushing doesn't know if the data ever got to the destination. As soon as you add an acknowledgment from the destination, you have a signaling channel back across the interface. Variants of this have been used for decades to push information from low trust environments to high trust environments. They are not popular because they (like the aforementioned e-Gap capability) have _very_ limited utility in the real world.

FWIW, I don't buy into the e-Gap marketing at all. It has software based failure modes for anything complicated it does - just like tools based on more general purpose hardware. The proof will be in the exploits (or lack thereof) over time protecting sites of interest. Perhaps a hacking contest with motivating rewards might prove something. Put one in front of an IIS and see how long the IIS remains unviolated.

joe
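The one-way push Joe describes, as an added simulation that is not part of the thread: the sender can only write frames into the channel and learns nothing about delivery, so it compensates with repetition and an integrity tag, while gap detection happens on the receiving side only. Frame layout, repeat count and the loss model are constructed for illustration.

```python
import hashlib
import struct

# Constructed simulation of a one-way (data-diode style) link: the sender
# appends frames to the channel and never receives anything back.

REPEAT = 3                       # copies of each frame, to survive loss without acks
HEADER = struct.Struct(">IH")    # 4-byte sequence number, 2-byte payload length
TAG_LEN = 8                      # truncated SHA-256 so corrupted copies are rejected

def tag(seq: int, payload: bytes) -> bytes:
    return hashlib.sha256(struct.pack(">I", seq) + payload).digest()[:TAG_LEN]

def frame(seq: int, payload: bytes) -> bytes:
    return HEADER.pack(seq, len(payload)) + payload + tag(seq, payload)

def send(messages, channel: list) -> None:
    # Fire and forget: there is no return value because nothing flows back.
    for seq, payload in enumerate(messages):
        for _ in range(REPEAT):
            channel.append(frame(seq, payload))

def lossy(channel: list, dropped: set) -> list:
    # Model line loss by discarding the frames at the given positions.
    return [f for i, f in enumerate(channel) if i not in dropped]

def receive(channel: list):
    # Verify every copy, keep the first good one per sequence number, and
    # report gaps locally. Only the receiver ever knows about loss, and loss
    # of the *last* messages is invisible even to it unless the sender also
    # emits a count or a heartbeat.
    good = {}
    for f in channel:
        if len(f) < HEADER.size + TAG_LEN:
            continue
        seq, length = HEADER.unpack_from(f)
        payload = f[HEADER.size:HEADER.size + length]
        received_tag = f[HEADER.size + length:HEADER.size + length + TAG_LEN]
        if received_tag != tag(seq, payload):
            continue  # corrupted copy; another repeat may still arrive
        good.setdefault(seq, payload)
    highest = max(good) if good else -1
    missing = [s for s in range(highest + 1) if s not in good]
    return [good[s] for s in sorted(good)], missing
```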