Firewall Wizards mailing list archives

Re: Re: AirGap's... one way protection


From: Joe Nall <joe () nall com>
Date: Wed, 18 Oct 2000 17:50:16 -0500

Jon Squire wrote:

Most of the attention AirGap's (e-Gap) has been getting in the list is focused on whether they are different from an 
application proxy when used in a bidirectional mode. What does not seem to be addressed is the added benefit of 
using an e-Gap in a unidirectional mode and why this is different from a firewall.

Whale Communications e-Gap can be physically locked (using a key) to allow only a one-way transfer of data. This one-way 
communication is implemented in hardware and cannot be changed by an attacker if he compromises the host 
computer. This gives us a safe failure state where we know no data can be transferred out (unless the attacker has 
physical access to the e-Gap device.) How many firewalls can absolutely guarantee that if they were taken over, the 
attacker won't be able to transfer data outbound... (well, I suppose you could clip the RX pair on your ethernet cable 
on the inside interface, but this could pose some other problems.)

You don't need a firewall at all for this, just a one-way serial
connection and a little bit of software. The problem with the one-way
approach is that the box doing the pushing doesn't know if the data ever
got to the destination. As soon as you add an acknowledgment from the
destination, you have a signaling channel back across the interface.

Variants of this have been used for decades to push information from
low trust environments to high trust environments. They are not popular
because they (like the aforementioned e-Gap capability) have _very_
limited utility in the real world.

FWIW, I don't buy into the e-Gap marketing at all. It has software
based failure modes for anything complicated it does - just like tools
based on more general purpose hardware. The proof will be in the
exploits (or lack thereof) over time protecting sites of interest.

Perhaps a hacking contest with motivating rewards might prove
something. Put one in front of an IIS and see how long the IIS remains
unviolated.

joe

_______________________________________________
firewall-wizards mailing list
firewall-wizards () nfr com
http://www.nfr.com/mailman/listinfo/firewall-wizards
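The trade-off Joe describes above, that a pusher on a one-way link cannot learn whether its data arrived and that any acknowledgment would reopen a return path, can be made concrete in code. The following is an added example written for this archive page, not code from either poster or from Whale's product. It simulates a unidirectional link with a constructed frame format (magic marker, sequence number, length, CRC-32) and shows the two things a receiver can do without any back-channel: discard corrupt frames and detect gaps in the sequence numbers, while the sender compensates for loss only by blind redundancy. The framing and the `redundancy` parameter are this example's own assumptions.

```python
"""Simulated one-way (data-diode style) transfer with no return channel.

Constructed example: the sender only writes frames; the receiver only reads
them. Loss can be detected on the receiving side from sequence gaps, but the
sender never learns about it, so it resends every frame a fixed number of
times instead of waiting for acknowledgments.
"""
import struct
import zlib

MAGIC = b"OW"  # constructed frame marker for this example


def encode_frame(seq: int, payload: bytes) -> bytes:
    """Frame = magic | seq (u32) | len (u16) | payload | crc32(header+payload)."""
    header = MAGIC + struct.pack(">IH", seq, len(payload))
    body = header + payload
    return body + struct.pack(">I", zlib.crc32(body) & 0xFFFFFFFF)


def decode_frame(frame: bytes):
    """Return (seq, payload), or None if the frame is truncated or corrupt."""
    if len(frame) < 12 or frame[:2] != MAGIC:
        return None
    seq, length = struct.unpack(">IH", frame[2:8])
    if len(frame) != 8 + length + 4:
        return None
    body = frame[:-4]
    crc = struct.unpack(">I", frame[-4:])[0]
    if zlib.crc32(body) & 0xFFFFFFFF != crc:
        return None
    return seq, frame[8:8 + length]


class OneWaySender:
    """Emits each record `redundancy` times and never reads anything back."""

    def __init__(self, redundancy: int = 2):
        self.redundancy = redundancy
        self.seq = 0

    def push(self, payload: bytes) -> list:
        frame = encode_frame(self.seq, payload)
        self.seq += 1
        return [frame] * self.redundancy


class OneWayReceiver:
    """Reassembles records, ignores duplicates, counts corrupt frames."""

    def __init__(self):
        self.records = {}
        self.corrupt = 0
        self.highest = -1

    def accept(self, frame: bytes) -> None:
        decoded = decode_frame(frame)
        if decoded is None:
            self.corrupt += 1
            return
        seq, payload = decoded
        self.highest = max(self.highest, seq)
        self.records.setdefault(seq, payload)  # duplicate copies are dropped

    def missing(self) -> list:
        """Sequence numbers below the highest seen that never arrived intact."""
        return [s for s in range(self.highest + 1) if s not in self.records]

    def delivered(self) -> list:
        return [self.records[s] for s in sorted(self.records)]


def simulate(payloads, drop_indexes=(), corrupt_indexes=(), redundancy=2):
    """Run sender -> lossy link -> receiver.

    drop_indexes and corrupt_indexes are positions in the on-the-wire frame
    stream; a corrupted frame has its last CRC byte flipped.
    """
    sender = OneWaySender(redundancy)
    wire = []
    for payload in payloads:
        wire.extend(sender.push(payload))
    receiver = OneWayReceiver()
    for i, frame in enumerate(wire):
        if i in drop_indexes:
            continue
        if i in corrupt_indexes:
            frame = frame[:-1] + bytes([frame[-1] ^ 0xFF])
        receiver.accept(frame)
    return receiver


if __name__ == "__main__":
    rx = simulate([b"alpha", b"beta", b"gamma"], drop_indexes=(2, 3))
    print("delivered:", rx.delivered())
    print("missing seq:", rx.missing(), "corrupt frames:", rx.corrupt)
```

Running the script with both copies of the second record dropped shows the receiver reporting `missing seq: [1]` while the sender, having no input side, carries on unaware. The example also exposes the limit of gap detection: if the last record's copies are all lost, `missing()` is empty because nothing later ever raises `highest`, so a real one-way deployment needs periodic heartbeats or end-of-batch markers from the sender to let the receiver notice a silent tail loss, still without any traffic flowing back.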

