Firewall Wizards mailing list archives

Air Gaps vs. Firewalls


From: "Mike Bobbitt" <bobbitt () cipherlogic on ca>
Date: Fri, 29 Sep 2000 18:20:41 -0400

Folks,

I've been following the discussion of Air Gaps vs. Firewalls for a bit, and just wanted to chime up with my two cents 
worth. (I hope I'm not resurrecting a dead discussion.) There have really been two questions asked here, as far as I 
can see.

First, are air gaps different from Firewalls?

In some respects, it's the same as asking is a proxy forwarder different from a packet filter different from an 
intelligent router? They can all perform a similar function, but do it through different implementations, and are each 
best suited for a specific purpose.

I guess we really need a definitive definition for "Firewall" before we can answer that question in a meaningful way. 
(I haven't seen such a beast, but I'm sure it exists.) Since we're probably all working off slightly different 
definitions, our view of where an air gap fits is also bound to be different.

Second question: Are air gaps useful?

This one doesn't have a yes/no answer. In some environments, they add value. In some, they don't (or may even be a 
detriment). The security organization for each environment should do an independent study to see if anything can be 
gained from using an Air Gap.

Whether or not you believe an Air Gap is a Firewall variant, I'm sure security professionals will agree that defence in 
depth is an excellent theory to design by. That means that if the hacker gets through your firewall because of 
vulnerability X, they (probably) can't use that same vulnerability to breach your air gap. If they now need to 
implement vulnerability Y to get through, it makes their job tougher, and yours easier. Pretty basic stuff, and it goes 
for using any security system in this manner. In essence, it means your hacker must know more about more systems and be 
more sophisticated to be a real threat. Rules out a lot of the script kiddies right there.

