Firewall Wizards mailing list archives
Re: Re: AirGap's... one way protection
From: Adam Shostack <adam () homeport org>
Date: Wed, 18 Oct 2000 19:41:43 -0400
Could you explain what is physically locked? Is some data connection broken at the hardware level, or is the Whale box reacting to a hardware setting by changing its functionality in software? If the connection is really broken, and data only flows one way, how do you ensure that it has been reliably written?

Adam

On Wed, Oct 18, 2000 at 05:06:24AM -0500, Jon Squire wrote:
| Most of the attention AirGap's (e-Gap) has been getting in the list is focused on whether they are different from an application proxy when used in a bidirectional mode. What does not seem to be addressed is the added benefit of using an e-Gap in a unidirectional mode and why this is different from a firewall.
|
| Whale Communications e-Gap can be physically locked (using a key) to allow only a one-way transfer of data. This one-way communication is implemented in hardware and cannot be changed by an attacker if he compromises the host computer. This gives us a safe failure state where we know no data can be transferred out (unless the attacker has physical access to the e-Gap device.) How many firewalls can absolutely guarantee that if they were taken over, the attacker won't be able to transfer data outbound... (well, I suppose you could clip the RX pair on your ethernet cable on the inside interface, but this could pose some other problems.)
|
| Some examples of a use for the one-way configuration of an e-Gap would be receiving confidential customer information (names, addresses, credit cards, etc.) You could pass the credit card information through an e-Gap in a one-way fashion. By using this layer of protection, even if an attacker could mount a successful data stream attack that would disclose the information (such as the entire credit card database), they would not have a vector to transfer the information to the outside because the e-Gap would not allow the data to be transferred outbound.
|
| I think the ability to enforce unidirectional transactions in hardware is one of the main differences between Whale's e-Gap and a standard firewall.
|
| _______________________________________________
| firewall-wizards mailing list
| firewall-wizards () nfr com
| http://www.nfr.com/mailman/listinfo/firewall-wizards

--
"It is seldom that liberty of any kind is lost all at once." -Hume
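Adam's question about reliable delivery over a hardware one-way link is the classic data-diode problem: with no return path the receiver cannot ACK or ask for a retransmit. The following Python is an added illustration, not Whale's e-Gap protocol or any code from the thread; it assumes a simple framing (sequence number, total count, SHA-256 digest, payload), a fixed repeat factor, and a constructed lossy channel, and shows that only the receiving side can ever detect a gap.

```python
import hashlib
import struct

# Constructed illustration of the reliability question above, not Whale's
# e-Gap protocol. With no return path there is no ACK and no retransmit
# request, so the sender tags each chunk with a sequence number and a digest
# and repeats it; the receiver keeps the first intact copy of each chunk and
# reports the gaps it could not fill.

REPEAT = 3          # redundancy factor assumed for the example
HEADER = 8 + 32     # seq (4) + total (4) + sha256 digest (32)

def frame(seq, total, payload):
    """Serialise one chunk as: seq, total, sha256(seq|total|payload), payload."""
    hdr = struct.pack(">II", seq, total)
    return hdr + hashlib.sha256(hdr + payload).digest() + payload

def send_one_way(data, chunk_size=4):
    """Split data into chunks and emit every frame REPEAT times, in order."""
    chunks = [data[i:i + chunk_size] for i in range(0, len(data), chunk_size)]
    frames = []
    for seq, chunk in enumerate(chunks):
        frames.extend([frame(seq, len(chunks), chunk)] * REPEAT)
    return frames

def receive_one_way(frames):
    """Reassemble from whatever arrived. Returns (data or None, missing seqs)."""
    got, total = {}, None
    for f in frames:
        if len(f) < HEADER:
            continue                      # truncated frame, ignore it
        digest, payload = f[8:HEADER], f[HEADER:]
        if hashlib.sha256(f[:8] + payload).digest() != digest:
            continue                      # corrupted copy; hope a repeat survives
        seq, total = struct.unpack(">II", f[:8])
        got.setdefault(seq, payload)
    if total is None:
        return None, []
    missing = [s for s in range(total) if s not in got]
    if missing:
        return None, missing              # only the receiving side can know this
    return b"".join(got[s] for s in range(total)), []

def lossy_diode(frames, drop, corrupt):
    """Constructed channel: drops the given frame indices, flips a byte in others."""
    out = []
    for i, f in enumerate(frames):
        if i in drop:
            continue
        if i in corrupt:
            f = f[:-1] + bytes([f[-1] ^ 0xFF])
        out.append(f)
    return out
```

Because the sender never learns what was lost, the repeat factor has to be chosen up front against the worst expected loss, and the receiver's gap report is the only evidence of whether the transfer was complete.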