Firewall Wizards mailing list archives

Re: Re: AirGap's... one way protection


From: Adam Shostack <adam () homeport org>
Date: Wed, 18 Oct 2000 19:41:43 -0400

Could you explain what is physically locked?  Is some data connection
broken at the hardware level, or is the Whale box reacting to a
hardware setting by changing its functionality in software?

If the connection is really broken, and data only flows one way, how
do you ensure that it has been reliably written?

Adam


On Wed, Oct 18, 2000 at 05:06:24AM -0500, Jon Squire wrote:
| Most of the attention AirGap (e-Gap) has been getting on the list is focused on whether they are different from an application proxy when used in a bidirectional mode. What does not seem to be addressed is the added benefit of using an e-Gap in a unidirectional mode and why this is different from a firewall.
| 
| Whale Communications e-Gap can be physically locked (using a key) to allow only a one-way transfer of data. This one-way communication is implemented in hardware and cannot be changed by an attacker if he compromises the host computer. This gives us a safe failure state where we know no data can be transferred out (unless the attacker has physical access to the e-Gap device.) How many firewalls can absolutely guarantee that if they were taken over, the attacker won't be able to transfer data outbound... (well, I suppose you could clip the RX pair on your ethernet cable on the inside interface, but this could pose some other problems.)
| 
| Some examples of a use for the one-way configuration of an e-Gap would be receiving confidential customer information (names, addresses, credit cards, etc.) You could pass the credit card information through an e-Gap in a one-way fashion. By using this layer of protection, even if an attacker could mount a successful data stream attack that would disclose the information (such as the entire credit card database), they would not have a vector to transfer the information to the outside because the e-Gap would not allow the data to be transferred outbound.
| 
| I think the ability to enforce unidirectional transactions in hardware is one of the main differences between Whale's 
e-Gap and a standard firewall.
| 
| 
| _______________________________________________
| firewall-wizards mailing list
| firewall-wizards () nfr com
| http://www.nfr.com/mailman/listinfo/firewall-wizards

-- 
"It is seldom that liberty of any kind is lost all at once."
                                                       -Hume
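
The reliability question raised above (a sender behind a hardware one-way link can never be told whether its data arrived) is easiest to see in code. The following is an added example written for this archive page, not code from the thread, from Whale, or from any e-Gap product: it models a one-way link with a sender that can only repeat itself, a receiver that can only verify and wait, and no return path at all. The frame format, the use of plain repetition instead of forward error correction, and the sample record are all assumptions made for the illustration.

```python
import struct
import zlib

# Constructed sample payload (not real customer data): the kind of record the
# post imagines pushing inward through the one-way e-Gap.
SAMPLE_RECORD = (
    b"name=Example Customer;addr=1 Main St;order=12345;"
    b"note=sent inward only, no return path"
)

HEADER = struct.Struct(">II")   # (sequence number, total chunks)
TRAILER = struct.Struct(">I")   # CRC-32 over header + chunk


def build_frame(seq, total, chunk):
    """Wrap one chunk with a sequence header and a CRC-32 trailer.

    The CRC is the receiver's only evidence of integrity: there is no
    acknowledgement path, so the sender can never be told about corruption.
    """
    body = HEADER.pack(seq, total) + chunk
    return body + TRAILER.pack(zlib.crc32(body) & 0xFFFFFFFF)


def send_one_way(data, chunk_size=16, redundancy=3):
    """Split data into chunks and emit every chunk `redundancy` times.

    Repetition is the only tool available to a sender that cannot hear back.
    Real diodes use forward error correction; repetition is the simplest
    stand-in and is an assumption of this example.
    """
    chunks = [data[i:i + chunk_size] for i in range(0, len(data), chunk_size)]
    frames = []
    for _ in range(redundancy):
        for seq, chunk in enumerate(chunks):
            frames.append(build_frame(seq, len(chunks), chunk))
    return frames  # the sender is done here with no idea what arrived


def one_way_channel(frames, drop=(), corrupt=()):
    """Model the link: frames whose index is in `drop` vanish, frames whose
    index is in `corrupt` get one payload byte flipped. Nothing flows back."""
    out = []
    for i, f in enumerate(frames):
        if i in drop:
            continue
        if i in corrupt:
            f = f[:-5] + bytes([f[-5] ^ 0xFF]) + f[-4:]
        out.append(f)
    return out


def receive(frames):
    """Reassemble on the inside. Returns (data_or_None, missing_seqs, bad_frames).

    The receiver can detect loss and corruption but can only keep waiting for
    another copy; it has no way to ask the sender for a retransmission.
    """
    parts, total, bad = {}, None, 0
    for f in frames:
        if len(f) < HEADER.size + TRAILER.size:
            bad += 1
            continue
        body, (crc,) = f[:-TRAILER.size], TRAILER.unpack(f[-TRAILER.size:])
        if zlib.crc32(body) & 0xFFFFFFFF != crc:
            bad += 1          # damaged copy: discard it, hope another arrives
            continue
        seq, total = HEADER.unpack(body[:HEADER.size])
        parts.setdefault(seq, body[HEADER.size:])   # first good copy wins
    if total is None:
        return None, set(), bad
    missing = set(range(total)) - set(parts)
    if missing:
        return None, missing, bad
    return b"".join(parts[i] for i in range(total)), set(), bad


if __name__ == "__main__":
    frames = send_one_way(SAMPLE_RECORD, chunk_size=16, redundancy=2)
    # Lose the first two frames and damage the third; the second round of
    # copies still carries every chunk across.
    data, missing, bad = receive(one_way_channel(frames, drop={0, 1}, corrupt={2}))
    print("recovered" if data == SAMPLE_RECORD else "lost chunks %s" % sorted(missing),
          "| bad frames:", bad)
```

The point the example makes is structural rather than numeric: the outside sender's `send_one_way` returns without any signal from the inside, so "reliably written" can only mean that the receiver independently verifies each copy and that enough redundancy was sent up front. If every copy of one chunk is lost, `receive` reports the gap, and the only remedy is a fresh transmission scheduled by the sender on its own, or a second channel (a person, a phone call, an out-of-band log check) that the diode does not carry.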


