Firewall Wizards mailing list archives

re: Air Gap technology


From: <rreiner () fscinternet com>
Date: Fri, 29 Sep 2000 16:06:15 -0400

Having recently had the opportunity to work directly with one of the 
Air Gap products (the eGap from Whale Communications), I've followed 
this thread with interest.

Surprisingly, many people seem to have missed one of the major factors 
which make Air Gap products such as the eGap interesting and useful.

First, however, it's important to note that those who say that there is 
no hard high-level functional difference between what the eGap does, 
and what an ordinary application proxy does, are quite correct.  Both a 
traditional application proxy and an air gap product provide access 
controls; both block all L2 and L3 traffic; both selectively move 
upper-layer traffic across a trust boundary by non-L3 means (in a 
traditional application proxy this is selective buffer-copying; in an 
air gap, specialized hardware is involved).  [But see Note* below, 
because even though there isn't a high-level theoretical difference at 
this level, the actual functionality is quite different.]

However, as they say,  "security is not a functional concept".  Meaning 
that security is equally about isolation or compartmentalization (which 
is achieved through authentication, authorization, content controls, 
and much related functionality) and about assurance or trust that the 
isolation functions are robust and correct (which is not about 
functionality at all).

The point is that any traditional application proxy firewall, 
architected as software running atop a general-purpose operating 
system, has failure modes in which L2 or L3 isolation fails and the 
device passes L2 or L3 traffic, effectively becoming a bridge or a 
router -- the software can have a bug, the administrator can make a 
mistake, or the device can be subverted through a buffer overflow, 
format-string overflow, etc.

Technologies such as Whale's eGap don't have this easily-reachable 
failure mode.  If there actually is a failure mode in which the eGap 
device is so compromised that it begins to operate as a bridge or 
router -- quite unlikely, since it would require some pretty fancy 
footwork to pass Ethernet frames or IP datagrams over a solid state 
SCSI disk -- any such is certainly in a much more remote region of the 
total state space of the device than the analogous failure is in the 
state space of a conventional application proxy firewall.

That's not a difference in functionality, it's a difference in the 
level of assurance available that the functionality will robustly 
continue to be what is desired and expected, under a wide range of 
conditions.

In short, a well-designed air gap device can provide higher assurance 
than is possible with an application proxy implemented in software on a 
general-purpose computer running a general-purpose OS.

Richard


Note* - A less theoretical, but equally real, benefit of the eGap 
device is in the level of validation which the device is capable of 
applying to application data.  The granularity is extremely high -- to 
the point of applying controls to the length or contents of responses 
to HTML forms (i.e. HTTP POST bodies), or to URLs, or to HTTP query 
strings, etc.  This is a level of granularity which to my knowledge is 
not equalled by any conventional application proxy.  This functionality 
COULD be duplicated by a conventional application proxy (although it 
hasn't been).  But such a proxy would still not have the enhanced 
assurance characteristics of the eGap device.

--
.
. Richard Reiner, Ph.D.
. FSC Internet Corp. / SecureXpert Labs
. The FSC Building, 188 Davenport Rd.,
. Toronto, Ontario, Canada  M5R 1J2
. +1 416 921 4280, Fax +1 416 966 2451
. rreiner () fscinternet com, rreiner () securexpert com
. www.fscinternet.com, www.securexpert.com


_______________________________________________
Firewall-wizards mailing list
Firewall-wizards () nfr net
http://www.nfr.net/mailman/listinfo/firewall-wizards

