Firewall Wizards mailing list archives

Re: Re: AirGap's... one way protection


From: Joe Nall <joe () nall com>
Date: Thu, 19 Oct 2000 18:13:18 -0500

Frederick M Avolio wrote:

Agreed, but the number of applications that can live without
acknowledgment in transactions won't keep any large companies afloat.

Agreed, but the eGap is built to provide a proper response to the client
side, while keeping the two sides apart. There is never a time when both
sides are connected, and there is no network traffic across the device.
Recall, it uses a toggling memory device. Like the separation between you
and the person changing your currency on a street corner booth (well,
mostly outside of N. America) there is separation. The cash drawer is
either inside or outside, never both. (Okay, simple minded, but a decent
analogy.)
But you don't need a continuous network connection:
Step 1) Bad guy sends a HTTP request that includes a buffer overflow
        attack (or other application weakness exploitation) in the
        request data.
Step 2) e-Gap, or any other proxy will have to forward the request to
        a back-end server for processing because the proxy doesn't
        contain the data required to answer the request
Step 3) Server is now compromised until the next reboot. It could be
        rm -rf /'ing the disk before it responds.

The weakness is in the application and its lack of input validation in
many cases.  The proxy can attempt to validate data before hand-off, but
it can't catch everything without perfect knowledge.  e-Gap, web proxies
and application proxies can clean up most of the network level attacks -
but not the application level attacks that have become prevalent.
To summarize:
 *I like approaches that terminate the network connection before
  the web/mail server and reconstitute it cleanly to minimize
  attacks on weak server network stacks. e-Gap is one of several
  such approaches, plug-gw is another.
 *I like application proxies/firewalls that severely curtail
  access to the server and server access to the net.
  e-Gap is one of several.
 *But you have to validate application data on the way into
  the server and you have to architect the application in a fail
  safe manner.

No firewall, e-Gap or otherwise, can protect a lame application
adequately if it has to process data from the public.

joe
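The two-layer picture Joe draws above (a proxy that can only apply generic checks before hand-off, and an application that must validate its own data in a fail-safe way) as an added Python illustration. This is not code from the post, from e-Gap or from plug-gw; the size limits, the field names in SCHEMA and the sample requests are all constructed for the example.

```python
"""Two layers of input validation: generic checks at a proxy, then an
application-specific allow-list at the server.  Added illustration only;
the limits, schema and sample requests below are constructed."""
import json
import re
from typing import Tuple

# --- Layer 1: checks a proxy can apply without knowing the application ---
MAX_BODY = 4096        # assumed generic ceiling on request body size
MAX_FIELD_LEN = 256    # assumed generic ceiling on any single field
PRINTABLE = re.compile(r'^[\x20-\x7e]*$')   # printable ASCII only


def proxy_check(body: bytes) -> Tuple[bool, str]:
    """Application-agnostic sanity checks: size, character set, well-formed JSON,
    no absurdly long fields.  The proxy has no idea what the fields mean."""
    if len(body) > MAX_BODY:
        return False, "body too large"
    try:
        text = body.decode("ascii")
    except UnicodeDecodeError:
        return False, "non-ASCII bytes"
    if not PRINTABLE.match(text):
        return False, "control characters"
    try:
        fields = json.loads(text)
    except json.JSONDecodeError:
        return False, "not JSON"
    if not isinstance(fields, dict):
        return False, "not a JSON object"
    for key, value in fields.items():
        if len(key) > MAX_FIELD_LEN or len(str(value)) > MAX_FIELD_LEN:
            return False, "field %r too long" % key
    return True, "ok"


# --- Layer 2: what only the application knows (constructed schema) ---
SCHEMA = {
    "account": re.compile(r'^[0-9]{8}$'),   # exactly eight digits
    "amount": re.compile(r'^[0-9]{1,7}$'),  # one to seven digits
}


def server_validate(fields: dict) -> Tuple[bool, str]:
    """Fail-safe allow-list: exactly the expected fields, each in its exact
    format.  Anything else is rejected rather than passed on."""
    if set(fields) != set(SCHEMA):
        return False, "unexpected or missing fields"
    for name, pattern in SCHEMA.items():
        value = fields[name]
        if not isinstance(value, str) or not pattern.match(value):
            return False, "bad value for %s" % name
    return True, "ok"


def handle(body: bytes) -> str:
    """Run a request through the proxy layer, then the server layer."""
    ok, why = proxy_check(body)
    if not ok:
        return "rejected at proxy: " + why
    ok, why = server_validate(json.loads(body))
    if not ok:
        return "rejected at server: " + why
    return "accepted"


# Constructed sample requests.
GOOD = b'{"account": "12345678", "amount": "100"}'
OVERSIZED = b'{"x": "' + b'A' * 5000 + b'"}'                 # stopped by the proxy
LONG_FIELD = b'{"account": "' + b'9' * 300 + b'", "amount": "1"}'  # stopped by the proxy
EXTRA_FIELD = b'{"account": "12345678", "amount": "100", "role": "admin"}'  # only the server knows this is wrong

if __name__ == "__main__":
    for name, req in [("GOOD", GOOD), ("OVERSIZED", OVERSIZED),
                      ("LONG_FIELD", LONG_FIELD), ("EXTRA_FIELD", EXTRA_FIELD)]:
        print(name, "->", handle(req))
```

The EXTRA_FIELD request is the interesting one: it is small, printable, valid JSON with short fields, so the proxy has no generic grounds to drop it and forwards it. Only the server, which knows that exactly two fields are legitimate, can reject it. That is the "perfect knowledge" gap in the post, and the reason validation has to live in the application as well as in front of it.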

_______________________________________________
firewall-wizards mailing list
firewall-wizards () nfr com
http://www.nfr.com/mailman/listinfo/firewall-wizards