Firewall Wizards mailing list archives

Re: More Air Gap marketing hype


From: Roger Marquis <marquis () roble com>
Date: Mon, 2 Oct 2000 19:07:15 -0700 (PDT)

Richard Reiner, Ph.D <rreiner () fscinternet com> wrote:
> The point is that any traditional application proxy firewall,
> architected as software running atop a general-purpose operating
> system, has failure modes in which L2 or L3 isolation fails and the
> device passes L2 or L3 traffic, effectively becoming a bridge or a
> router

Neither, by the same token, is a well configured Unix firewall at risk
of becoming a bridge or router.  This is a red herring.

There are also many firewalls based on closed or otherwise
non-general-purpose operating systems.  This is another red herring.

> That's not a difference in functionality, it's a difference in the
> level of assurance available that the functionality

Not really, not at least when you compare apples with apples.  I can
build a FreeBSD-based, one-way, ftp-only firewall that's at least as
secure and probably more robust than the eGap or any other firewall
being mislabeled as "air-gap".

> In short, a well-designed air gap device can provide higher assurance
> than is possible with an application proxy implemented in software on a
> general-purpose computer running a general-purpose OS.

Sure, but then apples never claimed to be more robust than oranges.

IMHO
--
Roger Marquis
Roble Systems Consulting
http://www.roble.com/


_______________________________________________
Firewall-wizards mailing list
Firewall-wizards () nfr net
http://www.nfr.net/mailman/listinfo/firewall-wizards

