Firewall Wizards mailing list archives

RE: Re: Air Gaps vs. Firewalls


From: <rreiner () fscinternet com>
Date: Sun, 1 Oct 2000 15:57:29 -0400

mikael.olsson () enternet se wrote:

A lot has been said about the "unparalleled
granularity" of these boxes. To those of you who argue
for its benefits, I feel I'll have to ask "just how
granular is it?". Will the URL shuttle, for instance, 
protect me against the mistakes of the average 
ASP/perl/php consultant, who fails to scrub queries 
passed to database engines? Without me having to work
just as hard with the application layer filters as the
consultant had to do to get those scripts working
in the first place?

Yep.  You can configure an eGap to limit the length, or the contents 
(via full regex matching) of an URL, any query-string data (e.g. from 
HTTP GET), and any field in an HTTP POST body (i.e. the user-supplied 
data filled into an HTML form).  You can't do that with other, simpler, 
HTTP proxies.  And the eGap box makes it pretty easy.  Certainly much 
easier than hand-crafting validation logic in ASP/PHP/Perl/whatever.

Since the typical ASP-coder errors are things like improper validation 
of forms data, with consequences such as allowing user-crafted SQL 
queries to execute, an eGap admin can work from the same spec as the 
developers and provide independent validation of user-entered data, and 
thereby enforce a nicely localized set of controls wrapped around the 
application code.

If the developers make some effort to validate properly too, that's all 
the better... but you no longer have to rely on their code (all too 
often written under time pressure and not properly reviewed) as your 
sole layer of defence.

Sounds like a good thing to me...

Richard

--
.
. Richard Reiner, Ph.D.
. FSC Internet Corp. / SecureXpert Labs
. The FSC Building, 188 Davenport Rd.,
. Toronto, Ontario, Canada  M5R 1J2
. +1 416 921 4280, Fax +1 416 966 2451
. rreiner () fscinternet com, rreiner () securexpert com
. www.fscinternet.com, www.securexpert.com
.
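As an added illustration of the per-field controls the message describes (example code written for this archive page, not code from the message or from the eGap product), here is a small allow-list validator that applies a hypothetical spec of length and regex rules to the URL path, the query string and the POST form fields, and rejects any field the spec does not name. The spec, field names and sample requests are constructed for the example.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Hypothetical allow-list spec for one form handler, constructed for this example.
# Each entry gives a maximum length and a full-match regex, mirroring the per-URL,
# per-query-string and per-POST-field limits described in the message.
SPEC = {
    "path": {"max_len": 64, "pattern": r"/app/(search|login)\.asp"},
    "query": {"id": {"max_len": 8, "pattern": r"[0-9]+"}},
    "post": {
        "user": {"max_len": 32, "pattern": r"[A-Za-z0-9_.-]+"},
        "pass": {"max_len": 64, "pattern": r"[^\x00-\x1f]+"},  # any printable text
    },
}

def _check_field(name, value, rule):
    """Return None if value satisfies rule, else a short reason string."""
    if len(value) > rule["max_len"]:
        return f"{name}: length {len(value)} exceeds {rule['max_len']}"
    if not re.fullmatch(rule["pattern"], value):
        return f"{name}: value does not match allowed pattern"
    return None

def _check_fields(section, pairs, rules):
    """Validate every name/value pair; fields absent from the spec are rejected."""
    for name, values in pairs.items():
        if name not in rules:
            return f"{section}.{name}: field not in spec"
        for value in values:
            reason = _check_field(f"{section}.{name}", value, rules[name])
            if reason:
                return reason
    return None

def validate_request(url, post_body=""):
    """Check one request against SPEC; returns (allowed, reason)."""
    parts = urlsplit(url)
    reason = _check_field("path", parts.path, SPEC["path"])
    if reason is None:
        query = parse_qs(parts.query, keep_blank_values=True)
        reason = _check_fields("query", query, SPEC["query"])
    if reason is None and post_body:
        form = parse_qs(post_body, keep_blank_values=True)
        reason = _check_fields("post", form, SPEC["post"])
    return (reason is None, reason or "ok")

if __name__ == "__main__":
    print(validate_request("/app/search.asp?id=42"))
    print(validate_request("/app/search.asp?id=42%27"))  # stray quote in a numeric field
    print(validate_request("/app/login.asp", "user=alice&extra=1"))
```

The checks run before the application sees the request, so they hold regardless of how carefully the script behind /app/search.asp validates its own input.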


_______________________________________________
Firewall-wizards mailing list
Firewall-wizards () nfr net
http://www.nfr.net/mailman/listinfo/firewall-wizards