Firewall Wizards mailing list archives

RE: Re: Air Gaps vs. Firewalls


From: Rick Smith <rick_smith () securecomputing com>
Date: Wed, 04 Oct 2000 09:57:11 -0500

At 08:32 AM 10/4/00, Frederick M Avolio wrote:

> I think this is the main point, though. Simply put, is there a place for a device that enforces a provable disconnect between two networks (say the Internet and the network containing a corporation's most precious assets)?

Absolutely. I liked the air-gap article in Information Security Magazine, which did a reasonable job of covering the topic. I'm just a little short-tempered when a real-time continuous data link *without* any physical disconnect is called an "air gap." There ought to be a genuine physical "gap" somewhere instead of just electron flux in a bunch of switching transistors. But I'm just old-fashioned, or a technical nitpicker, or paranoid, or something.

Done correctly, something like e-gap or mandatory access control can provide a "sally port" or "man trap" for data to give the system an opportunity to interrupt its flow. That interruption provides a perfect opportunity for security screening. It's just that I don't think such screening is the same as an "air gap." Strictly speaking, I think the e-gap sounds like as promising a technology as anything I've heard of. I'm skeptical about its commercial prospects, though, since oddball products don't tend to get past the small "paranoids" market and into the mainstream.

Disclosure: I work for the manufacturer of Sidewinder, and have had lots to do with it over the years. Sidewinder relies on mandatory access control.

Rick.
smith () securecomputing com


_______________________________________________
Firewall-wizards mailing list
Firewall-wizards () nfr net
http://www.nfr.net/mailman/listinfo/firewall-wizards

