Firewall Wizards mailing list archives

Re: Air Gap vs. firewall


From: "Steven M. Bellovin" <smb () research att com>
Date: Fri, 22 Sep 2000 21:02:34 -0400

In message <4.3.1.2.20000922200440.00a84800@localhost>, "Marcus J. Ranum" writes:

"A firewall is the logical disconnection of two physically connected
networks, while a gap is a physical disconnection of two logically connected
networks."

If you can surf the web or get E-mail through it, it's a firewall.

There've been a number of firewalls billed as "air gap" that are
actually involved proxies in which traffic is gatewayed over
some means other than a network (e.g.: a private bus) and/or
packets (e.g.: some kind of de-encapsulation re-encapsulation)
but the bottom line is that if you can surf the web through it,
or get E-mail you're probably not much more secure than with a
conventional firewall.

Not "much" more secure?  With any sort of reasonable firewall (and, of 
course, policy), your Web browser and your mailer run neck-and-neck for 
which is the biggest security hole.  Melissa, who loves you, votes for 
the mailer, but the plethora of Javascript holes in "typical" clients 
tilts the scale back towards the Web browser.

                --Steve Bellovin


