Firewall Wizards mailing list archives

RE: Air gap technologies


From: "Robert Graham" <robert_david_graham () yahoo com>
Date: Mon, 22 Jan 2001 00:57:30 -0800

From: Crispin Cowan
I would really like to see a response from Frederick or Avi that addresses Matt
LeGrow's question: what fundamental capabilities does the Whale "Air Gap" have
that an application proxy does not? If such a qualitative difference can be
defined and defended, then I'll buy the proposition that "air gap" is meaningful.
If not, then this is a fancy word for "proxy", and the technical discussion should
focus on "why my proxy is better than your proxy."

The two primary differences I read into it were:
1) If you break into the Internet side of the firewall, it is still
virtually impossible to compromise the backside of the firewall (it is split
into two separate machines that do not communicate together over TCP/IP).
2) By default, its HTTP proxy is a little more strict than your average HTTP
proxy, and can therefore help against some data driven attacks.

Personally, I feel that the "Air Gap" is a bunch of hot air (Hot Air Gap).
If you measure it as a black box, you see communication go through it. The
description of how it stops/starts communication is exactly how you would
describe any half-duplex channel. I can't see the difference between this
"Air Gap" product and simply connecting two boxes together with unbound
TCP/IP stacks using a raw Ethernet protocol (such as the SCSI-over-Ethernet
standard :-).

Certainly, feature #1 is important. There are numerous ways of effecting the
same change, such as jailed/VMed proxies. If you are dead set on splitting
your firewall among two devices, then I would recommend using the custom
protocol over raw Ethernet adapters (with unbound TCP/IP stacks). The
advantage of that is you can put a Sniffer on the wire. While I'm not
necessarily an Open Source proponent, I am a huge believer in getting
visibility into the working of a device.

Feature #2 is also important. Most firewall proxies are not ultra-paranoid.
Your standard HTTP proxy does not provide much protection. Almost any HTTP
proxy providing stricter controls would be an improvement. As I understand
it, this "Air Gap" product provides some protection for data driven attacks
by cleansing HTTP parameters and enforcing rules on subdirectories. Right
now, we aren't seeing a lot of compromised firewalls but we are seeing huge
numbers of data driven attacks against webservers.

In any event, the Air Gap seems to be promising that it will once and for
all protect your backend network from compromise. This is hogwash; as Lance
points out, you must assume that the adversary will penetrate your networks
completely and must protect the backend. The reason this is important is
that nobody has infinite funds. You must choose your defenses wisely; a
costly "Air Gap" compared to jailed proxy servers means you can't deploy as
much protection on the backend.

In short, when I read the full description a few months ago, the stricter
HTTP defaults seemed nice but I could find absolutely no value in the "Air
Gap" functionality. If someone could explain why it is superior to my raw
Ethernet version described above, I'd like to hear it.

Robert Graham
CTO, Network ICE
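The message above credits the product's stricter HTTP defaults with "cleansing HTTP parameters and enforcing rules on subdirectories". The following is an added example, not code from the original post and not Whale's (or Network ICE's) code: a deny-by-default HTTP request filter of the kind a paranoid proxy could apply before forwarding anything to the web server. The policy table, the request-line checks and the sample requests are all constructed for this illustration; the rules are hypothetical and would be written per application.

```python
import re
from urllib.parse import urlsplit, parse_qsl, unquote

# Hypothetical allowlist policy, constructed for this example: which
# subdirectories may be reached, which query parameters each accepts, and the
# exact shape each value must have. Anything not listed here is refused.
POLICY = {
    "/catalog/": {
        "item": re.compile(r"[0-9]{1,8}"),
        "q":    re.compile(r"[A-Za-z0-9 ]{1,40}"),
    },
    "/account/": {
        "user": re.compile(r"[a-z][a-z0-9_]{2,15}"),
    },
}
ALLOWED_METHODS = {"GET", "HEAD"}
MAX_REQUEST_LINE = 2048
SAFE_PATH = re.compile(r"[A-Za-z0-9/_.\-]*")  # checked after one %-decode


def check_request(request_line: str):
    """Decide whether one HTTP request line may be forwarded.

    Returns (True, "ok") or (False, reason). The filter denies by default:
    a request passes only if every part of it matches the policy.
    """
    if len(request_line) > MAX_REQUEST_LINE:
        return False, "request line too long"
    parts = request_line.split(" ")
    if len(parts) != 3 or not parts[2].startswith("HTTP/1."):
        return False, "malformed request line"
    method, target, _version = parts
    if method not in ALLOWED_METHODS:
        return False, f"method {method} not allowed"

    url = urlsplit(target)
    if url.scheme or url.netloc or url.fragment:
        return False, "absolute URL or fragment in request target"

    # Decode exactly once, then refuse anything still encoded or unusual,
    # so double-encoded traversal (%252e%252e) never reaches the server.
    path = unquote(url.path)
    if not SAFE_PATH.fullmatch(path):
        return False, "path contains disallowed characters"
    if ".." in path.split("/"):
        return False, "path traversal attempt"

    # Longest matching subdirectory rule wins; no rule means no access.
    prefixes = [p for p in POLICY if path.startswith(p)]
    if not prefixes:
        return False, "no rule for this subdirectory"
    rules = POLICY[max(prefixes, key=len)]

    # Every parameter must be named in the rule, appear once, and match
    # its value pattern in full (fullmatch, so no trailing junk slips by).
    seen = set()
    for name, value in parse_qsl(url.query, keep_blank_values=True):
        if name not in rules:
            return False, f"unexpected parameter {name!r}"
        if name in seen:
            return False, f"duplicate parameter {name!r}"
        seen.add(name)
        if not rules[name].fullmatch(value):
            return False, f"bad value for parameter {name!r}"
    return True, "ok"


# Constructed sample requests: the first should pass, the rest be refused.
SAMPLES = [
    "GET /catalog/list?item=42&q=blue+widget HTTP/1.1",
    "GET /catalog/../admin/ HTTP/1.1",
    "GET /catalog/list?item=42'+OR+1=1-- HTTP/1.1",
    "GET /account/?user=bob&debug=1 HTTP/1.1",
    "GET /catalog/%252e%252e/etc/passwd HTTP/1.1",
    "POST /catalog/list HTTP/1.1",
    "GET /admin/ HTTP/1.1",
    "GET /catalog/list?item=1&item=2 HTTP/1.1",
]

if __name__ == "__main__":
    for line in SAMPLES:
        print(check_request(line), line)
```

The point of the example is the "data driven attack" case the message raises: none of the refused requests exploits the proxy itself, yet each would be passed untouched by an ordinary forwarding proxy and left for the web server to get wrong. The cost is that the policy must be maintained alongside the application, which is the same trade-off any strict application proxy imposes.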




_______________________________________________
firewall-wizards mailing list
firewall-wizards () nfr com
http://www.nfr.com/mailman/listinfo/firewall-wizards

