Firewall Wizards mailing list archives
RE: Air gap technologies
From: "Robert Graham" <robert_david_graham () yahoo com>
Date: Mon, 22 Jan 2001 00:57:30 -0800
From: Crispin Cowan

I would really like to see a response from Frederick or Avi that addresses Matt LeGrow's question: what fundamental capabilities does the Whale "Air Gap" have that an application proxy does not? If such a qualitative difference can be defined and defended, then I'll buy the proposition that "air gap" is meaningful. If not, then this is a fancy word for "proxy", and the technical discussion should focus on "why my proxy is better than your proxy."
The two primary differences I read into it were:

1) If you break into the Internet side of the firewall, it is still virtually impossible to compromise the backside of the firewall (it is split into two separate machines that do not communicate together over TCP/IP).

2) By default, its HTTP proxy is a little more strict than your average HTTP proxy, and can therefore help against some data driven attacks.

Personally, I feel that the "Air Gap" is a bunch of hot air (Hot Air Gap). If you measure it as a black box, you see communication go through it. The description of how it stops/starts communication is exactly how you would describe any half-duplex channel. I can't see the difference between this "Air Gap" product and simply connecting two boxes together with unbound TCP/IP stacks using a raw Ethernet protocol (such as the SCSI-over-Ethernet standard :-).

Certainly, feature #1 is important. There are numerous ways of effecting the same change, such as jailed/VMed proxies. If you are dead set on splitting your firewall among two devices, then I would recommend using the custom protocol over raw Ethernet adapters (with unbound TCP/IP stacks). The advantage of that is you can put a Sniffer on the wire. While I'm not necessarily an Open Source proponent, I am a huge believer in getting visibility into the workings of a device.

Feature #2 is also important. Most firewall proxies are not ultra-paranoid. Your standard HTTP proxy does not provide much protection. Almost any HTTP proxy providing stricter controls would be an improvement. As I understand it, this "Air Gap" product provides some protection for data driven attacks by cleansing HTTP parameters and enforcing rules on subdirectories. Right now, we aren't seeing a lot of compromised firewalls, but we are seeing huge numbers of data driven attacks against webservers.

In any event, the Air Gap seems to be promising that it will once and for all protect your backend network from compromise. This is hogwash; as Lance points out, you must assume that the adversary will penetrate your networks completely and must protect the backend. The reason this is important is that nobody has infinite funds. You must choose your defenses wisely; a costly "Air Gap" compared to jailed proxy servers means you can't deploy as much protection on the backend.

In short, when I read the full description a few months ago, the stricter HTTP defaults seemed nice, but I could find absolutely no value in the "Air Gap" functionality. If someone could explain why it is superior to my raw Ethernet version described above, I'd like to hear it.

Robert Graham
CTO, Network ICE
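The "feature #2" that Graham concedes is worth having, a proxy that cleanses HTTP parameters and enforces rules on subdirectories, is concrete enough to show in code. The following is an added example written for this archive page, not code from Whale's product or from anyone in the thread. The path and parameter policy (`ALLOWED_PATHS`, `PARAM_RULES`), the function names, and the sample request lines are all constructed for illustration; a real deployment would derive them from the application actually being protected.

```python
"""Strict HTTP request filter: an added, illustrative example of the kind of
"stricter HTTP proxy" rules the post describes (cleansing parameters and
enforcing rules on subdirectories).  Policy, names and sample requests are
constructed for this example; none of it is any vendor's product code."""
import re
from urllib.parse import parse_qsl, unquote

ALLOWED_METHODS = {"GET", "HEAD"}
ALLOWED_VERSIONS = {"HTTP/1.0", "HTTP/1.1"}
MAX_REQUEST_LINE = 2048

# Hypothetical subdirectory policy: an entry ending in "/" admits the whole
# subtree, anything else must match exactly.  Everything not listed is denied.
ALLOWED_PATHS = ("/index.html", "/catalog/", "/cgi-bin/search")

# Hypothetical parameter policy: only these names, only these value shapes.
PARAM_RULES = {
    "q": re.compile(r"[A-Za-z0-9 _-]{1,64}"),
    "page": re.compile(r"[0-9]{1,4}"),
}


def normalize_path(path):
    """Collapse '.' and empty segments; refuse '..', control characters and
    non-absolute paths outright instead of trying to resolve them."""
    if not path.startswith("/"):
        return None
    if any(ord(c) < 0x21 or ord(c) == 0x7F for c in path):
        return None
    kept = []
    for seg in path.split("/")[1:]:
        if seg == "..":
            return None
        if seg in ("", "."):
            continue
        kept.append(seg)
    norm = "/" + "/".join(kept)
    if path.endswith("/") and norm != "/":
        norm += "/"
    return norm


def path_allowed(norm):
    return any(norm == p or (p.endswith("/") and norm.startswith(p))
               for p in ALLOWED_PATHS)


def cleanse_params(query):
    """Return a dict of validated parameters, or None if any parameter is
    unknown, malformed or repeated (a repeated name is a classic way to make
    the backend see a different value than the one the filter checked)."""
    params = {}
    for name, value in parse_qsl(query, keep_blank_values=True):
        rule = PARAM_RULES.get(name)
        if rule is None or name in params or not rule.fullmatch(value):
            return None
        params[name] = value
    return params


def check_request(request_line):
    """Decide one request line: ("allow", path, params) or ("deny", reason)."""
    if len(request_line) > MAX_REQUEST_LINE:
        return ("deny", "request line too long")
    parts = request_line.split(" ")
    if len(parts) != 3:
        return ("deny", "malformed request line")
    method, target, version = parts
    if method not in ALLOWED_METHODS:
        return ("deny", "method not allowed")
    if version not in ALLOWED_VERSIONS:
        return ("deny", "unsupported HTTP version")
    if "#" in target:
        return ("deny", "fragment in request target")
    raw_path, _, query = target.partition("?")
    path = unquote(raw_path)
    if "%" in path:
        # a '%' surviving one decode means double encoding (e.g. %252e)
        return ("deny", "double-encoded path")
    norm = normalize_path(path)
    if norm is None:
        return ("deny", "traversal or control character in path")
    if not path_allowed(norm):
        return ("deny", "path outside permitted subdirectories")
    params = cleanse_params(query)
    if params is None:
        return ("deny", "parameter failed cleansing")
    return ("allow", norm, params)


if __name__ == "__main__":
    # Constructed sample request lines, as the proxy would see them.
    for line in (
        "GET /catalog/widgets.html?q=blue%20widget&page=2 HTTP/1.1",
        "GET /catalog/../etc/passwd HTTP/1.0",
        "GET /catalog/%252e%252e/etc/passwd HTTP/1.1",
        "GET /cgi-bin/search?q=<script>alert(1)</script> HTTP/1.1",
        "GET /cgi-bin/search?q=a&q=b HTTP/1.1",
        "POST /cgi-bin/search HTTP/1.1",
    ):
        print(check_request(line))
```

The design choice worth noting is that the filter never tries to "fix" a suspicious request: a `..` segment, a second layer of percent-encoding, an unknown parameter or a repeated one all end in a deny rather than a rewrite, because any rewriting rule is a place where the proxy and the backend can disagree about what the request means. That is also the limit of the approach the post points at: this only covers data-driven attacks in the request the proxy can parse, and does nothing for a backend that is reachable some other way.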
Current thread:
- Air gap technologies Avi Rubin (Jan 16)
- Re: Air gap technologies Paul Cardon (Jan 18)
- <Possible follow-ups>
- RE: Air gap technologies Stiennon,Richard (Jan 16)
- Re: Air gap technologies Crispin Cowan (Jan 18)
- Re: Air gap technologies Frederick M Avolio (Jan 19)
- Re: Air gap technologies Crispin Cowan (Jan 19)
- Re: Air gap technologies Avi Rubin (Jan 19)
- RE: Air gap technologies Robert Graham (Jan 22)
- What is a proxy? Robert Graham (Jan 24)
- RE: What is a proxy? Andreas Haug (Jan 25)
- Re: What is a proxy? Gary Flynn (Jan 25)
- Re: Air gap technologies Crispin Cowan (Jan 24)
- Message not available
- Re: What is a proxy? Marcus J. Ranum (Jan 25)
- Re: Air gap technologies Crispin Cowan (Jan 18)
- Message not available
- pcanywhere encryption hermit1 (Jan 26)
- Re: pcanywhere encryption Crist Clark (Jan 29)
- Re: pcanywhere encryption Randy Witlicki (Jan 29)
- Re: pcanywhere encryption Adam Shostack (Jan 29)
- Re: Air gap technologies Aleph One (Jan 24)