Firewall Wizards mailing list archives
RE: Air gap technologies
From: Elad Baron <elad () whale-com com>
Date: Mon, 22 Jan 2001 13:36:13 -0500
First, being able to specify valid CGI input is a non-trivial task. If you understand it well enough to do it right at an intermediate device then you understand it well enough to make the CGI resistant to malicious input in the first place. The work is the same either way. Of course, if all you have is an executable from a third party and no source then it could be beneficial. But then you run such software at your own risk anyway.
First, there are some global patterns you never want the application/web server/app server to receive (e.g. $DATA, ../../, parameter called DEBUG, [TAB] inside the URL, etc.). Then there is the extra level of security when you allow ONLY what the application is expecting. This is not an easy task, and neither can (nor SHOULD) be fully automated. Whale has a tool that helps you to build this rule set by recording all legitimate input presented by your people and scripts during your QA sessions and compiling it into relevant rules. Obviously, you will still need to do some fine tuning, but this is much easier than trying to understand the application from scratch. BTW - if you can do a 100% job of input validation at the CGI itself, go for it. But in real life this is usually impossible. Elad Baron Whale Communications http://www.whalecommunications.com -----Original Message----- From: Paul Cardon [mailto:paul () moquijo com] Sent: Tuesday, January 16, 2001 2:17 PM To: Avi Rubin Cc: firewall-wizards () nfr com Subject: Re: [fw-wiz] Air gap technologies Avi Rubin wrote: [SNIP]
I was impressed with the GUI admin interface for defining what is and what is not legal input to a CGI script, dependent on the web page. Also, the internal server is not addressable from the outside, so it is harder for an attacker to exploit O/S bugs. This can all be done with other means, but the Air Gap makes it *easy*. This is important for security, because it makes the admins job easier, and thus they are more likely to get it right. On the internal side, the product does the usual content inspection and checking that any proxy firewall can do, and they are no less resistant to application level attacks than the next guy. However, to me it seems like a real added benefit is that only application level data can flow to the internal network. There is no direct TCP connection and no direct IP connectivity to the protected net. This eliminates all sorts of attacks. The external machine is totally untrusted, but attacks against it amount to denial of service, not compromise of any internal machines. Recovery is straightforward.
A good summary of the positive aspects of the product but they have all been acknowledged in previous threads.
In summary, I think that the air gap is a very useful platform for providing web service because it reduces the amount of effort and training needed to secure a site.
Well, I agree to a certain extent. There are two areas where it doesn't really reduce training or effort. First, being able to specify valid CGI input is a non-trivial task. If you understand it well enough to do it right at an intermediate device then you understand it well enough to make the CGI resistant to malicious input in the first place. The work is the same either way. Of course, if all you have is an executable from a third party and no source then it could be beneficial. But then you run such software at your own risk anyway. Second, an administrator still needs to ensure that known vulnerabilities in the HTTP server software itself are kept up with. In the case of IIS this still takes quite a bit of effort and the web server can still be easily compromised if the admin doesn't patch the server. The IIS unicode vulnerability when first released worked just fine through the AirGap products. Hopefully, they are using their content inspection capability to prevent it now, but the next time a similar problem is discovered there will be a window of opportunity where AirGap provides the same level of protection as any other firewall ... none. Administrators need to remember that and not get too comfortable. -paul _______________________________________________ firewall-wizards mailing list firewall-wizards () nfr com http://www.nfr.com/mailman/listinfo/firewall-wizards _______________________________________________ firewall-wizards mailing list firewall-wizards () nfr com http://www.nfr.com/mailman/listinfo/firewall-wizards
Current thread:
- Re: Air gap technologies, (continued)
- Re: Air gap technologies Frederick M Avolio (Jan 25)
- Re: Air gap technologies Crispin Cowan (Jan 25)
- Re: Air gap technologies Aleph One (Jan 24)
- Re: Air gap technologies Eilon Gishri (Jan 18)
- Re: Air gap technologies Aleph One (Jan 18)
- RE: Air gap technologies Frank Darden (Jan 18)
- RE: Air gap technologies LeGrow, Matt (Jan 18)
- Re: Air gap technologies Frederick M Avolio (Jan 19)
- Re: Air gap technologies Crispin Cowan (Jan 22)
- RE: Re: Air gap technologies rreiner (Jan 22)
- RE: Air gap technologies Elad Baron (Jan 24)
- Re: Air gap technologies Aleph One (Jan 25)
- RE: Air gap technologies Elad Baron (Jan 24)
- Re: Air gap technologies Eilon Gishri (Jan 24)
- RE: Air gap technologies Marcus J. Ranum (Jan 25)
- Re: Air gap technologies Aleph One (Jan 25)
- RE: Re: Air gap technologies Predrag Zivic (Jan 24)
- RE: Air gap technologies Bill Stout (Jan 25)
- RE: Air gap technologies Elad Baron (Jan 25)
- Re: Air gap technologies Avi Rubin (Jan 25)
- RE: Air gap technologies Frank Knobbe (Jan 25)