Firewall Wizards mailing list archives

RE: Air gap technologies

From: Elad Baron <elad () whale-com com>
Date: Mon, 22 Jan 2001 13:36:13 -0500

First, being able to specify valid CGI input is a non-trivial task.  If
you understand it well enough to do it right at an intermediate device
then you understand it well enough to make the CGI resistant to
malicious input in the first place.  The work is the same either way. 
Of course, if all you have is an executable from a third party and no
source then it could be beneficial.  But then you run such software at
your own risk anyway.


First, there are some global patterns you never want the
application/web server/app server to receive (e.g. $DATA, ../../,
parameter called DEBUG, [TAB] inside the URL, etc.).
Then there is the extra level of security when you allow ONLY what
the application is expecting. This is not an easy task, and neither
can (nor SHOULD) be fully automated. Whale  has a tool that helps you
to build this rule set by recording all legitimate input presented by
your people and scripts during your QA sessions and compiling it into
relevant rules. Obviously, you will still need to do some fine
tuning, but this is much easier than trying to understand the
application from scratch.

BTW - if you can do a 100% job of input validation at the CGI itself,
go for it.  But in real life this is usually impossible.

Elad Baron
Whale Communications
http://www.whalecommunications.com

-----Original Message-----
From: Paul Cardon [mailto:paul () moquijo com]
Sent: Tuesday, January 16, 2001 2:17 PM
To: Avi Rubin
Cc: firewall-wizards () nfr com
Subject: Re: [fw-wiz] Air gap technologies


Avi Rubin wrote:

[SNIP]

I was impressed with the GUI admin
interface for defining what is and what is not legal input to a CGI
script, dependent on the web page. Also, the internal server is not
addressable from the outside, so it is harder for an attacker to exploit
O/S bugs. This can all be done with other means, but the Air Gap makes
it *easy*. This is important for security, because it makes the admins
job easier, and thus they are more likely to get it right.

On the internal side, the product does the usual content inspection and
checking that any proxy firewall can do, and they are no less resistant
to application level attacks than the next guy. However, to me it seems
like a real added benefit is that only application level data can flow
to the internal network. There is no direct TCP connection and no direct
IP connectivity to the protected net. This eliminates all sorts of
attacks. The external machine is totally untrusted, but attacks against
it amount to denial of service, not compromise of any internal machines.
Recovery is straightforward.


A good summary of the positive aspects of the product but they have all
been acknowledged in previous threads.

In summary, I think that the air gap is a very useful platform for
providing web service because it reduces the amount of effort and
training needed to secure a site.


Well, I agree to a certain extent.  There are two areas where it doesn't
really reduce training or effort.

First, being able to specify valid CGI input is a non-trivial task.  If
you understand it well enough to do it right at an intermediate device
then you understand it well enough to make the CGI resistant to
malicious input in the first place.  The work is the same either way. 
Of course, if all you have is an executable from a third party and no
source then it could be beneficial.  But then you run such software at
your own risk anyway.

Second, an administrator still needs to ensure that known
vulnerabilities in the HTTP server software itself are kept up with.  In
the case of IIS this still takes quite a bit of effort and the web
server can still be easily compromised if the admin doesn't patch the
server.  The IIS unicode vulnerability when first released worked just
fine through the AirGap products.  Hopefully, they are using their
content inspection capability to prevent it now, but the next time a
similar problem is discovered there will be a window of opportunity
where AirGap provides the same level of protection as any other firewall
... none.  Administrators need to remember that and not get too
comfortable.

-paul
_______________________________________________
firewall-wizards mailing list
firewall-wizards () nfr com
http://www.nfr.com/mailman/listinfo/firewall-wizards
_______________________________________________
firewall-wizards mailing list
firewall-wizards () nfr com
http://www.nfr.com/mailman/listinfo/firewall-wizards

Current thread:

Re: Air gap technologies, (continued)
- - - Re: Air gap technologies Frederick M Avolio (Jan 25)
    - Re: Air gap technologies Crispin Cowan (Jan 25)
    - Re: Air gap technologies Aleph One (Jan 24)
  - Re: Air gap technologies Eilon Gishri (Jan 18)
  - Re: Air gap technologies Aleph One (Jan 18)
- RE: Air gap technologies Frank Darden (Jan 18)
- RE: Air gap technologies LeGrow, Matt (Jan 18)
- Re: Air gap technologies Frederick M Avolio (Jan 19)
  - Re: Air gap technologies Crispin Cowan (Jan 22)
- RE: Re: Air gap technologies rreiner (Jan 22)
- RE: Air gap technologies Elad Baron (Jan 24)
  - Re: Air gap technologies Aleph One (Jan 25)
- RE: Air gap technologies Elad Baron (Jan 24)
  - Re: Air gap technologies Eilon Gishri (Jan 24)
  - RE: Air gap technologies Marcus J. Ranum (Jan 25)
    - Re: Air gap technologies Aleph One (Jan 25)
- RE: Re: Air gap technologies Predrag Zivic (Jan 24)
- RE: Air gap technologies Bill Stout (Jan 25)
- RE: Air gap technologies Elad Baron (Jan 25)
  - Re: Air gap technologies Avi Rubin (Jan 25)
- RE: Air gap technologies Frank Knobbe (Jan 25)

(Thread continues...)