Firewall Wizards mailing list archives
RE: Air gap technologies
From: Elad Baron <elad () whale-com com>
Date: Mon, 22 Jan 2001 12:44:42 -0500
> By the way these black boxes are still running an OS (for example, MS-based) which can be directly attacked even before we proceed to examine the ability to use content attacks.

We do not run any OS on the e-Gap appliance which is used to separate the external e-Gap server from the internal e-Gap server (the entire e-Gap system is comprised of 2 servers, software, and the appliance in between).

-----Original Message-----
From: Eilon Gishri [mailto:eilon () aristo tau ac il]
Sent: Tuesday, January 16, 2001 3:58 PM
To: Stiennon,Richard
Cc: 'Avi Rubin'; firewall-wizards () nfr com
Subject: Re: [fw-wiz] Air gap technologies

On Tue, Jan 16, 2001 at 01:59:35PM -0500, Stiennon,Richard wrote:
I agree with your analysis Avi. Whale is a strong application firewall with granular control over what gets through. The physical air-gap stuff is not as important as the GUI implementation they have developed.
Are there any more products in that area aside from Spearhead? By the way, these black boxes are still running an OS (for example, MS-based) which can be directly attacked even before we proceed to examine the ability to use content attacks.
-----Original Message-----
From: Avi Rubin [mailto:rubin () research att com]
Sent: Tuesday, January 16, 2001 11:12 AM
To: firewall-wizards () nfr com
Subject: [fw-wiz] Air gap technologies

I had a chance to visit Whale technologies last week. I got a full explanation of the air gap technology and a demo. They referred me to a discussion on this list that took place last September: http://www.nfr.com/pipermail/firewall-wizards/2000-September/subject.html

The following comments are as a totally objective observer; I have absolutely no stake in Whale or their products.

In fairness to Whale, I think that some of the criticism of the air gap is misdirected. My observation is that the "marketing message" of the product triggered many of the comments on this list. The actual underlying technology is pretty interesting, and I think there is some value there. The main problem is that everybody focuses on the physical switch that shuttles data back and forth, instead of on what the overall product has to offer. Given the Whale web site, and marketing material, I did the same thing before my visit, and my first question was, "How is this different from an Ethernet wire?" The answer, that "nobody knows how secure the Ethernet protocol is", hardly seems to justify the effort. However, when I looked under the covers, I discovered that there is a lot that this product offers, even if you take away the SCSI switch and replace it with a wire.

The main weaknesses in most web sites are misconfiguration of the O/S and the server, CGI scripts with unchecked input, and bad administration in general. The air gap (here I'm referring to the internal and external servers, regardless of how they communicate) server separation forces an administrator to separate security from functionality. I was impressed with the GUI admin interface for defining what is and what is not legal input to a CGI script, dependent on the web page.

Also, the internal server is not addressable from the outside, so it is harder for an attacker to exploit O/S bugs. This can all be done with other means, but the Air Gap makes it *easy*. This is important for security, because it makes the admin's job easier, and thus they are more likely to get it right.

On the internal side, the product does the usual content inspection and checking that any proxy firewall can do, and they are no less resistant to application level attacks than the next guy. However, to me it seems like a real added benefit is that only application level data can flow to the internal network. There is no direct TCP connection and no direct IP connectivity to the protected net. This eliminates all sorts of attacks. The external machine is totally untrusted, but attacks against it amount to denial of service, not compromise of any internal machines. Recovery is straightforward.

In summary, I think that the air gap is a very useful platform for providing web service because it reduces the amount of effort and training needed to secure a site. I think that Whale would have much more credibility if they published the technical details of their product in a refereed computer security conference, such as USENIX security or ISOC NDSS. I will recommend that they do so, so that the technical people can see what is really there, and are not limited to commenting on the marketing message, which is intended for customers, and thus has to have its "spin".
--
Eilon Gishri
eilon () aristo tau ac il
Security Consultant
Mobile: +972-54-303595

_______________________________________________
firewall-wizards mailing list
firewall-wizards () nfr com
http://www.nfr.com/mailman/listinfo/firewall-wizards
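Added illustration, not part of this thread and not Whale's code: a small Python model of the property Avi describes above, in which the external side terminates the TCP connection, parses the HTTP request into fields, checks those fields against a per-page whitelist of legal CGI input, and hands only that serialized structure to the internal side, which re-validates it because the external server is untrusted. The policy table, the sample requests and every function name here are constructed for the example; the real product's policy format and transport are not described on this page.

```python
"""Model of an application-level relay where only parsed, validated request
fields cross from the external (untrusted) side to the internal side."""
import json
import re
from dataclasses import dataclass
from urllib.parse import parse_qsl, urlsplit

# Constructed per-page policy (an assumption for this example): each CGI path
# lists the parameters it accepts and the regex each value must fully match.
# Anything not listed is rejected.
POLICY = {
    "/cgi-bin/search": {"q": r"[A-Za-z0-9 ]{1,64}", "page": r"[0-9]{1,3}"},
    "/cgi-bin/login": {"user": r"[a-z0-9_]{1,32}", "pw": r"[\x21-\x7e]{1,64}"},
}
ALLOWED_METHODS = {"GET", "POST"}


class Rejected(Exception):
    """Raised for any request the policy does not explicitly allow."""


@dataclass(frozen=True)
class ShuttleMessage:
    """The only thing that reaches the internal side: parsed fields, not bytes."""
    method: str
    path: str
    params: dict


def validate(method, path, pairs):
    """Whitelist check shared by both sides. `pairs` is a list of (name, value)."""
    if method not in ALLOWED_METHODS:
        raise Rejected("method not allowed: %r" % method)
    rules = POLICY.get(path)
    if rules is None:
        raise Rejected("unknown page: %r" % path)
    clean = {}
    for name, value in pairs:
        pattern = rules.get(name)
        if pattern is None:
            raise Rejected("parameter %r not allowed for %s" % (name, path))
        if name in clean:
            raise Rejected("duplicate parameter %r" % name)  # no parameter pollution
        if not re.fullmatch(pattern, value):
            raise Rejected("bad value for %r: %r" % (name, value))
        clean[name] = value
    return ShuttleMessage(method, path, clean)


def external_side(raw):
    """Untrusted side: the TCP connection ends here. Parse the raw request,
    validate it, and emit a serialized structure for the internal side."""
    head, _, body = raw.partition(b"\r\n\r\n")
    request_line = head.split(b"\r\n", 1)[0].decode("latin-1")
    try:
        method, target, _version = request_line.split(" ")
    except ValueError:
        raise Rejected("malformed request line")
    parts = urlsplit(target)
    pairs = parse_qsl(parts.query, keep_blank_values=True)
    if method == "POST":
        pairs += parse_qsl(body.decode("latin-1"), keep_blank_values=True)
    msg = validate(method, parts.path, pairs)
    return json.dumps({"method": msg.method, "path": msg.path, "params": msg.params}).encode()


def internal_side(blob):
    """Trusted side: accepts only the serialized structure and re-validates it,
    since a compromised external server could forge anything it likes."""
    try:
        doc = json.loads(blob)
    except ValueError:
        raise Rejected("not a shuttle message")
    well_formed = (
        isinstance(doc, dict) and set(doc) == {"method", "path", "params"}
        and isinstance(doc["method"], str) and isinstance(doc["path"], str)
        and isinstance(doc["params"], dict)
        and all(isinstance(k, str) and isinstance(v, str) for k, v in doc["params"].items())
    )
    if not well_formed:
        raise Rejected("malformed shuttle message")
    return validate(doc["method"], doc["path"], list(doc["params"].items()))


def shuttle(raw):
    """Run a raw request through both sides: (True, ShuttleMessage) or (False, reason)."""
    try:
        return True, internal_side(external_side(raw))
    except Rejected as exc:
        return False, str(exc)


def internal_accepts(blob):
    """True if the internal side would accept a serialized message as-is."""
    try:
        internal_side(blob)
        return True
    except Rejected:
        return False


# Constructed sample requests, not captured traffic.
SAMPLES = {
    "ok": b"GET /cgi-bin/search?q=air+gap&page=2 HTTP/1.1\r\nHost: www\r\n\r\n",
    "sqli": b"GET /cgi-bin/search?q=%27%3B+DROP+TABLE+users-- HTTP/1.1\r\nHost: www\r\n\r\n",
    "traversal": b"GET /cgi-bin/../../../bin/sh HTTP/1.1\r\nHost: www\r\n\r\n",
    "extra_param": b"POST /cgi-bin/login HTTP/1.1\r\nHost: www\r\n\r\nuser=bob&pw=secret&debug=1",
    "method": b"TRACE /cgi-bin/search?q=x HTTP/1.1\r\nHost: www\r\n\r\n",
}

if __name__ == "__main__":
    for name, raw in SAMPLES.items():
        print(name, shuttle(raw))
```

The point of the two-sided check is the one Avi makes about the external machine being "totally untrusted": if it is compromised, the worst it can do is stop forwarding (denial of service) or forge a shuttle message, and a forged message is still held to the same per-page whitelist on the internal side. Nothing resembling a socket, a raw header block or an unlisted parameter ever reaches the protected network.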
Current thread:
- Re: Air gap technologies, (continued)
- Re: Air gap technologies Aleph One (Jan 24)
- Re: Air gap technologies Eilon Gishri (Jan 18)
- Re: Air gap technologies Aleph One (Jan 18)
- RE: Air gap technologies Frank Darden (Jan 18)
- RE: Air gap technologies LeGrow, Matt (Jan 18)
- Re: Air gap technologies Frederick M Avolio (Jan 19)
- Re: Air gap technologies Crispin Cowan (Jan 22)
- RE: Re: Air gap technologies rreiner (Jan 22)
- RE: Air gap technologies Elad Baron (Jan 24)
- Re: Air gap technologies Aleph One (Jan 25)
- RE: Air gap technologies Elad Baron (Jan 24)
- Re: Air gap technologies Eilon Gishri (Jan 24)
- RE: Air gap technologies Marcus J. Ranum (Jan 25)
- Re: Air gap technologies Aleph One (Jan 25)
- RE: Re: Air gap technologies Predrag Zivic (Jan 24)
- RE: Air gap technologies Bill Stout (Jan 25)
- RE: Air gap technologies Elad Baron (Jan 25)
- Re: Air gap technologies Avi Rubin (Jan 25)
- RE: Air gap technologies Frank Knobbe (Jan 25)
- RE: Air gap technologies daN. (Jan 25)
- RE: Air gap technologies Elad Baron (Jan 25)
(Thread continues...)