Firewall Wizards mailing list archives

Re: Air gap technologies


From: Aleph One <aleph1 () underground org>
Date: Tue, 23 Jan 2001 12:22:48 -0800

On Tue, Jan 23, 2001 at 01:58:56PM -0500, Frederick M Avolio wrote:
> At 03:28 PM 1/22/01 -0800, Aleph One wrote:
> > They are functionally identical to systems implemented without an "air gap".
> > A better name would be something along the lines of a "dual-host
> > proxy" or a "peephole proxy".
>
> And, I think, this is why communication like this is sometimes very
> difficult. I refer to the mailing list, not an air gap. *OF COURSE* it is
> functionally equivalent. The question is always HOW that function is achieved.
>
> That is fundamental to any discussion like this. A stateful inspection
> firewall is functionally equivalent to a proxy-based firewall. How they
> achieve security is exactly the important difference.

It was an error on my part to use the term 'functionally identical'. You
are correct that these new devices are functionally equivalent to proxy-based
firewalls, and this is why they should be considered as part of the 
application proxy product space.

What I should have said is that these dual-host systems implemented with a 
physical air gap and dual-host systems implemented via some other type
of point-to-point connection (such as a serial cable) have the same exact
security properties. In particular the property that the internal host
and network not be compromised if the external host is compromised.

So again, since the system with the physical air gap provides the same
security properties that the other dual-host proxies provide I am inclined
to conclude that the addition of a physical gap to the system was done
for reasons other than security. That the physical gap was added for
the express marketing purpose of having an excuse to call the system
an 'air gap' and associate the well known security properties of an
'air gap' with the product whether or not the product truly has them.

As an intelligent consumer of security products I am more likely to
purchase a product from a vendor that does not use such gimmicks
from among a set of equivalent products, and I would encourage others
to do likewise.

> Fred
> Avolio Consulting, Inc.
> 16228 Frederick Road, PO Box 609, Lisbon, MD 21765, US
> +1 410-309-6910 (voice)       +1 410-309-6911 (fax)
> http://www.avolio.com/


-- 
Aleph One / aleph1 () underground org
http://underground.org/
KeyID 1024/948FD6B5 
Fingerprint EE C9 E8 AA CB AF 09 61  8C 39 EA 47 A8 6A B8 01 
_______________________________________________
firewall-wizards mailing list
firewall-wizards () nfr com
http://www.nfr.com/mailman/listinfo/firewall-wizards