Firewall Wizards mailing list archives
Re: Air gap technologies
From: Aleph One <aleph1 () underground org>
Date: Tue, 23 Jan 2001 12:22:48 -0800
On Tue, Jan 23, 2001 at 01:58:56PM -0500, Frederick M Avolio wrote:
> At 03:28 PM 1/22/01 -0800, Aleph One wrote:
> > They are functionally identical to systems implemented without an "air gap". A better name would be something along the lines of a "dual-host proxies" or a "peephole proxies".
>
> And, I think, this is why communication like this is sometimes very difficult. I refer to the mailing list, not an air gap. *OF COURSE* it is functionally equivalent. The question is always HOW that function is achieved. That is fundamental to any discussion like this. A stateful inspection firewall is functionally equivalent to a proxy-based firewall. How they achieve security is exactly the important difference.

It was an error on my part to use the term 'functionally identical'. You are correct that these new devices are functionally equivalent to proxy-based firewalls, and this is why they should be considered as part of the application proxy product space.

What I should have said is that these dual-host systems implemented with a physical air gap and dual-host systems implemented via some other type of point-to-point connection (such as a serial cable) have the same exact security properties. In particular the property that the internal host and network not be compromised if the external host is compromised.

So again, since the system with the physical air gap provides the same security properties that the other dual-host proxies provide I am inclined to conclude that the addition of a physical gap to the system was done for reasons other than security. That the physical gap was added for the express marketing purpose of having an excuse to call the system an 'air gap' and associate the well known security properties of an 'air gap' with the product whether or not the product truly has them.

As an intelligent consumer of security products I am more likely to purchase a product from a vendor that does not use such gimmicks from among a set of equivalent products, and I would encourage others to do likewise.

> Fred Avolio Consulting, Inc.
> 16228 Frederick Road, PO Box 609, Lisbon, MD 21765, US
> +1 410-309-6910 (voice) +1 410-309-6911 (fax)
> http://www.avolio.com/

--
Aleph One / aleph1 () underground org
http://underground.org/
KeyID 1024/948FD6B5
Fingerprint EE C9 E8 AA CB AF 09 61 8C 39 EA 47 A8 6A B8 01
_______________________________________________
firewall-wizards mailing list
firewall-wizards () nfr com
http://www.nfr.com/mailman/listinfo/firewall-wizards