Firewall Wizards mailing list archives

RE: Air gap technologies


From: Elad Baron <elad () whale-com com>
Date: Thu, 25 Jan 2001 10:21:01 -0500



So how does it boot, then?

Any computer, to be useful, runs some kind of an operating system.
It may be a program you wrote, or it may be a program someone
else wrote, but if it walks like an operating system and quacks like
an operating system, then it's an operating system.

An operating system defines processes, and governs their activities
(privileges, scheduling, private address space, etc). It also provides
general services that help processes with communication issues,
synchronization, transparent hardware access, etc.

Like always, the more functionality you give and the wider the area you
cover - the more chances for security holes in the implementation.

The e-Gap appliance DOES NOT have an operating system.  It has only a
micro-controller (8051 compatible) which governs the SCSI controller (used
to implement the memory device). The assembly language code of that
micro-controller is in ROM and can not be changed by software.
Moreover, the logic that disconnects the SCSI wires (i.e., disconnects the
memory device from one side and connects it to the other) is implemented in
CPLDs (logic gate arrays), and is activating analog switches for the
disconnection of the wires.

Obviously, the appliance has no TCP/IP address nor stack. 

The benefit of the above is that even if someone exploited the external
server and is trying to tamper with the SCSI protocol (which was not designed
for security!), s/he will not be able to exploit any vulnerability in the
SCSI drivers of the internal e-Gap (if any exist), since s/he will be
talking to an unprogrammable "dumb" device. When the device is disconnected
from the outside and connected to the inside, it is being reset, and a ROM
version of the SCSI protocol is being used to talk to the Internal server.

Does that walk like Windows NT and quack like Unix?
 
 
  
_______________________________________________
firewall-wizards mailing list
firewall-wizards () nfr com
http://www.nfr.com/mailman/listinfo/firewall-wizards
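A small state-machine model of the switching discipline the post describes (memory device attached to at most one side at a time, volatile controller state reset on every switch, firmware fixed in ROM), written as an added example and not code from Whale or from the e-Gap itself; the command names, side names and session state are constructed stand-ins for the real SCSI traffic.

```python
"""Model of the e-Gap switching discipline (added example, not Whale's code).
The 'SCSI' commands below are a constructed, simplified stand-in."""

from dataclasses import dataclass, field

EXTERNAL, INTERNAL = "external", "internal"   # hypothetical side names


class AirGapViolation(Exception):
    """Raised when a side talks to a device whose wires are open to it."""


@dataclass
class MemoryDevice:
    # Firmware lives in ROM: a constant with no write path, by design.
    FIRMWARE = "rom-scsi-v1"                    # constructed label
    connected_to: str = EXTERNAL                # which side the switches select
    data: bytes = b""                           # the only thing crossing the gap
    session: dict = field(default_factory=dict)  # volatile controller state

    def command(self, side: str, op: str, payload: bytes = b"") -> bytes:
        """Handle a simplified command from `side`; only the connected side is heard."""
        if side != self.connected_to:
            raise AirGapViolation(f"{side} is not connected")
        if op == "WRITE":                       # store a block on the device
            self.data = payload
            return b"ok"
        if op == "READ":                        # fetch the stored block
            return self.data
        if op == "SET_STATE":                   # e.g. negotiated parameters
            self.session["mode"] = payload
            return b"ok"
        # Anything else (including attempts to reprogram the controller) is
        # simply not implemented by the ROM code, so nothing changes.
        return b"illegal request"

    def switch(self) -> None:
        """Flip the analog switches to the other side and reset the controller:
        data stays, but any session state the peer manipulated is discarded."""
        self.session = {}
        self.connected_to = INTERNAL if self.connected_to == EXTERNAL else EXTERNAL


def transfer_cycle(dev: MemoryDevice, payload: bytes) -> bytes:
    """One external->internal cycle: write outside, switch, read inside."""
    dev.command(EXTERNAL, "WRITE", payload)
    dev.command(EXTERNAL, "SET_STATE", b"tampered")  # attacker-influenced state
    dev.switch()
    assert dev.session == {}, "controller state must not survive the switch"
    return dev.command(INTERNAL, "READ")
```

The invariants the post relies on are the ones the model enforces: the disconnected side gets no response at all, the switch clears everything but the data block, and no command can alter the ROM firmware.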