Firewall Wizards mailing list archives
RE: Air gap technologies
From: Frank Knobbe <FKnobbe () KnobbeITS com>
Date: Wed, 24 Jan 2001 23:31:07 -0600
Okay, I have not looked at the product, but I did follow the description, and here are some thoughts.

From what I understand, that gap-thingy is more or less two proxies connected with an alternate medium (let's take that serial cable Aleph mentioned). Let's compare that to a traditional proxy (or FW). If a traditional proxy gets compromised from the Internet, there are three modes. Either it fails open (ouch), or it fails shut. If it fails shut, the question is where it shuts off; access may still be possible, and with scripts you might be able to revive the dead interface. The third mode is that the proxy does not fail, and you successfully gained access to it, in which case you are in familiar territory, namely you have an Ethernet interface on the internal side that you can control (send packets, launch sniffers, etc).

The air gap proxy would probably behave the same way: It either fails open (ouch again), fails shut, or leaves you with access. In the last case, you are not in familiar territory, and you have no clue how to operate that interface (serial, parallel, SCSI?), and you have no clue as to what protocol is spoken on that interface. But I see this only as security through obscurity because a) given enough time you can figure out the interface and the protocol (leaving aside the fact that you would be investigated and service would be restored before you can figure out the protocol), or b) you can examine what's left of the system and deduce the access that way (after all, the software running the box must come from somewhere). So, this concept might be a tad more secure than a normal proxy, but it is not the golden egg you imagine when you hear the word air gap.

However, I believe such an air gap (literally!) is possible. Imagine a proxy combo connected via serial cable (for example). Imagine the serial cable A connecting the internal proxy and 'a mystery box', and cable B connecting the mystery device and the external proxy. The external proxy, in normal working condition, sends a heartbeat to the device, which is nothing else than a RELAY kept alive by the heartbeat. Should the proxy get compromised, and normal routines providing security (and the heartbeat) are terminated, then the missing heartbeat would cause the device to actually fail shut (in other words, cause the relay to open). And there you have it! An air gap between the relay contacts! Your internal network is safe. Resetting the system would require operator intervention where the operator has to push and hold a button on the device until the proxy has been restarted and the heartbeat is beating again. Doesn't this sound like a nice, little weekend project? ;)

Regards,
Frank

-----Original Message-----
From: Aleph One [mailto:aleph1 () underground org]
Sent: Tuesday, January 23, 2001 2:23 PM

[...]

As an intelligent consumer of security products I am more likely to purchase a product from a vendor that does not use such gimmicks from among a set of equivalent products, and I would encourage others to do likewise.
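
The heartbeat-held relay described in the message above, sketched as controller logic. This is an added example, not part of the original post or of any product; the 2-second timeout, the function names, and the choice to keep the relay latched open after a missed heartbeat until the operator button is held are assumptions.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

#define HEARTBEAT_TIMEOUT_MS 2000u  /* assumed value; the post gives no timing */

typedef struct {
    bool     relay_closed;  /* true: cable A and cable B are connected */
    bool     beat_valid;    /* a heartbeat was seen and has not gone stale */
    uint32_t last_beat_ms;  /* time of the most recent heartbeat */
} gap_relay;

/* Power-up state is open contacts: the device starts failed shut. */
void gap_init(gap_relay *r) {
    r->relay_closed = false;
    r->beat_valid = false;
    r->last_beat_ms = 0;
}

/* Called whenever the external proxy's heartbeat arrives on cable B. */
void gap_heartbeat(gap_relay *r, uint32_t now_ms) {
    r->last_beat_ms = now_ms;
    r->beat_valid = true;
}

/* Called periodically. Returns true while the relay contacts are closed. */
bool gap_tick(gap_relay *r, uint32_t now_ms, bool button_held) {
    /* Unsigned subtraction stays correct across tick-counter wraparound. */
    if (r->beat_valid &&
        (uint32_t)(now_ms - r->last_beat_ms) > HEARTBEAT_TIMEOUT_MS)
        r->beat_valid = false;

    if (!r->beat_valid)
        r->relay_closed = false;  /* missing heartbeat: open the contacts */
    else if (button_held)
        r->relay_closed = true;   /* re-arm only with a live heartbeat */
    /* Otherwise keep the current state: a returning heartbeat alone
       never re-closes the relay. */
    return r->relay_closed;
}

int main(void) {
    gap_relay r;
    gap_init(&r);
    gap_heartbeat(&r, 100);
    printf("heartbeat only:    %d\n", gap_tick(&r, 100, false));
    printf("operator arms:     %d\n", gap_tick(&r, 150, true));
    printf("heartbeat stops:   %d\n", gap_tick(&r, 2200, false));
    gap_heartbeat(&r, 4000);
    printf("heartbeat returns: %d\n", gap_tick(&r, 4001, false));
    return 0;
}
```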