Firewall Wizards mailing list archives

RE: Air gap technologies


From: Bill_Royds () pch gc ca
Date: Thu, 25 Jan 2001 12:28:41 -0500

It appears as if the Whale technology lessens the risk of compromise of the
Application Proxy Box by dividing it into two boxes.
The "Air-gap" appliance is the means of connecting the two boxes but it could
just as easily be shared memory in a 2 CPU box. The real test is whether there
is a way to pass exploits through the combination (which is possible for things like
the RFP exploits)
and is it possible to readily compromise the second box once you have
compromised the first. This seems to be the advantage over a single box proxy
but I am not sure it has any real advantage in practice, since compromise of the
firewall box itself is the least common vector for attacks.
   So the Air-gap is distinct from a simple ALG but not necessarily better in
practice because it hardens the least vulnerable point.




Bill Stout <Bill.Stout () AristaSoft com> on 01/24/2001 09:05:03 PM

 To:      "firewall-wizards@nfr. net (E-mail)" <firewall-wizards () nfr net>
 cc:      (bcc: Bill Royds/HullOttawa/PCH/CA)
 Subject: RE: [fw-wiz] Air gap technologies

There is an air-gap of varying widths between the heads flying over a
magnetic substrate, of wireless LANs or WANs, and satellite communication.
LAN/WAN cards, hubs and switches often use transformers to isolate
electrical conductivity (such as in CSUs) to protect internal circuitry from
external current (preventing ground current flow between different phases or
circuits).  Just because some Shipley guy is separated from your
network via a large air-gap (e.g., Ricochet modem), it does not mean you're
any safer.

Since air-gaps exist in standard physical communications media, air-gaps
won't provide any difference in network security.  I believe this logic
nixes the 'Air-gap' phrase as providing any true or theoretical security
advantage.

So ignoring the air-gap 'technology', I'm interested to hear from the list
what perceived and real security advantages Whale products provide over
standard proxy-based firewalls.

Bill Stout
Chief Architect
Aristasoft, Inc


-----Original Message-----
From: Frederick M Avolio [mailto:fred () avolio com]
Sent: Tuesday, January 23, 2001 1:05 PM
To: Aleph One; Crispin Cowan; Stiennon,Richard
Cc: 'Avi Rubin'; firewall-wizards () nfr com
Subject: Re: [fw-wiz] Air gap technologies


At 12:22 PM 1/23/01 -0800, Aleph One wrote:
What I should have said is that these dual-host systems implemented with a
physical air gap and dual-host systems implemented via some other type
of point-to-point connection (such as a serial cable) have the same exact
security properties.

With the added property that the cable is only ever connected to one side
or the other at a time?

Anyway... I tire of this discussion and I am sort of hoping the moderator
decides to pull the plug. As a friend of mine says, I don't have any dogs
in this fight. I don't want to sound like I am brushing anyone off, but I
am caring less and less whether I convince anyone of my opinion in this.

Fred

_______________________________________________
firewall-wizards mailing list
firewall-wizards () nfr com
http://www.nfr.com/mailman/listinfo/firewall-wizards