Firewall Wizards mailing list archives

Re: Air gap technologies


From: Adam Shostack <adam () homeport org>
Date: Fri, 26 Jan 2001 11:35:50 -0500

On Fri, Jan 26, 2001 at 03:08:43AM +0000, David Wagner wrote:
| Can you clarify your threat model?  Are you trying to defend
| against attackers with physical access to the SCSI bus?  (seems
| unlikely)  Or, just trying to prevent the external host from
| being able to attack the internal host's protocol stack in case
| the external host gets compromised?  (seems more likely, but still
| highly unlikely that this is the dominant failure mode for a firewall)
| 
| In either case, what's wrong with just using a serial cable?
| It seems just as good for all security purposes that I can think
| of.  I'd love to be enlightened, though, if I went wrong somewhere.

Dave hits the nail on the head, but doesn't drive it quite home.

I'd like to understand if the technology in question is a useful
addition into any information security policy and implementation I've
ever encountered.  I don't think it is, but I might be wrong.  Most
large systems are not at risk because of their firewalls: their
firewalls are strong points in weak ecosystems.  Those ecosystems are
at risk because of lack of integrated policies and procedures, weak
physical perimeters, hiring practices, including the use of temps and
systems integrators, poor software engineering practice, the need for
permeable barriers such as remote access, extranets, etc, etc, ad
nauseam.

So, if I, as security officer for a company, am considering an
investment in an "Air Gap" vs some other security investment, is this
the right thing to buy?

If I, as a firewall manager, am considering an investment in an "Air
Gap," is this the best place for my money, or should I invest in
something else?  Code reviews for the code that's reachable through the
firewall?  Training for those coders?  An IDS of some sort?

Adam



-- 
"It is seldom that liberty of any kind is lost all at once."
                                                       -Hume


_______________________________________________
firewall-wizards mailing list
firewall-wizards () nfr com
http://www.nfr.com/mailman/listinfo/firewall-wizards

