Firewall Wizards mailing list archives
Re: Securing www server w/Oracle back end.
From: Crispin Cowan <crispin () wirex com>
Date: Wed, 09 Apr 2003 13:52:03 -0700
Ben Nagy wrote:
> > No holes have to be punched through the firewall from DMZ to private zone.
>
> That seems unlikely. How do these two agents talk? Either they go through the firewall or they bypass it using a serial connection / crossover cable, USB, magic elves etc. Either is equivalent, in my book.

I inferred him to be saying that no *inbound* holes were punched (nothing outside can make a connection request to the inside) but that (in typical NATesque fashion) inside machines can make requests out, and the responses are allowed back in.
So at layer 4, there are no holes in the firewall. But it is a semantic trick: if you want to compromise this system, you need only put malcode into some buffer that the inside machine will fetch while polling from the inside. That is more difficult than via a direct connection, but it is not (from this description) impossible.
> > Theoretically the setup behaves like an air gap between the client and the web server and is transparent to both. On paper, this looks like a viable solution.
>
> I think it's the phrase "air gap" that has me riled up, in fact....

I agree: whenever I see "air gap", I know that there is *hot* air involved. A *true* air gap is achieved with wire cutters; everything else is an application proxy of some kind, at best. Application proxies are *good*, but they are not magical complete solutions, and I'm much more inclined to believe the claims when they don't make appeals to phrases like "air gap."
Crispin
--
Crispin Cowan, Ph.D. http://wirex.com/~crispin/
Chief Scientist, WireX http://wirex.com
HP/Trend Micro Immunix Secured Solutions http://h18000.www1.hp.com/products/servers/solutions/iis/
Just say ".Nyet"
_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
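The "semantic trick" Crispin describes, as an added example that is not part of the original message or of any product discussed in the thread: an inside host polls a buffer in the DMZ, so the firewall sees only outbound connection requests, yet every record it pulls back is still attacker-influenced input. Here the "malcode" in the buffer is an injection string aimed at the database the poller talks to. The buffer contents, the record format, the account-id pattern, and the use of SQLite in place of the thread's Oracle back end are all assumptions made for illustration.

```python
import re
import sqlite3

# Constructed stand-in for the DMZ-side buffer that the inside host polls.
# Record 0 is a normal request; record 1 is an attacker-supplied record
# (constructed for illustration). Nothing about the pull direction
# changes the fact that this data originates outside the private zone.
DMZ_BUFFER = [
    {"op": "lookup", "account": "A1001"},
    {"op": "lookup", "account": "A1001' OR '1'='1"},
]

# Assumed account-id format: the letter A followed by exactly four digits.
ACCOUNT_RE = re.compile(r"^A\d{4}$")


def make_db():
    """Build a small in-memory database standing in for the Oracle back end."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE accounts (id TEXT PRIMARY KEY, balance INTEGER)")
    conn.executemany(
        "INSERT INTO accounts VALUES (?, ?)",
        [("A1001", 100), ("A1002", 250)],
    )
    return conn


def naive_handler(conn, record):
    """Trusts the polled record because 'it came from our own fetch'.

    The firewall has no layer-4 hole, but the string is spliced straight
    into SQL, so the attacker's buffer contents run inside the private zone.
    """
    sql = "SELECT id, balance FROM accounts WHERE id = '%s'" % record["account"]
    return conn.execute(sql).fetchall()


def hardened_handler(conn, record):
    """Treats the polled record as untrusted input.

    Allow-lists the operation, validates the field against a strict
    pattern, and binds the value as a parameter instead of formatting it.
    """
    if record.get("op") != "lookup":
        raise ValueError("unknown op")
    acct = record.get("account")
    if not isinstance(acct, str) or not ACCOUNT_RE.match(acct):
        raise ValueError("rejected account id")
    return conn.execute(
        "SELECT id, balance FROM accounts WHERE id = ?", (acct,)
    ).fetchall()


def drain(conn, handler):
    """Simulate one polling cycle: fetch each buffered record and handle it.

    In a real deployment the loop body would be an outbound fetch from the
    inside host to the DMZ; here the buffer is just the constructed list.
    Returns a list of ("ok", rows) or ("rejected", reason) tuples.
    """
    results = []
    for rec in DMZ_BUFFER:
        try:
            results.append(("ok", handler(conn, rec)))
        except ValueError as exc:
            results.append(("rejected", str(exc)))
    return results


if __name__ == "__main__":
    for name, handler in (("naive", naive_handler), ("hardened", hardened_handler)):
        print(name, drain(make_db(), handler))
```

Run as a script, the naive poller returns every account row for the injected record while the hardened poller rejects it; the firewall policy is identical in both cases. The control that matters is the validation on the inside host, which is why the connection direction alone is a semantic trick rather than a security boundary.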
Current thread:
- RE: Securing www server w/Oracle back end. George J. Jahchan, Eng. (Apr 09)
- RE: Securing www server w/Oracle back end. Ben Nagy (Apr 09)
- Re: Securing www server w/Oracle back end. Crispin Cowan (Apr 09)
- RE: Securing www server w/Oracle back end. Ben Nagy (Apr 09)