Firewall Wizards mailing list archives

RE: FW: Is this for real (e-Gap from Whale Communications)


From: Rick Smith <rick_smith () securecomputing com>
Date: Fri, 12 Nov 1999 13:20:01 -0600

At 10:29 PM 11/11/1999 -0500, Frederick M Avolio wrote:
>>>>
Of course, we still use firewalls, even with this fatal flaw. I don't think anyone should look at e-Gap or any single device as the Holy Grail. Just another interesting possibility in the arsenal.
<<<<

I admit I said "fatal flaw" and it was a reaction (excessive perhaps) to the PR on their Web site that suggested they were offering something significantly different than the alternatives.

I suppose I expected to see a certain amount of policy enforcement embedded within the security device itself. But if I read things correctly, it looks as if the policy enforcement will fall on the gateway computer connected to the "trusted" side of the e-Gap. This reduced my enthusiasm since I'd have liked to see *some* enforcement on the device itself.

I'm getting the impression that the real challenge today is in our attempts to describe the types of information content we want to pass or block. The "fatal flaw" is that we have to pass some traffic or our systems are worthless. *How* we pass the data (carrier pigeons, bouncing SCSI switches, type enforced subjects, Unix proxy processes, whatever) seems to be lost in the noise except as far as it impacts throughput or helps to judge the good traffic from the bad.

But I admit there are DOD guard applications where I'd seriously look at that device even though the end users would gripe about the extra boxes when they airlift. Until I look closer I'm not sure if it provides a real security improvement or it simply gives the accreditor a pleasing distraction. It *is* interesting or we wouldn't be wasting so many words on it, eh?




Rick.
smith () securecomputing com
"Internet Cryptography" at http://www.visi.com/crypto/


