Firewall Wizards mailing list archives
Re: Air Gaps vs. Firewalls
From: Rick Smith at Secure Computing <rick_smith () securecomputing com>
Date: Thu, 12 Oct 2000 09:59:12 -0500
I wrote:
>There ought to be a genuine physical "gap" somewhere instead of just electron flux in a bunch of switching transistors. But I'm just old fashioned, or a technical nit picker, or paranoid, or something.
At 01:38 AM 10/12/00, Avi Nagar wrote:
> Just very naive to think something like that could be done without any electrical connection and still be for online transactions.
If the privacy and integrity of the protected information is *so* important, and the outside network is *so* threatening that you need a *true* air gap, then you are *not* going to be doing online transactions against that information. It would be naive for an e-commerce security architect to do that. Commercial applications just don't have such stringent security requirements.
> Really, wouldn't it be perfect if firewalls and even Sidewinder had no fault states or backdoors?
Most sites get attacked for the same reason that retail stores suffer financial loss from shoplifting: there is always a sprinkling of criminals among your legitimate customers. If you lock out the criminals, you also lock out the customers.
In firewalls, this means that you must let certain traffic through in order to operate. This in turn lets in some attacks, regardless of the quality of the product. Even eGap will do this.
> Combining "air-gap" technology with products such as eGap and a good firewall solution does provide a better-secured practical environment for e-business systems that must not put all balls in one basket (firewall), plus increasing the security of internal DB and applications from outside penetration.
In other words, an e-commerce site should install both eGap *and* a conventional firewall in order to achieve good security? Why? Isn't it just for some content filtering features that aren't available on the firewalls you use?
Perhaps it would be worthwhile for you or someone to compare eGap's content filtering capabilities with, say, Content Vectoring Protocol.
>>Now, the proprietor might be worried about 'security' and tolerate some 'least privilege' to get it. But it's never a goal in itself, except for technically oriented security people.
> Aiming such a product to every small-office web application, you may have a point, but this is hardly the case on large and complex e-business applications.
Give me an example of a large-scale site that establishes "least privilege" as a top-level objective akin to the web site's profitability. You can't, because least privilege is a third-order requirement. It's an incredibly powerful concept, but it must be kept in perspective. Maximized least privilege might require a large team of on-site operators to be available at all times, and that increases operating costs too much. Or it might require a complete rewrite of Apache. Probably both, plus a lot of very expensive integration.
I've developed infosec systems for some of the most paranoid people on the planet, and found that even *they* have their limits when it comes to least privilege in a real, deployable system. Commercial sites, even large scale ones, have their limits, too.
> Disclosure: I work for a security integration company, and we found eGap a good complementary solution for physical separation along with an adjustable and easy-to-use content restriction tool.
I'm sure you can do some good things with it for content restriction. But you're fooling yourself when you call it "physical separation." It's not.
Rick.
smith () securecomputing com
_______________________________________________
firewall-wizards mailing list
firewall-wizards () nfr net
http://www.nfr.net/mailman/listinfo/firewall-wizards