Re: Air Gaps vs. Firewalls

[Rick Smith at Secure Computing <rick_smith () securecomputing com>]

I wrote:

> >There ought to be a genuine physical "gap" somewhere instead of just
> electron flux in a bunch of switching transistors. But I'm just old
> fashioned, or a technical nit picker, or paranoid, or something.

At 01:38 AM 10/12/00, Avi Nagar wrote:

> Just very naive to think something like that could be done without any
> electrical connection and still be for online transactions.

If the privacy and integrity the protected information is *so* important, 
and the outside network is *so* threatening that you need a *true* air gap, 
then you are *not* going to be doing on line transactions against that 
information. It would be naive for an e-commerce security architect to do 
that. Commercial applications just don't have such stringent security 
requirements.

> Really wouldn't it be perfect if firewalls and even Sidewinder had no
> fault states or backdoors?

Most sites get attacked for the same reason that retail stores suffer 
financial loss from shoplifting: there is always a sprinkling of criminals 
among your legitimate customers. If you lock out the criminals, you also 
lock out the customers.

In firewalls, this means that you must let certain traffic through in order 
to operate. This in turn lets in some attacks, regardless of the quality of 
the product. Even eGap will do this.

> Combining "air-gap" technology with products such as eGap and good
> firewall solution does provide a better secured practical env. for
> e-business systems that must not put all balls in one basket (firewall),
> plus the increasing security of internal db and applications from
> outside penetration.

In other words, an e-commerce should install both eGap *and* a conventional 
firewall in order to achieve good security? Why? Isn't it just for some 
content filtering features that aren't avaliable on the firewalls you use?

Perhaps it would be worthwhile for you or someone to compare eGap's content 
filtering capabilities with, say, Content Vectoring Protocol.

> >Now, the proprietor might be worried about 'security' and tolerate some
> 'least privilege' to get it. But it's never a goal in itself, except for
> technically oriented security people.
>
> Aiming such a product to every small office web application you may have
> a point, but this is hardly the case on large and complex e-business
> applications.

Give me an example a large scale site that establishes "least privilege" as 
a top level objective akin to the web site's profitability. You can't, 
because least privilege is a third order requirement. It's an incredibly 
powerful concept, but it must be kept in perspective. Maximized least 
privilege might require a large team of on-site operators to be available 
at all times, and that increases operating costs too much. Or it might 
require a complete rewrite of Apache. Probably both, plus a lot of very 
expensive integration.

I've developed infosec systems for some of the most paranoid people on the 
planet, and found that even *they* have their limits when it comes to least 
privilege in a real, deployable system. Commercial sites, even large scale 
ones, have their limits, too.

> Disclosure:  I work for security integration company and we found eGap a
> good complimentary solution for physical separation along with
> adjustable and easy to use content restriction tool.

I'm sure you can do some good things with it for content restriction. But 
you're fooling yourself when you call it "physical separation." It's not.

Rick.
smith () securecomputing com


_______________________________________________
firewall-wizards mailing list
firewall-wizards () nfr net
http://www.nfr.net/mailman/listinfo/firewall-wizards