Firewall Wizards mailing list archives

Air Gap info from Whale's founder


From: Jonathan Braunhut <jonathan () whale-com com>
Date: Mon, 16 Oct 2000 12:24:24 -0400

At 04:19 PM 10/12/00, Rick Smith wrote:

Let me also comment on the following excerpt:

... We are focused only on access from the outside to your applications - we
do not deal with your internal users' traffic to/from the Internet. Your
internal users will still browse out through an Internet firewall.

This is an incredibly bad approach to network security architecture. You
don't put a 3 ton safe door over one entrance to the bank vault and a cheap
fire door from Home Depot over the other.


I couldn't agree more, Rick.  In the physical world, your security is only
as strong as your weakest entry point. Safe doors and fire doors (when
breached) admit human traffic in both directions.  Adding a 3 ton safe door
doesn't do a lot in the real world analogy you posit.

Fortunately for all of us, network architectures can be aligned for added
security in ways not easily replicated in the real world.  When you allow
applications to be accessed from the outside, you MUST publish
internet-routable IP addresses for access.  When these published addresses
point to the external side of the e-Gap, you've provided secure access to
the back office through a trusted data path.  With hardened firewalls for
outbound traffic in place (with no published access points and configured
not to listen on ANY TCP/IP port), it becomes a great deal harder to even
get a toehold on that cheap fire door.  And it goes without saying that
e-Gaps and firewalls should be deployed as elements in a larger
defense-in-depth strategy.

---------------------------------------------------------
Jonathan S. Braunhut,           | Voice: (201)292-1505  
Senior Applications Engineer    | Fax:   (201)947-9188
Whale Communications            | E-Mail: jonathan () whale-com com
Parker Plaza                    | http://www.whale-com.com/
400 Kelby Street, 15th floor    | 
Fort Lee, NJ 07024              | 

Note: All comments, views and opinions are mine alone.
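As an added illustration (not part of the original message or of any Whale product) of the outbound-only firewall Jonathan describes, the nftables ruleset below accepts no new inbound connection on any port, publishes no access points (no DNAT), and forwards only sessions that originate on the inside. The interface names and the internal prefix are assumptions made for the example.

```nftables
# Added example, not from the original post. Interface names and the
# internal address range below are assumptions for illustration only.
define inside_if  = "eth1"
define outside_if = "eth0"
define inside_net = 10.0.0.0/8

table inet outbound_only_fw {
    chain input {
        # Traffic addressed to the firewall host itself. Policy drop plus
        # no accept rule for "ct state new" means the box listens on nothing:
        # only loopback and replies to its own outbound flows get through.
        type filter hook input priority 0; policy drop;
        iif "lo" accept
        ct state invalid drop
        ct state established,related accept
    }

    chain forward {
        # Traffic crossing the firewall. Only flows initiated from the inside
        # towards the Internet may open state; everything else is dropped,
        # so there is no inbound path for an outsider to probe.
        type filter hook forward priority 0; policy drop;
        ct state invalid drop
        ct state established,related accept
        iifname $inside_if oifname $outside_if ip saddr $inside_net \
            ct state new accept
    }

    chain postrouting {
        # Internal users browse out behind the firewall's own address; there
        # is deliberately no prerouting/DNAT chain, i.e. no published access
        # points on this device.
        type nat hook postrouting priority 100; policy accept;
        oifname $outside_if ip saddr $inside_net masquerade
    }
}
```

Load with `nft -f <file>`; note that administrative access to the firewall host itself must then come from a separate management path, since the input chain admits no new sessions at all.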


_______________________________________________
firewall-wizards mailing list
firewall-wizards () nfr net
http://www.nfr.net/mailman/listinfo/firewall-wizards