Firewall Wizards mailing list archives
Air Gap info from Whale's founder
From: Jonathan Braunhut <jonathan () whale-com com>
Date: Mon, 16 Oct 2000 12:24:24 -0400
At 04:19 PM 10/12/00, Rick Smith wrote:
> Let me also comment on the following excerpt:
>
> > ... We are focused only on access from the outside to your applications - we do not deal with your internal users' traffic to/from the Internet. Your internal users will still browse out through an Internet firewall.
>
> This is an incredibly bad approach to network security architecture. You don't put a 3 ton safe door over one entrance to the bank vault and a cheap fire door from Home Depot over the other.

I couldn't agree more, Rick. In the physical world, your security is only as strong as your weakest entry point. Safe doors and fire doors (when breached) admit human traffic in both directions. Adding a 3 ton safe door doesn't do a lot in the real world analogy you posit. Fortunately for all of us, network architectures can be aligned for added security in ways not easily replicated in the real world. When you allow applications to be accessed from the outside, you MUST publish internet-routable IP addresses for access. When these published addresses point to the external side of the e-Gap, you've provided secure access to the back office through a trusted data path. With hardened firewalls for outbound traffic in place (with no published access points and configured not to listen on ANY TCP/IP port), it becomes a great deal harder to even get a toehold on that cheap fire door. And it goes without saying that e-Gaps and firewalls should be deployed as elements in a larger defense-in-depth strategy.

---------------------------------------------------------
Jonathan S. Braunhut,         | Voice: (201)292-1505
Senior Applications Engineer  | Fax: (201)947-9188
Whale Communications          | E-Mail: jonathan () whale-com com
Parker Plaza                  | http://www.whale-com.com/
400 Kelby Street, 15th floor  |
Fort Lee, NJ 07024            |
Note: All comments, views and opinions are mine alone.
_______________________________________________
firewall-wizards mailing list
firewall-wizards () nfr net
http://www.nfr.net/mailman/listinfo/firewall-wizards