Firewall Wizards mailing list archives

Re: Re: AirGap's... one way protection


From: David Lang <david.lang () digitalinsight com>
Date: Wed, 18 Oct 2000 14:48:51 -0700 (PDT)

huh? what protocol do you run that only moves data in one direction? you
may be able to set it to only allow connections to be originated from one
side, but data does need to flow in both directions.

as for the 'hardware limit' on the data flow, unless it is done in an ASIC
(i.e. no flash or ROM) all you really have done is to say 'well the
ruleset of this firewall reads this key position and if it is in this
position disables these rules' and I have serious doubts as to this being
'unbreakable'.

David Lang


On Wed, 18 Oct 2000, Jon Squire wrote:

Most of the attention AirGap's (e-Gap) has been getting on the list is focused on whether they are different from an 
application proxy when used in a bidirectional mode. What does not seem to be addressed is the added benefit of 
using an e-Gap in a unidirectional mode and why this is different from a firewall.

Whale Communications e-Gap can be physically locked (using a key) to allow only a one-way transfer of data. This one-way 
communication is implemented in hardware and cannot be changed by an attacker if he compromises the host 
computer. This gives us a safe failure state where we know no data can be transferred out (unless the attacker has 
physical access to the e-Gap device). How many firewalls can absolutely guarantee that if they were taken over, the 
attacker won't be able to transfer data outbound... (well, I suppose you could clip the RX pair on your ethernet cable 
on the inside interface, but this could pose some other problems.)

Some examples of a use for the one-way configuration of an e-Gap would be receiving confidential customer information 
(names, addresses, credit cards, etc.). You could pass the credit card information through an e-Gap in a one-way 
fashion. By using this layer of protection, even if an attacker could mount a successful data stream attack that 
would disclose the information (such as the entire credit card database), they would not have a vector to transfer 
the information to the outside because the e-Gap would not allow the data to be transferred outbound.

I think the ability to enforce unidirectional transactions in hardware is one of the main differences between Whale's 
e-Gap and a standard firewall.




_______________________________________________
firewall-wizards mailing list
firewall-wizards () nfr com
http://www.nfr.com/mailman/listinfo/firewall-wizards


