Firewall Wizards mailing list archives
Re: Re: AirGap's... one way protection
From: David Lang <david.lang () digitalinsight com>
Date: Wed, 18 Oct 2000 14:48:51 -0700 (PDT)
huh? what protocol do you run that only moves data in one direction? you may be able to set it to only allow connections to be originated from one side, but data does need to flow in both directions.

as for the 'hardware limit' on the data flow, unless it is done in an ASIC (i.e. no flash or ROM) all you really have done is to say 'well the ruleset of this firewall reads this key position and if it is in this position disables these rules' and I have serious doubts as to this being 'unbreakable'

David Lang

On Wed, 18 Oct 2000, Jon Squire wrote:
Most of the attention AirGap's (e-Gap) has been getting in the list is focused on whether they are different from an application proxy when used in bidirectional modes. What does not seem to be addressed is the added benefit of using an e-Gap in a unidirectional mode and why this is different from a firewall.

Whale Communications e-Gap can be physically locked (using a key) to allow only a one way transfer of data. This one way communication is implemented in hardware and cannot be changed by an attacker if he compromises the host computer. This gives us a safe failure state where we know no data can be transferred out (unless the attacker has physical access to the e-Gap device.) How many firewalls can absolutely guarantee that if they were taken over, the attacker won't be able to transfer data outbound... (well I suppose you could clip the RX pair on your ethernet cable on the inside interface, but this could pose some other problems.)

Some examples of a use for the one way configuration of an e-Gap would be receiving confidential customer information (names, addresses, credit cards, etc.) You could pass the credit card information through an e-Gap in a one way fashion. By using this layer of protection, even if an attacker could mount a successful data stream attack that would disclose the information (such as the entire credit card database), they would not have a vector to transfer the information to the outside because the e-Gap would not allow the data to be transferred outbound.

I think the ability to enforce unidirectional transactions in hardware is one of the main differences between Whale's e-Gap and a standard firewall.

_______________________________________________
firewall-wizards mailing list
firewall-wizards () nfr com
http://www.nfr.com/mailman/listinfo/firewall-wizards
Current thread:
- Re: AirGap's... one way protection Jon Squire (Oct 18)
- Re: Re: AirGap's... one way protection Joe Nall (Oct 19)
- Re: Re: AirGap's... one way protection Frederick M Avolio (Oct 19)
- Re: Re: AirGap's... one way protection Joe Nall (Oct 19)
- Re: Re: AirGap's... one way protection Frederick M Avolio (Oct 20)
- Re: Re: AirGap's... one way protection Joe Nall (Oct 20)
- Re: Re: AirGap's... one way protection Frederick M Avolio (Oct 23)
- Re: Re: AirGap's... one way protection Frederick M Avolio (Oct 19)
- Re: Re: AirGap's... one way protection Joe Nall (Oct 19)
- <Possible follow-ups>
- RE: Re: AirGap's... one way protection Harris, Tim (Oct 19)
- RE: Re: AirGap's... one way protection Frederick M Avolio (Oct 23)
- RE: Re: AirGap's... one way protection Harris, Tim (Oct 23)