Firewall Wizards mailing list archives
Re: Re: AirGap's... one way protection
From: Joe Nall <joe () nall com>
Date: Thu, 19 Oct 2000 18:13:18 -0500
Frederick M Avolio wrote:
> > Agreed, but the number of applications that can live without
> > acknowledgment in transactions won't keep any large companies afloat.
>
> Agreed, but the eGap is built to provide a proper response to the client
> side, while keeping the two sides apart. There is never a time when both
> sides are connected, and there is no network traffic across the device.
> Recall, it uses a toggling memory device. Like the separation between you
> and the person changing your currency on a street corner booth (well,
> mostly outside of N. America) there is separation. The cash drawer is
> either inside or outside, never both. (Okay, simple minded, but a decent
> analogy.)
But you don't need a continuous network connection.

Step 1) Bad guy sends an HTTP request that includes a buffer overflow attack
(or other application weakness exploitation) in the request data.

Step 2) e-Gap, or any other proxy, will have to forward the request to a
back-end server for processing because the proxy doesn't contain the data
required to answer the request.

Step 3) Server is now compromised until the next reboot. It could be
rm -rf /'ing the disk before it responds.

The weakness is in the application and its lack of input validation in many
cases. The proxy can attempt to validate data before hand-off, but it can't
catch everything without perfect knowledge. e-Gap, web proxies and
application proxies can clean up most of the network level attacks - but not
the application level attacks that have become prevalent.

To summarize:

* I like approaches that terminate the network connection before the
  web/mail server and reconstitute it cleanly to minimize attacks on weak
  server network stacks. e-Gap is one of several such approaches, plug-gw is
  another.

* I like application proxies/firewalls that severely curtail access to the
  server and server access to the net. e-Gap is one of several.

* But you have to validate application data on the way into the server and
  you have to architect the application in a fail safe manner. No firewall,
  e-Gap or otherwise, can protect a lame application adequately if it has to
  process data from the public.

joe

_______________________________________________
firewall-wizards mailing list
firewall-wizards () nfr com
http://www.nfr.com/mailman/listinfo/firewall-wizards
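The three-step argument above, as an added example (editor's illustration, not code from e-Gap, plug-gw, or anyone on the list): a proxy that terminates the client connection and rebuilds the request from parsed fields, placed in front of an application handler that does its own input validation. The proxy's limits (request-line and header sizes, allowed methods, ASCII-only headers), the `/balance?acct=` endpoint, the rule that an account id is 1-12 digits, and all four sample requests are constructed for the example. The point it shows is the one Joe makes: the overlong and control-byte requests die at the proxy, but a well-framed request carrying a 300-byte "account id" passes every proxy check and is stopped only by the application's validation; with that validation removed, the payload reaches the server unchanged.

```python
"""Reconstituting proxy in front of a validating application handler.
Added illustration; everything here, including sample requests, is
constructed for the example and is not any product's code."""
from __future__ import annotations

import re
from urllib.parse import parse_qsl, urlsplit

# Limits the proxy can enforce without knowing anything about the application.
MAX_REQUEST_LINE = 2048
MAX_HEADER_LINE = 1024
MAX_HEADERS = 32
MAX_BODY = 65536
REQUEST_LINE_RE = re.compile(rb"^(GET|HEAD|POST) (/[^\s]*) HTTP/1\.[01]$")
HEADER_NAME_RE = re.compile(r"^[!#$%&'*+.^_`|~0-9A-Za-z-]+$")


class RejectedByProxy(Exception):
    """The request never reaches the server."""


class RejectedByApplication(Exception):
    """The server saw the request but its own validation refused it."""


def reconstitute(raw: bytes):
    """Parse the wire request into (method, target, headers, body).
    Nothing is forwarded as received: the server side gets a request rebuilt
    from these parsed values, so malformed framing dies here."""
    head, sep, body = raw.partition(b"\r\n\r\n")
    if not sep:
        raise RejectedByProxy("no end of headers")
    lines = head.split(b"\r\n")
    m = REQUEST_LINE_RE.match(lines[0])
    if len(lines[0]) > MAX_REQUEST_LINE or m is None:
        raise RejectedByProxy("bad request line")
    if len(lines) - 1 > MAX_HEADERS:
        raise RejectedByProxy("too many headers")
    if len(body) > MAX_BODY:
        raise RejectedByProxy("body too large")
    headers = {}
    for line in lines[1:]:
        if len(line) > MAX_HEADER_LINE or not line.isascii() or any(c < 0x20 for c in line):
            raise RejectedByProxy("bad header bytes")
        name, colon, value = line.decode("ascii").partition(":")
        if not colon or not HEADER_NAME_RE.match(name):
            raise RejectedByProxy("bad header name")
        headers[name.lower()] = value.strip()
    return m.group(1).decode("ascii"), m.group(2).decode("ascii"), headers, body


def rebuild(method: str, target: str, headers: dict, body: bytes) -> bytes:
    """Emit the canonical request the server side actually receives."""
    out = f"{method} {target} HTTP/1.1\r\n"
    out += "".join(f"{k}: {v}\r\n" for k, v in sorted(headers.items()))
    return out.encode("ascii") + b"\r\n" + body


ACCOUNT_RE = re.compile(r"^[0-9]{1,12}$")  # assumption: account ids are 1-12 digits


def application(method, target, headers, body) -> str:
    """The back end.  Only this code knows what 'acct' must look like, so
    only this code can reject a well-framed but hostile value."""
    parts = urlsplit(target)
    if method != "GET" or parts.path != "/balance":
        raise RejectedByApplication("unknown request")
    acct = dict(parse_qsl(parts.query, keep_blank_values=True)).get("acct", "")
    if not ACCOUNT_RE.match(acct):
        raise RejectedByApplication("acct must be 1-12 digits")
    return f"balance for account {acct}"


def weak_application(method, target, headers, body) -> str:
    """Same handler with validation left out: whatever the proxy passes is
    used as-is (stand-in for the strcpy into a fixed buffer)."""
    acct = dict(parse_qsl(urlsplit(target).query)).get("acct", "")
    return f"balance for account {acct}"


def serve(raw: bytes, app=application) -> tuple[str, str]:
    """Run a request through proxy, then application; report which stage
    decided its fate and why."""
    try:
        req = reconstitute(raw)
        rebuild(*req)  # what would cross the server-side link
    except RejectedByProxy as e:
        return ("proxy", str(e))
    try:
        return ("ok", app(*req))
    except RejectedByApplication as e:
        return ("application", str(e))


# Constructed sample requests.
GOOD = b"GET /balance?acct=12345 HTTP/1.1\r\nHost: bank.example\r\n\r\n"
OVERLONG = b"GET /balance?acct=" + b"A" * 4000 + b" HTTP/1.1\r\nHost: bank.example\r\n\r\n"
CONTROL_BYTES = b"GET /balance?acct=1 HTTP/1.1\r\nX-Evil: \x00\x90\x90\r\n\r\n"
# Well-formed HTTP, inside every proxy limit, but an overflow-shaped value
# for a field the proxy knows nothing about.
SNEAKY = b"GET /balance?acct=" + b"A" * 300 + b" HTTP/1.1\r\nHost: bank.example\r\n\r\n"

if __name__ == "__main__":
    for name, req in [("GOOD", GOOD), ("OVERLONG", OVERLONG),
                      ("CONTROL_BYTES", CONTROL_BYTES), ("SNEAKY", SNEAKY)]:
        print(name, serve(req))
    print("SNEAKY vs weak app:", serve(SNEAKY, weak_application)[1][:40], "...")
```

The proxy's checks are deliberately generic: they encode only what HTTP itself allows. Tightening them further (say, a 12-byte cap on `acct`) would work for this one endpoint, but that is exactly the "perfect knowledge" of the application the post says the proxy does not have, and it has to be re-derived every time the application changes.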
Current thread:
- Re: AirGap's... one way protection Jon Squire (Oct 18)
- Re: Re: AirGap's... one way protection Joe Nall (Oct 19)
- Re: Re: AirGap's... one way protection Frederick M Avolio (Oct 19)
- Re: Re: AirGap's... one way protection Joe Nall (Oct 19)
- Re: Re: AirGap's... one way protection Frederick M Avolio (Oct 20)
- Re: Re: AirGap's... one way protection Joe Nall (Oct 20)
- Re: Re: AirGap's... one way protection Frederick M Avolio (Oct 23)
- Re: Re: AirGap's... one way protection Frederick M Avolio (Oct 19)
- Re: Re: AirGap's... one way protection Joe Nall (Oct 19)
- <Possible follow-ups>
- RE: Re: AirGap's... one way protection Harris, Tim (Oct 19)
- RE: Re: AirGap's... one way protection Frederick M Avolio (Oct 23)
- RE: Re: AirGap's... one way protection Harris, Tim (Oct 23)