Firewall Wizards mailing list archives
RE: Re: Air Gaps vs. Firewalls
From: <rreiner () fscinternet com>
Date: Sun, 1 Oct 2000 15:57:29 -0400
mikael.olsson () enternet se writes:
A lot has been said about the "unparalleled granularity" of these boxes. To those of you who argue for its benefits, I feel I'll have to ask "just how granular is it?". Will the URL shuttle, for instance, protect me against the mistakes of the average ASP/perl/php consultant, who fails to scrub queries passed to database engines? Without me having to work just as hard with the application layer filters as the consultant had to do to get those scripts working in the first place?
Yep. You can configure an eGap to limit the length, or the contents (via full regex matching) of a URL, any query-string data (e.g. from HTTP GET), and any field in an HTTP POST body (i.e. the user-supplied data filled into an HTML form). You can't do that with other, simpler, HTTP proxies. And the eGap box makes it pretty easy. Certainly much easier than hand-crafting validation logic in ASP/PHP/Perl/whatever. Since the typical ASP-coder errors are things like improper validation of forms data, with consequences such as allowing user-crafted SQL queries to execute, an eGap admin can work from the same spec as the developers and provide independent validation of user-entered data, and thereby enforce a nicely localized set of controls wrapped around the application code. If the developers make some effort to validate properly too, that's all the better... but you no longer have to rely on their code (all too often written under time pressure and not properly reviewed) as your sole layer of defence.

Sounds like a good thing to me...

Richard

--
Richard Reiner, Ph.D.
FSC Internet Corp. / SecureXpert Labs
The FSC Building, 188 Davenport Rd.,
Toronto, Ontario, Canada M5R 1J2
+1 416 921 4280, Fax +1 416 966 2451
rreiner () fscinternet com, rreiner () securexpert com
www.fscinternet.com, www.securexpert.com
============================================
This message may contain confidential and/or proprietary information, and is intended only for the person/entity to whom it was originally addressed. The content of this message may contain private views and opinions which do not constitute a formal disclosure or commitment unless specifically stated.
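An added illustration (not eGap's configuration or code, and not from either poster) of the spec-driven, whitelist-style validation layer Richard describes: per-field length caps and regexes applied to the URL path, the query string and POST form fields before a request reaches the application. The /app/login.php form, its field names and the limits are constructed for the example.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Constructed policy for a hypothetical form handler, written from the same
# spec the developers used: one entry per field, with a length cap and a regex.
POLICY = {
    "path": {"max_len": 64, "pattern": r"^/app/(login|search)\.php$"},
    "query": {
        "page": {"max_len": 4, "pattern": r"^[0-9]{1,4}$"},
    },
    "form": {
        "username": {"max_len": 32, "pattern": r"^[A-Za-z0-9_.-]{1,32}$"},
        "password": {"max_len": 64, "pattern": r"^[^\x00-\x1f]{1,64}$"},
    },
}

def _check(rules, value):
    """Return None if value satisfies the rule, else a short reason."""
    if len(value) > rules["max_len"]:
        return "too long (%d > %d)" % (len(value), rules["max_len"])
    if not re.fullmatch(rules["pattern"], value):
        return "pattern mismatch"
    return None

def validate_request(url, form_body=""):
    """Check path, query string and POST form fields against POLICY.

    Returns a list of (location, field, reason) violations; an empty list
    means the request may be forwarded to the application server.
    Fields absent from the spec are rejected, so the policy is a whitelist
    and the application code is not the sole layer of defence.
    """
    violations = []
    parts = urlsplit(url)
    reason = _check(POLICY["path"], parts.path)
    if reason:
        violations.append(("path", parts.path, reason))
    for section, raw in (("query", parts.query), ("form", form_body)):
        rules = POLICY[section]
        for name, value in parse_qsl(raw, keep_blank_values=True):
            if name not in rules:
                violations.append((section, name, "field not in spec"))
                continue
            reason = _check(rules[name], value)
            if reason:
                violations.append((section, name, reason))
    return violations
```

A request that passes still goes through the application's own validation; this layer only guarantees that what arrives there already fits the spec.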