Firewall Wizards mailing list archives

RE: Re: Air Gaps vs. Firewalls


From: Frederick M Avolio <fred () avolio com>
Date: Wed, 04 Oct 2000 09:32:19 -0400

I think this is the main point, though. Simply put, is there a place for a device that enforces a provable disconnect between two networks (say the Internet and the network containing a corporation's most precious assets)?

I've no problem with a separate category like "air gap." When I worked at a secure facility years ago, we had a computer that was connected to the ARPAnet. The Email and USENET news were dumped to magnetic tape and carried to another computer in another room. Could people surf the web? Well, no, it didn't exist. E-mail? Yes. Just nothing interactive (though it could have been done, but it would've been really slow :-)). A firewall? I don't think so. Not really.

I am about to teach a firewalls and security class today. I will discuss air gap technology and we will talk about places it might make sense. Some air gaps have a provable, physical separation at all times. Others have provable, one-way only enforcement. Some people have such security requirements. I don't classify air gap systems as firewalls because what firewalls attempt to do with rules and IP-forwarding control, an air gap can do physically.

[Disclosure: I've done some consulting work for an air gap company, but have no financial stake in this discussion.]
Fred
Avolio Consulting, Inc.
16228 Frederick Road, PO Box 609, Lisbon, MD 21765, US
+1 410-309-6910 (voice) +1 410-309-6911 (fax)
http://www.avolio.com/

