Firewall Wizards mailing list archives

RE: Air gap technologies


From: Frank Darden <fdarden () locked com>
Date: Tue, 16 Jan 2001 22:45:51 -0500

hrm.. we looked at a competitor of Whale.. none of these "Air Gap"
manufacturers can distill down the "value" that their products provide..
I've spent 6 months researching these technologies... looks like a fad to me

-----Original Message-----
From: Avi Rubin [mailto:rubin () research att com]
Sent: Tuesday, January 16, 2001 11:12 AM
To: firewall-wizards () nfr com
Subject: [fw-wiz] Air gap technologies


I had a chance to visit Whale technologies last week. I got a full
explanation of the air gap technology and a demo. They referred me to a
discussion on this list that took place last September:

http://www.nfr.com/pipermail/firewall-wizards/2000-September/subject.html

The following comments are as a totally objective observer; I have
absolutely no stake in Whale or their products. 

In fairness to Whale, I think that some of the criticism of the air gap
is misdirected. My observation is that the "marketing message" of the
product triggered many of the comments on this list. The actual
underlying technology is pretty interesting, and I think there is some
value there.

The main problem is that everybody focuses on the physical switch that
shuttles data back and forth, instead of on what the overall product has
to offer. Given the Whale web site, and marketing material, I did the same
thing before my visit, and my first question was, "How is this different
from an Ethernet wire?" The answer, that "nobody knows how secure the
Ethernet protocol is", seems to hardly justify the effort.

However, when I looked under the covers, I discovered that there is a
lot that this product offers, even if you take away the SCSI switch and
replace it with a wire. The main weaknesses in most web sites are
misconfiguration of the O/S and the server, CGI scripts with unchecked
input, and bad administration in general. The air gap's server
separation (here I'm referring to the internal and external servers,
regardless of how they communicate) forces an administrator to separate
security from functionality. I was impressed with the GUI admin
interface for defining what is and what is not legal input to a CGI
script, dependent on the web page. Also, the internal server is not
addressable from the outside, so it is harder for an attacker to exploit
O/S bugs. This can all be done with other means, but the Air Gap makes
it *easy*. This is important for security, because it makes the admin's
job easier, and thus they are more likely to get it right.

On the internal side, the product does the usual content inspection and
checking that any proxy firewall can do, and they are no less resistant
to application level attacks than the next guy. However, to me it seems
like a real added benefit is that only application level data can flow
to the internal network. There is no direct TCP connection and no direct
IP connectivity to the protected net. This eliminates all sorts of
attacks. The external machine is totally untrusted, but attacks against
it amount to denial of service, not compromise of any internal machines.
Recovery is straightforward.

In summary, I think that the air gap is a very useful platform for
providing web service because it reduces the amount of effort and
training needed to secure a site.

I think that Whale would have much more credibility if they published
the technical details of their product in a refereed computer security
conference, such as USENIX security or ISOC NDSS. I will recommend that
they do so, so that the technical people can see what is really there,
and are not limited to commenting on the marketing message, which is
intended for customers, and thus has to have its "spin".

Avi


-- 
http://avirubin.com/
_______________________________________________
firewall-wizards mailing list
firewall-wizards () nfr com
http://www.nfr.com/mailman/listinfo/firewall-wizards
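The two mechanisms Avi describes, per-page rules for what counts as legal CGI input and an internal side that only ever receives application-level data rather than a TCP connection, as an added illustration that is not part of the original post and not Whale's code; the policy table, page paths and parameter rules are constructed for the example.

```python
"""Per-page CGI input allow-list in front of an internal web server.

Hypothetical, self-contained sketch: the external (untrusted) side checks
each request against an admin-defined policy keyed by page, and hands the
internal side only a plain record of checked fields, never the raw request.
"""
import re
from typing import Optional, Tuple
from urllib.parse import parse_qsl, urlsplit

# Constructed policy: for each page, the parameters it may carry and a regex
# the whole value must match. Unknown pages and unknown parameters are denied.
POLICY = {
    "/cgi-bin/search": {"q": r"[A-Za-z0-9 ]{1,64}", "page": r"[1-9][0-9]{0,2}"},
    "/cgi-bin/order": {"item": r"[A-Z]{3}-[0-9]{4}", "qty": r"[1-9][0-9]?"},
}


def check_request(target: str) -> Tuple[bool, str]:
    """Return (allowed, reason) for a request target (path plus query string)."""
    parts = urlsplit(target)
    rules = POLICY.get(parts.path)
    if rules is None:
        return False, f"no policy for page {parts.path}"
    seen = set()
    for name, value in parse_qsl(parts.query, keep_blank_values=True):
        if name in seen:  # repeated parameters are a classic way to confuse CGIs
            return False, f"duplicate parameter {name}"
        seen.add(name)
        pattern = rules.get(name)
        if pattern is None:
            return False, f"parameter {name} not legal for {parts.path}"
        # fullmatch anchors both ends, so trailing junk or newlines fail too
        if re.fullmatch(pattern, value) is None:
            return False, f"value of {name} does not match policy"
    return True, "ok"


def relay(target: str) -> Optional[dict]:
    """What the internal side gets: a record of page and checked fields only.

    A rejected request yields None and never reaches the internal server;
    there is no socket or IP path to pass through in either case.
    """
    allowed, _ = check_request(target)
    if not allowed:
        return None
    parts = urlsplit(target)
    fields = dict(parse_qsl(parts.query, keep_blank_values=True))
    return {"page": parts.path, "fields": fields}
```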