Firewall Wizards mailing list archives
RE: Air gap technologies
From: Frank Darden <fdarden () locked com>
Date: Tue, 16 Jan 2001 22:45:51 -0500
hrm.. we looked at a competitor of Whale.. none of these "Air Gap" manufacturers can distill down the "value" that their products provide.. I've spent 6 months researching these technologies... looks like a fad to me

-----Original Message-----
From: Avi Rubin [mailto:rubin () research att com]
Sent: Tuesday, January 16, 2001 11:12 AM
To: firewall-wizards () nfr com
Subject: [fw-wiz] Air gap technologies

I had a chance to visit Whale technologies last week. I got a full explanation of the air gap technology and a demo. They referred me to a discussion on this list that took place last September:

http://www.nfr.com/pipermail/firewall-wizards/2000-September/subject.html

The following comments are as a totally objective observer; I have absolutely no stake in Whale or their products.

In fairness to Whale, I think that some of the criticism of the air gap is misdirected. My observation is that the "marketing message" of the product triggered many of the comments on this list. The actual underlying technology is pretty interesting, and I think there is some value there. The main problem is that everybody focuses on the physical switch that shuttles data back and forth, instead of on what the overall product has to offer. Given the Whale web site and marketing material, I did the same thing before my visit, and my first question was, "How is this different from an Ethernet wire?" The answer, that "nobody knows how secure the Ethernet protocol is", seems to hardly justify the effort. However, when I looked under the covers, I discovered that there is a lot that this product offers, even if you take away the SCSI switch and replace it with a wire.

The main weaknesses in most web sites are misconfiguration of the O/S and the server, CGI scripts with unchecked input, and bad administration in general. The air gap (here I'm referring to the internal and external servers, regardless of how they communicate) server separation forces an administrator to separate security from functionality. I was impressed with the GUI admin interface for defining what is and what is not legal input to a CGI script, dependent on the web page. Also, the internal server is not addressable from the outside, so it is harder for an attacker to exploit O/S bugs. This can all be done with other means, but the Air Gap makes it *easy*. This is important for security, because it makes the admin's job easier, and thus they are more likely to get it right.

On the internal side, the product does the usual content inspection and checking that any proxy firewall can do, and they are no less resistant to application level attacks than the next guy. However, to me it seems like a real added benefit is that only application level data can flow to the internal network. There is no direct TCP connection and no direct IP connectivity to the protected net. This eliminates all sorts of attacks. The external machine is totally untrusted, but attacks against it amount to denial of service, not compromise of any internal machines. Recovery is straightforward.

In summary, I think that the air gap is a very useful platform for providing web service because it reduces the amount of effort and training needed to secure a site. I think that Whale would have much more credibility if they published the technical details of their product in a refereed computer security conference, such as USENIX security or ISOC NDSS. I will recommend that they do so, so that the technical people can see what is really there, and are not limited to commenting on the marketing message, which is intended for customers, and thus has to have its "spin".

Avi
--
http://avirubin.com/

_______________________________________________
firewall-wizards mailing list
firewall-wizards () nfr com
http://www.nfr.com/mailman/listinfo/firewall-wizards
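The per-page "legal input to a CGI script" policy that Avi describes, as an added example that is not code from the original post or from Whale's product: a constructed allowlist that the untrusted external side would apply to each request before forwarding only the validated application-level data inward. The paths, parameter names and patterns are assumptions chosen for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Constructed policy (hypothetical): for each page, the only parameters an
# administrator has declared legal, each with a pattern its value must match.
# Anything not listed here is rejected rather than forwarded to the internal server.
POLICY = {
    "/cgi-bin/search": {
        "q": re.compile(r"[\w .,-]{1,64}"),   # free text, no shell/HTML metacharacters
        "page": re.compile(r"[0-9]{1,3}"),    # small positive integer only
    },
    "/cgi-bin/login": {
        "user": re.compile(r"[a-z0-9_]{1,32}"),
        "pw": re.compile(r"[^\r\n]{1,128}"),  # opaque, but bounded and single-line
    },
}

MAX_QUERY_LEN = 1024  # coarse bound applied before any parsing


def check_request(url):
    """Return (allowed, reason) for a request line such as '/cgi-bin/search?q=x'.

    Default deny: unknown pages, undeclared parameters, duplicated parameters
    and values that fail the page's pattern are all refused on the external side.
    """
    parts = urlsplit(url)
    rules = POLICY.get(parts.path)
    if rules is None:
        return False, "unknown page %s" % parts.path
    if len(parts.query) > MAX_QUERY_LEN:
        return False, "query string too long"
    seen = set()
    # parse_qsl decodes percent-escapes and '+', so patterns see the real value
    for name, value in parse_qsl(parts.query, keep_blank_values=True):
        if name in seen:
            return False, "duplicate parameter %s" % name
        seen.add(name)
        pattern = rules.get(name)
        if pattern is None:
            return False, "parameter %s not allowed on %s" % (name, parts.path)
        if pattern.fullmatch(value) is None:
            return False, "value of %s does not match policy" % name
    return True, "ok"
```

Only requests for which check_request returns True would be re-issued to the internal server; the rejection reasons are what an administrator would log on the external machine.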