Firewall Wizards mailing list archives

RE: Re: Air gap technologies


From: <rreiner () fscinternet com>
Date: Fri, 19 Jan 2001 15:17:23 -0500

<flameXML timestamp="2001-01-19T15:03:14-07:00" 
payloadID="963352994214">

<response author="Richard Reiner in a surly mood">
  <responsepart type="opinion">

We may as well all repeat together for the one millionth time: 

  Security is not a FUNCTIONAL concept.

Features are nice, but they are not the main point.  (Anyone unclear on 
what I mean by this should see Marcus' 1995 piece on "firewall testing" 
at http://pubweb.nfr.net/~mjr/pubs/fwtest/index.htm).

If we thought about bridges the way some people think about firewalls, 
all we'd care about would be how wide, how long, and how shiny the 
paint is.

And bridges would be falling into the sea, left and right .... exactly 
the way web sites allegedly "protected" by firewalls are.

What really matters in a perimeter defence (access control / 
authentication / authorization) system?

 - Level of assurance
 - Failure modes
 - Trust model
 - Granularity
 - And lots of other difficult, unglamorous, non-marketable concepts -- 
like quality, commitment, and seriousness

More and more, as the commercial infosec world fills up with 
self-proclaimed experts who have only a shallow smattering of -- 
usually single-vendor-imparted -- product knowledge and no real depth 
of understanding (sorry, as indicated above I'm in a surly mood about 
this as I've had my hands full with some of these people lately, I am 
not referring to any specific individual), the emphasis is on features 
and functionality (not to mention pretty interfaces).

So long as this goes on, web sites will continue to fall into the sea.

 </responsepart>
 <responsepart type="facts">

  Where should we look for real differences between Whale's eGap and 
proxy firewalls?

 - Level of assurance
 - Failure modes
 - Trust model
 - Granularity
 - And the rest, as above.

Looking at these areas, you'll find that the eGap design and 
implementation do offer benefits, especially in terms of narrower 
failure modes, and higher granularity.

This isn't global, across-the-board "superiority", by any means ... but 
for some specific missions, the eGap does a better job than other 
systems.  Conversely, for other missions, Gauntlet and other 
application proxy firewalls are a better fit.

Those doing most of the yelling in this long ongoing "air gap" debate 
might do well to look a little more closely at Whale's marketing 
claims, which specifically do NOT suggest that the eGap is a 
replacement for any type of firewall.  Different systems for different 
requirements.
  </responsepart>
  <responsepart type="disclaimer">
I know, respect, and have done business with people at nearly all of 
the companies involved on the various sides of this debate.
  </responsepart>
</response>
</flameXML>

_______________________________________________
firewall-wizards mailing list
firewall-wizards () nfr com
http://www.nfr.com/mailman/listinfo/firewall-wizards

