Firewall Wizards mailing list archives
RE: Re: Air gap technologies
From: <rreiner () fscinternet com>
Date: Fri, 19 Jan 2001 15:17:23 -0500
<flameXML timestamp="2001-01-19T15:03:14-07:00" payloadID="963352994214">
<response author="Richard Reiner in a surly mood">
<responsepart type="opinion">

We may as well all repeat together for the one millionth time: Security is not a FUNCTIONAL concept. Features are nice, but they are not the main point. (Anyone unclear on what I mean by this should see Marcus' 1995 piece on "firewall testing" at http://pubweb.nfr.net/~mjr/pubs/fwtest/index.htm).

If we thought about bridges the way some people think about firewalls, all we'd care about would be how wide, how long, and how shiny the paint is. And bridges would be falling into the sea, left and right .... exactly the way web sites allegedly "protected" by firewalls are.

What really matters in a perimeter defence (access control / authentication / authorization) system?

- Level of assurance
- Failure modes
- Trust model
- Granularity
- And lots of other difficult, unglamorous, non-marketable concepts -- like quality, commitment, and seriousness

More and more, as the commercial infosec world fills up with self-proclaimed experts who have only a shallow smattering of -- usually single-vendor-imparted -- product knowledge and no real depth of understanding (sorry, as indicated above I'm in a surly mood about this as I've had my hands full with some of these people lately, I am not referring to any specific individual), the emphasis is on features and functionality (not to mention pretty interfaces).

So long as this goes on, web sites will continue to fall into the sea.

</responsepart>
<responsepart type="facts">

Where should we look for real differences between Whale's eGap and proxy firewalls?

- Level of assurance
- Failure modes
- Trust model
- Granularity
- And the rest, as above.

Looking at these areas, you'll find that the eGap design and implementation do offer benefits, especially in terms of narrower failure modes, and higher granularity. This isn't global, across-the-board "superiority", by any means ... but for some specific missions, the eGap does a better job than other systems. Conversely, for other missions, Gauntlet and other application proxy firewalls are a better fit.

Those doing most of the yelling in this long ongoing "air gap" debate might do well to look a little more closely at Whale's marketing claims, which specifically do NOT suggest that the eGap is a replacement for any type of firewall.

Different systems for different requirements.

</responsepart>
<responsepart type="disclaimer">

I know, respect, and have done business with people at nearly all of the companies involved on the various sides of this debate.

</responsepart>
</response>
</flameXML>