Firewall Wizards mailing list archives
RE: Re: Link from DMZ to Internal Apps
From: "Benjamin P. Grubin" <bgrubin () pobox com>
Date: Wed, 20 Feb 2002 21:49:45 -0500
-----Original Message-----
From: firewall-wizards-admin () nfr com [mailto:firewall-wizards-admin () nfr com] On Behalf Of Uri Lichtenfeld
Sent: Tuesday, February 19, 2002 11:38 AM
To: 'firewall-wizards () nfr com'
Subject: Re: Re: [fw-wiz] Link from DMZ to Internal Apps

> Dear Guess Who,
>
> The first thing to realize is that there is no one panacea solution that will end all your woes and solve all your problems. I think you should consider looking at a product called e-Gap e-Business by Whale Communications. It attempts to address the very same issues you raised of publishing web applications from unknown or "not 100% reliable" sources securely and without the requirement of VPN tools. Again, this product is a good quick solution to help solve most of the issues, but it's no replacement for a complete plan with policies, planning and education in place.
Nice brochure. You folks might want to coordinate with each other so only one person advertises your product on a technical list per question.
> The idea of the product is that it provides full protection from all aspects of web hacking. Everything from protection of the network layer to the application layer (while including authentication and encryption). There's
"Full protection from all aspects of web hacking"? Most firewall marketing said precisely this 7 years ago. I've done a lot of looking at the technology, and honestly there's a wealth of application-layer attacks that still work through "air gap" technology. While it may prevent most if not all network-layer attacks, there is still the question of seemingly valid application traffic that causes a DoS or security breach. The only advantage of an "air gap" versus an application proxy on a secure platform that I've ever been able to truly reconcile is the absolute "fail open" state (fail open being to fail in such a way that it is impossible to pass traffic). If anything, an application proxy gives you more flexibility to do additional inspection.

I'm open to non-marketing explanations of the power of an "air gap" other than (1) fail open, which is of dubious value, since a fail closed state for a secure application proxy is about as likely as pigs flying, or (2) the other dubious distinction of allowing one to circumvent a requirement for highly classified networks that they be physically separated.

I'm open to Whale people (or SpearHead) trying to explain the advantages over an application proxy running on a secure platform (how about a blow-by-blow against Argus Systems' proxy technology, for instance). I would also encourage anyone using these systems in a production environment, and willing to provide some feedback on manageability, performance, flexibility, reporting, etc., to do so.

I've always considered these systems somewhat of a marketing gimmick. Some use SCSI (Whale), some use a magic chip (SpearHead--who it seems now calls their technology "Reflective Gap", whatever that's supposed to mean) but at the end of the day, it's still a proxy at a premium price.

Cheers,
Benjamin P. Grubin, CISSP, GIAC

_______________________________________________
firewall-wizards mailing list
firewall-wizards () nfr com
http://list.nfr.com/mailman/listinfo/firewall-wizards