Firewall Wizards mailing list archives

RE: Re: Link from DMZ to Internal Apps


From: "Benjamin P. Grubin" <bgrubin () pobox com>
Date: Wed, 20 Feb 2002 21:49:45 -0500

-----Original Message-----
From: firewall-wizards-admin () nfr com 
[mailto:firewall-wizards-admin () nfr com] On Behalf Of Uri Lichtenfeld
Sent: Tuesday, February 19, 2002 11:38 AM
To: 'firewall-wizards () nfr com'
Subject: Re: Re: [fw-wiz] Link from DMZ to Internal Apps


Dear Guess Who,

The first thing to realize is that there is no one panacea solution that
will end all your woes and solve all your problems. I think you should
consider looking at a product called e-Gap e-Business by Whale
Communications. It attempts to address the very same issues you raised of
publishing web applications from unknown or "not 100% reliable" sources
securely and without the requirement of VPN tools. Again, this product is
a good quick solution to help solve most of the issues but it's no
replacement for a complete plan with policies, planning and education in
place.

Nice brochure.  You folks might want to coordinate with each other so
only one person advertises your product on a technical list per
question.


The idea of the product is that it provides full protection from all
aspects of web hacking. Everything from protection of the network layer
to the application layer (while including authentication and
encryption). There's

"Full protection from all aspects of web hacking"?  Most firewall
marketing said precisely this 7 years ago.  I've done a lot of looking
at the technology, and honestly there's a wealth of application-layer
attacks that still work through "air gap" technology.  While it may
prevent most if not all network-layer attacks, there is still the
question of seemingly valid application traffic that causes a DoS or
security breach.  

The only advantage of an "air gap" versus an application proxy on a
secure platform that I've ever been able to truly reconcile is the
absolute "fail open" state (fail open being to fail in such a way that
it is impossible to pass traffic).  If anything, an application proxy
gives you more flexibility to do additional inspection.  I'm open to
non-marketing explanations of the power of an "air gap" other than (1)
fail open, which is of dubious value, since a fail closed state for a
secure application proxy is about as likely as pigs flying, or (2) the
other dubious distinction of allowing one to circumvent a requirement
for highly classified networks that they be physically separated.

I'm open to Whale people (or SpearHead) trying to explain the advantages
over an application proxy running on a secure platform (how about a
blow-by-blow against Argus Systems' proxy technology, for instance).
I would also encourage anyone using these systems in a production
environment, and willing to provide some feedback on manageability,
performance, flexibility, reporting, etc., to do so.

I've always considered these systems somewhat of a marketing gimmick.
Some use SCSI (whale), some use a magic chip (SpearHead--who it seems
now calls their technology "Reflective Gap" whatever that's supposed to
mean) but at the end of the day, it's still a proxy at a premium price.

Cheers,
Benjamin P. Grubin, CISSP, GIAC


_______________________________________________
firewall-wizards mailing list
firewall-wizards () nfr com
http://list.nfr.com/mailman/listinfo/firewall-wizards
