Firewall Wizards mailing list archives

RE: Worms, Air Gaps and Responsibility


From: "Karl Mueller" <karlm () acshelp com>
Date: Wed, 5 May 2004 10:06:53 -0400

Maybe one reason is the trend to route mission critical info over the
Internet (albeit over VPN tunnels). We'd like to say that you MUST use
private lines for really secure information, but money tends to talk in
these situations. Since a lot of networks span multiple sites, and WAN
prices don't scale well, businesses are turning to the Internet and VPNs as
a way to make their sites well-connected without the cost of a full-mesh FRS
or private-line network. Of course a well-configured VPN router will block
all traffic that does not come through the tunnel, but this is still not an 'air
gap' since you're still physically connected to the Internet. In this case,
one small config error on your firewall/VPN endpoint opens up your entire
network to the Internet.

--Karl
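The "one small config error" Karl describes is easy to check for mechanically. The script below is an added example written for this archive page, not code from either poster; it audits an iptables-save dump (the `*filter` table only) of a VPN endpoint and flags any INPUT or FORWARD rule that would accept something other than IKE, ESP or IPsec-decrypted traffic on the WAN interface, plus any non-DROP default policy. The interface name `eth0`, the two rulesets and the checking heuristics are all assumptions constructed for the example; the checker understands only the common option forms shown and is not a full model of iptables semantics.

```python
"""Audit an iptables-save ruleset for a VPN endpoint whose WAN side should
carry nothing but tunnel traffic.  Heuristic illustration, not a complete
model of iptables matching (constructed for this example)."""
import shlex

IKE_PORTS = {"500", "4500"}                  # IKE and IKE NAT-T
REPLY_STATES = {"ESTABLISHED", "RELATED"}    # stateful replies are fine
SAFE_POLICIES = {"DROP", "REJECT"}


def _parse_rule(line):
    """Turn one '-A CHAIN ...' line into a dict of option -> value."""
    tokens = shlex.split(line)
    rule = {"line": line, "chain": tokens[1], "negated": set()}
    i, negate = 2, False
    while i < len(tokens):
        tok = tokens[i]
        if tok == "!":                        # iptables-save writes '! -i eth0'
            negate, i = True, i + 1
            continue
        has_value = i + 1 < len(tokens) and not tokens[i + 1].startswith("-")
        rule[tok] = tokens[i + 1] if has_value else True
        if negate:
            rule["negated"].add(tok)
        negate, i = False, i + (2 if has_value else 1)
    return rule


def parse_filter_table(text):
    """Return (chain -> default policy, list of parsed rules) for *filter."""
    policies, rules, in_filter = {}, [], False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or line == "COMMIT":
            continue
        if line.startswith("*"):
            in_filter = line == "*filter"
        elif not in_filter:
            continue
        elif line.startswith(":"):            # ':CHAIN POLICY [pkts:bytes]'
            chain, policy = line[1:].split()[:2]
            policies[chain] = policy
        elif line.startswith("-A "):
            rules.append(_parse_rule(line))
    return policies, rules


def _is_stateful_reply(rule):
    states = rule.get("--ctstate") or rule.get("--state") or ""
    return bool(states) and set(states.split(",")) <= REPLY_STATES


def _is_tunnel_scoped(rule):
    """True if the rule matches only IKE, ESP, or IPsec-policy-decrypted packets."""
    if rule.get("--pol") == "ipsec" and "--pol" not in rule["negated"]:
        return True
    if rule.get("-p") == "esp":
        return True
    if rule.get("-p") == "udp":
        ports = rule.get("--dport") or rule.get("--dports") or ""
        return bool(ports) and set(ports.split(",")) <= IKE_PORTS
    return False


def _matches_wan(rule, wan_iface):
    iface = rule.get("-i")
    if iface is None:                         # no -i at all: every interface
        return True
    return ("-i" in rule["negated"]) != (iface == wan_iface)


def audit(ruleset_text, wan_iface):
    """Return findings; an empty list means the WAN side is tunnel-only."""
    policies, rules = parse_filter_table(ruleset_text)
    findings = []
    for chain in ("INPUT", "FORWARD"):
        policy = policies.get(chain, "ACCEPT")
        if policy not in SAFE_POLICIES:
            findings.append(f"{chain}: default policy is {policy}, expected DROP")
    for rule in rules:
        if rule["chain"] not in ("INPUT", "FORWARD") or rule.get("-j") != "ACCEPT":
            continue
        if not _matches_wan(rule, wan_iface):
            continue
        if _is_stateful_reply(rule) or _is_tunnel_scoped(rule):
            continue
        findings.append(f"{rule['chain']}: accepts non-tunnel traffic on "
                        f"{wan_iface}: {rule['line']}")
    return findings


# Constructed sample rulesets (eth0 = Internet side, eth1 = site LAN).
COMMON = """*filter
:INPUT DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -i eth0 -p udp -m multiport --dports 500,4500 -j ACCEPT
-A INPUT -i eth0 -p esp -j ACCEPT
"""
STRICT = COMMON + """:FORWARD DROP [0:0]
-A INPUT -i eth0 -m policy --dir in --pol ipsec -j ACCEPT
-A FORWARD -i eth0 -m policy --dir in --pol ipsec -j ACCEPT
-A FORWARD -i eth1 -o eth0 -m policy --dir out --pol ipsec -j ACCEPT
COMMIT
"""
# The "small config error": FORWARD left at ACCEPT, and the '-m policy' match
# omitted, so plaintext from the Internet is forwarded into the LAN.
WEAK = COMMON + """:FORWARD ACCEPT [0:0]
-A FORWARD -i eth0 -j ACCEPT
COMMIT
"""

if __name__ == "__main__":
    for name, text in (("strict", STRICT), ("weak", WEAK)):
        print(name, audit(text, "eth0") or "OK")
```

The strict ruleset produces no findings; the weak one reports the ACCEPT default on FORWARD and the un-scoped `-A FORWARD -i eth0 -j ACCEPT` rule, which is exactly the kind of line that turns a VPN endpoint into an open door. Running such a check from a change-control hook is cheap compared with the air gap Paul asks for, though it still does not give you one.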

-----Original Message-----
From: firewall-wizards-admin () honor icsalabs com
[mailto:firewall-wizards-admin () honor icsalabs com] On Behalf Of Paul D.
Robertson
Sent: Wednesday, May 05, 2004 8:25 AM
To: firewall-wizards () honor icsalabs com
Subject: [fw-wiz] Worms, Air Gaps and Responsibility

Hospitals, banks, the U.K. Coast Guard...  The damage from the latest
Microsoft-based worm isn't as widespread as that from the last one, but it's
pretty darned bad in point cases.

Why do people continue to connect critical production networks to
user/administrative networks?

Surely networking equipment is cheap enough that a real honest air gap (not
some marketingspeak switch thingie) isn't all that difficult to deploy?

Air gaps make great firewalls.  They rarely need upgrading, they're
low-power and low-heat, and they're less filling and taste great.

Worst-case, a few low-end firewalls to segment the users off from the
production stuff should be a no-brainer these days.

All the money, effort and time people are spending on IDS, IPS, and all the
other buzzword-compliant devices, and yet we still don't have good solid
separation and segmentation in places where, one would expect that the
responsibility for running a critical network would require some level of
protection to be displayed.

Paul
-----------------------------------------------------------------------------
Paul D. Robertson      "My statements in this message are personal opinions
paul () compuwar net       which may have no basis whatsoever in fact."
probertson () trusecure com Director of Risk Assessment TruSecure Corporation
_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards

