Firewall Wizards mailing list archives
RE: Worms, Air Gaps and Responsibility
From: "Karl Mueller" <karlm () acshelp com>
Date: Wed, 5 May 2004 10:06:53 -0400
Maybe one reason is the trend to route mission critical info over the Internet (albeit over VPN tunnels). We'd like to say that you MUST use private lines for really secure information, but money tends to talk in these situations. Since a lot of networks span multiple sites, and WAN prices don't scale well, businesses are turning to the Internet and VPNs as a way to make their sites well-connected without the cost of a full-mesh FRS or private-line network.

Of course a well-configured VPN router will block all traffic that does not come through the tunnel, but this is still not an 'air gap' since you're still physically connected to the Internet. In this case, one small config error on your firewall/VPN endpoint opens up your entire network to the Internet.

--Karl

-----Original Message-----
From: firewall-wizards-admin () honor icsalabs com [mailto:firewall-wizards-admin () honor icsalabs com] On Behalf Of Paul D. Robertson
Sent: Wednesday, May 05, 2004 8:25 AM
To: firewall-wizards () honor icsalabs com
Subject: [fw-wiz] Worms, Air Gaps and Responsibility

Hospitals, banks, the U.K. Coast Guard... The damage from the latest Microsoft-based worm isn't as widespread as that from the last one, but it's pretty darned bad in point cases.

Why do people continue to connect critical production networks to user/administrative networks? Surely networking equipment is cheap enough that a real honest air gap (not some marketingspeak switch thingie) isn't all that difficult to deploy? Air gaps make great firewalls. They rarely need upgrading, they're low-power and low-heat, and they're less filling and taste great. Worst-case, a few low-end firewalls to segment the users off from the production stuff should be a no-brainer these days.

All the money, effort and time people are spending on IDS, IPS, and all the other buzzword-compliant devices, and yet we still don't have good solid separation and segmentation in places where, one would expect that the responsibility for running a critical network would require some level of protection to be displayed.

Paul
-----------------------------------------------------------------------------
Paul D. Robertson
"My statements in this message are personal opinions which may have no basis whatsoever in fact."
paul () compuwar net
probertson () trusecure com
Director of Risk Assessment
TruSecure Corporation
_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards