Firewall Wizards mailing list archives
Re: Re: Anti-Defacement Products...
From: Mikael Olsson <mikael.olsson () enternet se>
Date: Wed, 10 May 2000 11:21:34 +0200
...sorry for my late follow-up... I hope it may provide some insight. Jonathan Squire wrote:
The eGap is a hardware device that physically disconnects your external server from the inside network; it does not pass network protocols at all, rather it just passes the transaction data (the URL) through to an inside box that serves the request. If the external box is compromised, the sensitive material (your web pages) is not exposed to modification, as the external machine does not contain the content.
This product was subject to a fair amount of scrutiny on the firewalls mailing list a while ago. The basic opinion was that for web servers, the eGap URL shuttle won't do much more for you than a basic firewall will do.

The greatest dangers in web servers are with port 80, or, more specifically, the processing of URLs. Since the eGap URL shuttle, by definition, has to pass the URLs to the web server, you aren't really that "separated" from the dangers at hand as the marketing drones would have you think. For instance, the RDS bug that is the source of most NT defacements the past 6 months or so would work just fine through the eGap, unless it is configured to block the specific RDS-related URLs. All other kinds of SQL fun (inserting escape chars in posted forms and querystrings, etc.) work just as well, and it won't provide any (added) protection against script engine weaknesses and their ilk.

That said, according to the Whale Comms people, it is possible to inspect URLs and drop "known bad" ones. However, this is also possible in most proxy-like firewalls, and it is reactive defense (add a filter when the exploit is public) rather than proactive (prevent all future weaknesses no matter their nature).

DISCLAIMER 1: I have not used nor evaluated the eGap, but the above facts have been discussed several times over on the firewalls list, and the Whale sales reps could not refute them. If you think that network layer separation buys you a lot of protection, by all means, buy the product. If you think that the dangers lie in the processing of URLs themselves (as I do)... Well :-)

DISCLAIMER 2: Whale Communications also have other eGap products for other specific tasks. I have no opinion whatsoever about them. For all I know, they may be great products. I have only discussed the URL shuttle in this e-mail.

Regards,
/Mikael
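As an added illustration of the argument above (an example written for this archive page, not code from the thread or from Whale's product), here is a toy Python model of a URL shuttle: nothing network-level crosses, only the URL, so a reactive blocklist of "known bad" signatures is compared with a proactive allowlist of published paths, and the query string reaches the inside server under either policy. The signature patterns, site paths and sample URLs are constructed placeholders.

```python
import re
from urllib.parse import urlsplit, unquote

# Constructed placeholders standing in for "known bad" URL signatures
# (reactive: each one exists only because some exploit is already public).
KNOWN_BAD = [re.compile(p, re.IGNORECASE) for p in (
    r"^/cgi-bin/known-bad-script(\?|$)",
    r"^/scripts/old-sample\.dll(\?|$)",
)]

# Paths a hypothetical site actually publishes (proactive, positive policy).
PUBLISHED_PATHS = {"/", "/index.html", "/products.html", "/search"}


def relay(url: str) -> dict:
    """What crosses the shuttle: the decoded path and query, nothing else."""
    parts = urlsplit(url)
    return {"path": unquote(parts.path), "query": unquote(parts.query)}


def blocklist_policy(url: str) -> bool:
    """Reactive: pass unless the request matches an already-known signature."""
    req = relay(url)
    target = req["path"] + ("?" + req["query"] if req["query"] else "")
    return not any(sig.search(target) for sig in KNOWN_BAD)


def allowlist_policy(url: str) -> bool:
    """Proactive on paths: pass only published resources; the query still goes through."""
    return relay(url)["path"] in PUBLISHED_PATHS


def evaluate(url: str) -> dict:
    """Summarise each policy's verdict and what the inside server would still see."""
    return {
        "blocklist_passes": blocklist_policy(url),
        "allowlist_passes": allowlist_policy(url),
        "server_sees": relay(url),
    }


if __name__ == "__main__":
    for u in (
        "http://www.example.com/index.html",
        "http://www.example.com/cgi-bin/known-bad-script?cmd=x",      # signature exists
        "http://www.example.com/cgi-bin/not-yet-known-script?cmd=x",  # no signature yet
        "http://www.example.com/search?q=O%27Brien",                  # escape char in query
    ):
        print(u, evaluate(u))
```

The third URL is the reactive gap the post describes: it passes the blocklist until someone writes a signature for it, while the fourth shows that even an allowlisted path hands its decoded query string, apostrophe and all, to the inside server for processing.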
Current thread:
- RE: Re: Anti-Defacement Products... Jonathan Squire (May 05)
- Re: Re: Anti-Defacement Products... Mikael Olsson (May 12)
- <Possible follow-ups>
- RE: Re: Anti-Defacement Products... Predrag Zivic (May 19)
