Firewall Wizards mailing list archives

Re: Air Gap vs. firewall


From: Crispin Cowan <crispin () wirex com>
Date: Fri, 22 Sep 2000 15:23:46 -0700

a burbatsky wrote:

I am trying to get a handle on the difference between an air gap appliance
and a firewall.

In an article in Information Security magazine
(//www.infosecuritymag.com/july2000/coverstory.htm), the article defines the
following:

"A firewall is the logical disconnection of two physically connected
networks, while a gap is a physical disconnection of two logically connected
networks."

Is this semantics or is there a real difference between the two?

Yes, there's a difference:

   * air gap:  there really is no physical connection, so no data at all gets
     through.  None.  Nada.  Zippo.
   * firewall:  there is only a logical disconnect.  You are trusting the
     correctness of the logic in the firewall itself to actually prevent the
     connections it has been programmed to prevent.  You are further assuming
     that you are *safe* from the packets that you have programmed the
     firewall to admit.  Note that this assumption is dubious, at best, if
     the admitted data includes e-mail with Word attachments.

Also note that there are some firewall companies who market their
technologies as "air gap" firewalls http://www.whalecommunications.com/

They are not really the same thing as a true air gap.  Rather, this firewall
looks like this:

-----ether-------|CPU|---|SCSI Drive|---|CPU|------ether

The "outside" CPU accepts packets and places the data on a disk.  The
"inside" CPU reads the data off the disk.

This achieves pretty much the same safety as your standard application proxy
firewall, e.g. Axent Raptor:

   * both pass no packets from outside to inside
   * both re-assemble packets up to the application layer before passing data
     inside

The only difference is the use of a disk drive to pass the application data
inside.  I see little to no security value in this approach:  it just slows
things down and adds expense.

Caveat:  this is just my personal opinion from having browsed the web site.
People from Whale Comm. can probably do a better job than I can of explaining
why this is a good idea.

Oh, and regarding this article
http://www.infosecuritymag.com/july2000/coverstory.htm

It looks like crap to me.  Michael Bobbit appears to be buying into the hype
that "air gap" firewalls are actually different from application proxies.

Crispin

--
Crispin Cowan, Ph.D.
Chief Research Scientist, WireX Communications, Inc. http://wirex.com
Free Hardened Linux Distribution:                    http://immunix.org
                Olympics:  The Corruption Games




_______________________________________________
Firewall-wizards mailing list
Firewall-wizards () nfr net
http://www.nfr.net/mailman/listinfo/firewall-wizards

