Re: Air gap technologies

[Paul Cardon <paul () moquijo com>]

Avi Rubin wrote:

[SNIP]

> I was impressed with the GUI admin
> interface for defining what is and what is not legal input to a CGI
> script, dependent on the web page. Also, the internal server is not
> addressable from the outside, so it is harder for an attacker to exploit
> O/S bugs. This can all be done with other means, but the Air Gap makes
> it *easy*. This is important for security, because it makes the admins
> job easier, and thus they are more likely to get it right.
>
> On the internal side, the product does the usual content inspection and
> checking that any proxy firewall can do, and they are no less resistant
> to application level attacks than the next guy. However, to me it seems
> like a real added benefit is that only application level data can flow
> to the internal network. There is no direct TCP connection and no direct
> IP connectivity to the protected net. This eliminates all sorts of
> attacks. The external machine is totally untrusted, but attacks against
> it amount to denial of service, not compromise of any internal machines.
> Recovery is straightforward.

A good summary of the positive aspects of the product but they have all
been acknowledged in previous threads.

> In summary, I think that the air gap is a very useful platform for
> providing web service because it reduces the amount of effort and
> training needed to secure a site.

Well, I agree to a certain extent.  There are two areas where it doesn't
really reduce training or effort.

First, being able to specify valid CGI input is a non-trivial task.  If
you understand it well enough to do it right at an intermediate device
then you understand it well enough to make the CGI resistant to
malicious input in the first place.  The work is the same either way. 
Of course, if all you have is an executable from a third party and no
source then it could be beneficial.  But then you run such software at
your own risk anyway.

Second, an administrator still needs to ensure that known
vulnerabilities in the HTTP server software itself are kept up with.  In
the case of IIS this still takes quite a bit of effort and the web
server can still be easily compromised if the admin doesn't patch the
server.  The IIS unicode vulnerability when first released worked just
fine through the AirGap products.  Hopefully, they are using their
content inspection capability to prevent it now, but the next time a
similar problem is discovered there will be a window of opportunity
where AirGap provides the same level of protection as any other firewall
... none.  Administrators need to remember that and not get too
comfortable.

-paul
_______________________________________________
firewall-wizards mailing list
firewall-wizards () nfr com
http://www.nfr.com/mailman/listinfo/firewall-wizards