Right. I just got a message from a Whale Communications spokesperson
that I won't quote anything from since it was sent directly to me.

Basically, it seems that my initial thoughts hold true.

It is a little bit more complex though, since there are several
products in the range.

Note: I'm in no way saying that the e-gap is a bad product
in comparison to application level filtering firewalls, I'm just saying
that the added security benefits in comparison to a normal ALG might
not be.... A whole lot.
You get a little extra protection since it's not very likely that the 
inner e-gap component is compromised, yes, but not a whole lot when 
it comes down to data driven attacks.

After all, how often are networks compromised as a result of the
firewall being compromised? Isn't it more often the case that a
server _behind_ the firewall is compromised directly?

The one product in the range I'm thinking of in particular is 
the "web shuttle" product, which basically tunnels HTTP data 
over the shuttle. (No, there's no TCP/IP involved.)

YES, it apparently does protocol analysis of the HTTP data like 
any well behaved application filter should. It's also capable of
authenticating the requests using RADIUS, which is a handy feature.

However, as I said earlier, this does not protect poorly written 
applications/CGIs/scripts that the e-gap doesn't know about. In 
other words, it is only as good as you configure it to be, which 
is no news in this business :-)

The only real reason I keep rambling is that I wouldn't want people
to think that this is the point-and-shoot magic bullet solution
that fixes all. 

The web shuttle should be evaluated on its application filtering 
merits like other products. I'm not in a position to do this now 
since I don't know enough about it.

Also, products like the "file shuttle" may prove to be very 
interesting. This is something I could probably use somewhere 
and feel confident about. The web shuttle on the other hand...
Uhm... 'nuf said :-)

Zzzzz.. Sorry if I'm making even less sense than I usually do.
It's 5:40 in the morning here, and I didn't wake up early
if you get my drift... Time to hit the sack.

Regards,
Mikael


Mikael Olsson wrote:
> 
> (This is a repost from a message I just posted to [EMAIL PROTECTED])
> 
> (Disclaimer: This is based on a quick cursory reading of their
>  website content, I might be way off here)
> 
> The way I see it, Whale Communications have simply separated the
> two halves of an application level gateway (or "transparent proxy")
> by storing the application level data on a SCSI device
> that both halves have access to via separate SCSI cables.
> 
> This should indeed guard against any and all TCP/IP level attacks,
> and hopefully guard against the inner half being compromised as
> a result of the outer one being compromised. The latter depends
> on how well written their code is (I'm thinking buffer overruns
> in their "packets" that get passed from the outer half to the
> inner half.)
> 
> What it DOES NOT automatically guard against is, for instance,
> viruses transmitted by email (in the case of the email gateway)
> or poorly written CGIs on internal web servers (in the case
> of the HTTP gateway)
> 
> I'd imagine the old use-phf-to-show-the-passwd-file vulnerability
> will work just fine through the e-gap unless it explicitly knows
> about it and blocks it. All other scripting problems probably
> apply as well.
> Basic point:
> If you put format.exe in your IIS /scripts directory and let
> outside people access it, through an e-gap or not, you're toast.
> (NO I do NOT want wise ass comments saying "No it won't you have
> to pass arguments to it".. Bleurghl. You're missing the point.)
> 
> IMNSHO, this makes e-gap just about as effective as your basic
> proxy firewall, albeit with the added protection that complete
> firewall compromise (outer AND inner half) is not as likely as
> with normal firewalls. (Still feasible though).
> 
> /Mike
> 

-- 
Mikael Olsson, EnterNet Sweden AB, Box 393, S-891 28 ÖRNSKÖLDSVIK
Phone: +46-(0)660-105 50           Fax: +46-(0)660-122 50
Mobile: +46-(0)70-248 00 33
WWW: http://www.enternet.se        E-mail: [EMAIL PROTECTED]
-
[To unsubscribe, send mail to [EMAIL PROTECTED] with
"unsubscribe firewalls" in the body of the message.]
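
Added example (not part of the original message, and not Whale Communications' code): a sketch of the gap between HTTP protocol analysis alone and a gateway that has been told which applications it fronts. The policy table, paths and parameter names are constructed assumptions; only the script name phf comes from the message.

```python
import re
from urllib.parse import parse_qsl

# Syntax only: method, origin-form target of printable ASCII, HTTP/1.x.
REQUEST_LINE = re.compile(r"(GET|HEAD|POST) (/[\x21-\x7e]*) HTTP/1\.[01]")

# Constructed policy (assumption): published paths, and for each the
# parameters it accepts with the pattern a decoded value must fully match.
ALLOWED = {
    "/index.html": {},
    "/cgi-bin/search": {"q": re.compile(r"[A-Za-z0-9 ]{1,64}")},
}

def protocol_ok(request_line):
    """Protocol analysis alone: is the request line well-formed?"""
    return REQUEST_LINE.fullmatch(request_line) is not None

def policy_ok(request_line):
    """Well-formed, and a published path carrying only expected parameters."""
    m = REQUEST_LINE.fullmatch(request_line)
    if m is None:
        return False
    # Compare the raw path: encoded or doubled-slash spellings fail closed.
    path, _, query = m.group(2).partition("?")
    params = ALLOWED.get(path)
    if params is None:
        return False  # a script the gateway was never told about
    seen = set()
    for name, value in parse_qsl(query, keep_blank_values=True):
        pattern = params.get(name)
        if pattern is None or name in seen or not pattern.fullmatch(value):
            return False
        seen.add(name)
    return True

# Constructed sample request lines, not captured traffic.
SAMPLES = [
    "GET /index.html HTTP/1.0",
    "GET /cgi-bin/search?q=air+gap HTTP/1.0",
    "GET /cgi-bin/phf?name=value HTTP/1.0",
    "GET /cgi-bin/search?q=a%2Fb HTTP/1.0",
    "GET /cgi-bin/search?q=x&debug=1 HTTP/1.0",
    "GET index.html",
]

if __name__ == "__main__":
    for line in SAMPLES:
        print(f"{protocol_ok(line)!s:5} {policy_ok(line)!s:5} {line}")
```

The first five samples all pass the syntax check; only the first two pass the policy check, because the rest name an unlisted script, an unexpected value or an unexpected parameter.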
