I mentioned before (on the firewalls list) that I received out-of-band mail from Whale; I just got permission to forward it publicly. Here goes: (2 pieces of email)

---------8<-------------
From: "Elad Baron" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Subject: RE: Re: Air Gap?
Date: Thu, 11 Nov 1999 15:43:42 -0500

Hi,

Please feel free to post my previous response to you (I am not on the list directly).

You are absolutely right that it is not a point-and-shoot magic bullet solution that fixes all. We are talking about vertical solutions to specific problems. We are not a general purpose FW. Once you limit the scope of the problem, you can provide a better and safer solution, and avoid terrible consequences of misconfigurations.

Regards,
Elad

------------8<---------------
From: "Elad Baron" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Subject: RE: [Fwd: Fwd: Re: Air Gap?]
Date: Wed, 10 Nov 1999 21:51:00 -0500

All,

My name is Elad Baron and I'm the CTO of Whale Communications. I'd like to clear up some of the confusion you have raised.

The e-Gap system consists of two hosts. One is typically connected to the DMZ and one is connected to the back office network. Yes - each one of the hosts is standard, running a standard OS and TCP/IP stack so it can communicate with its own network in a standard fashion. The point is that the transport between the two hosts is not TCP/IP based, is not built over an operating system, and keeps the two networks electronically disconnected at all times. It is proprietary hardware which consists of a SCSI switch and a SCSI based memory device. The switch connects the memory device to one host while disconnecting it from the other host (using analog switches on all SCSI wires). The two hosts never share the device at the same time. The switch toggles the memory device between the two hosts, and the software on these hosts utilizes this memory as a carrier for the transactions.

Our assumption is that any host which is connected to the Internet can and will be hacked, so we assume that even our own external e-Gap host is taken over. Even if that happens, the hacker can not penetrate to the inside network, since the e-Gap switch does not have any programmable elements and hence can not be taken over (it is stateless). The data that is passed is not TCP/IP packets. We are passing only application level data.

Most important, we inspect the data on the internal host. Unlike a firewall/proxy, where if the firewall/proxy server is taken over the content inspection can be bypassed (it's only done by software) - we can guarantee that all data will be inspected since it's done an "Air gap away" from the hacker. True - we can not assure that a certain datum is "good" or "bad" - but we can guarantee it will be inspected the way you wanted, and that nothing else will piggyback on this secure path.

For example, in the file shuttle, we pass complete files from the external host to the internal host. In the internal host, we check that these files are digitally signed correctly to authenticate them. The encryption key is stored on the internal host, unreachable from the outside.

With the URL shuttle, we pass HTTPS data, decrypt it on the internal host, check the validity of the URLs, check if these URLs are part of the internal application, add authentication (e.g., call RADIUS) and eventually emulate a browser to call the real web server which resides on the internal network. The IP address of the real web server, as well as the corporate certificate and its private key, are all kept safely on the trusted network.

With regard to your question about the difference from a proxy server - one difference relies on the fact that we went one step further and separated the security into two physical hosts. This allows us to put one in the "outside" network and one in the "internal" network, and have all the sensitive information and work done on the trusted side. With a proxy server you still have the issue of where to place it - if you place it in the internal network you must open your firewall to direct TCP/IP connections from the Internet to your internal network. If you place it on the DMZ, you must open your firewall from the DMZ to the back office, and place sensitive information such as your private key and authentication DB on the dangerous DMZ.

Another feature of the e-Gap switch is a "one way" mode, used for highly secured environments, where data can not flow in the undesired direction. This allows data upload to classified networks w/o risking a leakage of sensitive information.

I hope that made things a little bit clearer. Feel free to ask me any questions you may still have.

Regards,
Elad
---------------8<--------------

--
Mikael Olsson, EnterNet Sweden AB, Box 393, S-891 28 ÖRNSKÖLDSVIK
Phone: +46 (0)660 105 50 Fax: +46 (0)660 122 50 Mobile: +46 (0)70 248 00 33
WWW: http://www.enternet.se E-mail: [EMAIL PROTECTED]
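To make the transfer model in Elad's description concrete, here is a small Python simulation added to this post; it is not Whale's code and not part of the original thread. It models the memory device as a buffer that is attached to exactly one host at a time, the switch as a stateless toggle, the file shuttle as "external writes, switch toggles, internal reads and inspects", and the one-way mode as a switch that refuses writes from the protected side. HMAC-SHA256 with a key held only by the internal host stands in for the "digital signature" mentioned in the mail (an assumption; the real product's signature scheme is not described), and the `one_way_from` parameter, host names and sample file are all constructed for the example.

```python
import hashlib
import hmac

EXTERNAL, INTERNAL = "external", "internal"


class MemoryDevice:
    """Stand-in for the SCSI memory device: one buffer, attached to exactly one host."""

    def __init__(self):
        self.data = b""
        self.attached_to = EXTERNAL


class Switch:
    """Stand-in for the e-Gap switch. It only knows which side the device is attached
    to and (hypothetical one_way_from) the single side allowed to write, if any."""

    def __init__(self, one_way_from=None):
        self.device = MemoryDevice()
        self.one_way_from = one_way_from

    def toggle(self):
        dev = self.device
        dev.attached_to = INTERNAL if dev.attached_to == EXTERNAL else EXTERNAL


class Host:
    """A host can only touch the device while it is attached to that host's side."""

    def __init__(self, side, switch):
        self.side = side
        self.switch = switch

    def _device(self):
        dev = self.switch.device
        if dev.attached_to != self.side:
            raise PermissionError(f"{self.side}: device is attached to the other side")
        return dev

    def write(self, payload):
        if self.switch.one_way_from not in (None, self.side):
            raise PermissionError(f"{self.side}: one-way mode blocks writes from this side")
        self._device().data = payload

    def read(self):
        dev = self._device()
        data, dev.data = dev.data, b""
        return data


SEP = b"\n--sig:"


def sign_file(contents, key):
    """Trusted author signs the file before it ever reaches the external host.
    HMAC-SHA256 stands in for the mail's 'digital signature' (assumption)."""
    return contents + SEP + hmac.new(key, contents, hashlib.sha256).hexdigest().encode()


def inspect_on_internal(blob, key):
    """Runs on the internal host with the key the external host never sees.
    Returns the file body, or None if the signature is missing or wrong."""
    body, sep, sig = blob.rpartition(SEP)
    if not sep:
        return None
    expected = hmac.new(key, body, hashlib.sha256).hexdigest().encode()
    return body if hmac.compare_digest(sig, expected) else None


def file_shuttle(switch, external, internal, blob, key):
    """One transaction: external writes, switch toggles, internal reads and inspects."""
    external.write(blob)
    switch.toggle()
    accepted = inspect_on_internal(internal.read(), key)
    switch.toggle()
    return accepted


def demo():
    key = b"constructed-internal-only-key"  # constructed; lives on the internal host only
    switch = Switch()
    ext, internal = Host(EXTERNAL, switch), Host(INTERNAL, switch)
    good = sign_file(b"quarterly.csv contents", key)  # constructed sample file

    results = {"genuine": file_shuttle(switch, ext, internal, good, key)}
    # A compromised external host alters the body in transit: rejected on the inside.
    tampered = good.replace(b"quarterly", b"altered")
    results["tampered"] = file_shuttle(switch, ext, internal, tampered, key)
    # The two hosts never hold the device at the same time.
    ext.write(b"x")
    switch.toggle()
    try:
        ext.write(b"again")
        results["shared"] = True
    except PermissionError:
        results["shared"] = False
    internal.read()
    switch.toggle()
    # One-way mode: data may enter the protected side but never leave it.
    one_way = Switch(one_way_from=EXTERNAL)
    one_way.toggle()
    try:
        Host(INTERNAL, one_way).write(b"secret")
        results["leak"] = True
    except PermissionError:
        results["leak"] = False
    return results


if __name__ == "__main__":
    print(demo())
```

The point the simulation makes is the one in the mail: the external host only relays bytes, so a takeover there can corrupt or drop a file but cannot make the internal side accept an unsigned one, because verification and the key both live behind the toggle.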
