Firewall Wizards mailing list archives
Re: Air Gap info from Whale's founder
From: David Lang <david.lang () digitalinsight com>
Date: Mon, 16 Oct 2000 16:36:24 -0700 (PDT)
As you describe the e-gap, I am not seeing anything that it does that a standard proxy-based firewall doesn't also do.

Instead of positioning yourself as being so much better than the packet filter varieties, can you say why you are any better than the proxy ones?

David Lang

On Mon, 16 Oct 2000, Jonathan Braunhut wrote:

Date: Mon, 16 Oct 2000 12:24:24 -0400
From: Jonathan Braunhut <jonathan () whale-com com>
To: firewall-wizards () nfr net
Cc: Elad Baron <elad () whale-com com>, Rebecca Steinberg Herson <rebecca () whale-com com>, Glen Myers <glenm () whale-com com>
Subject: [fw-wiz] Air Gap info from Whale's founder

At 04:19 PM 10/12/00, Rick Smith wrote:

> Let me also comment on the following excerpt:
>
> > ... We are focused only on access from the outside to your applications - we do not deal with your internal users' traffic to/from the Internet. Your internal users will still browse out through an Internet firewall.
>
> This is an incredibly bad approach to network security architecture. You don't put a 3 ton safe door over one entrance to the bank vault and a cheap fire door from Home Depot over the other.

I couldn't agree more, Rick. In the physical world, your security is only as strong as your weakest entry point. Safe doors and fire doors (when breached) admit human traffic in both directions. Adding a 3 ton safe door doesn't do a lot in the real world analogy you posit.

Fortunately for all of us, network architectures can be aligned for added security in ways not easily replicated in the real world. When you allow applications to be accessed from the outside, you MUST publish internet-routable IP addresses for access. When these published addresses point to the external side of the e-Gap, you've provided secure access to the back office through a trusted data path. With hardened firewalls for outbound traffic in place (with no published access points and configured not to listen on ANY TCP/IP port), it becomes a great deal harder to even get a toehold on that cheap fire door.

And it goes without saying that e-Gaps and firewalls should be deployed as elements in a larger defense-in-depth strategy.

---------------------------------------------------------
Jonathan S. Braunhut,        | Voice: (201)292-1505
Senior Applications Engineer | Fax: (201)947-9188
Whale Communications         | E-Mail: jonathan () whale-com com
Parker Plaza                 | http://www.whale-com.com/
400 Kelby Street, 15th floor |
Fort Lee, NJ 07024           |

Note: All comments, views and opinions are mine alone.

_______________________________________________
firewall-wizards mailing list
firewall-wizards () nfr net
http://www.nfr.net/mailman/listinfo/firewall-wizards
Current thread:
- Air Gap info from Whale's founder Jonathan Braunhut (Oct 16)
- Re: Air Gap info from Whale's founder David Lang (Oct 18)
- <Possible follow-ups>
- Re: Air Gap info from Whale's founder Jeffery . Gieser (Oct 19)