Re: Air Gap info from Whale's founder

[David Lang <david.lang () digitalinsight com>]

-----BEGIN PGP SIGNED MESSAGE-----

As you describe the e-gap, I am not seeing anything that it does that a
standard proxy based firewall doesn't also do. instead of positioning
yourself as being so much better then the packet filter variaties, can you
say why you are any better then the proxy ones?

David Lang

 On Mon, 16 Oct 2000,
Jonathan Braunhut wrote:

> Date: Mon, 16 Oct 2000 12:24:24 -0400
> From: Jonathan Braunhut <jonathan () whale-com com>
> To: firewall-wizards () nfr net
> Cc: Elad Baron <elad () whale-com com>,
>      Rebecca Steinberg Herson <rebecca () whale-com com>,
>      Glen Myers <glenm () whale-com com>
> Subject: [fw-wiz] Air Gap info from Whale's founder
>
> At 04:19 PM 10/12/00, Rick Smith wrote:
>
> > Let me also comment on the following excerpt:
>
> > > ... We are focused only on access from
> > > the outside to your applications - we do not deal with your internal
> users'
> > > traffic to/from the Internet. Your internal users will still browse out
> > > through an Internet firewall.
>
> > This is an incredibly bad approach to network security architecture. You 
> > don't put a 3 ton safe door over one entrance to the bank vault and a cheap
>
> > fire door from Home Depot over the other.
>
>
> I couldn't agree more, Rick.  In the physical world, your security is only
> as strong as your weakest entry point. Safe doors and fire doors (when
> breached) admit human traffic in both directions.  Adding a 3 ton safe door
> doesn't do a lot in the real world analogy you posit.
>
> Fortunately for all of us, network architectures can be aligned for added
> security in ways not easily replicated in the real world.  When you allow
> applications to be accessed from the outside, you MUST publish
> internet-routable IP addresses for access.  When these published addresses
> point to the external side of the e-Gap, you've provided secure access to
> the back office through a trusted data path.  With hardened firewalls for
> outbound traffic in place (with no published access points and configured
> not to listen on ANY TCP/IP   port), it becomes a great deal harder to even
> get a toehold on that cheap fire door.  And it goes without saying that
> e-Gaps and firewalls should be deployed as elements in a larger
> defense-in-depth strategy.
>
> ---------------------------------------------------------
> Jonathan S. Braunhut,           | Voice: (201)292-1505  
> Senior Applications Engineer    | Fax:   (201)947-9188
> Whale Communications            | E-Mail: jonathan () whale-com com
> Parker Plaza                    | http://www.whale-com.com/
> 400 Kelby Street, 15th floor    | 
> Fort Lee, NJ 07024              | 
>
> Note: All comments, views and opinions are mine alone.
>
>
> _______________________________________________
> firewall-wizards mailing list
> firewall-wizards () nfr net
> http://www.nfr.net/mailman/listinfo/firewall-wizards

-----BEGIN PGP SIGNATURE-----
Version: PGP 6.5.2

iQEVAwUBOeuQ+z7msCGEppcbAQErfgf/VFQOrv9n+pK1ZI1SJcJmhC6kmTWDaZyw
rLYRcti9riZmNa5BSzRRpLeVPL7b415UD4U+a1OjESwo1yITqyX+RqUX3qor8N/K
FKpB6zK8fs3JXfuzQCkepXIS4yNSWSHGxFFBO/EuIKsMppF6HkGNudjB2NtkwxJJ
/S9T4D6Fm1b9NRghiLMKaiheHVNfG4ItkkpUH4jF5nS2Yqq3E7SryfzLxpZNOfBA
kbEse2LO6W+EY7VljV1PnYqZJ3U9YKhAOFzlSEU9Nz/vnll/DO+mWzEkpbdzYnwv
xk0LLwE9RSIaCMJ7OSICu8G9ijMD22Gs7Yq+9H0TdshBoHbdL2cKXw==
=GMdG
-----END PGP SIGNATURE-----

_______________________________________________
firewall-wizards mailing list
firewall-wizards () nfr com
http://www.nfr.com/mailman/listinfo/firewall-wizards