At 11:55 AM 11/10/99 +0100, Mikael Olsson wrote:
>(Disclaimer: This is based on a quick cursory reading of their
> website content, I might be way off here)
It's okay... it is the Internet. Most postings start with the words, "I am
not an expert, but ..." :-)
>The way I see it, Whale Communications have simply separated the
>two halves of an application level gateway (or "transparent proxy")
>by storing the application level data on a SCSI device
>that both halves have access to via separate SCSI cables.
No, it is not "simply" that. It is more. But then you did just a quick,
cursory reading of their web site. :-)
>This should indeed guard against any and all TCP/IP level attacks,
>and hopefully guard against the inner half being compromised as
>a result of the outer one being compromised. The latter depends
>on how well written their code is (I'm thinking buffer overruns
>in their "packets" that get passed from the outer half to the
>inner half.)
It also specifically allows no network path at all between the networks,
and is implemented on a simple device that has no OS to speak of... No, it
is NOT Linux!
>What it DOES NOT automatically guard against is, for instance,
>viruses transmitted by email (in the case of the email gateway)
>or poorly written CGIs on internal web servers (in the case
>of the HTTP gateway)
Right, and neither does a firewall. You can, however, scan for such things.
I believe one of their packaged solutions does this. A more than cursory
scan might show that.
>IMNSHO, this makes e-gap just about as effective as your basic
>proxy firewall, albeit with the added protection that complete
>firewall compromise (outer AND inner half) is not as likely as
>with normal firewalls. (Still feasible though).
Mike, your opinion, H or NSH, is based on what you called "a quick cursory
reading" and you admitted you "might be way off here," yet you've come up
with conclusions.
It is not meant to be a replacement for a firewall. I would NOT connect my
back office machines to the Internet, firewall or not, if I could avoid it
because I could always trace a path to the back office. This provides an
alternative.
Anyway, it sounds like I'm defending someone I've already admitted has paid
me money, so my arguing is suspect, no doubt. What I want to do is defend
what I think is a cool technology that might be useful for some and bears
more than a skim if one wants to decide on whether it is real and useful
and wants to debate the merits of the approach. Read the site (if you are
really interested), look at the case studies of real deployments, and then
reject it or accept it with a much lower risk of being "way off." I'd be
interested in your opinion of it.
Fred
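The split the thread describes (an outer half leaving application-level records on shared storage, an inner half reading them, and Mikael's worry about buffer overruns in the "packets" handed across) can be shown in code. What follows is an added example written for this page; it is not Whale Communications' code and not something either poster supplied. The four-byte length-prefixed record format, the 256-byte receive buffer, the text-only payload rule and all sample records are assumptions made for illustration, and the shared SCSI device is modelled as a plain byte array.

```c
/* Added illustration, not Whale Communications' code: the inner half of a
 * split application gateway reading records the outer half has left on a
 * shared medium (modelled here as a byte array). Assumed record format:
 * 4-byte big-endian length, then the payload. All constants are assumptions. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define GAP_MAX_PAYLOAD 256            /* inner half's fixed receive buffer */

enum gap_status { GAP_OK = 0, GAP_TRUNCATED, GAP_TOO_LONG, GAP_BAD_BYTE, GAP_EMPTY };

struct gap_record {
    uint8_t payload[GAP_MAX_PAYLOAD + 1];  /* +1 so it can be NUL-terminated */
    size_t  len;
};

static uint32_t gap_be32(const uint8_t *p)
{
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8)  |  (uint32_t)p[3];
}

/* The reader the thread worries about: it trusts the length the outer half
 * wrote. A compromised outer half can set len > GAP_MAX_PAYLOAD and overrun
 * the inner half's buffer. Shown only for contrast; never use it on data
 * from the other side of the gap. */
static void gap_read_unchecked(const uint8_t *buf, struct gap_record *out)
{
    uint32_t len = gap_be32(buf);
    memcpy(out->payload, buf + 4, len);   /* no bound on len */
    out->len = len;
}

/* Hardened reader: every field the outer half controls is checked against
 * what the inner half actually has and will accept before any copy. */
static enum gap_status gap_read_checked(const uint8_t *buf, size_t avail,
                                        struct gap_record *out, size_t *consumed)
{
    if (avail < 4)
        return GAP_TRUNCATED;                /* not even a whole header */
    uint32_t len = gap_be32(buf);
    if (len == 0)
        return GAP_EMPTY;
    if (len > GAP_MAX_PAYLOAD)
        return GAP_TOO_LONG;                 /* the check the unchecked reader lacks */
    if (len > avail - 4)
        return GAP_TRUNCATED;                /* header claims more than was written */
    for (uint32_t i = 0; i < len; i++) {    /* application-level rule: text only */
        uint8_t c = buf[4 + i];
        if (c > 0x7e || (c < 0x20 && c != '\t' && c != '\r' && c != '\n'))
            return GAP_BAD_BYTE;
    }
    memcpy(out->payload, buf + 4, len);
    out->payload[len] = '\0';
    out->len = len;
    *consumed = 4 + len;
    return GAP_OK;
}

/* Verdict only, for callers that do not need the payload. */
int gap_verdict(const uint8_t *buf, size_t avail)
{
    struct gap_record r;
    size_t used;
    return (int)gap_read_checked(buf, avail, &r, &used);
}

/* Walk a shuttle buffer and count the records accepted before the first
 * rejected one; the inner half stops there rather than guessing a resync. */
size_t gap_count_records(const uint8_t *shuttle, size_t n)
{
    struct gap_record r;
    size_t off = 0, count = 0, used;
    while (off < n) {
        if (gap_read_checked(shuttle + off, n - off, &r, &used) != GAP_OK)
            break;
        off += used;
        count++;
    }
    return count;
}

/* Constructed sample records (not captured from any real device). */
const uint8_t SAMPLE_GOOD[]      = {0, 0, 0, 5, 'H', 'E', 'L', 'O', '\n'};
const uint8_t SAMPLE_OVERSIZED[] = {0, 0, 0x03, 0xE8, 'x'};       /* claims 1000 bytes */
const uint8_t SAMPLE_LYING[]     = {0, 0, 0, 10, 'a', 'b', 'c'};  /* claims 10, holds 3 */
const uint8_t SAMPLE_BINARY[]    = {0, 0, 0, 3, 'o', 0x01, 'k'};  /* control byte inside */
const uint8_t SAMPLE_SHUTTLE[]   = {0, 0, 0, 5, 'H', 'E', 'L', 'O', '\n',
                                    0, 0, 0, 5, 'Q', 'U', 'I', 'T', '\n',
                                    0, 0, 0x03, 0xE8, 'x'};

int main(void)
{
    struct gap_record r;
    gap_read_unchecked(SAMPLE_GOOD, &r);   /* safe only because this record is benign */
    printf("unchecked read of benign record: %zu bytes\n", r.len);
    printf("good=%d oversized=%d lying=%d binary=%d\n",
           gap_verdict(SAMPLE_GOOD, sizeof SAMPLE_GOOD),
           gap_verdict(SAMPLE_OVERSIZED, sizeof SAMPLE_OVERSIZED),
           gap_verdict(SAMPLE_LYING, sizeof SAMPLE_LYING),
           gap_verdict(SAMPLE_BINARY, sizeof SAMPLE_BINARY));
    printf("records accepted from shuttle: %zu\n",
           gap_count_records(SAMPLE_SHUTTLE, sizeof SAMPLE_SHUTTLE));
    return 0;
}
```

The point of the hardened reader is that the inner half treats the length field as attacker-controlled even though it arrived over a SCSI cable rather than a network: the bound against the receive buffer, the bound against the bytes actually present, and the application-level byte rule are what keep a compromised outer half from turning the shared device into a path to the inner one.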
-
[To unsubscribe, send mail to [EMAIL PROTECTED] with
"unsubscribe firewalls" in the body of the message.]