Re: [fw-wiz] Securing www server w/Oracle back end.
From: Crispin Cowan (crispin@wirex.com)
Date: 04/09/03
- Previous message: Behm, Jeffrey L.: "RE: [fw-wiz] RFC3514 - Evil Bit"
- In reply to: Ben Nagy: "RE: [fw-wiz] Securing www server w/Oracle back end."
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
From: Crispin Cowan <crispin@wirex.com> To: Ben Nagy <ben@iagu.net> Date: Wed, 09 Apr 2003 13:52:03 -0700
Ben Nagy wrote:
>> No holes have to be punched through the firewall from DMZ to
>> private zone.
>
> That seems unlikely. How do these two agents talk? Either they go through
> the firewall or they bypass it using a serial connection / crossover cable,
> USB, magic elves etc. Either is equivalent, in my book.
I inferred him to be saying that no *inbound* holes were punched
(nothing outside can make a connection request to the inside) but that
(in typical NATesque fashion) inside machines can make requests out, and
the responses are allowed back in.
So at layer 4, there are no holes in the firewall. But it is a semantic
trick: if you want to compromise this system, you need only put malcode
into some buffer that the inside machine will fetch while polling from
the inside. That is more difficult than via a direct connection, but it
is not (from this description) impossible.
>> Theoretically the setup behaves like an air gap between the
>> client and the web server and is transparent to both. On
>> paper, this looks like a viable solution.
>
> I think it's the phrase "air gap" that has me riled up, in fact....
I agree: whenever I see "air gap", I know that there is *hot* air
involved. A *true* air gap is achieved with wire cutters; everything
else is an application proxy of some kind, at best. Application proxies
are *good*, but they are not magical complete solutions, and I'm much
more inclined to believe the claims when they don't make appeals to
phrases like "air gap."
Crispin
--
Crispin Cowan, Ph.D. http://wirex.com/~crispin/
Chief Scientist, WireX http://wirex.com
HP/Trend Micro Immunix Secured Solutions http://h18000.www1.hp.com/products/servers/solutions/iis/
Just say ".Nyet"

_______________________________________________
firewall-wizards mailing list
firewall-wizards@honor.icsalabs.com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
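A toy model of the argument in Crispin's reply, added here as an illustration (my code, not code from the thread or from either poster): a stateful layer-4 firewall lets only the inside agent open connections, yet whatever the untrusted client got the DMZ server to queue still arrives on the inside, so the real control is the application-layer check on each pulled job. The zone names, job format and `whitelist_lookup` check are assumptions.

```python
"""Constructed model: DMZ web tier, inside polling agent, stateful firewall."""
from dataclasses import dataclass, field

INSIDE, DMZ = "inside", "dmz"   # assumed zone names


@dataclass
class StatefulFirewall:
    """No inbound holes at layer 4: only inside -> DMZ may initiate,
    and replies are admitted only on a flow the inside opened."""
    established: set = field(default_factory=set)

    def connect(self, src, dst):
        if src != INSIDE:
            return False                      # DMZ-initiated SYN dropped
        self.established.add((src, dst))
        return True

    def reply(self, src, dst):
        return (dst, src) in self.established # reply on an inside-opened flow


@dataclass
class DmzServer:
    """Web tier: queues whatever the (untrusted) client submitted."""
    queue: list = field(default_factory=list)

    def enqueue_from_client(self, request):
        self.queue.append(request)

    def next_job(self):
        return self.queue.pop(0) if self.queue else None


def poll_once(fw, dmz, validator):
    """Inside agent pulls one job over an outbound connection.
    Returns the job if the application-layer validator accepts it,
    None if nothing was queued or the job was rejected."""
    assert fw.connect(INSIDE, DMZ)           # outbound: always allowed
    job = dmz.next_job()
    if job is None or not fw.reply(DMZ, INSIDE):
        return None
    return job if validator(job) else None   # the check that actually matters


def whitelist_lookup(job):
    """Assumed app-layer check: only a fixed query shape with a numeric id."""
    return job.get("op") == "lookup" and str(job.get("id", "")).isdigit()
```

Run `poll_once` with `validator=lambda j: True` to see the layer-4 rules alone pass any queued job through; with `whitelist_lookup` only the expected query shape reaches the inside.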