RE: [fw-wiz] Worms, Air Gaps and Responsibility

From: Karl Mueller (karlm_at_acshelp.com)
Date: 05/05/04

    To: "'Paul D. Robertson'" <paul@compuwar.net>
    Date: Wed, 5 May 2004 10:06:53 -0400
    
    

    Maybe one reason is the trend to route mission critical info over the
    Internet (albeit over VPN tunnels). We'd like to say that you MUST use
    private lines for really secure information, but money tends to talk in
    these situations. Since a lot of networks span multiple sites, and WAN
    prices don't scale well, businesses are turning to the Internet and VPNs as
    a way to make their sites well-connected without the cost of a full-mesh FRS
    or private-line network. Of course, a well-configured VPN router will block
    all traffic that does not come through the tunnel, but this is still not an
    'air gap' since you're still physically connected to the Internet. In this
    case, one small config error on your firewall/VPN endpoint opens up your
    entire network to the Internet.

    --Karl

    -----Original Message-----
    From: firewall-wizards-admin@honor.icsalabs.com
    [mailto:firewall-wizards-admin@honor.icsalabs.com] On Behalf Of Paul D.
    Robertson
    Sent: Wednesday, May 05, 2004 8:25 AM
    To: firewall-wizards@honor.icsalabs.com
    Subject: [fw-wiz] Worms, Air Gaps and Responsibility

    Hospitals, banks, the U.K. Coast Guard... The damage from the latest
    Microsoft-based worm isn't as widespread as that from the last one, but it's
    pretty darned bad in point cases.

    Why do people continue to connect critical production networks to
    user/administrative networks?

    Surely networking equipment is cheap enough that a real honest air gap (not
    some marketingspeak switch thingie) isn't all that difficult to deploy?

    Air gaps make great firewalls. They rarely need upgrading, they're
    low-power and low-heat, and they're less filling and taste great.

    Worst-case, a few low-end firewalls to segment the users off from the
    production stuff should be a no-brainer these days.

    All the money, effort and time people are spending on IDS, IPS, and all the
    other buzzword-compliant devices, and yet we still don't have good solid
    separation and segmentation in places where one would expect that the
    responsibility for running a critical network would require some level of
    protection to be displayed.

    Paul
    -----------------------------------------------------------------------------
    Paul D. Robertson "My statements in this message are personal opinions
    paul@compuwar.net which may have no basis whatsoever in fact."
    probertson@trusecure.com Director of Risk Assessment TruSecure Corporation
    _______________________________________________
    firewall-wizards mailing list
    firewall-wizards@honor.icsalabs.com
    http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
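Karl's point above, that a VPN endpoint is only as good as its last rule, as an added example that is not part of the thread: a small first-match ruleset auditor that reports accept rules through which untunnelled Internet traffic would reach the LAN. The rule model, interface names, addresses and both rulesets are constructed for the illustration.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

@dataclass(frozen=True)
class Rule:
    in_if: str   # ingress interface: "wan0" (raw Internet), "tun0" (decrypted VPN), or "*" (any)
    src: str     # source CIDR
    dst: str     # destination CIDR
    action: str  # "accept" or "drop"

LAN = ip_network("10.0.0.0/8")  # constructed: the internal network behind the endpoint

def matching_rule(rules, in_if, src, dst):
    """First-match evaluation with an implicit final drop; returns the winning Rule or None."""
    s, d = ip_address(src), ip_address(dst)
    for r in rules:
        if r.in_if in ("*", in_if) and s in ip_network(r.src) and d in ip_network(r.dst):
            return r
    return None

def exposures(rules):
    """Accept rules through which untunnelled Internet traffic arriving on wan0
    really reaches the LAN. A rule shadowed by an earlier drop is not reported."""
    found = []
    for r in rules:
        if r.action != "accept" or r.in_if not in ("*", "wan0"):
            continue
        dst_net = ip_network(r.dst)
        if not dst_net.overlaps(LAN):
            continue
        # Probe with one representative packet: a source the rule admits,
        # aimed at the lowest LAN address the rule covers.
        src = str(ip_network(r.src).network_address)
        dst = str((dst_net if dst_net.subnet_of(LAN) else LAN).network_address)
        if matching_rule(rules, "wan0", src, dst) is r:
            found.append(r)
    return found

# Constructed policy: the endpoint answers IKE/ESP on its own public address
# (198.51.100.1 is a documentation address) and forwards only decrypted tunnel
# traffic into the LAN; everything else is explicitly dropped.
GOOD = [
    Rule("wan0", "0.0.0.0/0", "198.51.100.1/32", "accept"),
    Rule("tun0", "10.0.0.0/8", "10.0.0.0/8", "accept"),
    Rule("*", "0.0.0.0/0", "0.0.0.0/0", "drop"),
]
# Constructed: the same policy with one small error, a forwarding rule written
# for "*" instead of "tun0". The whole LAN is now reachable from the Internet.
BAD = [GOOD[0], Rule("*", "0.0.0.0/0", "10.0.0.0/8", "accept"), GOOD[1], GOOD[2]]

if __name__ == "__main__":
    print("good policy exposures:", exposures(GOOD))
    print("bad policy exposures:", exposures(BAD))
```

Running the auditor against the endpoint's exported policy on every change is the cheap check that the "block everything not from the tunnel" intent still holds after the next edit.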

