Whale's AirGap technology [was: RE: does anyone know about this thing?]
> Please let me clarify a bit about Whale's AirGap technology:
>
> e-Gap (Whale's product based on AirGap technology) is not a general
> purpose firewall. It is intended to be a secure path from the Internet (more
> precisely, from the DMZ) to the back office resources. It is intended for
> ON-LINE applications. It has no moving parts in it (the disk is a memory
> based storage device, not a magnetic one), and hardware throughput is
> 160 Mb/s minus overheads.
> e-Gap consists of two computers and a switched storage device. One host is
> connected to the DMZ and one is connected to the production network. The
> switched disk flips between the two hosts rapidly and shuttles the
> data. It cannot be attached to both hosts at the same time.
>
> The system allows the organization to put its secure web server (https)
> behind the Air Gap, on the trusted side. The e-Gap external machine catches
> https requests and shuttles the SSL encrypted data (no TCP headers) to the
> trusted side via the switched storage device. The e-Gap internal machine then
> decrypts the data, authenticates it, and passes it for processing to an
> internal web server. URL filtering and inspection is done on the internal
> e-Gap host.
>
> The results: the server's private key is protected on the trusted side;
> the authentication database is protected on the trusted side; the firewall
> need not be opened for inbound connections to databases; database queries
> originate from the trusted side; no TCP/IP or any other networking protocol
> is involved (and hence none can be exploited); no operating system
> vulnerability can be exploited.
> And of course, no direct connection between outside and inside, even at
> the physical layer.
>
> Elad Baron
> CTO
> Whale Communications
>
> To: mmotyka@lsil.com
> Subject: Re: does anyone know about this thing?
> From: anon2206@hushmail.com
> Date: Fri Jun 18 16:02:19 GMT+03:00 1999
> Cc: cypherpunks@toad.com
> Old-Subject: Re: does anyone know about this thing?
> Sender: owner-cypherpunks@Algebra.COM
>
> It's not a question of content filtering, it's a question of the fact that
> because there is no physical connection at all between inside and
> outside, what would otherwise be malicious instructions from a compromised
> outside arrive inside as dumb raw data.
> The filtering is entirely up to you.
> It also has 2 keys on the front panel that can be switched over to
> physically prevent either data-in or data-out.
> I admit to an unfortunately loose definition of attack-proof in my first
> missive, however.
> I meant "from without", rather than "from within".
> On Wed, 16 Jun 1999 11:26:11 -0700 Michael Motyka wrote:
> > http://www.whale-com.com/home.htm
> > is it really attack-proof?
> >
> >Nothing is attack-proof.
> >
> >And why is this content filtering method so special?
> >
> >Isn't the inside-job always a possibility? Assume the inside system gets
> >infected then some process on the inside could run anything through
> >e-mail or http. The handy-dandy diagram shows all of the usual services.
> >There is data exchange and the content controller can't know
> >everything.
> >What was the main economic value of whales?
>
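The shuttle described in the thread above, as an added worked example that is not code from Whale, Elad Baron, or either poster: a toy Python model of a store that can be attached to only one host at a time, an external side that deposits raw TLS-record bytes (no TCP/IP headers), and an internal side that must parse the record framing itself and refuse anything malformed. The class and function names, the record layout and the sample bytes are all constructed for this illustration. What it makes concrete is the point both sides of the thread agree on: what crosses the gap is raw data, and every check on it is the inside parser's job.

```python
"""Toy model of a switched-storage 'air gap' (constructed example, not Whale's code).

Two hosts share one store. The store is attached to at most one host at a
time; data crosses only while the store is detached from the other side.
The external host deposits raw TLS record bytes (no TCP/IP headers); the
internal host parses the record framing before handing anything on.
"""
import struct

EXTERNAL, INTERNAL = "external", "internal"

# TLS record content types (SSLv3 / TLS 1.0); only these are accepted inside.
TLS_CONTENT_TYPES = {20: "change_cipher_spec", 21: "alert",
                     22: "handshake", 23: "application_data"}
TLS_MAX_RECORD = 2**14 + 2048  # ciphertext may exceed 2^14 by at most 2048 bytes


class AttachError(RuntimeError):
    """Raised when a host touches the store while it is attached elsewhere."""


class SwitchedStore:
    """A store that is attached to exactly one host (or none) at a time."""

    def __init__(self):
        self.attached_to = None
        self._blob = b""

    def attach(self, host):
        if self.attached_to not in (None, host):
            raise AttachError(f"store is attached to {self.attached_to}, not {host}")
        self.attached_to = host

    def detach(self, host):
        if self.attached_to != host:
            raise AttachError(f"{host} is not attached")
        self.attached_to = None

    def write(self, host, data):
        if self.attached_to != host:
            raise AttachError(f"{host} is not attached")
        self._blob = data

    def read(self, host):
        if self.attached_to != host:
            raise AttachError(f"{host} is not attached")
        data, self._blob = self._blob, b""
        return data


def tls_record(content_type, body, version=(3, 1)):
    """Frame `body` as one TLS record: type(1) version(2) length(2) body."""
    return struct.pack("!BBBH", content_type, version[0], version[1], len(body)) + body


def parse_tls_records(blob):
    """Split a blob into (content_type, body) tuples; reject malformed framing.

    This is the internal host's only defence: nothing about the shuttle
    checked these bytes, so unknown types, oversize records and truncated
    records are refused outright rather than passed on to the web server.
    """
    records, offset = [], 0
    while offset < len(blob):
        if len(blob) - offset < 5:
            raise ValueError("truncated record header")
        ctype, _major, _minor, length = struct.unpack_from("!BBBH", blob, offset)
        if ctype not in TLS_CONTENT_TYPES:
            raise ValueError(f"unknown content type {ctype}")
        if length > TLS_MAX_RECORD:
            raise ValueError(f"record length {length} exceeds maximum")
        start, end = offset + 5, offset + 5 + length
        if end > len(blob):
            raise ValueError("record body truncated")
        records.append((ctype, blob[start:end]))
        offset = end
    return records


def shuttle(store, outbound_bytes):
    """One flip of the disk: external writes, store flips, internal reads and parses.

    Returns the parsed records; raises ValueError if the inside parser refuses.
    """
    store.attach(EXTERNAL)
    store.write(EXTERNAL, outbound_bytes)
    store.detach(EXTERNAL)          # the flip: never attached to both hosts
    store.attach(INTERNAL)
    try:
        return parse_tls_records(store.read(INTERNAL))
    finally:
        store.detach(INTERNAL)


if __name__ == "__main__":
    s = SwitchedStore()
    # Constructed sample: one handshake record followed by one data record.
    blob = tls_record(22, b"\x01\x00\x00\x04\x03\x01\x00\x00") + tls_record(23, b"ciphertext")
    print(shuttle(s, blob))
```

Running it as a script performs one flip and prints the parsed records. The attach/detach discipline in SwitchedStore is what models the "cannot be attached to both hosts at the same time" property; the three ValueError cases in parse_tls_records are where the inside host's exposure actually lies, since the gap itself does nothing to the bytes it carries.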