We had some discussion of their e-Gap product after a consultant brought it to us as a possible solution for something... We requested a demo of it but they weren't willing to let us play with it unless we were planning to buy it already and just wanted to confirm that it worked. Since we never got a hold of the real device, Jon Squire had some quick thoughts and possible theoretical attacks on it.. His main discussion follows as attached. If anyone has actually used this product, we would be interested to hear what you have to say.

thanks,
larry

From: Squire, Jonathan
Sent: Tuesday, October 26, 1999 3:00 PM
Subject: Squire's take on Air Gap Technologies -- READ FIRST (PART 1)

OK since I have a fair amount to say I'm separating out my general impression of their propaganda from my theoretical attack.

General Impression:

They don't have a lot (READ ANY) real technical information about their implementation available... probably for good reason... it's not really a novel idea to transfer data via sneakernet... they're just doing it in hardware... and very fast... which could prove useful later for an attack.... anyway, moving on... I'm just going to comment on some of the things they say on their web site... black is them... blue is me

> Air gap Security Guarantees:
> To transfer the whole data and nothing but the data
> To deliver the data to the exact, specified location in your network
> To let you check the data before it is delivered to that location
> To guarantee the above promises even if the external unit is compromised by intruders

Their fourth claim is probably not possible to guarantee... I'll get into the attack on it in my next email... but that is a very hard claim to make, and one if they put money on it I would be more than happy to take from them.

> Air gap resembles the security system at an after-hours gas station, where the cashier sits behind bullet-proof glass. At no time is there any direct contact between the cashier and the client, however they can exchange money and payment receipt via a metal tray or drawer. The cashier and the cash register are fully protected against external threats, since there is a complete physical disconnection between the two. air gap draws its inspiration from this type of architecture, in which a transaction can clearly take place, but the trusted network (the cashier and cash register) cannot be easily compromised by the untrusted network (the customer). An "Air Gap" is always kept between the trusted and untrusted networks, however transactions can take place in real-time.

Ok real simple attack... and their system is probably dumber... but I can take a stick of dynamite, light it and stick it in the drawer w/ my money.... the drawer contents are to some degree obscured from view until the attendant opens the drawer... if the fuse is short enough... blam! (Bear in mind that I'm aware that I can always use the dynamite to take out the glass... the point was I sent an attack across the gap security mechanism.)

> Why is air gap technology so secure?
> Air gap technology is the safest network access security system available because it relies on:
> - No TCP/IP or network protocols
> - No physical connection
> - No operating system
> air gap allows only a narrow path for specific data or transaction exchange. In this way, air gap prevents any protocol or operating system attack on your back office network.

I'll get into this on the technical front in the next email, but you'll see as I paste in some of their other propaganda how they are really playing on FUD and nothing else (they don't offer any proof that it's the safest network access security system available) ... and in fact after saying they provide no network access... they say they are... kinda a contradiction isn't it?

> What are some examples of tailor-made solutions?
> Tailor-made solutions often involve a self-developed method to break the TCP/IP protocols as they enter the organization. For example, TCP/IP may be changed to the SNA protocol, and then back to TCP/IP, in order to make intrusion more difficult. It is important to realize, however, that there are a percentage of hackers who know these less-used protocols, and will be able to navigate through such a system and take it over. An even larger threat is the complexity of such a solution, which leads to a larger potential for future mistakes and configuration errors, which can allow a hacker a free ride into the internal network.

To some degree they are a tailor made solution also, they are providing another transport mechanism that "breaks" the TCP/IP protocols... and to use their words... "that there are a percentage of hackers who know these less-used protocols, and will be able to navigate through such a system and take it over"

> e-Gap Secure URL Shuttle: What functionalities and benefits does it provide?
> By utilizing the secure URL shuttle, the URLs that need to access the internal database hide behind the air gap. This configuration prevents a hacker from reaching the highly sensitive web pages, or even knowing that they exist. The authentication server also resides behind the air gap, thus enabling the whole authentication process to take place on the trusted side. The benefits of this architecture are dramatic:
> The back office is protected since no other protocol is allowed in
> The authentication server is protected from external attacks and theft of data
> User authentication can not be falsified by attacking external servers (web, FTP, and so on)
> The company's server certificate is well protected behind the air gap
> Easy integration, transparent to SSL and web application

SSL is a protocol that is immune (unless you have a couple of crays and a weak encryption key) to man in the middle attacks... so think about it, it's logical that it is just changing the transport mechanism to run over a different protocol.. but not changing the packets, so they need to be reassembled exactly the same (the device is acting as a bridge that does media conversion) since SSL is a bi-directional protocol... this could be a possible route for a direct attack on the backend system

> The e-Gap system also includes dedicated software which resides on both external and internal hosts. The software can do the following:
> 1) Identify that the memory bank is connected to the host's SCSI Interface
> 2) Read/Write to the memory bank using standard SCSI level calls
> 3) "Unlock" the memory bank, at which point the switch can disconnect the memory bank and switch it to the other host.

Hmmm... interesting... Didn't they say this is a hardware solution? I'll get into how I think this is actually implemented in part two.

> Can e-Gap be used instead of a Firewall?
> Typically e-Gap would be used in addition to a deployed firewall. A firewall is used to protect the "de-militarized zone," which usually contains the company's less sensitive web pages, FTP server, and so on. Whale's e-Gap would complement the firewall by connecting the external web server to the internal secure web server, or the web to the back office. In this way, the sensitive web pages, transactions, authorization and authentication all occur on the trusted, protected side.

Well they answer the last question themselves... they are already saying they are providing less security than a firewall.

From: Squire, Jonathan
Sent: Tuesday, October 26, 1999 3:23 PM
Subject: Squire's take on Air Gap Technologies -- READ FIRST (PART 2)

OK, now the fun begins... the attacks... and I'll spare you the physical attacks since they just aren't all that interesting...

background: based on their documentation they are a black box...

                 egap-Memory
                      |
                      |
                      |
    Computer A <-----> e-gap <-----> computer B

(yes I know you can control the above arrow directions)

the e-gap (black box) is constantly flipping between

    Computer A <----> egap-Memory

and

    Computer B <---> egap-Memory

they state the device only stops this behavior if it senses data being written... which doesn't make complete sense, it's probably when data is accessed in the memory cell.

The black box does not appear to be completely autonomous... they do state there is software installed on computer A and B (We'll get into the attack on that later) the software does not control the switch from one side to the other... by their documentation... all it really does is say "I'm done w/my operation" then the device is free to switch

ok some attacks based on the above assumption...

DoS attack... continually write to the device so that it never gets a chance to switch

Defense: they probably know how much memory is in the device and the control software is [hopefully] written in such a manner that it takes this into account and then either causes the context shift, or purges the data and then causes a context shift... we can get around this problem w/ a software attack that will follow... but first the brain dumb SSL style attack... this may apply to other applications as well... but w/o more information (stuff they apparently don't want you to know/ask) we'll have to wait for a physical device...

SSL attack... SSL was designed to be able to detect a Man in the middle (defined as someone who intercepts and then forwards on the data) SSL by its nature is a bi-directional protocol... there is no such thing as one way SSL... plain and simple. In order to sit in between an SSL connection... you can't modify the data at all... but you also can't look at it (unless you have a couple of crays and a weak key... or some very good luck) so they are really acting as a bridging device in this case, so functionally they are doing nothing... so this attack reduces into a standard SSL against the web server/application server attack... many SSL web servers are not completely up to date and have holes that can be exploited... many also have possible buffer overflows... compromise the web server... load some arbitrary code that mimics the end point... tunnel what you want through... play on the network you want... etc.

PART 3 will follow
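The switched memory-bank mechanism and the "keep the device busy so it never switches" DoS from Part 2, modelled as an added toy simulation. This is not code from the original posts and not Whale's e-Gap software; the Shuttle class, the per-host operation quota (max_hold_ops), the bank-full context shift and the printable-text delivery check are all assumed here for illustration of how a controller can enforce the switch instead of trusting the host's "I'm done" signal.

```python
# Added toy model of a switched memory-bank "shuttle" (hypothetical simulation,
# not Whale's e-Gap firmware or host software). One memory bank is wired to
# host A or host B, never both; the switch flips it back and forth. The model
# shows (1) why a host that keeps the bank busy and never unlocks starves the
# other side, and (2) two guards a controller can apply: a forced context
# shift after a bounded number of operations (or when the bank is full), and
# a content check before anything is delivered to the other host.

PRINTABLE = set(range(32, 127)) | set(b"\r\n\t")


def text_only(payload: bytes) -> bool:
    """Constructed delivery policy: accept only printable ASCII text."""
    return all(b in PRINTABLE for b in payload)


class Shuttle:
    def __init__(self, capacity=16, max_hold_ops=None, inspect=text_only):
        self.capacity = capacity          # bytes the memory bank holds
        self.max_hold_ops = max_hold_ops  # None = rely on the host to unlock (no guard)
        self.inspect = inspect            # check applied before delivery
        self.bank = bytearray()
        self.attached = "A"               # host the bank is currently wired to
        self.hold_ops = 0                 # operations since the last switch
        self.delivered = {"A": [], "B": []}  # payloads handed to each host
        self.rejected = []                # payloads purged by the check
        self.switches = 0

    def _require_attached(self, host):
        if host != self.attached:
            raise PermissionError(f"host {host} is not attached to the bank")

    def read(self, host) -> bytes:
        """SCSI-style read; any access counts as holding the bank."""
        self._require_attached(host)
        data = bytes(self.bank)
        self._account()
        return data

    def write(self, host, data: bytes) -> int:
        """SCSI-style write; returns bytes accepted (the bank never overflows)."""
        self._require_attached(host)
        accepted = data[: self.capacity - len(self.bank)]
        self.bank += accepted
        self._account()
        return len(accepted)

    def unlock(self, host):
        """Host signals 'I'm done'; the switch is free to flip the bank over."""
        self._require_attached(host)
        self._switch()

    def _account(self):
        self.hold_ops += 1
        full = len(self.bank) >= self.capacity
        bounded = self.max_hold_ops is not None and self.hold_ops >= self.max_hold_ops
        if full or bounded:
            self._switch()   # forced context shift: do not wait for unlock()

    def _switch(self):
        other = "B" if self.attached == "A" else "A"
        payload = bytes(self.bank)
        if payload:
            if self.inspect(payload):
                self.delivered[other].append(payload)
            else:
                self.rejected.append(payload)   # purged, never reaches the other host
        self.bank.clear()
        self.attached = other
        self.hold_ops = 0
        self.switches += 1


def simulate_starvation(max_hold_ops, rounds=40):
    """Host A keeps accessing the bank and never unlocks; host B tries to send.
    Returns how many of B's messages reached A and how often the bank flipped."""
    s = Shuttle(capacity=16, max_hold_ops=max_hold_ops)
    for _ in range(rounds):
        if s.attached == "A":
            s.read("A")          # holds the bank without ever filling it
        else:
            s.write("B", b"ok")
            s.unlock("B")        # well-behaved host releases the bank
    return {"b_delivered": len(s.delivered["A"]), "switches": s.switches}


def checked_transfer(payload: bytes) -> str:
    """Host A hands one payload across; reports where it ended up."""
    s = Shuttle(capacity=64, max_hold_ops=8)
    s.write("A", payload)
    s.unlock("A")
    if s.delivered["B"]:
        return "delivered"
    return "rejected" if s.rejected else "dropped"


if __name__ == "__main__":
    print("no guard:", simulate_starvation(None))   # B never gets a turn
    print("guard=4: ", simulate_starvation(4))
    print(checked_transfer(b"GET /index.html"), checked_transfer(b"\x90\x90\xff\x00"))
```

With max_hold_ops=None the model behaves the way the posts read the documentation: the switch only flips on unlock(), so a host that keeps touching the bank holds it forever and the other side delivers nothing. A bank-full trigger alone only covers the "continually write" variant; the bounded-operations guard also covers a host that merely keeps reading, which is why the simulation uses read() for the misbehaving side. The inspect hook is the "check the data before it is delivered" guarantee in miniature; note that it does nothing for the SSL bridging point made above, because a device that passes opaque ciphertext through unmodified has nothing it can meaningfully inspect.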