Air Gap

We had some discussion of their e-Gap product after a consultant brought it
to us as a possible solution for something... We requested a demo of it but
they weren't willing to let us play with it unless we were planning to buy
it already and just wanted to confirm that it worked. Since we never got a
hold of the real device, Jon Squire had some quick thoughts and possible
theoretical attacks on it... His main discussion follows as attached. If
anyone has actually used this product, we would be interested to hear what
you have to say.
thanks,
larry

From: Squire, Jonathan
Sent: Tuesday, October 26, 1999 3:00 PM
Subject: Squire's take on Air Gap Technologies -- READ FIRST (PART 1)
OK, since I have a fair amount to say I'm separating out my general
impression of their propaganda from my theoretical attack.

General Impression:
They don't have a lot of (READ ANY) real technical information about their
implementation available... probably for good reason... it's not really
a novel idea to transfer data via sneakernet... they're just doing it in
hardware... and very fast... which could prove useful later for an
attack.... anyway, moving on...

I'm just going to comment on some of the things they say on their web
site... black is them... blue is me


Air gap Security Guarantees:

To transfer the whole data and nothing but the data
To deliver the data to the exact, specified location in your network
To let you check the data before it is delivered to that location
To guarantee the above promises even if the external unit is
compromised by intruders

Their fourth claim is probably not possible to guarantee... I'll get into
the attack on it in my next email... but that is a very hard claim to make,
and one, if they put money on it, I would be more than happy to take from
them.

Air gap resembles the security system at an after-hours gas station, where
the cashier sits behind bullet-proof glass. At no time is there any direct
contact between the cashier and the client, however they can exchange
money and payment receipt via a metal tray or drawer. The cashier and the
cash register are fully protected against external threats, since there is a
complete physical disconnection between the two. air gap draws its
inspiration from this type of architecture, in which a transaction can
clearly take place, but the trusted network (the cashier and cash register)
cannot be easily compromised by the untrusted network (the customer). An
"Air Gap" is always kept between the trusted and untrusted networks, however
transactions can take place in real-time.
Ok, real simple attack... and their system is probably dumber...
but I can take a stick of dynamite, light it and stick it in the drawer w/
my money.... the drawer contents are to some degree obscured from view until
the attendant opens the drawer... if the fuse is short enough... blam!
(Bear in mind that I'm aware that I can always use the dynamite to take
out the glass... the point was I sent an attack across the gap security
mechanism.)


Why is air gap technology so secure?

Air gap technology is the safest network access security system
available because it relies on:
- No TCP/IP or network protocols
- No physical connection
- No operating system

air gap allows only a narrow path for specific data or transaction exchange.
In this way, air gap prevents any protocol or operating system attack on
your back office network.

I'll get into this on the technical front in the next email, but you'll see
as I paste in some of their other propaganda how they are really playing on
FUD and nothing else (they don't offer any proof that it's the safest
network access security system available)... and in fact after saying they
provide no network access... they say they are... kind of a contradiction,
isn't it?

What are some examples of tailor-made solutions?
Tailor-made solutions often involve a self-developed method to
break the TCP/IP protocols as they enter the organization. For
example, TCP/IP may be changed to the SNA protocol, and then
back to TCP/IP, in order to make intrusion more difficult. It
is important to realize, however, that there are a percentage
of hackers who know these less-used protocols, and will be able
to navigate through such a system and take it over. An even larger
threat is the complexity of such a solution, which leads to a
larger potential for future mistakes and configuration errors,
which can allow a hacker a free ride into the internal network.

To some degree they are a tailor-made solution also; they are providing
another transport mechanism that "breaks" the TCP/IP protocols... and
to use their words... "there are a percentage of hackers who know
these less-used protocols, and will be able to navigate through such
a system and take it over"

e-Gap Secure URL Shuttle: What functionalities and benefits does it
provide?
By utilizing the secure URL shuttle, the URLs that need to
access the internal database hide behind the air gap. This
configuration prevents a hacker from reaching the highly
sensitive web pages, or even knowing that they exist.

The authentication server also resides behind the air gap, thus
enabling the whole authentication process to take place on the
trusted side.

The benefits of this architecture are dramatic:
- The back office is protected since no other protocol is allowed in
- The authentication server is protected from external attacks and theft
  of data
- User authentication can not be falsified by attacking external servers
  (web, FTP, and so on)
- The company's server certificate is well protected behind the air gap
- Easy integration, transparent to SSL and web application

SSL is a protocol that is immune (unless you have a couple of Crays and a
weak encryption key) to man in the middle attacks... so think about it, it's
logical that it is just changing the transport mechanism to run over a
different protocol... but not changing the packets, so they need to be
reassembled exactly the same (the device is acting as a bridge that does
media conversion) since SSL is a bi-directional protocol... this could be a
possible route for a direct attack on the backend system.

The e-Gap system also includes dedicated software which resides on both
external and internal hosts. The software can do the following:

1) Identify that the memory bank is connected to the host's SCSI
Interface
2) Read/Write to the memory bank using standard SCSI level calls
3) "Unlock" the memory bank, at which point the switch can
disconnect the memory bank and switch it to the other host.


Hmmm... interesting... Didn't they say this is a hardware solution? I'll
get into how I think this is actually implemented in part two.

Can e-Gap be used instead of a Firewall?

Typically e-Gap would be used in addition to a deployed firewall. A firewall
is used to protect the "de-militarized zone," which usually contains the
company's less sensitive web pages, FTP server, and so on. Whale's e-Gap
would complement the firewall by connecting the external web server to the
internal secure web server, or the web to the back office. In this way, the
sensitive web pages, transactions, authorization and authentication all
occur
on the trusted, protected side.

Well, they answer the last question themselves... they are already saying
they are providing less security than a firewall.

From: Squire, Jonathan
Sent: Tuesday, October 26, 1999 3:23 PM
Subject: Squire's take on Air Gap Technologies -- READ FIRST (PART 2)
OK, now the fun begins... the attacks... and I'll spare you the physical
attacks since they just aren't all that interesting...

background:
based on their documentation they are a black box...

                     egap-Memory
                          |
                          |
                          |
    Computer A <-----> e-gap <-----> computer B

(yes I know you can control the above arrow directions)

the e-gap (black box) is constantly flipping between Computer A <---->
egap-Memory and Computer B <---> egap-Memory.
They state the device only stops this behavior if it senses data being
written... which doesn't make complete sense; it's probably when data is
accessed in the memory cell. The black box does not appear to be completely
autonomous... they do state there is software installed on computer A and B
(we'll get into the attack on that later). The software does not control the
switch from one side to the other... by their documentation... all it really
does is say "I'm done w/ my operation", then the device is free to switch.

ok some attacks based on the above assumption...
DoS attack...
continually write to the device so that it never gets a chance to switch

Defense:
they probably know how much memory is in the device and the control software
is [hopefully] written in such a manner that it takes this into account and
then either causes the context shift, or purges the data and then causes a
context shift... we can get around this problem w/ a software attack that
will follow... but first the brain dumb SSL style attack... this may apply
to other applications as well... but w/o more information (stuff they
apparently don't want you to know/ask) we'll have to wait for a physical
device...


SSL attack...

SSL was designed to be able to detect a Man in the Middle (defined as
someone who intercepts and then forwards on the data). SSL by its nature is
a bi-directional protocol... there is no such thing as one-way SSL... plain
and simple.

In order to sit in between an SSL connection... you can't modify the data at
all... but you also can't look at it (unless you have a couple of Crays and
a weak key... or some very good luck), so they are really acting as a
bridging device in this case, so functionally they are doing nothing... so
this attack reduces into a standard SSL attack against the web server /
application server... many SSL web servers are not completely up to date and
have holes that can be exploited... many also have possible buffer
overflows... compromise the web server... load some arbitrary code that
mimics the end point... tunnel what you want through... play on the network
you want... etc.

PART 3 will follow
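The following is an added example, not part of the thread and not e-Gap's control logic. It models the shuttled memory bank sketched in Part 2 as a small Python state machine and shows the defense that the "DoS attack / Defense" exchange describes: the control software knows the bank's capacity and bounds how long one host may hold it, so a host that writes continuously cannot keep the bank from ever switching. It also models the vendor's third claim, an inspection step on the trusted side before data is accepted. The capacity, hold quantum, acceptance policy and host names are all assumptions made for the example; the model is one-way (external to internal) for simplicity.

```python
from dataclasses import dataclass, field
from typing import Dict

EXTERNAL, INTERNAL = "external", "internal"
MAX_PAYLOAD = 64  # assumed per-transfer size the internal host will accept


def acceptable(payload: bytes) -> bool:
    """Check the internal host runs before accepting a delivery (the vendor's
    claim 3).  The policy is an assumption for this example: bounded length,
    printable ASCII only."""
    return 0 < len(payload) <= MAX_PAYLOAD and all(32 <= b < 127 for b in payload)


@dataclass
class Shuttle:
    """One-way (external -> internal) model of the shuttled memory bank.

    The bank is attached to exactly one host at a time.  The holder normally
    releases it with unlock(); the control logic also forces a switch when the
    holder has filled the bank or kept it for max_hold_ticks writes, so a host
    that writes continuously cannot stop the bank from reaching the other side.
    Capacity and quantum values are assumptions, not e-Gap's.
    """
    capacity: int = 256
    max_hold_ticks: int = 4
    attached: str = EXTERNAL
    buffer: bytearray = field(default_factory=bytearray)
    hold_ticks: int = 0
    forced_switches: int = 0

    def write(self, side: str, data: bytes) -> bool:
        """Append data while holding the bank; False if side is not attached."""
        if side != self.attached:
            return False
        self.hold_ticks += 1
        room = self.capacity - len(self.buffer)
        self.buffer += data[:room]          # anything beyond capacity is dropped
        if len(data) > room or self.hold_ticks >= self.max_hold_ticks:
            self.forced_switches += 1       # budget exhausted: switch regardless
            self._switch()
        return True

    def read(self, side: str) -> bytes:
        """Current contents as seen by the attached host (empty otherwise)."""
        return bytes(self.buffer) if side == self.attached else b""

    def unlock(self, side: str) -> bool:
        """Holder signals 'I'm done w/ my operation'; the bank may switch."""
        if side != self.attached:
            return False
        self._switch()
        return True

    def _switch(self) -> None:
        if self.attached == INTERNAL:
            self.buffer = bytearray()       # internal host has consumed the bank
        self.hold_ticks = 0
        self.attached = INTERNAL if self.attached == EXTERNAL else EXTERNAL


def simulate(shuttle: Shuttle, ticks: int, chunk: bytes) -> Dict[str, int]:
    """External host writes `chunk` on every tick it holds the bank (the
    'write so it never switches' DoS); the internal host inspects whatever
    arrived and releases the bank immediately."""
    stats = {"internal_turns": 0, "accepted": 0, "rejected": 0, "forced_switches": 0}
    for _ in range(ticks):
        if shuttle.attached == EXTERNAL:
            shuttle.write(EXTERNAL, chunk)
        else:
            stats["internal_turns"] += 1
            payload = shuttle.read(INTERNAL)
            if payload:
                stats["accepted" if acceptable(payload) else "rejected"] += 1
            shuttle.unlock(INTERNAL)
    stats["forced_switches"] = shuttle.forced_switches
    return stats


if __name__ == "__main__":
    # Constructed inputs.  Without a hold budget the flood starves the internal side.
    print("no budget:", simulate(Shuttle(capacity=10**9, max_hold_ticks=10**9), 40, b"A" * 16))
    # With budgets the bank keeps shuttling; oversized deliveries fail inspection.
    print("budgeted: ", simulate(Shuttle(), 40, b"A" * 16))
    print("oversized:", simulate(Shuttle(), 40, b"B" * 100))
```

With an unbounded hold the internal side never gets a turn over 40 ticks; with the default budgets the bank is forced over every fourth write, and a 100-byte-per-write flood fills the 256-byte bank in three writes and is then rejected by the trusted-side check. Whether the real device behaves this way is exactly the information the posts say the vendor would not supply.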