October 2000
Spearhead AirGAP Model 300
by Michael Dickerson
For: Feature-rich system with easy installation and configuration routines.
Against: Nothing.
Verdict: A good additional layer of security for real-time operations.

Gap Technology is a concept founded in common sense. The technology is based on the simple fact that the only way to ensure your protected network is not at risk from an untrusted network, e.g. the Internet, is to physically disconnect your network. Many organizations which have suffered financial loss and damage to their reputation will recognize the attraction of such technology.

E-business and e-commerce, however, rely on providing customers and trading partners with easy access to back-office systems. To compound matters, the information required to be processed in this way is, almost by definition, often business-critical.

Unlike firewalls, with which they are often confused, gap systems create a physical disconnection between networks. Firewalls create a logical disconnection between networks and if this logic fails the connection to the untrusted network is maintained, allowing potential security breaches. The physical disconnection inherent in gap technology ensures that if the logic fails, your trusted network does not remain connected to an untrusted network, thus maintaining security.

A gap system is, therefore, one which creates a physical disconnection between networks while still allowing them to share information or resources. There are three main methodologies to achieve this:

Real-Time Switch. In this architecture the apparent contradiction of two physically disconnected networks sharing information is resolved by sequential switching. Reduced to its core steps, the switch connects to one network, reads the data, switches to the other network and forwards the information to it. The switching occurs at high speed, allowing for real-time operations. To ensure security threats are not simply passed across networks, all data is encoded and checked for viruses etc. before being allowed access to the trusted system.

One-Way Link. This is the most basic gap configuration and creates a ‘read only’ network connection with data transfer possible only from a designated source network to a destination network. A good example of this would be an e-commerce site allowing customer orders to access the trusted network without providing sensitive information to the customer. This will only be appropriate to transactions which can be completed “blind.”

Network Switcher. This is similar to a real-time switch in operation, with the important difference that it does not operate in real-time. This is typically implemented as a card with dual interfaces. Each interface provides a separate network connection and the system ensures that only one can be active at a time.

Spearhead’s AirGAP Model 300 is a hardware and software device that operates as a real-time switch. The device comprises three CPUs: a master, a slave and a content inspection engine. The slave computer is connected to the untrusted network (e.g. the Internet) while the master is connected to the trusted network (e.g. the organization’s LAN).

Information entering the LAN from the Internet is managed as follows. Data is downloaded from the Internet and the TCP/IP session is physically terminated by the slave computer. The data is then stripped of TCP headers and inspected against approved protocol syntax parameters. This raw data is passed through the gap to the master computer where it is encoded and passed to the content checking engine. Once all security checks are completed, including compliance with security policy, the raw data is regenerated by the master computer.
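The flow described above can be modelled in a few lines; this is an added illustration, not Spearhead's code or anything from the original review. The names `GapSwitch`, `slave_receive` and `master_deliver`, the GET-only syntax policy and the blocked strings are assumptions, and the encoding step the article mentions is not modelled because the page does not describe it.

```python
import re

# Hypothetical policy: only plain HTTP GET request lines are approved syntax.
APPROVED_SYNTAX = re.compile(rb"GET /[A-Za-z0-9/_.-]* HTTP/1\.[01]")
BLOCKED_CONTENT = (b"../", b"/cgi-bin/")  # stand-in content inspection rules

class GapSwitch:
    """Shared buffer that is attached to exactly one side at any moment."""
    def __init__(self):
        self.side, self._buf = "untrusted", None
    def _check(self, side):
        if side != self.side:
            raise PermissionError(f"{side} side is disconnected from the gap")
    def write(self, side, data):
        self._check(side)
        self._buf = data
    def read(self, side):
        self._check(side)
        data, self._buf = self._buf, None
        return data
    def toggle(self):
        self.side = "trusted" if self.side == "untrusted" else "untrusted"

def slave_receive(packet, gap):
    """Terminate the session: discard TCP headers, syntax-check the payload."""
    payload = packet["payload"].rstrip(b"\r\n")
    if not APPROVED_SYNTAX.fullmatch(payload):
        return False                     # rejected before it reaches the gap
    gap.write("untrusted", payload)      # only raw data crosses, never headers
    return True

def master_deliver(gap):
    """Content-check the raw data, then regenerate it as a new message."""
    raw = gap.read("trusted")
    if any(bad in raw for bad in BLOCKED_CONTENT):
        return None
    return {"origin": "master", "payload": raw + b"\r\n"}

def transfer(packet):
    """One switching cycle: slave side, toggle, master side."""
    gap = GapSwitch()
    if not slave_receive(packet, gap):
        return None
    gap.toggle()                         # disconnect slave, connect master
    return master_deliver(gap)

# Constructed sample input, not captured traffic.
SAMPLE = {"tcp": {"sport": 40000, "dport": 80, "seq": 1},
          "payload": b"GET /index.html HTTP/1.0\r\n"}
```

A request that passes the syntax check can still be dropped by the content rules on the master side, which is why the two stages are kept separate.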

The device offers a transaction speed of 1.0Gbps, which is capable of sustaining an average user base of 500 to 1,000, or up to 4,000 concurrent connections.

The Control Room software allows system administrators to configure and control the AirGAP system. To avoid the risk of interception or deciphering, all communications between the AirGAP and the Control Room are encrypted and authenticated using hard-coded cryptographic algorithms. The Control Room displays detailed logs of security events as well as information regarding alerts and user authentication.

The set-up for the system took just over an hour, although the test configuration network was reasonably simple and did not involve routing reconfiguration. Once the AirGAP system is switched on it logs in and automatically loads the AirGAP control software. The Control Room software must then be loaded on the relevant server. This is facilitated by an easy-to-follow installation wizard, although it is worth mentioning that if you wish to encrypt the communications between the AirGAP and the Control Room you must obtain a digital certificate and a private key. These can be obtained from authorities such as Verisign or Entrust.

The administration application can now be loaded onto designated computers. There is no restriction on the number of computers this can be installed on, therefore allowing system administrators to ensure efficient accessibility. The Control Room, AirGAP and administrator settings can now be configured to define the organizational infrastructure. The entire installation and configuration process was well documented and well managed by easy-to-use installation wizards. System administrators of medium to large organizations should have no difficulty whatsoever with any aspect of installation or configuration.

AirGAP Model 300 is a turnkey solution aimed at medium to large-sized organizations which have implemented a firewall solution and are now seeking to implement a further level of security on top of this. The AirGAP Model 300 tested is the only one of the range to include content inspection. The other model in the range, the 200, is aimed at companies seeking superior access control and will require a content inspection facility to be added.

The increasing focus on effective security as a business enabler is leading many organizations to augment their firewalls with a further level of security. Organizations who need to provide reassurance to customers and trading partners that their information systems are secure will be well served by the added protection afforded by the AirGAP Model 300.

Contact Information:
  

North America:
Spearhead Security Technologies Inc.
$49,000
(631) 465-2054
yossihod@spearhead.net

www.sphd.com

UK/Europe/Asia:
Spearhead Technologies Ltd
$49,000
+972 3 903 0590
yossihod@spearhead.net

www.sphd.com

 


Copyright © 2000 West Coast Publishing. Reprinted from SC Magazine, 161 Worcester Road, Suite 201, Framingham, MA 01701. All rights reserved.