e-Gap plugs security hole

Hackers searching for sensitive e-commerce transaction data need look no further than the so-called “demilitarized” zone that sits between the Web and the corporate back end, according to Whale Communications Inc.

This threat continues to dog on-line storekeepers, according to Elad Baron, CEO of Whale, a Tel Aviv, Israel-based security vendor.

The problem with conventional e-commerce transactions is that when on-line shoppers purchase goods, they assume the purchase is happening over a secure Web server, Baron said. What many don’t realize is that the data makes a stopover on the way to the point of processing, in the demilitarized network, which is still part of the external, untrusted systems of the outside world and links to the back end. Only after it is decrypted there is it sent through the firewall as a regular transaction.

“This is something that’s very dangerous if someone took over any host on the DMZ,” Baron said.

That’s why he developed the e-Gap Secure URL Transaction Shuttle. Based on Whale’s proprietary AirGap technology, e-Gap consists of two Pentium PCs — one connected to the untrusted network, the other to the trusted — and an intermediary security device that resembles a disk drive.

When a transaction is undertaken, the encrypted information is sent from the Web site to e-Gap’s external server. Transaction-related Web pages aren’t actually stored on the e-Gap server; instead, e-Gap intercepts the HTTP request and shuttles it accordingly. The information is then shuttled to the internal e-Gap server via the security device, which links to the two servers by SCSI connector cables.

There, the information is decrypted, the user is authenticated and the URL is checked. Then, emulating the back office, the e-Gap server accesses the internal database, and the result is sent back to the user in HTML format.

There are no physical connections between trusted and untrusted networks. Sensitive Web pages and the authentication process stay behind the firewall, making them hacker-proof, Baron said.

“[Hackers] cannot do any hacking in, and cannot mess with the content, because the content is encrypted and it’s being decrypted on the trusted side,” he said. “We do not pass any network protocols through this appliance. It’s actually a security appliance which does not pass any TCP/IP.”
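The protocol break Baron describes, modelled as an added Python simulation that is not Whale’s code: only a fixed application-level record crosses from the untrusted side to the trusted side, and the trusted side alone authenticates the session and checks the URL before anything reaches the back end. The allowlist, the HMAC session-token scheme and the sample requests are constructed for the example, and TLS is left out (the real shuttle decrypts on the trusted side; this one carries plaintext).

```python
import hashlib
import hmac
import json

# Constructed values, not from the article or product; TLS omitted (real shuttle decrypts on trusted side).
ALLOWED_URLS = {"/checkout", "/account"}
TRUSTED_SECRET = b"key-that-never-leaves-the-trusted-side"
FIELDS = {"method", "url", "token", "body"}

def issue_token(user: str) -> str:
    """Trusted side issues a session token bound to a user (hypothetical scheme)."""
    return user + ":" + hmac.new(TRUSTED_SECRET, user.encode(), hashlib.sha256).hexdigest()

def untrusted_side(raw_request: bytes) -> bytes:
    """External server: parse the HTTP request and emit a fixed-schema record.
    Only method, URL, body and the session token cross the gap; the TCP/IP
    connection and every other header stay on the untrusted side."""
    head, _, body = raw_request.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    method, url, _version = lines[0].split(" ", 2)
    token = next((h.split(":", 1)[1].strip() for h in lines[1:]
                  if h.lower().startswith("x-session:")), "")
    record = {"method": method, "url": url, "token": token, "body": body.decode("latin-1")}
    return json.dumps(record).encode()  # the only thing that travels over the gap

def trusted_side(record_bytes: bytes) -> tuple:
    """Internal server: accept only the exact schema, authenticate the session
    and check the URL before anything reaches the back-end database."""
    try:
        rec = json.loads(record_bytes)
    except ValueError:
        return 400, "not a shuttle record"
    if (not isinstance(rec, dict) or set(rec) != FIELDS
            or not all(isinstance(v, str) for v in rec.values())):
        return 400, "unexpected record shape"
    if rec["url"] not in ALLOWED_URLS:
        return 403, "URL not permitted"
    user = rec["token"].partition(":")[0]
    if not hmac.compare_digest(issue_token(user).encode(), rec["token"].encode()):
        return 401, "authentication failed"
    return 200, f"{rec['method']} {rec['url']} for {user}, {len(rec['body'])} body bytes"

def demo() -> list:
    """One good request, then three the trusted side must refuse."""
    good = (b"POST /checkout HTTP/1.1\r\nHost: shop.example\r\nX-Session: "
            + issue_token("alice").encode() + b"\r\n\r\nitem=42&qty=1")
    return [trusted_side(untrusted_side(good))[0],                                   # 200
            trusted_side(untrusted_side(good.replace(b"/checkout", b"/admin")))[0],  # 403
            trusted_side(untrusted_side(good.replace(b"alice:", b"bob:")))[0],       # 401
            trusted_side(b"GET /checkout HTTP/1.1\r\n\r\n")[0]]                      # 400
```

The last case hands raw HTTP straight to the trusted side, which refuses it because it is not a shuttle record; that is the property of passing content rather than a network protocol.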

And with throughput of more than 100Mbps, e-Gap is unlikely to become a network bottleneck, he added. e-Gap isn’t limited to e-commerce transactions. Whale also promotes the tool for use with customer relationship management applications, on-line banking and bill presentment.

Eitan Olin, a project manager with the Israel Arms Development Authority (RASAEL), a division of the Israeli Ministry of Defence in Haifa, Israel, was charged with installing a beta copy of e-Gap three months ago. Olin is responsible for transferring sensitive military information between classified and unclassified networks, ensuring data from the two don’t mix.

Prior to using e-Gap, RASAEL sent sensitive information via sneakernet, the ultra low-tech method of walking floppy disks from drive to drive.

Olin said it took him one hour to get e-Gap up and running. “It was immediate. We put up the hardware, and immediately it [went to] work,” he said. “[e-Gap] is a hardware solution, and we prefer it because of that.”

e-Gap URL Transaction Shuttle (www.whalecommunications.com/fr_0200.htm) is currently being beta tested, and a full release version and pricing information will be available in about three months.

It will ship with two Pentium II 350MHz PCs and one rackmounted e-Gap device. e-Gap runs on Windows NT and Unix platforms. Supported authentication includes SSL certificates but can also be user-defined, and e-Gap supports Ethernet, fast Ethernet and RJ-45/AUI network interfaces.

Whale Communications Inc. can be reached in Fort Lee, N.J., at 1-877-659-4253.