I know that "air gap" system security is a concept that goes back decades, but it's been talked about recently as a mechanism to protect against advanced attacks. Can you please explain how best to employ this tactic in a contemporary enterprise network, and under what circumstances is it worth the trouble to do so?
Ask the expert
Whenever I hear the air gap method proposed as a possible security strategy, I feel a strange mix of skepticism and intrigue. On one hand, I just can't see how this would be feasible in anything other than a small home network. But on the other hand, the devil's advocate in me seems to whisper, "Or could it?"
For those who aren't familiar with the concept, an air gap is a physical separation between a computer (or network of computers) and the Internet. The benefit is that the air gap prevents Internet attacks from affecting the separated computer, but of course the tradeoff is that in this day and age, not having Internet access severely limits what a computer can do.
In a recent article in Wired, security commentator Bruce Schneier listed 10 things to keep in mind to employ the air gap method successfully, from only connecting the device to the Internet during configuration and installing the minimum software necessary to turning off all auto-run features and encrypting everything that gets moved on or off of the computer.
While I agree in large part with Schneier's list, I would like to add a few items that I think are crucial in the successful implementation of this method:
1. Only store your most sensitive information in an air-gapped system. What counts as sensitive data will vary from organization to organization, but it is infeasible to require employees to trek back and forth to the air-gapped computer for seemingly mundane data.
2. Run a continuous Wireshark capture on the air-gapped system. On a normally connected network device this would produce a very large pcap file and noticeably degrade Wireshark's performance, but on an air-gapped system the capture should be close to empty. If security administrators see packets flying across the screen, deeper analysis should be conducted immediately. One caveat: depending on what software is installed on the system, administrators may still see a small number of packets. Antimalware software, for example, is often programmed to reach out periodically to one of its trusted domains in order to receive updates. Fortunately, the volume of such traffic should be small and therefore easy to filter out.
3. Before anyone is allowed to access and/or make changes to the air-gapped system, create a baseline snapshot of the operating system and all its files. Then, after each transaction an end user conducts on the system, security administrators should run Regshot (if the system is Windows) or a comparable tool to determine what changes, if any, that transaction made to the system. Invariably something will change, but comparing against the baseline helps detect malicious activity.
4. A competent malware analyst should be on hand at all times. In the event that malware is detected on the air-gapped system, an experienced professional should be immediately available to avert any possible catastrophes.
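As an added example (not code from the column), here is one way to implement the baseline-and-compare step from item 3 for the file system rather than the registry: snapshot every file's SHA-256 before a user session, snapshot again afterwards, and report what was added, removed or modified. `snapshot`, `diff_snapshots` and `self_check` are hypothetical names, and `self_check` builds a constructed scratch tree so the script runs offline.

```python
import hashlib
import tempfile
from pathlib import Path

def snapshot(root):
    """Map each regular file under root to its size, mtime and SHA-256."""
    root = Path(root)
    state = {}
    for p in root.rglob("*"):
        if p.is_symlink() or not p.is_file():
            continue  # symlinks, devices and directories are not hashed
        st = p.stat()
        h = hashlib.sha256()
        with p.open("rb") as fh:
            for chunk in iter(lambda: fh.read(1 << 20), b""):
                h.update(chunk)
        state[p.relative_to(root).as_posix()] = {
            "size": st.st_size, "mtime_ns": st.st_mtime_ns, "sha256": h.hexdigest()}
    return state

def diff_snapshots(before, after):
    """Added/removed/modified paths; content is judged by hash, not by mtime."""
    common = before.keys() & after.keys()
    return {
        "added": sorted(after.keys() - before.keys()),
        "removed": sorted(before.keys() - after.keys()),
        "modified": sorted(p for p in common if before[p]["sha256"] != after[p]["sha256"]),
    }

def self_check():
    """Constructed scenario: baseline a scratch tree, simulate one user session
    (edit a file, drop a new binary, delete a file), then diff the two snapshots."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "docs").mkdir()
        (root / "docs" / "plan.txt").write_text("original plan\n")
        (root / "docs" / "notes.txt").write_text("untouched\n")
        (root / "old.bin").write_bytes(b"\x00\x01\x02")
        before = snapshot(root)            # baseline taken before the session
        (root / "docs" / "plan.txt").write_text("edited plan\n")   # modified
        (root / "tools").mkdir()
        (root / "tools" / "dropped.exe").write_bytes(b"MZ")        # added
        (root / "old.bin").unlink()                                 # removed
        after = snapshot(root)             # snapshot taken after the session
        return diff_snapshots(before, after)

if __name__ == "__main__":
    print(self_check())
```

In practice, store the baseline snapshot off the machine (for example on the encrypted media the column recommends) so that malware on the air-gapped host cannot tamper with the reference it is compared against.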
This was first published in February 2014