To keep a critical network safe, a common practice has traditionally been to establish an air gap – in other words, disconnect that network from “untrusted” or less secure networks, the internet, and the outside world. When an air gap is established, the risk of cyberattack drops dramatically and security focus shifts to guns, gates, and guards.
To take a step back, just what kinds of “critical networks” are we talking about here? Usually a confidential government enclave, critical infrastructure operational technology (OT) networks such as nuclear power and oil/gas production, and also core banking networks, economic data enclaves, cryptocurrency custodians, and data storage vaults of all kinds.
These types of networks cannot afford any level of compromise or loss of operational assurance. So, once they implement an air gap, problem solved, right? Not so fast. You’ll notice I said the risk of cyberattack “drops” and not that it completely disappears. Humans are fallible, mistakes can be made, and threats can still be introduced to these networks via removable media, compromised devices, and software updates.
Therefore, these organizations have recognized a need for advanced security information and event management (SIEM) or intrusion detection system (IDS) capabilities to protect the secure network, even with an air-gapped architecture. In implementing these technologies, these organizations have also recognized that it’s important to have the ability to get that SIEM data *out* of the secure network. Why?
- Staffing Costs: If they don’t move the data, they need to duplicate the SOC staff inside the secure network, 24×7.
- SIEM Effectiveness: They need to move data outside the secure network to achieve “single pane of glass” monitoring and get maximum benefit from a SIEM.
- Archiving Requirements: Like other operational data inside the secure network, they can’t rely on a single site to preserve data; they need a backup.
You might be thinking, “I thought the whole point of this story was that we need to disconnect our critical network from everything! It sounds like we are back where we started. Doesn’t connecting SIEM/IDS data defeat the point?” Fortunately, we can safely get data to the outside world. There are (at least) four ways to move SIEM/IDS data out of a secure network to a Security Operations Center (SOC) or other external network for monitoring (on-prem or cloud):
|PROS|| || || || |
|CONS|| || || || |
Of these approaches, sneaker-net has many security and efficiency problems but is still in common use (believe it or not). One of the most common ways to mitigate the sneaker-net security issues outlined above is through the use of security scanning kiosks, such as the Tresys XD Air, which scan and filter data from removable media before it is introduced to a secure environment. However, if portable media are not required, the sneaker-net approach could potentially add more time and effort, and the latter three connected approaches are more efficient.
The primary means for securely achieving the connected approaches is to implement data diodes to guarantee one-way flow of data. Firewalls are not acceptable for this purpose because they are both inherently bidirectional (although they can be configured to be one-way), and operate via software that, like the humans who wrote it, is fallible. Firewalls can also be reconfigured with the right credentials, whereas data diodes enforce one-way traffic at the hardware layer — data can never flow in the opposite direction because the hardware to do so does not exist in the device.
In order to turn a two-way protocol (such as those used in all kinds of SIEM and IDS systems, as well as many common industrial protocols) into a one-way connection, proxy servers and specialized software allow data diodes to mimic the source and destination to the networks on each side, while only transferring data from one side of the diode to the other. There are even solutions that orchestrate the use of data diodes to enable two-way communications for IDS functions that simply cannot work without an ability to respond on the same session.
How do you handle security monitoring for your secure networks? We would love to hear your feedback.
SIDEBAR: SOFTWARE UPDATES
How should we handle software updates and upgrades for our air-gapped network? At some point, there will almost inevitably be a need to introduce new software, patches, or other executables into the secure network. The safest way is to enforce a one-way data path, via data diodes with filtering and hash checking before data is permitted to pass across the boundary. This method ensures that the software is authentic and that no malware or unauthorized files can flow into the secure network.