How Practical is a Disconnected Network?

Monday, September 10, 2012

Rafal Los


Apparently Iran is building their own ( 'domestic network' for certain ministries in an effort to protect sensitive information.  

While speculation over whether this little stunt will ever actually happen continues to pour in, it's clear that this is a more difficult feat than the Iranian government thought, as the project continues to slip further and further.

This got me thinking... many organizations, including parts of the US Government, have tried to run fully air-gapped networks with varying degrees of success. So how hard is that... really?

First things first, there are various definitions of 'separate network' at play. When someone says separate network you may think of what we refer to as an air-gapped network, or maybe even GRE tunnels over existing Ethernet... let's take separate network to mean physically and logically separate.

This means that every machine on your separate network has exactly one network interface, and that interface is not routable out to the Internet or any other network... hence an "air gap" that packets can't leap across.

You see, the trouble with saying things like "We're putting in an air-gapped network" is that it's easy to say, but very, very expensive and difficult to actually implement. Imagine how many connections, both physical and logical, you have on your network.

Now imagine going through and disconnecting every one of them that leads to a peer that can reach the Internet. That is a daunting task at the outset; now imagine also making sure that no one ever cross-connects your separate network into an Internet-connected network.

I just don't think it's possible to maintain, even in small pockets. It's entirely too easy for someone to put up a wireless access point, or to plug a 3G/4G mobile card into a laptop that is connected to the physically air-gapped network.
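The two properties above (one interface per host, no route off the segment) and the two ways they quietly break (a second NIC cross-connected somewhere, a wireless or cellular card) are things a defender can check for rather than assume. Here is an added example, not from the original post, of an inventory audit that flags hosts violating the definition. The inventory format (a list of hosts with their interfaces and routing table, as an asset-management export or login script might produce), the 10.200.0.0/16 address space and the three sample hosts are all constructed for this example.

```python
"""Audit a host inventory for violations of the 'separate network' definition.

Added example, not from the original post. The inventory layout and the
isolated segment's address space (10.200.0.0/16) are assumptions.
"""
import ipaddress
from dataclasses import dataclass

# Address space assigned to the isolated segment (constructed for this example).
ISOLATED_PREFIX = ipaddress.ip_network("10.200.0.0/16")

# Interface kinds that give a host a path to some other network regardless
# of cabling: a wireless card, a 3G/4G modem, a Bluetooth PAN.
OFF_SEGMENT_KINDS = {"wifi", "wwan", "bluetooth"}


@dataclass(frozen=True)
class Finding:
    host: str
    rule: str
    detail: str


def audit_host(host: dict) -> list[Finding]:
    """Return every way this host breaks the one-interface, no-route-out rule."""
    findings: list[Finding] = []
    name = host["name"]
    # Loopback never connects to anything, so it does not count as a NIC.
    nics = [i for i in host["interfaces"] if i["kind"] != "loopback"]

    # Rule 1: exactly one network interface per host.
    if len(nics) > 1:
        findings.append(Finding(name, "multiple-interfaces",
                                ", ".join(i["name"] for i in nics)))
    for nic in nics:
        # Rule 2: no wireless or cellular interfaces at all.
        if nic["kind"] in OFF_SEGMENT_KINDS:
            findings.append(Finding(name, "off-segment-interface",
                                    f"{nic['name']} ({nic['kind']})"))
        # Rule 3: every address must belong to the isolated segment.
        addr = ipaddress.ip_address(nic["address"])
        if addr not in ISOLATED_PREFIX:
            findings.append(Finding(name, "foreign-address",
                                    f"{nic['name']} has {addr}"))
    for route in host["routes"]:
        net = ipaddress.ip_network(route["destination"], strict=False)
        # Rule 4: no default route (a /0 means "everything else goes here").
        if net.prefixlen == 0:
            findings.append(Finding(name, "default-route",
                                    f"via {route['gateway']} on {route['interface']}"))
        # Rule 5: no route to any network other than the isolated segment.
        elif not net.subnet_of(ISOLATED_PREFIX):
            findings.append(Finding(name, "route-off-segment",
                                    f"{net} via {route['gateway']}"))
    return findings


def audit_inventory(inventory: list[dict]) -> dict[str, list[str]]:
    """Map each host name to the list of rule names it violates (empty if clean)."""
    return {h["name"]: [f.rule for f in audit_host(h)] for h in inventory}


def _lo():
    return {"name": "lo", "kind": "loopback", "address": "127.0.0.1"}


# Constructed sample inventory: one clean workstation and two that are not.
INVENTORY = [
    {"name": "ws-01",  # compliant: one wired NIC, one route, both on-segment
     "interfaces": [_lo(), {"name": "eth0", "kind": "ethernet", "address": "10.200.1.10"}],
     "routes": [{"destination": "10.200.0.0/16", "gateway": "0.0.0.0", "interface": "eth0"}]},
    {"name": "ws-02",  # someone plugged a 3G/4G card into an air-gapped laptop
     "interfaces": [_lo(), {"name": "eth0", "kind": "ethernet", "address": "10.200.1.11"},
                    {"name": "wwan0", "kind": "wwan", "address": "100.64.3.7"}],
     "routes": [{"destination": "10.200.0.0/16", "gateway": "0.0.0.0", "interface": "eth0"},
                {"destination": "0.0.0.0/0", "gateway": "100.64.3.1", "interface": "wwan0"}]},
    {"name": "ws-03",  # second NIC cross-connected to the corporate LAN
     "interfaces": [_lo(), {"name": "eth0", "kind": "ethernet", "address": "10.200.1.12"},
                    {"name": "eth1", "kind": "ethernet", "address": "192.168.10.5"}],
     "routes": [{"destination": "10.200.0.0/16", "gateway": "0.0.0.0", "interface": "eth0"},
                {"destination": "192.168.10.0/24", "gateway": "0.0.0.0", "interface": "eth1"}]},
]

if __name__ == "__main__":
    for host in INVENTORY:
        for f in audit_host(host):
            print(f"{f.host}: {f.rule} ({f.detail})")
```

Run against the sample inventory, ws-01 produces no findings, ws-02 trips four rules (a second interface, a cellular interface, an address outside the segment, and a default route pointing at it) and ws-03 trips three (the extra NIC, its foreign address, and the route it brings). A real deployment would feed the function from a periodic collection job and alert on any non-empty result, since the whole point of the definition is that a single violation is enough to remove the gap.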

Then there are the issues with data transfer. Air-gapped networks are difficult to maintain, but what happens when you have to move data from that air-gapped network to somewhere else? What if you have to install printer drivers or update your anti-virus signatures? Doesn't sound so easy now, does it?

You can probably guess I'm not a big believer in disconnected, or air-gapped, networks, simply because I believe that in all but the most extreme cases they aren't practical... even if they are possible.

Cross-posted from Following the White Rabbit

Lucian Andrei

For a normal business/dept it is very unlikely that this will succeed. But there are some particular cases where this isolation might be possible. If a military-like dept tries to do this, there are big chances that they will succeed. I know of one government department where the users have to acknowledge all the scripts running in their browsers. If you go to you'll have to accept almost seven scripts. This makes Internet browsing impossible. They have different PCs, on a totally isolated network, that they use to browse the Internet.

In my opinion, the main obstacle to accomplishing total isolation is the users' discipline. In Iran I doubt that this will be a problem, because a user who breaks the rules might very easily end up at the end of a rope, convicted as a traitor.

Rafal Los

@Lucian - good points, thanks for following up.