Apparently Iran is building its own (http://www.theregister.co.uk/2012/08/06/iran_net_block_slips_again/) 'domestic network' for certain ministries in an effort to protect sensitive information.
While speculation over whether this little stunt will ever actually happen continues to pour in, it's clear that this is a more difficult feat than the Iranian government thought, as the launch date continues to slip further and further.
This got me thinking... many organizations, including parts of the US Government, have tried to run fully air-gapped networks with varying degrees of success - so how hard is that... really?
First things first, there are various definitions of 'separate network' at play. When someone says separate network you may think of what we refer to as an air-gapped network, or maybe even GRE tunnels over existing Ethernet... let's consider separate network to mean physically and logically separate.
This means that every machine on your separate network has exactly one network interface, and that network is not routable to the Internet or to any other network... hence an "air gap" that packets can't leap across.
You see, the trouble with saying things like "We're putting in an air-gapped network" is that it's easy to say - but very, very expensive and difficult to actually implement. Imagine how many connections, both physical and logical, you have on your network.
Now imagine going through and disconnecting every one of them that goes to a peer that can reach the Internet. This is a very daunting task at the outset - now imagine making sure that no one ever cross-connects your separate network into an Internet-connected network.
I just don't think it's possible to maintain, even in small pockets. It's entirely too easy for someone to put up a wireless access point, or to plug a 3G/4G mobile card into a laptop that is also plugged into the physically air-gapped network.
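The rule above (one interface per host, nothing routable out) is at least checkable, and the cross-connect failure mode is exactly what such a check catches. The audit script below is an added example and not part of the original post; the policy values (`ALLOWED_IFACES`, `ALLOWED_NETS`) and the interface-name heuristic for wireless and cellular devices are assumptions, and the sample `ip` output is constructed.

```python
# Audit a Linux host against the air-gap rule from the post: exactly one
# non-loopback interface, and no route leading anywhere but the isolated segment.
import ipaddress
import re

# Site policy (assumed values): the single permitted NIC and the only prefix it may reach.
ALLOWED_IFACES = {"eth0"}
ALLOWED_NETS = [ipaddress.ip_network("10.0.0.0/24")]
# Interface-name heuristic for Wi-Fi, cellular and tethering devices; not authoritative.
WIRELESS_HINTS = ("wl", "wwan", "ppp", "usb")
LINK_RE = re.compile(r"^\d+:\s+([^:@]+)(?:@\S+)?:\s+<([^>]*)>")   # `ip -o link show` lines
ROUTE_RE = re.compile(r"^(default|\S+)\s+(?:via\s+\S+\s+)?dev\s+(\S+)")  # `ip route show` lines

def audit(link_output, route_output, allowed_ifaces=ALLOWED_IFACES, allowed_nets=ALLOWED_NETS):
    """Return a sorted list of violations found in `ip -o link show` / `ip route show` output."""
    findings, active = set(), []
    for m in filter(None, map(LINK_RE.match, link_output.splitlines())):
        name, flags = m.group(1), set(m.group(2).split(","))
        if "LOOPBACK" in flags or "UP" not in flags:
            continue  # loopback and administratively-down interfaces are fine
        active.append(name)
        if name not in allowed_ifaces:
            findings.add(f"unexpected active interface: {name}")
        if name.startswith(WIRELESS_HINTS):
            findings.add(f"wireless/modem-looking interface is up: {name}")
    if len(active) > 1:
        findings.add(f"host has {len(active)} active interfaces, expected 1")
    for m in filter(None, map(ROUTE_RE.match, route_output.splitlines())):
        dest, dev = m.groups()
        if dest == "default":
            findings.add(f"default route present via {dev}")
            continue
        net = ipaddress.ip_network(dest, strict=False)
        if not any(net.version == a.version and net.subnet_of(a) for a in allowed_nets):
            findings.add(f"route to {dest} via {dev} leaves the isolated segment")
    return sorted(findings)

# Constructed sample: a laptop on the isolated LAN into which someone also plugged a Wi-Fi card.
SAMPLE_LINKS = """1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN mode DEFAULT
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP mode DEFAULT
3: wlan0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP mode DORMANT
"""
SAMPLE_ROUTES = """default via 192.168.43.1 dev wlan0 proto dhcp metric 600
10.0.0.0/24 dev eth0 proto kernel scope link src 10.0.0.5
192.168.43.0/24 dev wlan0 proto kernel scope link src 192.168.43.12
"""

if __name__ == "__main__":  # on a real host, feed it `ip -o link show` and `ip route show` instead
    for finding in audit(SAMPLE_LINKS, SAMPLE_ROUTES):
        print("VIOLATION:", finding)
```

Run it periodically from the isolated side (or compare the output against a known-good baseline) and every rogue Wi-Fi card, tethered phone or second NIC shows up as a violation the moment it gets an address and a route.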
Then there are the issues with data transfer. Air-gapped networks are difficult to maintain, but what happens when you have to move data from that air-gapped network to somewhere else? What if you have to install printer drivers or update your anti-virus signatures? Doesn't sound so easy now, does it?
You can probably guess I'm not a big believer in disconnected, or air-gapped, networks, simply because I believe that in all but the most extreme cases they aren't practical... even if they are possible.
Cross-posted from Following the White Rabbit