Slashdot Mirror


Ask Slashdot: Patch Management For Offline Customer Systems?

New submitter Nillerz writes: What, in your experience, is generally the best way to distribute patches in a way so customers can download them, considering that the machines are offline? Are there any software packages (open source preferred) that pretty much allow engineers to upload a patch with a description to a web server, and allow customers with credentials that are registered in LDAP to browse and download them quickly? And if not, how do you distribute patches to air-gapped machines?

78 comments

  1. Is there even a reason to patch airgapped machines by Anonymous Coward · · Score: 0

    Assuming that the machine will never, ever be exposed to the Internet, and that physical security ensures arbitrary code will never run on the device, why would you ever patch it?

  2. Re:Is there even a reason to patch airgapped machi by El_Muerte_TDS · · Score: 4, Insightful

    To fix non-security related bugs.

  3. Download while offline? by Anonymous Coward · · Score: 1

    How exactly would they download patches from a web server if they are offline?

    1. Re:Download while offline? by Fwipp · · Score: 1

      This whole question is a trainwreck.

      "Are there any software packages (open source preferred) that pretty much allow engineers to upload a patch with a description to a web server, and allow customers with credentials that are registered in LDAP to browse and download them quickly?"
      If you've already got LDAP set up, you probably already got a network-accessible directory. Just put the patches in there.

    2. Re:Download while offline? by TsuruchiBrian · · Score: 2

      The webserver could be offline as well (i.e. intranet).

    3. Re:Download while offline? by Anonymous Coward · · Score: 0

      Offline?

      I do not think that word means what you think it does...

      (with apologies to the princess bride...)

    4. Re:Download while offline? by Anonymous Coward · · Score: 0

      I believe that WAPT (apt-get for Windows) can do this, it's a piece of software that some French people do and it works real well. The English documentation is not 100% perfect, but it does the work for many situations.

    5. Re: Download while offline? by Anonymous Coward · · Score: 0

      Exactly. Is this question a joke? The systems are air-gapped. There's only one choice, physical media.

      Although, LDAP is mentioned. So are they actually air-gapped? Or are they isolated on a network without connection to the Internet?

      Honestly the best way to go about this if they don't have to be truly air-gapped is set up an internal management network that has no way to get out to the Internet and no way for devices to query one another with the exception of the managed devices querying the management server for policy and updates.

      If the systems have to be truly air-gapped, the obvious answer is to program a robot to go to each system, plug in a USB flash drive, and run the updates. But then you have to enable a USB port on a device that is air-gapped for some reason. And you have to program a robot.

    6. Re:Download while offline? by TsuruchiBrian · · Score: 1

      It does when you know the context of the situation. The reason to have an "offline" or "airgapped" machine is so that it is not able to be hacked into from other untrusted computers on the network (i.e. the internet).

      A computer can be completely isolated from other computers, but if you believe this makes the computer secure, then 2 computers talking to each other over an isolated network is also secure.

      The distinction between "computers" is artificial anyway. You can have multiple systems running in the same chassis and power supply, and storage, or multiple virtual machines running on the physical machine, etc. The only distinction that actually matters is which parts of a system are trusted or isolated from untrusted systems (e.g. isolated from the internet).

      Since there is no advantage to having a computer be isolated from all other computers as opposed to just having a network that is isolated from untrusted networks, it makes sense to treat an "offline" computer as one that is just not connected to the internet for purposes of security and administration.

  4. WSUS by t0rc · · Score: 0

    Stand up 2 WSUS servers, one on a connected network, one on the disconnected network. Download all products and classifications that you need on the connected one, sneakernet them over to the disconnected one and import them. https://technet.microsoft.com/... If you're going to need to patch custom applications, then you're going to need to look into something like Configuration Manager with SCUP if you want to have compliance data for the installation, otherwise you can just create a software distribution package.

  5. sneakernet by TWX · · Score: 3, Informative

    Ship encrypted files on flash with instructions for them to call when the media arrives. Provide phone support to walk them through the install process, where you provide the password to the files at that time. Once the patch is installed, walk them through formatting the flash media and mailing it back to you.

    If you really want to be fancy, make the installer check for something that is supposed to be on a legitimate customer system before it even prompts for credentials to decrypt the files, to make sure that it is being used on the correct machines and that it actually is the customer calling.

    --
    Do not look into laser with remaining eye.
    1. Re:sneakernet by Obfuscant · · Score: 1

      Ship encrypted files on flash with instructions for them to call when the media arrives. Provide phone support to walk them through the install process,

      Why bother with encryption? Why not have an automated process where you just put the USB stick in the USB hole and reboot, and the system finds the update and installs it? If you're worried about authenticating the update, sign it.

      where you provide the password to the files at that time.

      Free clue: if you don't want the user to get the update, don't send him the files. Why bother with a password?

      Once the patch is installed, walk them through formatting the flash media and mailing it back to you.

      The price for a USB stick is so low these days that it will cost more to manage the mailing and return than the stick is worth. And why do they have to format the media? Just let them delete the file if they want to, and then use the stick.

    2. Re:sneakernet by Githyanki · · Score: 1

      I work at a bank that has airgapped network for credit card processing. Encrypt files because you do not want hackers having the code that is used to process cards. USB and CDRoms are disabled on all systems to keep users out. To physically access the server, I need a manager and security guard to open the door, and they both have to stay there with me the whole time. Upgrades are scheduled weeks to months in advance.

    3. Re:sneakernet by Anonymous Coward · · Score: 1

      Because I'm an asshole that is going to replace your patch/binary with malware. At least with a password you can quickly tell something went wrong when there is no password requirement anymore.

    4. Re:sneakernet by tlhIngan · · Score: 1

      The price for a USB stick is so low these days that it will cost more to manage the mailing and return than the stick is worth. And why do they have to format the media? Just let them delete the file if they want to, and then use the stick.

      NO, you cannot reuse the stick.

      First off, the network is probably airgapped for a reason. There are many known attacks to airgaps, and using a USB drive is a great way to infiltrate and exfiltrate information.

      Think something like Stuxnet - it infected an airgapped network, and for that to work, the creators probably did tricks to exfiltrate information to get a map of the network layout. If you know someone is going to plug in a USB stick, then stick it into their PC, that's a good way to transfer information out of the airgap - while the USB stick is in, you write all your data to it along with an exploit so the user gets infected when they go format the disk, the information is copied to the user's computer for transmission. And then the exploit is put back on the USB drive in case the PC used can't transmit to the internet.

      The only safe way is after the USB stick is used, is to destroy it.

      Also, always assume that your airgapped network is infected. There are many instances where this has been the case - even the US Air Force got their drone control computers infected through USB sticks (meant to update map data).

    5. Re:sneakernet by steelfood · · Score: 1

      At the end of the day, the only way to update an airgapped machine is via sneakernet. USB, DVD, 3.5 floppy, it doesn't really matter. If you can beam an update into a machine via say, IR, it wouldn't be air-gapped.

      If you have an entire air-gapped network, then any normal package manager would work. Just have to update the server via sneakernet and push the patch out from there.

      --
      "If a nation expects to be ignorant and free in a state of civilization, it expects what never was and never will be."
    6. Re:sneakernet by techno-vampire · · Score: 3, Insightful

      Ship encrypted files on flash with instructions for them to call when the media arrives.

      No. Not on flash. Flash can be intercepted and modified. Send it on a CD/DVD that's not rewritable, and send a hardcopy of the MD5 hash in a second package. Then, before running the update, calculate the hash and compare it by eye with the hardcopy. I won't say that it's impossible for anybody to slip an infection past this, but it's not going to be easy, especially if you send the two parts of the message by different companies.

      --
      Good, inexpensive web hosting
    7. Re:sneakernet by Anonymous Coward · · Score: 1

      Which can be done much better with signed software: distribute the public key with your software, and distribute software as an archive. That archive contains 4 files: a file containing a version number, a file containing the software installer/all files, and signatures for both files. To install, you check the signatures and then compare the version number to the current version number; if the checksum is valid and the version number is newer, then you install the software. Passwords are hackable/sniffable, and don't have the one-way uncrackable style that a cryptographic signature gets you.

    8. Re:sneakernet by TWX · · Score: 1

      I was assuming that this was more of a medium-security system. It's offline because it has no reason to be online, as opposed to being offline because it has a specific reason to not be online.

      If it has a specific reason to not be online, then I expect that it might not even have an optical drive, depending on what it's used for. If it's that important then it might not even have external USB ports either. A service technician would have to open up the computer to use an internal USB header to interface to whatever media the update is delivered on. No external USB and no externally-accessible media readers mean that those with casual use of the machines (like another comment mentioning a military drone-aircraft application) probably can't physically tamper terribly easily, but the service technician could do whatever is needed.

      I did some quick searching to see if anyone makes a single-write PROM on USB; I could not find one. It looks like about four years ago Toshiba announced an SD module that was write-once through the way its onboard controller was programmed, but I couldn't find a source for them, and if it's a matter of programming in the SD controller I'd be concerned that someone sufficiently motivated might still try to tamper with the SD controller to let them then tamper with the contents.

      It does look like there's a shortage of modern read-only tech these days, optical disc appears to really be the only game in town and it comes with its own baggage.

    9. Re:sneakernet by TWX · · Score: 1

      The price for a USB stick is so low these days that it will cost more to manage the mailing and return than the stick is worth. And why do they have to format the media? Just let them delete the file if they want to, and then use the stick.

      NO, you cannot reuse the stick.

      First off, the network is probably airgapped for a reason. There are many known attacks to airgaps, and using a USB drive is a great way to infiltrate and exfiltrate information.

      Think something like Stuxnet - it infected an airgapped network, and for that to work, the creators probably did tricks to exfiltrate information to get a map of the network layout.

      The only safe way is after the USB stick is used, is to destroy it.

      That's part of why I suggested formatting and then sending it back: if the method of couriering the media is secure, then the originating party can inspect the flash (as formatting isn't terribly thorough), but formatting it might stop the malware from actually executing on a random third party's computer if something happens and the media is lost. I suppose that is inadequate in some applications though. Maybe a way to preserve the USB media for forensic inspection would be to have a literal bin like hospitals use for sharps disposal where the used media are deposited, to be collected periodically by someone who will forensically analyze them to check the health of the air-gapped network before destroying them.

      Also, always assume that your airgapped network is infected. There are many instances where this has been the case - even the US Air Force got their drone control computers infected through USB sticks (meant to update map data).

      I'm a bit disappointed in the lack of PROM options these days. It seems like it's making this more difficult than it used to be, especially with the demise of conventional serial and parallel.

    10. Re:sneakernet by Obfuscant · · Score: 1

      The only safe way is after the USB stick is used, is to destroy it.

      If you can't trust your vendor to not send you malware on a USB stick, you don't put it into the airgapped system in the first place, and then you find a different vendor. So I guess "USB stick" as a way of getting data into an airgapped system is not acceptable. That would seem to apply to other methods of entering an update except, perhaps, getting a printed sheet of paper with source code on it. You first have your programming experts look through the source code, then they type it in and recompile.

      Also, always assume that your airgapped network is infected.

      Then you have to always assume that anything the vendor sends you with an update is infected and you can't do updates. "Encryption" gets you nothing, nor will signatures or checksums.

      I think you have to figure out the level of security you're trying to achieve, and I don't see in the question being asked that there is any special security concern involved, only that the system to be updated is not online. There are any number of reasons for that besides "we're running mission critical top secret stuff on it."

      In any case, a vendor requiring that the customer format and return the USB stick is ridiculous. USB sticks cost so little these days that managing such a system will eat up any cost savings very quickly, and if the customer doesn't want to format it then what business is it of the vendor? I commented on a VENDOR requirement, not what good practice for the customer might or might not be.

    11. Re:sneakernet by Obfuscant · · Score: 1

      That's part why I suggested formatting and then sending it back, if the method of couriering the media is secure then the originating party can inspect the flash (as formatting isn't terribly thorough)

      And just what good to the customer is it if you inspect a formatted USB stick and find nothing on it? I suppose you did a full byte-level dump on it before sending it and are going to compare to see if any of the blocks outside the filesystem management ones are different. And if you find something, does that just mean that the system wrote a file to it, or is it a sign of infection? Do you call the customer in a panic, just to have him tell you "yeah, we copied the system log files onto it since we were there and had the space on the stick"?

      but formatting it might stop the malware from actually executing on a random third-party's computer if something happens and the media is lost.

      Why is that the vendor's problem?

      I'm a bit disappointed in the lack of PROM options these days. It seems like it's making this more difficult than it used to be, especially with the demise of conventional serial and parallel.

      What makes you think "conventional serial and parallel" can't be used to download malware? And PROM is cheap, but why would you think that PROM can't be used to install malware?

      I think you're over-reading the question. Nobody said this was a nuclear weapons manufacturing system that needed top-secret security. It's just not online.

    12. Re:sneakernet by Obfuscant · · Score: 1

      That's why I said "If you are worried about authenticating the update, sign it." You replace my patch with malware. You put a password on the encrypted file that you got from some other customer after I told it to him. Bingo, you have an "encrypted" patch that has the right password. You win.

      You don't have my private key to sign it with. When the signature doesn't match, you don't win. No password needed. No encryption needed.

    13. Re:sneakernet by Obfuscant · · Score: 1

      It does look like there's a shortage of modern read-only tech these days, optical disc appears to really be the only game in town and it comes with its own baggage.

      It's a buck for a blank CD-ROM, or less. It has no more baggage than a USB stick. If you don't have a USB port on the system and are going to have to open the box to plug a USB header onto the MB, then plug a USB CD into it. It's YOUR verified CD reader so there's no issue with it having malware.

      And if you say you can't trust the CD from the vendor to be malware free, then you need to explain why you would trust a USB PROM to be malware free from the vendor.

    14. Re:sneakernet by gutoandreollo · · Score: 1

      > make sure that it is being used on the correct machines and that it actually is the customer calling.

      I once read (my guess would be reddit's Tales From Tech Support) about people sending off sealed racks with a rubber chicken rigged to the rack doors, with express instructions to NEVER OPEN THE RACK, and call if something happened. Any time someone called regarding a rubber chicken, support could tell right away their warranty was void, since they could only know this if they did the one thing they were told not to do.

    15. Re:sneakernet by Anonymous Coward · · Score: 0

      Don't listen to the guy who thinks MD5 hashes are a good idea.

    16. Re:sneakernet by Anonymous Coward · · Score: 0

      CDs can be intercepted and replaced. hashes can be used to verify stuff on flash too.

    17. Re:sneakernet by Anonymous Coward · · Score: 0

      If you are using RPMs, it is possible to sign them. That works out better than an MD5 hash from a security standpoint (stronger than MD5) and from a user standpoint (the hash is checked at install time, unless a user explicitly disables that).

      Captcha = intrude
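
The signed-archive scheme described a few comments up (a version number, the payload, and signatures over both, checked before the version comparison), the earlier suggestion that the installer first look for something that only exists on a legitimate customer machine, and the point that a signature beats a password because the attacker lacks the private key can all be shown in one piece of code. The following is an added example and is not code from the original thread or from any vendor mentioned in it. It uses Ed25519 from Go's standard library; the manifest layout, the field names, the `MachineID` value (assumed to be read from a file present only on real customer systems), and the sample payload are all assumptions constructed for this example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"encoding/json"
	"errors"
	"fmt"
)

// Manifest is the metadata shipped beside the payload on the media. The
// installer verifies the signature over these bytes before it reads any of
// them. (Hypothetical format for this example, not a real vendor's schema.)
type Manifest struct {
	Product       string `json:"product"`
	Version       int    `json:"version"`        // must exceed the installed version (anti-rollback)
	TargetID      string `json:"target_id"`      // identity the installer expects to find on a legitimate machine
	PayloadSHA256 string `json:"payload_sha256"` // hex digest of the payload bytes
}

// Bundle is what goes on the stick or disc: manifest, detached signature, payload.
type Bundle struct {
	ManifestJSON []byte
	Signature    []byte
	Payload      []byte
}

// Installed is the state the installer reads from the air-gapped machine.
type Installed struct {
	Product   string
	Version   int
	MachineID string // assumed: read from a file that only exists on real customer systems
}

var (
	ErrBadSignature    = errors.New("manifest signature does not verify against the pinned vendor key")
	ErrWrongProduct    = errors.New("bundle is for a different product")
	ErrWrongTarget     = errors.New("bundle is not intended for this machine")
	ErrRollback        = errors.New("bundle version is not newer than the installed version")
	ErrPayloadMismatch = errors.New("payload digest does not match the signed manifest")
)

// NewVendorKey generates the vendor's signing key pair. The private half never
// leaves the vendor; only the public half is pinned inside the installer.
func NewVendorKey() (ed25519.PublicKey, ed25519.PrivateKey, error) {
	return ed25519.GenerateKey(rand.Reader)
}

// MakeBundle is the vendor side: digest the payload, build the manifest, sign it.
func MakeBundle(priv ed25519.PrivateKey, product string, version int, targetID string, payload []byte) (Bundle, error) {
	sum := sha256.Sum256(payload)
	m := Manifest{Product: product, Version: version, TargetID: targetID, PayloadSHA256: hex.EncodeToString(sum[:])}
	mj, err := json.Marshal(m)
	if err != nil {
		return Bundle{}, err
	}
	return Bundle{ManifestJSON: mj, Signature: ed25519.Sign(priv, mj), Payload: payload}, nil
}

// VerifyBundle is the installer side. The signature is checked first so that
// nothing unauthenticated is ever parsed; then product, target machine,
// version (rollback), and finally the payload digest.
func VerifyBundle(pub ed25519.PublicKey, b Bundle, st Installed) (Manifest, error) {
	var m Manifest
	if !ed25519.Verify(pub, b.ManifestJSON, b.Signature) {
		return m, ErrBadSignature
	}
	if err := json.Unmarshal(b.ManifestJSON, &m); err != nil {
		return m, err
	}
	if m.Product != st.Product {
		return m, ErrWrongProduct
	}
	if m.TargetID != st.MachineID {
		return m, ErrWrongTarget
	}
	if m.Version <= st.Version {
		return m, ErrRollback
	}
	sum := sha256.Sum256(b.Payload)
	if hex.EncodeToString(sum[:]) != m.PayloadSHA256 {
		return m, ErrPayloadMismatch
	}
	return m, nil
}

func main() {
	pub, priv, _ := NewVendorKey()
	machine := Installed{Product: "acme-ctrl", Version: 41, MachineID: "site-17-plc-gw"}
	payload := []byte("patch-42 contents") // constructed sample; a real one is the patch archive
	good, _ := MakeBundle(priv, "acme-ctrl", 42, "site-17-plc-gw", payload)
	if _, err := VerifyBundle(pub, good, machine); err != nil {
		fmt.Println("reject:", err)
	} else {
		fmt.Println("accept: install version 42")
	}
	// Same bundle with the payload swapped on the stick: the digest check catches it.
	tampered := good
	tampered.Payload = []byte("malware")
	_, err := VerifyBundle(pub, tampered, machine)
	fmt.Println("tampered payload:", err)
}
```

The installer treats the media strictly as data: nothing on it is executed, and the payload is only handed to the real install step after `VerifyBundle` returns nil. Putting the version inside the signed manifest is what turns "newer than what I have" into an anti-rollback check an attacker cannot satisfy by replaying last year's (genuinely signed) patch; the target identity does the same for the "is this really one of our machines" check, since a bundle lifted from one customer will not verify on another's `MachineID`.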

    18. Re:sneakernet by TsuruchiBrian · · Score: 1

      Why even have an airgapped network? They are all infected just like every other network. - That's the conclusion you should reach if you actually assumed airgapped networks are infected.

    19. Re:sneakernet by TsuruchiBrian · · Score: 1

      The only true way to protect an airgapped machine is write-only memory.

    20. Re:Sneakernet by TsuruchiBrian · · Score: 1

      And if you don't have a thumb drive, there are probably a bunch just strewn about the parking lot.

    21. Re:sneakernet by whit3 · · Score: 1

      It does look like there's a shortage of modern read-only tech these days, optical disc appears to really be the only game in town and it comes with its own baggage.

      It's a buck for a blank CD-ROM, or less. It has no more baggage than a USB stick. And if you say you can't trust the CD from the vendor to be malware free, then you need to explain why you would trust a USB PROM to be malware free from the vendor.

      It gets a bit more complicated, trusting a USB PROM; a CD filesystem can be end-user inspected and its MD5 checksum matched. A USB device, though, could include a PROM and a virtual keyboard with a script of malicious commands... or a transmitter or receiver.

      So you can trust YOUR USB device, but not one that came in the mail; the mail has a man-in-the-middle vulnerability that you cannot work around by matching a checksum. Secure data must arrive on a CD or similarly transparent medium that doesn't support the range of sneaky things that come in USB boxes.

  6. Easy by wbr1 · · Score: 1

    And if not, how do you distribute patches to air-gapped machines?

    Sneakernet + authorized tech + calendar/ticket tracking

    --
    Silence is a state of mime.
  7. Re:Is there even a reason to patch airgapped machi by allquixotic · · Score: 4, Informative

    Or maybe you might have an airgapped "kiosk", with a keyboard and/or mouse and a dedicated application running modal (so it can't be bypassed to access the OS, perhaps without some hardware hacking). If it's non-networked, or only networked locally to some other system on-site, but still accessible to "users" who aren't fully trusted to the same level as the CEO (e.g., line employees, general public customers, etc.), you might want to patch it *for* security vulnerabilities, such as "if the user presses Ctrl+Alt+Del, they can access the desktop" (or something equally based on the concept of user input -> system access). That would be an example of a software-based security exploit on airgapped equipment.

  8. I'm pretty sure... by Anonymous Coward · · Score: 0

    ...that a randomly generated nonsense question just slipped by Ask Slashdot's editorial board.

  9. Am I really that old? by Yaztromo · · Score: 1

    Am I really getting so old that people find this to be a legitimate question?

    Have I really been doing this for so long that there are now people who don't remember a time when disconnected machines was the norm?

    Am I the only one left here who remembers (for example) dialling for hours to get into the local IBM-run BBS to download the 21 diskette images needed to update OS/2 2.1 to the latest patch level, digging into the cabinet for several boxes of diskettes, de-imaging each and every one of those diskettes (my machine had two 3.5" floppies -- I could manage two at once!), rebooting off the first disk, and then feeding diskettes into the machine one at a time as prompted to update it?

    Honestly -- this is a long solved problem. Some of the technologies have changed (you probably don't need 21 USB thumb drives to contain your patch), but the basic idea remains: provide a downloadable patch image suitable for your application, have customers download it to a USB drive of sufficient size, and then have them boot from the drive or run a script or application from the drive to apply the patches.

    And if you're in some industry where you worry about your patches getting out into the wild or need to ensure patch security/validity (where hashes aren't good enough) or something odd like that, put your images onto USB thumb drives yourself and ship them to your customers physically (encrypted, if you have some reason to be uber-paranoid).

    Now get off my lawn!

    Yaz

    1. Re:Am I really that old? by Richard+Steiner · · Score: 1

      You're getting grumpy, old man. :-)

      --
      Mainframe/UNIX Bit Twiddler and long time Windows/Linux Hobbyist.
      The Theorem Theorem: If If, Then Then.
    2. Re:Am I really that old? by Yaztromo · · Score: 1

      You're getting grumpy, old man. :-)

      I'd reply, but I'm too busy shaking my fist and venting my anger at a passing small, fluffy white cloud.

      Yaz

  10. swap drives by John+Bresnahan · · Score: 2

    I worked on an airplane-based system, and we had removable hard drives which we swapped any time we had to update the software. This way, each upgrade also restored the system to a pristine condition.

    I've also done this with CD-ROMs. One nice thing about booting and running from a CD-ROM is that it's impossible for it to be "hacked" (short of creating a new version and sneaking it in to the physical machine).

  11. What corporations do by Anonymous Coward · · Score: 0

    What companies do is set who is responsible for updating such a PC/server/whatever. Notification is sent via email, and the software is available for download on the company website. A trained engineer needs to download it, transfer it, and install it.

    I also know that they don't do it for a year or two but that is other story.

  12. Re:Is there even a reason to patch airgapped machi by Anonymous Coward · · Score: 0

    ...but still accessible to "users" who aren't fully trusted to the same level as the CEO (e.g., line employees, general public customers, etc.), you might want to patch it *for* security vulnerabilities...

    It amazes me that CEOs are perceived by anyone to be anointed with some sort of perfect trustworthiness or for that matter ANY level of trustworthiness higher than any other employee.

  13. WSUS Offline by Mr.Intel · · Score: 1

    For Windows machines, I use WSUS Offline. It also comes in handy when I'm at a customer site and their internet is so slow that I can't patch a single machine in a day. Yes, there are still areas of the world where DSL is sold at less than a Mbps download.

    --
    ASCII tastes bad dude.
    Binary it is then.
    1. Re:WSUS Offline by Anonymous Coward · · Score: 0

      Yes, there are still areas of the world where DSL is sold at less than a Mbps download.

      Like in downtown Seattle. Residential 1.5 Mbps DSL with CenturyLink is more than $70 per month.

    2. Re:WSUS Offline by rjforster · · Score: 1

      Yep. WSUS Offline for the Windows boxes (although most of my offline Windows installations are XP VMs, so they are already as fully patched as they are ever going to be). Then we have an Umbongo server that serves all the Umbongo patches to the various offline workstations that host the VMs. A download script and a bit of rsyncing and the update server stays fresh.
      The only issues are the rare times someone needs a MS patch that isn't covered by WSUS Offline, in which case they deal with it manually using MBSA.
      Actually the hardest bit is getting the old-as-hills patches for various tools that we need to run. But running them offline doesn't make getting them in the first place any worse.

  14. MBSA + WSUS CAB File by ItsPaPPy · · Score: 2

    Microsoft has a product called Microsoft Baseline Security Analyzer. When you combine it with the WSUS CAB file, it will output an XML file of all patches installed and (more importantly) not installed on your machine.

    With some small scripting (VBS, Powershell, etc), you parse the XML and find the needed patches in a patch repository.

    Then you can remotely push all of that out via PS-Remoting or PSExec, and your offline/air-gapped network can stay patched.

  15. Re:Is there even a reason to patch airgapped machi by onkelonkel · · Score: 1

    Maybe it was a typo. - "users" who _ARE_ fully trusted to the same level as the CEO (e.g., line employees, general public customers, etc.). Because around here we assume the CEO is no more computer aware than the guy guarding the loading dock.

    --
    None of them can see the clouds; The polished wings don't care.
  16. rpm/yum deb/apt ? by TsuruchiBrian · · Score: 1

    I feel like I must be missing something important...

    1. Re:rpm/yum deb/apt ? by TsuruchiBrian · · Score: 1

      I guess technically I should have said "dpkg/apt"

    2. Re:rpm/yum deb/apt ? by sconeu · · Score: 1

      What part of offline and airgapped did you have a problem understanding?

      --
      General Relativity: Space-time tells matter where to go; Matter tells space-time what shape to be.
    3. Re:rpm/yum deb/apt ? by TsuruchiBrian · · Score: 1

      First of all you can install .rpm and .deb packages without being "online". Secondly you can be "airgapped" (i.e. not connected to the internet), and still install software using yum and apt from a server on an intranet, and actually this is quite convenient as it allows you to install software updates on many different machines simultaneously.

      Maybe you should be more knowledgeable before you decide to act like a prick.

    4. Re:rpm/yum deb/apt ? by sconeu · · Score: 1

      And look at the subject.

      It's implicit that GP is not talking about .rpms and .debs, but rather the yum and apt files. And yes, you can run an airgapped intranet (I've done it myself for classified data), but it pushes back the question one level.

      How do you get said updates onto the airgapped network?

    5. Re:rpm/yum deb/apt ? by TsuruchiBrian · · Score: 1

      It's implicit that GP is not talking about .rpms and .debs, but rather the yum and apt files.

      I have read this sentence 5 times, and I still have no idea what you are talking about.

      And yes, you can run an airgapped intranet (I've done it myself for classified data),

      congratulations

      but it pushes back the question one level.
      How do you get said updates onto the airgapped network?

      How do you get anything on to an airgapped network? You don't have many options which makes this easy. Write once optical media (e.g. CDR, DVDR, BDR), provides the most security, as it prevents one avenue for data to escape the airgapped network (presumably the reason for the airgap in the first place).

      To a person who has run an airgapped intranet for classified data, I would have assumed that part was obvious.

      Furthermore, from the description, it is the customer who is dealing with the data crossing the airgap. What I am suggesting is that the format of the data crossing the airgap should be .rpm or .deb files. They can install those packages directly, or put them on an intranet server and have the updates applied with yum or apt.

    6. Re:rpm/yum deb/apt ? by sconeu · · Score: 1

      Pardon me. Yum and apt applications, not files.

      How do you get anything on to an airgapped network? You don't have many options which makes this easy. Write once optical media (e.g. CDR, DVDR, BDR), provides the most security, as it prevents one avenue for data to escape the airgapped network (presumably the reason for the airgap in the first place).

      Which is what the story poster was asking. There was no need for yum or apt.

    7. Re:rpm/yum deb/apt ? by TsuruchiBrian · · Score: 1

      Which is what the story poster was asking. There was no need for yum or apt.

      If you read what the story poster wrote, he/she was asking about software packages that allow patches to be uploaded to servers where customers could download them, *and* how to distribute them on airgapped machines.

      The software packages I am recommending are versatile package management systems (dpkg, rpm) that also come with tools for distribution of packages (apt, yum).

      Once the software update package files are past the airgap, they still need to be installed. If one were to set up an apt/yum server on the airgapped network, it would make updating lots of machines much easier.

      So no, apt/yum are not necessary. I am *recommending* them as tools that provide potential benefits over the situation that would exist without them.

    8. Re:rpm/yum deb/apt ? by sconeu · · Score: 1

      You know what, I may have misinterpreted the story poster's question. Let's let it be, because there's no point to arguing here.

      --
      General Relativity: Space-time tells matter where to go; Matter tells space-time what shape to be.
  17. Cee-dee? by Anonymous Coward · · Score: 0

    Why can't you just put it on a cd and give them the cd?

  18. Re:Is there even a reason to patch airgapped machi by Anonymous Coward · · Score: 0

    ...but still accessible to "users" who aren't fully trusted to the same level as the CEO (e.g., line employees, general public customers, etc.), you might want to patch it *for* security vulnerabilities...

    It amazes me that CEOs are perceived by anyone to be anointed with some sort of perfect trustworthiness or for that matter ANY level of trustworthiness higher than any other employee.

    The person to whom you are replying obviously is a corporatist Amerikan with an unholy alliance with Satan...I mean Wall Street Bankers.

  19. Just use Stuxnet by 140Mandak262Jamuna · · Score: 1

    It somehow jumped the air gap and ended up in the industrial controllers in the Qum nuclear facility in Iran. It will find a way to get to your customers.

    --
    sed -e 's/Chuck Norris/Rajnikant/g' joke > fact
    1. Re:Just use Stuxnet by Macman408 · · Score: 1

      Yeah, I was gonna suggest this. Just put your update on a USB thumb drive with a rootkit, leave a few out in the parking lot, and wait. Someone will plug it in, at which point your drive can take over the machine and update it!

      At that point, you might also consider installing something else to help dodge the air gap to make future updates for your customer even easier; for example, try data transmission via ultrasonic frequencies to another compromised^w updated machine with a network connection!

  20. Windows Patching? by cyberblob · · Score: 1

    Hate to plug a windows product.. but we use shavlik protect with cloud.
    It allows you to control what is patched and handles laptop users who don't always connect via VPN often.

    The product needs work to work in larger environments. GUI is sometimes a little confusing too. Things are not where you would expect them for easy use.
    It also patches our ESXi environment.

    1. Re:Windows Patching? by Anonymous Coward · · Score: 0

      And just how the hell do you expect to use shavlik to patch air gapped systems?

      Patching connected systems is a well known problem. But the poster isn't asking about patching connected systems.

      Did you even read the fucking 3 sentences in the fucking submission?

  21. OpenBSD by Anonymous Coward · · Score: 0

    Easy to patch, robust, secure and scalable. Just do it!

  22. Yabba dabba doo by Karmashock · · Score: 1

    You have to have someone upload the patches to the airgapped machines using the sneakernet.

    I'm not quite getting what we're talking about here? Operating system patches? or program patches?

    Program patches are frequently offered in an offline format and MS offers patches like that as well.

    So I don't get what we're talking about here. What are we patching?

    To paraphrase Samuel L... Be specific, motherfucker.

    --
    I've decided to stop wasting my time responding to AC trolls/sockpuppets... so if you want a response from me... login.
  23. git? by godrik · · Score: 1

    If you are patching at the code level, I believe that git is a very good option, because the git repository can be moved as a standard directory and essentially contains all the patches and history. So even if the customer has custom patches, they can probably easily rebuild around it.

    And since a git repository is essentially a directory, you can simply put it on a disk or flash drive and send it by snail mail or courier.

  24. wsus by Anonymous Coward · · Score: 0

    Wsus. Easy enough.

  25. Just use git bundle by complete+loony · · Score: 2
    --
    09F91102 no, 455FE104 nope, F190A1E8 uh-uh, 7A5F8A09 that's not it, C87294CE no. Ah! 452F6E403CDF10714E41DFAA257D313F.
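    The two posts above (a git repository on removable media, and `git bundle` specifically) describe the sneakernet transport without showing it. The following is an added example, not code from either commenter: a connected-side function that packs either the full history or only the commits since a tag the customer already has, and an isolated-side function that refuses a bundle whose prerequisites are missing before fetching it into a review branch. The branch name `main`, the `incoming` review branch and the demo helper are assumptions for the illustration.

```shell
#!/bin/sh
# Added example: carrying commits across an air gap with "git bundle".
# Branch name "main", the "incoming" review branch and all paths are
# assumptions for the demonstration, not anything from the thread.
set -eu

# make_bundle REPO BRANCH BUNDLE [BASE]
# Connected side. Writes BUNDLE containing BRANCH. With BASE (a tag or commit
# the customer already holds) only the commits after BASE are packed, which is
# what a routine patch drop looks like; without BASE the whole history goes in.
make_bundle() {
    repo=$1; branch=$2; bundle=$3; base=${4:-}
    if [ -n "$base" ]; then
        git -C "$repo" bundle create "$bundle" "$base..$branch"
    else
        git -C "$repo" bundle create "$bundle" "$branch"
    fi
}

# import_bundle REPO BRANCH BUNDLE
# Isolated side. "git bundle verify" fails when the bundle's prerequisite
# commits are absent from REPO (e.g. a drop applied out of order), so nothing
# is fetched unless the bundle applies cleanly. The branch lands in "incoming"
# so the operator can diff and review it before merging into the working tree.
import_bundle() {
    repo=$1; branch=$2; bundle=$3
    git -C "$repo" bundle verify "$bundle" >/dev/null 2>&1 || return 1
    git -C "$repo" fetch -q "$bundle" "$branch:incoming"
}

# commit_file REPO FILE TEXT: small helper used only to build demo history.
commit_file() {
    printf '%s\n' "$3" > "$1/$2"
    git -C "$1" add "$2"
    git -C "$1" -c user.name=demo -c user.email=demo@example.invalid \
        commit -q -m "$3"
}
```

An incremental bundle (`make_bundle src main drop.bundle v1`) is the normal case: it is small, and `git bundle verify` on the customer side doubles as a check that the previous drop was actually applied. The bundle file itself is just bytes, so the same hash/signature checks a site applies to any other media payload apply to it.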
  26. Red Hat Satellite by Anonymous Coward · · Score: 0

    5.x supports 'disconnected' mode, and 6.1 will support it.

  27. apt-offline by Anonymous Coward · · Score: 0

    For Debian and derivatives, there is apt-offline. Allows you to write current patch state on an unattached machine to external media, and then get new patches and download them from an Internet connected machine. It can share a common cache dir on the removable media for multiple machines, so you don't have to download the same patch more than once.

  28. Dropbox is free by Anonymous Coward · · Score: 0

    or email the patch if small enough

  29. Sneakernet by Khyber · · Score: 1

    You're OFFLINE, bust out the thumb drive, image it, and start making your rounds to ensure they are properly applied like a good IT guy.

    --
    Still waiting on Serviscope_minor to wake up to fucking reality and realize that Jessica Price isn't going to fuck him.
  30. Provide an auto-installing download at ONE source by Anonymous Coward · · Score: 0

    I'm not sure what else your problem is. Give them a patch file. What the fuck?

  31. gnu by Anonymous Coward · · Score: 0

    tarball

  32. Re:Is there even a reason to patch airgapped machi by davester666 · · Score: 1

    No, the CEO will be even less computer aware than that guy. Most likely, the CEO will have his secretary print out his email. And read it to him.

    --
    Sleep your way to a whiter smile...date a dentist!
  33. "Ask" section is getting dumber and dumber :( by kosmosik · · Score: 1

    > What [...] is generally the best way to distribute patches

    Patches for what? For PC operating systems? PC software? Embedded computers?

    > in a way so customers can download them, considering
    > that the machines are offline?

    Well, you can't download anything when you are offline. You mean that customers download the patches, put them on removable media and install them on their machines...

    > Are there any software packages (open source preferred) that pretty much
    > allow engineers to upload a patch with a description to a web server, and allow
    > customers with credentials that are registered in LDAP to browse and download
    > them quickly?

    Yeah, like an SFTP server for uploading and a web server (e.g. Apache with LDAP modules) for customers?

    What exactly are you asking?

  34. MIF "message" mode?? by laurencetux · · Score: 1

    when the drive starts up have a message come up "Good[Morning|Afternoon|Evening] Mr %name% Your mission if you decide to accept it is to patch this system with the included files. As always if you or anyone on your team ..." and then when the patching program completes

    "This message will self destruct in 5 seconds"

    this will prevent reuse of the media

  35. I've only had to deal with this on one project by msobkow · · Score: 1

    I've only had to deal with air-gapped machines on one project, but we used to send out engineers/developers to upgrade those machines. They were security-critical, so we couldn't have customer support staff getting root access to do upgrades, and they were too operationally-critical to trust to automated update disks (not USB sticks -- those can be modified in shipping.)

    So we sent staff to do the installs and updates. Not that there was a huge client base, and it was a pricey project, so the cost was negligible. But the customers were not willing to have anyone other than a trained technician doing the upgrades who was ready to deal with any "situations" that might arise. And they did arise -- twice.

    Had we not had technicians on site during those issues, the customers would have been down for at least a day while staff were flown out, and we would have been lynched.

    --
    I do not fail; I succeed at finding out what does not work.
  36. unidirectional gateways by aginter · · Score: 1

    We see our customers using a few technologies routinely to update "air gapped" networks, to apply updates from standard sources: anti-virus vendors, Microsoft, etc. - no special software is used on the patch/update repository:

    (1) If safety is the goal (e.g. power plant control networks, train control systems), people deploy a Waterfall FLIP. The FLIP unidirectionally replicates industrial servers to external networks so corporate users can see the data, and reverses direction on a schedule to pull updates. When oriented out of the network, the FLIP hardware is physically unable to send any signal or attack back into the control system network. The orientation reverses on a schedule, typically only briefly, because we don't want to let the corporate replicas fall too far behind the industrial sources. When oriented back into the protected network, the FLIP software reaches out and pulls updates from AV, Microsoft, Linux and other vendors periodically; the software checks crypto / signatures as configured, does virus scans, and pushes good updates into the protected network. The FLIP software on the protected/inside/receiving network repeats the checks and sends clean updates to a WSUS, AV server or other repository on the control system network.

    (2) If confidentiality is the goal (e.g. a classified network), deploy a Unidirectional Security Gateway oriented into the protected network. The gateway software automatically pulls updates as above and sends them through the gateway hardware into the protected network. Nothing ever gets out - the gateway hardware prevents any signal or message from ever reaching the external network / Internet.

    We see a lot of people doing manual updates as well. A Unidirectional Gateway replicates servers from a safety-critical or reliability-critical control system network out into corporate. When updates of the control system are needed, those updates are pulled manually from whatever website and crypto signatures and other authentications are checked manually on a corporate workstation, and approved updates are written to removable media. The most cautious customers use CD-ROM instead of USB, because of the CPUs and hackable firmware embedded in all USB gear. They carry the media to a workstation on an isolated "cleansing" network. They scan it again with anti-virus, and again check crypto signatures & hashes. They burn a copy to brand new media, throwing the old one away. They carry the new CD/media into a dedicated control system test network. They install and test the update. When it passes test, they carry the update to the live control system network.
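The manual procedure in the post above repeats one step at every hop (corporate workstation, cleansing network, test network): check the hashes of what is on the media, and make sure nothing is on the media that was not supposed to be. The following is an added example, not code from the commenter or from any vendor product named in the thread, of that step as a POSIX shell function. It assumes GNU coreutils `sha256sum`, a manifest in `sha256sum` output format (assumed name `manifest.sha256`) that was already authenticated against the vendor's signature on the connected side, and it goes slightly beyond the text by also rejecting unlisted files, since a stray file is exactly what should not cross the gap unnoticed.

```shell
#!/bin/sh
# Added example: integrity check for a staged update set before it is written
# to (or after it is read from) removable media. Assumes GNU coreutils
# sha256sum and a manifest in "hash  filename" format whose authenticity
# (vendor signature) was verified separately. File and manifest names here
# are constructed for the demonstration.
set -eu

# verify_staged_update DIR [MANIFEST]
# Returns 0 only when every file named in the manifest exists in DIR with the
# listed SHA-256 and DIR contains nothing else (besides the manifest).
verify_staged_update() {
    dir=$1
    manifest=${2:-manifest.sha256}
    [ -f "$dir/$manifest" ] || { echo "missing manifest $manifest" >&2; return 1; }

    # Step 1: every listed file hashes correctly. sha256sum -c prints the
    # offending file name itself when a digest does not match.
    ( cd "$dir" && sha256sum -c "$manifest" >/dev/null ) || return 1

    # Step 2: nothing unlisted is present. Each manifest line is
    # "<hex digest> <space or *><name>"; strip the prefix and compare exactly.
    for path in "$dir"/*; do
        name=${path##*/}
        [ "$name" = "$manifest" ] && continue
        awk -v n="$name" '
            { sub(/^[0-9a-fA-F]+ [ *]/, ""); if ($0 == n) found = 1 }
            END { exit !found }' "$dir/$manifest" \
            || { echo "unlisted file: $name" >&2; return 1; }
    done
    return 0
}

# build_manifest DIR [MANIFEST]
# Vendor-side helper: hashes every regular file in DIR into the manifest.
# The manifest is written to a temporary name first so it is never hashed
# into itself.
build_manifest() {
    dir=$1
    manifest=${2:-manifest.sha256}
    (
        cd "$dir"
        rm -f "$manifest"
        sha256sum -- * > ".$manifest.tmp"
        mv ".$manifest.tmp" "$manifest"
    )
}
```

Running `verify_staged_update` at each hop of the post's procedure (before burning, after the cleansing-network scan, before install on the test network) gives the same answer for the same bytes, which is the point: the media, not the operator's memory, is what gets re-checked. Both functions return non-zero on any problem, so they can be dropped into a larger script that aborts the burn or the install.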