Slashdot Mirror
Ask Slashdot: Best Way To Isolate a Network And Allow Data Transfer?
Futurepower(R) writes: What is the best way to isolate a network from the internet and prevent
intrusion of malware, while allowing carefully examined data transfer
from internet-facing computers? An example of complete network isolation could be that each user would have two computers with a KVM switch and a monitor and keyboard, or two monitors and two keyboards. An internet-facing computer could run a very secure version of Linux. Any data to be transferred to that user's computer on the network would
perhaps go through several Raspberry Pi computers running Linux; the computers
could each use a different method of checking for malware. Windows computers on the isolated network could be updated using Autopatcher, so that there would never be a direct connection with the internet. Why not use virtualization? Virtualization does not provide enough separation; there is the possibility of vulnerabilities. Do you have any ideas about improving the example above?
SneakerNET?
"Tempers are wearing thin. Let's just hope some robot doesn't kill everybody." --Bender
Is it 1998?
Is Futurepower still alive? That guy is a nutjob.
I'm going to answer the question even though Futurepower(R) is a schizophrenic nutjob. The answer is there is no way to do it. If a computer is on a network it isn't secure and it can't be isolated. A "network" is the anthesis of isolation. If you connect it to the Internet, game over man.
Firewall?
Really, the manufacturers track threats and release mitigations better than you can, and are built for exactly what you're asking. Daisy-chain ones from different vendors if you're really anal.
"National Security is the chief cause of national insecurity." - Celine's First Law
Separates different browser and email tasks into virtualized jails.
https://www.qubes-os.org/
Kinda like Sandboxie. Speaking of which, sandboxie?
My Other Computer Is A Data General Nova III.
Data Diode aka unidirectional network.
Look up Owl Cyber Defense. These one way transfers are sued in the DoD and Intel Communities to move data up to classified networks. Be they're not cheap. A cheap an easy way, wire snips and cutting the return wire in the CAT5....essentially turning everything into one way UDP.
Do you have any ideas about improving the example above?
How about making it simpler? Why do you need a bunch of Raspberry Pi computers? What could they do that 1 modern x64 computer can't? Or even just 1 Raspberry Pi computer if you don't need the extra processing power.
Any data to be transferred to that user's computer on the network would perhaps go through several Raspberry Pi computers running Linux
You are so incredibly out of your depth you don't even know it.
You dont need the internet, get out while you can. Also make sure to kill the lan/phone wires with fire, or else it doesnt work.
Or 10pcs with 3.5 inch floppy drives, all running same norton antivirus, and you pass data through that config before you enter the network. Case.. malware and shit.
Make the secure network IPX, nobody has seen it in 20 years, any malicious code running on the internet connected side won't even look for it.
I know, security by obscurity...
Also BSD not Linux.
John McAfee 'It was like that time I hired that Bangkok prostitute; to do my taxes, while I fucked my accountant'
Why use multiple computers? What's the problem with Virtualization? Virtualize the firewall, slap on a tight-ass linux with bare minimums to perform routing/firewalling for the host machine. Works great for me. Very tiny attack surface (SSH at the very most, if even that.)
If you really care about isolation, like the kind we are talking about for SIPRnet and so on then you need to use data diodes and controls.
A data diode is a hardware device that only allows transfers in one direction. That way you can make sure that when you are bringing data in to the network, no egress can happen, and such. They are very specialty, and very expensive.
However more important than that is proper controls. That means policies and procedures that are followed rigorously. You have to make sure that people are extremely careful with how data is moved from one network to another and what data is moved. You need a process that specifies things like who can decide data to be moved, who approves it, who reviews it, how this is all done and so on.
If this is really important, well don't try to do it yourself based on some posts on Slashdot, you need to hire some experts. You also need to spend lots of time in the design and planning stages, you need to careful consider and document how everything will be set up and all the controls in place.
https://en.wikipedia.org/wiki/Unidirectional_network
I have seen these used with great success in very important networks.
There are many solutions each with its own pros and cons. But without understanding what it is you are doing you are really wasting everyones time. Go into the details and help us understand the purpose and situation to what it is you wish to achieve and /. will do it's best to help you.
Those who can, do. Those who cannot, sue.
Privileged Access Workstation. a secure locked down and hardened machine which then runs VM's for each of the networks with appropriate restrictions on each. Provides the user with convenience while still providing hardened configuration and separation.
Most security tools slow you unlike hosts (& most malware uses hostnames) via APK Hosts File Engine 9.0++ SR-7 32/64-bit https://www.google.com/search?hl=en&source=hp&biw=&bih=&q=%22APK+Hosts+File+Engine%22+and+%22start64%22&btnG=Google+Search&gbv=1/
Ads/script & malware rob speed/security/privacy
Hosts add speed (via hardcodes/adblocks), security (vs. bad sites/malware/poisoned dns), reliability (vs. dns down), & anonymity (vs. dns requestlogs/trackers).
Less power/cpu/ram + IO use vs. DNS/routers/addons/antivirus + less security bugs/complexity & faster vs. addons/routers/remote dns!
Avoids DNSChangers in routers/IP settings & dns redirects (99.999% of ISP DNS != patched vs. it) + lightens DNS load & resolves faster from local system RAM!
* Via what u NATIVELY have in the IP stack in FASTER kernelmode!
APK
P.S. - Safe https://www.virustotal.com/en/file/e01211ca36aa02e923f20adee0a3c4f5d5187dc65bdf1c997b3da3c2b0745425/analysis/1433430542/
http://www.raytheon.com/capabilities/rtnwcm/groups/gallery/documents/digitalasset/rtn_216064.pdf
Almost never have I ever seen a secure network that needed to get information in from the internet. sending it outward? yes. and that is easily done with a one way ethernet cable. 100% hacker proof even if you got the 100 best hackers in the world together and told them the address of the switch it was plugged into as well as the port number, they will never be able to get into the system on the other end.
But get information in to that secure network? what for? Every single high security network I have seen is high security to protect the information or control system within. not the other way around.
2 NICs on internet facing PC.
2nd NIC is to secure computer.
A hardware firewall between the 2 computers that allows only single direction UDP from a single port
Proprietary protocol to send the data from 1st PC to 2nd. Manual resend (view error messages on 2nd screen) to determine a file or packet needs to be resent.
Of course, what's the point. All data on the 2nd PC was once on the first PC, so all of it can still be viewed or altered.
What security do you think this is providing?
Data transfers from insecure systems to secure systems is done through a one way cross domain data transfer system. Basically it's a separate system consisting of firewalls, intrusion detection and malware scanners that restricts inputs to specific sources and content (by IP, port, protocol, and data type).
In the secure systems world cross domain systems are on dedicated machines that are very tightly controlled.
But for private use you could probably whip something up using ESX to host virtual firewalls and malware scanners. I'd still put it in a separate box.
Also, you need to consider what kind of data you are transferring. Data types that typically contain mobile code are insanely more risky and are usually banned from low to high transfer so no ,exe, activeX, macros, java, etc.
What is the best way to isolate a network from the internet and prevent intrusion of malware, while allowing carefully examined data transfer from internet-facing computers?
Print it out and type it back into the computer you want to transfer it to.
Windows computers on the isolated network...
If you are using Windows then you are forfeiting a major advantage: absolute control of your system. Windows cannot even be trusted to respect it's own system settings let alone be worthy of being trusted. You should be suspicious of software written by corporations because their motive is profit, not security or even user satisfaction.
Anons need not reply. Questions end with a question mark.
WAN -> Firewall -> Firewall -> LAN. Each firewall from a different company, and some tinkering with the router configuration to make even compromised computers not sure where they are.
Also helps if you use machines with a completely alien architecture to what everyone else is running. Viva la Alpha, MIPS, etc. It's not that you can't attack them, it's just that your custom forged 'PC' is now in the .000000000000001% bracket of commonality with everything else out there. Do you know how much of a bastard it is to setup cross-platform compilers (with a recent version of GCC)? How about writing code for an architecture you can only emulate (need to go buy the machine, cost you a little; plus running an Alpha can triple your power costs, both in the electricity it uses to power itself and the amount of AC you need to stop sweating while being in the same room as it)? And you still have to go back to school to relearn things like memory management as things work a little different in the Alpha world than the x86 / x64 world.
linux is getting less secure. starting to look more like windows with lots of mystery processes running all the time.
a secure setup would require an as yet un-available operating system that distinguishes between software and files. i call it utopia
You need to go much simpler, for a lot of reasons. Humans need to use it. Humans need to choose to use it. Humans need to not go around it.
I think you need to base your solution around a presumed-infected node. I find working with the weeds to be better than trying to design a planter that weeds can't find.
Given "Machine A" as the user's actual workstation, internal, no outside access.
Given "Machine B" as the external-facing node, with whatever internet access you deem necessary, and we'll presume that it gets infected as a matter of routine. Maybe you wipe it daily, maybe you virtualize it. Maybe you leave it infected because it just doesn't matter.
I think you design a solution to transfer files from B to A. I've never heard of any malware jumping through an FTP connection. So maybe you transfer from B to A via a simple FTP connection (probably connecting from A to B). A simple batch-file script can do just as well.
This presumes that the file analysis is done on B. Otherwise, you could FTP from B to C (connection initiated from C), analyze it. If it's good, FTP from C to A, otherwise wipe C, just in case.
The point is, A has access to B and C, but B and C have no access to A.
Please stop posting random schitzo's thoughts on /.
Getting the interwebs to do their homework for them,
Aryeh Goretsky/ESET/NOD32: hosts = good security http://it.slashdot.org/comments.pl?sid=7442373&cid=49747129/
Malwarebytes hpHosts' hosts/RECOMMENDS me!
Brocke Wilders of WILDERS' SECURITY does inferior clone of MY work http://www.wilderssecurity.com/threads/hosts-block.378901/
Oliver Day (SYMANTEC/SECURITYFOCUS) http://www.securityfocus.com/columnists/491/ "Host file accessing the Internet - particularly browsing the Web - is actually faster... Spybot Search & Destroy offer lists of known malicious servers to add a layer of defense against trojans & other forms of malware"
Steve Gibson endorses hosts https://www.grc.com/sn/sn-045.htm/
OReilly hosts security -> http://oreilly.com/pub/a/windows/2004/03/30/hosts.html/ & hosts speed -> http://www.oreillynet.com/pub/a/network/excerpt/winxphacks_chap1/index1.html?page=3/
APK
P.S.=> So WHO THE HELL ARE YOU COMPARED TO THEM? A no balls UNIDENTIFIABLE do nothing jealous "ne'er-do-well" troll (& you know it)... apkb
You can build a gigabit one-way link out of three fiber optic transceivers for a few hundred dollars.
Place a tinfoil hat on each machine on your network. Voila! Problem solved.
UUCP perhaps?
* https://en.wikipedia.org/wiki/UUCP
Set up a RFC1819 non-routable Ethernet connection between the "inside" and "outside" hosts. Firewall the "inside" so only connections to tcp/540 are allowed.
I'm going to continue using the Host File Engine. Your software is well written, functional. The Host File Engine performs exactly as promised by mmell
his hosts program is actually pretty good by xenotransplant
his hosts tool is actually useful for those cases in which one does indeed want to locally block stuff outright while consuming minimum system resources by alexgieg
I've never tried to belittle (APK's) work, I've flat out said it's good by BronsCon
take a look at the APK hosts file engine by SuperKendall
APK is kinda right. I've tried his hosts file generating software. It works by bmo
I like your host file system by Karmashock
I find your hosts file admirable by vel-ex-tech
* YOU just took MY cock up your ass (along w/ EATING YOUR WORDS weasel)...
APK
P.S.=> Don't worry - MORE are coming next post... lol! apk
I support APK's stand on the hosts file by Trax3001BBS
Your premise that hostfiles are a good way to deal with advertising and malvertising is quite valid by JazzLad
APK's monolithic hosts file is looking pretty good by Culture20
ABP is insufficient as a solid hosts file does everything that APK reminds us about by fast turtle
APK isn't wrong by cfalcon
APK, I know people give you a lot of shit regarding hosts, but please don't ever stop by nasredin
You need APK's hosts file by Teun
APK solution STILL relevant by Thud457
you're right about hosts files by drinkypoo
APK
P.S.=> They're in addition to https://ask.slashdot.org/comments.pl?sid=10771127&cid=54665469 in my last post + 1,000's worldwide - there's no arguing w/ success OR denying you put my cock right up YOUR ass fool, lol (how's EATING YOUR WORDS taste?)... apk
Like he is going to solve his problem with Slashdot queries...
Understand how their staff get/got into networks/sites going back to the 1950's and what could be expected into the 2020's.
Work out what products and services are now for sale or have been found in the wild and could be used to extract your secure data.
Methods are shared with other "trusted" nations, staff keep methods get sold/kept for later private sector work.
Very advanced and unexpected methods are on the open market, back market, out in the wild.
Look at how governments failed to secure their own data and why.
Internet-facing computers had plain text data so it could be shared with trusted contractors and other agencies.
Internet connected computers got found doing interesting things and interesting people collected all tools on "secure" staging systems by following the networks back.
A USB stick gets dropped around a site of interest so staff walk in and bypass all security.
Nobody smart thought to test the "modem" or "hard disk" or just trusted the altered computer hardware that got "shipped" in.
A company hires staff without vetting and staff walk out will all the data.
A company finds a very secure building but low cost cleaning staff hold doors open for "workers" who can use an elevator and tell a nice story about needing to get back in to their office.
A nice sale is made of advance private sector crypto that is junk due to government backdoors.
Work out who wants your secrets. Another nation? Your own nation? Competitor? Someone who can afford to hire ex and former clandestine service professionals? A long term dual citizen?
Groups on the internet with no funding but who have unlimited time and very advanced skills?
A cult? Faith? Political groups? Private sector competition? SJW with funding?
What will they want? Collect it all? Some files? Production work? Prototypes and concepts? Will they have an expert to guide them in your network? Or have to collect everything and sort/sell/copy later?
Look back at how the NSA and GCHQ finally learned how to kept their secrets in the 1970-80's
What did the security services finally get right and understand after decades of walk outs and complex staff issues? What failed with all the trust in contractors after the 1990's?
If your company or data is interesting or has value someone is going to be looking. Down a network, a walk in from the street or as new staff.
Keep your secrets using compartmentalization.
If a server needs to have internet facing work, make sure its only for that project. If it has to have everything on it, hire a really good cryptographer.
Someone who is working for you, not with the government, not part time for a university, not as contractor, not some outside brand, not for some other nation.
Try and secure your work and use the networks the best you can.
Try and keep any future projects away from the production networks.
Think about your modems, your storage, what hardware got "shipped" in over the years? Other nations and the clandestine services thought of all that.
Set up really interesting fake projects and see who asks or looks?
Mid and low ranking staff ask too many questions hinting at terms they should not know? Do they just want a promotion or are they trying to get access?
CCTV shows new people wondering around at strange times?
A USB device found? Someone wanting to do charity work or to sell something been on site a lot? They want to give a quick presentation from a usb stick?
Staff getting amazing new friends who really want to see their office? Data is collected by placing a trusted physical device internally well past any average protection.
After a while a type writer, paper, a vault and guards could be a good idea for the best ideas.
Fill your computer networks with encrypted bait and see what walks in or out.
Domestic spying is now "Benign Information Gathering"
1. keep the isolated network completely disconnected from everything else in terms of networking interfaces and protocols
2. use only modem-based file transfers to periodically dial and *pull* curated files from the internet-facing computers (e.g. using xmodem/ymodem protocols)
This is you, lol saying: "Thank you Sir, may I have another?" https://it.slashdot.org/comments.pl?sid=10770685&cid=54665383/
* YES YOU CAN!
APK
P.S.=> "Ask & ye SHALL, receive" my cock dead up in your ass, lol - & then you ate your words 2x too https://ask.slashdot.org/comments.pl?sid=10771127&cid=54665469/ + https://ask.slashdot.org/comments.pl?sid=10771127&cid=54665509/ to top it off to make me laugh @ watching you dance as you play yourself? Oh, say it ain't so - you can't PAY for this kind of amusement... apk
Set up your isolated network and set up your internet-connected computer. Join them with a serial cable. Download stuff on the internet connected computer, transfer it to the private network using zmodem.
If virtualization is too risky, maybe you need to consider total isolation: faraday cage and tinfoil hat. Anything you use to transfer files can be compromised and transfer malware.
If you're only concerned about mainstream exploits, then make your own custom file-shoveler solution: browse, etc. on a net exposed computer, download to an external hard drive, then switch the hard drive to the isolated PC and scan with whatever you trust before moving it into the "green zone." Drives aren't smart enough to execute malware, and presumably you're going to scan everything before you bring it in. Of course, one of the things you're going to have to update from the net on a regular basis is your updated virus pattern files from whoever it is that you trust to keep up to date on these things.
If you're really concerned that someone is specifically targeting you... you're screwed, there's no way to beat than other than to pay attention to everything, all the time, and even then the attacker has the upper hand.
USB networking still exists.
It can be used so that the "secure" computer can see only one main directory (plus it's subdirectories) on the conventionally networked computer.
It has the added bonus that many machines have ports on the front so it can be plainly visible when the link is in place.
Why reinvent the wheel? If you really need this, you are probably employed at a place that can afford quality enterprise software. You can use Globalscape MFT with a DMZ host providing reverse proxy services, and enable FIPS 140-2 compliant mode encryption. It's not cheap, but it works great! You can even use workflows to run multiple antivirus engines on each file to ensure it is as virus-free as modern antivirus software is able to discern. If you are extremely concerned about personal security, your best bet is to avoid computers all together. If you must use a computer, remove the hard drive and use a Linux distribution on a bootable CD or DVD. Run an "owncloud" server on your own hardware, on your own Internet connection, to allow file transfer.
Consider implementing RFC 1149 - IP over Avian Carriers for transmitting data into your secure, air-gapped network. Although the latency is high, throughput is good and really, a little latency for the sake of security seems to be a minor cost to pay - besides the birdseed.
We have confidentiality standards, but that's not all of security. Nevertheless, having a B2-level machine between two mutually untrusting worlds provides you with a good place to review incoming exceutables and outgoing information. Do it using two humans, one called a sysadmin, the other a security administrator. Both must sign off before moving anything from one world (category/level, container) to another.
No go solve all the other problems in security (;-))
davecb@spamcop.net
It would be nice to have an internet connected machine and a hardened machine to store data/media/etc. Trick being passing data from internet machine to storage machine. Home use. Limited budget. Limited networking experience.
Just shove a network cable up your ass.
And examine every packet carefully.
Security is a tradeoff between usability and safety. You can use Xwindows to work on one remote machine, then cut and paste information to another. You lock the ever living sin out of all three.. the machine in the middle is locked down to doing only segregated X server sessions, and unable to do ANYTHING else. This is a gigantic pain in the ass. But it does put some serious obstacles in the way of malware. But this is probably too onerous of a process to use.. if someone needed this level of security they would get someone with real experience to make a brutal solution. So figure out what data needs to come in. Figure out a sanitizing system for your data. Figure out what processing needs to happen. Figure out where that data needs to leave. You need to simplify the process down as much as possible, and then put serious limits on the way things flow through the system. Have a submit system that is only designed to take in a couple megabytes. Use cgroups to limit your individual daemons to just above that. Is the data only going to be [0-9A-Za-z] then put a filter on your incoming data. Use modules that know about "tainted" variables. Docker isn't too bad IF you go full se-linux hardening (total PITA)
This is not perfect security. There is no such thing. That being said, here are the basics.
First, I'm assuming if you want to use these machines that you may want to surf the internet, particularly if your a dev and need to lookup something. Get some very fast network KVM's. Basically you want something that encodes to h264 if you can find it, then your only transmitting keyboard and mouse movements. Scan that while your at it, and log it, because, you never know. The KVMs network side would connect to the secure network, while video/mouse would connect to your public facing OS of choice.
Second setup run the internet through whatever the latest and greatest product is that provides a blacklist based proxy server along with real time virus scanning of anything even remotely suspicious. This will of course also feed the first box.
Third proxy that proxy with a BSD box. At this point you somehow want to try a white list for safe files. Of course it is not quite that simple, since you will be lucky if you can get a decent white list of generally safe executables and their hashes. At any rate the basic idea is if your first line of defense is a blacklist based approach, your second is a whitelist based approach. Run a different file scanner through this proxy. Further have both proxies try to block obviously insecure web content. (i.e. flash)
Forth, the secure systems should have what they need and nothing else. Remember you can browse the internet via the remote desktop window. You just can't copy or paste. Yes if you let a rouge program onto the secure system it might type the information into the insecure, but, well, yah still need to get work done, so some risks just must be accepted, unless you want to provide a separate internet facing device, such as a laptop, which really isn't a bad idea.
Fifth. Jfrog's artifactory seems to be great stuff. Setup your own lists of good libraries and maintain it. Reduce internet traffic from the secure system. Or for more reasonable security let xray do its thing and then cache the standard repos on the internet. This kind of thing is important sine you can presumably blanket ban libraries and versions of libraries and such that are insecure, and as long as your ide gets them from scratch from time to time, well you get some warning. You could probably automatically send out emails to users of library versions that are found to be insecure.
For the truly paranoid, if your trying to only do development, only allow say the artifactory to download from the proxy, well that and standard security updates. Again, there should be a window/laptop/something for normal internet access. It is worth noting that even the most paranoid approach still lets a dev work. I.E:
Gradle (java) requests packages from the artifactory. The artifactory requests them. BSD starts download by requesting from the cots security solution. That thing checks its list and scans it, passing to the bsd which checks a different type of list and scans it, which passes to the artifactory which checks it against local ban lists and what x-ray results. It passes, gradle gets a copy and your build, in theory, finishes...
Of course your saying that visualization is too risky, so I'm not sure this is better. That being said, the insecure machine is a physically separate machine. If you want even more security, throw a sneakernet in theory. It would be a pain though. Still, for something like jfrog, maybe you could create a snapshot of all relevant libraries and sneakernet it over periodically. For that extra special degree of paranoia, use a dvd-r and finalize it, so no unintended transfer is even possible.
BTW, if your even more paranoid, well git has some ability to work offline. I haven't used it much, but there is definitely some possibility of moving code around with minimal risk, since presumably your only taking deltas, which you can review more easily.
See subject: You're an UNIDENTIFIABLE anonymous trolling worm - it's not possible for "your kind" to have balls, "ne'er-do-well"...
* RoTfLmAo @U...
APK
P.S.=> See subject hahahahaha... apk
It seems to me that we have a very simple and common piece of equipment for isolating one network from another while also allowing connectivity: a firewall.
You can get firewalls that scan traffic for patterns of attack, or compares the data being transferred against malware signatures. Granted, that's not perfect. It won't provide anything close to "perfect" security. But still, what do you anticipate your setup would provide that a good firewall wouldn't?
For example, you reference passing traffic through several Raspberry Pi devices, which essentially has each one acting as a firewall. Yeah, you can make all your internet traffic pass through multiple different firewalls, each with their own security scanning engines, but your adding expense and complexity for diminishing returns on improving security.
So what are you trying to do? What kind of security are you trying to provide, and what kind of attack vector are you anticipating?
...go through several Raspberry Pi computers running Linux; the computers could each use a different method of checking for malware
If you had a 100% effective way of checking for malware, then you wouldn't need to airgap your computer at all, just run this magical malware detector on the computer.
The thing about zero-day exploits is that since they are previously unknown, there's no way to catch them with any certainty.
If you want to keep your computer completely safe from network malware, keep it completely air gapped and off the network.
Create pristine client image. Create template from it. Redeploy "clean" and "dirty" system from template each day or each time you're concerned about being compromised.
Separate clean and dirty systems using vlans separated by firewalls. Only allow passive file transfer via nfs file server.
Deploy antivirus, ips, etc.
Install a wall, a really big (but beautiful) firewall.
Make sure that it is fully paid for by those on the other side.
At the firewall’s gate, deploy a large number of DHS-bots that will carefully inspect every single incoming packet, asking for their domain of residency, destination, MAC address where they intend to stay; question their purpose for coming, especially whether they are coming for pimping or terrorist activities; detect any involvement with social media accounts (and obtain associated passwords); and ascertain their true position on net neutrality. Discard any bits of raw meat or soil. Turn back any packets that profess disagreeable beliefs or are framed funny. In case of doubt, call IPSec immediately.
For outgoing packets, launch TSA processes instead to perform deep packet inspection. At that stage, it is customary to lose no more than 10% of the packets.
For extra security (at the expense of some performance), perform all networking purely within OSI model layers 8 (the convolution layer) and 9 (the administrative redundancy layer). You can regain some of the performance by connecting your Raspberry Pis in parallel rather than in series.
Microsoft has done some work around this on the Windows side.
They build a locked-down domain that requires Ipsec for all communication, and use it to build secure hosts called Privileged access workstations (PAWs) from known good media.
Their reference material is here:
http://aka.ms/cyberpaw
The configuration and software bits will obviously be different from Windows to Linux, but the underlying ideas should be the same.
Those are:
* restrict network communications with IPSec
* no internet access on the PAWs
* build everything in the red forest, including the PAWs, from known good media.
There has been a great deal of discussion about the "right" (tm) way to bring data into and out of the red forest. You can argue for moving this data in via bastion host file servers, but I don't like that. If I'm going to all of the trouble to air gap a network then I want it to be an air gap. That means USB sticks and sneakernet.
I'm not familiar with the intricacies of the recent Intel AMT vulnerabilities, but I _assume_ that requiring IPSec for communications at the OS layer won't prevent that vulnerability. I'd be delighted to be wrong.
.
(Save the Microsoft bashing for another post. I work for them. They buy my groceries. They aren't paying or pushing me to write this. In fact, I should be working.)
IPX on Token Ring, using Banyan Vines for file sharing. Run the server on OS/2. OpenVMS groupware.
Poor little virii won't know up from down.
My Other Computer Is A Data General Nova III.
You joke...
But I have been discussing exactly that as an alternative to TCP/IP for networking on top of I2P (A peer to peer privacy network similiar to the hidden service side of Tor, but with datagram support, so torrent away!)
*HOWEVER* there is a major problem with IPX support on linux, beyond the fact that the code hasn't really been updated (it HAS been maintained) in 20 years:.. no netfilter, qos, and possibly container support. What does this all mean? There isn't a good way to firewall your IPX nodes under linux (was there firewall support under netware?), you can't do rate limiting for your connections, and you might have problems trying to spin lxc/docker/etc containers instead of vms for network services.
Having said all that, there are still ipx tunnel/routing daemons out there supporting ipv4. It has as many network ids as ipv4 has network addresses, although NO netmasking. You get 48 bits (normally eui-48 ethernet ID) of unified LAN space and if you need that subnetted, you are SOL.
On the bright side: No IANA/ICANN/ETC to ransom your address blocks to you, 1:1 mapping of IPX network ids to IPv4 internet addresses (meaning you could write a router that would connect to a particular IPv4 address and port to get you LAN access. Make sure it has TLS 1.2 support however, since IPX has NO security checks whatsoever.)
While there are lots of issues with it, IPX is certainly capable of being used as an alternative protocol, but unless people are going to put in the elbow grease to make it great again, you will be reminded of what we've gained in the past 20 years of TCP/IP development.
You are literally asking what is the best way to "isolate" something, and then allow "data transfer" from that thing. The thing you are asking to allow completely negates the first action. These things are literally opposites.
Did this question make anyone else sad? I always wonder if this means today was a slow news day.
Congrats, you've just discovered Security by Bricolage, aka the McGyver trap.
Let me reassure you that every bigcorp I know does something like that. Not because it might be more secure, but just because after a mishap, you won't possibly be able to point at a "culprit" (and bigcorp has usually a big "culture of culprit" -- just like the well-known Soviet "kto vinovat?"
One effect is apparent, though: getting work done is nigh-impossible. But nobody gives a fuck.
Optical fiber is the best option to allow large voltage differentials on data networks.
You can transmit data through nodes that have over 100 000 V potential difference.
aaaaaaa
Just create your own OS and use this for all of your own WAN or LAN endpoints. Build your own protocols with your own set of rules for this protocol, not UDP, TCP, etc, but your own custom protocol which is simpler and lighter. Build your own router OS and reflash your off-the-shelf routers. This way, zero malwares and zero attack is possible on your LAN except maybe power/electric failure.
Yeah then transfer a pdf file and open it in Adobe Reader -- pwn'd. If you allow data transfer, no matter how, you can just as well connect it to the network directly. Removing network connectivity alone doesn't reduce the attack surface much. Sure it helps against direct exfiltrating of data (espionage). But if you are a target for espionage you don't stand a chance anyway. They will bribe the right people and exfiltrate with USB sticks or whatever. There is nothing you can do against a targeted attack.
ALSO use virtualization. Idiot.
You could just put the "very secure version of Linux" on all of the computers - problem solved or is it...
While there's a lot wrong with the Common Criteria process some of the underlying concepts are good. EAL7 essentially relies on the implementation of a security concept that is provably correct. This is opposed to trying to harden/secure a general purpose system. This is why people use Data Diodes, which are essentially one way network connections.
Security Concept = Only allow data to travel in one direction. You can then prove that data can't get from the high side to the low side
Implementation cut one of the fibres in a ethernet fibre connection allowing signal to travel in one direction and then make the network card think all is well. (Build a network stack that convert tcp to udp and spoof acks )
If you really want security design a system with these components.
"The scenario described in TFA is silly. Using a computer as a firewall does not work as well as using a firewall as a firewall."
I agree, I should have said firewalls. I am hoping people will give helpful suggestions, rather than explaining how they are superior.
You say you want an airgapped network, but data from internet connected systems need to be able to get into it. Do you also need to be able to send data back? If you need only a one way connection there are special devices for this, called data diodes. Typically they are two Ethernet to fiber converters, where the TX of one is connected to the RX of the other.
For example: https://www.deep-secure.com/wp-content/uploads/2015/10/Minerva-Diode-Overview.pdf
Malware could then in principle get into the airgapped network, but it would be non-trivial to get data out.
We make them with two back-to-back arm SBCs. In our case we use fiber and just
run one fiber. You have to configure the rx side mac by hand, and all you can send
across is UDP with no acks back, so you're kind of sending blind, but it does work.
But again, you could send across bit by bit a PDF with malware through a data diode
too, malware that could encrypt your files and demand a bitcoin ransom. So really
you need protection in depth, and good offsite backups as well as network security.
I used to do neural experiments on lab animals and even on humans. 60 cycle hum is an insidious problem. You can't block it with clever wiring smart looking circuitry designs, because it *gets into the cases* of a lot of hardware. And we proved that even a micro-Amp of current sneaking into our electrodes by coupling with any part of our systems could be detected by humans and animals.
We not only had to run everything off batteries, we couldn't even have the battery recharging circuitry attached. The recharger had to be disconnected by relays to physically isolate wall current from the system. Even "isolated power supplies" carried 60 cycle, *on the ground plane*. CRT monitors and their flyback transformers were almost as much of a problem, because they coupled with our instruments. I'm the one who figured out that the old green-screen text terminal we were using for subjects to type answers was coupling via magnetic fields from its power supply to the metal desk and carrying current to the electrodes, and replaced the desk with a wood one.
And the power supplies for the lab animal work involved a motor, coupled with a broomstick handle, to a generator to keep the high frequency ground plane noise out of those systems. The building administrators kept insisting that a much smaller "power converter" system would replace it, but none of them blocked high frequency noise coupling through the circuitry. It was a source of a lot of big arguments to keep the working system which had proven itself for years.
Go choke on a dick.
Unique obfuscation on top of most trusted and minimal open source network components. You will need experts who know the net facing components in and out, can develop and support them.
The obfuscation could be something like knocking before any answer from a net facing component. Maybe the knocking could be masqueraded to look like some usual and normal communication like harmless email to a totally separate address range, from a totally separate address. After receiving the mail, the server could wait for a mutually agreed time and then in a narrow time window allow for a blind logon attempt, only responding if the client side sends a time variant correct handshake offer?
Yes. This must be secure because it sounds so cool.
Doesn't mobile phone IDs already work in this way. It uses a totally separate technology (GSM) to send keys for opening a connection for a different computer using a different connection with a different technology. Except the key exchange is not masqueraded to look like something else.
Gotta try that sometime. *runs marker over Windows 10 installation*
Actually, funny as your post is one thing that is pretty much true is that modern versions of mainframe OS's (Traditional like zOS or Unisys 2200 for example) are (to my knowledge) not vulnerable to all the malware or viruses that are out there.
Only problem I've ran into with IPSec, aside from support, is it's much more complicated to set up and get running than say OpenVPN.
Several years ago, I was responsible for a network at a legal services organization. Security was paramount because they had documents that could only be shared with other attorneys if various protective orders were signed. In this instance, I used a intrusion detection/prevention system and egress filtering on the firewall itself in addition to a hardware-based IPS that was forced on me by the board of directors a couple of years after implementing the solution I was already using. None of the servers had public-facing IP addresses. They could only be accessed via junction points through a Tivoli Access Manager installation. Physical access to the server room was limited to me and the Executive Director (but there were only 8 people in the office anyway so it's not like that was any big deal). Emails were scanned for viruses at the server and desktop levels, and we hired an outside firm to perform penetration testing every year. (After the first pen test came back essentially blank, I started whitelisting the IPs used to test our systems to simulate what might happen if they got past the IPS. We still came back clean...)
This worked well for several years, but as luck would have it, once when I was out of the office for a few days at a training seminar, the appliance-based IPS failed while one of the members was trying to hold a webinar. Since it was a "managed appliance" and I was 500 miles away, there was nothing I could do. My boss was pumping me for information and I was reporting back the best I could with everything I could see, and everything I could see was telling me nothing was wrong. Performance continued to degrade until the entire network just went offline before I could get back. Long story short, when I got back, I bypassed the appliance and everything worked flawlessly.
Of course, since I was the only tech person in the organization, my boss didn't understand what really went wrong and they (eventually) outsourced the network administration part of my job... To a company that ignored the manual I wrote and didn't understand TAM so they just gave all the servers public-facing IP addresses without any sort of firewall or protection. They also ended the pen-test policy. No, I don't know why. Basically, they undid everything I did and stuck it out there for anyone to see.
Months later, before starting a new job, I read about Shodan and thought I'd run the old URL through it for fun. Everything was wide open. I had no gripe against my former employers so I gave them a call to let them know that all the people they were so paranoid about for so many years could potentially grab anything they wanted. Did I get a "thanks"? Nooooo... I was accused of planting a back door in the system!
So yeah, it doesn't matter WHAT you do, somebody else is going to screw it up and you're going to get blamed.
I have used various versions of the FWTK to isolate test networks. There is an independent version of the code here.
If you (can find and) use the old version, beware of the author's reflections on his code.
As this has long been abandonware, I'd say that all of this code should be running in a chroot() as nobody should you use it. Also note that you'll need the -m32 compiler flag (in addition to many other changes) to get a clean build.
If you think you can easily just use flash drives to transfer data, think again.
Flash drives have firmware that can easily be hacked.
Optical is vastly safer in that regard.
However! The optical drives drivers can also be hacked.
Your only alternative is 2 computers, one networked, the other not.
Networked computer is accessed by one-way cable standard from mice, keyboard, etc.
The networked computer is seen via a monitor or some custom method that wires it up as a device you can then open as a "stream in a media player" like style.
It'd be like using Remote Desktop but even more secure.
This is a known problem/engineering goal and has a known solution. It's called a "One Way Transfer" system. The US Government has been using them for years. Your concept is close to the actual implementation. Research it and you might find some better approaches.
You get one OR the other, take your pick
What you're looking for is called a data diode and a high/low network. I'll leave the rest of the digging up to you. You've got the gist of the idea but I think your threat model is a bit busted. What are you trying to defend against, random malware or targeted attack from a nation state?
BTW, they aren't usually found outside of very specific applications because they're a big pain in the ass and hard to keep "clean". Also linux isn't as bullet proof as you think- it CAN be, but it's one of those "as part of this healthy breakfast" things. It takes some other security hygiene (this is assuming you're looking to defend against an adversary who can burn 0 days on you.)
I think the main question is to identify what you are trying to do. Sorry if I missed that in the comments. "carefully examined data transfer" is not very clear. Are you using SFTP to move files? Are you using a socket connection through a VPN to move data? Are you web browsing? As GI Joe says, knowing is half the battle.
Malware normally gets on a computer via user interaction. Opening an email or browsing to an infected website. There are exceptions, but unless you are being specifically targeted, generally unlikely.
Not knowing the details, I would recommend using two routers. One as the gateway to the internet. Turn off wifi and disable external access to the router. Set the firewall to drop everything except what you are using it for. SSH or VPN or whatever you are actually doing with this. Use a non-standard port if you can (again, don't know what you are doing). Put the second router between the Computers and the gateway router with a different IP address range. (192 subnet for the first and a 172 for the second). Connect out from the first PC to the internet.
If you are connecting to the internet via a web browser, all bets are off. If you are, use noscript, Open DNS, and an ad blocker. That will help.
Despite decades of training and experience in the "Network Security" field, I still have trouble configuring even the latest hardware and software firewalls to prevent ALL possible network attacks. Physically separating networks and implementing security protocols (IPSEC / VPN / etc.) might be a move in the right direction, but not the absolute perfect solution to the world's needs.
You can create a network so secure that not even the end users, or even designers, can use it. It is perfect. And in 5 years, script kiddies will have tools that manipulate it with ease.
In the end, you have to accept the fact that somebody 'could' eventually hack it. With that, implement a solution which is reasonable and one which the intended audience is not inconvenienced to the point where they will not use it. More equipment means more potential for failure, and more complexity is more difficult to maintain and upgrade.
The risk must be managed, you need to stay current with modern attack vectors and available mitigations, and anticipate future attack vectors. This evolves so fast that you really cannot take a vacation and stay on top of today's game.
Last recommendation: Don't advertise your network as invincible. That just opens the challenge.
There you have it.
Punchcards. So you can physically review the data to be entered.
(I'm only half kidding.)
Look at the system configuration used by ExpressVPN.
Firewalls with NO disk storage that have a dedicated connection to a Netboot server where the Netboot server has no connection to the internet.
Maintenance is done via DVDs written on a Tails system that is disconnected from the internet after downloading updates.
Use the same configuration in layers [Linux x86_64, Solaris SPARC, NetBSD MIPS].
Each Firewall layer has a separate Netboot server with a different architecture from the firewall.
Obviously the insecure one is still vunerable.
Read what I've written again, it's about the secure one being able to read and write on another machine and not the other way around.
Plus anything you can call a secure system is not compatible with Wannacry etc - there is only one vendor that sells a vunerable OS.
https://www.youtube.com/watch?... It's interesting to watch as a whole, but the takeaway is that if someone with basically infinite resources (i.e. NSA/CIA/GCHQ or whatever it's called in your part of the world) wants to get you then you are done. Quoth Rob Joyce from the video: "we own you"
Secure by design :)
Don't even need the air-gap.
Just use NetBeui...