Slashdot Mirror
Ask Slashdot: Best Way To Isolate a Network And Allow Data Transfer?
Futurepower(R) writes: What is the best way to isolate a network from the internet and prevent
intrusion of malware, while allowing carefully examined data transfer
from internet-facing computers? An example of complete network isolation could be that each user would have two computers with a KVM switch and a monitor and keyboard, or two monitors and two keyboards. An internet-facing computer could run a very secure version of Linux. Any data to be transferred to that user's computer on the network would
perhaps go through several Raspberry Pi computers running Linux; the computers
could each use a different method of checking for malware. Windows computers on the isolated network could be updated using Autopatcher, so that there would never be a direct connection with the internet. Why not use virtualization? Virtualization does not provide enough separation; there is the possibility of vulnerabilities. Do you have any ideas about improving the example above?
Make the secure network IPX, nobody has seen it in 20 years, any malicious code running on the internet connected side won't even look for it.
I know, security by obscurity...
Also BSD not Linux.
John McAfee 'It was like that time I hired that Bangkok prostitute; to do my taxes, while I fucked my accountant'
Buy a used CDC-6500. Program it via punch cards. Wipe the memory between each job. I'd love to see malware that can attack a punch card deck.And you' d also have to know how to program a CDC-6500.
https://www.geekwire.com/2013/...
Is it 1998?
A useful metaphor in which to consider the problem might be a principle that's used to establish construction standards so that fires don't spread too widely or rapidly in very large buildings and other structures. What they do is they integrate fire-proof barriers at critical points, which block air transfer and heat exchange, and therefore limit the damage that a fire can do.
Stay with me here; this might get a bit arcane....
Imagine if we could apple a similar concept to computing and networks. Imagine if, instead of air and heat exchange, we limited the transfer of data between segmented portions of a network. This 'firewall'—to coin a phrase—would provide us with the ability to operate with relative security, and we could therefore rest assured that the designated secure parts of the network remain secure, while still allowing access to less secure areas via some sort of notional 'gateway'.
Pie in the sky, I know. But still, as an exercise in theoretical modeling, it's fascinating.
Crumb's Corollary: Never bring a knife to a bun fight.
Buy a used CDC-6500.
My apartment complex has a recyclable weekend once or twice a year for tenants to drop off old electronics. The list of acceptable items include "mainframe" computers. I've been waiting for someone to drop off a mainframe computer. No one ever does. Out of 300+ apartments in Silicon Valley, you would think that someone would have an old mainframe computer that they weren't using.
that has had the transmit pin on the NIC physically cut
ACK! What a terrible idea!
IPX on Token Ring, using Banyan Vines for file sharing. Run the server on OS/2. OpenVMS groupware.
Poor little virii won't know up from down.
My Other Computer Is A Data General Nova III.
Excellent. Consider that stolen.
Confucius say, "Find worm in apple - bad. Find half a worm - worse."