Ask Slashdot: Best Way To Isolate a Network And Allow Data Transfer?
Futurepower(R) writes: What is the best way to isolate a network from the internet and prevent intrusion of malware, while allowing carefully examined data transfer from internet-facing computers? An example of complete network isolation could be that each user would have two computers with a KVM switch and a monitor and keyboard, or two monitors and two keyboards. An internet-facing computer could run a very secure version of Linux. Any data to be transferred to that user's computer on the network would perhaps go through several Raspberry Pi computers running Linux; the computers could each use a different method of checking for malware. Windows computers on the isolated network could be updated using Autopatcher, so that there would never be a direct connection with the internet. Why not use virtualization? Virtualization does not provide enough separation; there is the possibility of vulnerabilities. Do you have any ideas about improving the example above?
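The submission's chain of hops that "each use a different method of checking for malware" is, at bottom, a fail-closed gate: a file crosses only if every independent check accepts it. The following is an added example (not the submitter's design or any product's code) of such a gate in Python. The size cap, the allowlist of content types identified by magic bytes, the extension rules and the zip-bomb ratio are assumed policy values; the checks stand in for whatever scanners each hop would actually run; every sample file is constructed inline so the script runs offline.

```python
"""Fail-closed transfer guard (added example; limits, allowlist and samples are assumed)."""
import hashlib
import io
import os
import zipfile

MAX_BYTES = 1 * 1024 * 1024   # assumed policy: 1 MiB per file
MAX_ZIP_RATIO = 100           # assumed policy: expanded/compressed above this is a zip bomb

# Allowed content types, identified by leading magic bytes, never by extension.
MAGIC = {"pdf": b"%PDF-", "png": b"\x89PNG\r\n\x1a\n", "zip": b"PK\x03\x04"}
# Extensions each detected type may carry; macro-enabled .docm/.xlsm are deliberately absent.
EXT_FOR_TYPE = {"pdf": {".pdf"}, "png": {".png"}, "zip": {".zip", ".docx", ".xlsx", ".pptx"}}
# PE, ELF, Mach-O (32/64-bit little-endian) and shebang scripts.
NATIVE_EXEC_PREFIXES = (b"MZ", b"\x7fELF", b"\xfe\xed\xfa", b"\xcf\xfa\xed\xfe", b"#!")


def detect_type(data):
    for kind, magic in MAGIC.items():
        if data.startswith(magic):
            return kind
    return None


# Each check returns a rejection reason, or None when the file passes it.
def check_size(name, data):
    return f"size {len(data)} exceeds {MAX_BYTES} bytes" if len(data) > MAX_BYTES else None


def check_magic(name, data):
    return None if detect_type(data) else "content does not match any allowed type"


def check_extension(name, data):
    kind = detect_type(data)
    if kind is None:
        return None  # check_magic already rejects this case
    ext = os.path.splitext(name)[1].lower()
    return None if ext in EXT_FOR_TYPE[kind] else f"extension {ext!r} does not match detected type {kind!r}"


def check_native_executable(name, data):
    return "native executable or script header" if data.startswith(NATIVE_EXEC_PREFIXES) else None


def check_archive(name, data):
    if not data.startswith(MAGIC["zip"]):
        return None
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            members = zf.infolist()
    except zipfile.BadZipFile:
        return "malformed zip"
    compressed = max(sum(m.compress_size for m in members), 1)
    expanded = sum(m.file_size for m in members)
    if expanded / compressed > MAX_ZIP_RATIO:
        return f"compression ratio {expanded // compressed} looks like a zip bomb"
    for m in members:
        if m.filename.startswith("/") or ".." in m.filename.split("/"):
            return f"unsafe member path {m.filename!r}"      # zip-slip style traversal
        if m.filename.lower().endswith("vbaproject.bin"):
            return f"embedded VBA macro project {m.filename!r}"
    return None


CHECKS = [check_size, check_magic, check_extension, check_native_executable, check_archive]


def examine(name, data):
    """Run every check (no short-circuit, so the log records all reasons); accept only if none objects."""
    failures = [reason for reason in (check(name, data) for check in CHECKS) if reason]
    return {"name": name, "sha256": hashlib.sha256(data).hexdigest(),
            "accepted": not failures, "failures": failures}


def make_zip(members, compression=zipfile.ZIP_STORED):
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", compression) as zf:
        for member_name, content in members.items():
            zf.writestr(member_name, content)
    return buf.getvalue()


# Constructed samples: the first three should pass, each of the rest trips at least one check.
SAMPLES = {
    "report.pdf": b"%PDF-1.4\n% constructed minimal body\n%%EOF\n",
    "diagram.png": MAGIC["png"] + b"\x00" * 32,
    "memo.docx": make_zip({"[Content_Types].xml": b"<Types/>", "word/document.xml": b"<w:document/>"}),
    "memo-macro.docx": make_zip({"[Content_Types].xml": b"<Types/>", "word/vbaProject.bin": b"\xd0\xcf\x11\xe0" * 4}),
    "invoice.pdf": b"MZ\x90\x00" + b"\x00" * 60,          # PE executable renamed to .pdf
    "notes.png": b"%PDF-1.4\n%%EOF\n",                   # PDF content under a .png name
    "archive.zip": make_zip({"big.bin": b"\x00" * (512 * 1024)}, zipfile.ZIP_DEFLATED),
    "escape.zip": make_zip({"../etc/cron.d/job": b"* * * * * root id\n"}),
    "dump.pdf": b"%PDF-1.4\n" + b"\x00" * (2 * 1024 * 1024),
}


def triage(samples=SAMPLES):
    return {name: examine(name, data) for name, data in samples.items()}


if __name__ == "__main__":
    for v in triage().values():
        print("ACCEPT" if v["accepted"] else "REJECT", v["name"], v["sha256"][:12], "; ".join(v["failures"]))
```

The point the script makes is the policy, not the particular checks: every hop's scanner is one entry in `CHECKS`, the verdict is the conjunction of all of them, and an unrecognised file is rejected rather than passed through. Adding a real antivirus engine as another check changes nothing about that structure.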
Nah, you didn't have to go there.
My point is that the solution to the author's problem has been available off the shelf for the past couple of decades.
Trying to cobble together something that looks like a firewall from 'secure linux' on Raspberry Pi is just going to set you up for every fail that the industry has run into and solved.
On the other hand, modern commercial firewalls have zones and sftp that satisfy the initial request, but they face the same issues of designed-in frailties and owners who do not configure and patch them properly as any commercial product does these days.
If the security depended on the USB stick itself to not automount (trusting the external device), then he wasn't the only person at fault.
That they ask this question, in this manner, makes me uncertain that they can even configure a dedicated appliance properly. They probably aren't even remotely familiar with a specific vendor's myriad choices and methods. Juniper is not the same as Cisco, for example.
My suggestion is to hire a qualified professional. If they have to ask Slashdot, they are not a qualified professional. This is not meant to be an insult, they probably are very good at something else. If you're going to take security seriously, hire a professional. If you're not going to hire a professional, don't even bother trying something like this.
If they don't hire a professional, and attempt this, they might just as well ready their PR team to deal with the near certain eventual outcome of data exfiltration. It's going to happen. Hire a damned professional and be prepared to buy some equipment.
"So long and thanks for all the fish."
However more important than that is proper controls.
This right here is the most important sentence in this entire Slashdot story. Security is not about patching, isolating, and airgapping. Security is a complex process that gets more and more complex the more people are involved.
The best airgapped system will fall, the best designed DMZ will get infiltrated and even the masters of IT infiltration will fall victim to a malicious or ignorant insider if security processes and controls aren't in place.