Slashdot Mirror


Ask Slashdot: Best Way To Isolate a Network And Allow Data Transfer?

Futurepower(R) writes: What is the best way to isolate a network from the internet and prevent intrusion of malware, while allowing carefully examined data transfer from internet-facing computers? An example of complete network isolation could be that each user would have two computers with a KVM switch and a monitor and keyboard, or two monitors and two keyboards. An internet-facing computer could run a very secure version of Linux. Any data to be transferred to that user's computer on the network would perhaps go through several Raspberry Pi computers running Linux; the computers could each use a different method of checking for malware. Windows computers on the isolated network could be updated using Autopatcher, so that there would never be a direct connection with the internet. Why not use virtualization? Virtualization does not provide enough separation; there is the possibility of vulnerabilities. Do you have any ideas about improving the example above?
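The question sketches a transfer path where each file is examined by several independent checks before it reaches the isolated side. As an added example (not from the Slashdot post or any commenter), the gate below runs four independent checks on a candidate file, a size cap, an executable-header denylist, a hash denylist and a bounded archive inspection that does not trust the zip central directory's declared sizes, and passes the file only if every check is silent. All sample files, the hash denylist entry and the limits are constructed for the example.

```python
"""Staging gate for files crossing from an internet-facing host to an isolated
network. Added example; constructed samples and limits, not a real deployment."""
import hashlib
import io
import zipfile

MAX_BYTES = 10 * 1024 * 1024   # hard cap on anything that crosses (constructed)
MAX_EXPANSION = 50             # zip bomb guard: decompressed bytes / archive bytes
MAX_MEMBERS = 100              # refuse archives with more members than this

# Allowlist by leading magic bytes: only data formats, never executables.
ALLOWED_MAGIC = {
    "pdf": b"%PDF-",
    "png": b"\x89PNG\r\n\x1a\n",
    "zip": b"PK\x03\x04",
}
# Hard deny regardless of anything else: PE, ELF, Mach-O and shebang scripts.
DENIED_MAGIC = (b"MZ", b"\x7fELF", b"\xcf\xfa\xed\xfe", b"\xfe\xed\xfa\xce", b"#!")
# Hash denylist. The single entry is the SHA-256 of a constructed sample, not a real IoC.
KNOWN_BAD_SHA256 = {hashlib.sha256(b"%PDF-1.4 CONSTRUCTED-BAD-SAMPLE").hexdigest()}


def identify(data: bytes):
    """Return the allowlisted format name, or None if the header matches nothing."""
    for name, magic in ALLOWED_MAGIC.items():
        if data.startswith(magic):
            return name
    return None


def check_denied_magic(data: bytes):
    return ["executable or script header"] if data.startswith(DENIED_MAGIC) else []


def check_hash(data: bytes):
    digest = hashlib.sha256(data).hexdigest()
    return [f"sha256 on denylist: {digest[:16]}..."] if digest in KNOWN_BAD_SHA256 else []


def check_zip(data: bytes):
    """Inspect members by actually decompressing them under a byte budget,
    because header-declared sizes can lie; reject nested archives, executables
    and path-traversal member names."""
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return ["corrupt zip"]
    problems, budget, total = [], MAX_EXPANSION * len(data), 0
    with zf:
        infos = zf.infolist()
        if len(infos) > MAX_MEMBERS:
            return ["too many members"]
        for info in infos:
            name = info.filename
            if name.startswith(("/", "\\")) or ".." in name.replace("\\", "/").split("/"):
                problems.append(f"unsafe path: {name}")
                continue
            if info.is_dir():
                continue
            with zf.open(info) as member:
                head = member.read(8)
                if head.startswith(DENIED_MAGIC) or head.startswith(ALLOWED_MAGIC["zip"]):
                    problems.append(f"disallowed member: {name}")
                    continue
                total += len(head)
                while total <= budget:           # count real decompressed bytes
                    chunk = member.read(65536)
                    if not chunk:
                        break
                    total += len(chunk)
                if total > budget:
                    problems.append("expansion ratio exceeded (zip bomb?)")
                    break
    return problems


def inspect(data: bytes):
    """Run every check; the file crosses only if all of them return no problems."""
    if len(data) > MAX_BYTES:
        return (False, ["over size cap"])      # do not even parse oversize input
    problems = check_denied_magic(data) + check_hash(data)
    fmt = identify(data)
    if fmt is None:
        problems.append("header not on allowlist")
    elif fmt == "zip":
        problems += check_zip(data)
    return (not problems, problems)


def build_samples():
    """Constructed inputs covering the pass case and each rejection path."""
    good_pdf = b"%PDF-1.4\n1 0 obj << >> endobj\n%%EOF\n"
    bad_exe = b"MZ\x90\x00" + b"\x00" * 60
    denylisted = b"%PDF-1.4 CONSTRUCTED-BAD-SAMPLE"
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("report.txt", "quarterly numbers\n")
    clean_zip = buf.getvalue()
    inner = io.BytesIO()
    with zipfile.ZipFile(inner, "w") as zf:
        zf.writestr("payload.bin", b"\x7fELF" + b"\x00" * 16)
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("nested.zip", inner.getvalue())
    nested_zip = buf.getvalue()
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("zeros.bin", b"\x00" * (2 * 1024 * 1024))   # ~1000:1 ratio
    bomb_zip = buf.getvalue()
    return {"good_pdf": good_pdf, "bad_exe": bad_exe, "denylisted": denylisted,
            "clean_zip": clean_zip, "nested_zip": nested_zip, "bomb_zip": bomb_zip}


if __name__ == "__main__":
    for label, blob in build_samples().items():
        ok, why = inspect(blob)
        print(f"{label:11s} {'PASS' if ok else 'REJECT'} {why}")
```

Each check is deliberately independent of the others so that a bug in one (say, a format parser) cannot silence a rejection from another; that is the software analogue of the post's idea of running different malware checks on separate machines. A real gate would add signature scanning and content conversion, but the structure, reject-on-any-failure with bounded parsing, is the part worth keeping.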

  1. Re: SneakerNET? by KGIII · Score: 4, Informative

    That they ask this question, in this manner, makes me uncertain that they can even configure a dedicated appliance properly. They probably aren't even remotely familiar with a specific vendor's myriad choices and methods. Juniper is not the same as Cisco, for example.

    My suggestion is to hire a qualified professional. If they have to ask Slashdot, they are not a qualified professional. This is not meant to be an insult; they probably are very good at something else. If you're going to take security seriously, hire a professional. If you're not going to hire a professional, don't even bother trying something like this.

    If they don't hire a professional, and attempt this, they might just as well ready their PR team to deal with the near certain eventual outcome of data exfiltration. It's going to happen. Hire a damned professional and be prepared to buy some equipment.

    --
    "So long and thanks for all the fish."
  2. Re: Using a data diode, and careful controls by thegarbz · Score: 3, Informative

    However more important than that is proper controls.

    This right here is the most important sentence in this entire Slashdot story. Security is not about patching, isolating, and airgapping. Security is a complex process that gets more and more complex the more people are involved.

    The best airgapped system will fall, the best designed DMZ will get infiltrated and even the masters of IT infiltration will fall victim to a malicious or ignorant insider if security processes and controls aren't in place.