Slashdot Mirror


Ask Slashdot: Best Way To Isolate a Network And Allow Data Transfer?

Futurepower(R) writes: What is the best way to isolate a network from the internet and prevent intrusion of malware, while allowing carefully examined data transfer from internet-facing computers? An example of complete network isolation could be that each user would have two computers with a KVM switch and a monitor and keyboard, or two monitors and two keyboards. An internet-facing computer could run a very secure version of Linux. Any data to be transferred to that user's computer on the network would perhaps go through several Raspberry Pi computers running Linux; the computers could each use a different method of checking for malware. Windows computers on the isolated network could be updated using Autopatcher, so that there would never be a direct connection with the internet. Why not use virtualization? Virtualization does not provide enough separation; there is the possibility of vulnerabilities. Do you have any ideas about improving the example above?
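The question above describes a file passing through several independent checking hosts before it reaches the isolated side. The following is an added example, not code from the Slashdot post or from any poster, that models that idea as a fail-closed import gate: every stage runs, every failure is recorded, and a file crosses only when none fired. The size limit, the magic-byte allow-list, the suspicious-content markers, the check functions and the sample files are all assumptions made for illustration; in a real deployment each check would be a separate scanner engine, ideally on a separate host.

```python
"""Multi-stage import gate for carrying files into an isolated network.

Added example, not code from the Slashdot post: it models the question's
"several checking computers, each using a different method" as independent
checks that must all pass before a file is released (fail closed). The size
limit, the allow-list of file types, the content markers and the checks
themselves are assumptions made for illustration.
"""
import hashlib
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

MAX_BYTES = 10 * 1024 * 1024  # assumed policy: refuse anything over 10 MiB

# Allow-list keyed by magic bytes: anything not listed (executables, archives,
# macro-enabled Office files, ...) is refused, whatever its name claims.
ALLOWED_MAGIC = {
    b"%PDF-": "pdf",
    b"\x89PNG\r\n\x1a\n": "png",
    b"\xff\xd8\xff": "jpeg",
}
EXPECTED_EXT = {"pdf": {"pdf"}, "png": {"png"}, "jpeg": {"jpg", "jpeg"}}

# Assumed second-opinion stage: byte patterns that should not appear in the
# document types we accept (PDF actions and script tags), constructed here.
SUSPICIOUS_MARKERS = [b"/JavaScript", b"/Launch", b"/OpenAction", b"<script"]


@dataclass
class Verdict:
    accepted: bool
    sha256: str  # recorded so the receiving side can verify what was copied
    reasons: List[str] = field(default_factory=list)


def detected_type(data: bytes) -> Optional[str]:
    return next((t for magic, t in ALLOWED_MAGIC.items() if data.startswith(magic)), None)


def check_size(name: str, data: bytes) -> Optional[str]:
    if not data:
        return "empty file"
    if len(data) > MAX_BYTES:
        return f"size {len(data)} exceeds limit {MAX_BYTES}"
    return None


def check_magic(name: str, data: bytes) -> Optional[str]:
    return None if detected_type(data) else "file type not on allow-list"


def check_markers(name: str, data: bytes) -> Optional[str]:
    hits = [m.decode() for m in SUSPICIOUS_MARKERS if m in data]
    return f"suspicious content: {', '.join(hits)}" if hits else None


def check_name(name: str, data: bytes) -> Optional[str]:
    """Declared extension must agree with the detected type (catches renamed files)."""
    kind = detected_type(data)
    if kind is None:
        return None  # check_magic already reports unknown types
    ext = name.rsplit(".", 1)[-1].lower() if "." in name else ""
    if ext not in EXPECTED_EXT[kind]:
        return f"declared extension '{ext}' does not match detected type '{kind}'"
    return None


# All checks share one signature so a stage can be added or swapped without
# touching inspect(); a stage that does not need the name simply ignores it.
CHECKS = (check_size, check_magic, check_markers, check_name)


def inspect(name: str, data: bytes) -> Verdict:
    """Run every stage and collect all failures; accept only when none fired."""
    reasons = [r for r in (check(name, data) for check in CHECKS) if r]
    return Verdict(accepted=not reasons, sha256=hashlib.sha256(data).hexdigest(), reasons=reasons)


def transfer(name: str, data: bytes, outbox: Dict[str, Tuple[str, bytes]]) -> Verdict:
    """Release the file to the outbox (the side facing the isolated network) only if accepted."""
    verdict = inspect(name, data)
    if verdict.accepted:
        outbox[verdict.sha256] = (name, data)
    return verdict


# Constructed sample inputs (not real files).
GOOD_PDF = b"%PDF-1.4\n1 0 obj\n<< /Type /Catalog >>\nendobj\n%%EOF\n"
JS_PDF = b"%PDF-1.4\n<< /OpenAction << /S /JavaScript /JS (app.alert(1)) >> >>\n"
EXE_STUB = b"MZ\x90\x00\x03\x00\x00\x00" + b"\x00" * 56

if __name__ == "__main__":
    outbox: Dict[str, Tuple[str, bytes]] = {}
    for fname, blob in [("report.pdf", GOOD_PDF), ("report.pdf", JS_PDF),
                        ("tool.exe", EXE_STUB), ("invoice.pdf.exe", GOOD_PDF)]:
        v = transfer(fname, blob, outbox)
        print(fname, "ACCEPT" if v.accepted else "REJECT", v.reasons)
    print(len(outbox), "file(s) released")
```

Two design choices matter more than the individual checks: the gate does not short-circuit, so the log on the checking host shows every reason a file was refused, and the hash is computed on the checking side, so the isolated side can verify that what arrived is exactly what was released.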

6 of 237 comments

  1. Answer by 110010001000 · Score: 5, Insightful

    I'm going to answer the question even though Futurepower(R) is a schizophrenic nutjob. The answer is there is no way to do it. If a computer is on a network it isn't secure and it can't be isolated. A "network" is the antithesis of isolation. If you connect it to the Internet, game over man.

  2. Re: SneakerNET? by Entrope · Score: 3, Insightful

    That's not nearly enough. Malware like Stuxnet shows how far attackers go to breach air gaps and similar forms of isolation. (SneakerNet is one, sometimes weak, form of air gap.)

  3. uhhh by Fwipp · Score: 5, Insightful

    Any data to be transferred to that user's computer on the network would perhaps go through several Raspberry Pi computers running Linux

    You are so incredibly out of your depth you don't even know it.

    1. Re:uhhh by whitlocktj · Score: 2, Insightful

      This was exactly my thought when I read that line. This is so far off in left field, I'm not entirely sure what he thinks he'll inherently benefit from by using Raspberry Pi, let alone several of them.

  4. Re: SneakerNET? by ShanghaiBill · Score: 4, Insightful

    Indeed. Any system, even if air-gapped, can be penetrated, especially if there are insiders who can be bribed or blackmailed. It all comes down to deciding who you can trust. Do you trust your hardware? Do you trust the people that wrote Linux?

    The scenario described in TFA is silly. Using a computer as a firewall does not work as well as using a firewall as a firewall. A computer-as-firewall running a general purpose OS is going to have a much larger attack surface. If you aren't going to airgap, then get a real dedicated firewall, and then disable ALL the ports. Then use port knocking to open specific ports to encrypted communication with only pre-verified clients.

    If that isn't enough, then you can also wrap your computer in tin foil.
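The comment above suggests closing every port and using port knocking to open a specific port for pre-verified clients. The following is an added example, not code from the comment or from any knock daemon, that shows the mechanics as a daemon would implement them: a per-source state machine fed with SYN events (constructed here instead of read from a packet capture or firewall log), a completion window, and a time-limited lease on the opened port. The knock sequence, the timing windows and the service port are assumptions for illustration. One caveat a practitioner would add: knocking only hides a service, and anyone who can observe the knocks can replay them, so the port it opens must still carry its own authentication (SSH keys or mutual TLS, for instance), which is what the comment's "encrypted communication with only pre-verified clients" amounts to.

```python
"""Port-knock state machine for a host that exposes no listening ports.

Added example, not from the comment above. The knock sequence, timing
windows and service port are assumptions for illustration; a real daemon
would feed observe() from a packet capture or firewall log.
"""
from typing import Dict, List, Optional, Tuple

KNOCK_SEQUENCE = (7000, 8000, 9000)  # assumed secret sequence of closed ports
KNOCK_WINDOW = 10.0                   # seconds allowed to complete the sequence
OPEN_DURATION = 30.0                  # seconds the service stays reachable for that source
SERVICE_PORT = 22                     # assumed port that is opened on success


class KnockDaemon:
    def __init__(self, sequence=KNOCK_SEQUENCE, window=KNOCK_WINDOW, open_for=OPEN_DURATION):
        self.sequence = tuple(sequence)
        self.window = window
        self.open_for = open_for
        self._progress: Dict[str, Tuple[int, float]] = {}  # src -> (knocks matched, time of first)
        self._opened: Dict[str, float] = {}                 # src -> lease expiry time

    def observe(self, src: str, dport: int, ts: float) -> bool:
        """Feed one inbound SYN (src, dst port, time). True when it completes the sequence."""
        state = self._progress.get(src)
        if state is not None and ts - state[1] > self.window:
            state = None  # too slow: a partial sequence does not survive the window
        idx, started = state if state else (0, ts)
        if dport == self.sequence[idx]:
            idx += 1
        elif dport == self.sequence[0]:
            idx, started = 1, ts  # out-of-order knock, but a fresh attempt begins here
        else:
            idx = 0  # any other port resets progress; a sequential scan never gets past this
        if idx == len(self.sequence):
            self._progress.pop(src, None)
            self._opened[src] = ts + self.open_for
            return True
        if idx == 0:
            self._progress.pop(src, None)
        else:
            self._progress[src] = (idx, started)
        return False

    def is_open(self, src: str, ts: float) -> bool:
        """Whether SERVICE_PORT should currently accept connections from src."""
        expiry = self._opened.get(src)
        if expiry is None:
            return False
        if ts > expiry:
            del self._opened[src]  # lease expired: the port closes again
            return False
        return True

    @staticmethod
    def accept_rule(src: str, port: int = SERVICE_PORT) -> List[str]:
        """The iptables command a real daemon would run on success (returned, not executed)."""
        return ["iptables", "-I", "INPUT", "-s", src, "-p", "tcp", "--dport", str(port), "-j", "ACCEPT"]


def replay(events: List[Tuple[float, str, int]], daemon: Optional[KnockDaemon] = None) -> List[str]:
    """Run (ts, src, dport) SYN events through a daemon; return sources that completed a knock."""
    daemon = daemon or KnockDaemon()
    return [src for ts, src, dport in events if daemon.observe(src, dport, ts)]


# Constructed SYN log: one legitimate client, one out-of-order attempt, one slow scan.
SAMPLE_EVENTS = [
    (0.0, "203.0.113.5", 7000), (0.5, "203.0.113.5", 8000), (1.0, "203.0.113.5", 9000),
    (2.0, "198.51.100.7", 7000),
    (3.0, "192.0.2.9", 7000), (3.2, "192.0.2.9", 9000), (3.4, "192.0.2.9", 8000),
    (15.0, "198.51.100.7", 8000), (16.0, "198.51.100.7", 9000),
]

if __name__ == "__main__":
    d = KnockDaemon()
    print("completed:", replay(SAMPLE_EVENTS, d))
    print("service open for 203.0.113.5 at t=5:", d.is_open("203.0.113.5", 5.0))
    print("rule:", " ".join(KnockDaemon.accept_rule("203.0.113.5")))
```

The reset on any wrong port is what defeats a plain sequential port scan: the scanner does hit 7000, 8000 and 9000, but with thousands of other ports in between, so it never has the three in a row inside the window.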

  5. Re:Way Way Way too complicated by omnichad · Score: 3, Insightful

    I've never heard of any malware jumping through an FTP connection.

    Any transfer protocol implementation could have buffer overflows or any vulnerability that anything else has. Why is FTP more magic than SMB?