Slashdot Mirror


Ask Slashdot: Best Way To Isolate a Network And Allow Data Transfer?

Futurepower(R) writes: What is the best way to isolate a network from the internet and prevent intrusion of malware, while allowing carefully examined data transfer from internet-facing computers? An example of complete network isolation could be that each user would have two computers with a KVM switch and a monitor and keyboard, or two monitors and two keyboards. An internet-facing computer could run a very secure version of Linux. Any data to be transferred to that user's computer on the network would perhaps go through several Raspberry Pi computers running Linux; the computers could each use a different method of checking for malware. Windows computers on the isolated network could be updated using Autopatcher, so that there would never be a direct connection with the internet. Why not use virtualization? Virtualization does not provide enough separation; there is the possibility of vulnerabilities. Do you have any ideas about improving the example above?

7 of 237 comments

  1. Isn't this what Qubes is for? by JBMcB · · Score: 5, Interesting

    Separates different browser and email tasks into virtualized jails.

    https://www.qubes-os.org/

    Kinda like Sandboxie. Speaking of which, sandboxie?

    --
    My Other Computer Is A Data General Nova III.
    1. Re:Isn't this what Qubes is for? by BaronM · · Score: 3, Interesting

      Yep, and it's almost usable, too. OTOH, Qubes is focused on the workstation. For network-level isolation, it's really hard to beat two firewalls from different manufacturers and code bases back-to-back.

      Think Internet--PaloAlto--Sophos UTM--LAN (Substitute any two other unrelated NG firewalls)

      Systems on the inside initiate all connections; no reaching in. That means having staging DBs, etc. on the outside that are polled from the inside by transfer routines that parse and validate everything outside of the application that receives the data. Anything that does not positively match expected input is dropped. If you really want to be serious, all systems log externally to a log host with WORM drives that has had the transmit pin on the NIC physically cut (mostly kidding -- hi Marcus!).

      Remote access is terminal services or equivalent to a concentrator on the outside and a second hop internally with separate authentication at each hop. Absolutely no VPN or other tunneling that supports direct traffic flow from outside to inside.

      SecureID or other token-based auth is mandatory.

      Stupidly expensive and a pain to configure and maintain correctly, but very secure. If you need to ask, you probably don't need it and can't afford it.

  2. Using a data diode, and careful controls by Sycraft-fu · · Score: 4, Interesting

    If you really care about isolation, like the kind we are talking about for SIPRnet and so on then you need to use data diodes and controls.

    A data diode is a hardware device that only allows transfers in one direction. That way you can make sure that when you are bringing data in to the network, no egress can happen, and such. They are very specialty, and very expensive.

    However more important than that is proper controls. That means policies and procedures that are followed rigorously. You have to make sure that people are extremely careful with how data is moved from one network to another and what data is moved. You need a process that specifies things like who can decide data to be moved, who approves it, who reviews it, how this is all done and so on.

    If this is really important, well, don't try to do it yourself based on some posts on Slashdot; you need to hire some experts. You also need to spend lots of time in the design and planning stages; you need to carefully consider and document how everything will be set up and all the controls in place.
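    The constraint Sycraft-fu describes, a link that carries data in one direction only with no path back, shapes the software on either side of it. The following is an added Python illustration, not code from the post or from any data-diode product: the diode itself is hardware, and this models only what its absence of a return channel forces the sender and receiver to do. The JSON framing, the redundancy count, the chunk size and the `lossy_link` stand-in are assumptions of the example.

```python
"""
Software side of a one-way (data-diode style) transfer.

Added example: the sender never hears from the receiver, so it cannot be
asked to retransmit.  It therefore emits every chunk several times, each
framed with a sequence number and a SHA-256 digest.  The receiver verifies
each frame, de-duplicates, and reports gaps for a human to act on (by
re-running the transfer) instead of requesting a resend.
"""
import hashlib
import json
import random
from typing import Dict, List, Optional

REDUNDANCY = 3      # copies of each chunk the sender emits (assumed value)
CHUNK_SIZE = 16     # bytes per chunk; tiny so a short payload spans several frames


def frame_chunks(payload: bytes, transfer_id: str) -> List[bytes]:
    """Sender side: split payload into self-describing JSON frames, each repeated REDUNDANCY times."""
    chunks = [payload[i:i + CHUNK_SIZE] for i in range(0, len(payload), CHUNK_SIZE)]
    frames: List[bytes] = []
    for seq, chunk in enumerate(chunks):
        frame = {
            "id": transfer_id,
            "seq": seq,
            "total": len(chunks),
            "data": chunk.hex(),
            "sha256": hashlib.sha256(chunk).hexdigest(),
        }
        frames.extend([json.dumps(frame).encode()] * REDUNDANCY)
    return frames


def lossy_link(frames: List[bytes], drop_rate: float, seed: int) -> List[bytes]:
    """Constructed stand-in for the one-way link: forwards frames, silently drops some, carries nothing back."""
    rng = random.Random(seed)
    return [f for f in frames if rng.random() >= drop_rate]


class Receiver:
    """Inside end: accepts frames, verifies digests, tolerates duplicates, never answers."""

    def __init__(self) -> None:
        self.chunks: Dict[int, bytes] = {}
        self.total: Optional[int] = None
        self.rejected = 0

    def accept(self, raw: bytes) -> None:
        try:
            frame = json.loads(raw)
            data = bytes.fromhex(frame["data"])
            ok = hashlib.sha256(data).hexdigest() == frame["sha256"]
        except (ValueError, KeyError, TypeError):
            ok = False
        if not ok:
            self.rejected += 1          # malformed or corrupted frame: count it, drop it
            return
        self.total = int(frame["total"])
        self.chunks.setdefault(int(frame["seq"]), data)   # duplicates are expected and harmless

    def missing(self) -> List[int]:
        """Sequence numbers never seen intact; with no back channel these are reported, not requested."""
        if self.total is None:
            return []
        return [i for i in range(self.total) if i not in self.chunks]

    def assemble(self) -> Optional[bytes]:
        """The payload, or None while any chunk is still missing."""
        if self.total is None or self.missing():
            return None
        return b"".join(self.chunks[i] for i in range(self.total))


def corrupt(raw: bytes) -> bytes:
    """Constructed fault for testing: replace the data field so the digest no longer matches."""
    frame = json.loads(raw)
    frame["data"] = "deadbeef"
    return json.dumps(frame).encode()


def transfer(payload: bytes, drop_rate: float = 0.0, seed: int = 1) -> Receiver:
    """Run one sender-to-receiver transfer through the simulated link and return the receiver state."""
    rx = Receiver()
    for raw in lossy_link(frame_chunks(payload, "xfer-1"), drop_rate, seed):
        rx.accept(raw)
    return rx


if __name__ == "__main__":
    rx = transfer(b"hello from the outside, one chunk at a time, no way back", drop_rate=0.2)
    print("missing:", rx.missing(), "rejected:", rx.rejected)
    print("assembled:", rx.assemble())
```

    The point of the shape is the `Receiver` class having no send path at all: the only way to recover a lost chunk is to run the transfer again from the outside, which is exactly the procedural control the comment says has to surround the hardware.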

  3. Foolishness. by Gravis+Zero · · Score: 4, Interesting

    What is the best way to isolate a network from the internet and prevent intrusion of malware, while allowing carefully examined data transfer from internet-facing computers?

    Print it out and type it back into the computer you want to transfer it to.

    Windows computers on the isolated network...

    If you are using Windows then you are forfeiting a major advantage: absolute control of your system. Windows cannot even be trusted to respect its own system settings, let alone be worthy of being trusted. You should be suspicious of software written by corporations because their motive is profit, not security or even user satisfaction.

    --
    Anons need not reply. Questions end with a question mark.
  4. Re:Wait... whaaaa? by ShanghaiBill · · Score: 5, Interesting

    I'd love to see malware that can attack a punch card deck.

    Did you ever use card decks? It was a common joke to insert malware cards into someone's deck while they were using the restroom. The best counter-measure was to use a marker pen to make a big X on the edges of your deck, so you could visually see if it had been tampered with.

  5. Re:uhhh by gl4ss · · Score: 1, Interesting

    I guess his idea would be to use multiple brands of packet scanners and shit. ...which sounds just fine, except that.. uh. those scanners suck and if you only want to move files between them anyways, why not just set up a network where the raspberry pi is a ftp or smb or whatever share.

    basically that's what he wants anyways. a file share between the two machines.

    here's another idea though, just make a bluetooth obex file share from the computer that you browse the internet with. or a 3rd computer. enable bt when you want to transfer files. doesn't need you to buy more shit to fix a paranoidicity problem that doesn't get fixed with buying more shit.

    don't enable tcp/ip bluetooth networking though.

    he doesn't want to browse the internet from the isolated machine anyways, only to move files, and to scan them while moving.

    or just use IRDA to send files over. what he wants, apparently, is a file box that sits between the machine that has access to internet and one that doesn't have internet access and the machine with internet access shouldn't have direct access to the machine that is isolated and the only USE CASE is to ferry files around.

    so setting up a fileshare where he can upload files from the internet enabled machine and where they then get scanned(again) before being visible to the isolated one.

    but really, if you're doing something that needs such a level of isolation, why the fuck are you moving files to it from the outside anyways that much. if it's cad or whatever you're doing on it, just have a different computer to look at the reference data you need for doing your thing.

    --
    world was created 5 seconds before this post as it is.
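    BaronM's inside-initiated pull with positive-match validation (reply 1.1 above) and the drop box gl4ss sketches, where files are uploaded from the outside and scanned before they become visible inside (comment 5), come down to the same routine. Here it is as one added Python example, not code from either poster. The staged rows, the `Order` schema, the allowed units, the file-name pattern and the two allowed file types are constructed for the example; the PDF and PNG signatures are the published ones.

```python
"""
Inside-initiated pull from an outside staging area, with positive-match
validation before anything reaches the receiving application.

Added example.  The routine runs on the inside and only ever reads the
staging store; nothing is pushed in.  Every record and every file must
match an explicit allow-list.  Anything else is dropped, and the reason is
returned so it can go to the inside log host.
"""
import re
from dataclasses import dataclass
from typing import Iterable, List, Tuple

# Constructed sample of what a staging DB might hand back.  Rows 0 and 1
# are well-formed; rows 2..5 each break one rule.
STAGED_ROWS = [
    {"ref": "PO-2024-0001", "qty": "12", "unit": "kg", "memo": "routine restock"},
    {"ref": "PO-2024-0002", "qty": "3", "unit": "box", "memo": "urgent"},
    {"ref": "PO-2024-0003", "qty": "twelve", "unit": "kg", "memo": "bad quantity"},
    {"ref": "PO-2024-0004", "qty": "5", "unit": "pallet", "memo": "unit not on the list"},
    {"ref": "PO-2024-0005", "qty": "5", "unit": "kg", "memo": "line one\nline two"},
    {"ref": "PO-2024-0006", "qty": "5", "unit": "kg", "memo": "ok", "extra": "field"},
]

# Assumed schema for the example: every field has a full-match pattern
# (no "contains" checks), and the field set itself is fixed.
REF_RE = re.compile(r"PO-[0-9]{4}-[0-9]{4}")
QTY_RE = re.compile(r"[1-9][0-9]{0,4}")
MEMO_RE = re.compile(r"[A-Za-z0-9 .,-]{0,64}")
ALLOWED_UNITS = frozenset({"kg", "box", "each"})
REQUIRED_FIELDS = frozenset({"ref", "qty", "unit", "memo"})
MAX_QTY = 10000


@dataclass(frozen=True)
class Order:
    """The only shape the inside application ever sees."""
    ref: str
    qty: int
    unit: str
    memo: str


def validate(row: dict) -> Order:
    """Return an Order only if every field positively matches; raise ValueError otherwise."""
    if set(row) != REQUIRED_FIELDS:
        raise ValueError("unexpected field set")
    if not all(isinstance(v, str) for v in row.values()):
        raise ValueError("non-string field")
    if not REF_RE.fullmatch(row["ref"]):
        raise ValueError("ref does not match pattern")
    if not QTY_RE.fullmatch(row["qty"]):
        raise ValueError("qty is not a plain positive integer")
    qty = int(row["qty"])
    if qty > MAX_QTY:
        raise ValueError("qty out of range")
    if row["unit"] not in ALLOWED_UNITS:
        raise ValueError("unit not allowed")
    if not MEMO_RE.fullmatch(row["memo"]):
        raise ValueError("memo contains disallowed characters")
    return Order(row["ref"], qty, row["unit"], row["memo"])


def pull_batch(rows: Iterable[dict]) -> Tuple[List[Order], List[str]]:
    """Poll one batch: accepted Orders, plus one log line per dropped row."""
    accepted: List[Order] = []
    dropped: List[str] = []
    for i, row in enumerate(rows):
        try:
            accepted.append(validate(row))
        except ValueError as why:
            dropped.append(f"row {i} dropped: {why}")   # nothing partial is ever passed on
    return accepted, dropped


# File drop box: a file becomes visible inside only if its name and its
# leading bytes agree on an allow-listed type.  The name pattern admits no
# path separators, so a staged name can never escape the drop directory.
MAGIC = {"pdf": b"%PDF-", "png": b"\x89PNG\r\n\x1a\n"}
NAME_RE = re.compile(r"[A-Za-z0-9_-]{1,40}\.(pdf|png)")


def admit_file(name: str, data: bytes) -> bool:
    """True only when extension and file signature both match the allow-list."""
    m = NAME_RE.fullmatch(name)
    if m is None:
        return False
    return data.startswith(MAGIC[m.group(1)])


if __name__ == "__main__":
    ok, log = pull_batch(STAGED_ROWS)
    print(f"accepted {len(ok)} rows, dropped {len(log)}")
    for line in log:
        print(line)
```

    Everything here is an allow-list: a full-match pattern per field, a fixed set of field names, a closed set of units, and a file check that needs both the name and the signature to agree. A row with a field the schema has never heard of is dropped even though every field it does share is valid, which is what "anything that does not positively match expected input is dropped" means in practice.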
  6. Microsoft ... by ElizabethGreene · · Score: 5, Interesting

    Microsoft has done some work around this on the Windows side.

    They build a locked-down domain that requires IPsec for all communication, and use it to build secure hosts called Privileged Access Workstations (PAWs) from known good media.

    Their reference material is here:
    http://aka.ms/cyberpaw

    The configuration and software bits will obviously be different from Windows to Linux, but the underlying ideas should be the same.

    Those are:
    * restrict network communications with IPSec
    * no internet access on the PAWs
    * build everything in the red forest, including the PAWs, from known good media.

    There has been a great deal of discussion about the "right" (tm) way to bring data into and out of the red forest. You can argue for moving this data in via bastion host file servers, but I don't like that. If I'm going to all of the trouble to air gap a network then I want it to be an air gap. That means USB sticks and sneakernet.

    I'm not familiar with the intricacies of the recent Intel AMT vulnerabilities, but I _assume_ that requiring IPSec for communications at the OS layer won't prevent that vulnerability. I'd be delighted to be wrong.

    (Save the Microsoft bashing for another post. I work for them. They buy my groceries. They aren't paying or pushing me to write this. In fact, I should be working.)