Slashdot Mirror
Ask Slashdot: Best Way To Isolate a Network And Allow Data Transfer?
Futurepower(R) writes: What is the best way to isolate a network from the internet and prevent
intrusion of malware, while allowing carefully examined data transfer
from internet-facing computers? An example of complete network isolation could be that each user would have two computers with a KVM switch and a monitor and keyboard, or two monitors and two keyboards. An internet-facing computer could run a very secure version of Linux. Any data to be transferred to that user's computer on the network would
perhaps go through several Raspberry Pi computers running Linux; the computers
could each use a different method of checking for malware. Windows computers on the isolated network could be updated using Autopatcher, so that there would never be a direct connection with the internet. Why not use virtualization? Virtualization does not provide enough separation; there is the possibility of vulnerabilities. Do you have any ideas about improving the example above?
SneakerNET?
"Tempers are wearing thin. Let's just hope some robot doesn't kill everybody." --Bender
Is Futurepower still alive? That guy is a nutjob.
I'm going to answer the question even though Futurepower(R) is a schizophrenic nutjob. The answer is there is no way to do it. If a computer is on a network it isn't secure and it can't be isolated. A "network" is the anthesis of isolation. If you connect it to the Internet, game over man.
Firewall?
Really, the manufacturers track threats and release mitigations better than you can, and are built for exactly what you're asking. Daisy-chain ones from different vendors if you're really anal.
"National Security is the chief cause of national insecurity." - Celine's First Law
Separates different browser and email tasks into virtualized jails.
https://www.qubes-os.org/
Kinda like Sandboxie. Speaking of which, sandboxie?
My Other Computer Is A Data General Nova III.
Any data to be transferred to that user's computer on the network would perhaps go through several Raspberry Pi computers running Linux
You are so incredibly out of your depth you don't even know it.
Make the secure network IPX, nobody has seen it in 20 years, any malicious code running on the internet connected side won't even look for it.
I know, security by obscurity...
Also BSD not Linux.
John McAfee 'It was like that time I hired that Bangkok prostitute; to do my taxes, while I fucked my accountant'
Why use multiple computers? What's the problem with Virtualization? Virtualize the firewall, slap on a tight-ass linux with bare minimums to perform routing/firewalling for the host machine. Works great for me. Very tiny attack surface (SSH at the very most, if even that.)
If you really care about isolation, like the kind we are talking about for SIPRnet and so on then you need to use data diodes and controls.
A data diode is a hardware device that only allows transfers in one direction. That way you can make sure that when you are bringing data in to the network, no egress can happen, and such. They are very specialty, and very expensive.
However more important than that is proper controls. That means policies and procedures that are followed rigorously. You have to make sure that people are extremely careful with how data is moved from one network to another and what data is moved. You need a process that specifies things like who can decide data to be moved, who approves it, who reviews it, how this is all done and so on.
If this is really important, well don't try to do it yourself based on some posts on Slashdot, you need to hire some experts. You also need to spend lots of time in the design and planning stages, you need to careful consider and document how everything will be set up and all the controls in place.
Buy a used CDC-6500. Program it via punch cards. Wipe the memory between each job. I'd love to see malware that can attack a punch card deck.And you' d also have to know how to program a CDC-6500.
https://www.geekwire.com/2013/...
There are many solutions each with its own pros and cons. But without understanding what it is you are doing you are really wasting everyones time. Go into the details and help us understand the purpose and situation to what it is you wish to achieve and /. will do it's best to help you.
Those who can, do. Those who cannot, sue.
An IBM 650 would be a more interesting choice.
Nah, you didn't have to go there.
My point is that the solution to the author's problem has been available off the shelf for the past couple of decades.
Trying to cobble together something that looks like a firewall from 'secure linux' on Raspberry Pi is just going to set you up for every fail that the industry has run into and solved.
On the other hand, modern commercial firewalls have zones and sftp that satisfy the initial request, but face the same issues of designed-in frailties and owners who do not configure and patch them properly as any commercial product has these days
What is the best way to isolate a network from the internet and prevent intrusion of malware, while allowing carefully examined data transfer from internet-facing computers?
Print it out and type it back into the computer you want to transfer it to.
Windows computers on the isolated network...
If you are using Windows then you are forfeiting a major advantage: absolute control of your system. Windows cannot even be trusted to respect it's own system settings let alone be worthy of being trusted. You should be suspicious of software written by corporations because their motive is profit, not security or even user satisfaction.
Anons need not reply. Questions end with a question mark.
WAN -> Firewall -> Firewall -> LAN. Each firewall from a different company, and some tinkering with the router configuration to make even compromised computers not sure where they are.
Also helps if you use machines with a completely alien architecture to what everyone else is running. Viva la Alpha, MIPS, etc. It's not that you can't attack them, it's just that your custom forged 'PC' is now in the .000000000000001% bracket of commonality with everything else out there. Do you know how much of a bastard it is to setup cross-platform compilers (with a recent version of GCC)? How about writing code for an architecture you can only emulate (need to go buy the machine, cost you a little; plus running an Alpha can triple your power costs, both in the electricity it uses to power itself and the amount of AC you need to stop sweating while being in the same room as it)? And you still have to go back to school to relearn things like memory management as things work a little different in the Alpha world than the x86 / x64 world.
You need to go much simpler, for a lot of reasons. Humans need to use it. Humans need to choose to use it. Humans need to not go around it.
I think you need to base your solution around a presumed-infected node. I find working with the weeds to be better than trying to design a planter that weeds can't find.
Given "Machine A" as the user's actual workstation, internal, no outside access.
Given "Machine B" as the external-facing node, with whatever internet access you deem necessary, and we'll presume that it gets infected as a matter of routine. Maybe you wipe it daily, maybe you virtualize it. Maybe you leave it infected because it just doesn't matter.
I think you design a solution to transfer files from B to A. I've never heard of any malware jumping through an FTP connection. So maybe you transfer from B to A via a simple FTP connection (probably connecting from A to B). A simple batch-file script can do just as well.
This presumes that the file analysis is done on B. Otherwise, you could FTP from B to C (connection initiated from C), analyze it. If it's good, FTP from C to A, otherwise wipe C, just in case.
The point is, A has access to B and C, but B and C have no access to A.
I'd love to see malware that can attack a punch card deck.
Did you ever use card decks? It was a common joke to insert malware cards into someone's deck while they were using the restroom. The best counter-measure was to use a marker pen to make a big X on the edges of your deck, so you could visually see if it had been tampered with.
Is it 1998?
A useful metaphor in which to consider the problem might be a principle that's used to establish construction standards so that fires don't spread too widely or rapidly in very large buildings and other structures. What they do is they integrate fire-proof barriers at critical points, which block air transfer and heat exchange, and therefore limit the damage that a fire can do.
Stay with me here; this might get a bit arcane....
Imagine if we could apple a similar concept to computing and networks. Imagine if, instead of air and heat exchange, we limited the transfer of data between segmented portions of a network. This 'firewall'—to coin a phrase—would provide us with the ability to operate with relative security, and we could therefore rest assured that the designated secure parts of the network remain secure, while still allowing access to less secure areas via some sort of notional 'gateway'.
Pie in the sky, I know. But still, as an exercise in theoretical modeling, it's fascinating.
Crumb's Corollary: Never bring a knife to a bun fight.
Buy a used CDC-6500.
My apartment complex has a recyclable weekend once or twice a year for tenants to drop off old electronics. The list of acceptable items include "mainframe" computers. I've been waiting for someone to drop off a mainframe computer. No one ever does. Out of 300+ apartments in Silicon Valley, you would think that someone would have an old mainframe computer that they weren't using.
You can build a gigabit one-way link out of three fiber optic transceivers for a few hundred dollars.
Place a tinfoil hat on each machine on your network. Voila! Problem solved.
Understand how their staff get/got into networks/sites going back to the 1950's and what could be expected into the 2020's.
Work out what products and services are now for sale or have been found in the wild and could be used to extract your secure data.
Methods are shared with other "trusted" nations, staff keep methods get sold/kept for later private sector work.
Very advanced and unexpected methods are on the open market, back market, out in the wild.
Look at how governments failed to secure their own data and why.
Internet-facing computers had plain text data so it could be shared with trusted contractors and other agencies.
Internet connected computers got found doing interesting things and interesting people collected all tools on "secure" staging systems by following the networks back.
A USB stick gets dropped around a site of interest so staff walk in and bypass all security.
Nobody smart thought to test the "modem" or "hard disk" or just trusted the altered computer hardware that got "shipped" in.
A company hires staff without vetting and staff walk out will all the data.
A company finds a very secure building but low cost cleaning staff hold doors open for "workers" who can use an elevator and tell a nice story about needing to get back in to their office.
A nice sale is made of advance private sector crypto that is junk due to government backdoors.
Work out who wants your secrets. Another nation? Your own nation? Competitor? Someone who can afford to hire ex and former clandestine service professionals? A long term dual citizen?
Groups on the internet with no funding but who have unlimited time and very advanced skills?
A cult? Faith? Political groups? Private sector competition? SJW with funding?
What will they want? Collect it all? Some files? Production work? Prototypes and concepts? Will they have an expert to guide them in your network? Or have to collect everything and sort/sell/copy later?
Look back at how the NSA and GCHQ finally learned how to kept their secrets in the 1970-80's
What did the security services finally get right and understand after decades of walk outs and complex staff issues? What failed with all the trust in contractors after the 1990's?
If your company or data is interesting or has value someone is going to be looking. Down a network, a walk in from the street or as new staff.
Keep your secrets using compartmentalization.
If a server needs to have internet facing work, make sure its only for that project. If it has to have everything on it, hire a really good cryptographer.
Someone who is working for you, not with the government, not part time for a university, not as contractor, not some outside brand, not for some other nation.
Try and secure your work and use the networks the best you can.
Try and keep any future projects away from the production networks.
Think about your modems, your storage, what hardware got "shipped" in over the years? Other nations and the clandestine services thought of all that.
Set up really interesting fake projects and see who asks or looks?
Mid and low ranking staff ask too many questions hinting at terms they should not know? Do they just want a promotion or are they trying to get access?
CCTV shows new people wondering around at strange times?
A USB device found? Someone wanting to do charity work or to sell something been on site a lot? They want to give a quick presentation from a usb stick?
Staff getting amazing new friends who really want to see their office? Data is collected by placing a trusted physical device internally well past any average protection.
After a while a type writer, paper, a vault and guards could be a good idea for the best ideas.
Fill your computer networks with encrypted bait and see what walks in or out.
Domestic spying is now "Benign Information Gathering"
Also be aware of physical collection. Someone could place collection hardware that works for a while and is them removes later. No network security swould see anything new or unexpected. Keep the site secure from new friends, strangers, new staff or harrower thats been in the post.
Domestic spying is now "Benign Information Gathering"
Adults with a lifetime history of gainful employment in the Bay Area don't live in apartments.
That's an interesting notion. I've been in my apartment for nearly 12 years, including when I was out of work for two years, underemployed for six months and filed for chapter seven bankruptcy. I had the option to break my lease but I didn't do so because my circumstances were temporary. The day after my bankruptcy finalized, I was working full time again.
If virtualization is too risky, maybe you need to consider total isolation: faraday cage and tinfoil hat. Anything you use to transfer files can be compromised and transfer malware.
If you're only concerned about mainstream exploits, then make your own custom file-shoveler solution: browse, etc. on a net exposed computer, download to an external hard drive, then switch the hard drive to the isolated PC and scan with whatever you trust before moving it into the "green zone." Drives aren't smart enough to execute malware, and presumably you're going to scan everything before you bring it in. Of course, one of the things you're going to have to update from the net on a regular basis is your updated virus pattern files from whoever it is that you trust to keep up to date on these things.
If you're really concerned that someone is specifically targeting you... you're screwed, there's no way to beat than other than to pay attention to everything, all the time, and even then the attacker has the upper hand.
The same goes for paper tape, cloads, etc. None and nothing is totally immune from tampering...... somehow.
This is why chains of authorities are so important, and why security certificate infrastructure and blockchain so useful..... until spoofed certificates and muddied blockchains are discovered.
Nothing is foolproof because fools are so ingenious.
---- Teach Peace. It's Cheaper Than War.
USB networking still exists.
It can be used so that the "secure" computer can see only one main directory (plus it's subdirectories) on the conventionally networked computer.
It has the added bonus that many machines have ports on the front so it can be plainly visible when the link is in place.
Why reinvent the wheel? If you really need this, you are probably employed at a place that can afford quality enterprise software. You can use Globalscape MFT with a DMZ host providing reverse proxy services, and enable FIPS 140-2 compliant mode encryption. It's not cheap, but it works great! You can even use workflows to run multiple antivirus engines on each file to ensure it is as virus-free as modern antivirus software is able to discern. If you are extremely concerned about personal security, your best bet is to avoid computers all together. If you must use a computer, remove the hard drive and use a Linux distribution on a bootable CD or DVD. Run an "owncloud" server on your own hardware, on your own Internet connection, to allow file transfer.
Whatever you do, don't program on a Mac. The malware is compatible with everything. Even alien motherships.
We have confidentiality standards, but that's not all of security. Nevertheless, having a B2-level machine between two mutually untrusting worlds provides you with a good place to review incoming exceutables and outgoing information. Do it using two humans, one called a sysadmin, the other a security administrator. Both must sign off before moving anything from one world (category/level, container) to another.
No go solve all the other problems in security (;-))
davecb@spamcop.net
Multiple points of failure along the way decrease overall security anyway.
And examine every packet carefully.
Security is a tradeoff between usability and safety. You can use Xwindows to work on one remote machine, then cut and paste information to another. You lock the ever living sin out of all three.. the machine in the middle is locked down to doing only segregated X server sessions, and unable to do ANYTHING else. This is a gigantic pain in the ass. But it does put some serious obstacles in the way of malware. But this is probably too onerous of a process to use.. if someone needed this level of security they would get someone with real experience to make a brutal solution. So figure out what data needs to come in. Figure out a sanitizing system for your data. Figure out what processing needs to happen. Figure out where that data needs to leave. You need to simplify the process down as much as possible, and then put serious limits on the way things flow through the system. Have a submit system that is only designed to take in a couple megabytes. Use cgroups to limit your individual daemons to just above that. Is the data only going to be [0-9A-Za-z] then put a filter on your incoming data. Use modules that know about "tainted" variables. Docker isn't too bad IF you go full se-linux hardening (total PITA)
That said, I'd love to be a fly on the wall when some collector approached the property manager or condo board to ask for permission to add 220V three cycle and a 2" water line to his residence so he can run his mainframe, water chiller/condensor and UPS
I need a wheelchair van for my son. Help me get the word out. https://www.gofundme.com/wheelchair-van-for-jj
It seems to me that we have a very simple and common piece of equipment for isolating one network from another while also allowing connectivity: a firewall.
You can get firewalls that scan traffic for patterns of attack, or compares the data being transferred against malware signatures. Granted, that's not perfect. It won't provide anything close to "perfect" security. But still, what do you anticipate your setup would provide that a good firewall wouldn't?
For example, you reference passing traffic through several Raspberry Pi devices, which essentially has each one acting as a firewall. Yeah, you can make all your internet traffic pass through multiple different firewalls, each with their own security scanning engines, but your adding expense and complexity for diminishing returns on improving security.
So what are you trying to do? What kind of security are you trying to provide, and what kind of attack vector are you anticipating?
...go through several Raspberry Pi computers running Linux; the computers could each use a different method of checking for malware
If you had a 100% effective way of checking for malware, then you wouldn't need to airgap your computer at all, just run this magical malware detector on the computer.
The thing about zero-day exploits is that since they are previously unknown, there's no way to catch them with any certainty.
If you want to keep your computer completely safe from network malware, keep it completely air gapped and off the network.
" I've been in my apartment for nearly 12 years"
You never even went for a walk outside?
I agree. He should definitely start going to storage locker auctions.
For the record, that is a joke. No, don't do this.
"So long and thanks for all the fish."
Install a wall, a really big (but beautiful) firewall.
Make sure that it is fully paid for by those on the other side.
At the firewall’s gate, deploy a large number of DHS-bots that will carefully inspect every single incoming packet, asking for their domain of residency, destination, MAC address where they intend to stay; question their purpose for coming, especially whether they are coming for pimping or terrorist activities; detect any involvement with social media accounts (and obtain associated passwords); and ascertain their true position on net neutrality. Discard any bits of raw meat or soil. Turn back any packets that profess disagreeable beliefs or are framed funny. In case of doubt, call IPSec immediately.
For outgoing packets, launch TSA processes instead to perform deep packet inspection. At that stage, it is customary to lose no more than 10% of the packets.
For extra security (at the expense of some performance), perform all networking purely within OSI model layers 8 (the convolution layer) and 9 (the administrative redundancy layer). You can regain some of the performance by connecting your Raspberry Pis in parallel rather than in series.
Microsoft has done some work around this on the Windows side.
They build a locked-down domain that requires Ipsec for all communication, and use it to build secure hosts called Privileged access workstations (PAWs) from known good media.
Their reference material is here:
http://aka.ms/cyberpaw
The configuration and software bits will obviously be different from Windows to Linux, but the underlying ideas should be the same.
Those are:
* restrict network communications with IPSec
* no internet access on the PAWs
* build everything in the red forest, including the PAWs, from known good media.
There has been a great deal of discussion about the "right" (tm) way to bring data into and out of the red forest. You can argue for moving this data in via bastion host file servers, but I don't like that. If I'm going to all of the trouble to air gap a network then I want it to be an air gap. That means USB sticks and sneakernet.
I'm not familiar with the intricacies of the recent Intel AMT vulnerabilities, but I _assume_ that requiring IPSec for communications at the OS layer won't prevent that vulnerability. I'd be delighted to be wrong.
.
(Save the Microsoft bashing for another post. I work for them. They buy my groceries. They aren't paying or pushing me to write this. In fact, I should be working.)
RFC 6214 - Adaptation of RFC 1149 for IPv6
It's important to have modern standards like IPv6 in your networks.
“Common sense is not so common.” — Voltaire
IPX on Token Ring, using Banyan Vines for file sharing. Run the server on OS/2. OpenVMS groupware.
Poor little virii won't know up from down.
My Other Computer Is A Data General Nova III.
He's practicing for the trip to Mars. He can prove he's got extensive experience at the most important part of the job.
You are literally asking what is the best way to "isolate" something, and then allow "data transfer" from that thing. The thing you are asking to allow completely negates the first action. These things are literally opposites.
Did this question make anyone else sad? I always wonder if this means today was a slow news day.
Optical fiber is the best option to allow large voltage differentials on data networks.
You can transmit data through nodes that have over 100 000 V potential difference.
aaaaaaa
ALSO use virtualization. Idiot.
You could just put the "very secure version of Linux" on all of the computers - problem solved or is it...
While there's a lot wrong with the Common Criteria process some of the underlying concepts are good. EAL7 essentially relies on the implementation of a security concept that is provably correct. This is opposed to trying to harden/secure a general purpose system. This is why people use Data Diodes, which are essentially one way network connections.
Security Concept = Only allow data to travel in one direction. You can then prove that data can't get from the high side to the low side
Implementation cut one of the fibres in a ethernet fibre connection allowing signal to travel in one direction and then make the network card think all is well. (Build a network stack that convert tcp to udp and spoof acks )
If you really want security design a system with these components.
Besides, even if you found a big iron jockey with the collectors bug who happened to live in an apartment or condo, where would he put it?
Well, exactly, that's why he'd be giving it away!
I am TheRaven on Soylent News
Note: AppleTalk is no longer supported in newer versions of macOS, so you might have problems connecting to alien motherships.
I am TheRaven on Soylent News
Actually, funny as your post is one thing that is pretty much true is that modern versions of mainframe OS's (Traditional like zOS or Unisys 2200 for example) are (to my knowledge) not vulnerable to all the malware or viruses that are out there.
Termites.
"Powers. I have them."
I have used various versions of the FWTK to isolate test networks. There is an independent version of the code here.
If you (can find and) use the old version, beware of the author's reflections on his code.
As this has long been abandonware, I'd say that all of this code should be running in a chroot() as nobody should you use it. Also note that you'll need the -m32 compiler flag (in addition to many other changes) to get a clean build.
There you have it.
Punchcards. So you can physically review the data to be entered.
(I'm only half kidding.)
Obviously the insecure one is still vunerable.
Read what I've written again, it's about the secure one being able to read and write on another machine and not the other way around.
Plus anything you can call a secure system is not compatible with Wannacry etc - there is only one vendor that sells a vunerable OS.
https://www.youtube.com/watch?... It's interesting to watch as a whole, but the takeaway is that if someone with basically infinite resources (i.e. NSA/CIA/GCHQ or whatever it's called in your part of the world) wants to get you then you are done. Quoth Rob Joyce from the video: "we own you"
That would put you just about half way into your nominal "three-score years and ten" What are you going to do with the next 40-50-60 years of your life?
Birds are not dinosaur descendants;birds are dinosaurs, for all useful meanings of "birds", "are" and "dinosaurs"
RFC 1149 is applicable here too. But you'd have to use Rocs or Elephant Birds to make intruding packets obvious evident.
Birds are not dinosaur descendants;birds are dinosaurs, for all useful meanings of "birds", "are" and "dinosaurs"
> Pie in the sky, I know. But still, as an exercise in theoretical modeling, it's fascinating.
except that all firewalls have been compromised. therefore, pie in the sky.
As Homer Simpson famously said, all good jokes have multiple layers. Just like information security schemas.
Crumb's Corollary: Never bring a knife to a bun fight.