Slashdot Mirror


Ask Slashdot: Best Way To Isolate a Network And Allow Data Transfer?

Futurepower(R) writes: What is the best way to isolate a network from the internet and prevent intrusion of malware, while allowing carefully examined data transfer from internet-facing computers? An example of complete network isolation could be that each user would have two computers with a KVM switch and a monitor and keyboard, or two monitors and two keyboards. An internet-facing computer could run a very secure version of Linux. Any data to be transferred to that user's computer on the network would perhaps go through several Raspberry Pi computers running Linux; the computers could each use a different method of checking for malware. Windows computers on the isolated network could be updated using Autopatcher, so that there would never be a direct connection with the internet. Why not use virtualization? Virtualization does not provide enough separation; there is the possibility of vulnerabilities. Do you have any ideas about improving the example above?


  1. Answer by 110010001000 · · Score: 5, Insightful

    I'm going to answer the question even though Futurepower(R) is a schizophrenic nutjob. The answer is there is no way to do it. If a computer is on a network it isn't secure and it can't be isolated. A "network" is the antithesis of isolation. If you connect it to the Internet, game over man.

  2. Re: SneakerNET? by Entrope · · Score: 3, Insightful

    That's not nearly enough. Malware like Stuxnet shows how far attackers go to breach air gaps and similar forms of isolation. (SneakerNet is one, sometimes weak, form of air gap.)

  3. Isn't this what Qubes is for? by JBMcB · · Score: 5, Interesting

    Separates different browser and email tasks into virtualized jails.

    https://www.qubes-os.org/

    Kinda like Sandboxie. Speaking of which, sandboxie?

    --
    My Other Computer Is A Data General Nova III.
    1. Re:Isn't this what Qubes is for? by BaronM · · Score: 3, Interesting

      Yep, and it's almost usable, too. OTOH, Qubes is focused on the workstation. For network-level isolation, it's really hard to beat two firewalls from different manufacturers and code bases back-to-back.

      Think Internet--PaloAlto--Sophos UTM--LAN (Substitute any two other unrelated NG firewalls)

      Systems on the inside initiate all connections; no reaching in. That means having staging DBs, etc. on the outside that are polled from the inside by transfer routines that parse and validate everything outside of the application that receives the data. Anything that does not positively match expected input is dropped. If you really want to be serious, all systems log externally to a log host with WORM drives that has had the transmit pin on the NIC physically cut (mostly kidding -- hi Marcus!).

      Remote access is terminal services or equivalent to a concentrator on the outside and a second hop internally with separate authentication at each hop. Absolutely no VPN or other tunneling that supports direct traffic flow from outside to inside.

      SecurID or other token-based auth is mandatory.

      Stupidly expensive and a pain to configure and maintain correctly, but very secure. If you need to ask, you probably don't need it and can't afford it.
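      The pull-and-validate transfer routine BaronM describes, written out as an added example (this is not code from the thread or from any product named in it). The inside host polls a staging area that the outside writes to, and every record must positively match an allow-list schema before the consuming application ever sees it; anything else is dropped with a reason. The staging contents, the record layout and the field rules are all assumptions constructed for illustration.

```python
"""
Inside-initiated pull from an outside staging area with positive validation.
Added example; the record format, field rules and staging contents below
are constructed assumptions, not from the original thread.
"""
import json
import re
from typing import Any, Dict, List, Optional, Tuple

MAX_RECORD_BYTES = 4096

# Allow-list: every field has exactly one accepted shape.  A string rule is a
# full-match regex; a numeric rule is (exact type, min, max).
SCHEMA = {
    "order_id": re.compile(r"^[A-Z]{3}-\d{6}$"),
    "sku":      re.compile(r"^[A-Z0-9]{4,12}$"),
    "qty":      (int, 1, 10_000),
    "note":     re.compile(r"^[ -~]{0,200}$"),   # printable ASCII only, no control chars
}
REQUIRED = {"order_id", "sku", "qty"}


def _reject_duplicate_keys(pairs):
    # json.loads silently keeps the last duplicate key; treat duplicates as malformed.
    obj = {}
    for key, value in pairs:
        if key in obj:
            raise ValueError("duplicate key")
        obj[key] = value
    return obj


def validate_record(raw: bytes) -> Tuple[Optional[Dict[str, Any]], str]:
    """Return (record, "ok") or (None, reason).  Parsing happens outside the app."""
    if len(raw) > MAX_RECORD_BYTES:
        return None, "oversize"
    try:
        text = raw.decode("ascii")           # strict: anything non-ASCII is dropped
    except UnicodeDecodeError:
        return None, "non-ascii"
    try:
        obj = json.loads(text, object_pairs_hook=_reject_duplicate_keys)
    except ValueError:
        return None, "not-json"
    if not isinstance(obj, dict):
        return None, "not-object"
    if set(obj) - set(SCHEMA):
        return None, "unknown-field"
    if REQUIRED - set(obj):
        return None, "missing-field"
    out: Dict[str, Any] = {}
    for key, rule in SCHEMA.items():
        if key not in obj:
            continue
        val = obj[key]
        if isinstance(rule, tuple):
            typ, lo, hi = rule
            # type() not isinstance(): bool is an int subclass and must not pass
            if type(val) is not typ or not lo <= val <= hi:
                return None, f"bad-{key}"
        elif not isinstance(val, str) or not rule.fullmatch(val):
            return None, f"bad-{key}"
        out[key] = val
    return out, "ok"


def pull_from_staging(staging: Dict[str, bytes]) -> Tuple[List[Dict[str, Any]], List[Tuple[str, str]]]:
    """Inside pulls; outside never pushes.  Returns (accepted, [(name, reason), ...])."""
    accepted, dropped = [], []
    for name in sorted(staging):
        rec, reason = validate_record(staging[name])
        if rec is None:
            dropped.append((name, reason))
        else:
            accepted.append(rec)
    return accepted, dropped


# Constructed staging-area contents for the example
STAGING = {
    "001.json": b'{"order_id": "ABC-123456", "sku": "WIDGET1", "qty": 3}',
    "002.json": b'{"order_id": "ABC-123457", "sku": "WIDGET1", "qty": 3, "cmd": "rm -rf /"}',
    "003.json": b'{"order_id": "ABC-123458", "sku": "WIDGET1", "qty": "3"}',
    "004.json": b'{"order_id": "ABC-123459", "sku": "W", "qty": 1}',
    "005.bin":  b"\x7fELF...",
    "006.json": b'{"order_id": "ABC-123460", "sku": "GADGET22", "qty": 2, "note": "rush \\u001b[2J"}',
}

if __name__ == "__main__":
    ok, bad = pull_from_staging(STAGING)
    print("accepted:", ok)
    print("dropped:", bad)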

    2. Re:Isn't this what Qubes is for? by omnichad · · Score: 4, Funny

      that has had the transmit pin on the NIC physically cut

      ACK! What a terrible idea!

  4. uhhh by Fwipp · · Score: 5, Insightful

    Any data to be transferred to that user's computer on the network would perhaps go through several Raspberry Pi computers running Linux

    You are so incredibly out of your depth you don't even know it.

    1. Re:uhhh by whitlocktj · · Score: 2, Insightful

      This was exactly my thought when I read that line. This is so far off in left field, I'm not entirely sure what he thinks he'll inherently benefit from by using Raspberry Pi, let alone several of them.

    2. Re:uhhh by Frederic54 · · Score: 2

      He needs 7 RPi so he will be protected behind 7 proxies and cannot be h4x0red!!1!!!!!1!!

      --
      "Science will win because it works." - Stephen Hawking
  5. IPX/SPX by HornWumpus · · Score: 4, Funny

    Make the secure network IPX, nobody has seen it in 20 years, any malicious code running on the internet connected side won't even look for it.

    I know, security by obscurity...

    Also BSD not Linux.

    --
    John McAfee 'It was like that time I hired that Bangkok prostitute; to do my taxes, while I fucked my accountant'
  6. Re: SneakerNET? by ShanghaiBill · · Score: 4, Insightful

    Indeed. Any system, even if airgapped, can be penetrated, especially if there are insiders that can be bribed or blackmailed. It all comes down to deciding who you can trust. Do you trust your hardware? Do you trust the people that wrote Linux?

    The scenario described in TFA is silly. Using a computer as a firewall does not work as well as using a firewall as a firewall. A computer-as-firewall running a general purpose OS is going to have a much larger attack surface. If you aren't going to airgap, then get a real dedicated firewall, and then disable ALL the ports. Then use port knocking to open specific ports to encrypted communication with only pre-verified clients.

    If that isn't enough, then you can also wrap your computer in tin foil.
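    The port-knocking step ShanghaiBill mentions, as an added example that is not from the thread or from any firewall product: a tracker that watches SYNs to closed ports and only marks a source as allowed once it has hit the secret sequence in order, inside a time window, with any wrong port resetting progress (so a linear port sweep never completes the sequence). The knock ports, the window and the addresses are assumptions. Note that a plain knock sequence is sent in the clear and can be replayed by anyone who watches the wire, which is why it only makes sense as a gate in front of encrypted, separately authenticated sessions rather than as the authentication itself.

```python
"""
Port-knock sequence tracker.  Added example; KNOCK_SEQUENCE, WINDOW_SECONDS
and the source addresses used in the demo are assumptions for illustration.
"""
import time
from typing import Dict, Optional, Set, Tuple

KNOCK_SEQUENCE = (7000, 8000, 9000)   # assumed secret sequence of closed ports
WINDOW_SECONDS = 10.0                 # whole sequence must arrive within this


class KnockTracker:
    def __init__(self, sequence=KNOCK_SEQUENCE, window=WINDOW_SECONDS, clock=time.monotonic):
        self.sequence = tuple(sequence)
        self.window = window
        self.clock = clock
        # src -> (index of next expected knock, time of first knock)
        self._progress: Dict[str, Tuple[int, float]] = {}
        self.opened: Set[str] = set()   # sources for which the real port may be opened

    def observe(self, src: str, dport: int, now: Optional[float] = None) -> bool:
        """Feed one SYN to a closed port.  Returns True when src completes the sequence."""
        now = self.clock() if now is None else now
        idx, t0 = self._progress.get(src, (0, now))
        if idx > 0 and now - t0 > self.window:
            idx, t0 = 0, now            # stale partial sequence: start over
        if dport != self.sequence[idx]:
            # Wrong port resets progress; a sequential scanner hitting 7000 then
            # 7001 resets itself and never reaches 8000 at the right moment.
            self._progress.pop(src, None)
            return False
        idx += 1
        if idx == len(self.sequence):
            self._progress.pop(src, None)
            self.opened.add(src)        # here the firewall rule for src would be added
            return True
        self._progress[src] = (idx, t0)
        return False

    def close(self, src: str) -> None:
        """Revoke access, e.g. when the authenticated session ends."""
        self.opened.discard(src)


if __name__ == "__main__":
    k = KnockTracker(clock=lambda: 0.0)
    for port in KNOCK_SEQUENCE:
        print(port, k.observe("10.0.0.5", port, now=1.0))
    print("opened:", k.opened)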

  7. Using a data diode, and careful controls by Sycraft-fu · · Score: 4, Interesting

    If you really care about isolation, like the kind we are talking about for SIPRnet and so on then you need to use data diodes and controls.

    A data diode is a hardware device that only allows transfers in one direction. That way you can make sure that when you are bringing data in to the network, no egress can happen, and such. They are very specialty, and very expensive.

    However more important than that is proper controls. That means policies and procedures that are followed rigorously. You have to make sure that people are extremely careful with how data is moved from one network to another and what data is moved. You need a process that specifies things like who can decide data to be moved, who approves it, who reviews it, how this is all done and so on.

    If this is really important, well don't try to do it yourself based on some posts on Slashdot, you need to hire some experts. You also need to spend lots of time in the design and planning stages, you need to careful consider and document how everything will be set up and all the controls in place.
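    What "only one direction" means for the software on each side of a data diode, as an added example (not from the thread and not any vendor's protocol): the sender can never receive an ACK or a retransmit request, so each frame carries the transfer id, sequence number, total count and the SHA-256 of the whole file, and the sender's only answer to loss is to send every frame more than once. The receiver reassembles on its own, lists what is missing and refuses to hand over a file whose hash does not match. The frame layout, chunk size, repeat policy and the lossy channel are assumptions constructed for the example.

```python
"""
One-way (data diode) file transfer, sender and receiver sides.
Added example; frame layout, CHUNK size, the repeat policy and the
simulated lossy link are assumptions, not from the original thread.
"""
import hashlib
import struct
from typing import Dict, List, Optional

CHUNK = 1024
MAGIC = b"DIOD"
# frame = MAGIC | transfer_id(16) | seq(4) | total(4) | sha256(file)(32) | len(2) | payload
HDR = struct.Struct(">4s16sII32sH")


def send_frames(transfer_id: bytes, data: bytes, repeat: int = 2) -> List[bytes]:
    """Frames in the order they go onto the wire.  No feedback is possible, so the
    whole file is emitted `repeat` times, alternating direction so that a burst of
    loss at one point in the stream does not hit the same chunk every pass."""
    digest = hashlib.sha256(data).digest()
    chunks = [data[i:i + CHUNK] for i in range(0, len(data), CHUNK)] or [b""]
    frames = [HDR.pack(MAGIC, transfer_id, seq, len(chunks), digest, len(c)) + c
              for seq, c in enumerate(chunks)]
    wire: List[bytes] = []
    for r in range(repeat):
        wire += frames if r % 2 == 0 else frames[::-1]
    return wire


class Receiver:
    def __init__(self) -> None:
        self.transfers: Dict[bytes, dict] = {}

    def feed(self, frame: bytes) -> None:
        """Accept one frame off the wire; malformed frames are dropped silently
        because there is nobody to tell."""
        if len(frame) < HDR.size:
            return
        magic, tid, seq, total, digest, n = HDR.unpack_from(frame)
        payload = frame[HDR.size:]
        if magic != MAGIC or len(payload) != n or n > CHUNK or seq >= total:
            return
        t = self.transfers.setdefault(tid, {"total": total, "digest": digest, "chunks": {}})
        if t["total"] != total or t["digest"] != digest:
            return                      # header disagrees with earlier frames of this transfer
        t["chunks"].setdefault(seq, payload)   # first copy of a chunk wins

    def missing(self, tid: bytes) -> List[int]:
        t = self.transfers.get(tid)
        if t is None:
            return []
        return [s for s in range(t["total"]) if s not in t["chunks"]]

    def complete(self, tid: bytes) -> Optional[bytes]:
        """The reassembled file, or None if chunks are missing or the hash fails."""
        t = self.transfers.get(tid)
        if t is None or self.missing(tid):
            return None
        data = b"".join(t["chunks"][s] for s in range(t["total"]))
        return data if hashlib.sha256(data).digest() == t["digest"] else None


def lossy_channel(frames: List[bytes], drop_every: int) -> List[bytes]:
    """Constructed one-way link that loses every `drop_every`-th frame (0 = lossless)."""
    return [f for i, f in enumerate(frames) if drop_every == 0 or (i + 1) % drop_every != 0]


if __name__ == "__main__":
    data = bytes(range(256)) * 12           # 3072 bytes -> 3 chunks
    tid = b"\x01" * 16
    rx = Receiver()
    for f in lossy_channel(send_frames(tid, data, repeat=2), drop_every=3):
        rx.feed(f)
    print("missing:", rx.missing(tid), "ok:", rx.complete(tid) == data)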

    1. Re:Using a data diode, and careful controls by thegarbz · · Score: 3, Informative

      However more important than that is proper controls.

      This right here is the most important sentence in this entire Slashdot story. Security is not about patching, isolating, and airgapping. Security is a complex process that gets more and more complex the more people are involved.

      The best airgapped system will fall, the best designed DMZ will get infiltrated and even the masters of IT infiltration will fall victim to a malicious or ignorant insider if security processes and controls aren't in place.

  8. Re:Wait... whaaaa? by jonsmirl · · Score: 4, Funny

    Buy a used CDC-6500. Program it via punch cards. Wipe the memory between each job. I'd love to see malware that can attack a punch card deck. And you'd also have to know how to program a CDC-6500.

    https://www.geekwire.com/2013/...

  9. Re:Wait... whaaaa? by Anonymous Coward · · Score: 2, Informative

    Nah, you didn't have to go there.

    My point is that the solution to the author's problem has been available off the shelf for the past couple of decades.

    Trying to cobble together something that looks like a firewall from 'secure linux' on Raspberry Pi is just going to set you up for every fail that the industry has run into and solved.

    On the other hand, modern commercial firewalls have zones and sftp that satisfy the initial request, but face the same issues of designed-in frailties and owners who do not configure and patch them properly as any commercial product has these days.

  10. Foolishness. by Gravis+Zero · · Score: 4, Interesting

    What is the best way to isolate a network from the internet and prevent intrusion of malware, while allowing carefully examined data transfer from internet-facing computers?

    Print it out and type it back into the computer you want to transfer it to.

    Windows computers on the isolated network...

    If you are using Windows then you are forfeiting a major advantage: absolute control of your system. Windows cannot even be trusted to respect its own system settings, let alone be worthy of being trusted. You should be suspicious of software written by corporations because their motive is profit, not security or even user satisfaction.

    --
    Anons need not reply. Questions end with a question mark.
    1. Re:Foolishness. by thegarbz · · Score: 2

      Print it out and type it back into the computer you want to transfer it to.

      Just transfer it via serial port, and make sure you leave the software open when you're done since that will block access to the serial port preventing malicious software from using it.

  11. Re:Wait... whaaaa? by ShanghaiBill · · Score: 5, Interesting

    I'd love to see malware that can attack a punch card deck.

    Did you ever use card decks? It was a common joke to insert malware cards into someone's deck while they were using the restroom. The best counter-measure was to use a marker pen to make a big X on the edges of your deck, so you could visually see if it had been tampered with.

  12. Re:SneakerNET? by __aaclcg7560 · · Score: 2

    When a college roommate gave me an old IBM PC AT with MS-DOS from his computer surplus job, the first piece of software that I bought at the Egghead Software store was an anti-virus scanner for $25. My roommates gave me a hard time on the way home for purchasing a useless utility instead of a video game. Every PC and every floppy we shared in our apartment had viruses, which all came from the same source via SneakerNet.

  13. Re:Wait... whaaaa? by grcumb · · Score: 4, Funny

    Is it 1998?

    A useful metaphor in which to consider the problem might be a principle that's used to establish construction standards so that fires don't spread too widely or rapidly in very large buildings and other structures. What they do is they integrate fire-proof barriers at critical points, which block air transfer and heat exchange, and therefore limit the damage that a fire can do.

    Stay with me here; this might get a bit arcane....

    Imagine if we could apply a similar concept to computing and networks. Imagine if, instead of air and heat exchange, we limited the transfer of data between segmented portions of a network. This 'firewall'—to coin a phrase—would provide us with the ability to operate with relative security, and we could therefore rest assured that the designated secure parts of the network remain secure, while still allowing access to less secure areas via some sort of notional 'gateway'.

    Pie in the sky, I know. But still, as an exercise in theoretical modeling, it's fascinating.

    --
    Crumb's Corollary: Never bring a knife to a bun fight.
  14. Re:Wait... whaaaa? by __aaclcg7560 · · Score: 3, Funny

    Buy a used CDC-6500.

    My apartment complex has a recyclable weekend once or twice a year for tenants to drop off old electronics. The list of acceptable items include "mainframe" computers. I've been waiting for someone to drop off a mainframe computer. No one ever does. Out of 300+ apartments in Silicon Valley, you would think that someone would have an old mainframe computer that they weren't using.

  15. Read up on the NSA and GCHQ over the decades by AHuxley · · Score: 2

    Understand how their staff get/got into networks/sites going back to the 1950's and what could be expected into the 2020's.
    Work out what products and services are now for sale or have been found in the wild and could be used to extract your secure data.
    Methods are shared with other "trusted" nations; staff keep methods, which get sold/kept for later private sector work.
    Very advanced and unexpected methods are on the open market, black market, out in the wild.
    Look at how governments failed to secure their own data and why.
    Internet-facing computers had plain text data so it could be shared with trusted contractors and other agencies.

    Internet-connected computers got found doing interesting things, and interesting people collected all the tools on "secure" staging systems by following the networks back.
    A USB stick gets dropped around a site of interest so staff walk in and bypass all security.
    Nobody smart thought to test the "modem" or "hard disk" or just trusted the altered computer hardware that got "shipped" in.
    A company hires staff without vetting and staff walk out with all the data.
    A company finds a very secure building but low cost cleaning staff hold doors open for "workers" who can use an elevator and tell a nice story about needing to get back in to their office.
    A nice sale is made of advanced private sector crypto that is junk due to government backdoors.
    Work out who wants your secrets. Another nation? Your own nation? Competitor? Someone who can afford to hire ex and former clandestine service professionals? A long term dual citizen?
    Groups on the internet with no funding but who have unlimited time and very advanced skills?
    A cult? Faith? Political groups? Private sector competition? SJW with funding?
    What will they want? Collect it all? Some files? Production work? Prototypes and concepts? Will they have an expert to guide them in your network? Or have to collect everything and sort/sell/copy later?

    Look back at how the NSA and GCHQ finally learned how to keep their secrets in the 1970s-80s.
    What did the security services finally get right and understand after decades of walk outs and complex staff issues? What failed with all the trust in contractors after the 1990's?
    If your company or data is interesting or has value someone is going to be looking. Down a network, a walk in from the street, or as new staff.
    Keep your secrets using compartmentalization.
    If a server needs to have internet-facing work, make sure it's only for that project. If it has to have everything on it, hire a really good cryptographer.
    Someone who is working for you, not with the government, not part time for a university, not as a contractor, not some outside brand, not for some other nation.
    Try and secure your work and use the networks the best you can.
    Try and keep any future projects away from the production networks.
    Think about your modems, your storage, what hardware got "shipped" in over the years? Other nations and the clandestine services thought of all that.
    Set up really interesting fake projects and see who asks or looks?
    Mid and low ranking staff ask too many questions hinting at terms they should not know? Do they just want a promotion or are they trying to get access?
    CCTV shows new people wandering around at strange times?
    A USB device found? Someone wanting to do charity work or to sell something been on site a lot? They want to give a quick presentation from a USB stick?
    Staff getting amazing new friends who really want to see their office? Data is collected by placing a trusted physical device internally, well past any average protection.
    After a while a typewriter, paper, a vault and guards could be a good idea for the best ideas.
    Fill your computer networks with encrypted bait and see what walks in or out.

    --
    Domestic spying is now "Benign Information Gathering"
  16. Re:Wait... whaaaa? by postbigbang · · Score: 2

    The same goes for paper tape, cloads, etc. None and nothing is totally immune from tampering...... somehow.

    This is why chains of authorities are so important, and why security certificate infrastructure and blockchain so useful..... until spoofed certificates and muddied blockchains are discovered.

    Nothing is foolproof because fools are so ingenious.

    --
    ---- Teach Peace. It's Cheaper Than War.
  17. USB file transfer cables are still a thing by dbIII · · Score: 2

    USB networking still exists.
    It can be used so that the "secure" computer can see only one main directory (plus its subdirectories) on the conventionally networked computer.
    It has the added bonus that many machines have ports on the front so it can be plainly visible when the link is in place.

  18. There is commercial software to do this .. by coryhamma · · Score: 2

    Why reinvent the wheel? If you really need this, you are probably employed at a place that can afford quality enterprise software. You can use Globalscape MFT with a DMZ host providing reverse proxy services, and enable FIPS 140-2 compliant mode encryption. It's not cheap, but it works great! You can even use workflows to run multiple antivirus engines on each file to ensure it is as virus-free as modern antivirus software is able to discern. If you are extremely concerned about personal security, your best bet is to avoid computers altogether. If you must use a computer, remove the hard drive and use a Linux distribution on a bootable CD or DVD. Run an "owncloud" server on your own hardware, on your own Internet connection, to allow file transfer.

  19. Re:SneakerNET? by omnichad · · Score: 2

    Since it got formalized with an RFC.

  20. Re:Way Way Way too complicated by omnichad · · Score: 3, Insightful

    I've never heard of any malware jumping through an FTP connection.

    Any transfer protocol implementation could have buffer overflows or any vulnerability that anything else has. Why is FTP more magic than SMB?

  21. What's the goal? by nine-times · · Score: 2

    It seems to me that we have a very simple and common piece of equipment for isolating one network from another while also allowing connectivity: a firewall.

    You can get firewalls that scan traffic for patterns of attack, or compares the data being transferred against malware signatures. Granted, that's not perfect. It won't provide anything close to "perfect" security. But still, what do you anticipate your setup would provide that a good firewall wouldn't?

    For example, you reference passing traffic through several Raspberry Pi devices, which essentially has each one acting as a firewall. Yeah, you can make all your internet traffic pass through multiple different firewalls, each with their own security scanning engines, but you're adding expense and complexity for diminishing returns on improving security.

    So what are you trying to do? What kind of security are you trying to provide, and what kind of attack vector are you anticipating?

  22. Re: SneakerNET? by KGIII · · Score: 4, Informative

    That they ask this question, in this manner, makes me uncertain that they can even configure a dedicated appliance properly. They probably aren't even remotely familiar with a specific vendor's myriad choices and methods. Juniper is not the same as Cisco, for example.

    My suggestion is to hire a qualified professional. If they have to ask Slashdot, they are not a qualified professional. This is not meant to be an insult, they probably are very good at something else. If you're going to take security seriously, hire a professional. If you're not going to hire a professional, don't even bother trying something like this.

    If they don't hire a professional, and attempt this, they might just as well ready their PR team to deal with the near certain eventual outcome of data exfiltration. It's going to happen. Hire a damned professional and be prepared to buy some equipment.

    --
    "So long and thanks for all the fish."
  23. Microsoft ... by ElizabethGreene · · Score: 5, Interesting

    Microsoft has done some work around this on the Windows side.

    They build a locked-down domain that requires IPsec for all communication, and use it to build secure hosts called Privileged access workstations (PAWs) from known good media.

    Their reference material is here:
    http://aka.ms/cyberpaw

    The configuration and software bits will obviously be different from Windows to Linux, but the underlying ideas should be the same.

    Those are:
    * restrict network communications with IPSec
    * no internet access on the PAWs
    * build everything in the red forest, including the PAWs, from known good media.

    There has been a great deal of discussion about the "right" (tm) way to bring data into and out of the red forest. You can argue for moving this data in via bastion host file servers, but I don't like that. If I'm going to all of the trouble to air gap a network then I want it to be an air gap. That means USB sticks and sneakernet.

    I'm not familiar with the intricacies of the recent Intel AMT vulnerabilities, but I _assume_ that requiring IPsec for communications at the OS layer won't prevent that vulnerability. I'd be delighted to be wrong.
    (Save the Microsoft bashing for another post. I work for them. They buy my groceries. They aren't paying or pushing me to write this. In fact, I should be working.)

  24. Optical fiber is the best isolator. by stooo · · Score: 2

    Optical fiber is the best option to allow large voltage differentials on data networks.
    You can transmit data through nodes that have over 100 000 V potential difference.

    --
    aaaaaaa
  25. Re: SneakerNET? by Hognoxious · · Score: 3, Funny

    This is not meant to be an insult, they probably are very good at something else.

    Excellent. Consider that stolen.

    --
    Confucius say, "Find worm in apple - bad. Find half a worm - worse."
  26. Re:SneakerNET? by TheRaven64 · · Score: 2

    He's thinking of Microsoft's Sneaker.NET.

    --
    I am TheRaven on Soylent News
  27. FWTK by emil · · Score: 2

    I have used various versions of the FWTK to isolate test networks. There is an independent version of the code here.

    If you (can find and) use the old version, beware of the author's reflections on his code.

      As this has long been abandonware, I'd say that all of this code should be running in a chroot() as nobody, should you use it. Also note that you'll need the -m32 compiler flag (in addition to many other changes) to get a clean build.

  28. Re: SneakerNET? by lpq · · Score: 2

    My suggestion is to hire a qualified professional. If they have to ask Slashdot, they are not a qualified professional.

    Yeah -- they ask on stackoverflow.com... ;^/