Slashdot Mirror


Ask Slashdot: Best Way To Isolate a Network And Allow Data Transfer?

Futurepower(R) writes: What is the best way to isolate a network from the internet and prevent intrusion of malware, while allowing carefully examined data transfer from internet-facing computers? An example of complete network isolation could be that each user would have two computers with a KVM switch and a monitor and keyboard, or two monitors and two keyboards. An internet-facing computer could run a very secure version of Linux. Any data to be transferred to that user's computer on the network would perhaps go through several Raspberry Pi computers running Linux; the computers could each use a different method of checking for malware. Windows computers on the isolated network could be updated using Autopatcher, so that there would never be a direct connection with the internet. Why not use virtualization? Virtualization does not provide enough separation; there is the possibility of vulnerabilities. Do you have any ideas about improving the example above?

19 of 237 comments

  1. Answer by 110010001000 · · Score: 5, Insightful

    I'm going to answer the question even though Futurepower(R) is a schizophrenic nutjob. The answer is there is no way to do it. If a computer is on a network it isn't secure and it can't be isolated. A "network" is the antithesis of isolation. If you connect it to the Internet, game over man.

  2. Re: SneakerNET? by Entrope · · Score: 3, Insightful

    That's not nearly enough. Malware like Stuxnet shows how far attackers go to breach air gaps and similar forms of isolation. (SneakerNet is one, sometimes weak, form of air gap.)

  3. Isn't this what Qubes is for? by JBMcB · · Score: 5, Interesting

    Separates different browser and email tasks into virtualized jails.

    https://www.qubes-os.org/

    Kinda like Sandboxie. Speaking of which, sandboxie?

    --
    My Other Computer Is A Data General Nova III.

    1. Re:Isn't this what Qubes is for? by BaronM · · Score: 3, Interesting

      Yep, and it's almost usable, too. OTOH, Qubes is focused on the workstation. For network-level isolation, it's really hard to beat two firewalls from different manufacturers and code bases back-to-back.

      Think Internet--PaloAlto--Sophos UTM--LAN (Substitute any two other unrelated NG firewalls)

      Systems on the inside initiate all connections; no reaching in. That means having staging DBs, etc. on the outside that are polled from the inside by transfer routines that parse and validate everything outside of the application that receives the data. Anything that does not positively match expected input is dropped. If you really want to be serious, all systems log externally to a log host with WORM drives that has had the transmit pin on the NIC physically cut (mostly kidding -- hi Marcus!).

      Remote access is terminal services or equivalent to a concentrator on the outside and a second hop internally with separate authentication at each hop. Absolutely no VPN or other tunneling that supports direct traffic flow from outside to inside.

      SecureID or other token-based auth is mandatory.

      Stupidly expensive and a pain to configure and maintain correctly, but very secure. If you need to ask, you probably don't need it and can't afford it.
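The "parse and validate everything, drop anything that does not positively match" transfer routine described above, as an added Python example (not code from the commenter or any product). The staging records, the field schema and the limits are constructed for illustration; in practice the schema is whatever the receiving application actually needs and nothing more.

```python
import json
import re
from datetime import datetime, timezone

# Constructed sample: what an inside-initiated poller might pull from an
# outside staging store. Records 3 to 6 are deliberately malformed.
STAGING_RECORDS = [
    '{"id": "ORD-000123", "sku": "AB-1234", "qty": 3, "ts": "2024-01-05T10:22:31Z"}',
    '{"id": "ORD-000124", "sku": "ZZ-9999", "qty": 1, "ts": "2024-01-05T10:23:02Z"}',
    '{"id": "ORD-000125", "sku": "AB-1234", "qty": 3, "ts": "2024-01-05T10:23:40Z", "note": "x"}',
    '{"id": "ORD-000126; DROP TABLE orders", "sku": "AB-1234", "qty": 2, "ts": "2024-01-05T10:24:00Z"}',
    '{"id": "ORD-000127", "sku": "AB-1234", "qty": "3", "ts": "2024-01-05T10:24:10Z"}',
    'not json at all',
]

# Allow-list schema (constructed): every string field must fully match its pattern.
SCHEMA = {
    "id": re.compile(r"^ORD-\d{6}$"),
    "sku": re.compile(r"^[A-Z]{2}-\d{4}$"),
}
EXPECTED_FIELDS = {"id", "sku", "qty", "ts"}
MAX_RECORD_BYTES = 512
MAX_QTY = 1000


def validate(raw: str):
    """Return (True, clean_record) on a positive match, (False, reason) otherwise."""
    if len(raw.encode()) > MAX_RECORD_BYTES:
        return False, "oversize"
    try:
        obj = json.loads(raw)
    except ValueError:
        return False, "not json"
    if not isinstance(obj, dict):
        return False, "not an object"
    # Exactly the expected keys: extra fields are as suspicious as missing ones.
    if set(obj) != EXPECTED_FIELDS:
        return False, "unexpected or missing fields"
    for field, pattern in SCHEMA.items():
        if not isinstance(obj[field], str) or not pattern.fullmatch(obj[field]):
            return False, f"bad {field}"
    # type() rather than isinstance(): bool is a subclass of int and must not pass.
    if type(obj["qty"]) is not int or not 1 <= obj["qty"] <= MAX_QTY:
        return False, "bad qty"
    try:
        ts = datetime.strptime(obj["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    except ValueError:
        return False, "bad ts"
    # Rebuild the record from validated parts only; the raw text never passes through.
    clean = {"id": obj["id"], "sku": obj["sku"], "qty": obj["qty"], "ts": ts.isoformat()}
    return True, clean


def poll_staging(records):
    """Validate each staged record; return (accepted records, dropped (snippet, reason))."""
    accepted, dropped = [], []
    for raw in records:
        ok, result = validate(raw)
        if ok:
            accepted.append(result)
        else:
            dropped.append((raw[:40], result))
    return accepted, dropped


if __name__ == "__main__":
    acc, drop = poll_staging(STAGING_RECORDS)
    print(f"accepted {len(acc)}, dropped {len(drop)}")
    for snippet, why in drop:
        print(f"  dropped ({why}): {snippet}")
```

The validator runs on the inside, is not the application that consumes the data, and writes only freshly constructed records; a record that is merely "probably fine" is still dropped, which is the point of positive matching rather than blacklisting.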

    2. Re:Isn't this what Qubes is for? by omnichad · · Score: 4, Funny

      that has had the transmit pin on the NIC physically cut

      ACK! What a terrible idea!

  4. uhhh by Fwipp · · Score: 5, Insightful

    Any data to be transferred to that user's computer on the network would perhaps go through several Raspberry Pi computers running Linux

    You are so incredibly out of your depth you don't even know it.

  5. IPX/SPX by HornWumpus · · Score: 4, Funny

    Make the secure network IPX; nobody has seen it in 20 years, and any malicious code running on the internet-connected side won't even look for it.

    I know, security by obscurity...

    Also BSD not Linux.

    --
    John McAfee 'It was like that time I hired that Bangkok prostitute; to do my taxes, while I fucked my accountant'

  6. Re: SneakerNET? by ShanghaiBill · · Score: 4, Insightful

    Indeed. Any system, even if airgapped, can be penetrated, especially if there are insiders that can be bribed or blackmailed. It all comes down to deciding who you can trust. Do you trust your hardware? Do you trust the people that wrote Linux?

    The scenario described in TFA is silly. Using a computer as a firewall does not work as well as using a firewall as a firewall. A computer-as-firewall running a general purpose OS is going to have a much larger attack surface. If you aren't going to airgap, then get a real dedicated firewall, and then disable ALL the ports. Then use port knocking to open specific ports to encrypted communication with only pre-verified clients.

    If that isn't enough, then you can also wrap your computer in tin foil.

  7. Using a data diode, and careful controls by Sycraft-fu · · Score: 4, Interesting

    If you really care about isolation, like the kind we are talking about for SIPRnet and so on then you need to use data diodes and controls.

    A data diode is a hardware device that only allows transfers in one direction. That way you can make sure that when you are bringing data in to the network, no egress can happen, and such. They are very specialty, and very expensive.

    However more important than that is proper controls. That means policies and procedures that are followed rigorously. You have to make sure that people are extremely careful with how data is moved from one network to another and what data is moved. You need a process that specifies things like who can decide what data is to be moved, who approves it, who reviews it, how this is all done and so on.

    If this is really important, well don't try to do it yourself based on some posts on Slashdot, you need to hire some experts. You also need to spend lots of time in the design and planning stages, you need to carefully consider and document how everything will be set up and all the controls in place.
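Because nothing can flow back across a data diode, the receiving side can never ask for a retransmission: the sender has to make every chunk self-describing, and the receiver has to detect loss and corruption on its own and report it out of band. The following is an added Python illustration of that one-way framing, not code from the commenter or from any diode vendor; the link is simulated in memory, the chunk size and transfer id are constructed, and one frame is deliberately dropped to show gap detection.

```python
import hashlib
import struct

CHUNK = 64      # constructed: tiny chunk size so the sample produces several frames
MAGIC = b"DIOD"
# Frame layout (big-endian): magic(4) | transfer_id(4) | seq(4) | total(4) | len(2) | sha256(32) | payload
HEADER = struct.Struct(">4sIIIH32s")


def frame(transfer_id: int, data: bytes):
    """Split data into self-describing frames; a trailer (seq == total) carries the whole-file hash."""
    chunks = [data[i:i + CHUNK] for i in range(0, len(data), CHUNK)] or [b""]
    total = len(chunks)
    frames = []
    for seq, chunk in enumerate(chunks):
        hdr = HEADER.pack(MAGIC, transfer_id, seq, total, len(chunk), hashlib.sha256(chunk).digest())
        frames.append(hdr + chunk)
    digest = hashlib.sha256(data).digest()
    trailer = HEADER.pack(MAGIC, transfer_id, total, total, len(digest), hashlib.sha256(digest).digest())
    frames.append(trailer + digest)
    return frames


class Receiver:
    """Receive-only side: accepts frames, verifies each, and reports what is missing."""

    def __init__(self):
        self.transfers = {}  # transfer_id -> {"total": n, "chunks": {seq: bytes}, "file_hash": bytes or None}

    def feed(self, raw: bytes):
        if len(raw) < HEADER.size:
            return
        magic, tid, seq, total, length, digest = HEADER.unpack(raw[:HEADER.size])
        payload = raw[HEADER.size:HEADER.size + length]
        if magic != MAGIC or len(payload) != length or hashlib.sha256(payload).digest() != digest:
            return  # corrupt or foreign frame: discard; there is no channel to complain on
        t = self.transfers.setdefault(tid, {"total": total, "chunks": {}, "file_hash": None})
        if seq == total:
            t["file_hash"] = payload
        elif seq < total:
            t["chunks"][seq] = payload

    def status(self, tid):
        """Return ('complete'|'incomplete'|'hash mismatch'|'unknown', [missing seq numbers])."""
        t = self.transfers.get(tid)
        if t is None:
            return "unknown", []
        missing = [i for i in range(t["total"]) if i not in t["chunks"]]
        if missing or t["file_hash"] is None:
            return "incomplete", missing
        data = self.assemble(tid)
        return ("complete" if hashlib.sha256(data).digest() == t["file_hash"] else "hash mismatch"), []

    def assemble(self, tid):
        t = self.transfers[tid]
        return b"".join(t["chunks"][i] for i in range(t["total"]))


def simulate(data: bytes, drop_seq=None, tid=7):
    """Push frames across a simulated one-way link, optionally losing one frame in transit."""
    rx = Receiver()
    for f in frame(tid, data):
        _, _, seq, _, _, _ = HEADER.unpack(f[:HEADER.size])
        if seq != drop_seq:
            rx.feed(f)
    return rx.status(tid), rx


if __name__ == "__main__":
    SAMPLE = b"constructed sample payload " * 10   # 270 bytes -> 5 chunks plus trailer
    print(simulate(SAMPLE)[0])                     # ('complete', [])
    print(simulate(SAMPLE, drop_seq=2)[0])         # ('incomplete', [2])
```

The receiver's "incomplete, missing [2]" result is exactly what has to be carried back by the approved out-of-band process the comment describes (a person, a ticket, a second diode running the other way under its own controls); the software cannot and should not try to open a reverse path itself.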

    1. Re:Using a data diode, and careful controls by thegarbz · · Score: 3, Informative

      However more important than that is proper controls.

      This right here is the most important sentence in this entire Slashdot story. Security is not about patching, isolating, and airgapping. Security is a complex process that gets more and more complex the more people are involved.

      The best airgapped system will fall, the best designed DMZ will get infiltrated and even the masters of IT infiltration will fall victim to a malicious or ignorant insider if security processes and controls aren't in place.

  8. Re:Wait... whaaaa? by jonsmirl · · Score: 4, Funny

    Buy a used CDC-6500. Program it via punch cards. Wipe the memory between each job. I'd love to see malware that can attack a punch card deck. And you'd also have to know how to program a CDC-6500.

    https://www.geekwire.com/2013/...

  9. Foolishness. by Gravis+Zero · · Score: 4, Interesting

    What is the best way to isolate a network from the internet and prevent intrusion of malware, while allowing carefully examined data transfer from internet-facing computers?

    Print it out and type it back into the computer you want to transfer it to.

    Windows computers on the isolated network...

    If you are using Windows then you are forfeiting a major advantage: absolute control of your system. Windows cannot even be trusted to respect its own system settings, let alone be worthy of being trusted. You should be suspicious of software written by corporations because their motive is profit, not security or even user satisfaction.

    --
    Anons need not reply. Questions end with a question mark.

  10. Re:Wait... whaaaa? by ShanghaiBill · · Score: 5, Interesting

    I'd love to see malware that can attack a punch card deck.

    Did you ever use card decks? It was a common joke to insert malware cards into someone's deck while they were using the restroom. The best counter-measure was to use a marker pen to make a big X on the edges of your deck, so you could visually see if it had been tampered with.

  11. Re:Wait... whaaaa? by grcumb · · Score: 4, Funny

    Is it 1998?

    A useful metaphor in which to consider the problem might be a principle that's used to establish construction standards so that fires don't spread too widely or rapidly in very large buildings and other structures. What they do is they integrate fire-proof barriers at critical points, which block air transfer and heat exchange, and therefore limit the damage that a fire can do.

    Stay with me here; this might get a bit arcane....

    Imagine if we could apply a similar concept to computing and networks. Imagine if, instead of air and heat exchange, we limited the transfer of data between segmented portions of a network. This 'firewall'—to coin a phrase—would provide us with the ability to operate with relative security, and we could therefore rest assured that the designated secure parts of the network remain secure, while still allowing access to less secure areas via some sort of notional 'gateway'.

    Pie in the sky, I know. But still, as an exercise in theoretical modeling, it's fascinating.

    --
    Crumb's Corollary: Never bring a knife to a bun fight.

  12. Re:Wait... whaaaa? by __aaclcg7560 · · Score: 3, Funny

    Buy a used CDC-6500.

    My apartment complex has a recyclable weekend once or twice a year for tenants to drop off old electronics. The list of acceptable items include "mainframe" computers. I've been waiting for someone to drop off a mainframe computer. No one ever does. Out of 300+ apartments in Silicon Valley, you would think that someone would have an old mainframe computer that they weren't using.

  13. Re:Way Way Way too complicated by omnichad · · Score: 3, Insightful

    I've never heard of any malware jumping through an FTP connection.

    Any transfer protocol implementation could have buffer overflows or any vulnerability that anything else has. Why is FTP more magic than SMB?

  14. Re: SneakerNET? by KGIII · · Score: 4, Informative

    That they ask this question, in this manner, makes me uncertain that they can even configure a dedicated appliance properly. They probably aren't even remotely familiar with a specific vendor's myriad choices and methods. Juniper is not the same as Cisco, for example.

    My suggestion is to hire a qualified professional. If they have to ask Slashdot, they are not a qualified professional. This is not meant to be an insult, they probably are very good at something else. If you're going to take security seriously, hire a professional. If you're not going to hire a professional, don't even bother trying something like this.

    If they don't hire a professional, and attempt this, they might just as well ready their PR team to deal with the near certain eventual outcome of data exfiltration. It's going to happen. Hire a damned professional and be prepared to buy some equipment.

    --
    "So long and thanks for all the fish."

  15. Microsoft ... by ElizabethGreene · · Score: 5, Interesting

    Microsoft has done some work around this on the Windows side.

    They build a locked-down domain that requires IPsec for all communication, and use it to build secure hosts called Privileged Access Workstations (PAWs) from known good media.

    Their reference material is here:
    http://aka.ms/cyberpaw

    The configuration and software bits will obviously be different from Windows to Linux, but the underlying ideas should be the same.

    Those are:
    * restrict network communications with IPSec
    * no internet access on the PAWs
    * build everything in the red forest, including the PAWs, from known good media.

    There has been a great deal of discussion about the "right" (tm) way to bring data into and out of the red forest. You can argue for moving this data in via bastion host file servers, but I don't like that. If I'm going to all of the trouble to air gap a network then I want it to be an air gap. That means USB sticks and sneakernet.

    I'm not familiar with the intricacies of the recent Intel AMT vulnerabilities, but I _assume_ that requiring IPSec for communications at the OS layer won't prevent that vulnerability. I'd be delighted to be wrong.

    (Save the Microsoft bashing for another post. I work for them. They buy my groceries. They aren't paying or pushing me to write this. In fact, I should be working.)

  16. Re: SneakerNET? by Hognoxious · · Score: 3, Funny

    This is not meant to be an insult, they probably are very good at something else.

    Excellent. Consider that stolen.

    --
    Confucius say, "Find worm in apple - bad. Find half a worm - worse."