Ask Slashdot: Best Way To Isolate a Network And Allow Data Transfer?
Futurepower(R) writes: What is the best way to isolate a network from the internet and prevent intrusion of malware, while allowing carefully examined data transfer from internet-facing computers? An example of complete network isolation could be that each user would have two computers with a KVM switch and a monitor and keyboard, or two monitors and two keyboards. An internet-facing computer could run a very secure version of Linux. Any data to be transferred to that user's computer on the network would perhaps go through several Raspberry Pi computers running Linux; the computers could each use a different method of checking for malware. Windows computers on the isolated network could be updated using Autopatcher, so that there would never be a direct connection with the internet. Why not use virtualization? Virtualization does not provide enough separation; there is the possibility of vulnerabilities. Do you have any ideas about improving the example above?
I'm going to answer the question even though Futurepower(R) is a schizophrenic nutjob. The answer is there is no way to do it. If a computer is on a network it isn't secure and it can't be isolated. A "network" is the antithesis of isolation. If you connect it to the Internet, game over man.
Separates different browser and email tasks into virtualized jails.
https://www.qubes-os.org/
Kinda like Sandboxie. Speaking of which, sandboxie?
My Other Computer Is A Data General Nova III.
Any data to be transferred to that user's computer on the network would perhaps go through several Raspberry Pi computers running Linux
You are so incredibly out of your depth you don't even know it.
I'd love to see malware that can attack a punch card deck.
Did you ever use card decks? It was a common joke to insert malware cards into someone's deck while they were using the restroom. The best counter-measure was to use a marker pen to make a big X on the edges of your deck, so you could visually see if it had been tampered with.
Microsoft has done some work around this on the Windows side.
They build a locked-down domain that requires IPsec for all communication, and use it to build secure hosts called Privileged Access Workstations (PAWs) from known good media.
Their reference material is here:
http://aka.ms/cyberpaw
The configuration and software bits will obviously be different from Windows to Linux, but the underlying ideas should be the same.
Those are:
* restrict network communications with IPsec
* no internet access on the PAWs
* build everything in the red forest, including the PAWs, from known good media.
There has been a great deal of discussion about the "right" (tm) way to bring data into and out of the red forest. You can argue for moving this data in via bastion host file servers, but I don't like that. If I'm going to all of the trouble to air gap a network then I want it to be an air gap. That means USB sticks and sneakernet.
I'm not familiar with the intricacies of the recent Intel AMT vulnerabilities, but I _assume_ that requiring IPSec for communications at the OS layer won't prevent that vulnerability. I'd be delighted to be wrong.
(Save the Microsoft bashing for another post. I work for them. They buy my groceries. They aren't paying or pushing me to write this. In fact, I should be working.)
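Both the question (data passing through several independent checking stages before it reaches the isolated network) and the PAW comment above (data carried in by USB stick and sneakernet) leave the same gap: something on the isolated side still has to decide which files get in. The following is an added example of such an import gate, written for this thread; it is not code from the original post, from Slashdot, or from Microsoft's PAW material. It assumes files arrive in a staging directory together with a manifest of SHA-256 hashes that the export side authenticated with an HMAC key held only by the two sides; every function name, constant, key and sample file in it is constructed for illustration.

```python
"""Staged import gate for files carried across an air gap (added example).

Assumed layout (not from the thread): a staging directory holds the files,
a manifest.json of {name: sha256}, and manifest.sig, an HMAC-SHA256 tag over
the manifest bytes.  Each stage is an independent function so the stages
can be split across separate hosts, as the question's Raspberry Pi chain
suggests; a file is accepted only if every stage returns no objection.
"""
import hashlib
import hmac
import json
import tempfile
from pathlib import Path

MAX_BYTES = 10 * 1024 * 1024  # constructed size limit for one file

# Allow-list by extension AND leading magic bytes; None means plain text,
# which is checked by decoding as UTF-8 instead of by a signature.
ALLOWED = {
    ".pdf": b"%PDF-",
    ".png": b"\x89PNG\r\n\x1a\n",
    ".txt": None,
}


def verify_manifest(staging, key):
    """Stage 1: authenticate the manifest; a bad tag refuses the whole batch."""
    raw = (staging / "manifest.json").read_bytes()
    tag = (staging / "manifest.sig").read_text().strip()
    expected = hmac.new(key, raw, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("manifest signature mismatch: refusing whole batch")
    return json.loads(raw)


def check_name(name):
    """Stage 2: reject path tricks, hidden files and non-allow-listed types."""
    p = Path(name)
    if p.name != name or name.startswith(".") or ".." in name:
        return "unsafe file name"
    if p.suffix.lower() not in ALLOWED:
        return "extension %r not allow-listed" % p.suffix
    return None


def check_content(name, data):
    """Stage 3: size limit, then content must match the type the name claims."""
    if len(data) > MAX_BYTES:
        return "too large"
    magic = ALLOWED[Path(name).suffix.lower()]
    if magic is None:
        try:
            data.decode("utf-8")
        except UnicodeDecodeError:
            return "claimed text but not valid UTF-8"
    elif not data.startswith(magic):
        return "content does not match claimed type"
    return None


def import_batch(staging, key):
    """Run every file in the staging directory through all stages; return verdicts."""
    staging = Path(staging)
    manifest = verify_manifest(staging, key)
    verdicts = {}
    for entry in staging.iterdir():
        if entry.name in ("manifest.json", "manifest.sig"):
            continue
        data = entry.read_bytes()
        if entry.name not in manifest:
            verdicts[entry.name] = "not in signed manifest"
        elif hashlib.sha256(data).hexdigest() != manifest[entry.name]:
            verdicts[entry.name] = "hash mismatch"
        else:
            reason = check_name(entry.name) or check_content(entry.name, data)
            verdicts[entry.name] = reason or "accepted"
    return verdicts


def build_sample_batch(directory, key):
    """Write a constructed sample batch (not real data) into `directory`."""
    d = Path(directory)
    files = {
        "report.pdf": b"%PDF-1.4\n% constructed sample\n",
        "notes.txt": b"plain notes\n",
        "photo.png": b"MZ\x90\x00 not really a png",  # claims .png, is not
        "tool.exe": b"MZ\x90\x00",                     # type not allow-listed
        "tampered.txt": b"original text\n",
    }
    for name, data in files.items():
        (d / name).write_bytes(data)
    manifest = {n: hashlib.sha256(b).hexdigest() for n, b in files.items()}
    raw = json.dumps(manifest, sort_keys=True).encode()
    (d / "manifest.json").write_bytes(raw)
    (d / "manifest.sig").write_text(hmac.new(key, raw, hashlib.sha256).hexdigest())
    # Simulate a file altered after signing and an unlisted file slipped onto the stick.
    (d / "tampered.txt").write_bytes(b"modified in transit\n")
    (d / "extra.bin").write_bytes(b"\x00\x01")
    return d


def demo():
    """Build the constructed batch and import it with the matching key."""
    key = b"constructed-demo-key-do-not-reuse"
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_batch(tmp, key)
        return import_batch(tmp, key)


def rejects_wrong_key():
    """True when a batch signed with another key is refused outright."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_batch(tmp, b"key-A")
        try:
            import_batch(tmp, b"key-B")
        except ValueError:
            return True
        return False


if __name__ == "__main__":
    for name, verdict in sorted(demo().items()):
        print("%-14s %s" % (name, verdict))
```

Two design points match the thread's reasoning. The manifest stage refuses the entire batch on a bad tag rather than accepting the files that happen to hash correctly, because an attacker who can alter the stick can also alter the manifest, so the tag is the only thing the isolated side can trust. And types are allow-listed by magic bytes as well as extension, so `photo.png` carrying executable bytes is rejected even though its hash is exactly what the manifest promised; the hash proves the file is what left the internet-facing side, not that it was safe to begin with, which is why this gate complements the per-host malware checks the question proposes rather than replacing them.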