Air Gap Network Explained

What is an Air Gap Network?

An air gap network is an isolated network that prevents or limits computer systems and networks from connecting to other networks. Air-gapped networks are used for systems that require strict security measures to limit the risk of security breaches or data compromise.

The diagram below is an example of an air-gapped network.

In this example, there are two physically separate networks. The open network has internet access, and the air gap network has no internet access and no access to the open network. It is a fully isolated network with no external connections and can communicate only with computers in its own network. No data can enter or leave the air gap network.

An air-gapped network can help protect against ransomware, data leakage, viruses, unwanted downloads, hackers, or other unauthorized access.

In the above diagram, a user clicked an email that downloaded ransomware from the internet. The ransomware spread to other computers in the open network but could not reach the air gap network. Because the air gap network had no connection to any other network, the ransomware was unable to infect its computer systems.

Air gap networks are often used for the following:

  • SCADA Systems
  • Power Grid
  • Military and government systems
  • Backup systems
  • HVAC devices
  • Classified data
  • Financial computer systems
  • Medical equipment

An organization can air gap any systems or networks it chooses.

Certain systems must be isolated to comply with regulations and standards such as NERC and PCI.

Air Gap Network Diagrams

There are different levels and designs for an air gap network; which one fits depends on your requirements. See the examples below.

Example 1: Fully Air-Gapped Network

In this example, the air gap network is fully isolated. It is on its own network with a separate network switch. None of the computers have internet access, and none can communicate with any other network. Policies can also be configured to prevent the use of portable media such as a USB drive.


Pros:

  • Most secure design
  • Allows no traffic in or out of the air gap network
  • Prevents data leaks
  • Prevents unauthorized remote access

Cons:

  • Not a realistic design for Windows operating systems
  • How would you keep systems updated?
  • No option to transfer data if needed

Example 2: Allow Data Transfer via Portable Media

In this example, you allow data to be transferred to an air-gapped computer by USB drive or other portable media. There are no changes to the network: it is still air-gapped and has no internet access or access to other networks.


Pros:

  • Allows no traffic in or out via the network
  • Prevents unauthorized remote access
  • Allows files to be transferred via portable media
  • Could possibly update computers via portable media

Cons:

  • Data can be moved in and out of the air-gapped network
  • Difficult to keep systems updated via portable media
  • Possible for viruses to enter via portable media. You will need to have a strict policy in place for usage

Example 3: Air Gap Network & Allow Windows Updates

In this example, a separate Windows update server has been placed into the air-gapped network and is allowed to communicate with the other server. This allows the air gap network server to receive updates and distribute them to the computers in its network.


Pros:

  • Allows Windows systems to be updated
  • Prevents unauthorized remote access
  • Limits network traffic in and out of the network

Cons:

  • No filtering of the traffic from the open network to the air gap network
  • If the update server is compromised, malicious traffic could enter the air gap network

Example 4: Air Gap with Firewall

In this example, a firewall is used to control inbound and outbound traffic for the air gap network. With a firewall in place, you can allow only the traffic that is needed. This would allow computers to access Active Directory to authenticate but block access to everything else.

With an enterprise firewall in place, I think this is the best option when you need to allow access outside of the air-gapped network. Most systems are going to need egress (outbound) network access so you should probably invest in a good firewall.


Pros:

  • Allows traffic in and out of the air gap network with a firewall
  • Inbound and outbound traffic can be filtered (scanned for malicious content)
  • Only allow the traffic needed. For example, allow port 389 to the Active Directory server. Limiting traffic to a specific IP address and port number will limit the risk.

Cons:

  • The firewall needs to be properly configured to be effective

Example 5: Air Gap with Two Firewalls

This is a popular design as it puts a separate physical firewall in each network, providing an additional layer of security for each network. As traffic moves from the open network, it is first filtered by firewall-1; if the traffic is allowed, it then moves to firewall-2 for inspection.


Pros:

  • Allows traffic in and out of the air gap network with a firewall
  • Traffic is filtered twice by two independent firewalls
  • Advanced firewalls can run deep packet inspection for additional filtering

Cons:

  • Extra cost for two firewalls
  • Additional configuration
  • Requires expert knowledge of enterprise firewalls
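
The "only allow the traffic needed" policy from Example 4 and the double filtering from Example 5 can be checked mechanically. The following is an added example, not part of the original article: the addresses, the choice of TCP for port 389, and the rule model (Rule, permits, overbroad, allowed_by_both) are hypothetical and stand in for a real firewall's exported rule set.

```python
import ipaddress
from dataclasses import dataclass

@dataclass(frozen=True)
class Rule:
    src: str    # source network, CIDR notation
    dst: str    # destination network, CIDR notation
    proto: str  # "tcp" or "udp"
    port: int   # destination port; 0 means "any port"

def permits(rules, src_ip, dst_ip, proto, port):
    """Default deny: a flow passes only if some rule explicitly matches it."""
    s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    return any(
        s in ipaddress.ip_network(r.src) and d in ipaddress.ip_network(r.dst)
        and r.proto == proto and r.port in (0, port)
        for r in rules
    )

def overbroad(rules):
    """Flag rules that are not pinned to one destination host and one port."""
    return [r for r in rules
            if r.port == 0 or ipaddress.ip_network(r.dst).num_addresses != 1]

def allowed_by_both(fw_a, fw_b, flow):
    """Example 5: a flow crosses only if both independent firewalls allow it."""
    return permits(fw_a, *flow) and permits(fw_b, *flow)

# Constructed addressing (assumption): air gap hosts in 10.50.0.0/24,
# Active Directory server at 192.168.10.5 in the open network.
AIRGAP, AD = "10.50.0.0/24", "192.168.10.5/32"
FW_AIRGAP = [Rule(AIRGAP, AD, "tcp", 389)]               # pinned to IP + port
FW_OPEN = [Rule(AIRGAP, AD, "tcp", 389),
           Rule(AIRGAP, "192.168.10.0/24", "tcp", 0)]    # misconfigured: any port

LDAP = ("10.50.0.21", "192.168.10.5", "tcp", 389)  # needed for authentication
SMB = ("10.50.0.21", "192.168.10.9", "tcp", 445)   # not needed, should be blocked

if __name__ == "__main__":
    print("over-broad rules on open-side firewall:", overbroad(FW_OPEN))
    for name, flow in (("LDAP", LDAP), ("SMB", SMB)):
        print(name, "open-side only:", permits(FW_OPEN, *flow),
              "| both firewalls:", allowed_by_both(FW_OPEN, FW_AIRGAP, flow))
```

The misconfigured rule lets the SMB flow through the open-side firewall alone, while the second, correctly pinned firewall still blocks it.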

How to Create an Air Gap Network

In most instances, an air gap network is created like any other network. The main difference is that it uses separate hardware and has no connectivity to other networks. There is no special configuration or equipment that makes a network air-gapped.

You could take a network switch, connect two computers, and as long as there is no connection to other networks you will have an air-gapped network.

A standalone computer with no connectivity can also be considered an air gap.

If you are allowed, I would recommend putting two firewalls in place to future-proof the air-gapped network. I’ve maintained a SCADA network that started out as fully isolated, and each year it required access to other networks and the internet. We eventually put in two FortiGate firewalls to help secure the SCADA network.
