“An air gap is a network security measure that consists of ensuring that a secure computer network is physically isolated from unsecured networks, such as the public Internet or an unsecured local area network.” (Wikipedia)
Note the emphasis on the word physically.
Several forums, including a number of articles on Cyber Matters, have discussed whether a data diode is equivalent to an air gap in one direction. In reality you can argue it both ways.
In the blog Secure Delivery of a Payload we discussed how secure information exchange consists of two distinct elements: the information you need to convey – the payload, and the technical method used to carry the payload – the protocol. Attackers wishing to break into your network can exploit either of these: the protocol or the payload.
The previous blog looked at protecting against protocol-based attacks. In this blog we look at content-based attacks – attacks on the payload.
The Attack Vector
The principle behind a content-based attack is that, when delivered, the payload contains malware that causes the receiving system to do something unexpected, which the attacker can take advantage of – usually to gain access.
The most common and effective technical mitigations are:
- Patching – to remove known vulnerabilities from your applications
- Anti-Virus – to detect known malware
(Aside: This is why these two mitigations are fundamental to the UK Government's baseline security standard, Cyber Essentials)
However, both of these mitigations have one thing in common: they work on known problems. The skilled attacker that really wants to get you will exploit an unknown problem – the so-called zero-day.
To reduce this threat we can use the following techniques, first described in the White Paper Protecting confidential information using Data Diodes, which explores these concepts in much more depth.
- Accept the risk. Patching / Anti-Virus may be sufficient for the threat you face.
- Do very strict pattern matching on the payload, only accepting payloads recognised to be conformant (i.e. whitelisting). For example, only accept “text” files containing 7-bit ASCII characters. More advanced scenarios will perform strict schema checking on the file to ensure it conforms to an expected set of rules.
- Convert the payload itself. Essentially, take all information out of the source file, and create a new one with the same contents. The White Paper Preventing Document-Based Malware from Devastating your Business talks about this defense technique in much more depth.
- Do a combination of the above. For example: only accept JPEG files, convert those to PNG and drop all other payloads.
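As an added illustration of the whitelisting, conversion and combination techniques above (example code written for this post, not a Nexor product and not from the White Papers): the filter below accepts only two payload kinds, 7-bit ASCII text and a JSON record with a hypothetical fixed schema, drops everything else, and never forwards an accepted payload as received; a fresh file is always regenerated from the extracted content.

```python
import json
import re

# Whitelist for "text": printable 7-bit ASCII plus tab, CR and LF only.
# Anything else (NUL, ESC sequences, 8-bit bytes) fails the match.
TEXT_ALLOWED = re.compile(rb"[\x20-\x7e\t\r\n]*")

# Hypothetical record schema for this example: exact key set and types.
RECORD_SCHEMA = {"id": int, "subject": str}


def validate_text(data: bytes) -> bool:
    """Strict pattern match: the whole payload must be in the allowed set."""
    return TEXT_ALLOWED.fullmatch(data) is not None


def convert_text(data: bytes) -> bytes:
    """Rebuild a new text file from the decoded lines (normalised to LF)."""
    lines = data.decode("ascii").splitlines()
    return ("\n".join(lines) + "\n").encode("ascii")


def validate_record(data: bytes):
    """Schema check: ASCII JSON object, exact keys, exact types, no extras."""
    try:
        obj = json.loads(data.decode("ascii"))
    except (UnicodeDecodeError, ValueError):
        return None
    if not isinstance(obj, dict) or set(obj) != set(RECORD_SCHEMA):
        return None
    for key, typ in RECORD_SCHEMA.items():
        if type(obj[key]) is not typ:  # 'is not' also rejects bool for int
            return None
    return obj


def convert_record(obj: dict) -> bytes:
    """Create a brand-new JSON document from only the whitelisted fields."""
    fresh = {key: obj[key] for key in RECORD_SCHEMA}
    return (json.dumps(fresh, sort_keys=True) + "\n").encode("ascii")


def filter_payload(name: str, data: bytes):
    """Combination policy: (verdict, regenerated file or None)."""
    if name.endswith(".txt") and validate_text(data):
        return "accept", convert_text(data)
    if name.endswith(".json"):
        obj = validate_record(data)
        if obj is not None:
            return "accept", convert_record(obj)
    return "drop", None  # every other payload is discarded
```

Note that the accepted output is generated from scratch, so bytes in the original file that the validator did not examine (trailing data, unusual encodings) never reach the destination.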
One of the most difficult aspects of the above is not technical. It’s deciding which level of control is necessary and relevant to your business or application scenario – this is where Threat Analysis, as discussed in A Brief Introduction to Threat Analysis, fits. This is not easy, and it is why you need to consider engaging with experts who can help you understand your exact situation and advise on the right solution for it.
Do you have the right level of content protection in your business?
A secure information exchange consists of two distinct elements: the information you need to convey – the payload, and the technical method used to carry the payload – the protocol. Attackers wishing to break into your network can exploit either of these: the protocol or the payload.
In this blog we briefly look at protecting against protocol-based attacks. In a future blog we will look at content-based (payload) attacks.
Over the last 3-5 years Data Diodes have grown in popularity as a solution for moving data between isolated networks. With this has come creative marketing to leverage the term ‘Diode’ for solutions that are anything but.
Let’s just take a few moments to revise some of the fundamental modes of secure information exchange.
In this blog series, I have been exploring applications for Data Diodes. This week, I look at the issue of printing between different networks.
For the third article in the Data Diode blog series, I explore Audit and Monitoring between Domains.
In this blog series, I have been exploring applications for Data Diodes. This week, I look at the issue of getting Windows Updates into a segregated network — securely.
Guards and gateways are full application layer proxies that connect to two or more networks. They accept data passed on an inbound network interface, ‘process it’, and then pass data to the outbound network interface. The difference between the two is in the ‘process it’ step.
An article about a Nexor solution deployment in the FCO Services has been published in the Microsoft Technology in the Public Sector Magazine – Touch.
In this blog series, I will explore applications for Data Diodes. In the first of the series, we’ll look at providing secure access to remote CCTV cameras in unsecured locations.