Air gaps never exist (2011) (opens in new tab)

(gse-compliance.blogspot.com)

43 pointscba910y ago49 comments

49 comments

Doesn't "air gapped" imply physical separation? Putting a firewall, even if it's totally locked down, between two networks does not make it "air gapped".

delinka10y ago

You can get physical separation with WAPs, too...

kinghajj10y ago

Technically that's not physically separate, as photons are physical entities.

jimrandomh10y ago

> "How do you think I got the firmware updates? We just made an SSH tunnel over TCP 53 and proxied HTTP to the Sun website."

Sounds like the real problem was they didn't have a better mechanism for getting things like that in. If a security system stops people from doing their jobs, they'll poke a hole in it unless you provide a better option.

AnimalMuppet10y ago

> Sounds like the real problem was they didn't have a better mechanism for getting things like that in.

Any mechanism for getting things like that in is a break in the air gap, by definition. (Well, by a strict definition.) But at least a better mechanism would be managed by security policy, not by underlings' need to get their job done. (That is, the security policy would have to take into account the need for updates as well as the potential security implications of importing new executable code from outside.)

elchief10y ago

Pedantically, not a "gap" if there's a network cable going to another network...

jis10y ago

Years ago I was told by a colleague that he was required to setup an administrative system that was NOT connected the network, but also had to be able to send and receive e-mail.

The inherent contradiction was lost on the people giving the orders. So...

Nadya10y ago

Well he was an expert.. wasn't he?

https://www.youtube.com/watch?v=BKorP55Aqvg

(Draw seven perpendicular red lines)

3 more replies

tetraodonpuffer10y ago

if the requirement is just email, seems like it would be quite feasible to set something up so that the MTA on the administrative system tunnels the email to the MTA of something network-connected in a non-tcp/ip kind of way (PTP microwave/laser link, printer-carrier pigeon-scanner combo, ...) that just passes the message over while remaining air-gapped

1 more reply

pwg10y ago

UUCP delivered email (and Usenet and file transfers) for a very long time before full time network connections became the norm.

https://en.wikipedia.org/wiki/UUCP

So, it is possible to send/receive email without an always on network connection.

1 more reply

alkonaut10y ago

I thought "air gap" meant a machine or network that is physically separated (these days also without any radio connection) to other machines.

How can those not exist?

cba9OP10y ago

Perhaps you should read the submission. The larger point here is that even if you set up a network in the first place which is genuinely airgapped, as time passes and systems evolve there will be constant pressure from within and without to re-establish a network connection somewhere in order to make everyone's lives easier and eventually, whether deliberate or inadvertent, a connection will be made (and of course, we know that the NSA has a variety of infiltration and exfiltration methods to get across air gaps, such as dropping flash drives and waiting for an insider to be foolish enough to bring it inside).

Believing that an air gap exists or will continue to exist indefinitely is hence setting yourself up for some unpleasant surprises in the future, and encourages weak security designs where the network/system is crunchy on the outside and all delicious and soft and gooey on the inside. (Which is more secure, to have your local WiFi set up with WPA or whatever and have employees telnet into servers, or just go Google-style and have fully encrypted end to end links without requiring any belief in security of the links?)

vonmoltke10y ago

> Perhaps you should read the submission. The larger point here is that even if you set up a network in the first place which is genuinely airgapped, as time passes and systems evolve there will be constant pressure from within and without to re-establish a network connection somewhere in order to make everyone's lives easier and eventually, whether deliberate or inadvertent, a connection will be made (and of course, we know that the NSA has a variety of infiltration and exfiltration methods to get across air gaps, such as dropping flash drives and waiting for an insider to be foolish enough to bring it inside).

The article is not well written, and I personally had to parse it several times to figure out what he was trying to say. I'm still not even sure if this is the correct interpretation.

> Believing that an air gap exists or will continue to exist indefinitely is hence setting yourself up for some unpleasant surprises in the future, and encourages weak security designs where the network/system is crunchy on the outside and all delicious and soft and gooey on the inside. (Which is more secure, to have your local WiFi set up with WPA or whatever and have employees telnet into servers, or just go Google-style and have fully encrypted end to end links without requiring any belief in security of the links?)

That depends on your physical security. A facility like the one he described should have had regular security audits to verify that no hard lines were placed where they should not be. All hard lines and ports should have been marked with identifying information. Nobody should have been able to keep a line open for any significant period of time unless these processes broke down.

1 more reply

specialist10y ago

as time passes and systems evolve there will be constant pressure from within and without to re-establish a network connection somewhere

Thank you.

Proponents of electronic voting and tabulation (eg central count of physical ballots) enthuse about security, air-gapping, data diodes, etc.

Alas, it's turtles all the way down. Dig deep enough and you'll expose the fiction.

Then you're in the trap of explaining technology to policy makers, testifying against trained bureaucrats supported by an army of vendor sales minions defending their cheddar.

You can't win.

It's nutty making.

alkonaut10y ago

I tried parsing it several times but from what I understood, they established an Internet connection out from the air gapped network, without coming into the facility with a big reel of network cable. So it seemed the network wasn't physically disconnected after all?

An air gapped computer is pretty easy to create -- just disable the radios and don't connect any network cables to it.

A network would be much harder but the key has to be that there are no other non-air gapped machines in the same facility. If someone wants to bridge the gap it should be obvious by the cable coming in the door and running all the way up to the machine.

Obviously the kind of air-gapped networks I'm talking about are computers never involved in any internet business at all, the kind that operate power plants (or centrifuges...).

genericresponse10y ago

That's why you commit to multiple layers and types of defensive and recovery measures. Intelligence, preparation, prevention, prevention, prevention, monitoring, adaptation, more monitoring, effective response, well planned recovery.

kbenson10y ago

I'm pretty sure you missed another 2-3 prevention layers. Shit's pretty dire after you're past that layer.

_wldu10y ago

Air gaps can also be bridged by using radio or sound waves. There could be a bunch on non-networked computers in a secure lab all talking to each other. This assumes trojaned hardware and/or operating system software in the systems that can send and receive data and commands.

Finally, technology such as Morse Code is still useful in these scenarios. Dits and dahs. Zeros and ones. That's all you need to be able to send and recv data.

http://www.jocm.us/index.php?m=content&c=index&a=show&catid=...

http://www.wired.com/wp-content/uploads/2014/11/air-hopper-m...

hackuser10y ago

> the blue cables in gas filled tubes

Cat5/6 cables? Why would they be in gas-filled tubes?

cba9OP10y ago

Good question - I have no idea. But if I google 'gas-filled tube ethernet', I get a number of hits like http://en.tdk.eu/blob/174150/download/5/smd-surge-arresters-... and http://www.first-electronic.com/uploadfile/2010989552637708.... which suggest that these products are sold for networking purposes to prevent surges. Since this is in a military context, I would hazard a guess that this may be some sort of standard hardening requirement to try to protect the datacenter against lightning strikes, EMPs (such as from nuclear strikes), and general accidents. This may sound paranoid, but then again, so do Faraday cages, and it is the military - it's their job.

dkbrk10y ago

The wording didn't sound like he was talking about a gas-discharge tube for surge protection. Also, that wouldn't have anything to do with security.

I think what may be happening is the ethernet cable runs are in sealed tubes running at either positive or negative pressure so that if someone tries to breach the tube and splice onto the cable it would be detected by a pressure sensor.

1 more reply

undersuit10y ago

Other responder might be more right, but I was thinking about how hard it would be to discreetly tap into a ethernet cable when I have to break glass.

peterwwillis10y ago

https://webcache.googleusercontent.com/search?q=cache:wZ0Cex...

http://www.gocsc.com/userfiles/file/ortronics/whitepapergovt...

https://security.stackexchange.com/questions/10447/is-the-us...

I'm honestly not familiar with these kinds of facilities, but with a potential "Collateral Confidential" type cable, one could imagine a gas-filled tube being a countermeasure of some sort.

jessaustin10y ago

For instance if the gas were poisonous?

1 more reply

SpikeGronim10y ago

You can pressurize the gas and put a barometer in the tube in order to detect any breach of the tube. This was used during the cold war and the NSA tapped the communications cable anyway by filling the space around the tube with gas as well. Source: James Bamford's books on the NSA.

wallaceowen2110y ago

Back in the early days of Ethernet there were fiber to AUI widgets, that used 2 multimode fibers, one for TX, one for RX. We used these on classified systems with ony RX connected - we could send data in to these systems over UDP, and it was truly a one-way path.

munin10y ago

> I have seem so many kludges connecting SIPPER and NIPPER networks

I don't know how much I trust someone who can't even get the acronym for SIPR and NIPR right (https://en.wikipedia.org/wiki/SIPRNet https://en.wikipedia.org/wiki/NIPRNet)

andreyf10y ago

from the link: "SIPRNet and NIPRNet are referred to colloquially as sipper-net and nipper-net (or simply sipper and nipper), respectively"

munin10y ago

when you pronounce them, sure, but why capitalize them like an acronym, but mis-spell the acronym?

1 more reply

j / k navigate · click thread line to collapse

49 comments

tlrobinson10y ago

Doesn't "air gapped" imply physical separation? Putting a firewall, even if it's totally locked down, between two networks does not make it "air gapped".

delinka10y ago

You can get physical separation with WAPs, too...

kinghajj10y ago

Technically that's not physically separate, as photons are physical entities.

jimrandomh10y ago

> "How do you think I got the firmware updates? We just made an SSH tunnel over TCP 53 and proxied HTTP to the Sun website."

AnimalMuppet10y ago

> Sounds like the real problem was they didn't have a better mechanism for getting things like that in.

elchief10y ago

Pedantically, not a "gap" if there's a network cable going to another network...

jis10y ago

Years ago I was told by a colleague that he was required to setup an administrative system that was NOT connected the network, but also had to be able to send and receive e-mail.

The inherent contradiction was lost on the people giving the orders. So...

Nadya10y ago

Well he was an expert.. wasn't he?

https://www.youtube.com/watch?v=BKorP55Aqvg

(Draw seven perpendicular red lines)

3 more replies

tetraodonpuffer10y ago

1 more reply

pwg10y ago

UUCP delivered email (and Usenet and file transfers) for a very long time before full time network connections became the norm.

https://en.wikipedia.org/wiki/UUCP

So, it is possible to send/receive email without an always on network connection.

1 more reply

alkonaut10y ago

I thought "air gap" meant a machine or network that is physically separated (these days also without any radio connection) to other machines.

How can those not exist?

cba9OP10y ago

vonmoltke10y ago

The article is not well written, and I personally had to parse it several times to figure out what he was trying to say. I'm still not even sure if this is the correct interpretation.

1 more reply

specialist10y ago

as time passes and systems evolve there will be constant pressure from within and without to re-establish a network connection somewhere

Thank you.

Proponents of electronic voting and tabulation (eg central count of physical ballots) enthuse about security, air-gapping, data diodes, etc.

Alas, it's turtles all the way down. Dig deep enough and you'll expose the fiction.

Then you're in the trap of explaining technology to policy makers, testifying against trained bureaucrats supported by an army of vendor sales minions defending their cheddar.

You can't win.

It's nutty making.

alkonaut10y ago

An air gapped computer is pretty easy to create -- just disable the radios and don't connect any network cables to it.

Obviously the kind of air-gapped networks I'm talking about are computers never involved in any internet business at all, the kind that operate power plants (or centrifuges...).

genericresponse10y ago

kbenson10y ago

I'm pretty sure you missed another 2-3 prevention layers. Shit's pretty dire after you're past that layer.

_wldu10y ago

Finally, technology such as Morse Code is still useful in these scenarios. Dits and dahs. Zeros and ones. That's all you need to be able to send and recv data.

http://www.jocm.us/index.php?m=content&c=index&a=show&catid=...

http://www.wired.com/wp-content/uploads/2014/11/air-hopper-m...

hackuser10y ago

> the blue cables in gas filled tubes

Cat5/6 cables? Why would they be in gas-filled tubes?

cba9OP10y ago

dkbrk10y ago

The wording didn't sound like he was talking about a gas-discharge tube for surge protection. Also, that wouldn't have anything to do with security.

1 more reply

undersuit10y ago

Other responder might be more right, but I was thinking about how hard it would be to discreetly tap into a ethernet cable when I have to break glass.

peterwwillis10y ago

https://webcache.googleusercontent.com/search?q=cache:wZ0Cex...

http://www.gocsc.com/userfiles/file/ortronics/whitepapergovt...

https://security.stackexchange.com/questions/10447/is-the-us...

I'm honestly not familiar with these kinds of facilities, but with a potential "Collateral Confidential" type cable, one could imagine a gas-filled tube being a countermeasure of some sort.

jessaustin10y ago

For instance if the gas were poisonous?

1 more reply

SpikeGronim10y ago

wallaceowen2110y ago

munin10y ago

> I have seem so many kludges connecting SIPPER and NIPPER networks

I don't know how much I trust someone who can't even get the acronym for SIPR and NIPR right (https://en.wikipedia.org/wiki/SIPRNet https://en.wikipedia.org/wiki/NIPRNet)

andreyf10y ago

from the link: "SIPRNet and NIPRNet are referred to colloquially as sipper-net and nipper-net (or simply sipper and nipper), respectively"

munin10y ago

when you pronounce them, sure, but why capitalize them like an acronym, but mis-spell the acronym?

1 more reply

j / k navigate · click thread line to collapse