What is an Air Gap?
Air Gap, also known as Air Gapped, Air Wall or disconnected network, is a high security concept. Its approach is to completely isolate a system by creating an "Air Gap" around the system. It's similar to a thermos bottle in which the contents are separated from the environment by a vacuum, allowing liquids in the bottle to remain hot or cold for longer. IT systems with very high security requirements are operated both logically and physically separated from other systems by an Air Gap. This means that they are not connected to a local network, the Internet or other IT systems. Data transfer to or from an air-gapped system is only possible using transportable storage media such as USB sticks. The air-gapped concept is often applied in these areas:
- Military or Intelligence
- Research facilities
- Critical infrastructure such as nuclear power plants or aviation safety
Types of Air Gaps
Essentially, there are three main ways to implement the Air Gap concept:
Absolute physical Air Gap
The "classic" variant where the system is completely physically isolated. The system has no network connections to the outside world, and for access, people must physically go to the system and usually cross extensive security barriers.
Relative physical Air Gap
In this variant, the system is not completely physically isolated since it is located, for example, in a data centre where there are external network connections. There, a single air-gapped server may be located in a rack along with servers connected to the Internet. However, the air-gapped server is not connected to the network.
Logical Air Gap
In this variant, separation is based on logical processes such as encryption, hashing and access controls.
The air-gap concept is softened somewhat when it is extended to several servers and connected workstations, for example in the form of an intranet. Workstations in particular, which nowadays often have access to the Internet, represent a security risk.
Challenges of the Air Gap concept
- Even this concept is not 100% secure:
- Information can be extracted by observing and analyzing electromagnetic radiation, energy demand, noise from read heads or similar.
- Humans as a security risk: For example, through social engineering.
- Infiltration of malicious code is possible by attacking the software supply chain.
- High effort is required to build and maintain an Air Gap:
- Updates within the air-gapped system are very costly; new versions of applications, for example, must be manually brought onto the system and then installed.
- Scalability within the system is difficult to achieve because automations necessary for scaling must be built within the system itself.
- There is no such thing as a 100% isolated IT system these days:
- There is pretty much always a system nearby, that is connected to the Internet or another, less secure network. This means that attackers can at least get close to an air-gapped system in order to attack the isolated system from there.
Facilitating software updates in an air-gapped network
The biggest of the aforementioned challenges is the high overhead of software updates, especially when operating not just a single server, but an entire network within an Air Gap. The inability to automatically update software due to lack of Internet access plays into the hands of attackers. For example, once they have gained access to an air-gapped network through social engineering, they can expand it all the more quickly through known vulnerabilities in old software versions.
The larger the air-gapped network, the more important it is to automate the distribution of updates as much as possible to keep the effort to a minimum and the software as up-to-date as possible. System administrators do not always have to build the automation themselves. For Microsoft products, for example, you can use the "Windows Server Update Service". For easy updates for software development and project management tools, the Cloudogu EcoSystem can be a solution.
You can learn more about the capabilities and benefits of running software tools in an air-gapped environment with Cloudogu EcoSystem in this blog article: Simplifying software updates in air-gapped environments with Cloudogu EcoSystem.