Having a network that is air-gapped, physically disconnected from the rest of the world, is certainly more secure than having one that is connected: if there is no connection, how can a remote attacker gain access?
But that does not mean there are no vulnerabilities, and the network still needs to be checked to ensure that it is secure. An air-gapped network is only one device or one misconfiguration away from being turned into a connected one. So, ensuring that an air-gapped network stays air-gapped is key to ensuring its security.
The enhanced security of these networks is achieved by physically isolating them from external networks, reducing the risk of remote attacks. This isolation can help prevent unauthorized access but can also hinder traditional methods of vulnerability scanning.
The challenges of vulnerability management in air-gapped networks
There are unique challenges for SOC and NOC teams to manage and secure these networks. While they are more secure by design, the very factors that make them more secure can also make them harder to manage.
With an air-gapped network there is often limited access to real-time threat intelligence, meaning that it is harder to prioritize risks to the network. Any patches and updates need to be carried out manually, adding extra time to an already time-consuming process.
These factors, combined with the limitations of vulnerability scanners when checking air-gapped networks, mean that it can be harder to identify, prioritize and remediate vulnerabilities and misconfigurations within an air-gapped network.
What’s the threat to air-gapped networks?
The most well-known attack on an air-gapped network is probably the Stuxnet attack, where a flash drive carrying the malicious worm infected Windows machines within Iran, targeting industrial control systems and causing damage to nuclear centrifuges.
It shows that air-gapping a network does not make it completely secure, and that these networks still require regular monitoring to ensure that they remain secure.
What is best practice for air-gapped networks?
Best practice for an air-gapped network is identical to best practice for any other network.
- Inventory management / asset identification. First, you have to know what is on the network (and what shouldn’t be on there!)
- Segmentation. Although the network is air-gapped, it does not need to remain flat. Segmenting the air-gapped network means that in the event of an infection the threat is contained and further spread is prevented, because each segment’s attack surface is kept as small as possible.
- Carry out regular audits as necessary (routers and switches as well as firewalls)
- Remediation prioritization – when you know where the vulnerabilities and misconfigurations are, then risk prioritized remediation is key to dealing with the biggest threats first.
- Education and training. Ensuring that the people interacting with the air-gapped network know and follow the security policies and procedures is essential to maintaining a secure network.
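The first two practices above (knowing what is on the network, and catching the one misconfiguration that bridges the gap) can be checked mechanically. The script below is an added example, not code from the article or from Nipper; it compares a constructed switch MAC-table dump against a constructed approved inventory, then scans a constructed IOS-style router configuration for settings that would turn an air-gapped enclave into a connected one (a default route to an external next hop, an interface addressed outside the enclave's prefixes, NAT, and an enabled management web service). The inventory, the MAC table, the configuration text, the enclave prefix `10.50.0.0/16` and the severity labels are all assumptions made for the example.

```python
"""Added example: two air-gap checks on constructed sample data (not Nipper's code)."""
import ipaddress
import re

# Approved asset inventory (constructed sample): hostname -> MAC address.
APPROVED_ASSETS = {
    "hmi-01": "00:11:22:33:44:01",
    "plc-01": "00:11:22:33:44:02",
    "eng-ws-01": "00:11:22:33:44:03",
}

# What a switch actually reports (constructed sample MAC-table dump).
OBSERVED_MAC_TABLE = """\
Vlan    Mac Address       Type        Ports
  10    0011.2233.4401    DYNAMIC     Gi1/0/1
  10    0011.2233.4402    DYNAMIC     Gi1/0/2
  20    0011.2233.4403    DYNAMIC     Gi1/0/3
  20    3c5a.b4de.ad01    DYNAMIC     Gi1/0/24
"""

# Constructed IOS-style configuration fragment for the enclave's edge router.
SAMPLE_CONFIG = """\
hostname enclave-rtr-01
ip http server
!
interface GigabitEthernet0/0
 description OT enclave
 ip address 10.50.0.1 255.255.255.0
!
interface GigabitEthernet0/1
 description temporary vendor uplink
 ip address 192.0.2.10 255.255.255.0
 ip nat outside
!
ip route 0.0.0.0 0.0.0.0 192.0.2.1
"""

# Prefixes the air-gapped enclave is allowed to use (assumption for the example).
INTERNAL_PREFIXES = [ipaddress.ip_network("10.50.0.0/16")]


def normalize_mac(mac: str) -> str:
    """Turn 0011.2233.4401 or 00-11-22-33-44-01 into 00:11:22:33:44:01."""
    digits = re.sub(r"[^0-9a-fA-F]", "", mac).lower()
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


def find_unapproved_devices(mac_table: str, approved: dict) -> list:
    """Return (mac, vlan, port) for every observed MAC not in the inventory."""
    known = {normalize_mac(m) for m in approved.values()}
    unknown = []
    for line in mac_table.splitlines():
        m = re.match(r"\s*(\d+)\s+([0-9a-fA-F.]{14})\s+\S+\s+(\S+)", line)
        if not m:
            continue  # header or blank line
        vlan, mac, port = m.groups()
        mac = normalize_mac(mac)
        if mac not in known:
            unknown.append((mac, int(vlan), port))
    return unknown


def is_internal(addr: str) -> bool:
    """True if the address falls inside one of the enclave's own prefixes."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in INTERNAL_PREFIXES)


def audit_config(config: str) -> list:
    """Return (severity, finding) pairs for settings that would bridge the air gap."""
    findings = []
    current_if = None  # interface whose stanza we are currently inside
    for raw in config.splitlines():
        line = raw.strip()
        if line.startswith("interface "):
            current_if = line.split(None, 1)[1]
        m = re.match(r"ip route 0\.0\.0\.0 0\.0\.0\.0 (\S+)", line)
        if m:
            findings.append(("high", f"default route to {m.group(1)}: an air-gapped network should have no route out"))
        m = re.match(r"ip address (\S+) \S+", line)
        if m and not is_internal(m.group(1)):
            findings.append(("high", f"{current_if} has non-enclave address {m.group(1)}"))
        if line.startswith("ip nat"):
            findings.append(("medium", f"{current_if or 'global'}: NAT configured ({line})"))
        if line in ("ip http server", "ip http secure-server"):
            findings.append(("low", f"management service enabled: {line}"))
    return findings


if __name__ == "__main__":
    for mac, vlan, port in find_unapproved_devices(OBSERVED_MAC_TABLE, APPROVED_ASSETS):
        print(f"UNAPPROVED DEVICE {mac} on VLAN {vlan} port {port}")
    for severity, message in audit_config(SAMPLE_CONFIG):
        print(f"[{severity.upper()}] {message}")
```

On the sample data the inventory check flags the one MAC on Gi1/0/24 that no approved asset owns, and the configuration audit reports the default route, the externally addressed interface, the NAT statement and the HTTP server. Each is exactly the kind of "one device or one misconfiguration" that silently reconnects an air-gapped network, which is why such checks belong in the regular audit rather than a one-off review.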
How to audit air-gapped networks with Nipper and Nipper Enterprise
Both Nipper and Nipper Enterprise can be used to audit and assure routers, switches and firewalls within air-gapped networks.
Nipper
Nipper is a downloadable application which is installed on a local machine, enabling deployment in air-gapped environments. If that is not possible, all that is needed is a copy of the configurations to be checked, as the configuration assessment methodology does not require direct access to the devices.
Nipper Enterprise
In order to perform passive analysis of device configurations, Nipper Enterprise requires access to a populated and up-to-date CMDB. If no CMDB is available, we can provide one. Or if keeping the CMDB up to date is a challenge, Nipper Enterprise can populate and keep it in sync with the live running configurations of networking devices through its Configuration Collector capability.
This ensures that near-real-time, proactive configuration security and compliance analysis is performed on live, running configurations, even in air-gapped and offline deployments, as it only requires the configurations and not direct access to the devices.
It has flexible deployment options which include:
- On-premises – deployed on a server, either a physical machine or a virtualization platform (e.g. VMware ESXi with an Open Virtual Appliance);
- Virtual Private Cloud (VPC) – deployed using an Amazon Machine Image (AMI);
- Flyaway Kit – installed on a physical or virtual laptop.
For more information on how Nipper solutions can support the security of your air-gapped networks, please visit our product pages.