2017-06-21
Ask Slashdot: Best Way To Isolate a Network And Allow Data Transfer?
Futurepower(R) writes: What is the best way to isolate a network from the internet and prevent intrusion of malware, while allowing carefully examined data transfer from internet-facing computers? An example of complete network isolation could be that each user would have two computers with a KVM switch and a monitor and keyboard, or two monitors and two keyboards. An internet-facing computer could run a very secure version of Linux. Any data to be transferred to that user's computer on the network would perhaps go through several Raspberry Pi computers running Linux; the computers could each use a different method of checking for malware. Windows computers on the isolated network could be updated using Autopatcher, so that there would never be a direct connection with the internet. Why not use virtualization? Virtualization does not provide enough separation; there is the possibility of vulnerabilities. Do you have any ideas about improving the example above?
SneakerNET? (Score:1)
SneakerNET?
Re: SneakerNET? (Score:2)
That's not nearly enough. Malware like Stuxnet shows how far attackers go to breach air gaps and similar forms of isolation. (SneakerNet is one, sometimes weak, form of air gap.)
Re: (Score:1)
You can even spoof a keyboard. May as well call it a day
Re: (Score:2)
Indeed. Any system, even if airgapped, can be penetrated, especially if there are insiders that can be bribed or blackmailed. It all comes down to deciding who you can trust. Do you trust your hardware? Do you trust the people that wrote Linux?
The scenario described in TFA is silly. Using a computer as a firewall does not work as well as using a firewall as a firewall. A computer-as-firewall running a general purpose OS is going to have a much larger attack surface. If you aren't going to airgap, then
Re:Wait... whaaaa? (Score:4, Funny)
Buy a used CDC-6500. Program it via punch cards. Wipe the memory between each job. I'd love to see malware that can attack a punch card deck. And you'd also have to know how to program a CDC-6500.
https://www.geekwire.com/2013/... [geekwire.com]
Re: (Score:1)
An IBM 650 would be a more interesting choice.
Re: (Score:1)
Nah, you didn't have to go there.
My point is that the solution to the author's problem has been available off the shelf for the past couple of decades.
Trying to cobble together something that looks like a firewall from 'secure linux' on Raspberry Pi is just going to set you up for every fail that the industry has run into and solved.
On the other hand, modern commercial firewalls have zones and sftp that satisfy the initial request, but face the same issues of designed-in frailties and owners who do not conf
Re: (Score:3)
I'd love to see malware that can attack a punch card deck.
Did you ever use card decks? It was a common joke to insert malware cards into someone's deck while they were using the restroom. The best counter-measure was to use a marker pen to make a big X on the edges of your deck, so you could visually see if it had been tampered with.
Futurepower(R) (Score:2)
Answer (Score:5, Insightful)
Re: (Score:2)
I was told the only secure computer is one that is never turned on, never connected to a network, and sits in a safe where no one has access to it.
Anything else is just slowing things down, not prevention.
If something can be exploited, it will eventually be exploited. All it will take is a lazy user who thinks the USB stick in his pocket will be OK to use "this once" and be wrong.
Uh? (Score:2)
Really, the manufacturers track threats and release mitigations better than you can, and are built for exactly what you're asking. Daisy-chain ones from different vendors if you're really anal.
Isn't this what Qubes is for? (Score:5, Interesting)
Separates different browser and email tasks into virtualized jails.
https://www.qubes-os.org/ [qubes-os.org]
Kinda like Sandboxie. Speaking of which, sandboxie?
Re: (Score:2)
Yep, and it's almost usable, too. OTOH, Qubes is focused on the workstation. For network-level isolation, it's really hard to beat two firewalls from different manufacturers and code bases back-to-back.
Think Internet--PaloAlto--Sophos UTM--LAN (Substitute any two other unrelated NG firewalls)
Systems on the inside initiate all connections; no reaching in. That means having staging DBs, etc. on the outside that are polled from the inside by transfer routines that parse and validate everything outside of th
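One way to implement the pull-only, validate-everything transfer routine this comment describes, as an added example that is not the poster's code; the schema, field names and staged rows are constructed for illustration:

```python
"""Pull-only import from an untrusted staging area (constructed example).
The inside initiates the poll; nothing outside reaches in. Every record is
checked against an allow-list schema; anything unexpected is quarantined."""
import json
import re
# Allow-list schema: field -> (expected type, value check). A record with any
# other field, a missing field, or a failing check is rejected outright.
_NAME_RE = re.compile(r"^[A-Za-z0-9 ._-]{1,64}$")
SCHEMA = {
    "id": (int, lambda v: 0 < v < 10**9),
    "name": (str, lambda v: bool(_NAME_RE.match(v))),
    "amount": (int, lambda v: -10**6 <= v <= 10**6),
}

def validate_record(raw_line, max_len=512):
    """Parse one staged JSON line. Returns (True, record) or (False, reason)."""
    if len(raw_line) > max_len:
        return False, "oversize line"
    try:
        rec = json.loads(raw_line)
    except ValueError:
        return False, "malformed json"
    if not isinstance(rec, dict) or set(rec) != set(SCHEMA):
        return False, "not an object with exactly the allowed fields"
    for key, (typ, check) in SCHEMA.items():
        val = rec[key]
        # bool is a subclass of int in Python, so reject it explicitly.
        if isinstance(val, bool) or not isinstance(val, typ) or not check(val):
            return False, "bad value for %s" % key
    return True, rec

def pull_and_validate(staging_lines):
    """The inside-initiated poll: accept validated records, quarantine the rest."""
    accepted, quarantine = [], []
    for line in staging_lines:
        ok, result = validate_record(line)
        if ok:
            accepted.append(result)
        else:
            quarantine.append((line, result))  # keep the evidence for review
    return accepted, quarantine

# Constructed staging content: two acceptable rows and three that must fail.
STAGED = [
    '{"id": 1, "name": "invoice 42", "amount": 100}',
    '{"id": 2, "name": "refund_7", "amount": -5}',
    '{"id": 3, "name": "x", "amount": 1, "extra": "not in schema"}',
    '{"id": "4", "name": "y", "amount": 1}',
    '{"id": 5, "name": "a;b", "amount": 1}',
]
```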
uhhh (Score:5, Insightful)
Any data to be transferred to that user's computer on the network would perhaps go through several Raspberry Pi computers running Linux
You are so incredibly out of your depth you don't even know it.
Re: (Score:2)
While he's at it he could increase the speed of this system by splitting connections across multiple ports on the network interface. It's crazy enough to work!
IPX/SPX (Score:5, Funny)
Make the secure network IPX, nobody has seen it in 20 years, any malicious code running on the internet connected side won't even look for it.
I know, security by obscurity...
Also BSD not Linux.
Virtualization (Score:2)
Why use multiple computers? What's the problem with Virtualization? Virtualize the firewall, slap on a tight-ass linux with bare minimums to perform routing/firewalling for the host machine. Works great for me. Very tiny attack surface (SSH at the very most, if even that.)
Using a data diode, and careful controls (Score:2)
If you really care about isolation, like the kind we are talking about for SIPRnet and so on, then you need to use data diodes and controls.
A data diode is a hardware device that only allows transfers in one direction. That way you can make sure that when you are bringing data in to the network, no egress can happen, and such. They are very specialty, and very expensive.
However more important than that is proper controls. That means policies and procedures that are followed rigorously. You have to make sure
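Because the diode this comment describes carries data in one direction only, the receiving side can never acknowledge or request a retransmit. The following added example (not the poster's code) shows sender-side framing and receiver-side verification that work under that constraint; the frame format, chunk size and sample payload are assumptions:

```python
"""Framing for a one-way (data diode) link: constructed example.
No ACK or retransmit request can ever cross back, so the sender repeats
self-describing frames and the receiver verifies and reports gaps itself."""
import hashlib
import json

CHUNK = 4  # tiny chunk size so the sample payload yields several frames

def make_frames(payload, repeat=2):
    """Split payload into frames, each carrying seq, total, and digests."""
    total = (len(payload) + CHUNK - 1) // CHUNK
    whole = hashlib.sha256(payload).hexdigest()
    frames = []
    for seq in range(total):
        piece = payload[seq * CHUNK:(seq + 1) * CHUNK]
        frame = {"seq": seq, "total": total, "whole": whole, "hex": piece.hex(),
                 "sha256": hashlib.sha256(piece).hexdigest()}
        frames.extend([json.dumps(frame)] * repeat)  # redundancy replaces ACKs
    return frames

def receive(frames):
    """Reassemble without replying. Returns (status, payload, missing_seqs)."""
    pieces, total, whole = {}, None, None
    for line in frames:
        try:
            f = json.loads(line)
            piece = bytes.fromhex(f["hex"])
            if hashlib.sha256(piece).hexdigest() != f["sha256"]:
                continue                        # damaged in transit: drop it
            total, whole = int(f["total"]), str(f["whole"])
            pieces.setdefault(int(f["seq"]), piece)  # duplicates are harmless
        except (ValueError, KeyError, TypeError):
            continue                            # malformed frame: drop it
    if total is None:
        return "empty", None, []
    missing = [s for s in range(total) if s not in pieces]
    if missing:
        return "incomplete", None, missing      # can only report, not request
    data = b"".join(pieces[s] for s in range(total))
    if hashlib.sha256(data).hexdigest() != whole:
        return "corrupt", None, []              # whole-file digest mismatch
    return "ok", data, []

if __name__ == "__main__":
    sent = make_frames(b"hello diode")          # 11 bytes -> 3 chunks, 6 frames
    print(receive(sent))                        # ('ok', b'hello diode', [])
```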
You need to explain your purpose (Score:2)
There are many solutions each with its own pros and cons. But without understanding what it is you are doing you are really wasting everyone's time. Go into the details and help us understand the purpose and situation to what it is you wish to achieve and /. will do its best to help you.
Foolishness. (Score:2)
What is the best way to isolate a network from the internet and prevent intrusion of malware, while allowing carefully examined data transfer from internet-facing computers?
Print it out and type it back into the computer you want to transfer it to.
Windows computers on the isolated network...
If you are using Windows then you are forfeiting a major advantage: absolute control of your system. Windows cannot even be trusted to respect its own system settings, let alone be worthy of being trusted. You should be suspicious of software written by corporations because their motive is profit, not security or even user satisfaction.
Dual firewalls (Score:2)
WAN -> Firewall -> Firewall -> LAN. Each firewall from a different company, and some tinkering with the router configuration to make even compromised computers not sure where they are.
Also helps if you use machines with a completely alien architecture to what everyone else is running. Viva la Alpha, MIPS, etc. It's not that you can't attack them, it's just that your custom forged 'PC' is now in the .000000000000001% bracket of commonality with everything else out there. Do you know how much of a ba
Way Way Way too complicated (Score:2)
You need to go much simpler, for a lot of reasons. Humans need to use it. Humans need to choose to use it. Humans need to not go around it.
I think you need to base your solution around a presumed-infected node. I find working with the weeds to be better than trying to design a planter that weeds can't find.
Given "Machine A" as the user's actual workstation, internal, no outside access.
Given "Machine B" as the external-facing node, with whatever internet access you deem necessary, and we'll presume that