2017-06-21
Ask Slashdot: Best Way To Isolate a Network And Allow Data Transfer?
Futurepower(R) writes: What is the best way to isolate a network from the internet and prevent intrusion of malware, while allowing carefully examined data transfer from internet-facing computers? An example of complete network isolation could be that each user would have two computers with a KVM switch and a monitor and keyboard, or two monitors and two keyboards. An internet-facing computer could run a very secure version of Linux. Any data to be transferred to that user's computer on the network would perhaps go through several Raspberry Pi computers running Linux; the computers could each use a different method of checking for malware. Windows computers on the isolated network could be updated using Autopatcher, so that there would never be a direct connection with the internet. Why not use virtualization? Virtualization does not provide enough separation; there is the possibility of vulnerabilities. Do you have any ideas about improving the example above?
SneakerNET? (Score:1)
SneakerNET?
Re: SneakerNET? (Score:2)
That's not nearly enough. Malware like Stuxnet shows how far attackers go to breach air gaps and similar forms of isolation. (SneakerNet is one, sometimes weak, form of air gap.)
Re: (Score:1)
You can even spoof a keyboard. May as well call it a day.
Re: (Score:2)
Indeed. Any system, even if airgapped, can be penetrated, especially if there are insiders that can be bribed or blackmailed. It all comes down to deciding who you can trust. Do you trust your hardware? Do you trust the people that wrote Linux?
The scenario described in TFA is silly. Using a computer as a firewall does not work as well as using a firewall as a firewall. A computer-as-firewall running a general purpose OS is going to have a much larger attack surface. If you aren't going to airgap, then
Re: (Score:2)
Buy a used CDC-6500. Program it via punch cards. Wipe the memory between each job. I'd love to see malware that can attack a punch card deck. And you'd also have to know how to program a CDC-6500.
https://www.geekwire.com/2013/... [geekwire.com]
Futurepower(R) (Score:2)
Answer (Score:4, Insightful)
Re: (Score:2)
I was told the only secure computer is one that is never turned on, never connected to a network, and sits in a safe where no one has access to it.
Anything else is just slowing things down, not prevention.
If something can be exploited, it will eventually be exploited. All it will take is a lazy user who thinks the USB stick in his pocket will be OK to use "this once" and be wrong.
Uh? (Score:2)
Really, the manufacturers track threats and release mitigations better than you can, and are built for exactly what you're asking. Daisy-chain ones from different vendors if you're really anal.
Isn't this what Qubes is for? (Score:3)
Separates different browser and email tasks into virtualized jails.
https://www.qubes-os.org/ [qubes-os.org]
Kinda like Sandboxie. Speaking of which, sandboxie?
uhhh (Score:3)
Any data to be transferred to that user's computer on the network would perhaps go through several Raspberry Pi computers running Linux
You are so incredibly out of your depth you don't even know it.
IPX/SPX (Score:3)
Make the secure network IPX, nobody has seen it in 20 years, any malicious code running on the internet connected side won't even look for it.
I know, security by obscurity...
Also BSD not Linux.
Virtualization (Score:2)
Why use multiple computers? What's the problem with virtualization? Virtualize the firewall, slap on a tight-ass Linux with bare minimums to perform routing/firewalling for the host machine. Works great for me. Very tiny attack surface (SSH at the very most, if even that.)
Using a data diode, and careful controls (Score:2)
If you really care about isolation, like the kind we are talking about for SIPRnet and so on then you need to use data diodes and controls.
A data diode is a hardware device that only allows transfers in one direction. That way you can make sure that when you are bringing data in to the network, no egress can happen, and such. They are very specialty, and very expensive.
However more important than that is proper controls. That means policies and procedures that are followed rigorously. You have to make sure
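An added illustration of the constraint a data diode imposes (example code, not from the poster or any diode vendor): because nothing can travel back across the link, the receiver cannot request a retransmission, so the sender has to send redundantly and the receiver has to verify integrity on its own. The frame format, chunk size and the simulated link below are all constructed for this example.

```python
import hashlib
import json

# Constructed example: the "wire" is a plain list standing in for the one-way
# link. No frame ever travels back, so the sender cannot learn about losses and
# the receiver cannot ask for a retransmission; repetition and a digest are the
# only tools available.

CHUNK_SIZE = 4   # tiny so the example produces several frames
REPEAT = 3       # every frame is sent this many times

def sender_frames(payload, repeat=REPEAT):
    """Split payload into numbered chunks that each carry the whole-file
    SHA-256, and emit every frame `repeat` times."""
    digest = hashlib.sha256(payload).hexdigest()
    chunks = [payload[i:i + CHUNK_SIZE] for i in range(0, len(payload), CHUNK_SIZE)]
    frames = []
    for seq, chunk in enumerate(chunks):
        frame = json.dumps({"seq": seq, "total": len(chunks),
                            "sha256": digest, "data": chunk.hex()}).encode()
        frames.extend([frame] * repeat)
    return frames

def drop_burst(frames, start, length):
    """Simulate a burst loss on the link: frames[start:start+length] vanish."""
    return frames[:start] + frames[start + length:]

def receiver(frames):
    """Reassemble what arrived. Returns (payload, status) where status is
    'ok', 'incomplete' (a chunk never arrived) or 'corrupt' (digest mismatch)."""
    got, total, digest = {}, None, None
    for raw in frames:
        try:
            f = json.loads(raw)
            seq, total, digest = int(f["seq"]), int(f["total"]), f["sha256"]
            data = bytes.fromhex(f["data"])
        except (ValueError, KeyError, TypeError):
            continue                 # malformed frame: ignore rather than crash
        got.setdefault(seq, data)    # duplicates are expected; first copy wins
    if total is None or any(i not in got for i in range(total)):
        return None, "incomplete"
    payload = b"".join(got[i] for i in range(total))
    if hashlib.sha256(payload).hexdigest() != digest:
        return None, "corrupt"
    return payload, "ok"

if __name__ == "__main__":
    frames = sender_frames(b"one-way transfer test")
    print(receiver(drop_burst(frames, 1, 2))[1])  # scattered loss survives: ok
    print(receiver(drop_burst(frames, 0, 3))[1])  # burst eats all 3 copies: incomplete
```

The second case is why real one-way links rely on forward error correction and interleaving rather than plain repetition: a burst longer than the repeat count silently loses a chunk, and the receiver can only report it, never recover it.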
You need to explain your purpose (Score:2)
There are many solutions, each with its own pros and cons. But without understanding what it is you are doing, you are really wasting everyone's time. Go into the details and help us understand the purpose and situation to what it is you wish to achieve, and /. will do its best to help you.