Comment unidirectional gateways (Score 1) 78
We see our customers using a few technologies routinely to update "air gapped" networks, to apply updates from standard sources:
Anti-virus vendors, Microsoft, etc. - no special software is used on the patch/update repository:
(1) If safety is the goal (e.g. power plant control networks, train control systems) people deploy a Waterfall FLIP. The FLIP unidirectionally replicates industrial servers to external networks so corporate users can see the data, and reverses direction on a schedule to pull updates. When oriented out of the network, the FLIP hardware is physically unable to send any signal or attack back into the control system network. The orientation reverses on a schedule, typically only briefly because we don't want to let the corporate replicas fall too far behind the industrial sources. When oriented back into the protected network, the FLIP software reaches out and pulls updates from AV, Microsoft, Linux and other vendors periodically. The software checks crypto / signatures as configured, does virus scans, and pushes good updates into the protected network. The FLIP software on the protected/inside/receiving network repeats the checks and sends clean updates to a WSUS, AV server or other repository on the control system network.
(2) If confidentiality is the goal (e.g. a classified network), deploy a Unidirectional Security Gateway oriented into the protected network. The gateway software automatically pulls updates as above and sends them through the gateway hardware into the protected network. Nothing ever gets out - the gateway hardware prevents any signal or message from ever reaching the external network / Internet.
We see a lot of people doing manual updates as well. A Unidirectional Gateway replicates servers from a safety-critical or reliability-critical control system network out into corporate. When updates of the control system are needed, those updates are pulled manually from whatever website and crypto signatures and other authentications are checked manually on a corporate workstation, and approved updates are written to removable media. The most cautious customers use CD-ROM instead of USB, because of the CPUs and hackable firmware embedded in all USB gear. They carry the media to a workstation on an isolated "cleansing" network. They scan it again with anti-virus, and again check crypto signatures & hashes. They burn a copy to brand new media, throwing the old one away. They carry the new CD/media into a dedicated control system test network. They install and test the update. When it passes test, they carry the update to the live control system network.
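Added example, not part of the comment above and not vendor code: one way the "cleansing" workstation's repeat hash check could be scripted before a fresh copy is burned. It assumes the approved SHA-256 digests were recorded in a sha256sum-style manifest on the corporate workstation and that vendor signature checks and anti-virus scans are done separately; the function names and manifest format are hypothetical.

```python
# Added example: manifest format and function names are assumptions.
import hashlib
import hmac
import shutil
from pathlib import Path

def sha256_file(path: Path) -> str:
    """Hash a file in 1 MiB chunks so large update packages fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()

def parse_manifest(text: str) -> dict[str, str]:
    """Parse sha256sum-style lines: '<hex digest>  <relative path>'."""
    approved = {}
    for line in text.splitlines():
        if line.strip():
            digest, name = line.split(maxsplit=1)
            approved[name.strip().lstrip("*")] = digest.lower()
    return approved

def check_media(media: Path, approved: dict[str, str]) -> list[str]:
    """Return a list of problems; an empty list means media matches the manifest."""
    problems = []
    found = {p.relative_to(media).as_posix(): p
             for p in media.rglob("*") if p.is_file()}
    for name in sorted(approved.keys() - found.keys()):
        problems.append(f"missing: {name}")
    # Anything on the media that was never approved blocks the transfer.
    for name in sorted(found.keys() - approved.keys()):
        problems.append(f"unapproved file: {name}")
    for name in sorted(approved.keys() & found.keys()):
        if not hmac.compare_digest(sha256_file(found[name]), approved[name]):
            problems.append(f"hash mismatch: {name}")
    return problems

def stage_for_burn(media: Path, staging: Path, approved: dict[str, str]) -> list[str]:
    """Copy files to an empty staging dir only if media is clean, then re-check the copy."""
    problems = check_media(media, approved)
    if problems:
        return problems  # nothing is copied from suspect media
    for name in approved:
        dest = staging / name
        dest.parent.mkdir(parents=True, exist_ok=True)
        shutil.copyfile(media / name, dest)
    return check_media(staging, approved)
```

The staging directory is what gets burned to the brand new media; a non-empty result from either function means the old media is discarded and nothing moves on to the test network.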