MFA Protection for Air-Gapped Networks

The recent cyberattacks launched as part the Russia-Ukraine warfare have reawakened concerns about the security of air gapped networks, particularly regarding identity protection. Air gapping is implemented to reduce the attack surface of a highly sensitive network, such as the ones found in nations’ critical infrastructure, military and governmental environments, and manufacturing shop floors. These types of networks are likely to be targeted by threat actors, a likelihood that serves as an alternative expression of hostility while refraining from conventional warfare. In this article, we explore how the Silverfort Unified Identity Protection platform enforces secure authentication within air gapped environments by enabling the use of FIDO2 hardware tokens for MFA without agents, code modification, or authentication infrastructure changes. In this manner, Silverfort provides these networks real-time protection against lateral movement and automated malware propagation.

What is an Air-Gapped Network?

Air-gapped networks are computer networks with no interfaces connected to the outer world. This is obviously a drastic measure so the approach is typically only used by highly sensitive organizations that require maximum levels of security.

Air-gapped networks are production environments where the machines comprising the environment have no outward-facing connection either directly to the Internet or indirectly to an outbound-facing internal network. Networks become air-gapped to reduce their attack surface and increases their resilience to cyberattacks.

Some prominent examples of air-gapped networks include various national security actors such as defense, governments and military bodies, as well as critical infrastructure entities that provide energy, water utilities and other enabling services.  Organizations of these types strive to segregate their most sensitive network segments entirely, so they are cut off from any internet connections.

Air-Gapped Networks are Still Exposed to Malicious Infiltration

While this approach makes sense in theory, in practice there are various constraints that make full air-gapping a nearly impossible task. What usually happens is that a certain degree of connectivity to the outside world is still maintained, regardless of all initial intentions, mostly due to operational reasons: operators who need to transfer external files into the network, software updates, remote technical support are a just a few common examples.  At the end of the day all this adds up to an inherent inability to implement a true 100% air-gapped architecture.  The Stuxnet malware, which was initially introduced into air-gapped networks using infected removable drives such as USB flash drives, should be a constant reminder that initial access to an air-gapped network remains possible.

Lateral Movement in Air-Gapped Networks

Once attackers have established an initial foothold in the air-gapped network, they can follow up with lateral movement, using stolen passwords and credentials to expand presence and increase the attack impact. In 2017, the infamous NotPetya attack performed such lateral movement in both standard IT networks as well as air-gapped OT networks.

So, air gapping by itself cannot vouch for the ironclad protection its name implies. It might have been possible way in the past, but in today’s hyperconnected IT environment, it’s simply impractical. This calls for re-evaluation of how such networks should be best protected, both from initial malicious access, as well as from lateral movement in a post-compromise phase.

What Restraints Make Air-Gapped Network Protection a Challenge?

Air-gapped networks cannot be easily protected with standard security solutions.

First and foremost, any solution that relies on cloud connectivity or internet connectivity cannot be used.

Second, a main feature of air-gapped networks is their commitment to 24x7x365 operational stability.  For example, this means that it’s impossible to reboot them after a software install or patch is applied. In many cases, these networks also employ other proprietary systems that are under strict vendor warranty terms that don’t allow installation of 3rd party software on the servers. Also, you can often find legacy systems that are still active in these networks, even if manufacturer support no longer exists. This rules out any type of agent-based solution.

And third, the nature of these networks increases their sensitivity for operational disruption caused by false positives or the breaking of critical processes while blocking malicious activity. All of these considerations significantly narrow the scope of optional security products that can be used in air-gapped networks.

Requirements for Multi-factor Authentication in Air-Gapped Networks

Overcoming the Built-In Security Restraints

Multi-Factor Authentication (MFA) is the ultimate solution against attacks that utilize compromised credentials to access targeted resources such as account takeovers and lateral movement. However, to be effective in an air-gapped network, an MFA solution must meet several criteria, per the constraints we’ve described above:

• Is able to fully function without relying on internet connectivity
• Does not require the deployment of agents on the machines it protects
• Creates minimal disruptions and does not endanger the stability and availability of sensitive systems and processes

Hardware Token Support

In addition, the common practice in air-gapped networks is to use physical hardware security tokens in place of the standard mobile devices that require internet connectivity. This consideration adds another requirement:

• Be able to utilize a hardware token to provide the second authentication factor.

FIDO2 is the preferred standard for hard tokens and is considered resilient to both advanced and traditional phishing attacks.

However, FIDO2 tokens can be used only with webauthN or U2F authentication protocols. If the systems within the air-gapped network weren’t designed initially to work with these protocols, it would be extremely difficult to perform the required alteration (see above on 24/7/365 availability). As a result, the last requirement is not easily satisfied, leaving many air-gapped networks exposed to attacks.

Silverfort Secure Authentication for Air-Gapped Networks

Our mission at Silverfort is to extend secure authentication to all users, access interfaces and resources. We have succeeded in applying MFA protection to resources that could have never been protected in this manner before, such as IT infrastructure, file shares, databases, IIOT, and even OT systems like HMIs and production servers.

Aligning with this vision, Silverfort also provides agentless MFA protection for air-gapped networks, enabling the use of FIDO2 hardware tokens without any code changes on the protected systems:

1. A Dedicated  Deployment Mode Agnostic to Internet Connectivity: Silverfort offers a full on-prem deployment mode. In this mode, Silverfort is deployed as a Virtual Appliance on-premises, with full functionalities available. Note that Silverfort also offers a SaaS-based deployment option and a hybrid on-premise-SaaS deployment option.
2. Agentless Architecture with No Code Changes Required: Silverfort’s unique innovative architecture allows organizations to extend Multi-Factor Authentication to any system or resource, without installation of agents on the protected machines, and without requiring any code customization or any alteration of the authentication protocols.
3. FIDO2 Compliant Hardware Tokens: Silverfort enables organizations to choose their authenticator in the air-gapped environments, including all FIDO2 hardware tokens.

The most popular implementation within our customers’ ecosystem is our integration with YubiKey tokens. This seamless integration bridges the gap between the modern FIDO2 tokens and your existing authentication infrastructure to provide comprehensive MFA protection to the air-gapped network.

Conclusion

Air-gapping is a sound security strategy —but one must acknowledge both its gaps and implications on the security products you can use. Silverfort’s MFA enables you to enforce secure authentication and validate the identity of users in air-gapped networks, ensuring they are protected against identity-based attacks.