Jun 18, 2020

Secure Authentication in Air-Gapped Networks? Yes, It Can Be Done!

By Ron Rasin and Revital Aronis

What’s An Air-Gapped Network?

Air-gapped networks are computer networks that don’t have any interfaces connected to the outside world. This is obviously a drastic measure, so the approach is typically used only by highly sensitive organizations that require the maximum level of security.

Examples of organizations that run air-gapped networks include critical infrastructure companies, such as power, energy and water utilities, and organizations dealing with different levels of top secret systems and data, like defense contractors, government agencies, and military branches. Traditionally, these organizations segregate their most sensitive network segments entirely, and they are—at least, in theory—cut off from any internet connections.

The Less-Than Secure Reality of Air-Gapped Networks

The construct works well on paper, but the reality is that these networks are not nearly as cut off as many operators think. In most cases, some connectivity to the outside world is required. Operators may need to transfer external files into the network. For example, software updates can be transferred into the air-gapped network using a USB drive and remote vendor support may also be required from time to time. All this means that inherently, the network is no longer entirely cut off from the outside. We are all familiar with the example of the Stuxnet malware which was initially introduced into air-gapped networks using infected removable drives such as USB flash drives.

This Also Means Air-Gapped Networks Can be Infiltrated.

Once inside, attackers can start moving laterally in the network, using stolen passwords and credentials to make their way deep inside these critical networks. For example, 2017’s NotPetya attack made use of the incredibly powerful Mimikatz tool to propagate not only in internet-facing IT networks, but also in air-gapped OT networks.

The truth is that air-gapped networks are nowhere near as secure as they are made out to be. While in the past, it might have been a sound approach, modern threats along with modern practices mean that air-gapped networks don’t provide airtight security, leaving your network exposed to threats.

The Challenges of Securing Air-Gapped Networks

Considering what’s at stake, sensitive organizations need—NEED!—to ensure air-gapped networks are actually protected not only from the outside world, but also against someone who has managed to gain a foothold inside the network.

Problem is, that’s no simple task.

A lot of air-gapped networks have highly sensitive systems that must remain stable and available 24x7x365 and it’s impossible to reboot them after a software install or after a patch is applied. Other proprietary systems are under strict vendor warranty terms that don’t allow any 3rd party software installation on the servers. Also, you can often find legacy systems that are still active in these networks, even though they are no longer supported by their manufacturers. This typically means that they aren’t supported by security vendors either. As a result, deploying software agents to secure systems in air-gapped networks is often not a realistic possibility.

The stability and availability requirements of these environments also require organizations to consider how disruptive a security control will be. If a security control generates too many false-positive alerts, or worse, blocks legitimate processes, it becomes too disruptive. Multi-Factor Authentication (MFA) solutions have an advantage here because they don’t offer just a binary option – to allow or block access. MFA gives users the ability to confirm legitimate access requests by themselves, without involving the helpdesk or the SOC, therefore reducing the occurrence of false-positive alerts, streamlining processes and minimizing disruptions.

Finally, many security solutions these days—and this is especially true for modern authentication solutions—rely on web connectivity. Obviously, such a requirement makes these solutions unsuitable for these networks. So in the end, this leaves very few options for securing air-gapped networks, and most of these environments are not properly protected.

Requirements for Secure Authentication in Air-Gapped Networks

As we explained, while Multi-Factor Authentication (MFA) is a crucial security control that can prevent unauthorized access, air-gapped networks have strict requirements that must be met.

Air-gapped networks require solutions that:

  • Work without an internet connection.
  • Are agentless and do not require code changes, since it’s often impossible to deploy agents or change the code of many high-availability systems, solutions by 3rd party vendors, or legacy systems.
  • Create minimal disruptions and do not compromise the stability and availability of sensitive systems and processes.
  • And here’s a requirement we haven’t discussed so far: secure authentication solutions for air-gapped networks must offer a hardware token, which is considered more secure and can be used in locations where the use of personal phones is not permitted.

Due to security concerns and lack of connectivity, air-gapped networks use physical hardware security tokens in place of mobile devices. FIDO2 tokens are considered more secure than legacy One Time Password (OTP) tokens, which can be stolen or lost and are vulnerable to nasty man-in-the-middle attacks. This is why FIDO2 is the preferred standard for hard tokens and is considered unphishable, preventing cutting-edge, as well as traditional, phishing attacks.

But FIDO2 tokens are inherently limited. Here’s the thing—they require the protected applications to adopt the WebAuthn or U2F protocols in order to function with these tokens. The glaring problem? It’s very difficult, if not impossible, to change systems to adopt these protocols, so very few applications can work with them.
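The difference between a relayable OTP and an origin-bound FIDO2 assertion, and the checks an application has to implement to accept one, sketched as an added example (not code from Silverfort or the original post). The origins, keys and challenge are constructed, and HMAC stands in for the authenticator's per-credential asymmetric signature.

```python
import base64, hashlib, hmac, json, struct

RP_ORIGIN = "https://hmi.plant.example"    # constructed relying-party origin
LOOKALIKE = "https://hmi-plant.example"    # constructed look-alike origin

def totp(secret, now, step=30, digits=6):
    """RFC 6238 TOTP over HMAC-SHA1."""
    mac = hmac.new(secret, struct.pack(">Q", int(now // step)), hashlib.sha1).digest()
    off = mac[-1] & 0x0F
    num = struct.unpack(">I", mac[off:off + 4])[0] & 0x7FFFFFFF
    return str(num % 10 ** digits).zfill(digits)

def otp_server_accepts(secret, code, now):
    # The verifier sees only the digits; where they were typed is invisible to it.
    return hmac.compare_digest(totp(secret, now), code)

def _b64u(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def _sign(cred_key, client_data):
    # Stand-in (assumption): real FIDO2 authenticators sign with a per-credential
    # private key; HMAC keeps this sketch inside the standard library.
    return hmac.new(cred_key, hashlib.sha256(client_data).digest(), hashlib.sha256).digest()

def client_assertion(cred_key, challenge, origin_in_browser):
    # The browser, not the user, writes the origin into the signed client data.
    client_data = json.dumps({"type": "webauthn.get", "challenge": _b64u(challenge),
                              "origin": origin_in_browser}).encode()
    return client_data, _sign(cred_key, client_data)

def rp_accepts(cred_key, challenge, client_data, signature):
    if not hmac.compare_digest(_sign(cred_key, client_data), signature):
        return False                       # client data altered after signing
    data = json.loads(client_data)
    return (data.get("type") == "webauthn.get"
            and data.get("challenge") == _b64u(challenge)
            and data.get("origin") == RP_ORIGIN)

def demo():
    secret, key, chal, now = b"constructed-otp-seed", b"constructed-cred-key", b"\x01" * 32, 1_592_438_400
    relayed_code = totp(secret, now)       # same digits wherever they were entered
    good = client_assertion(key, chal, RP_ORIGIN)
    phished = client_assertion(key, chal, LOOKALIKE)
    forged = (phished[0].replace(LOOKALIKE.encode(), RP_ORIGIN.encode()), phished[1])
    return {"otp_relayed": otp_server_accepts(secret, relayed_code, now),
            "fido_genuine": rp_accepts(key, chal, *good),
            "fido_lookalike": rp_accepts(key, chal, *phished),
            "fido_rewritten": rp_accepts(key, chal, *forged)}

if __name__ == "__main__":
    print(demo())
```

The OTP verifier accepts the code regardless of the page it was typed into, while the assertion is rejected both when it was produced on the look-alike origin and when that origin is rewritten after signing.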

As a result, today very few systems in air-gapped networks are properly protected.

Extending Secure Authentication to Air-Gapped Networks with Silverfort

At Silverfort, we have, since our start, been helping organizations of all types protect assets long thought of as unprotectable, such as IT infrastructure, file shares, databases, IIoT, and even OT systems like HMIs and production servers. We recently extended that support to enable secure authentication in air-gapped networks, allowing a full on-premises deployment that doesn’t need internet connectivity, doesn’t require software agents on protected servers or code changes to protected systems, and offers FIDO2 hardware tokens:

  1. A New Deployment Mode That Can Operate Without Internet Connectivity: Starting with version 3.0, Silverfort offers a full on-premises deployment mode. In this deployment mode, Silverfort is deployed as a Virtual Appliance on-premises, and provides all the functionality, without calling any external functions. Note that Silverfort also offers a SaaS-based deployment option and a hybrid on-premises-SaaS deployment option.
  2. Agentless Architecture, No Code Changes Required: Silverfort’s unique innovative architecture allows organizations to extend Multi-Factor Authentication to any system or resource, without requiring any software agents on the protected servers, and without requiring any code customization or implementation of new authentication protocols.
  3. Offering FIDO2 Compliant Hardware Tokens: Silverfort enables organizations to select the authenticator to be used in air-gapped environments with a flexible integration that supports all FIDO2 hardware tokens.

Many of our customers choose to leverage our integration with YubiKey tokens. With this integration, Silverfort now seamlessly bridges the gap between the modern FIDO2 tokens and your existing infrastructure, allowing you to use these highly secure tokens without changing your existing infrastructure or applications.

Now air-gapped networks can add MFA to protect their systems with no changes to the network system, no SDK, no agents, and no proxies. And not only can it validate user identities, but it also prevents lateral movement, should attackers make their way inside.

Conclusion

In highly sensitive organizations, air-gapping may be the right security choice—but only when you acknowledge and make up for the inherent weaknesses in these environments. With Silverfort’s Agentless Authentication Platform, you can enforce secure authentication to validate the identity of users in air-gapped networks and add a compensating security control, continuously securing access to your most sensitive assets.

 

Ron Rasin, VP Product Management, Silverfort

Ron leads Silverfort’s product management and roadmap. He brings over a decade of hands-on product management experience and cyber security expertise.
Prior to joining Silverfort, Ron was the Director of Product Management at Claroty, and held product management roles at Wix and NCR.
Before that, Ron served as a Team Leader at the 8200 elite cyber unit of the Israel Defense Forces. Ron holds a B.A. in Economics from Tel Aviv University.

Revital Aronis, Sr. Product Manager, Silverfort

Revital is a Senior Product Manager in Silverfort’s PM department. Prior to joining Silverfort, Revital was a product manager at illusive networks, and held different R&D positions at Contextream and HPE. Before that, Revital served as a team leader at the 8200 elite cyber unit of the Israel Defense Forces. Revital holds a B.A. in Computer Science and Psychology from Tel Aviv University.