An air-gapped network is an internal computer network that is completely isolated from the public Internet, with no inbound or outbound traffic at all. Typically, the reasons are either physical security or high data confidentiality requirements. Some prominent examples of air-gapped networks include various national security actors such as defense, government, and military bodies, as well as critical infrastructure entities that provide energy, water utilities, and other enabling services.
Organizations of these types strive to segregate their most sensitive network segments entirely, so they are cut off from any internet connection. The notion behind air-gapping a network is to reduce its attack surface to the bare minimum and ensure that no malicious traffic makes its way inside. It should be noted, however, that due to today’s increased connectivity, there are very few networks that are truly 100% gapped with no interaction at all. The more common reality is a ‘mostly air-gapped’ network that maintains highly controlled external connections for software updates, third-party contractor access, etc.
While an air-gapped network’s attack surface is indeed reduced, that doesn’t make it immune to cyberattacks. Moreover, while air gapping makes an attacker’s initial access much harder, it has no effect on the network’s resilience to post-compromise actions such as lateral movement and subsequent malware execution.
In fact, its segregation from external sources such as threat intelligence feeds or a centralized cloud threat-analysis service makes an air-gapped network more vulnerable than a regular one to such attacks.
The most pressing security issue within an air-gapped network is malicious access to its computers and servers. Such access can be carried out directly by a malicious insider or through lateral movement. Either way, defending against such a scenario requires hardening the authentication requirements to more than merely a username and password. But how can you employ an MFA solution if there is no outbound connectivity?
The common practice for air-gapped networks to overcome this barrier is to use physical hardware security tokens in place of the standard mobile devices that require internet connectivity.
This consideration adds a further requirement: the hardware tokens should be resilient to both advanced and traditional phishing attacks, which makes FIDO2 the preferred standard for them. However, FIDO2 doesn’t natively fit into many networks that weren’t designed to work with the specific protocols it supports, leaving them outside the scope of this protection. Learn how Silverfort solves this problem.
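As an added illustration, not code from Silverfort or from the original page, of why a FIDO2 hardware token works with no outbound connectivity and resists phishing: a simplified, assumed WebAuthn assertion exchange in Go, in which the relying party verifies the login with nothing but the public key it stored at enrolment. The RP ID `vault.internal`, the look-alike origin, the key pair and the challenge are constructed; real WebAuthn details such as CBOR/COSE encoding, attestation and sign-counter tracking are omitted.

```go
package main
import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
)
// clientData mirrors WebAuthn collectedClientData; the browser, not the page, fills in Origin.
type clientData struct{ Type, Challenge, Origin string }
// signedMessage is what the token signs: authData || sha256(clientDataJSON).
func signedMessage(authData, cdJSON []byte) []byte {
	cdHash := sha256.Sum256(cdJSON)
	return append(append([]byte{}, authData...), cdHash[:]...)
}
// tokenAssert simulates browser + hardware token on a page served from origin (assumed https, no
// port). The credential is scoped to that host (the RP ID), so a look-alike domain changes both
// rpIdHash and Origin inside the data the token signs, and the RP rejects it offline.
func tokenAssert(priv ed25519.PrivateKey, origin, challenge string) (authData, cdJSON, sig []byte) {
	rpIDHash := sha256.Sum256([]byte(strings.TrimPrefix(origin, "https://")))
	authData = append(rpIDHash[:], 0x01, 0, 0, 0, 1) // flags (user present) + 4-byte sign counter
	cdJSON, _ = json.Marshal(clientData{"webauthn.get", challenge, origin})
	return authData, cdJSON, ed25519.Sign(priv, signedMessage(authData, cdJSON))
}
// VerifyAssertion is the relying party's check, done entirely with the locally stored public key.
func VerifyAssertion(pub ed25519.PublicKey, rpID, challenge string, authData, cdJSON, sig []byte) error {
	var cd clientData
	want := sha256.Sum256([]byte(rpID))
	switch { // cases are evaluated in order, so cd is parsed before it is read
	case json.Unmarshal(cdJSON, &cd) != nil:
		return errors.New("malformed clientDataJSON")
	case cd.Type != "webauthn.get" || cd.Challenge != challenge:
		return errors.New("stale or foreign challenge")
	case cd.Origin != "https://"+rpID:
		return errors.New("origin mismatch: assertion was made for another site")
	case len(authData) < 37 || string(authData[:32]) != string(want[:]):
		return errors.New("rpIdHash mismatch: credential is not scoped to this RP")
	case !ed25519.Verify(pub, signedMessage(authData, cdJSON), sig):
		return errors.New("bad signature")
	}
	return nil
}
func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader) // constructed enrolment key pair
	for _, origin := range []string{"https://vault.internal", "https://vault-internal.example"} {
		ad, cd, sig := tokenAssert(priv, origin, "constructed-challenge-123")
		fmt.Println(origin, "->", VerifyAssertion(pub, "vault.internal", "constructed-challenge-123", ad, cd, sig))
	}
}
```

The second origin fails verification with an origin mismatch even though the same enrolled token produced the signature, which is the property that makes FIDO2 phishing-resistant without any call-out from the network.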
Although it’s not impossible to hack an air-gapped network, it’s much more difficult and less likely to be successfully hacked than a network that is connected to the internet or other external networks.
With the increasing sophistication of attackers, it’s important for organizations that use air-gapped networks to have a robust security strategy in place to detect and respond to any potential breaches.
There are several methods that can be used to breach an air-gapped network, such as:
The main advantage of an air-gapped network is that it is much more difficult and less likely to be successfully hacked than a network that is connected to the internet or other external networks.
Some of the advantages of air-gapped networks include: