this post was submitted on 09 Oct 2024
211 points (97.3% liked)

Technology
[–] [email protected] 13 points 1 month ago (9 children)

Is this mitigated by blocking mass storage devices on all devices on the air-gapped network? Seems like the minimum you would want to do on a network important enough to air gap.

[–] [email protected] 9 points 1 month ago (8 children)

Depends. If you need updates for the software used in the air-gapped network you won't have a lot of options. Burning CDs doesn't sound so crazy all of a sudden though...

[–] [email protected] 14 points 1 month ago

Having worked in classified areas, both as an admin and an unprivileged user, CDs were normally the method of transferring data up the network. (Transferring down rarely occurred, and even then you’d be limited to plaintext files or printouts.)

I’ve seen more places use data diodes to perform one- or two-way transfers so that requests can be streamlined and there’s no loose media to worry about tracking. It’s not super fast and higher speeds mean more expensive equipment, but it covers 98% of software update needs, and most non-admin file transfers were under 20MB anyways.

Anything that did require a USB drive, like special test equipment (STE) or BIOS updates, had to use a FIPS 140-1 approved drive that offered a read-only mode via PIN. This drive could only be written to from a specific workstation that was isolated from the rest of the machines (where data was transferred via CDs of course) and required two persons to perform the job to ensure accountability.

Not the most time-efficient way of doing things, and not completely bulletproof, but it works well enough to keep things moving forward.
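The import side of the workflow the comment above describes (a staging workstation writes the media, a second party signs off, only small files of known types cross, and nothing is trusted until it has been checked on the high side) can be made mechanical. The following is an added example written for this page, not code from the thread or from any real cross-domain product. It assumes a bundle layout of its own invention: the payload files, a `MANIFEST.txt` with one `<sha256>  <size>  <name>` line per file, and two detached approval tags `MANIFEST.sig1` / `MANIFEST.sig2`, each an HMAC-SHA256 over the manifest under a key held by a different approver, standing in for the two-person rule. The 20 MB cap comes from the comment; the file-type allowlist, the approver keys and the sample files are constructed for the demo.

```python
"""Import gate for a one-way transfer (CD or data diode) into an isolated network.

Added example for this page, not from the thread. Bundle layout, approver
keys and sample files are all assumptions constructed for the demonstration.
"""
import hashlib
import hmac
import tempfile
from pathlib import Path

MAX_FILE_BYTES = 20 * 1024 * 1024          # from the comment: most transfers < 20 MB
ALLOWED_SUFFIXES = {".txt", ".csv", ".pdf", ".rpm", ".msi", ".zip"}  # assumed allowlist

# Two separate approver keys: neither party alone can produce a valid bundle.
# (Demo values; in practice each key lives only on that approver's token.)
KEY_A = b"approver-a-demo-key"
KEY_B = b"approver-b-demo-key"


def sha256_file(path):
    """Stream a file through SHA-256 so large update media does not land in RAM."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def parse_manifest(text):
    """Lines of '<sha256>  <size>  <name>'; names may contain spaces."""
    entries = []
    for line in text.splitlines():
        if not line.strip():
            continue
        digest, size, name = line.split(maxsplit=2)
        entries.append((digest.lower(), int(size), name))
    return entries


def check_bundle(bundle_dir, approver_keys):
    """Return a list of findings; an empty list means the bundle may be imported."""
    bundle = Path(bundle_dir)
    findings = []
    manifest_path = bundle / "MANIFEST.txt"
    if not manifest_path.exists():
        return ["manifest missing"]
    manifest_bytes = manifest_path.read_bytes()

    # Two-person rule: every approver must have tagged this exact manifest.
    for i, key in enumerate(approver_keys, start=1):
        sig_path = bundle / f"MANIFEST.sig{i}"
        expected = hmac.new(key, manifest_bytes, hashlib.sha256).hexdigest()
        actual = sig_path.read_text().strip() if sig_path.exists() else ""
        if not hmac.compare_digest(expected, actual):
            findings.append(f"approval {i} missing or invalid")

    entries = parse_manifest(manifest_bytes.decode())
    listed = {name for _, _, name in entries}

    # Anything on the media that the approvers did not list is rejected outright.
    for p in bundle.rglob("*"):
        if p.is_file():
            rel = p.relative_to(bundle).as_posix()
            if rel not in listed and not rel.startswith("MANIFEST."):
                findings.append(f"unlisted file: {rel}")

    for digest, size, name in entries:
        rel = Path(name)
        if rel.is_absolute() or ".." in rel.parts:
            findings.append(f"path traversal in manifest: {name}")
            continue
        path = bundle / rel
        if not path.is_file():
            findings.append(f"listed file missing: {name}")
            continue
        if rel.suffix.lower() not in ALLOWED_SUFFIXES:
            findings.append(f"file type not allowed: {name}")
        if size > MAX_FILE_BYTES or path.stat().st_size != size:
            findings.append(f"size mismatch or over cap: {name}")
        if not hmac.compare_digest(sha256_file(path), digest):
            findings.append(f"hash mismatch: {name}")
    return findings


def write_bundle(bundle_dir, files, approver_keys):
    """Low-side staging step: write the files, the manifest and both approval tags."""
    bundle = Path(bundle_dir)
    lines = []
    for name, data in files.items():
        (bundle / name).write_bytes(data)
        lines.append(f"{hashlib.sha256(data).hexdigest()}  {len(data)}  {name}")
    manifest = ("\n".join(lines) + "\n").encode()
    (bundle / "MANIFEST.txt").write_bytes(manifest)
    for i, key in enumerate(approver_keys, start=1):
        tag = hmac.new(key, manifest, hashlib.sha256).hexdigest()
        (bundle / f"MANIFEST.sig{i}").write_text(tag)


def demo(tamper=False):
    """Build a constructed sample bundle and run the gate over it.

    With tamper=True the payload is swapped after signing (same size, so only
    the hash check catches it) and the second approval is dropped.
    """
    d = tempfile.mkdtemp()
    files = {"update.zip": b"PK\x03\x04 fake vendor patch bytes",   # constructed
             "readme.txt": b"install notes\n"}
    write_bundle(d, files, [KEY_A, KEY_B])
    if tamper:
        (Path(d) / "update.zip").write_bytes(b"PK\x03\x04 something else entirely")
        (Path(d) / "MANIFEST.sig2").unlink()
    return check_bundle(d, [KEY_A, KEY_B])


if __name__ == "__main__":
    print("clean bundle:   ", demo() or "OK to import")
    print("tampered bundle:", demo(tamper=True))
```

The gate deliberately reports every finding rather than stopping at the first, so an operator can see whether a rejected bundle is a staging mistake (one missing approval) or something that should start an investigation (a listed file whose hash no longer matches what both approvers signed). The same check runs unchanged whether the bundle arrived on a CD or came through a diode, which is the point: the transport is untrusted either way.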
