Zero Trust Air Gap Lockdown Inbound and Outbound
Air Gaps are a useful tactic as part of a defense in depth strategy. However, they are inconvenient and inefficient. Is this trade-off between security and convenience a false choice? Learn how a Zero Trust Air Gap Lockdown can provide convenience and security together. Explore the challenges associated with fine-grained lockdown of the inbound path and of the outbound path.
Defense in depth is about layers. Protect at each level. Assume a breach has occurred. Buy time and observability. Do not put all your defenses in a single location such as a firewall or a VPN. Zero Trust is the concept of using authenticated identity to drive authorisation on a fine-grained basis, between a single, non-shared user and a single resource. If each network transaction, regardless of direction, is initiated by a known, allowed actor, to a known, allowed destination, performing an allowed action, and if no other network transactions are allowed, this is the ultimate in network security.
An Air Gap is a method of ensuring no network transactions occur. Technically this achieves the objectives of Zero Trust (by allowing nothing). However, once achieved, this objective is inefficient in human capital, requiring physical access to all resources to perform needed operations. This in turn can actually reduce security (prop the door open, introduce a backdoor such as an Ewon or other cellular modem). The human desire for efficiency in work often defeats the goals of the organisation. A better solution is a Zero Trust Air Gap Lockdown: achieve the security objectives (and more) of the Air Gap with the convenience of remote usage.
To implement this network security model, you must be able to control both directions of traffic. Restricting outbound traffic is important because it makes life harder for an attacker who has some other, out-of-band means of getting in. For example, assume that a staff member finds a USB flash drive and brings it into the secure enclave. This might introduce malware that must then turn around and make an outbound connection to a command-and-control server to activate. By blocking the outbound direction, we prevent the malware from activating, giving the organisation time to detect and remediate.
One of the challenges when implementing a full outbound firewall block is that it can break certificate verification. This is a complex topic: certificates need proper time synchronisation as well as the ability to fetch a Certificate Revocation List (CRL) or query an Online Certificate Status Protocol (OCSP) responder. However, enabling these outbound can be a challenge. The Agilicus AnyX platform has a simple means of configuring outbound ONLY to our platform while, at the same time, allowing certificate verification and revocation to operate. See “Locked-Down Networks Certificate Revocation” for more information. Any Zero Trust Air Gap Lockdown solution must allow certificate verification to be performed; otherwise it becomes prone to an Attacker In The Middle attack vector.
A common challenge on the inbound path is the complexity of mapping identity and application onto layer-3 and layer-4 (IP and port) coordinates. Applications might use a Content Delivery Network, with unknowable IP addresses. They might use port ranges. They may have multiple modes of operation on a single IP and port. Source IP, although commonly used, is a poor approximation of identity. A true Zero Trust system must use common single-sign-on identity attestation and authentication, including multi-factor, not mere IP address. Common firewalls are incapable of operating in this mode and become simple DMZ or port-forward setups. A Swiss Cheese, if you will. A Zero Trust Air Gap Lockdown must be able to use per-person identity, not shared accounts. Any Zero Trust Air Gap Lockdown must be capable of acting on individual applications and on transactions within them (e.g. admin versus viewer, write files versus read files).
Agilicus AnyX can be used to implement a Zero Trust Air Gap Lockdown solution, for both the inbound and the outbound direction. Agilicus recommends using the host firewall, or a directly attached layer 3/4 firewall, to block all but the Agilicus fixed, well-known IP in both the inbound and outbound direction. In this fashion malware has nowhere to go: the outbound path is blocked. Similarly, attackers have no way to come in: they must provide authenticated identity attestation and then pass authorisation checks.
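As an added illustration of the host-firewall recommendation above (example code written for this page, not Agilicus-supplied configuration), the following shell function emits an nftables ruleset that drops everything in both directions except one outbound HTTPS session to the platform address. `PLATFORM_IP` is a placeholder from a documentation range and must be replaced with the real fixed, well-known IP; the `lockdown_ruleset` and `new_outbound_accepts` function names are this example's own.

```shell
#!/bin/sh
# Added example (not Agilicus code): generate a "block all but the platform IP,
# both directions" nftables ruleset for a Critical Resource Server host firewall.
# PLATFORM_IP is a placeholder (TEST-NET-3); substitute the platform's fixed IP.
PLATFORM_IP="${PLATFORM_IP:-203.0.113.10}"
PLATFORM_PORT="${PLATFORM_PORT:-443}"

lockdown_ruleset() {
  cat <<EOF
#!/usr/sbin/nft -f
flush ruleset
table inet lockdown {
  chain input {
    type filter hook input priority 0; policy drop;
    iif "lo" accept
    ct state established,related accept
    ct state invalid drop
    # No other inbound rule: the connector only dials out, so replies to
    # its own session are the only inbound packets ever accepted.
  }
  chain output {
    type filter hook output priority 0; policy drop;
    oif "lo" accept
    ct state established,related accept
    # The single permitted new outbound connection: HTTPS to the platform.
    # Revocation and time-sync traffic still need a path; the text describes
    # the platform providing revocation over this connection. Any NTP rule is
    # a site-specific decision and is deliberately not added here.
    ip daddr ${PLATFORM_IP} tcp dport ${PLATFORM_PORT} ct state new accept
  }
  chain forward {
    type filter hook forward priority 0; policy drop;
  }
}
EOF
}

# Sanity check before applying: count the rules that admit NEW outbound
# connections. Exactly one (the platform) means the outbound lockdown is complete.
new_outbound_accepts() {
  lockdown_ruleset | grep -c 'ct state new accept'
}
```

Apply with `lockdown_ruleset > /etc/nftables.conf && nft -f /etc/nftables.conf`; an external router or switch ACL for a resource that cannot run a host firewall expresses the same single allow-list entry.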
The Agilicus AnyX Zero Trust Air Gap Lockdown stylised deployment is shown below. In this we show two methods. The Critical Resource Server on the left uses an OS-based firewall (perhaps implemented in a virtual-machine hypervisor, perhaps in the OS) to block all but the Agilicus AnyX source/destination. Malware that becomes resident on the host out-of-band cannot reach out and cannot activate. A user, outside the environment, has transparent access after proving their identity and role. The Critical Resource Server on the right is implemented in a similar fashion, but the firewall is external (e.g. if the resource is incapable of running the Agilicus Connector, such as an embedded HMI). This firewall should be as close to the resource as practical. Since this firewall is very simple (a single IP-based ACL), it can often be implemented in an existing router or even a switch.
From a convenience standpoint, the Agilicus AnyX Zero Trust Air Gap Lockdown is unparalleled. The end-user sees transparent access with Single-Sign-On. From a security standpoint, per-user, per-transaction fine-grained audit backstops a per-user, per-transaction role-based access control.
From an acceptability and meeting-of-organisation policy standpoint, a single outbound HTTPS connection, interacting properly with existing SSL-inspecting firewalls, meets the criteria of even the most security-conscious organisations. Outbound only, strong, audited encryption, layered interaction with other security appliances, perfect fine-grained audit.
The Agilicus AnyX platform provides a convenient, simple-to-deploy, non-disruptive Zero Trust Air Gap Lockdown which is both efficient and secure. It was indeed a false choice to assume you could be either easy to use or secure.