Air-gap: definition
An air-gapped infrastructure is a computer system that is completely cut off from external networks in order to maximize security. The principle is the physical separation of a network of machines that need to communicate with each other from any other computer network: no connection to an outside network is possible, which makes digital intrusions extremely difficult, if not impossible.
Although this method offers optimum protection, it involves significant technical restrictions, which is why it is mainly used for highly sensitive systems.
In some cases, physical isolation means no wired connection to a network at all and protection against electromagnetic interference. In addition, no devices should be connected that can establish a direct or indirect link with another machine. Finally, the system must not incorporate any wireless communication devices (Wi-Fi, 3G / 4G / 5G or GSM).
Although the environment is closed, the assets that make up an Air-gapped infrastructure need to be secure, as we’ll see below.
What’s the difference between Air-gapped and On-Premises infrastructures?
An On-Premises infrastructure is a set of assets (servers, workstations, software, network equipment) installed and operated in-house by an organization. Unlike Cloud solutions, where resources and data are hosted by an external service provider, an On-Premises infrastructure enables an organization to keep total control over its data and applications.
Although deployed and managed in-house, an On-Premises infrastructure can be opened up to outside networks with specific configurations, such as a VPN connection, access via a firewall, or even a hybrid architecture combining On-Premises and Cloud. Conversely, as its name suggests, an Air-gapped infrastructure offers no connection to the outside and is totally closed.
Cybersecurity: how to protect an Air-gapped environment
As Air-gapped infrastructures are adopted by organizations handling highly sensitive data, it’s important to bear in mind that potential attacks can be particularly sophisticated.
Also, in a totally closed environment, updating network applications and operating systems is more complex to carry out, so these networks can become vulnerable and therefore easier for an attacker to exploit.
Furthermore, even in closed environments, users may need to use external media to update applications or operating systems. During such critical operations you need to be extra vigilant and provide tools that are commensurate with the security stakes: EDR to detect known and unknown files and malicious behavior, EPP to carry out antivirus and external device scans…
Logically, an Air-gapped environment should be equipped with an On-Premises solution to maintain total control over data. But how does it work in practice? Is it possible to update an EDR or EPP in a closed environment to ensure optimum protection at all times and, if so, how?
Securing Air-gapped environments with HarfangLab On-Premises
Cloud-like capabilities and functions
Even in closed environments, the quality of protection and working conditions for SOC analysts is crucial. How does HarfangLab meet these challenges?
- The features and detection engines available in the Cloud version are also available On-Premises: engines based on Signatures (YARA), behavior (Sigma), IoC, AI, Ransomguard, EPP…
- The engines integrated into the agents consume a minimum of resources, ensuring protection without any connection to the Cloud, to meet the requirements of Air-gapped environments.
- The solution provides connectors and APIs with 100% functionality for easy integration with the existing ecosystem, given that Air-gapped environments generally include specific technical components.
Local support and regular updates
Our mission is also to make maintaining operational and security conditions as simple as possible, thanks to:
- Proximity support recognized for its expertise and responsiveness
- Product and detection rule upgrade options to suit all needs, in total isolation, to meet the imperatives of Air-gapped environments
Wondering how to manage these updates in practice? The answer is simple.
The EDR manager evolves regularly, and new versions are made available to users according to the procedures defined for their integration into the console.
The same applies to detection rules and signature databases, which we download and make available to users.
For Air-gapped environments, users can connect to our MISP to integrate Threat Intelligence updates autonomously, or take advantage of manager updates to deploy new detection rules at the same time. Detection rule updates can be made from any Internet-connected device and transferred by USB stick into the console.
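One check a practitioner will want around the USB step just described is confirmation that the update bundle arriving inside the isolated network is exactly what was staged on the Internet-connected side: nothing altered, nothing missing, nothing added in transit. The script below is an added example and not HarfangLab's tooling or bundle format; the manifest name, the `build_manifest`/`verify_bundle` functions and the sample rule files are assumptions made for the illustration.

```python
"""Integrity manifest for carrying detection-rule updates across an air gap.

Added example, not HarfangLab's own tooling or format. Assumed workflow:
on the Internet-connected machine, write_manifest() records a SHA-256
digest for every file in the bundle before it is copied to the USB stick;
on the air-gapped side, verify_bundle() re-hashes every file and reports
anything missing, modified, or unexpected before the rules are imported.
"""
import hashlib
import json
import tempfile
from pathlib import Path

MANIFEST_NAME = "MANIFEST.sha256.json"  # assumed file name, not a product convention


def sha256_file(path: Path, chunk: int = 1 << 20) -> str:
    """Stream a file through SHA-256 so large signature databases don't need to fit in RAM."""
    h = hashlib.sha256()
    with path.open("rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def build_manifest(bundle_dir: Path) -> dict:
    """Hash every regular file under bundle_dir, keyed by its relative POSIX path."""
    entries = {}
    for p in sorted(bundle_dir.rglob("*")):
        if p.is_file() and p.name != MANIFEST_NAME:
            entries[p.relative_to(bundle_dir).as_posix()] = sha256_file(p)
    return {"algorithm": "sha256", "files": entries}


def write_manifest(bundle_dir: Path) -> Path:
    """Connected side: record the manifest next to the files before copying to media."""
    out = bundle_dir / MANIFEST_NAME
    out.write_text(json.dumps(build_manifest(bundle_dir), indent=2, sort_keys=True))
    return out


def verify_bundle(bundle_dir: Path) -> list[str]:
    """Air-gapped side: return a list of problems; an empty list means the bundle matches."""
    manifest_path = bundle_dir / MANIFEST_NAME
    if not manifest_path.is_file():
        return ["manifest missing"]
    manifest = json.loads(manifest_path.read_text())
    if manifest.get("algorithm") != "sha256":
        return ["unsupported algorithm"]
    expected = manifest["files"]
    actual = build_manifest(bundle_dir)["files"]
    problems = []
    for rel, digest in expected.items():
        if rel not in actual:
            problems.append(f"missing: {rel}")
        elif actual[rel] != digest:
            problems.append(f"modified: {rel}")
    for rel in actual:
        if rel not in expected:
            problems.append(f"unexpected file: {rel}")
    return problems


def demo() -> tuple[list[str], list[str]]:
    """Constructed sample: a clean bundle, then the same bundle altered in transit."""
    with tempfile.TemporaryDirectory() as tmp:
        bundle = Path(tmp) / "rules_update"
        (bundle / "yara").mkdir(parents=True)
        (bundle / "yara" / "example.yar").write_text(
            'rule example { strings: $a = "x" condition: $a }\n'
        )
        (bundle / "sigma_example.yml").write_text("title: example\nlogsource:\n  product: windows\n")
        write_manifest(bundle)
        clean = verify_bundle(bundle)
        # Simulate what transit tampering would look like: one rule rewritten, one file added.
        (bundle / "yara" / "example.yar").write_text("rule example { condition: true }\n")
        (bundle / "extra.txt").write_text("not part of the staged bundle\n")
        tampered = verify_bundle(bundle)
    return clean, tampered


if __name__ == "__main__":
    clean, tampered = demo()
    print("clean bundle:", clean or "OK")
    print("tampered bundle:", tampered)
```

A hash manifest only catches modification; it proves nothing about who produced the bundle, because whoever can alter the files can also rewrite the manifest. For authenticity the manifest should additionally be signed on the connected side and the verifying public key installed on the air-gapped console in advance, so that the signature check runs before any rule is imported.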
In short: deployment, features, support, updates, maintenance… HarfangLab On-Premises offers the same level of security and simplicity as its Cloud version, even for Air-gapped environments!
Want to learn more about our On-Premises offer and ask about our solutions for Air-gapped environments?