HOWTO maintain an air-gapped system


#1



#2

Even that advice seems pretty risky. Once upon a time the security guys at work made the claim that a fresh CD install of Windows XP put on the internet with a non-firewalled public IP could be compromised in less than 10 minutes; there were that many probes flying around looking for vulnerable hosts.

It’s certainly possible to configure a host without ever once connecting it to the internet; it was the ONLY way to install a computer for most of computing history. It’s just a question of how much convenience you need.

The “best” way to make an air-gapped host would be the use of an OS that you personally built from source… Gentoo is probably the best known option. Most of us aren’t going to pore over the source code looking for backdoors, so there’s still some element of trust you have to place in the source distributors, but I’d be much more comfortable with an OS I compiled myself than compiled binaries distributed on a CD or delivered over the internet via Windows Update.


#3

I’ve seen it happen on a LAN behind a firewall, which I guess says a lot about the network at that particular company.


#4

Connecting to the Internet through a web proxy on your collision domain will further isolate your box from the Internet. This is how we build PCI compliant servers in my shop. Don’t give the box a default route either.


#5

Better still: download an ISO, check the signature on the ISO, boot a bare-bones system designed to do nothing but install an ISO to a thumb drive, install to thumb drive, check the MD5/SHA hashes of the files installed from ISO.

Install from that thumb drive to the air gapped system.

(This presumes there’s nothing malicious in the thumb drive firmware.)

Another thing you should not do: use an Intel Core vPro line of processor in your airgap system; they have cell network antennas built into the system hooks for “theft recovery” and can be remotely administered by whoever has a key to the management system on chip - even powered up and the storage contents processed. Edit: requires a cell network adapter which is not necessarily on-board


#6

vPro, I’m paranoid but you are going to have to source that. I’ve read some stuff on it but the source was crazy.


#7

I swear to god, Cory, sometimes you sound like the internet version of a Doomsday prepper.


#8

http://www.intel.com/content/dam/www/public/us/en/documents/technology-briefs/3rd-generation-anti-theft-technology-brief.pdf

From the source. The functionality listed in that document includes remote power up, control of the system at the BIOS level, including searching for information on disk and changing it.

The trust model then involves - how many entities have authorisation to generate auth keys to the BIOS to perform these actions? Your IT department; Intel -> your IT department; Intel -> NSA; Intel -> ?. For every new key generated that can authorise these actions, the attack surface grows. For every branch of authority from Intel to ?, the attack surface grows.

History shows us that someone, somewhere, will eventually get unauthorised access to the root keys for this scheme, and the evidence that they have done so will be non-existent until and unless a thorough investigation of a compromised system is performed that rules out all possible alternatives - including gamma rays flipping bits in silicon (which is to say, anyone with one of these keys has little chance of being discovered unless they fall into a pre-built honeypot or step forward themselves).

Edit: also, this : http://www.intel.com/content/www/us/en/enterprise-security/what-is-vpro-technology-video.html
It chirpily upsells these as features, and even cites TPM features. I’m not willing to allow the manufacturer of my GPC system to cede control of it to whoever can blackmail their C-Level execs or customer service employees.


#9

That’s totally true. An unprotected fresh XP host would be owned before it finished booting. That said, if you put the machine up behind a firewall and your first connection was to windowsupdate.microsoft.com then you would probably be OK (only DNS poisoning would get you then).

One of the hardest things about airgapped machines is keeping them patched. The patches represent a potential infection vector, but leaving your machines unpatched also leaves them wide open to anybody who figures out how to cross your airgap. This is what killed the Iranian nuclear weapons program.

This is also one area where Linux machines are more difficult to administer than Windows machines. With Linux you typically have this spiderweb of libraries and applications installed, and if you want to put something new on an unpatched machine you’ll often find that your application requires version 5.2.1 of some library and you have 5.2.0, but upgrading the library would also require you to upgrade the dozen or so apps that already use it, which means you have to upgrade the libraries that they depend on and pretty soon you’re just doing a full system update. The only way to keep your sanity is to never update anything and keep everything on the same version (the CD release version) and hope you never need anything that doesn’t come on the CD.


#10

In my experience, this won’t stop Skynet.


#11

There isn’t anything there referring to the 3G mobile network. I don’t like vPro or UEFI, but it’s important to identify actual security vulnerabilities.


#12

At least one of their marketing materials (a cute demonstration animation) implies cellular connectivity, with a theft victim phoning up the anti-theft service which then shuts down the system remotely; whether that requires a wifi connection for the laptop or not was beyond the cute demo animation.

I simply don’t trust a system designed to be controlled by someone who holds a key, which key I am unable to evict from the system. Built-in backdoors - even if there’s not a radio built into the system, or not a radio you’re aware of built into the system - are failings of secure systems, not features.

If there’s a poison pill built into the chip from a certificate update, then an SSL key cert imported into the system’s built-in PKI management might compromise the system.

Leaving the trust infrastructure in un-auditable silicon with a number of black boxes means trusting those black boxes - which is security through obscurity, which is wrong.

Edit: found a citation that the chip has a hook to accept commands via encrypted SMS from an external cellular card - so I must retract the claim that it has a built-in radio.


#13

I agree, hardware is a BIG problem. I’m hoping open hardware and audits fills the gap. It is going to take a lot of work.


#14

This is absolutely true, I would be shocked if it actually took 10 minutes. Of course, no sane person should be using an operating system from 2001, either.


#15

The biggest problem that I have with my air-gapped system is the ozone and the noise from the power supply…


#17

I don’t get one thing here - if it’s air-gapped, why does it matter if you’ve built it by hand, or what exactly the system is?

Create documents in neutral formats (like plain text or XML) and make sure to vet them before moving to the connected system. Use well known standards for transferring data, so that you won’t ever have a problem of obsolescence of software. Since the 'gapped system is not connected, there should be no way for malware to make it through.

Any decent Linux or BSD distribution will do - even a 15 year old RedHat which can run a text editor and Latex or something…
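The post above recommends moving documents off the air-gapped system only in neutral formats like plain text and vetting them first. One concrete, mechanical vet is to refuse anything that is not pure printable text, since escape sequences, NUL bytes and other control characters are exactly what a "plain text" file should never contain. This is an added example, not from the thread; it applies a deliberately strict ASCII-only policy (an assumption for the example), and the sample files are constructed inline.

```shell
#!/bin/sh
# Added example: gatekeeper check for files leaving an air-gapped host.

# is_plain_text FILE: return 0 if FILE is non-empty and every byte is printable
# ASCII, tab, CR or LF. Anything else (NUL, ESC/terminal control sequences,
# 8-bit bytes) makes it fail closed. LC_ALL=C keeps tr's classes byte-based.
is_plain_text() {
  f="$1"
  [ -s "$f" ] || { echo "REJECT  $f: empty or missing"; return 1; }
  stray=$(LC_ALL=C tr -d '[:print:]\t\n\r' < "$f" | wc -c | tr -d ' ')
  if [ "$stray" -eq 0 ]; then
    echo "ACCEPT  $f"
    return 0
  fi
  echo "REJECT  $f: $stray non-text byte(s)"
  return 1
}

# vet_dir DIR: run the check over every regular file in DIR; return 0 only if
# all of them pass, so a single bad file blocks the whole transfer.
vet_dir() {
  bad=0
  for f in "$1"/*; do
    [ -f "$f" ] || continue
    is_plain_text "$f" || bad=1
  done
  return $bad
}

# Constructed samples: a clean note, a file with a terminal escape sequence,
# and one with an embedded NUL byte.
out_dir=$(mktemp -d)
printf 'Meeting notes\n- build finished\n- hashes verified\n' > "$out_dir/notes.txt"
printf 'looks harmless \033[31mbut carries an escape\033[0m\n' > "$out_dir/colour.txt"
printf 'header\0payload\n' > "$out_dir/nul.txt"

check_clean()  { is_plain_text "$out_dir/notes.txt"; }
check_escape() { is_plain_text "$out_dir/colour.txt"; }
check_nul()    { is_plain_text "$out_dir/nul.txt"; }

vet_dir "$out_dir" || echo "transfer blocked: at least one file failed the vet"
```

The check says nothing about the meaning of the text, only that it cannot carry anything a text viewer would interpret; pair it with a review of the content itself before the file crosses to the connected side.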


#18

Of course… A sane person would use a 1996 OS – OS/2 warp 4 :smile:


#19

This topic was automatically closed after 5 days. New replies are no longer allowed.