3

I'm facing the issue to develop a system which archives some data, which was available via a web-server some time before (to selected users). Now the question arises on how to securely transport the valuable data from the live / online server to the air-gapped machine (not necessarily a "true" server, probably without server OS and server HW).

As the data-amounts are rather small (few GB / half-year, one or two DVDs are enough, one large chunk), I thought about burning the data onto DVDs, wiping the encrypted copies from the online-server and re-encrypting the data on the air-gapped machine for long-term storage.

So much for my idea, now the more "formal" requirement:
I need to transport the data with minimal risk of infecting the air-gapped machine.
Obviously USB-sticks or similar are a bad idea and already have been exploited (thanks BadUSB). I thought DVDs (only once-writeable) are the most secure choice as they deny any sort of back-flowing channel from the archive system to the live-system. I may even mandate the use of some scanning on a secondary machine before the data is to be fed into the archive.

Please also note that the archive system can't be optimized for availability reasons.

With all this background, my question:
Is there any more secure way of transporting data from an online-system to an airgapped-system than to use DVDs (+ scan-after-burn)?

SEJPM
  • Would a unidirectional network cable meet your requirements? – Gerald Davis Jul 01 '15 at 22:29
  • archivates -> archives? – Jul 02 '15 at 04:39
  • @GeraldDavis Wouldn't this break the air-gap? – SEJPM Jul 02 '15 at 07:18
  • @SEJPM Yes, a unidirectional network cable would break the air gap. Furthermore, it is quite inconvenient to work with because you can't use any of the standard file transfer tools (they pretty much all rely on bidirectional communication being available). You'd have to have one machine "broadcast" the source data and the other one sniff it out of the cable. You'd need to build error-checking in and perform manual correction should some element be dropped. – Stephane Jul 02 '15 at 09:08
  • @SEJPM Yes, it would not be air-gapped; however, is the air gap a requirement, or is it a method to achieve the goal of no information leak out of the secure system? I would point out that unidirectional links (aka data diodes) have been used in secure systems, to include nuclear reactors, for decades. – Gerald Davis Jul 02 '15 at 12:15
  • @GeraldDavis, indeed the air-gap is meant to secure the system against information-leakage (cheapest way to get this). But those data diodes look *really* expensive and I'm not sure if I can get this through (even more considering the complicated usage), as DVD+Air-Gap is a lot cheaper and I only need to transfer one large chunk (several GB) per half-year, meaning 99%(+) of the time the diode would be unused. – SEJPM Jul 02 '15 at 16:07
  • @SEJPM Well, you can make a unidirectional Ethernet cable yourself. 10Mbps is very easy: you are just physically cutting one set of the TX/RX wires. 100Mbps is a little harder, but it can be done. – Gerald Davis Jul 02 '15 at 16:41
  • @GeraldDavis, thank you for this information, it may prove useful in the future :) However DVDs still seem to be the better option, as they keep the air-gap, and provide high-levels of control on what flows into the system (checking of each data chunk). And physically modifying would mean changing deploying (like) 50m cables, and I'm not sure if the users will be happy about this (as opposed to "good ol' style burning and inserting discs"). – SEJPM Jul 02 '15 at 17:00
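
The framing and error-checking that Stephane's comment describes for a one-way link, sketched as an added example that is not part of the original thread: the sender numbers and checksums each frame, and the receiver, which cannot acknowledge anything, reports which frames must be re-sent by hand. The frame layout, chunk size and function names are assumptions, and the actual broadcast and capture on the wire are left out (frames are passed as byte strings).

```python
import hashlib
import struct
import zlib

HEADER = struct.Struct("!IIH")  # assumed layout: sequence no., frame count, payload length
CHUNK = 1024                    # assumed payload bytes per frame

def make_frames(data, chunk=CHUNK):
    """Sender: header + payload + CRC32 per frame; the final frame carries
    the SHA-256 of the whole file so the receiver can check the reassembly."""
    parts = [data[i:i + chunk] for i in range(0, len(data), chunk)]
    parts.append(hashlib.sha256(data).digest())
    frames = []
    for seq, payload in enumerate(parts):
        body = HEADER.pack(seq, len(parts), len(payload)) + payload
        frames.append(body + struct.pack("!I", zlib.crc32(body)))
    return frames

def receive(frames):
    """Receiver: it cannot ACK or ask for a resend, so it keeps every frame
    that verifies and returns (data, []) or (None, missing sequence numbers)."""
    good, total = {}, None
    for frame in frames:
        if len(frame) < HEADER.size + 4:
            continue                      # truncated: treat as dropped
        body, (crc,) = frame[:-4], struct.unpack("!I", frame[-4:])
        if zlib.crc32(body) != crc:
            continue                      # corrupted: treat as dropped
        seq, count, length = HEADER.unpack(body[:HEADER.size])
        payload = body[HEADER.size:]
        if seq >= count or len(payload) != length:
            continue
        good[seq], total = payload, count
    if total is None:
        return None, []                   # nothing usable arrived
    missing = [s for s in range(total) if s not in good]
    if missing:
        return None, missing              # operator re-sends these by hand
    data = b"".join(good[s] for s in range(total - 1))
    if hashlib.sha256(data).digest() != good[total - 1]:
        raise ValueError("reassembled data does not match the sender's digest")
    return data, []

if __name__ == "__main__":
    sample = bytes(range(256)) * 20       # constructed sample input, 5 KiB
    sent = make_frames(sample)
    print(receive(sent[:2] + sent[3:]))   # frame 2 lost on the wire
```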

1 Answer

1

If you're really that paranoid about your air-gapped systems, you might want to consider using backup tapes.

They include no active part that could be exploited and aren't mounted as a standard file system, so that limits the way the data they contain could be exploited.

Stephane
  • +1, nice idea, although not applicable, as this would mean you'd need to have some (trusted & air-gapped) PC for accessing the tapes, thus not fully solving the problem. – SEJPM Jul 02 '15 at 16:01
  • I don't see the problem: if you're talking about an air-gapped system, you need a computer (otherwise, it's just offline storage - for which tapes are also well suited). Just dedicate a machine that is part of the air-gapped system to read the tapes. – Stephane Jul 03 '15 at 07:01