Networks with the highest security requirements that are disconnected from the outside world are known as Airgap networks. Such networks support the critical infrastructure that societies and economies depend on, for example:
- Energy / Utilities / SCADA networks
- First Responder Networks
Because Airgap networks operate as islands with no traffic going in or out, managing them presents significant challenges. The challenges are compounded by the size of the networks and/or by the number of such networks an enterprise or government operates. Network and security operations coverage must be 24x7x365, and internal troubleshooting is held to the most aggressive Service Level Agreements (SLAs). The impact of an Airgap network being down can literally be a matter of life and death, cause economic hardship, or destabilize societies.
In order to meet these operational support requirements and SLAs, dedicated instances of costly network and security operations management applications, such as Netcool or Splunk, may need to be deployed per Airgap network.
Deploying such management applications per network is often cost prohibitive. Alternatively, Airgap networks can be managed with element management systems (EMS) instead. This is a far more labor-intensive operational delivery model: without powerful umbrella fault management and security management systems, automation, correlation, and filtering capabilities are limited, which is the opposite of what operating an Airgap network demands.
The obvious preference is to manage Airgap networks from a centralized location, but that requires remote access into the Airgap network, violating internal cyber security and/or external regulatory requirements. That does not mean your centralized management applications have to be blind to the Airgap network: monitoring Airgap networks remotely and securely is possible.
ZoneRanger is a patented firewall proxy appliance that allows insecure management traffic (SNMP, ICMP, etc.) to be inspected (Deep Packet Inspection) and validated before being passed through a firewall boundary via an encrypted TLS tunnel (256-bit), after which ZoneRanger filters, replicates, and forwards the data to any number of defined destinations. In combination with Data Diodes, ZoneRanger enables monitoring of Airgap networks by network management applications such as Netcool, SolarWinds, and Splunk from a centralized location, without violating cyber security requirements.
A Data Diode network consists of two or more ZoneRanger appliances that form a one-way chain of communication from a source to a destination. Key aspects of a ZoneRanger and Data Diode architecture include:
- The ZoneRanger forwards SNMP traps, syslog messages, NetFlow packets, and/or sFlow packets from network to network through Data Diodes. The messages are batched together in files. The TCP connection used to transfer the data files between the ZoneRanger and the Data Diode is encrypted, and the files themselves are tamper-resistant and replay-protected, so a batch that has been altered or re-sent is rejected on the receiving side.
- The ZoneRanger polls the devices in the airgap / highly secured network via ICMP, SNMP, and TCP. When a device fails to respond to a poll, the ZoneRanger generates a trap, which is forwarded through the Data Diodes to the remote management application so that it can flag the device as unresponsive. A second trap is generated and sent when the device becomes responsive again.
- Each deployed ZoneRanger also sends a periodic report listing the status of the devices it polls; the reports travel through the Data Diodes to the defined destination.
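The three points above describe a one-way channel: batches of traps and syslog lines sealed against tampering and replay, and a poller that raises a trap only when a device changes reachability state. The following model is an added example, not Tavve's code or ZoneRanger's actual file format; the batch layout (JSON body plus a 32-byte HMAC-SHA256 tag), the shared key, the trap names and the poll bookkeeping are assumptions made for illustration, and the poll results and syslog line are constructed. Because nothing can flow back across a diode, the receiver cannot ask for a retransmission, so it counts sequence gaps as losses instead of rejecting the newer batch.

```python
"""Model of one-way, replay-protected batch transfer and edge-triggered poll traps.

Added example, not Tavve's code. The batch layout (JSON body + 32-byte HMAC-SHA256
tag), the shared key and the poll bookkeeping are assumptions made for illustration.
"""
import hashlib
import hmac
import json

# Constructed demo key. A real deployment provisions a per-appliance-pair key
# out of band, since nothing can flow back across the diode to negotiate one.
BATCH_KEY = b"constructed-demo-key-do-not-use"
TAG_LEN = 32  # bytes of HMAC-SHA256 appended to each batch


def seal_batch(messages, seq, key=BATCH_KEY):
    """Pack traps/syslog lines into one batch file: JSON body + HMAC tag.

    The sequence number sits inside the authenticated body, so an attacker who
    re-sends an old file cannot bump it without invalidating the tag.
    """
    body = json.dumps({"seq": seq, "messages": messages},
                      separators=(",", ":")).encode()
    tag = hmac.new(key, body, hashlib.sha256).digest()
    return body + tag


class Receiver:
    """Destination side of the diode: verifies, de-duplicates, and counts losses."""

    def __init__(self, key=BATCH_KEY):
        self.key = key
        self.last_seq = 0     # highest sequence number accepted so far
        self.lost = 0         # batches skipped by a gap in the sequence
        self.delivered = []   # messages handed on to the management application

    def accept(self, blob):
        body, tag = blob[:-TAG_LEN], blob[-TAG_LEN:]
        expected = hmac.new(self.key, body, hashlib.sha256).digest()
        # Constant-time compare, and check the tag before parsing anything.
        if not hmac.compare_digest(tag, expected):
            return "reject:tampered"
        batch = json.loads(body)
        if batch["seq"] <= self.last_seq:
            return "reject:replay"
        # One-way link: a gap cannot be re-requested, so record it rather
        # than rejecting the newer batch.
        self.lost += batch["seq"] - self.last_seq - 1
        self.last_seq = batch["seq"]
        self.delivered.extend(batch["messages"])
        return "accept"


class PollTracker:
    """Edge-triggered poll state: one trap per reachability change, not per failed poll."""

    def __init__(self):
        self.reachable = {}

    def observe(self, device, responded):
        prev = self.reachable.get(device, True)  # assumed up until a poll says otherwise
        self.reachable[device] = responded
        if prev and not responded:
            return f"TRAP deviceUnreachable {device}"
        if not prev and responded:
            return f"TRAP deviceReachable {device}"
        return None


def run_demo():
    """Poll results -> traps -> sealed batches -> receiver; returns the receiver's decisions."""
    tracker = PollTracker()
    # Constructed poll outcomes for one router: up, down, still down, recovered.
    polls = [("rtr1", True), ("rtr1", False), ("rtr1", False), ("rtr1", True)]
    traps = [t for dev, ok in polls if (t := tracker.observe(dev, ok))]

    rx = Receiver()
    batch1 = seal_batch(traps, seq=1)
    # Constructed syslog line, as the appliance would forward it.
    batch2 = seal_batch(["<134>rtr1 %LINK-3-UPDOWN: Interface Gi0/1, changed state to down"], seq=2)
    results = {"first": rx.accept(batch1), "second": rx.accept(batch2)}
    results["replay"] = rx.accept(batch1)                # old file re-sent: rejected
    tampered = bytearray(batch2)
    tampered[5] ^= 0x01                                  # flip one bit in the body
    results["tampered"] = rx.accept(bytes(tampered))     # tag no longer matches
    results["after_gap"] = rx.accept(seal_batch(["heartbeat"], seq=5))  # seq 3 and 4 lost
    results["lost"] = rx.lost
    results["delivered"] = len(rx.delivered)
    return traps, results


if __name__ == "__main__":
    traps, results = run_demo()
    for line in traps:
        print(line)
    print(results)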
Utility Example for multiple Air Gap Networks
Expanding ZoneRanger beyond the use case of acquiring remote visibility into Airgap networks, organizations can use it to address challenges such as the ones below in an elegant and affordable way:
- Bridging conflicting Security and Operations requirements
- Reducing the administrative effort caused by ever-changing network configurations
- Reducing the cost and execution complexity of changing management platforms
- Reducing the effort and cost of firewall rule change management, and the project delays it causes
- Enhanced Security:
  - Network attack surface is minimized. ZoneRanger drastically reduces the need for open firewall ports: the only open firewall port is the one for the encrypted tunnel to the Network / Security Operations Center.
  - ZoneRanger's transparent proxy prevents internal network fingerprinting, as it conceals the management application's identity and address from hosts in the managed network.
- Lower OPEX, Prevent CAPEX:
  - Tavve's solutions extend the life span of management applications (e.g. Netcool, Splunk) by intelligently directing the right traffic to the right destination.
  - Firewall rule change management effort is reduced by up to 90%: fewer open firewall ports means fewer rules to manage.
  - Easily add, remove, or trial new management tools. Tavve allows seamless tool deployment without adding or changing device configurations in customer networks.
- Increase Network Management Redundancy:
  - If a management application is disconnected or compromised, all Operations has to do is redirect the traffic through ZoneRanger to the management tools of one of its backup NOCs / SOCs.
- Manage Compliance:
  - Through Tavve's solutions, the enterprise can aggregate management traffic from all of its business lines and operational entities in a centralized location, ensuring that compliance requirements (SOX, ISO, etc.) are met at all times and avoiding the brand damage and regulatory fines that result from inconsistent compliance policies across multiple units managing their own networks.