When you are in charge of highly secure networks, such as OT networks or financial or government IT assets, you still need a way to monitor them and to be notified when availability or performance issues occur. It is just as important to know when a security incident is taking place in such a network.
Obviously, these highly secure networks are disconnected from the Internet and from any other open network. In many cases they are built as "air-gapped": there is no physical or wireless network connection from the highly secure network to any other network, and vice versa.
What are your options for monitoring an air-gapped network?
Below is a quick comparison of the options for monitoring the IT and cyber aspects of an air-gapped network. They range from a full-blown deployment of monitoring and cyber tools inside the air-gapped network to a simpler and more cost-effective approach using the AutoMonX Smart Notifications product.
| Option | Security | Operational Impact | Price |
|---|---|---|---|
| Standalone, full-blown IT and cyber monitoring solution | High | High | High |
| Purpose-built device (data diode) + collectors (Syslog, SNMP traps) | High | Low | Medium |
| One-way file transfer + AutoMonX Smart Notifications | High | Low | Low |
Standalone full-blown IT and cyber monitoring - highly secure, yet operationally complex and expensive. You need to deploy and manage a set of tools inside the air-gapped network, and your SOC and NOC teams end up split-brained, watching the open and the secure network on separate dashboards and monitors. Passing notifications out is problematic (a cellular modem is just another attack vector). Now imagine you need to monitor 5-10 different air-gapped networks.
Purpose-built devices - some organizations deploy data diodes (one-way communication devices). These are typically rack-mounted servers with an optical one-way connection to the open network. They ease the operational complexity, as you can send Syslog and SNMP traps out to the open network, where the monitoring and cyber systems are already in place, without compromising the security of the air-gapped network. In this approach the costs mount, as the prices of the purpose-built devices run to tens of thousands of USD per server.
AutoMonX Smart Notifications - our Smart Notifications solution was originally built for filtering and correlating notifications and sending only the relevant ones, in many different ways (Email, Syslog, SNMP traps etc.). In response to customer demand, we developed an offline mode that collects notifications as text files on the air-gapped side and can "replay" those alerts once the files are copied to the open/less secure side, sending them to multiple destinations such as SOC management tools (Splunk, Elastic, ArcSight) and/or central monitoring solutions. This reduces the need to deploy standalone monitoring and security solutions inside the air-gapped networks.
AutoMonX Smart Notifications
Smart Notifications is a software-based solution, much more cost-effective and flexible in terms of deployment. You need a secure one-way file copying mechanism between the air-gapped and the open network. Smart Notifications is neutral as to which tool is used, as long as the notification files are copied to a shared folder from which it can read them. For example, appliances like Waterfall, Forcepoint Data Diode and many others can be used in conjunction with SmartNotif.
Keeping the information secure - Sanitization of Data
Before notifications are stored in an offline file, sensitive data can optionally be sanitized. Smart Notifications can automatically remove anything that looks like an IP address and automatically replace any text string with other text of your choice. Below is a snippet of the Smart Notifications configuration file where all IP addresses are removed from the text, and any of the words "OT", "firewall", "topsecret" or "scada" is automatically replaced by the word "internal".
SECRET_INFO_REPLACE=TRUE
SECRET_INFO_PATTERNS=OT,firewall,topsecret,scada
SECRET_INFO_REPLACE_STRING=internal
SECRET_INFO_REMOVE_IP=TRUE
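To make the effect of these four settings concrete, here is an added example (not AutoMonX code, and not how Smart Notifications is implemented internally) that reads a configuration snippet with the same keys and applies the two rules to a few constructed alert lines. The configuration file format (one KEY=VALUE per line, comma-separated lists), whole-word case-insensitive matching of the patterns, and the `[ip-removed]` placeholder are all assumptions made for the example; the page only states that IP addresses are removed and listed words are replaced.

```python
import re

# Constructed config mirroring the four keys shown on the page; the file
# format (one KEY=VALUE per line, comma-separated lists) is an assumption.
SAMPLE_CONFIG = """\
SECRET_INFO_REPLACE=TRUE
SECRET_INFO_PATTERNS=OT,firewall,topsecret,scada
SECRET_INFO_REPLACE_STRING=internal
SECRET_INFO_REMOVE_IP=TRUE
"""

# Constructed alert lines, as a collector on the air-gapped side might emit them.
SAMPLE_ALERTS = [
    "CRITICAL: SCADA host 10.20.30.40 unreachable via firewall fw-ot-1",
    "WARNING: topsecret share on 192.168.1.5 at 91% capacity",
    "NOTICE: heartbeat from 256.1.1.1 ok, build 12.3.4 loaded",
]

# Our choice of placeholder; the page only says addresses are removed.
IP_PLACEHOLDER = "[ip-removed]"

# Anything that looks like a dotted quad. Deliberately not validated against
# the 0-255 octet range: when sanitizing, deleting a false positive such as
# 256.1.1.1 is the safe error, leaking a real address is not.
IPV4_LIKE = re.compile(r"\b\d{1,3}(?:\.\d{1,3}){3}\b")


def parse_config(text):
    """Parse KEY=VALUE lines into a dict; blank lines and # comments are ignored."""
    cfg = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        cfg[key.strip().upper()] = value.strip()
    return cfg


def build_sanitizer(cfg):
    """Return a function that applies the configured rules to one alert line."""
    remove_ip = cfg.get("SECRET_INFO_REMOVE_IP", "FALSE").upper() == "TRUE"
    replace = cfg.get("SECRET_INFO_REPLACE", "FALSE").upper() == "TRUE"
    replacement = cfg.get("SECRET_INFO_REPLACE_STRING", "")
    patterns = [p.strip() for p in cfg.get("SECRET_INFO_PATTERNS", "").split(",") if p.strip()]

    # Whole-word, case-insensitive match on the literal patterns (assumed
    # semantics). re.escape keeps a pattern like "fw.ot" from being read as a
    # regex; longest-first ordering makes "topsecret" win over a shorter
    # "secret" entry if both are configured.
    word_re = None
    if replace and patterns:
        alternation = "|".join(re.escape(p) for p in sorted(patterns, key=len, reverse=True))
        word_re = re.compile(r"\b(?:" + alternation + r")\b", re.IGNORECASE)

    def sanitize(line):
        # Order matters: strip IPs first so a later word replacement can never
        # reassemble something that looks like an address.
        if remove_ip:
            line = IPV4_LIKE.sub(IP_PLACEHOLDER, line)
        if word_re is not None:
            line = word_re.sub(replacement, line)
        return line

    return sanitize


def sanitize_alerts(config_text, alerts):
    """Sanitize a batch of alert lines before they are written to the offline file."""
    sanitize = build_sanitizer(parse_config(config_text))
    return [sanitize(a) for a in alerts]


if __name__ == "__main__":
    for before, after in zip(SAMPLE_ALERTS, sanitize_alerts(SAMPLE_CONFIG, SAMPLE_ALERTS)):
        print(before)
        print("  ->", after)
```

Two practical points the example makes visible. First, word-boundary matching is what keeps `NOTICE` from becoming `NinternalICE` while still rewriting `fw-ot-1` to `fw-internal-1`; a plain substring replace would mangle ordinary words. Second, the rules only cover what you configure: a dotted-quad rule does nothing for IPv6 addresses, MAC addresses or hostnames, and the replacement list is only as good as the words you put in it, so review the sanitized files on the open side once before trusting the configuration in production.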