top of page
nmsguru

How to Securely Send PRTG Notifications through Air-Gapped Networks

Updated: Feb 17

When you are in charge of managing highly secure networks, such as OT devices networks, financial or government IT assets, you still need ways to monitor them and also notify if availability or performance issues occur. It is also highly important to know if a security incident is happening in such networks.

Obviously, these highly secure networks are disconnected from the Internet and from any other open network. In many cases these networks are built as"air gaped". It means that there is no physical or wireless network connection from the highly secure network to any other network and vice versa.


What are your options to monitor an Air-Gaped network ?

Below is a quick comparison between the options of monitoring the IT and Cyber aspects of an air-gaped network. They range between a full-blown deployment of monitoring and Cyber tools in the air-gaped network and a more simple and cost-effective approach of using the AutoMonX Smart Notifications product.

Option

Security

Operational Impact

Price

Standalone, full blown IT and Cyber monitoring solution

High

High

High

Purpose-built device (Diode) + Collectors (Syslog, SNMP traps)

High

Low

Medium

One-way file transfer + AutoMonX Smart Notifications

High

Low

Low

  • Standalone full-blown IT and Cyber monitoring - highly secure yet operationally complex and expensive solution. You need to deploy and manage a set of tools inside an air gaped network, your SOC and NOC teams need to split-brain and monitor your open and secure network on different dashboards / monitors. Passing through notifications is problematic (cellular modem is just another attack vector). Now, imagine you need to monitor 5-10 different air-gaped networks

  • Purpose-built devices - some organizations deploy diodes (one way communication devices). These are typically rack-mounted servers with an optical one way connection to the open network. That could ease the operational complexity as you can send Syslog and SNMP traps out to the open network where the monitoring and Cyber systems are in place, without compromising the security of the air-gaped networks. In this approach the costs are mounting as the prices of the purpose-built devices are in the tens of thousands of USD per such server

  • AutoMonX Smart Notifications - Our Smart Notifications solution, was originally built for filtering, correlating and sending only relevant notifications in many different ways (such as Email, Syslog, SNMP traps etc). Due to the demand of our customers, we have developed an offline mode that collects notifications as text files on the air-gaped network side and capable of "replaying" those alerts when these files are copied to an open/less secure network side and send them to multiple different destinations such as SOC management tools (Splunk, Elastic, ArcSight) and/or central monitoring solutions thus reducing the need to deploy stand-alone monitoring and security solutions inside the air gaped networks.


AutoMonX Smart Notifications

Smart Notifications is a software-based solution, much more cost effective and flexible in terms of deployment. You would need a secure file copying solution between the air-gaped and the open network. Smart Notifications is neutral in terms of which tool is in use as long as the notification files are copied to a shared folder from where it can read it. For example appliances like Waterfall, Forcepoint Data Diode and many others can be used in conjunction with SmartNotif.


Keeping the information secure - Sanitation of Data

Before notifications are stored in an offline file, there is an optional sanitation of

sensitive data. Smart Notifications can automatically remove anything that looks like an IP

address and automatically replace any text string to some other text of your choice.

Below is a snippet of the Smart Notifications configuration file where all IP addresses are

removed from the text, and any of the words "OT", "firewall", "topsecret" or "scada" are automatically replaced by the word "internal".


SECRET_INFO_REPLACE=TRUE SECRET_INFO_PATTERNS=OT,firewall,topsecret,scada SECRET_INFO_REPLACE_STRING=internal

SECRET_INFO_REMOVE_IP=TRUE






Kommentare


bottom of page