A One-Way Ticket to PC Security



The most secure computer systems in the world are probably those on air-gapped networks, which make access over the internet or any other external network impossible. This leaves remote attackers with no way to interact with the machines they want to compromise. Sure, obscure and difficult-to-implement side-channel attacks may still be possible, but they are extremely unlikely to succeed in general.

But what can be done when limited remote access to these machines has to be granted? The team at Nelop Methods recently had a request from a client to give one of their air-gapped systems a one-way communications channel that could transmit syslog messages and performance data. They came up with an interesting Raspberry Pi-powered solution that works something like a diode for data, allowing read-only, one-way access to specific data.

Air-gapped networks are common in industries where security cannot be compromised, such as finance, healthcare, and critical infrastructure. These networks operate entirely offline, which is good for security but problematic when administrators need data for monitoring performance or checking security logs. Extracting information without exposing the network is a delicate balance, and the challenge for Nelop Methods was to maintain that airtight separation while still allowing insight into system health.

Their solution was a bespoke data diode built from a pair of Raspberry Pi boards connected through an optoisolator, a component that transmits signals using light instead of direct electrical contact. This ensures information flows in one direction only, meaning there is no return path for data that could potentially carry malware or enable intrusion attempts. One Pi sits inside the protected network as the sender, while the second lives on the outside as the receiver. Together, they form a controlled, secure bridge that leaks nothing but the intended logs.

The engineers developed custom scripts focused on stability over speed, prioritizing reliability so that no log entry is lost. Bandwidth is modest, but the diode is not meant to transfer bulk data; its job is to safely drip out operational intelligence. Early prototypes experimented with standard serial connections, but ultimately UART proved to be the cleaner, more dependable approach.
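Because a diode has no return path, the receiver can never acknowledge a frame or ask for a resend, so loss has to be detected rather than repaired. The sketch below is an added example, not Nelop's code: the frame layout (marker, sequence number, length, CRC32), the size cap and all names are assumptions chosen to show how a receiver can resynchronise after corruption and record exactly which log entries went missing.

```python
import struct
import zlib

SYNC = b"\xa5\x5a"           # assumed frame marker (hypothetical wire format)
HDR = struct.Struct(">IH")   # sequence number, payload length
MAX_PAYLOAD = 1024           # assumed cap; a larger length means a corrupt header

def encode_frame(seq: int, line: bytes) -> bytes:
    """Sender: SYNC | seq | len | payload | CRC32 over seq+len+payload."""
    body = HDR.pack(seq, len(line)) + line
    return SYNC + body + struct.pack(">I", zlib.crc32(body))

class Receiver:
    """Receiver: no resend can be requested, so resynchronise and record gaps."""
    def __init__(self):
        self.buf = bytearray()
        self.expected = 0    # next sequence number we expect
        self.missing = []    # sequence numbers that never arrived intact

    def feed(self, data: bytes) -> list:
        """Consume raw UART bytes; return the (seq, payload) frames completed."""
        self.buf += data
        out = []
        while True:
            start = self.buf.find(SYNC)
            if start < 0:    # no marker: keep one byte in case SYNC is split
                del self.buf[:max(0, len(self.buf) - 1)]
                return out
            del self.buf[:start]
            if len(self.buf) < len(SYNC) + HDR.size:
                return out   # header incomplete, wait for more bytes
            seq, length = HDR.unpack_from(self.buf, len(SYNC))
            end = len(SYNC) + HDR.size + length + 4
            bad = length > MAX_PAYLOAD
            if not bad:
                if len(self.buf) < end:
                    return out   # payload incomplete, wait for more bytes
                body = bytes(self.buf[len(SYNC):end - 4])
                crc = int.from_bytes(self.buf[end - 4:end], "big")
                bad = zlib.crc32(body) != crc
            if bad:
                del self.buf[:1]  # corrupt frame or false marker: slide, rescan
                continue
            self.missing.extend(range(self.expected, seq))
            self.expected = seq + 1
            out.append((seq, body[HDR.size:]))
            del self.buf[:end]
```

On the outside network, a non-empty `missing` list is the signal to alert on, since the only way to recover those entries is out of band.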

The result is a simple yet useful system that preserves the integrity of an air-gapped network while still supplying valuable telemetry to monitoring teams. It is a clever example of applying practical engineering to a high-stakes problem.
