• Air Gap Network Multi Factor Authentication

Air Gap Network Multi Factor Authentication

Air gaping.

It’s the ‘nuclear option’ of network security. By separating a machine from any other computer, managers can all but guarantee that it cannot be penetrated remotely.

Air gaping, or network separation as it is often known, is the step taken by the serious neurotics among users or because the regulatory body you report to insist on it, those whom even after attending to all the basics of digital security, still need to go the extra mile. Most users who seek to air gap their system will go to some pretty extreme measures. Some will remove all wireless hardware from their machines. Others will simply use devices that don’t come with any.

Don’t get me wrong. Air gaping may, in fact, have its place in some special cases. Air gaping is an established and recognized security practice often used in the more sensitive sectors, such as military, intelligence, and critical infrastructure. The potential consequences of these systems being compromised are sufficiently bad to justify this extreme measure.

The question is not whether or not air gaping should be practiced at all if it is a method that should be applied more broadly within the IT world.

To answer this question, we’ll have to take a closer look at the real cons of an air gaped system.

The Surprising Costs

Users tend to be more familiar with the logistical barriers created by network separation.

An air gapped network has zero connection to the outside world. All remote communication, collaboration, and even the simple act of sharing files and documents are impossible. There are infrastructural challenges as well. An air gap requires the creation of a whole new network with independent servers, routers, and other management tools. That network needs to be built from scratch in order to deliver the expected work demand.

Interestingly enough though, one of the biggest drawbacks to an air gap can actually come in the form of weakened network security. With an air gap in place, network users can become lax in their safety practices and take essential security basics for granted. A poor security culture means human error can give malicious actors a way into the system. Take for example the scenario of employees ‘taking it easy’ with network rules and using their private, insecure emails to transfer network date.

What’s more, the air gap itself can in fact be penetrated. And no, I’m not just talking about the highly sensationalized niche ‘air gap hacks’ some creative researchers have come up with. We’re referring to much more realistic concerns. Relying solely on an air gap to maintain the safety of a network means that just one connection with the outside world creates a single point of failure. If (or more accurately, when) a user creates a wireless connection with a private device or hardware, it can literally compromise the entire system.

The Air Gap Authentication Challenge

Even more importantly, air gaps create problems for one of the most basic elements of network security: Identity and Access Management (IAM).

Even though air-gapped networks are closed off from the outside, each user still needs to prove their identity before accessing a given work station. For a computer unable to receive data remotely, many modern innovations for authenticating users such as push notifications and other multifactor platforms that really on a connection to the web, are not an option.

This means a separate network basically needs to rely on one of two methods: Smart Cards or passwords. Smart cards are often not readily compatible with modern machines, which only adds to the infrastructural challenges of air gaping. As for the second option, using the outdated, weak option of passwords only undermines the security managers are trying to build.

In summary, even after taking the air gap-route, administrators will still need mechanisms to fill the security void.

Authentication for Air-gaped Networks – FIDO2 to the Rescue

Taking in consideration the challenges airgap networks hold, push authentication utilized by the Octopus Authenticator could not solve the authentication problem these sorts of networks hold.

To tackle the issue and to assist users who do not wish to use their phone as an authenticator we joined the FIDO alliance to offer a scalable on-premise authentication solution that includes Single Sign-On (SSO) capabilities and Multi-Factor Authentication (MFA) without any need for outside communications.

By Shimrit Tzur-David|August 20th, 2019|Categories: Articles|Tags: , , |

About the Author: Shimrit Tzur-David

mm
Shimrit holds an MSc and Ph.D. from the Hebrew University in Computer Science. Her research areas primarily focused on PKI, cryptography, anomaly detection, web attacks, DDoS and intrusion detection and prevention systems. During her Ph.D., Shimrit was a consultant for Check Point and Marvell Semiconductor and designed an intrusion detection system product there.