BatchPatch provides two basic methods for applying updates to so-called “air-gapped” systems that are isolated from the rest of the world. Patching systems in isolated networks has always been both a challenge and a pain because you can’t simply follow your normal/typical procedures to get updates applied to these systems. Air-gapped systems virtually always have stricter security in place and more rules set up to prevent unauthorized access. Additionally, the systems themselves often tend to be the operating backbone of various other high-security systems or services, so they have an especially critical role just by virtue of what they do. The irony here is that the computers on these air-gapped networks are isolated specifically to create and facilitate a higher level of security, but at the same time the fact that they are isolated on a segregated network makes them harder to keep updated… and keeping systems updated is of paramount importance to keeping them as secure as possible. You isolate the systems to make them harder to penetrate and more secure, but in isolating them you also make them harder to update… but keeping them updated is something that helps keep them secure.

All of the BatchPatch cached mode and offline update options are described in more detail here: Cached Mode and Offline Updates

In the case where you have to apply Windows security updates to systems that are not connected to the internet or a WSUS, your two options for using BatchPatch to complete this task can be broken down as follows:

Method A: Determine which updates are needed by the target computers, and then download just those particular updates on an internet-connected computer. Then apply the updates to the target computers.
Step-by-step tutorial for option A: Patching an air-gapped environment with less stringent security rules

Method B: Without first determining which particular updates are needed by the target computers, use an internet-connected computer to download *all* possible updates that could be needed. Then transfer the cache of downloaded updates to the offline / air-gapped network. Then apply the needed updates to the target computers.
Step-by-step tutorial for option B: Patching an air-gapped environment with strict security rules

Why two different methods?

Method A requires first scanning the offline computers to discover which updates they need installed. When this operation is performed BatchPatch will produce a list of updates and URLs. That list has to then be moved to a computer that has internet access so that BatchPatch can process the list and download all of the needed updates. Once the updates have been downloaded they can then be moved to the offline network for consumption by target computers. The problem with this approach is that in some cases the security rules for the isolated network prevent/disallow people from taking *anything* from the isolated network to a different network, even if it’s just a text file list of updates and URLs. In other cases the rules might allow for such a file to be removed from the offline network, but doing this would require a whole change management process to be initiated, and the bureaucratic overhead of this option might simply make it more of a pain than anyone wants to deal with, especially if it needs to be done on a regular basis every month or two or three.

Method B does not require any files to be taken from the air-gapped network, so it can be more convenient. However, the downside of method B is that since you don’t determine in advance which updates are needed by the air-gapped systems, you have to download *all* of the possible updates that could be needed. Since this could end up being quite a few updates it will take more time, more bandwidth, and more storage space.

Although it may seem that an air-gapped system is safe from external attacks, there can still be instances where even a disconnected computer can be targeted. Physical access, such as from inserting a USB drive, is the simplest and most straightforward way to infect an air-gapped computer.