Security

Air-Gapped Network

A physically isolated network not connected to the internet, often used in secure environments like government and defence.

What is an Air-Gapped Network?

An air-gapped network is a computer network that is physically isolated from the internet and from any other networks that connect to the internet. The term "air gap" refers to the physical or logical separation—the empty space or gap of air—between systems that cannot be crossed by network connections. In an air-gapped network, data cannot move to or from external systems via network cables, wireless signals, or internet connections. Any data transfer must occur through deliberate physical actions like inserting USB drives, optical discs, or similar portable media, and such transfers are typically subject to strict security controls.

Air-gapped networks are used in environments where the cost or consequence of compromise is so high that the organizations running them are willing to accept significant operational constraints to achieve near-absolute isolation. Nuclear power plants, military installations, critical infrastructure control systems, and sensitive financial trading networks often operate as air-gapped systems. These environments recognize that while complete network isolation creates substantial challenges for software updates, data analysis, and system management, the security benefit of being immune to network-based attacks justifies those costs.

Maintaining true air-gapping requires organizational discipline. It's not sufficient to simply disconnect the network cable; security policies must prevent the introduction of malware through portable media, prevent unauthorized access to physical systems, and prevent accidental connections to external networks. Devices that have been used in an air-gapped environment must be checked and cleaned of any compromise before they are connected to other networks. Even people working with air-gapped systems must understand that they cannot casually download software from the internet or use removable media from untrusted sources.

Why It Matters

Air-gapping is an extreme security measure, which means it's only appropriate in extreme circumstances. For most organizations, the operational burden of air-gapping far outweighs the benefits. However, for systems that control critical infrastructure, manage nation-state secrets, or process defense-related information, air-gapping can be the best available tool to protect against sophisticated attackers with vast resources.

Air-gapping is also relevant for protecting systems during maintenance or testing. Organizations might temporarily air-gap a network segment while testing new security tools, software patches, or configurations to prevent accidental exposure of test systems to the broader network. Similarly, isolated networks might be created for forensic analysis of compromised systems, ensuring that malware cannot spread to other systems during investigation.

The security principle of air-gapping also informs defense-in-depth strategies even in connected networks. Organizations apply air-gapping concepts by creating network segments that are as isolated as possible, restricting the movement of data and connections between segments, and treating remote locations or subsidiary offices as quasi-air-gapped environments with limited connectivity to headquarters systems. This segmentation approach captures some of the security benefits of air-gapping while maintaining the operational flexibility of connected networks.

How Open-AudIT Helps

For organizations with air-gapped networks, Open-AudIT can be deployed as a local instance within the isolated network to provide asset inventory, configuration monitoring, and compliance checking without requiring any outbound internet connectivity. This allows teams managing air-gapped environments to gain the same visibility into their systems that connected organizations enjoy, though without the ability to automatically check for the latest vulnerability information or pull updates from external sources. Data can be securely transferred from the air-gapped Open-AudIT instance to external systems using authorized media transfer processes when needed for reporting or analysis.
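As an added illustration (not Open-AudIT code, and not from the original page) of the kind of control an authorized media transfer process relies on: the sending side writes a manifest of file hashes alongside the files, and the receiving side in the isolated network rejects media whose files are missing, modified, of a disallowed type, or not listed in the manifest. The policy values, file names and contents are constructed for the walkthrough.

```python
import hashlib
import json
import tempfile
from pathlib import Path

# Constructed policy (not Open-AudIT settings): file types the receiving side will accept.
ALLOWED_SUFFIXES = {".csv", ".json", ".txt"}
MANIFEST_NAME = "manifest.json"

def sha256_of(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def build_manifest(root: Path) -> dict:
    """Sending side: list every file meant to cross the gap, with its SHA-256."""
    files = {p.relative_to(root).as_posix(): sha256_of(p)
             for p in sorted(root.rglob("*")) if p.is_file() and p.name != MANIFEST_NAME}
    (root / MANIFEST_NAME).write_text(json.dumps({"files": files}, indent=2))
    return files

def check_transfer(root: Path) -> list[str]:
    """Receiving side: return policy violations; an empty list means the media may be accepted."""
    expected = json.loads((root / MANIFEST_NAME).read_text())["files"]
    present = {p.relative_to(root).as_posix(): p
               for p in root.rglob("*") if p.is_file() and p.name != MANIFEST_NAME}
    problems = []
    for rel, want in expected.items():
        p = present.get(rel)
        if p is None:
            problems.append(f"missing: {rel}")
            continue
        if p.suffix.lower() not in ALLOWED_SUFFIXES:
            problems.append(f"disallowed type: {rel}")
        if sha256_of(p) != want:
            problems.append(f"hash mismatch: {rel}")
    # Anything the manifest does not list (added after approval) is rejected outright.
    problems += [f"unlisted file: {rel}" for rel in sorted(present) if rel not in expected]
    return problems

def demo() -> tuple[list[str], list[str]]:
    """Constructed walkthrough: a clean transfer, then the same media after tampering."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "inventory.csv").write_text("host,ip\nplc-01,10.0.0.5\n")
        build_manifest(root)
        clean = check_transfer(root)
        (root / "inventory.csv").write_text("host,ip\nplc-01,10.0.0.99\n")  # altered in transit
        (root / "autorun.inf").write_text("[autorun]\n")                     # added in transit
        return clean, check_transfer(root)
```

In a real process the manifest's own hash is recorded on the transfer log or signed on the sending side, so that someone able to rewrite the media cannot simply rewrite the manifest to match.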

See Open-AudIT in Action

Discover how Open-AudIT handles air-gapped networks across your entire environment — schedule a free demo with our team.