The most secure computer systems in the world sit on air-gapped networks, which have no connection to the internet or to any other external network. That leaves remote attackers with no way to interact with the machines they want to compromise. Obscure and difficult-to-implement side-channel attacks may still be possible, but they are extremely unlikely to succeed in practice.
But what can be done when limited remote access to such machines has to be granted? The team at Nelop Systems recently had a request from a client to give one of their air-gapped systems a one-way communications channel that could transmit syslog messages and performance data. They came up with an interesting Raspberry Pi-powered solution that works something like a diode for data, allowing read-only, one-way access to specific data.
An overview of the approach (📷: Nelop Systems)
Air-gapped networks are common in industries where security cannot be compromised, such as finance, healthcare, and critical infrastructure. These networks operate entirely offline, which is great for security but problematic when administrators need data for monitoring performance or checking security logs. Extracting information without exposing the network is a delicate balance, and the challenge for Nelop Systems was to maintain that airtight separation while still allowing insight into system health.
Their solution was a bespoke data diode built from a pair of Raspberry Pi boards linked through an optoisolator, a component that transmits signals using light rather than a direct electrical connection. Because the light source sits on one side and the detector on the other, information can physically flow in only one direction, which means there is no return path over which data could carry malware or enable intrusion attempts. One Pi sits inside the protected network as the sender, while the second lives outside as the receiver. Together they form a controlled, secure bridge that leaks nothing but the intended logs. Note that the diode enforces direction, not content: whatever the inside Pi is configured to send is what crosses, so the sender's configuration is part of the trust boundary.
The engineers wrote custom scripts that focus on stability over speed, prioritizing reliability so that no log entry is lost. Bandwidth is modest, but the diode isn't meant to move bulk data; its job is to safely drip out operational telemetry. Early prototypes experimented with conventional serial connections, but ultimately UART proved to be the cleaner, more dependable approach. Since nothing can flow back across the link, the receiver can never request a retransmission, so any reliability has to be built in from the sending side: conservative baud rates, and framing that lets the receiver detect corrupted or missing entries rather than silently dropping them.
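As an added example (not Nelop Systems' code, whose scripts are not published on this page), here is the kind of framing logic a one-way link like this needs, in Python. Every frame carries a sequence number so the receiver can detect loss, a CRC-32 so it can detect corruption, and the sender emits each frame twice so that a single corrupted copy costs nothing. The SYNC marker value, the frame layout, the syslog lines and the in-memory byte buffer standing in for the UART are all assumptions constructed for the example; on the Pis the same bytes would be written to and read from the serial port.

```python
import binascii
import struct

SYNC = b"\xaa\x55"            # frame start marker (assumed value)
HDR = struct.Struct(">IH")    # seq (uint32) and payload length (uint16), big-endian
CRC = struct.Struct(">I")     # CRC-32 over header + payload
MAX_PAYLOAD = 4096            # syslog lines are short; a larger length is a corrupted field


def encode_frame(seq: int, payload: bytes) -> bytes:
    """Frame layout: SYNC | seq | len | payload | crc32(seq | len | payload)."""
    header = HDR.pack(seq, len(payload))
    crc = binascii.crc32(header + payload) & 0xFFFFFFFF
    return SYNC + header + payload + CRC.pack(crc)


class DiodeSender:
    """Inside-network Pi: frames each log line and emits `repeat` copies of it."""

    def __init__(self, repeat: int = 2) -> None:
        self.seq = 0
        self.repeat = repeat

    def send(self, line: str) -> bytes:
        frame = encode_frame(self.seq, line.encode("utf-8"))
        self.seq += 1            # in real use persist this so restarts don't look like replays
        return frame * self.repeat


class DiodeReceiver:
    """Outside-network Pi: resyncs on SYNC, checks CRC, drops duplicates, records gaps."""

    def __init__(self) -> None:
        self.buf = b""
        self.next_seq = 0
        self.lines: list[str] = []
        self.gaps: list[tuple[int, int]] = []   # inclusive ranges of missing seq numbers
        self.bad_frames = 0

    def feed(self, data: bytes) -> None:
        """Consume bytes as they arrive from the UART, in any chunk size."""
        self.buf += data
        while True:
            start = self.buf.find(SYNC)
            if start < 0:
                self.buf = self.buf[-1:]          # keep one byte: SYNC may straddle chunks
                return
            self.buf = self.buf[start:]           # discard any garbage before the marker
            if len(self.buf) < len(SYNC) + HDR.size:
                return                            # wait for the rest of the header
            seq, length = HDR.unpack_from(self.buf, len(SYNC))
            if length > MAX_PAYLOAD:
                self._reject()                    # corrupted length: skip marker, rescan
                continue
            total = len(SYNC) + HDR.size + length + CRC.size
            if len(self.buf) < total:
                return                            # wait for the rest of the frame
            body = self.buf[len(SYNC):total - CRC.size]
            (crc,) = CRC.unpack_from(self.buf, total - CRC.size)
            if binascii.crc32(body) & 0xFFFFFFFF != crc:
                self._reject()                    # corrupted frame: skip marker, rescan
                continue
            self.buf = self.buf[total:]
            self._accept(seq, body[HDR.size:])

    def _reject(self) -> None:
        self.bad_frames += 1
        self.buf = self.buf[len(SYNC):]

    def _accept(self, seq: int, payload: bytes) -> None:
        if seq < self.next_seq:
            return                                # duplicate copy of a frame already taken
        if seq > self.next_seq:
            self.gaps.append((self.next_seq, seq - 1))   # every copy of these was lost
        self.lines.append(payload.decode("utf-8", errors="replace"))
        self.next_seq = seq + 1


def run_demo() -> DiodeReceiver:
    """Constructed sample: four lines, one copy corrupted in flight, one line lost entirely."""
    lines = [
        "<13>Nov  5 10:00:01 plc1 cpu: load 0.42",
        "<13>Nov  5 10:00:02 plc1 mem: 61% used",
        "<13>Nov  5 10:00:03 plc1 sshd: Accepted publickey for ops",
        "<13>Nov  5 10:00:04 plc1 disk: /var 88% used",
    ]
    tx = DiodeSender(repeat=2)
    frames = [tx.send(line) for line in lines]
    copy = frames[1][: len(frames[1]) // 2]       # one copy of frame 1 ...
    damaged = bytearray(copy)
    damaged[len(SYNC) + HDR.size + 3] ^= 0xFF     # ... gets a payload byte flipped
    stream = frames[0] + bytes(damaged) + copy + frames[3]   # frame 2 never arrives
    rx = DiodeReceiver()
    for i in range(0, len(stream), 7):            # UART reads arrive in small chunks
        rx.feed(stream[i:i + 7])
    return rx


if __name__ == "__main__":
    rx = run_demo()
    print("accepted:", rx.lines)
    print("gaps:", rx.gaps, "bad frames:", rx.bad_frames)
```

The point of the sequence number is that a gap is reported, not papered over: the monitoring side knows exactly which entries it never received, and the duplicate transmission turns an isolated corrupted copy into a non-event. Repeating frames costs bandwidth, which the article says is not the priority here, and in exchange buys the loss tolerance that an ACK would normally provide on a two-way link.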
The end result is a simple yet useful system that preserves the integrity of an air-gapped network while still supplying valuable telemetry to monitoring teams. It's a clever example of applying practical engineering to a high-stakes problem.