
Secure air-gapped networks with MFA and access controls

An air-gapped network has no physical connection to the public internet or to any other local area networks or systems that are not themselves air gapped. Here’s how UserLock enables secure multi-factor authentication (MFA) and access controls on air-gapped networks.

Published May 27, 2024

The big idea behind networking is that connecting computers to other parts of an organization’s network or to the public internet is inherently a good thing. But, in a growing number of security use scenarios, network architects set out to do precisely the opposite by creating isolated or air-gapped networks. Here’s how UserLock helps you enforce strong multi-factor authentication (MFA) within air-gapped networks.

What is an air-gapped network?

The term “air-gapped” network gets thrown around a lot. And there isn’t a clear blanket definition, since the term’s meaning often depends on context. So, what do we mean when we talk about an air-gapped network?

In network security, network architects can isolate computers from one another both logically and physically.

A logical separation happens when the architect places computers on a network segment defined through software.

An air-gapped network takes this idea a step further and isolates the computers physically as well as logically.

An air-gapped network has no wired or wireless connection to any other local or external network, and has no connection to the outer internet. Sometimes, the air-gapped network is located in a dedicated room or building to isolate it even further.

In other words, air gapping tries to create an “island” that drastically reduces the attack surface.

The principle is simple: if a computer or network is not connected to anything, it’s incredibly difficult to remotely hack or infect it with malware.

Naturally, it's critical to control employee access to these networks and prevent unauthorized use. This is where secure authentication becomes critically important. We’ll dig into this below.

The challenge of managing air-gapped networks

First, let’s look at the two biggest challenges of managing air-gapped networks: complexity and cost.

While creating an air-gapped network offers important security benefits, it comes with the downside of higher management overhead. Air-gapped networks need management like any other network, but routine network management is harder without the convenience of connectivity. For example, network management is more complicated without the ability to allow for remote access, patching, and updating.

In an isolated network, infrastructure is not only more complex, but it’s also more expensive. For one, you have to duplicate all basic underlying systems, such as Windows Active Directory (AD). And as the number of air-gapped networks within your organization grows, both complexity and costs multiply quickly.

Who uses air-gapped networks and why?

Because they are such a major undertaking, the use of air-gapped networks tends to be tied to specific use cases that apply slightly different levels of security. Common examples include:

  • The military and government agencies, where security is an absolute priority, and operational environment access must meet stringent compliance standards, such as FIPS 140-2 in the United States.

  • Critical infrastructure such as energy, industrial manufacturing, mass transit, and air-traffic control where air-gapped networks help ensure greater resilience for industrial and IoT networks.

  • Financial institutions, exchanges, and other highly regulated businesses, which apply air-gapping to enable disaster recovery, to protect key financial systems, or to isolate legacy industrial control workstations running vulnerable software.

  • Healthcare facilities, which frequently use air gapping to securely operate certain kinds of medical equipment.

In some air-gapped networks, no devices of any kind can enter or leave the network. In others, there's more leeway. This can impact the way we apply security in each environment.

And while we traditionally think of air-gapped networks as based on legacy systems, today we also see organizations using air-gapped private cloud infrastructure, such as Google Distributed Cloud Hosted.

Are air-gapped networks as secure as they seem?

In theory, air-gapping prevents security problems. After all, if a network is cut off from any kind of connectivity or remote access, it must be safe from attackers, right? Unfortunately, of course, the answer is no.

The famous Stuxnet malware incident, made public in 2010, shows that air-gapping alone is never a magic shield. A simple USB stick introduced malware to the target: an air-gapped Windows network at Iran’s Natanz uranium enrichment facility. The lesson from Stuxnet is that to secure an air-gapped environment, you have to take multiple precautions. Don’t assume the air gap is enough.

After all, even isolated networks have to be accessed by someone to be managed or to have software applied. And where there’s access, there’s risk. Rogue insiders might abuse their access to the network, malware can arrive from outside by accident or by design, and outsiders can gain access to air-gapped network account credentials.

And we see time and time again that it’s easy for attackers to get hold of credentials, even those of highly privileged accounts. One fairly recent example is the November 2022 novel ransomware campaign targeting logistics industries in Ukraine and Poland. The attack used a ransomware payload deployed by an attacker after an initial compromise in which the attacker gained access to highly privileged credentials.

MFA is now essential for air-gapped security

In an air-gapped network, workstations are the new security perimeter. That makes the way users authenticate to those computers a critical element of air-gapped security. But all too often, access security in air-gapped networks hinges on the Windows password, a credential vulnerable to misuse or theft.

Some organizations don’t extend MFA to air-gapped islands because they assume the cyber-moat magically protects them, which is a risky and false assumption.

And some don’t apply MFA for air-gapped networks because they think they can’t. Most MFA solutions offering second-factor authentication (2FA) don’t work without outer internet connectivity, which air-gapped networks cannot allow. And for those that do, the options for MFA methods are limited.

The standard fallback is to use proprietary smartcards, but this approach can be complex and expensive to implement. That leaves FIDO2 hardware tokens. These can work well, but the underlying protocols they use are not always compatible with legacy systems, networks and workstations.

Offline MFA allows you to benefit from this important security layer for air-gapped networks in the same way you already do for conventional Internet-connected LANs.

How UserLock solves the air-gapped MFA puzzle

The answer is to use an MFA solution such as UserLock, which is designed to maintain MFA and access restrictions in an offline state. So you can continue to enforce access policies and MFA, even without an Internet connection.

When you install UserLock’s micro-agents on your employees’ local workstations or laptops, these agents communicate via Windows protocols with a UserLock server installed inside the air-gapped network.

Then, once your users authenticate against a local Active Directory (AD), UserLock applies your MFA and access control policies without any connection to the internet. This capability means UserLock can support air-gapped and offline environments out of the box.

For the user, UserLock MFA works in the same way it would on any workstation. The user enters their Windows credentials, then they receive an MFA prompt.

With UserLock, you can implement the following authentication types as a primary or backup authentication method:

  • TOTP or HOTP tokens such as the YubiKey Series 5 and FIPS Series or the Token2 T2F2 ALU and Programmable Tokens.

  • A time-based one-time password (TOTP) generated by a smartphone authentication app, or by our UserLock Push app (the smartphone needs some prior internet connectivity to stay synchronized). The UserLock Push app can authenticate users with push notifications (only available with an internet connection) as well as with TOTP codes in a scenario without internet.

Through UserLock, admins can deploy MFA on their air-gapped network very similarly to how they do on an outer Internet-connected network. But UserLock also allows air-gapped network admins to go beyond MFA with further access controls. Many of these controls are critical in air-gapped environments, such as:

Granular access controls

UserLock's granular access controls help limit the scope for insider attacks. Admins can enable time-based access restrictions to define when a user can access a workstation (and when they can't). They can also limit session times to a given value, or impose quotas on a user, a group of users, or an AD organizational unit (OU).

Real-time monitoring and alerts

UserLock's session management allows admins to monitor logins across time and to set up custom alerts, adding multiple layers of security. Admins can respond to risky behavior remotely, block a session with one click, or create scripts to automate responses.

Workstation restrictions

UserLock's restrictions on session type allow you to limit a user or group of users to using a particular machine. For example, admins can limit users to accessing only via known domain machines.

Air-gapped network auditing and reporting

The use cases for air-gapping often require stringent auditing and compliance checks. By logging and documenting MFA events, session history, and user access events, UserLock enables comprehensive auditing and reporting to meet the most stringent compliance requirements.

Concurrent session restrictions for private, air-gapped cloud access

Today, the private, air-gapped cloud also supports sensitive workloads. For example, Google Distributed Cloud Hosted is a fully isolated cloud environment compliant with NIST SP 800-53 and FedRAMP High security controls, which matter in sectors such as defense or regulated industries that must protect sensitive workloads.

As a GDC Hosted Build Partner, UserLock is compatible with GDC Hosted. UserLock allows air-gapped GDC Hosted environments to limit concurrent sessions for both users and administrators.

Secure access to your air-gapped networks with MFA and access controls

MFA is a critical part of any organization’s access security. And organizations must secure access to air-gapped workstations and user accounts in the same way they protect every other machine and Windows user account on their network.

Since most MFA solutions don’t support MFA for air-gapped environments, many organizations forgo MFA on their most sensitive networks altogether. This is not only less secure, but it also potentially opens the organization up to breaches of compliance and regulatory requirements.

That’s why we designed UserLock to support MFA without Internet connectivity right out of the box, with no extra hassle. UserLock MFA also allows you to use the same authenticator apps, hardware tokens, or keys your employees already use for authenticating to a conventional IT network. This way, UserLock allows you to keep costs and complexity low, all while raising the bar for security with secure access controls and MFA on all air-gapped user access.

François Amigorena, President and CEO of IS Decisions
