One-way network links for small businesses: Part 3

In Part 2, we covered receiving the signals we transmitted in Part 1. In some cases, this may be more complexity than you need. Let us look at some simpler cases.

Consider this case from security company Darktrace, described in this article:

A casino had a large fish tank, with automated sensors to monitor water temperature, salinity, oxygen content, feeding schedules, etc. These sensors connected to the network via Wi-Fi. Even though they attempted to isolate the tank on a separate VPN, an attacker was able to gain control of the fish tank and begin using it to exfiltrate data.

Note: If you look up articles about this hack, they frequently show one of the big aquariums at the major Las Vegas casinos, frequently the impressive 53-foot-long one at the Mirage. Darktrace did not indicate which casino was hacked, nor did they provide a picture, so these are just stock photos. Some of the articles say as much; some do not.

It would have been better if the sensors had been on a wired network, because that is harder to hack inconspicuously. But since the hacked casino was not identified, we do not know the system they were using to monitor their aquarium; wired Ethernet may not have been an option.

The report from Darktrace said that the aquarium was on a VPN, but apparently the attacker got around it. The problem is that it is easy to misconfigure VPNs, and vulnerabilities in router software can allow successful attacks. The nice thing about the network TAPs we are working with is that they do not have the hardware to transmit data in both directions, so the chances of a failure allowing two-way transmission are very small.

It would have been better to have the aquarium on its own network, along with the computer that was used to control it. (If they had to use Wi-Fi, they would need a dedicated access point.) But they probably wanted to be able to monitor it from the main office, or the front desk. Once again, we could use a network TAP to give the business network read-only access to the data from the aquarium. We would need a program similar to the one we used in Part 2 of this article. It would use WinPcap to promiscuously capture packets, pick out the ones coming from the aquarium, and forward them to the business network over a UDP socket. (For more reliability, a TCP socket could be used, with only a bit more work.) This would work because the messages between the aquarium and the controlling computer are probably fairly simple. If the aquarium reports only in response to queries from the control computer, a script on the control computer would have to poll the aquarium periodically.

A similar situation arises with IP security cameras. They are notorious for their lack of security, and are frequently hacked and used as parts of botnets, as this article by Mace Security describes. You definitely should not hook them directly to the Internet, but even if they are just connected to your business network, they provide a convenient foothold for anyone who manages to penetrate the network, a base from which to launch lateral attacks. Many IP security cameras have built-in web servers, so one can capture images by issuing an HTTP request. We should put the cameras on their own isolated network, with a control computer that requests images periodically. As with the aquarium, we use a network TAP, and have a program that promiscuously captures the packets, looks for the returned images, and forwards them to the business network.

In these cases, we can do without some of the safeguards from our original solution, because we are dealing with less critical information, and it is more evident if we lose some packets. That said, it would still be good to have a watchdog timer to warn you if you stop receiving packets.
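As an added illustration (not code from this article or from Darktrace), here is the filtering and forwarding core that the aquarium and camera forwarders described above share, with the watchdog check from the paragraph above. The sensor address, ports and sample frames are constructed for offline use; the capture loop is left out, since on Windows you would feed it frames from a WinPcap capture and pass a small wrapper around a UDP socket's `sendto` as the `send` callback.

```python
import socket
import struct
from typing import Callable, Optional, Tuple

ETH_HDR = 14             # Ethernet II header length
ETHERTYPE_IPV4 = 0x0800
PROTO_UDP = 17

def parse_udp(frame: bytes) -> Optional[Tuple[str, str, int, int, bytes]]:
    """Return (src_ip, dst_ip, sport, dport, payload) for an IPv4/UDP frame, else None."""
    if len(frame) < ETH_HDR + 20 + 8:
        return None
    if struct.unpack("!H", frame[12:14])[0] != ETHERTYPE_IPV4:
        return None
    ip = frame[ETH_HDR:]
    ihl = (ip[0] & 0x0F) * 4
    if ip[0] >> 4 != 4 or ip[9] != PROTO_UDP or len(ip) < ihl + 8:
        return None
    src, dst = socket.inet_ntoa(ip[12:16]), socket.inet_ntoa(ip[16:20])
    sport, dport, ulen = struct.unpack("!HHH", ip[ihl:ihl + 6])
    payload = ip[ihl + 8:ihl + ulen]     # trims any Ethernet padding
    return src, dst, sport, dport, payload

class OneWayForwarder:
    """Forwards payloads from one sensor address only; tracks when it last heard from it."""
    def __init__(self, sensor_ip: str, send: Callable[[bytes], None], timeout: float = 60.0):
        self.sensor_ip = sensor_ip   # only frames from this address cross to the business side
        self.send = send             # e.g. a wrapper around a UDP socket's sendto
        self.timeout = timeout       # seconds of silence before the watchdog complains
        self.last_seen: Optional[float] = None

    def handle(self, frame: bytes, now: float) -> bool:
        """Forward the frame's payload if it came from the sensor; return True if forwarded."""
        hdr = parse_udp(frame)
        if hdr is None or hdr[0] != self.sensor_ip:
            return False
        self.last_seen = now
        self.send(hdr[4])
        return True

    def stale(self, now: float) -> bool:
        """Watchdog: True if nothing has arrived from the sensor within the timeout."""
        return self.last_seen is None or now - self.last_seen > self.timeout

def build_frame(src_ip: str, dst_ip: str, sport: int, dport: int, payload: bytes) -> bytes:
    """Constructed Ethernet/IPv4/UDP frame (checksums zeroed) for testing without a capture."""
    udp = struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0, 0, 64, PROTO_UDP, 0,
                     socket.inet_aton(src_ip), socket.inet_aton(dst_ip)) + udp
    return b"\xff" * 6 + b"\x00\x11\x22\x33\x44\x55" + struct.pack("!H", ETHERTYPE_IPV4) + ip
```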

Also, our original solution, with the two network cards talking to each other through the network TAP, ensured that we would know if the network TAP was mis-cabled. These simpler solutions do not provide this assurance, so you might consider putting the network TAPs in a locked cabinet, with labels indicating proper cabling, so someone trying to fix a network problem late at night on a weekend does not inadvertently cable around the TAP, joining the isolated network and your business network.

Or, with a little more work, you could have the program from Part 1 of this article talk to the aquarium or camera network, and package the data the same way we did there.

Commercial solutions

There are several companies that offer one-way links. This is a better solution, if you have the budget, because they are supported by the vendor, and you do not have “some assembly required”. Here are a few companies that offer them:

