Overview:
An air-gapped environment is a highly secure network that is physically isolated from other networks, including the Internet and external systems. This isolation is achieved by maintaining a complete separation between the air-gapped network and any other networks, effectively creating an "air gap" to prevent the transfer of data through conventional wired or wireless connections. Air-gapped networks are commonly employed in environments where the protection of sensitive data is paramount, such as government agencies, military facilities, financial institutions, and critical infrastructure.
This whitepaper explains how SIRP is deployed and managed in air-gapped networks. The architecture employs a centralized on-prem SIRP instance to offer a unified and scalable approach to security management without the need for internet connectivity.
Components:
Deployment:
Deploying the SIRP appliance in an air-gapped environment requires meticulous planning and execution. Typically, the deployment process involves the following steps:
The SIRP appliance and license are provided in physical media.
This appliance undergoes a thorough vetting and verification process to ensure its security integrity before being uploaded onto the server.
Deployment engineers are present onsite to oversee and facilitate the smooth installation and configuration process.
Once installed and configured, the license is deployed and access is provided by creating the users.
Finally, the integrations are enabled and configured with other security controls within the network, e.g. ingesting alerts from a SIEM platform to kick off Incident Management.
Importing Threat Intelligence:
In an air-gapped environment where direct access to SIRP’s update servers is unavailable, obtaining updated threat intelligence feeds poses a challenge. To address this, the latest threat intelligence feeds are compiled into a CSV format and stored on physical media. The CSV file is securely provided to the client, and the feeds are then manually imported into the SIRP appliance.
Updating the SIRP Appliance:
Maintaining the security and functionality of the SIRP appliance in an air-gapped environment requires a carefully orchestrated update mechanism. The SIRP Team has developed a specialized patch mechanism tailored for offline deployments. The patch is physically provided to the onsite engineer responsible for SIRP maintenance and support. The engineer manually uploads the patch onto the appliance, ensuring a seamless update. Optionally, the patch file can also be scanned to verify the file's integrity.
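Both the threat intelligence CSV and the patch file cross the air gap on physical media, so the receiving engineer can check their integrity against a hash manifest produced on the sending side before anything is uploaded or imported. The following is an added example of that check, not SIRP's own tooling; the sha256sum-style manifest, the file names and the sample contents are constructed assumptions.

```python
import hashlib
import hmac
import tempfile
from pathlib import Path

def sha256_of(path: Path) -> str:
    """Stream a file through SHA-256 so large patch files do not need to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()

def parse_manifest(text: str) -> dict:
    """Parse '<sha256>  <filename>' lines (sha256sum output format) into {filename: digest}."""
    expected = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        digest, name = line.split(maxsplit=1)
        expected[name.lstrip("*")] = digest.lower()
    return expected

def verify_media(media_dir: Path, manifest_text: str) -> dict:
    """Return {filename: 'ok' | 'mismatch' | 'missing' | 'unlisted'} for everything on the media."""
    expected = parse_manifest(manifest_text)
    results = {}
    for name, digest in expected.items():
        p = media_dir / name
        if not p.is_file():
            results[name] = "missing"
        elif hmac.compare_digest(sha256_of(p), digest):  # constant-time compare
            results[name] = "ok"
        else:
            results[name] = "mismatch"
    # Files present on the media but absent from the manifest should not be imported either.
    for p in media_dir.iterdir():
        if p.name not in expected and p.name != "MANIFEST.sha256":
            results[p.name] = "unlisted"
    return results

def demo() -> dict:
    """Constructed media set: a patch, a TI feed altered after the manifest was written, and a stray file."""
    with tempfile.TemporaryDirectory() as d:
        media = Path(d)
        (media / "sirp-patch.bin").write_bytes(b"constructed patch payload")
        (media / "ti-feed.csv").write_bytes(b"indicator,type\n198.51.100.7,ip\n")
        (media / "extra.txt").write_bytes(b"not listed in the manifest")
        manifest = "\n".join(f"{sha256_of(media / n)}  {n}" for n in ("sirp-patch.bin", "ti-feed.csv"))
        (media / "ti-feed.csv").write_bytes(b"indicator,type\n198.51.100.8,ip\n")  # simulated tampering
        return verify_media(media, manifest)
```

Only files reported as "ok" should proceed to the upload or import step; a "mismatch" or "unlisted" result means the media should be set aside and re-issued.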
Support:
Onsite support is paramount for clients operating in air-gapped environments. Any new integrations, custom requirements, or enhancements such as custom widgets are either provided onsite to cater to the specific needs of the client's environment or developed offsite and then delivered in the form of a patch file. The onsite support ensures prompt troubleshooting and resolution of any issues that may arise during operation.
Orchestration and Automation:
Operating within an air-gapped environment necessitates certain limitations on the functionality of SIRP. The appliance only integrates with locally reachable security controls and technologies within the air-gapped network. All automated processes occur locally within the air-gapped environment. Cloud-based integrations and AI functionalities are disabled due to the lack of external connectivity.
Conclusion:
Deploying SIRP in an air-gapped environment requires a tailored approach that addresses the unique challenges posed by physical isolation from external networks. Through meticulous planning, specialized mechanisms for data import and updates, and dedicated onsite support, organizations can harness the power of SIRP's security automation while maintaining the highest standards of security and compliance within their air-gapped environments.