Some of the most secure computer systems in the world sit on air-gapped networks, where access via the internet, or any other external network, is impossible. That leaves remote attackers with no way to interact with the machines they want to compromise. Sure, obscure and hard-to-implement side-channel attacks may still be possible, but they are extremely unlikely to succeed in most cases; what remains is the physical attack surface, such as removable media carried across the gap.
But what can be done when limited remote access to those machines does need to be granted? The team at Nelop Systems recently had a request from a client to give one of their air-gapped systems a one-way communications channel that could transmit syslog messages and performance data. They came up with an interesting Raspberry Pi-powered solution that works something like a diode for data, permitting read-only, one-way access to specific data.
An overview of the process (📷: Nelop Systems)
Air-gapped networks are common in industries where security cannot be compromised, such as finance, healthcare, and critical infrastructure. These networks operate entirely offline, which is great for security but problematic when administrators need data for monitoring performance or checking security logs. Extracting information without exposing the network is a delicate balance, and the challenge for Nelop Systems was to maintain that airtight separation while still allowing insight into system health.
Their solution was a bespoke data diode built from a pair of Raspberry Pi boards connected through an optoisolator, a component that passes a signal as light rather than through a direct electrical connection. An optoisolator has an LED on one side and a light detector on the other, so it can only carry a signal in one direction: as long as the only wire crossing the gap is the inside Pi's transmit line driving the LED, and the outside Pi merely listens to the detector, there is no return path that could carry malware or enable intrusion attempts. One Pi sits inside the protected network as the sender, while the second lives on the outside as the receiver. Together they form a controlled, secure bridge that leaks nothing but the intended logs. Note that the diode enforces direction, not content: whatever the sender process is allowed to read is what can leave, so that process deserves the same least-privilege scrutiny as the wiring.
The engineers developed custom scripts that favor stability over speed, prioritizing reliability so that no log entry is lost. That matters more than usual on a one-way link: the receiver has no way to acknowledge a frame or ask for a retransmit, so any integrity checking, sequencing, and redundancy has to be built into what the sender emits. While bandwidth is modest, the diode isn't meant to transfer bulk data; its job is to securely drip out operational intelligence. Early prototypes experimented with standard serial connections, but ultimately a plain UART proved to be the cleaner, more dependable approach.
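To make the reliability point concrete, here is an added example of the kind of framing a one-way link needs. This is editor-written code, not Nelop Systems' scripts (the article does not show them). It assumes a byte-stream interface such as a UART; the in-memory `sent` list and the `feed` call stand in for a serial port's write and read. The three syslog lines, the frame layout (sync marker, length, sequence number, CRC-32) and the lossy-channel scenario are all constructed for the example. Because the receiver can never ask for a retransmit, the sender blindly repeats each frame and the receiver uses sequence numbers to drop the duplicates and to report gaps, and a CRC to reject corrupted frames and resynchronise on the next marker.

```python
import struct
import zlib

SYNC = b"\xaa\x55"               # start-of-frame marker used to resynchronise
HEADER = struct.Struct("<HI")    # payload length (uint16) + sequence number (uint32)
TRAILER = struct.Struct("<I")    # CRC-32 over header + payload
MAX_PAYLOAD = 4096               # assumption: one syslog line per frame


def encode_frame(seq: int, payload: bytes) -> bytes:
    """Frame layout: SYNC | len | seq | payload | crc32(len + seq + payload)."""
    if len(payload) > MAX_PAYLOAD:
        raise ValueError("payload too large for one frame")
    body = HEADER.pack(len(payload), seq & 0xFFFFFFFF) + payload
    return SYNC + body + TRAILER.pack(zlib.crc32(body))


class DiodeSender:
    """Inside-network side: it only ever writes to the link."""

    def __init__(self, write, repeat: int = 2):
        self.write = write      # on a Pi this would be serial.Serial(...).write
        self.repeat = repeat    # blind repetition stands in for retransmit requests
        self.seq = 0

    def send(self, line: bytes) -> None:
        frame = encode_frame(self.seq, line)
        for _ in range(self.repeat):
            self.write(frame)
        self.seq += 1


class DiodeReceiver:
    """Outside side: parses the byte stream and records what went wrong."""

    def __init__(self):
        self.buf = bytearray()
        self.last_seq = None
        self.lines = []    # payloads delivered, in order
        self.events = []   # ("gap", first_missing, next_seen) / ("crc_error", seq)
                           # / ("bad_length", seq) / ("noise", byte_count)

    def feed(self, data: bytes) -> None:
        self.buf += data
        while True:
            start = self.buf.find(SYNC)
            if start < 0:
                keep = 1 if self.buf.endswith(SYNC[:1]) else 0   # half a marker?
                if len(self.buf) > keep:
                    self.events.append(("noise", len(self.buf) - keep))
                del self.buf[:len(self.buf) - keep]
                return
            if start:
                self.events.append(("noise", start))
                del self.buf[:start]
            if len(self.buf) < len(SYNC) + HEADER.size:
                return                                  # header not complete yet
            length, seq = HEADER.unpack_from(self.buf, len(SYNC))
            if length > MAX_PAYLOAD:
                self.events.append(("bad_length", seq))
                del self.buf[:len(SYNC)]                # skip marker, rescan
                continue
            total = len(SYNC) + HEADER.size + length + TRAILER.size
            if len(self.buf) < total:
                return                                  # frame not complete yet
            body = bytes(self.buf[len(SYNC):total - TRAILER.size])
            (crc,) = TRAILER.unpack_from(self.buf, total - TRAILER.size)
            if crc != zlib.crc32(body):
                self.events.append(("crc_error", seq))
                del self.buf[:len(SYNC)]                # skip marker, rescan
                continue
            del self.buf[:total]
            self._deliver(seq, body[HEADER.size:])

    def _deliver(self, seq: int, payload: bytes) -> None:
        if self.last_seq is not None and seq <= self.last_seq:
            return                                      # repeat already delivered
        if self.last_seq is not None and seq != self.last_seq + 1:
            self.events.append(("gap", self.last_seq + 1, seq))   # no wrap handling
        self.last_seq = seq
        self.lines.append(payload)


# Constructed sample syslog lines (not real logs).
LINES = [
    b"<134>Oct 10 12:00:01 scada01 sshd[812]: Accepted publickey for ops from 10.0.0.7",
    b"<134>Oct 10 12:00:02 scada01 collectd[44]: load 0.42 0.39 0.35",
    b"<131>Oct 10 12:00:03 scada01 kernel: usb 1-1: new full-speed USB device",
]


def simulate(chunk: int = 7) -> DiodeReceiver:
    """Push LINES through a lossy one-way link with each frame sent twice:
    both copies of line 1 are dropped and one payload bit of the first copy
    of line 2 is flipped. The receiver reads the stream in `chunk`-byte pieces."""
    sent = []
    tx = DiodeSender(sent.append, repeat=2)
    for line in LINES:
        tx.send(line)
    damaged = bytearray(sent[4])        # sent == [f0, f0, f1, f1, f2, f2]
    damaged[20] ^= 0x01                 # offset 20 lies inside the payload
    stream = sent[0] + sent[1] + bytes(damaged) + sent[5]
    rx = DiodeReceiver()
    for i in range(0, len(stream), chunk):
        rx.feed(stream[i:i + chunk])
    return rx
```

Running `simulate()` delivers lines 0 and 2 only, with a `("crc_error", 2)` event for the damaged copy and a `("gap", 1, 2)` event for the line that never arrived; that gap is exactly what the monitoring side should alarm on, since it is the only evidence of loss a one-way link can give. On the Pi, `sent.append` would be replaced by something like `serial.Serial("/dev/serial0", 115200).write` (pyserial; the device path and baud rate are assumptions), and the duplicate count or a proper forward-error-correction code would be tuned to the measured error rate of the optoisolated link.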
The result is a simple but useful system that preserves the integrity of an air-gapped network while still supplying valuable telemetry to monitoring teams. It's a clever example of applying practical engineering to a high-stakes problem.