Air-gapping is a cybersecurity practice that involves isolating a computer, system, or network and preventing it from establishing external connections. That includes severing both wireless and physical connections to other machines—and the greater internet—to protect sensitive data. 

When it's time to transfer data, an employee must connect a portable storage device, copy over protected data, and plug that drive into the destination machine. In this sense, air gaps feel very "old school," yet are common across industries where secrecy and security are paramount (such as government, defense, finance, and others).

How does air-gapping work?

Physical spacing is often critical in air-gapped environments. Organizations must establish any air-gapped machines in a trusted, contained environment isolated from the outside world. This even involves moving sensitive systems to interior rooms in some cases. 

Aside from providing another layer of defense against physical intrusion, this added distance helps contain any electromagnetic emissions common to almost every electronic device. Some organizations go one step further by surrounding these machines and networks with a Faraday cage to prevent leakage. Otherwise, hackers might be able to capture these electromagnetic waves and orchestrate an attack. It's also possible that air-gapped systems could be susceptible to electromagnetic interference without such precautions. 

Security policies play a big role in successful air-gapping. For example, organizations adhere to the principle of least privilege when it comes to managing air-gapped systems. Only a select few have physical access to the devices in question, and this access is monitored continually. Plus, organizations aiming to stop hacking attempts can mandate added awareness training to prevent Stuxnet worm infections and other targeted threats. 

Training might prevent an unsuspecting employee from obtaining a random USB drive and inserting it into an air-gapped computer—starting an infection. However, no amount of education will prevent sabotage from the inside, which is another major concern.

Are all air gaps the same?

There are a few different types of air-gapping that are used depending on the levels of secrecy or access control needed: 

  1. Physical air-gapping covers much of what we recently mentioned, and provides the utmost physical separation between sensitive systems and others. Network connections to external systems are "severed," and hardware such as storage racks are removed from associated systems. 

  2. Cloud air-gapping includes sending backup data to a cloud-based location, providing virtual disaster recovery and isolating personal or sensitive data from other sources. This is common across companies that compile massive data volumes from extensive customer bases.  

  3. Logical air-gapping uses segmented networks and software partitions to build secure, virtual data storage. Despite their practicality, logical air gaps come with inherent risks since connections to other systems and networks remain in place.

While air-gapping is highly effective, it comes with some drawbacks. These systems are sometimes vulnerable to interference and electromagnetic attacks. Organizations must also ensure that trusted employees have access, while remembering that insider attacks are still possible. They must also vet their software supply chains thoroughly—as an infected component or dependency could make its way into updates. 

Finally, updating these systems requires manual, in-person intervention at set intervals to prevent them from becoming outdated.

Does HAProxy support air-gapped environments?

Yes! HAProxy products can support any application deployed in any environment—including air-gapped environments. Organizations handling sensitive data can rest assured knowing that neither HAProxy Enterprise nor HAProxy Fusion "call home" to internal HAProxy servers (nor any other servers it isn’t configured to connect to). Our multi-layered security features such as HAProxy Enterprise Bot Management Module also process data and logs 100% locally. 

HAProxy users can apply updates by downloading OVA files (or rpm/deb package files) to physical storage then moving them over. This method supports multiple distributions and automation tools. 

HAProxy can also run with minimal permissions required at startup (or drop privileges as needed) for security purposes. And if reaching the external internet is sometimes required, you can easily set up HTTP forward proxying to reach the OCSP server. 

To learn more about air-gapping with HAProxy Enterprise, check out our OVA VM install instructions.