User Tools

Site Tools


Hard Air Gap - A device to isolate portions of a small network

An “Air Gap” in the networking world is a physical separation of network segments. Years ago I worked in a data centre and down the middle of the hall was a line of red tiles amidst the sea of grey. Under the suspended floor was a gap about 1m high where cables ran to the bottom of the cabinets that contained the servers. No cable was permitted to cross the red line - this simple rule enforced a physical separation between the potentially compromised areas of the network (REDNET) and the safe (GREENNET). The problem is, you still need to pass data securely between the two - consider online commerce; credit card and account data must be passed to secure servers in the rear from an internet connected network… there have been a number of very high profile hacks where account details have been stolen from non-air-gapped networks. HAG securely bridges these two zones - it is impossible to hack into the green network through HAG and the time gate limits the data exposure.

HAG supports 10/100Mb as only four of the conductors from the ethernet ports are connected through - gigabit support would require a doubling of the relays (but is do-able). Most things auto-negotiate this so you shouldn't be aware of it other than transfer rates - two minutes of 100Mb should allow you to transfer at least 40MB. If this is not enough, select one of the longer gate times, although any good transfer client (free or corporate) should permit resume and allow you to pickup where you left off when the NAS comes back, the client will just keep bashing away until the task is complete.

Air Gaps are now becoming more virtual (to match the change in server farms) and can be a combination of routing tables, network masks and firewalls. These provide the separation between networks but cost thousands.

This device (a HARD air gap - i.e. physical) was designed to switch two network segments to a single point based on a time “gate” in a small network and was in answer to a specific need.

The HAG needs to be supported by the networks on either side e.g. servers acting as go-betweens to marshal the data. All three servers need a NIC in the same network so they can see each other. Probably best to set up a small transfer network of 8 addresses and share it between these machines. The servers can have more than one NIC so it isn't a problem connecting them to their home network and the switched network. So for example

Server A has addresses and Server B has addresses and The NAS has address

Here, 192.168.0.x and 10.1.x.x are the home LANs for the respective servers and 192.168.12.x is the transfer LAN. Both servers can see their LAN and the NAS (when switched through). Each server pings the NAS, if there is no response, repeat until there is, then transfer any data.

HAG is not a network device in itself - it doesn't connect to the LAN but merely provides a metallic path from either of two Ethernet connections to one other. Think of it as a SPDT switch for 100Mb Ethernet. The common port should be connected to some NAS or other storage device (FTP server) and either of the other two connections go to the separated LANs. Each is connected for a time period in turn and the connections on the DIL relays mean they cannot be connected simultaneously. If both are on or both off, the network is effectively scrambled, making the device fail safe (i.e. both LANs are disconnected from the common.

The solution using this device is that server A pings the NAS. When it (begins to) responds, it has two minutes (or whatever your settings are) to move it's data to the NAS. Server B will later perform the same action to move the data off the NAS and/or pass back data to server A.

This solution is fairly easily scripted/programmed and if you use FTP (and others) you can resume your transfers when the network comes back round your way. Land the files with a non-exciting name and rename them after transfer so the other side doesn't attempt to process an incomplete file.

No direct network path exists between server A and server B. If your internet facing zone gets hacked, the attacker absolutely cannot jump through the HAG (or the common NAS) to your secure stuff on the other side.

Finally found a use for a few dozen 12F pics. The below GCB code compiles into PIC assembler. The schematic is at the bottom of the page.

Future improvement would be to add a RTC so proper scheduling of access could be added. This would trigger a move away from the tiny PIC at the heart of this useful device.


' Hard Air Gap (HAG) Lite. A fairly dumb Ethernet port selector switch
' V1.0  20/11/2016  A.Henderson
' Controller code uses the tiny PIC12F508
' The code is not elegant but we are constrained by the PIC...
' also, this is all it does so there is no need to be "clever"
' Connects two ethernet PORTs (A, B) to a common port alternately.
' A relay (metallic path) matrix is such that if both are de/activated
' the wiring of the ethernet cable is scrambled thus it is fail safe.
' Relays must be activated alternately to connect correctly to the
' common port.
' The controller draws power at +5V, 50mA from a USB socket.
' No connection is made to the USB data wires
' No connection is made to the ethernet wires
' At startup, the PIC reads 3 dip switches on GPIO.1,2,3 :
' 000 = Off, both PORTs disconnected
' 001 = PORTA connected
' 010 = PORTB connected
' 011 = Toggle at 2 minute intervals
' 100 = Toggle at 10 minute intervals
' 101 = Toggle at 30 minute intervals
' 110 = Toggle at 60 minute intervals
' 111 = Toggle at 120 minute intervals
' Config is only read at power-up.
' There is no RTC so all timings are approximate

' ----- Configuration
  #chip 12F508,4
  #config osc = int, wdt=on
  #define Approx1s 996
  #define ConA  16
  #define ConB  32


  ' assign the prescaler to the WDT
  'ASM [
  movlw   B'10001111'
  DIM RLMAP(2) AS BYTE '  this is the bit pattern to toggle

  DIR GPIO b'11001110'

  ' GPIO.0 OUT    ' "Running" indicator 
  ' GPIO.1 IN     ' dip switch bit 0
  ' GPIO.2 IN     ' dip switch bit 1
  ' GPIO.3 IN     ' dip switch bit 2
  ' GPIO.4 OUT    ' RL1 - PORTA
  ' GPIO.5 OUT    ' RL2 - PORTB

  Wait1s              ' pause a little after boot

  nn=(GPIO / 2) AND 7 ' read the switches (have to right shift)

  RLMAP(0)=ConA ' preset the most common config to save code

    CASE =0         ' disconnect both PORTs
    CASE =1         ' PORTA static
    CASE =2         ' PORTB static
    CASE =3         ' 2 mins toggle
    CASE =4         ' 10 mins toggle
    CASE =5         ' 30 mins toggle
    CASE =6         ' 60 mins toggle
    CASE =7         ' 120 mins toggle

  FOR nn=0 to 1
    FOR mm=1 TO DLY
      GPIO=RLMAP(nn) + (mm and 1)

  GOTO Main

  SUB Wait1s
    PAUSE Approx1s

great_cow_basic/hard_air_gap_a_device_to_isolate_portions_of_a_small_network.txt · Last modified: 2024/01/19 09:45 by