Network hardware and network development for large security


(Hopefully this topic is parked in an appropriate area - - - please move if not true!!)

In my reading an air gapped system is considered to be the most secure.

My question is - - - - how close can I get with other options.

Using a managed switch and implementing a 'private' network using VLANs?
(Is this even a good idea?)

Can VLANs be used to create an 'almost air gap'?

Is/are there other method(s)?

Does any of this change when using IPv6?

TIA for any ideas and/or suggestions!

An air gap means no connectivity to another network (i.e. the Internet). Closing any "gap" obviously defeats this concept.

None of the concepts you list cover an air gap...nor "almost". As long as you don't connect or enable any possible connections to the insecure network in question, you maintain your air gap.



1 Like

Closest thing to a complete disconnection (aka "air gap") is a connection that only allows very specific traffic, encrypted and authenticated. Perhaps if you give us more details about your use case, we can provide more specific advice.


You really need physical hardware such as this that enforces data flow direction to accomplish what you're envisaging.

I'm not sure if that's an advertisement...

It just seems like a Layer 2 firewall/IPS/IDS, hardly an Air Gap.

I think what's missed is that air gaps keep things out and keep things in...

Just different terms. Cool!

Think more so:

  • The network James Bond stored files, videos and documents on once he took them back to HQ
  • The computer portrayed in the movie Mission Impossible holding covert employee files
  • The network portrayed in the movie Clear and Present Danger holding mission files
  • Crime laboratory computer equipment

It's hardly advertising. I have zero connection with this company. Not sure why you perceived it as such...

Just making the point that a degree of isolation like the OP is wanting requires either a real air gap - no network connectivity - or some kind of physical hardware solution.

1 Like

Hi @ajoeiam,
it depends on what you are looking for. What is the part you are not trusting (other users, other computers, the admins, physical access, etc.)?
In general VLANs can be secure and there are a lot of options to do so, for example port authentication with certificates. It would be a good idea to split DMZ and internal switches (mainly because of load reasons / DDoS). To sum up, VLANs are a secure approach and widely used.

Regarding your IPv6 question, VLANs are implemented at layer 2 of the OSI model. The IP protocol is a layer above, and there is no change whether you are using IPv6 or IPv4. Basically VLANs establish virtual switches, like using two different switches that are not interconnected.

I hope this will help you. Let me know if you need some more details.

1 Like
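To make the two technical points in this answer concrete (the 802.1Q tag sits in the Ethernet header ahead of the EtherType, so IPv4 versus IPv6 changes nothing, and a VLAN-aware switch keeps a separate forwarding table per VLAN, which is why it behaves like separate, unconnected switches), here is an added Python example that is not from this thread or from any vendor's code. The frames, MAC addresses and the toy `VlanSwitch` class are constructed for illustration; it models access ports only, so a real switch's trunk ports, native VLAN and management interface (the parts that need hardening in practice) are deliberately left out.

```python
"""802.1Q frame building/parsing plus a toy VLAN-aware switch.

Added example (not part of the forum thread). All frames, MAC addresses and
the VlanSwitch model below are constructed for illustration only.
"""
import struct
from collections import defaultdict

# IEEE-assigned EtherType values
ETHERTYPE_VLAN = 0x8100   # 802.1Q tag TPID
ETHERTYPE_IPV4 = 0x0800
ETHERTYPE_IPV6 = 0x86DD
BROADCAST = b"\xff" * 6


def build_frame(dst, src, ethertype, payload, vlan_id=None, pcp=0):
    """Build an Ethernet II frame; insert an 802.1Q tag when vlan_id is given."""
    header = dst + src
    if vlan_id is not None:
        tci = ((pcp & 0x7) << 13) | (vlan_id & 0x0FFF)   # PCP:3 DEI:1 VID:12
        header += struct.pack("!HH", ETHERTYPE_VLAN, tci)
    return header + struct.pack("!H", ethertype) + payload


def parse_frame(frame):
    """Return dst, src, VLAN id (None if untagged), inner EtherType and payload."""
    dst, src = frame[:6], frame[6:12]
    (ethertype,) = struct.unpack("!H", frame[12:14])
    vlan_id, offset = None, 14
    if ethertype == ETHERTYPE_VLAN:
        # The tag is examined before the IP version is ever looked at.
        tci, ethertype = struct.unpack("!HH", frame[14:18])
        vlan_id, offset = tci & 0x0FFF, 18
    return {"dst": dst, "src": src, "vlan": vlan_id,
            "ethertype": ethertype, "payload": frame[offset:]}


class VlanSwitch:
    """Hypothetical toy switch with access ports only: one MAC table per VLAN."""

    def __init__(self, port_vlans):
        self.port_vlans = dict(port_vlans)        # port -> access VLAN id
        self.mac_table = defaultdict(dict)        # vlan -> {mac: port}

    def receive(self, in_port, frame):
        """Return the list of egress ports for a frame arriving on in_port."""
        vlan = self.port_vlans[in_port]
        f = parse_frame(frame)
        # The access port's VLAN is authoritative: a frame carrying a tag for
        # another VLAN is dropped instead of being switched into that VLAN.
        if f["vlan"] is not None and f["vlan"] != vlan:
            return []
        table = self.mac_table[vlan]
        table[f["src"]] = in_port                 # learned in this VLAN only
        out = table.get(f["dst"])
        if out is not None:
            return [] if out == in_port else [out]
        # Unknown unicast or broadcast: flood, but only within the same VLAN.
        return sorted(p for p, v in self.port_vlans.items()
                      if v == vlan and p != in_port)


def demo():
    """Constructed topology: hosts A and B on VLAN 10, host C on VLAN 20."""
    mac_a = bytes.fromhex("020000000001")
    mac_b = bytes.fromhex("020000000002")
    mac_c = bytes.fromhex("020000000003")
    sw = VlanSwitch({"p1": 10, "p2": 10, "p3": 20})
    r = {}
    # 1. Untagged IPv4 broadcast from A reaches only the other VLAN 10 port.
    r["ipv4_bcast"] = sw.receive("p1", build_frame(BROADCAST, mac_a, ETHERTYPE_IPV4, b"ipv4"))
    # 2. Same frame with an IPv6 payload: identical result, the tag decided it.
    r["ipv6_bcast"] = sw.receive("p1", build_frame(BROADCAST, mac_a, ETHERTYPE_IPV6, b"ipv6"))
    # 3. C announces itself on VLAN 20; it is learned only in VLAN 20's table.
    sw.receive("p3", build_frame(BROADCAST, mac_c, ETHERTYPE_IPV6, b"ipv6"))
    # 4. A addresses C by MAC: VLAN 10 has never seen C, so the frame is
    #    flooded inside VLAN 10 and never reaches p3.
    r["a_to_c"] = sw.receive("p1", build_frame(mac_c, mac_a, ETHERTYPE_IPV4, b"ipv4"))
    # 5. A frame tagged VLAN 20 arriving on A's VLAN 10 access port is dropped.
    r["tag_mismatch"] = sw.receive("p1", build_frame(mac_c, mac_a, ETHERTYPE_IPV4, b"x", vlan_id=20))
    # 6. B replies to A: known unicast inside VLAN 10, forwarded to p1 only.
    r["b_to_a"] = sw.receive("p2", build_frame(mac_a, mac_b, ETHERTYPE_IPV6, b"ipv6"))
    r["tables"] = {v: {m.hex(): p for m, p in t.items()} for v, t in sw.mac_table.items()}
    return r


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The per-VLAN MAC tables are the whole point: nothing A sends on port `p1` can be delivered to `p3`, because the VLAN 20 table is never consulted for a VLAN 10 ingress, and that holds for IPv4 and IPv6 alike. Whether VLAN isolation is "secure" in the sense asked about in the thread therefore comes down to the switch configuration (trunk handling, native VLAN, management access and port authentication), not to the IP version.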

This answer gets the closest to understanding my original question.

I know what an air gap is.
I know that changing that reduces the security.

So - - - what I don't trust - - - - phew - - - - it's not a short list!

The web has become a place for entities to take from others and sell what has been taken to generate money.
So I'm not trusting websites much! There are a tiny number that don't insist on tracking the Pthibt out of you. So I really don't trust those 3rd-party domains connected. Crackbook has developed a way to even do that in house (not that they were terribly trustworthy before that either!). Other users may inadvertently even allow such.

To date I myself have to wear all the hats, so I would hope that I as an admin might be trustworthy, but if I needed to allow assistance from others that would be something I would like to protect myself from - - - even now.

Physical access is an interesting conundrum - - - - regulatory agencies are allowed to show up and on demand would take at the least all the hardware - - - and likely at least the hard drives. So there is a need for a network within a network so that any such information would reside on a discrete sub-set of storage (also means that backup and an offsite version as well is crucial imo). This set of tools is only at the development stage right now, so a solid list of 'whats and whatfors' isn't yet available.

Maybe this might help - - -

Someone physically outside the network - - - how possible is it that they can 'bull' their way out of a specific VLAN and gain access to other such VLANs in my network?

Thanking those that have responded so far - - - - the comments are helping me better define what I am looking for!