With all these backdoors like Intel ME, and CPU vulnerabilities, VM escape vulnerabilities etc... I'm beginning to think I need a total redesign of my network to better mitigate this sort of thing.
Right now I have stuff split up using VLANs, based on purpose and risk. For example, anything that involves port forwarding to the internet is seen as high risk, as whatever that service is, whether it's a game server, a p2p application, etc., it could potentially have a remote code execution vulnerability that would then allow access to the rest of the network. So anything of that nature is on a VLAN that I call "internet facing" which, as its name suggests, is for internet facing stuff. If any one of those services is hacked they are ideally limited to that VLAN. BUT, with VM escape vulnerabilities, they could potentially escape out and then access the rest of the network... Then add Intel ME to the risk, and if the firewall (pfSense) has an Intel CPU (I think mine is old enough that I'm safe though) then my entire network is vulnerable. Then there's stuff like all the CPU vulnerabilities that come out every couple of days. Intel CPUs are almost as bad as IIS 6.0 at this point. Seems every couple of days a new exploit comes out. AMD may or may not be better. Basically it seems no matter how secure the software and your config/setup is, the hardware is what is the risk these days, so you can't win.
So I've been thinking, the majority of my servers and data don't really need constant internet access. Maybe it's time to build an air gapped network, or at least a semi air gapped one. I could simply split up the hardware to mitigate things like VM escape vulnerabilities and still have it connected to the main firewall, and have a lot of rules to greatly limit the type of traffic. Or I could go even better and have a network that is totally not internet connected.
The challenge is then having to USB stuff over back and forth when I do need to move stuff to/from the internet: publishing website changes to the live website, updating the OS, installing new Linux packages, etc. I also need to decide if my workstation is part of the air gapped network or not. I'd almost need two workstations. I'd probably also want to avoid using a KVM for these two workstations just to be extra safe. I probably would not go as far as RF shielding the entire server room, though it is something I've pondered, because there are rumours that the Intel ME backdoor also has a backup 3G radio, which means that even the machines behind the firewall are exposed. Though this has not been proven yet, and I have my doubts. Someone out there with the right gear would have been able to detect it by now and publish more detailed info.
Anyway, not sure how far I'll actually go with this; there would be a lot of cost involved as I need at least a separate VM and storage server as a start, and also more UPS capacity and power usage in general. But I'm kinda curious if anyone else has an air gapped network, or at least what kind of hardware/setup measures you take as a general way to mitigate all these hardware level vulnerabilities that have been coming out in the past years.