Guards are not Air Gaps

December 2014

“An air gap is a network security measure that consists of ensuring that a secure computer network is physically isolated from unsecured networks, such as the public Internet or an unsecured local area network.”  (Wikipedia)

Note the emphasis on the word physically.

A number of forums have discussed whether data diodes are equivalent to air gaps in one direction, including a number of articles on Cyber Matters. In reality, you can argue it both ways.

One thing is absolutely certain, however. A data guard, which allows a two-way data flow, is absolutely not an air gap and is not equivalent to an air gap. A data guard enables communication between two networks under strictly controlled conditions; it does not physically separate the networks, but can provide separation at the network layer. Air gaps provide physical separation, in order to manage different threats.

To someone concerned with network security this should matter. It is important to address the business requirement using the appropriate technology. That is why Nexor have a portfolio of flow control products, and on Cyber Matters we try to explain concepts that even some experts get confused about. What you will not find us doing at Nexor or on Cyber Matters is trying to market a Guard as an Air Gap: they are different things which solve different problems.


Author Bio – Colin Robbins

Colin Robbins is Nexor’s Managing Security Consultant. He is a Fellow of the IISP, and a NCSC certified Security and Information Risk Adviser (Lead CCP) and Security Auditor (Senior CCP). He has specific technical experience in Secure Information Exchange & Identity Systems and is credited as the co-inventor of LDAP. He also has a strong interest in security governance, being a qualified ISO 27001 auditor.

