Diode Applications: Secure Windows Updates
In this blog series, I have been exploring applications for Data Diodes. This week, I look at the issue of getting Windows Updates into a segregated network — securely.
It is widely reported that 80% or higher of all security attacks can be prevented by implementing basic security hygiene. The majority of such attacks take advantage of publicly known vulnerabilities in software. Once identified, these vulnerabilities are usually quickly fixed and updates made available by the vendor to their customer base. The updates need to be applied equally quickly — left unprotected for more than a few hours, the targeted vulnerabilities may be freshly attacked and infected. Consequently, it is vital to ensure regular updating of systems with all available fixes and patches relating to operating systems, applications and anti-virus software to mitigate the risk of a security attack to a known vulnerability.
The routine method of applying system updates is to use an automated vendor mechanism. For secure networks not connected to the Internet, this approach is not suitable. Update strategies for these unconnected networks often rely on a manual process; the updates are obtained from the Internet, then securely transferred to the segregated network before being applied. This process is typically unreliable, prone to error and costly.
For organisations with secure networks or networks isolated from the Internet, a Data Diode based solution can automate the process. The diode enable the transfer of Windows Updates from the Internet to a Windows Update Server in the secure network, while ensuring there is no route back from the secure network to the Internet.
While I’ve used the example of Windows updates, the concept can be used for most operating system, anti-virus and application update mechanisms.
Interested in finding out more details about getting operating system updates into your secure network? Contact me, or leave a comment below.
Author Bio – Colin Robbins
Colin Robbins is Nexor’s Managing Security Consultant. He is a Fellow of the IISP, and a NCSC certified Security and Information Risk Adviser (Lead CCP) and Security Auditor (Senior CCP). He has specific technical experience in Secure Information Exchange & Identity Systems and is credited as the co-inventor of LDAP. He also has a strong interest in security governance, being a qualified ISO 27001 auditor.
Be the first to know about developments in secure information exchange