Air gaps and secure networks

I am a person with many interests. In one conversation, I’ll introduce myself as a new filmmaker. In another, I’m a seasoned theatre actor. Sometimes I give talks on Microsoft’s data platform products, SQL Server and Azure SQL Database. There’s another strong field of interest I have, which I don’t speak much about, and that’s information security (often shortened to infosec).

By no means am I a security expert. I use 1Password for managing my passwords and secure data between members of my company, and I use Cloak VPN when I connect to public Wi-Fi networks. My MacBook Pro’s hard drive is encrypted using FileVault. We have a guest Wi-Fi network at home to prevent non-residents gaining access to our smart lights and my NAS. I have passwords on my two computers’ screensavers.

I know I don’t do enough to keep everything as secure as possible, but I try.

Recently I’ve been watching the Pluralsight course Ethical Hacking (CEH Prep) (login required).

The very first thing in the course is setting up a secure lab environment, so that any tools used in the course are contained in that secure environment. This is the right way to do it, and I am using Hyper-V on my venerable Asus laptop to host these socially unacceptable virtual machines, away from my home network and away from the Internet.

This is usually called an “air gap”. Strictly speaking, the term means there is no network path at all between the lab machines and anything that is online: nothing but air between them. My setup is not quite that, because the laptop hosting the guests is itself online. What I actually have is a private virtual switch in Hyper-V, which lets the guests talk to each other but not to the host’s network adapters or to the Internet. That is network isolation rather than a true air gap, and the distinction matters as soon as files have to cross the boundary.

So this raises a question: How do I install applications on these guests if I’m not giving them access to any network? I don’t want to connect the guests to the Internet to download anything, firstly because of automatic updates (the lab environment must be predictable), and secondly because the guests may be compromised already, and it would be improper for me to expose compromised machines to the Internet (and my home network).

The answer, as with any air gap, is to do it the way we did twenty years ago: copy the files to removable media (a CD-ROM or a USB drive) and then access that media from the guest.

With Hyper-V (and any other modern virtualization platform), it is trivial to connect a CD-ROM, a USB drive, or a disk image to a virtual machine. My challenge, in this “clean-room” laboratory, is that I have nothing installed on the host beyond the operating system itself. All I want to do is download the files on the host and then make them available to the guest virtual machines.

In the Pluralsight course, the presenter did this by sharing a folder on the host over the network to the virtual machines. I decided against this, because it does not keep the lab environment completely separate: a share is a live, two-way network path between possibly compromised guests and my host.

The only other machine I can use is my MacBook Pro, which means having to copy files over the network to my host, which I want to avoid.

I decided to create a virtual hard drive (VHD), a format that Windows has been able to mount natively since Windows 7 and that Hyper-V uses for guest disks.

On the host, I created a VHD using the DISKPART command, which is built into Windows.

From an elevated command prompt (DISKPART needs administrator rights), run diskpart to open it. At the DISKPART> prompt, type:

DISKPART> create vdisk file="D:\Temp\airgap.vhd" maximum=1024

This creates a 1 GB virtual hard drive on my host (the maximum value is in megabytes, and without a type argument DISKPART creates a fixed-size file), which I will use to store the files I want to install on the guest. Before I can use this container file, however, I have to partition and format it.

Attach the new virtual disk we have just created (create vdisk leaves the new disk selected, so no select vdisk is needed first):

DISKPART> attach vdisk

Create a primary partition on the virtual disk:

DISKPART> create partition primary

Select the partition:

DISKPART> select partition 1

Assign it a drive letter (I used Z: but you can use any available drive letter):

DISKPART> assign letter=z

At this point, Windows will pop up a dialog box informing us that an unformatted drive has been detected. We can use this dialog to format the drive with the default values (NTFS, quick format).

Once the drive is formatted, we can transfer downloaded files to this new VHD.

The next step is using the VHD on the guest. To do that, once the files have been copied, we can detach the disk from the host using DISKPART again.

DISKPART> detach vdisk

This removes the disk from the host and releases the file, so that it can be opened elsewhere. A VHD that is still attached on the host cannot be attached to a guest at the same time.

In Hyper-V, or whichever hypervisor you are using, the first thing to note is that a disk cannot be added to a guest’s virtual IDE controller while the guest is running (Hyper-V does allow hot-adding disks to a SCSI controller, but the simplest rule is to only change disks on a stopped guest), so I make sure the guest is shut down first.

We then add the VHD as a second hard drive in the guest’s settings and start the virtual machine. Because the VHD is already partitioned and formatted, a Windows guest assigns it a drive letter as soon as it boots (a Linux guest sees a new block device that has to be mounted), so it is accessible immediately. We can run the installers from that drive exactly as if we had downloaded them to the guest.
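The same host-side procedure (create, partition, format, fill, detach, hand to the guest), written as a PowerShell script instead of the DISKPART prompt plus the format dialog. This is an added example, not code from the original post or the Pluralsight course. It assumes the Hyper-V PowerShell module is installed on the host; the paths, the staging folder, the guest name Lab-Win7 and the function name New-AirgapManifest are placeholders. It also does one thing the prompt-driven version does not: it records SHA-256 hashes of every file, once on the VHD (to check inside the guest before running anything) and once on the host (to check what comes back out later).

```powershell
#Requires -RunAsAdministrator
# Added example, not from the original post. Builds the "air gap" VHD on the
# host with the Hyper-V and Storage modules. All names below are placeholders.
$VhdPath      = 'D:\Temp\airgap.vhd'
$Staging      = 'D:\Temp\downloads'     # installers already downloaded on the host (assumed)
$ManifestPath = 'D:\Temp\airgap.sha256' # host-side copy of the hash list, kept outside the VHD
$VMName       = 'Lab-Win7'              # assumed guest name

# Returns one "HASH  relative\path" line per file under $Root (sha256sum style).
function New-AirgapManifest {
    param([string]$Root, [string]$ExcludeName = 'SHA256SUMS.txt')
    $root = (Resolve-Path $Root).Path.TrimEnd('\')
    Get-ChildItem -Path $root -File -Recurse |
        Where-Object Name -ne $ExcludeName |
        Get-FileHash -Algorithm SHA256 |
        ForEach-Object { '{0}  {1}' -f $_.Hash, $_.Path.Substring($root.Length).TrimStart('\') }
}

# 1. A 1 GB fixed-size VHD, the same thing "create vdisk ... maximum=1024" gives by default.
New-VHD -Path $VhdPath -SizeBytes 1GB -Fixed | Out-Null

# 2. Mount it on the host, initialise it (MBR, so even an old guest can read it),
#    create one partition using the whole disk and format it NTFS. No format dialog.
$disk = Mount-VHD -Path $VhdPath -PassThru | Get-Disk
Initialize-Disk -Number $disk.Number -PartitionStyle MBR
$part = New-Partition -DiskNumber $disk.Number -UseMaximumSize -AssignDriveLetter
$part | Format-Volume -FileSystem NTFS -NewFileSystemLabel 'AIRGAP' -Confirm:$false | Out-Null
$drive = "$($part.DriveLetter):\"

# 3. Copy the files in, then write the hash list both to the VHD (for checking
#    inside the guest) and to the host (for checking what comes back out).
Copy-Item -Path (Join-Path $Staging '*') -Destination $drive -Recurse
$manifest = New-AirgapManifest -Root $drive
$manifest | Set-Content -Path (Join-Path $drive 'SHA256SUMS.txt') -Encoding ASCII
$manifest | Set-Content -Path $ManifestPath -Encoding ASCII

# 4. Release the file so Hyper-V can open it (the "detach vdisk" step).
Dismount-VHD -Path $VhdPath

# 5. Add it as a second disk to the stopped guest, then boot the guest.
if ((Get-VM -Name $VMName).State -ne 'Off') { Stop-VM -Name $VMName -Force }
Add-VMHardDiskDrive -VMName $VMName -Path $VhdPath
Start-VM -Name $VMName
```

Inside a Windows guest, the same Get-FileHash call against SHA256SUMS.txt on the new drive confirms that what arrived is what was downloaded; on a Linux guest, sha256sum -c SHA256SUMS.txt does the same job, since the file uses the same two-space format.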

To make changes to the VHD, we have to shut down the guest and then use DISKPART to attach the VHD on the host again. Take the obvious precautions when doing so: attach it read-only (DISKPART accepts attach vdisk readonly), do not browse or run anything from it, and remember that although the guest is turned off, the disk has been writable by that guest the whole time, so there is no guarantee it has not picked up something.

If you need to add new files, create a new VHD rather than reusing this one. Treat a VHD that has been inside the lab with the same level of trust as a USB drive you find in a parking lot: it is a writable channel out of the lab, not just a channel into it.
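Bringing the VHD back out is the risky direction, so here is the return trip as an added example (again not code from the original post): the disk is taken away from the stopped guest, attached on the host read-only, and its contents are compared against the hash list that was kept on the host, so any file the guest added, changed or deleted is reported before anything is touched. It assumes the Hyper-V PowerShell module, the same placeholder paths and guest name as the previous example, and a manifest in the "HASH  relative\path" format; Compare-AirgapManifest is an assumed helper name.

```powershell
#Requires -RunAsAdministrator
# Added example, not from the original post. Checks a VHD that has been inside
# the lab against the manifest kept on the host. All names are placeholders.
$VhdPath      = 'D:\Temp\airgap.vhd'
$ManifestPath = 'D:\Temp\airgap.sha256'   # host-side copy, never exposed to the guest
$VMName       = 'Lab-Win7'

# Compares the files under $Root against a saved manifest and returns one object
# per difference (Added, Modified or Missing). No output means nothing changed.
function Compare-AirgapManifest {
    param([string]$Root, [string]$ManifestPath, [string]$ExcludeName = 'SHA256SUMS.txt')
    $root = (Resolve-Path $Root).Path.TrimEnd('\')
    $expected = @{}
    foreach ($line in Get-Content -Path $ManifestPath) {
        if ($line -match '^([0-9A-Fa-f]{64})\s+(.+)$') { $expected[$Matches[2]] = $Matches[1].ToUpper() }
    }
    $actual = @{}
    Get-ChildItem -Path $root -File -Recurse |
        Where-Object Name -ne $ExcludeName |
        ForEach-Object {
            $rel = $_.FullName.Substring($root.Length).TrimStart('\')
            $actual[$rel] = (Get-FileHash -Path $_.FullName -Algorithm SHA256).Hash
        }
    foreach ($rel in $actual.Keys) {
        if (-not $expected.ContainsKey($rel)) {
            [pscustomobject]@{ Status = 'Added';    Path = $rel }
        } elseif ($expected[$rel] -ne $actual[$rel]) {
            [pscustomobject]@{ Status = 'Modified'; Path = $rel }
        }
    }
    foreach ($rel in $expected.Keys) {
        if (-not $actual.ContainsKey($rel)) { [pscustomobject]@{ Status = 'Missing'; Path = $rel } }
    }
}

# 1. Guest off, and the VHD detached from the guest's configuration.
if ((Get-VM -Name $VMName).State -ne 'Off') { Stop-VM -Name $VMName -Force }
Get-VMHardDiskDrive -VMName $VMName | Where-Object Path -eq $VhdPath | Remove-VMHardDiskDrive

# 2. Attach on the host read-only (the DISKPART equivalent is "attach vdisk readonly"),
#    so nothing on the host can write to it. Read-only does not make it safe to
#    open or execute files from, so the script only hashes them.
$disk   = Mount-VHD -Path $VhdPath -ReadOnly -PassThru | Get-Disk
$letter = (Get-Partition -DiskNumber $disk.Number |
           Where-Object { $_.DriveLetter -match '^[A-Z]$' } |
           Select-Object -First 1).DriveLetter
$changes = Compare-AirgapManifest -Root "${letter}:\" -ManifestPath $ManifestPath
Dismount-VHD -Path $VhdPath

# 3. Any difference means the guest wrote to the disk: do not reuse it.
if ($changes) {
    $changes | Format-Table -AutoSize
    Write-Warning 'VHD was modified inside the lab; discard it and create a fresh one.'
} else {
    'VHD contents match the host manifest.'
}
```

The comparison is done against the copy of the manifest on the host, not the SHA256SUMS.txt on the VHD, because the guest could have rewritten that file along with everything else. A clean result only says the files are unchanged; the decision to make a fresh VHD for the next batch of files still stands.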

If you’d like to read additional technical posts, check out my blog on Born SQL.