NETWORK SEPARATION
1. Basic deployment: automatic and semi-automatic secure file sharing
Requirement:
- Automatic or semi-automatic safe file transfer from the IT network into a secure, air-gapped OT network.
GateScanner (GS) modules:
- GateScanner Multi-source, located between the data diodes, passes every file through multiple AV and CDR scanning engines and delivers the sanitized output from IT to OT.
- Files arrive at the IN port of GS Multi-source either from applications on the IT side (automatic file transfer) or from users saving files to defined folders (semi-automatic transfer), and are delivered by the OUT ports to specified folders within the OT.
2. Network separation with inputs from portable media
Requirement:
- An air-gapped sensitive network with unidirectional file flow into the secure zone
- Portable media input to destinations within the secure zone
GateScanner (GS) modules:
- Central management, including logging and updating of GateScanner modules, is located on the IT network (site A). Scan logs from GateScanner can be forwarded to the SIEM; syslog, SNMP and other protocols are supported.
- GateScanner’s file sanitization kiosk functions as a portable media import station that directs all incoming files – via the GateScanner Injector diode – to GateScanner Multi-source for sanitization. The sanitized files are then distributed to their destinations in the secure zone (site B) and users are notified by email.
- User-based scanning policies and pre-designated destinations are applied centrally.
3. Network separation with sandbox integration
Requirement:
- Automatic or semi-automatic safe file transfer from the IT network into a secure, air-gapped OT network, with sandbox integration.
GateScanner (GS) modules:
- As in solution #1, with the addition of external-tool integration on GateScanner Multi-source: files in process in the GateScanner multi-AV/CDR engines are sent to the sandbox and returned, as one stage of the CDR processing.
4. Expanded network separation with bi-directional data flow
Requirement:
- IT-OT network separation with secure multi-directional file sharing
- Secure incoming email into the OT, bridging the air-gap (enhanced productivity for the OT)
- Outgoing file redaction/data-loss prevention from the OT
- Input from portable devices into the OT network
GateScanner (GS) modules:
- GateScanner Injector data diodes are positioned between the IT and OT network to ensure the unidirectional flow of files into the OT.
- GateScanner CDR LAN, located between the IN and OUT of the data diodes, hosts two GateScanner modules: GateScanner Mail, which provides one-way, CDR-sanitized email delivered into the OT, and GateScanner Multi-source, which provides CDR-sanitized files from multiple GS engines to the OT file share.
- GateScanner USB Security Kiosk delivers sanitized files from portable media uploads through a second data diode.
- Outgoing files from the OT are redacted under policy-based rules by GateScanner’s antivirus kiosk, either for output to portable media or for delivery through a third data diode (oriented OT to IT) to the IT network file share. Each diode remains one-way; the "bi-directional" flow is two separate unidirectional paths.
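The outgoing redaction/DLP step above, as an added illustration that is not GateScanner code and does not reflect its policy format: a per-user export policy, regex redaction rules, a fail-closed block for content that cannot be redacted, and a JSON audit line per decision that can be shipped to a SIEM. The rule patterns, user names, destinations and the 10.10.x.x range used for OT addresses are assumptions made for the example.

```python
import hashlib
import json
import re
from dataclasses import dataclass

# --- Hypothetical export policy (assumed for this example) ------------------
# Redaction rules: (rule name, compiled pattern, replacement text).
REDACTION_RULES = [
    ("ot_ipv4", re.compile(r"\b10\.10\.\d{1,3}\.\d{1,3}\b"), "[REDACTED-IP]"),
    ("plc_tag", re.compile(r"\bPLC-\d{4}\b"), "[REDACTED-TAG]"),
    ("email", re.compile(r"\b[\w.+-]+@[\w-]+(?:\.[\w-]+)+\b"), "[REDACTED-EMAIL]"),
]
# Markers whose presence blocks the export entirely instead of being redacted.
BLOCK_PATTERNS = [re.compile(r"\bCONFIDENTIAL\b", re.IGNORECASE)]
# Per-user policy: permitted file types and the pre-designated destination.
USER_POLICY = {
    "ot-engineer": {"allowed_ext": {".txt", ".csv", ".log"}, "destination": "it-share:/from-ot"},
    "contractor": {"allowed_ext": {".txt"}, "destination": "portable-media"},
}


@dataclass
class Verdict:
    action: str        # "deliver" or "block"
    reason: str        # why it was blocked, or "policy ok" when delivered
    destination: str   # where a delivered file goes ("" when blocked)
    content: bytes     # redacted bytes when delivered, b"" when blocked
    redactions: dict   # rule name -> number of replacements made
    sha256_in: str
    sha256_out: str


def redact(text):
    """Apply every redaction rule in order; return the new text and per-rule counts."""
    counts = {}
    for name, pattern, replacement in REDACTION_RULES:
        text, n = pattern.subn(replacement, text)
        if n:
            counts[name] = n
    return text, counts


def process_outgoing(user, filename, data):
    """Decide whether an OT-originated file may leave, and in what form."""
    sha_in = hashlib.sha256(data).hexdigest()
    policy = USER_POLICY.get(user)
    ext = "." + filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    if policy is None or ext not in policy["allowed_ext"]:
        return Verdict("block", "file type not permitted for user", "", b"", {}, sha_in, "")
    try:
        text = data.decode("utf-8")
    except UnicodeDecodeError:
        # Binary content cannot be redacted textually: fail closed rather than leak.
        return Verdict("block", "non-text content", "", b"", {}, sha_in, "")
    if any(p.search(text) for p in BLOCK_PATTERNS):
        return Verdict("block", "classification marker present", "", b"", {}, sha_in, "")
    out_text, counts = redact(text)
    out = out_text.encode("utf-8")
    return Verdict("deliver", "policy ok", policy["destination"], out, counts,
                   sha_in, hashlib.sha256(out).hexdigest())


def audit_record(user, filename, verdict):
    """One JSON line per export decision; hashes let the SIEM tie input to output."""
    return json.dumps({
        "event": "ot_export", "user": user, "file": filename,
        "action": verdict.action, "reason": verdict.reason,
        "destination": verdict.destination, "redactions": verdict.redactions,
        "sha256_in": verdict.sha256_in, "sha256_out": verdict.sha256_out,
    }, sort_keys=True)


# Constructed sample: a maintenance note an OT engineer wants to send out.
SAMPLE_NOTE = (
    "Pump station report\n"
    "PLC-0042 at 10.10.3.7 rebooted; contact ops@plant.example for details.\n"
)

if __name__ == "__main__":
    v = process_outgoing("ot-engineer", "report.txt", SAMPLE_NOTE.encode())
    print(audit_record("ot-engineer", "report.txt", v))
    print(v.content.decode())
```

The block-on-marker check runs before redaction on purpose: a file carrying a classification marker should never leave, however thoroughly its identifiers are masked. Redaction is applied only to text the policy can actually parse; anything else is blocked, which is the safe default on an egress path.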