As I wrote in my previous post, even an air-gapped network should have additional security measures in place in case there is a path to jump the air gap. DIY security is daunting. Unless you’re prepared for hours upon hours of work, the rest of this post may not be feasible.
I’m a proponent of security on each device in a network whether in an air-gapped network, behind a LAN, or a laptop/firewall/cell trio. This usually requires root access to the device. GRV-EPIC has shell access available, so EPICs are candidates for additional security. However, there are not many packages in the EPIC repository, so building security tools from source is the way to go.
Before securing your closed network, test in a non-production environment.
You said the network won’t have access to the internet. Therefore you can effectively block routing for all traffic except private addresses for redundant security. This can be done through groov Manage.
1. In groov Manage, add static routes for the private address space. Go to groov Manage → Network → Static Routes and add routes for the 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/24 subnets on the interfaces that are used, or for greater security add static routes only for the individual IP addresses in your air-gapped network. Save the changes.
2. Delete the default gateway. Go to groov Manage → Network → Configure. For the interfaces you configured for static routing in Step 1, if the interface is manual (aka static), delete the contents of the default gateway field and save the changes. If the interface is configured for automatic (aka DHCP), then configure the DHCP provisioner to not provide a gateway to the EPIC.
You may also consider firewalling outgoing traffic via the shell. What you pass/filter is domain dependent, so I cannot provide specific guidance.
You can prevent rogue devices from spoofing MAC addresses by manually mapping MACs to IPs for the devices in the air-gapped network and then filtering incoming and outgoing ARP traffic.
You can harden the Linux kernel with sysctl, but this depends on your firmware version, as the Linux kernel has been updated in EPIC.
groov Manage has an option to disable USB. This may prevent Stuxnet-like malware.
A network intrusion detection system such as Snort or Suricata, built from source, can detect some network-based exploits by inspecting packets for malicious or suspicious characteristics. However, such tools can also block legitimate traffic, so run them in alert mode rather than block mode.
In the past I used a tool called Tripwire to detect tampering with files. Tripwire is no longer maintained, but there is no replacement with similar functionality. Essentially, Tripwire creates hashes for all configured files from a base system and regularly monitors the files for changes. If a file changes, Tripwire can alert you on another device in the air-gapped network.
If the operating system supports TPMs, then they can provide protection against firmware malware and hardware tampering. I'm not aware of support for TPMs on the EPIC, but if you have PCs in your closed network, they may already include TPMs.
I could go on. If you have questions on a particular topic, feel free to ask.
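The routing, outbound-firewall, static ARP and sysctl points above, pulled together as one shell-side lockdown script. This is an added example and is not code from the post above or from Opto 22; it assumes a plain Linux userland with iproute2 (`ip`), `iptables` with the conntrack and mac match modules, and `sysctl` on the PATH, which the EPIC shell image may not provide exactly as shown. The peer inventory and interface name are constructed placeholders. It defaults to dry-run mode (printing commands), so try it on a non-production unit first and only then run it with `DRY_RUN=0` as root.

```shell
#!/bin/sh
# Added example, not from the original post: lock a Linux device on an
# air-gapped network down to a fixed inventory of peers. Removes the default
# route, adds a host route and a permanent ARP entry per peer, applies a
# default-deny iptables policy, and sets a handful of long-standing sysctls.
# Assumes iproute2 (ip), iptables (conntrack + mac modules) and sysctl exist;
# the EPIC shell image may differ. DRY_RUN=1 (default) prints instead of runs.

IFACE="${IFACE:-eth0}"
DRY_RUN="${DRY_RUN:-1}"

# Constructed sample inventory of the closed network: "IP MAC" per line.
PEERS="${PEERS:-
192.168.10.10 aa:bb:cc:dd:ee:01
192.168.10.11 aa:bb:cc:dd:ee:02
}"

# run CMD...: echo the command in dry-run mode, execute it otherwise.
run() {
  if [ "$DRY_RUN" = 1 ]; then echo "$*"; else "$@"; fi
}

# is_rfc1918 ADDR: succeed only if ADDR lies in 10/8, 172.16/12 or 192.168/16.
is_rfc1918() {
  case "$1" in
    10.*|192.168.*) return 0 ;;
    172.*)
      second=$(printf '%s' "$1" | cut -d. -f2)
      case "$second" in ''|*[!0-9]*) return 1 ;; esac
      [ "$second" -ge 16 ] && [ "$second" -le 31 ] && return 0
      ;;
  esac
  return 1
}

# lockdown_plan: emit (or apply) the full lockdown for PEERS on IFACE.
# Refuses to proceed if any peer is outside the private address space.
lockdown_plan() {
  # No default route: traffic for anything not explicitly routed has nowhere to go.
  run ip route del default || true

  # Default-deny both directions; permit loopback and replies to allowed flows.
  run iptables -P INPUT DROP
  run iptables -P OUTPUT DROP
  run iptables -P FORWARD DROP
  run iptables -F INPUT
  run iptables -F OUTPUT
  run iptables -A INPUT -i lo -j ACCEPT
  run iptables -A OUTPUT -o lo -j ACCEPT
  run iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
  run iptables -A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT

  while read -r ip mac; do
    [ -n "$ip" ] || continue
    if ! is_rfc1918 "$ip"; then
      echo "refusing peer $ip: not a private address" >&2
      return 1
    fi
    # Host route: only inventoried addresses are reachable at all.
    run ip route replace "$ip/32" dev "$IFACE"
    # Permanent neighbour entry: the kernel will not overwrite it from ARP
    # replies, so a rogue host cannot take over this IP by spoofing ARP.
    run ip neigh replace "$ip" lladdr "$mac" dev "$IFACE" nud permanent
    # Inbound packets claiming this IP must also carry the inventoried MAC.
    run iptables -A INPUT -i "$IFACE" -s "$ip" -m mac --mac-source "$mac" -j ACCEPT
    run iptables -A OUTPUT -o "$IFACE" -d "$ip" -j ACCEPT
  done <<EOF
$PEERS
EOF

  # Kernel hardening that does not depend on a recent kernel version.
  for kv in net.ipv4.ip_forward=0 \
            net.ipv4.conf.all.accept_redirects=0 \
            net.ipv4.conf.all.send_redirects=0 \
            net.ipv4.conf.all.accept_source_route=0 \
            net.ipv4.conf.all.rp_filter=1 \
            net.ipv4.conf.all.log_martians=1 \
            net.ipv4.conf.all.arp_accept=0; do
    run sysctl -w "$kv"
  done
}

lockdown_plan
```

Two things to note when applying it for real: iptables rules and `ip` commands do not survive a reboot on their own, so whatever the firmware offers for persistence (or a startup hook) has to re-run the script, and the OUTPUT policy will also cut off any management traffic from the EPIC to hosts that are not in the inventory, which is the intended effect but is easy to lock yourself out with.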
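The Tripwire-style file integrity check described above, as an added example built only from coreutils (`find`, `sort`, `sha256sum`, `comm`, `mktemp`); it is not code from the post or from Tripwire, and it assumes those utilities are present on the device, which a minimal shell image without a package repository usually still has. Unlike a bare `sha256sum -c`, it also reports files that were added after the baseline was taken, since a planted file is as interesting as an edited one. The sample tree it checks is constructed inside the script.

```shell
#!/bin/sh
# Added example, not from the original post: a minimal Tripwire-style file
# integrity monitor using only coreutils. Records a sha256 baseline for a
# directory tree and later reports modified, missing and newly added files.
# Keep the baseline somewhere the device cannot rewrite (read-only media or
# another host on the closed network); a baseline an intruder can regenerate
# proves nothing. Assumes find, sort, sha256sum, comm and mktemp are on PATH.

# fim_baseline DIR DB: hash every regular file under DIR into DB (sorted).
fim_baseline() {
  dir=$1; db=$2
  find "$dir" -type f -print | LC_ALL=C sort | while IFS= read -r f; do
    sha256sum "$f"
  done > "$db"
}

# fim_check DIR DB: print CHANGED:/NEW: lines for anything that differs from
# the baseline and return 1; return 0 when the tree is unchanged.
fim_check() {
  dir=$1; db=$2; status=0
  tmp=$(mktemp -d)
  # Modified or deleted files: sha256sum -c reports a FAILED line for both.
  if [ -s "$db" ] && ! sha256sum -c "$db" > "$tmp/result" 2>&1; then
    grep 'FAILED' "$tmp/result" | sed 's/^/CHANGED: /'
    status=1
  fi
  # New files: present now but absent from the baseline. Baseline lines are
  # "<64 hex chars><two spaces><path>", so the path starts at column 67.
  find "$dir" -type f -print | LC_ALL=C sort > "$tmp/now"
  cut -c67- "$db" | LC_ALL=C sort > "$tmp/then"
  new=$(comm -13 "$tmp/then" "$tmp/now")
  if [ -n "$new" ]; then
    printf '%s\n' "$new" | sed 's/^/NEW: /'
    status=1
  fi
  rm -rf "$tmp"
  return $status
}

# fim_demo: exercise the monitor on a constructed sample tree; succeeds only
# if a clean tree passes and a tampered tree (one edited file, one planted
# file) is reported.
fim_demo() {
  work=$(mktemp -d)
  mkdir -p "$work/etc"
  printf 'admin:x:0:0:::/bin/sh\n' > "$work/etc/passwd"      # constructed sample
  printf 'PermitRootLogin no\n' > "$work/etc/sshd_config"     # constructed sample
  fim_baseline "$work/etc" "$work/baseline.db"
  if ! fim_check "$work/etc" "$work/baseline.db"; then
    echo "clean tree was flagged"; rm -rf "$work"; return 1
  fi
  printf 'PermitRootLogin yes\n' > "$work/etc/sshd_config"    # tamper
  printf '#!/bin/sh\n' > "$work/etc/rc.local"                  # plant a file
  if report=$(fim_check "$work/etc" "$work/baseline.db"); then
    echo "tampering was missed"; rm -rf "$work"; return 1
  fi
  echo "$report"
  rm -rf "$work"
  echo "$report" | grep -q 'CHANGED: .*sshd_config' &&
    echo "$report" | grep -q 'NEW: .*rc.local'
}

fim_demo
```

Run `fim_baseline /etc /mnt/ro/etc.db` once on a known-good unit and `fim_check /etc /mnt/ro/etc.db` from cron; a non-zero exit is the signal to forward to whichever host on the closed network collects alerts. Hashing the whole filesystem on every pass is slow on a small controller, so restrict DIR to the paths that should never change between planned updates.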