NETWORK SEGREGATION

1. Basic deployment: Secure file sharing

Requirement:

Option 1: 

  • Secure file transfer from IT network to an air-gapped OT network.

GateScanner (GS) modules:

  • GateScanner Multi-source, located between the data diodes, sends all files to multiple AV and CDR scanning engines, delivering files from IT to OT.
  • Files collected from designated folders in the IT network pass through the diode and enter the IN port of GS Multi-source for sanitization. They are then delivered securely via the OUT port to the incoming diode and on to designated folders in the OT network.

Option 2: 

  • Secure file transfer from multiple sources, including networked sources and cloud storage, into the protected corporate network, with data masking of outgoing content.
GateScanner (GS) modules:
  • GateScanner Security Dome functions as a secure content hub with vaults, facilitating threat-free transfer of files in and out of the corporate network from multiple sources including S3, Web, UNC, FTP, SFTP and SMB.
  • The Dome’s automation client manages content Push and Pull from the Dome’s secure encrypted vaults.
  • The GateScanner CDR engines provide military grade file sanitization and text-based file redaction of outgoing content using user-customized YARA rules.

2. Network segregation with inputs from portable media

Requirement:

  • An air-gapped sensitive network with unidirectional file flow into the secure zone
  • Portable media input to destinations within the secure zone
GateScanner (GS) modules:
 
  • GateScanner’s file sanitization kiosk passes the disarmed files through a unidirectional diode (GateScanner Injector) for internal routing in the sensitive network through the GateScanner Multi-source OUT module. Users are notified by email.
  • Central management of GateScanner Kiosk, located on the enterprise IT network, enforces global policies and preset destinations, handles logging and updates to the stations, and delivers scan logs to the SIEM.

3. Network segregation with sandbox integration

Requirement:

  • Automatic or semi-automatic safe file transfer from IT network to a secure air-gapped OT network with sandbox integration.
GateScanner (GS) modules:
  • Similar in concept to solution #1 above, this approach extends the functionality by integrating external tools through GateScanner Multi-source. Specific file types can be selectively routed to third-party sandbox solutions for analysis and then returned for further processing. Connectors for leading sandbox platforms are readily available.

4. Expanded network segregation with bi-directional data flow

Requirement:
  • IT-OT network segregation with secure multi-directional file sharing
  • Secure incoming email into the OT, bridging the air-gap (enhanced productivity for the OT)
  • Outgoing file redaction/data-loss prevention from the OT
  • Input from portable devices into the OT network

GateScanner (GS) modules:

  • GateScanner Injector data diodes are positioned between the IT and OT networks to ensure isolation of the OT.
  • GateScanner CDR LAN, located between the IN and OUT of the data diodes, hosts two GateScanner modules: GateScanner Mail Protection, which provides CDR-sanitized email to the OT, and GateScanner Multi-source, which provides CDR-sanitized files from multiple external sources to the OT file environment.
  • GateScanner Kiosk delivers sanitized files from portable media uploads and provides a route for redacting outgoing content from OT to IT.
