In this blog series, I have been exploring applications for Data Diodes. This week, I look at the issue of getting Windows Updates into a segregated network — securely.
It is widely reported that 80% or higher of all security attacks can be prevented by implementing basic security hygiene. The majority of such attacks take advantage of publicly known vulnerabilities in software. Once identified, these vulnerabilities are usually fixed quickly, and the vendor makes updates available to its customer base. The updates need to be applied just as quickly: a system left unpatched for more than a few hours may be attacked and compromised through the targeted vulnerability. Consequently, it is vital to update systems regularly with all available fixes and patches for operating systems, applications and anti-virus software, to mitigate the risk of an attack against a known vulnerability.
The routine method of applying system updates is to use an automated vendor mechanism. For secure networks not connected to the Internet, this approach is not suitable. Update strategies for these unconnected networks often rely on a manual process; the updates are obtained from the Internet, then securely transferred to the segregated network before being applied. This process is typically unreliable, prone to error and costly.
For organisations with secure networks, or networks isolated from the Internet, a Data Diode-based solution can automate the process. The diode enables the transfer of Windows Updates from the Internet to a Windows Update Server in the secure network, while ensuring there is no route back from the secure network to the Internet.
While I’ve used the example of Windows updates, the concept can be used for most operating system, anti-virus and application update mechanisms.
Interested in finding out more details about getting operating system updates into your secure network? Contact me, or leave a comment below.
3 thoughts on “Diode Applications: Secure Windows Updates”
I admit I don’t know what protocol Windows update uses, but this would certainly work for Solaris 11 updates, which use vanilla http.
HTTP is quite hard via a diode, as it is implicitly a two-way communication. The trick is to find a way of serialising the protocol via a proxy, or transforming the problem some way into a file transfer.