Doesn't "air gapped" imply physical separation? Putting a firewall, even if it's totally locked down, between two networks does not make it "air gapped".
> "How do you think I got the firmware updates? We just made an SSH tunnel over TCP 53 and proxied HTTP to the Sun website."<p>Sounds like the real problem was they didn't have a better mechanism for getting things like that in. If a security system stops people from doing their jobs, they'll poke a hole in it unless you provide a better option.
I thought "air gap" meant a machine or network that is physically separated (these days also without any radio connection) from other machines.<p>How can those not exist?
That's why you commit to multiple layers and types of defensive and recovery measures. Intelligence, preparation, prevention, prevention, prevention, monitoring, adaptation, more monitoring, effective response, well planned recovery.
Air gaps can also be bridged by using radio or sound waves. There could be a bunch of non-networked computers in a secure lab all talking to each other. This assumes trojaned hardware and/or operating system software in the systems that can send and receive data and commands.<p>Finally, technology such as Morse Code is still useful in these scenarios. Dits and dahs. Zeros and ones. That's all you need to be able to send and recv data.<p><a href="http://www.jocm.us/index.php?m=content&c=index&a=show&catid=124&id=600" rel="nofollow">http://www.jocm.us/index.php?m=content&c=index&a=show&catid=...</a><p><a href="http://www.wired.com/wp-content/uploads/2014/11/air-hopper-malware-final-e-141029143252-conversion-gate01.pdf" rel="nofollow">http://www.wired.com/wp-content/uploads/2014/11/air-hopper-m...</a>
Back in the early days of Ethernet there were fiber to AUI widgets, that used 2 multimode fibers, one for TX, one for RX. We used these on classified systems with only RX connected - we could send data in to these systems over UDP, and it was truly a one-way path.
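Added example, not part of the comment above: a minimal sketch of framing a transfer for a receive-only UDP link like the one described, where the receiver cannot ACK or request a resend. The header layout, chunk size, repeat count and all function names are assumptions made for illustration.

```python
import hashlib
import socket
import struct

HDR = struct.Struct("!IHH")  # assumed header: transfer id, chunk index, chunk count
CHUNK = 1024                 # assumed payload bytes per datagram

def make_datagrams(transfer_id, data, repeat=3):
    """Sender: with no return path there are no ACKs, so every chunk is sent
    `repeat` times and a SHA-256 of the whole payload rides as the last chunk."""
    chunks = [data[i:i + CHUNK] for i in range(0, len(data), CHUNK)]
    chunks.append(hashlib.sha256(data).digest())
    return [HDR.pack(transfer_id, i, len(chunks)) + c
            for i, c in enumerate(chunks) for _ in range(repeat)]

def send(datagrams, addr):
    """Fire-and-forget transmit; the sender never reads from the socket."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        for d in datagrams:
            s.sendto(d, addr)

def reassemble(datagrams, transfer_id):
    """Receiver: returns (payload, missing_indexes). payload is None when a
    chunk never arrived or the digest fails; the receiver can only log that
    and wait for an operator to resend, it cannot ask the sender."""
    got, total = {}, None
    for d in datagrams:
        if len(d) < HDR.size:
            continue                      # runt datagram
        tid, idx, cnt = HDR.unpack_from(d)
        if tid != transfer_id or cnt == 0 or idx >= cnt:
            continue                      # other transfer or bad header
        if total is None:
            total = cnt
        elif cnt != total:
            continue                      # inconsistent chunk count
        got.setdefault(idx, d[HDR.size:]) # first copy wins, duplicates ignored
    if total is None:
        return None, []
    missing = [i for i in range(total) if i not in got]
    if missing:
        return None, missing
    data = b"".join(got[i] for i in range(total - 1))
    if hashlib.sha256(data).digest() != got[total - 1]:
        return None, []                   # corrupted in transit
    return data, []
```

The digest only detects accidental corruption or loss; it does not authenticate the sender.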
> I have seen so many kludges connecting SIPPER and NIPPER networks<p>I don't know how much I trust someone who can't even get the acronym for SIPR and NIPR right (<a href="https://en.wikipedia.org/wiki/SIPRNet" rel="nofollow">https://en.wikipedia.org/wiki/SIPRNet</a> <a href="https://en.wikipedia.org/wiki/NIPRNet" rel="nofollow">https://en.wikipedia.org/wiki/NIPRNet</a>)