
Air Gaps

Bruce Schneier


October 11, 2013


Since I started working with Snowden's documents, I have been using a number of tools to try to stay secure from the NSA. The advice I shared included using Tor, preferring certain cryptography over others, and using public-domain encryption wherever possible.




I also recommended using an air gap, which physically isolates a computer or local network of computers from the Internet. (The name comes from the literal gap of air between the computer and the Internet; the word predates wireless networks.)




But this is more complicated than it sounds, and requires explanation.




Since we know that computers connected to the Internet are vulnerable to outside hacking, an air gap should protect against those attacks. There are a lot of systems that use -- or should use -- air gaps: classified military networks, nuclear power plant controls, medical equipment, avionics, and so on.




Osama Bin Laden used one. I hope human rights organizations in repressive countries are doing the same.




Air gaps might be conceptually simple, but they're hard to maintain in practice. The truth is that nobody wants a computer that never receives files from the Internet and never sends files out into the Internet. What they want is a computer that's not directly connected to the Internet, albeit with some secure way of moving files on and off.




But every time a file moves back or forth, there's the potential for attack.




And air gaps have been breached. Stuxnet was a US and Israeli military-grade piece of malware that attacked the nuclear plant in Iran. It successfully jumped the air gap and penetrated the Natanz network. Another piece of malware named agent.btz, probably Chinese in origin, successfully jumped the air gap protecting US military networks.




These attacks work by exploiting security vulnerabilities in the removable media used to transfer files on and off the air-gapped computers.




Since working with Snowden's NSA files, I have tried to maintain a single air-gapped computer. It turned out to be harder than I expected, and I have ten rules for anyone trying to do the same:




1. When you set up your computer, connect it to the Internet as little as possible. It's impossible to completely avoid connecting the computer to the Internet, but try to configure it all at once and as anonymously as possible. I purchased my computer off-the-shelf in a big box store, then went to a friend's network and downloaded everything I needed in a single session. (The ultra-paranoid way to do this is to buy two identical computers, configure one using the above method, upload the results to a cloud-based anti-virus checker, and transfer the results of that to the air gap machine using a one-way process.)




2. Install the minimum software set you need to do your job, and disable all operating system services that you won't need. The less software you install, the less an attacker has available to exploit. I downloaded and installed OpenOffice, a PDF reader, a text editor, TrueCrypt, and BleachBit. That's all. (No, I don't have any inside knowledge about TrueCrypt, and there's a lot about it that makes me suspicious. But for Windows full-disk encryption it's that, Microsoft's BitLocker, or Symantec's PGPDisk -- and I am more worried about large US corporations being pressured by the NSA than I am about TrueCrypt.)




3. Once you have your computer configured, never directly connect it to the Internet again. Consider physically disabling the wireless capability, so it doesn't get turned on by accident.




4. If you need to install new software, download it anonymously from a random network, put it on some removable media, and then manually transfer it to the air-gapped computer. This is by no means perfect, but it's an attempt to make it harder for the attacker to target your computer.




5. Turn off all autorun features. This should be standard practice for all the computers you own, but it's especially important for an air-gapped computer. Agent.btz used autorun to infect US military computers.




6. Minimize the amount of executable code you move onto the air-gapped computer. Text files are best. Microsoft Office files and PDFs are more dangerous, since they might have embedded macros. Turn off all macro capabilities you can on the air-gapped computer. Don't worry too much about patching your system; in general, the risk of the executable code is worse than the risk of not having your patches up to date. You're not on the Internet, after all.




7. Only use trusted media to move files on and off air-gapped computers. A USB stick you purchase from a store is safer than one given to you by someone you don't know -- or one you find in a parking lot.




8. For file transfer, a writable optical disk (CD or DVD) is safer than a USB stick. Malware can silently write data to a USB stick, but it can't spin the CD-R up to 1000 rpm without your noticing. This means that the malware can only write to the disk when you write to the disk. You can also verify how much data has been written to the CD by physically checking the back of it. If you've only written one file, but it looks like three-quarters of the CD was burned, you have a problem. Note: the first company to market a USB stick with a light that indicates a write operation -- not read or write; I've got one of those -- wins a prize.




9. When moving files on and off your air-gapped computer, use the absolute smallest storage device you can. And fill up the entire device with random files. If an air-gapped computer is compromised, the malware is going to try to sneak data off it using that media. While malware can easily hide stolen files from you, it can't break the laws of physics. So if you use a tiny transfer device, it can only steal a very small amount of data at a time. If you use a large device, it can take that much more. Business-card-sized mini-CDs can have capacity as low as 30 MB. I still see 1-GB USB sticks for sale.




10. Consider encrypting everything you move on and off the air-gapped computer. Sometimes you'll be moving public files and it won't matter, but sometimes you won't be, and it will. And if you're using optical media, those disks will be impossible to erase. Strong encryption solves these problems. And don't forget to encrypt the computer as well; whole-disk encryption is the best.


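As an added example (not from the essay), a small Python script that puts rules 8 and 9 into practice: it pads a transfer device with random filler so there is no free space for stolen data, records a manifest of what was written on the trusted side, and when the media comes back flags anything added, removed or altered. The 64 KB capacity, the file names and the simulated tampering are constructed for the walk-through.

```python
import hashlib
import secrets
import shutil
import tempfile
from pathlib import Path

def build_manifest(root: Path) -> dict:
    """Record (size, sha256) for every file on the media, keyed by relative path."""
    return {str(p.relative_to(root)): (p.stat().st_size, hashlib.sha256(p.read_bytes()).hexdigest())
            for p in sorted(root.rglob("*")) if p.is_file()}

def fill_with_random(root: Path, capacity: int, chunk: int = 4096) -> int:
    """Rule 9: pad the media's unused capacity with random filler files so malware
    on the air-gapped side has no free space left to stash data in. Returns bytes written."""
    used = sum(p.stat().st_size for p in root.rglob("*") if p.is_file())
    written = 0
    while used + written + chunk <= capacity:
        (root / f"filler-{written // chunk:04d}.bin").write_bytes(secrets.token_bytes(chunk))
        written += chunk
    return written

def verify_media(expected: dict, root: Path) -> list:
    """Rule 8: when the media comes back, report anything added, removed or changed
    relative to the manifest taken when it was written on the trusted side."""
    actual = build_manifest(root)
    report = [f"unexpected file: {n} ({actual[n][0]} bytes)"
              for n in sorted(actual.keys() - expected.keys())]
    report += [f"missing file: {n}" for n in sorted(expected.keys() - actual.keys())]
    report += [f"modified file: {n}" for n in sorted(expected.keys() & actual.keys())
               if expected[n] != actual[n]]
    return report

def demo() -> tuple:
    """Constructed walk-through: a directory with a 64 KB budget stands in for a tiny
    transfer device. Returns (findings on untouched media, findings after tampering)."""
    media = Path(tempfile.mkdtemp(prefix="airgap-media-"))
    try:
        (media / "notes.txt").write_text("plain text travels best\n")
        fill_with_random(media, capacity=64 * 1024)
        manifest = build_manifest(media)          # taken before the media leaves the trusted side
        clean = verify_media(manifest, media)
        # Simulate malware on the air-gapped machine hiding stolen data on the media:
        # one new hidden file, and one random filler file overwritten in place.
        (media / ".stash").write_bytes(b"exfiltrated secret")
        (media / "filler-0000.bin").write_bytes(b"\x00" * 4096)
        return clean, verify_media(manifest, media)
    finally:
        shutil.rmtree(media)
```

Because the filler is random and hashed, overwriting it in place is caught just like adding a new file; the manifest itself must stay on the trusted machine, not on the media.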


One thing I didn't do, although it's worth considering, is use a stateless operating system like Tails. You can configure Tails with a persistent volume to save your data, but no operating system changes are ever saved. Booting Tails from a read-only DVD -- you can keep your data on an encrypted USB stick -- is even more secure. Of course, this is not foolproof, but it greatly reduces the potential avenues for attack.




Yes, all this is advice for the paranoid. And it's probably impossible to enforce for any network more complicated than a single computer with a single user. But if you're thinking about setting up an air-gapped computer, you already believe that some very powerful attackers are after you personally. If you're going to use an air gap, use it properly.




Of course you can take things further. I have met people who have physically removed the camera, microphone, and wireless capability altogether. But that's too much paranoia for me right now.




This essay previously appeared on Wired.com.




EDITED TO ADD:

Yes, I am ignoring TEMPEST attacks. I am also ignoring black bag attacks against my home.

