For the most critical infrastructure (nuclear, military, ICS), logical segmentation isn't enough. Physical isolation (air gaps) or hardware-enforced unidirectional flows (data diodes) are required to prevent remote compromise.
An air-gapped network has no physical or logical connection to the internet or the corporate network. Stuxnet proved, however, that an air gap can be bridged by infected USB drives; supply chain compromises and RF emissions are further documented ways across it.
💡 Pro-tip: True air gaps require strict physical security, a ban on removable media, and supply chain vetting. Without these, the 'air gap' is just a false sense of security.
```bash
# Disabling USB mass storage on Linux air-gapped hosts
echo "blacklist usb-storage" | sudo tee /etc/modprobe.d/usb-storage.conf
# 'blacklist' only stops automatic loading; also refuse explicit modprobe requests
echo "install usb-storage /bin/false" | sudo tee -a /etc/modprobe.d/usb-storage.conf
```

This modprobe configuration prevents the kernel from loading the USB mass-storage driver, so flash drives are not recognized, closing the most common physical vector for bridging an air gap.
A data diode is a physical hardware device with two fiber optic connections: one send-only, one receive-only. It physically guarantees that data can only flow OUT of the secure network (e.g., for logging), but nothing can ever flow IN.
⚠️ Data diodes break standard TCP/IP because TCP requires bidirectional acknowledgments. You must use specialized proxy agents on both sides to handle the protocol translation over the diode.
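As an added example (not part of the lesson and not any vendor's proxy code), here is a minimal framing scheme a receive-side proxy could use for a log feed over a diode: with no return path there can be no acknowledgments, so each frame carries a sequence number and CRC and the receiver detects loss and corruption on its own. The frame layout, field names and sample log lines are my own assumptions.

```python
import struct
import zlib

# Added example (not from the lesson): one-way framing across a data diode. No ACKs
# are possible, so sequence number + CRC let the receiving proxy spot loss locally.
MAGIC = b"DIOD"
HEADER = struct.Struct("!4sIHI")  # magic, seq, payload length, crc32 of payload

def encode_frame(seq: int, payload: bytes) -> bytes:
    return HEADER.pack(MAGIC, seq & 0xFFFFFFFF, len(payload), zlib.crc32(payload)) + payload

def decode_frame(frame: bytes):
    """Parse a frame on the receive-only side; (seq, payload) or None if invalid."""
    if len(frame) < HEADER.size:
        return None
    magic, seq, length, crc = HEADER.unpack_from(frame)
    payload = frame[HEADER.size:]
    if magic != MAGIC or len(payload) != length or zlib.crc32(payload) != crc:
        return None  # corrupted or foreign frame: drop it, there is no way to ask again
    return seq, payload

class DiodeReceiver:
    """Tracks sequence numbers so gaps are logged instead of silently lost."""
    def __init__(self):
        self.next_seq = 0
        self.missing = []   # sequence numbers never received
        self.rejected = 0   # frames that failed validation
        self.records = []

    def feed(self, frame: bytes):
        decoded = decode_frame(frame)
        if decoded is None:
            self.rejected += 1
            return
        seq, payload = decoded
        if seq > self.next_seq:  # gap: frames were lost on the one-way link
            self.missing.extend(range(self.next_seq, seq))
        self.next_seq = max(self.next_seq, seq + 1)
        self.records.append(payload.decode())

def run_demo():
    # Constructed sample: five syslog-style lines leave the secure side; the simulated
    # diode link drops frame 2 and corrupts the last byte of frame 3 in transit.
    lines = [f"<13>host1 plc[1]: cycle {i} ok" for i in range(5)]
    frames = [encode_frame(i, line.encode()) for i, line in enumerate(lines)]
    delivered = [frames[0], frames[1], frames[3][:-1] + b"X", frames[4]]
    rx = DiodeReceiver()
    for frame in delivered:
        rx.feed(frame)
    return rx
```

In a real deployment the missing and rejected counters would feed an alert, since the sending side can never learn about the loss itself.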
| Method | Security | Usability |
|---|---|---|
| Logical VLAN | Low | High |
| Air Gap | Very High | Very Low (Manual transfers) |
| Data Diode | Maximum (Hardware) | Medium (Unidirectional only) |