Essential components of a Linux-based air-gapped network

Many of us have disconnected/air-gapped networks and may need tools to support some of our infrastructure requirements. You know, like that OpenShift Container Platform with OpenShift Container Storage backend install or other similar environments. There are some standard tools that you can expect to find whenever working with or building an air-gapped network. I highlight those tools in this article.

An air-gapped network is one that is self-contained but has no external or internet connectivity. Networks are often air-gapped as an extreme security method for government or corporate projects that require confidentiality or secrecy.

Typical components

Typical components needed within an air-gapped environment are Domain Name Service (DNS), Dynamic Host Configuration Protocol (DHCP), Trivial File Transfer Protocol (TFTP), PreBoot Execution Environment (PXE), Load Balancer(LB), and a web server.

DNS

DNS provides name resolution services to the air-gapped environment. DNS can be managed by BIND, Unbound, dnsmasq, or simply editing hosts files on each machine. Typically, regardless of the software used, the following records are needed:

• A records - IPv4 resolution record.
• AAAA records - IPv6 resolution record.
• SVC records - resolution record for services on the network.
• PTR records - reverse resolution for A records.

These records provide the resolution clients need on the network.

[ You might also like: Linux networking: 13 uses for netstat ]

DHCP

DHCP provides IP addresses to clients on the network without configuring each node manually. DHCP is supplied by dnsmasq or dhcpd. Several options are typically served with the DHCP assignment. Typical options passed to the clients are:

• IP Address - unique IP to identify the host on the network.
• Router/Gateway - usually, air-gapped environments are flat networks, but some may have routing if multiple air-gapped networks are connected together.
• DNS server - server(s) that provide name resolution for the network.
• TFTP server - profiles.
• TFTP boot file - additional boot files delivered by TFTP.

Those options offer the network settings the nodes need to fully communicate with each other on the air-gapped network.

Web server

Your toolbox can contain Apache, NGINX, NodeJS, or you may simply run a quick web server using Python.

TFTP

A Trivial File Transfer Protocol (TFTP) server serves or transfers files between a server and client, similar to FTP. However, there are some differences between the two, and they have their own respective use cases. TFTP uses UDP and runs on port 69. Typically, TFTP is used in conjunction with PreBoot Execution Environment (PXE) to serve files for diskless booting. However, it is often used to retrieve config files and even small system images, for example, router/switch OS images. A couple of options are :

• Tftp-server
• dnsmasq

PXE

PreBoot Execution Environment (PXE) provides an environment to boot and configure systems that do not have a locally-installed operating system. It is an "environment" and not so much one technology. Typically, the environment consists of a PXE-capable network card, a DHCP server, and a TFTP server. The booting process consists of:

1. Booting a small OS on the NIC or provided by CD/USB that broadcasts for an IP.
2. DHCP provides that IP and a location of the TFTP server to retrieve more files to boot with.
3. The TFTP server serves the remaining boot files/images to continue to boot.

That is a very simplified version of the PXE boot process. The goal is to explain that the system boots without a locally-installed OS. So, as mentioned previously, if you have DHCP, TFTP, and a PXE-compliant network card, you should be able to boot "from the network."

OpenShift

If you're working with OpenShift, you will need a repository and load balancer to help correctly install and run the required computing resources. There are several options for registry services, such as Quay or a simple manual registry using Podman.

HAProxy provides load balancing.

Certificate services can be managed with an install of FreeIPA or Dogtag, or by using simple OpenSSL-deployed certificates.

Alternatives

The software components can be rolled up in a live CD or deployed via a pod. Remember, pods contain containers. An option could be to containerize each component in a pod and deploy it as needed from a private registry. Other alternatives might be to use a proxy server to provide limited access to the network or to have a jump box/bastion host with one foot in the "air-gapped" network and one foot in the "connected" environment.

[ Free cheat sheet: Get a list of Linux utilities and commands for managing servers and networks. ] 

Wrap up

As you can see, many of the same services that are required in a "connected" network are also used in air-gapped networks. Services such as IP address allocation and name resolutions are necessary in either case. Just remember, in an air-gapped network, these services operate independently of other similar services.

Many Enable Sysadmin articles have been written on deploying or configuring the aforementioned software.