Many of us run disconnected/air-gapped networks and need tools to support the infrastructure requirements inside them, for example an OpenShift Container Platform install with an OpenShift Container Storage backend, or similar environments. There are some standard tools that you can expect to find whenever working with or building an air-gapped network. I highlight those tools in this article.
An air-gapped network is one that is self-contained but has no external or internet connectivity. Networks are often air-gapped as an extreme security method for government or corporate projects that require confidentiality or secrecy.
Typical components
Typical components needed within an air-gapped environment are Domain Name Service (DNS), Dynamic Host Configuration Protocol (DHCP), Trivial File Transfer Protocol (TFTP), PreBoot Execution Environment (PXE), Load Balancer(LB), and a web server.
DNS
DNS provides name resolution services to the air-gapped environment. DNS can be managed by BIND, Unbound, dnsmasq, or simply editing the hosts file on each machine. Whatever you use, configure it to be authoritative for the internal domain and not to forward to upstream resolvers; a forwarder that can never be reached turns every lookup for an unknown name into a timeout. Typically, regardless of the software used, the following records are needed:
- A records - IPv4 resolution record.
- AAAA records - IPv6 resolution record.
- SRV records - service location records (name, port, priority and weight) for services on the network.
- PTR records - reverse resolution for the A and AAAA records.
These records provide the resolution clients need on the network.
DHCP
DHCP provides IP addresses to clients on the network without configuring each node manually. DHCP can be served by dnsmasq or ISC dhcpd. Several options are typically served along with the address assignment. Typical options passed to the clients are:
- IP Address - unique IP to identify the host on the network.
- Router/Gateway - usually, air-gapped environments are flat networks, but some may have routing if multiple air-gapped networks are connected together.
- DNS server - server(s) that provide name resolution for the network.
- TFTP server (next-server, option 66) - address of the server holding the PXE boot files.
- TFTP boot file (option 67) - name of the boot loader the client should request over TFTP.
Those options offer the network settings the nodes need to fully communicate with each other on the air-gapped network.
Web server
Your toolbox can contain Apache, NGINX, NodeJS, or you may simply run a quick web server using Python. The web server carries whatever is too large or too slow for TFTP: kernels and initrds, install trees and package repositories, Ignition or kickstart files, and ISO images. A PXE boot loader typically fetches only itself and its config over TFTP and then pulls the rest from an HTTP URL.
TFTP
A Trivial File Transfer Protocol (TFTP) server serves or transfers files between a server and client, similar to FTP. However, there are some differences between the two, and they have their own respective use cases. TFTP uses UDP and runs on port 69. It has no authentication, no encryption, and no directory listing, so serve only the boot files from a dedicated, read-only directory. Typically, TFTP is used in conjunction with PreBoot Execution Environment (PXE) to serve files for diskless booting. However, it is often used to retrieve config files and even small system images, for example, router/switch OS images. A couple of options are:
- tftp-server
- dnsmasq
PXE
PreBoot Execution Environment (PXE) provides an environment to boot and configure systems that do not have a locally-installed operating system. It is an "environment" and not so much one technology. Typically, the environment consists of a PXE-capable network card, a DHCP server, and a TFTP server. The booting process consists of:
- The PXE firmware in the NIC's option ROM (or a network boot loader such as iPXE loaded from CD/USB) broadcasts a DHCP request.
- The DHCP server answers with an IP address, the TFTP server address (next-server, option 66) and the boot file name (option 67).
- The firmware fetches that boot loader from the TFTP server, and the boot loader loads the kernel, initrd and remaining configuration, often over HTTP from the web server.
That is a very simplified version of the PXE boot process. The goal is to explain that the system boots without a locally-installed OS. So, as mentioned previously, if you have DHCP, TFTP, and a PXE-compliant network card, you should be able to boot "from the network." Keep in mind that neither DHCP nor TFTP authenticates the server: any host on the segment that answers the DHCP broadcast first can hand out its own boot file. Keep the PXE segment physically controlled and use UEFI Secure Boot with a signed shim where the hardware supports it.
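As an added example (not from the original article), the dnsmasq configuration below provides every service described in the DNS, DHCP, TFTP and PXE sections from a single daemon: A, AAAA and SRV records (with PTR records generated automatically), DHCP with the router, DNS server, next-server and boot file options, and a TFTP root for PXE. The domain, interface name, hostnames, MAC and IP addresses and boot file names are assumptions for a hypothetical lab.

```ini
# /etc/dnsmasq.conf for an air-gapped lab (constructed example; all names and
# addresses are assumptions). One daemon serves DNS, DHCP and TFTP for PXE.

# --- general -----------------------------------------------------------
interface=eth0
bind-interfaces              # listen only on the air-gapped interface
domain=lab.example           # also sent to DHCP clients as option 15
local=/lab.example/          # authoritative for lab.example: never forward it
no-resolv                    # ignore /etc/resolv.conf; there is no upstream
log-dhcp

# --- DNS ---------------------------------------------------------------
# host-record=<name>,<IPv4>[,<IPv6>] creates A, AAAA and the matching PTR records
host-record=bastion.lab.example,10.0.0.10,fd00:10::10
host-record=lb.lab.example,10.0.0.11
host-record=bootstrap.lab.example,10.0.0.20
host-record=master0.lab.example,10.0.0.21
host-record=master1.lab.example,10.0.0.22
host-record=master2.lab.example,10.0.0.23
host-record=worker0.lab.example,10.0.0.31
host-record=worker1.lab.example,10.0.0.32
# srv-host=_service._proto.domain,target,port,priority,weight
srv-host=_ldap._tcp.lab.example,bastion.lab.example,389,0,10

# --- DHCP --------------------------------------------------------------
dhcp-authoritative           # no other DHCP server exists on this segment
dhcp-range=10.0.0.100,10.0.0.200,255.255.255.0,12h
dhcp-option=option:router,10.0.0.1       # option 3
dhcp-option=option:dns-server,10.0.0.10  # option 6
# pin cluster nodes to their MACs so the DNS names above stay correct
dhcp-host=52:54:00:aa:bb:20,10.0.0.20,bootstrap
dhcp-host=52:54:00:aa:bb:21,10.0.0.21,master0
dhcp-host=52:54:00:aa:bb:22,10.0.0.22,master1
dhcp-host=52:54:00:aa:bb:23,10.0.0.23,master2
dhcp-host=52:54:00:aa:bb:31,10.0.0.31,worker0
dhcp-host=52:54:00:aa:bb:32,10.0.0.32,worker1

# --- TFTP / PXE --------------------------------------------------------
enable-tftp
tftp-root=/var/lib/tftpboot  # read-only directory holding only boot files
tftp-secure                  # serve only files owned by the dnsmasq user
# Client architecture (option 93): 7 = x86-64 UEFI. UEFI clients get the signed
# shim (which loads grubx64.efi next to it); everything else gets pxelinux.
# dhcp-boot=<file>,<server name>,<server address> sets option 67 and next-server.
dhcp-match=set:efi-x86_64,option:client-arch,7
dhcp-boot=tag:efi-x86_64,shimx64.efi,bastion.lab.example,10.0.0.10
dhcp-boot=pxelinux.0,bastion.lab.example,10.0.0.10
```

Validate the file with `dnsmasq --test -C /etc/dnsmasq.conf` before starting the service. The `bind-interfaces` and `tftp-secure` lines limit what the daemon exposes, but they do not change the fact that PXE and TFTP are unauthenticated, so the segment itself still has to be trusted.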
OpenShift
If you're working with OpenShift, you will need a container image registry (a mirror of the release images, since nodes cannot pull from the internet) and a load balancer to correctly install and run the required computing resources. There are several options for registry services, such as Quay or a simple registry run manually with Podman.
HAProxy is a common choice for load balancing the cluster API and ingress endpoints.
Certificate services can be managed with an install of FreeIPA or Dogtag, or by using simple OpenSSL-generated certificates; either way, the CA certificate has to be distributed to every node and client that will talk to the registry.
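As an added example (not from the article or from the OpenShift documentation), the HAProxy configuration below fronts an OpenShift cluster: the Kubernetes API on 6443, the machine config server on 22623, and ingress on 80 and 443. The port numbers are the ones OpenShift uses; the hostnames, addresses and the load balancer's own IP are assumptions for a hypothetical lab.

```haproxy
# /etc/haproxy/haproxy.cfg for an OpenShift cluster (constructed example;
# node addresses and the LB address 10.0.0.11 are assumptions).
global
    log         /dev/log local0
    maxconn     4000
    daemon

defaults
    mode                    tcp
    log                     global
    option                  tcplog
    option                  dontlognull
    timeout connect         10s
    timeout client          1m
    timeout server          1m

# Kubernetes API: used by oc/kubectl and by nodes joining the cluster.
# Bind to the LB address only, not to every interface on the host.
frontend api
    bind 10.0.0.11:6443
    default_backend api
backend api
    balance source
    server bootstrap 10.0.0.20:6443 check
    server master0   10.0.0.21:6443 check
    server master1   10.0.0.22:6443 check
    server master2   10.0.0.23:6443 check

# Machine config server: only needed while nodes are being installed.
frontend machine-config
    bind 10.0.0.11:22623
    default_backend machine-config
backend machine-config
    balance source
    server bootstrap 10.0.0.20:22623 check
    server master0   10.0.0.21:22623 check
    server master1   10.0.0.22:22623 check
    server master2   10.0.0.23:22623 check

# Ingress: HTTP and HTTPS to the router pods on the worker nodes.
frontend ingress-http
    bind 10.0.0.11:80
    default_backend ingress-http
backend ingress-http
    balance source
    server worker0 10.0.0.31:80 check
    server worker1 10.0.0.32:80 check

frontend ingress-https
    bind 10.0.0.11:443
    default_backend ingress-https
backend ingress-https
    balance source
    server worker0 10.0.0.31:443 check
    server worker1 10.0.0.32:443 check
```

Check the syntax with `haproxy -c -f /etc/haproxy/haproxy.cfg`. On RHEL with SELinux enforcing, binding to 6443 and 22623 requires `setsebool -P haproxy_connect_any 1`. Once the cluster is up, remove the bootstrap servers, and remove the machine-config frontend entirely unless you are still adding nodes: it serves unauthenticated Ignition configs and has no business being reachable afterwards.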
Alternatives
The software components can be rolled up in a live CD or deployed via a pod. Remember, pods contain containers. An option could be to containerize each component in a pod and deploy it as needed from a private registry. Other alternatives might be to use a proxy server to provide limited access to the network or to have a jump box/bastion host with one foot in the "air-gapped" network and one foot in the "connected" environment. Be aware that a dual-homed bastion or a proxy is, by definition, the one bridge across the gap: it has to be hardened, logged and restricted to the specific traffic you intend to let through, or the network is no longer air-gapped in any meaningful sense.
Wrap up
As you can see, many of the same services that are required in a "connected" network are also used in air-gapped networks. Services such as IP address allocation and name resolutions are necessary in either case. Just remember, in an air-gapped network, these services operate independently of other similar services.
Many Enable Sysadmin articles have been written on deploying or configuring the aforementioned software.
About the author
Stephen Wilson is a Senior Storage Consultant with Red Hat, Inc. He has over 20 years of experience in information systems management. His professional interests include system administration, cybersecurity, cloud technologies, and virtualization.
Stephen lives in Meridian, MS with his wife Tan and two boys, Stephen and Matthew. Stephen's personal hobbies include weightlifting, running (yes, for fun), and basketball. Stephen is active in his community and volunteers his time to try and make things better for everybody.