An air gap (also called an air wall or air‑gapping) is a defensive measure in computer security in which one or more computers or an entire network are physically and logically isolated from untrusted networks. The primary goal is to prevent direct electronic communication with external systems such as the public Internet, an unsecured local area network, or other networks that could carry malware or enable remote data exfiltration. Air‑gapped systems are typically used where confidentiality, integrity, or operational safety is critical.
Characteristics and implementation
Air gapping is a configuration and set of organizational controls rather than a single product. Implementations usually combine physical separation of cabling and devices, disabling or removing network interfaces and wireless radios, strict controls and inspection of removable media, and rigorous access control for personnel. Where limited data flows are needed, one‑way hardware devices called data diodes can allow controlled outbound transfer without permitting inbound traffic. Manual transfer of files using removable media or dedicated, inspected transfer stations is often called "sneakernet."
History and notable examples
The practice of keeping critical systems offline predates modern networks, but in recent decades it became formalized in military, intelligence and industrial contexts. High‑profile incidents such as the Stuxnet malware demonstrated that air‑gapped environments can be targeted indirectly—for example via infected removable media, compromised supply‑chain components, or malicious insiders—so air gaps are treated as a strong layer of defense rather than an absolute guarantee.
Threats and bypass techniques
- Removable media (USB drives, optical media) transferring malware between networks.
- Insider threats: authorized users who intentionally or unknowingly bridge the gap.
- Supply‑chain compromises embedding malware in hardware or firmware before deployment.
- Side‑channel exfiltration using electromagnetic emissions, acoustic signals, optical signals (LEDs or screens), or power‑line modulation, techniques demonstrated in academic security research.
- Physical access attacks where an adversary directly tampers with devices or installs covert transmitters.
Uses, benefits and limitations
Air gaps reduce the remote attack surface and can make large‑scale remote intrusion much harder, which is why they are common in classified networks, industrial control systems (ICS/SCADA), nuclear and critical infrastructure facilities, and in some consumer uses such as cryptocurrency cold storage. However, air gapping increases operational complexity and cost: updating software, backing up data, and sharing information require careful procedures. The technique also cannot eliminate risks posed by human error, physical compromise, or preexisting hardware compromises.
Mitigation and best practices
Effective air‑gap security combines technical and procedural controls. Recommended measures include:
- Strict policies and technical controls for removable media (whitelisting, encryption, single‑use media, scanning in dedicated transfer stations).
- Physical security and tamper‑evident measures for devices and wiring; controlled visitor access and logging.
- Use of data diodes or vetted one‑way transfer mechanisms when data flows are required.
- Firmware and supply‑chain verification, hardware attestation, and integrity checks before deployment.
- Regular audits, monitoring for anomalous activity, and training to reduce human errors and insider risk.
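As an added example (not part of the original article), a transfer-station import check of the kind the removable-media measures above describe: the originating side writes a manifest of file digests authenticated with an HMAC, and the station refuses media whose manifest fails authentication, whose files are unlisted, of a disallowed type, modified since the manifest was made, or missing. The key, the file-type allowlist and the sample files are constructed assumptions.

```python
import hashlib, hmac, json, tempfile
from pathlib import Path

ALLOWED_SUFFIXES = {".txt", ".csv", ".pdf"}   # file types the station admits

def sha256_file(path: Path) -> str:
    return hashlib.sha256(path.read_bytes()).hexdigest()

def media_files(root: Path) -> list:
    return [p for p in sorted(root.rglob("*")) if p.is_file() and p.name != "MANIFEST.json"]

def build_manifest(root: Path, key: bytes) -> dict:
    """Originating side: list every file with its digest, then MAC the list."""
    files = {p.relative_to(root).as_posix(): sha256_file(p) for p in media_files(root)}
    body = json.dumps(files, sort_keys=True).encode()
    return {"files": files, "mac": hmac.new(key, body, "sha256").hexdigest()}

def check_media(root: Path, manifest: dict, key: bytes) -> list:
    """Transfer station: return policy violations; an empty list permits import."""
    body = json.dumps(manifest["files"], sort_keys=True).encode()
    if not hmac.compare_digest(hmac.new(key, body, "sha256").hexdigest(), manifest["mac"]):
        return ["manifest MAC invalid: refuse the whole media"]
    listed, problems = manifest["files"], []
    for p in media_files(root):
        rel = p.relative_to(root).as_posix()
        if rel not in listed:                      # file the sender never vouched for
            problems.append(f"{rel}: not in manifest")
            continue
        if p.suffix.lower() not in ALLOWED_SUFFIXES:
            problems.append(f"{rel}: file type not on allowlist")
        if sha256_file(p) != listed[rel]:          # modified after the manifest was made
            problems.append(f"{rel}: digest mismatch")
    problems += [f"{rel}: listed but missing" for rel in listed if not (root / rel).is_file()]
    return problems

def demo() -> dict:
    """Constructed scenarios on a temporary directory standing in for the media."""
    key = b"station-key-constructed-for-demo"       # constructed; a real key stays on the station
    root = Path(tempfile.mkdtemp())
    (root / "report.txt").write_text("quarterly readings\n")
    manifest = build_manifest(root, key)
    clean = check_media(root, manifest, key)
    (root / "report.txt").write_text("quarterly readings\nunexpected edit\n")
    tampered = check_media(root, manifest, key)
    (root / "tool.exe").write_bytes(b"MZ")          # unlisted file of a disallowed type
    extra = check_media(root, manifest, key)
    bad_mac = check_media(root, {**manifest, "mac": "00" * 32}, key)
    return {"clean": clean, "tampered": tampered, "extra": extra, "bad_mac": bad_mac}
```

The manifest authenticates only what the sender vouched for; scanning the admitted files for malicious content is a separate step the station still has to perform.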
Architects of secure systems treat air gaps as one layer within a defense‑in‑depth strategy and design update, backup, and maintenance processes that preserve the isolation guarantees. For more on secure network design and isolation patterns, see related discussions of secure networks, the public Internet, and local area network segmentation.