Importing Updates into an Air-Gapped Network.

Everfox High Assurance Cyber Solutions

How to securely import Windows updates, security patches and third-party patches into an air-gapped network using an Everfox Cross Domain Solution (CDS)

Some networks, especially those running critical operations or holding very sensitive information, need to stay disconnected from the internet. Isolation protects them from remote cyber threats and unauthorised access; networks used for military communications, financial transactions or healthcare data often require this level of protection. Keeping these networks isolated helps keep their operations safe and their data private, reducing the risk of cyber-attacks and data breaches at the cost of connectivity.

However, disconnected systems have always faced the same problem: they still need some way to receive software updates, security patches and library updates without being connected directly to the internet. Outdated systems running old software versions are ripe for attack, especially when those systems are among the most critical in the world [1].

Sneakernet and Air-Gapped Systems

Organisations often take the path of least resistance, which is to preserve the illusion that a system is still disconnected while copying update files from the low-side network on USB drives. The previously disconnected system becomes connected the moment the USB drive is inserted into the air-gapped machine, and the malware checks applied to the drive are often insufficient to protect the destination system. Important and costly resources, such as IT administrators, spend their time copying files to and from those drives. This is a natural trade-off: the more updates that are pushed to the air-gapped network, the more effort is required from the administrator. The Airgap Update Solution aims to remove this trade-off by automating the transfer of data without weakening the security posture a sneakernet is meant to provide.

Windows Update CDS Tools 

Everfox has developed a utility for the automated export of Windows updates from a Windows Server outside the air-gapped network and their import into a destination server inside it. It is designed to be used in conjunction with the Everfox Copier file utility and one or more Everfox Cross Domain Solutions.

The Everfox Windows Update utility is deployed to the machine hosting the WSUS server on each network and is designed as a lightweight plugin to the Everfox Copier. Automated configuration scripts mean that the entire solution, including configuration of the Copier, can be deployed from scratch in as little as 30 minutes. Because the utility runs on the same machine as the WSUS server on both sides, there is no need to keep a secondary copy of each update on the source or destination side: a single copy is held and replicated to the destination network. No additional VMs need to be launched beyond the CDS itself.

Figure: simple architectural diagram of a typical WSUS deployment

Automated Update Rollout Across the Air-Gapped Estate

The Everfox Windows Update tools are built for a fully automated deployment on the schedule configured in Windows Task Scheduler. By default the transfer runs once a day, after which the destination WSUS server distributes all newly available updates to each machine in the air-gapped network that is subscribed to them.

Signature Checking

The Everfox Windows Update Solution performs multiple signature checks to ensure that the integrity of an update is not compromised during the copy operation or during its ingestion into the destination WSUS server. These checks are:

  • An initial signature check on the source side, before an update is ingested into the source WSUS server.
  • Signature checks, including binary and hash checks, within the Copier utility itself, to ensure nothing has been tampered with in transit. This is combined with full TLS configuration in Copier so that all communication is encrypted in transit.
  • Manifest checks on both the sender and the receiver, on a per-update basis, giving an auditable record of the files transferred.
  • A further signature check on the destination WSUS server before ingestion.

The process steps are as follows:

1) Configurable synchronisation from the internet to the source WSUS server, to pull new updates.
2) Validation of the signature on each update.
3) Export of the WSUS database, including all update metadata.
4) Generation of a manifest file listing every file in each update.
5) Transfer of the new updates from the source server to the disconnected WSUS server.
6) Import of the WSUS database and metadata into the disconnected WSUS server, provided the manifest and signature checks pass.
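As an added example (not Everfox's utility or Copier, whose internals are not described on this page), the following PowerShell script shows how the signature and manifest checks above and steps 3 to 6 of this process map onto Microsoft's own WSUS tooling: wsusutil.exe export/import for the metadata, a per-file SHA-256 manifest generated on the low side and verified on the high side, and an Authenticode check on the update containers before anything is imported. The paths, the staging-directory layout and the use of robocopy to stand in for the cross-domain transfer are assumptions.

```powershell
# Added example, not Everfox's utility: the export / manifest / verify / import steps
# for a disconnected WSUS server, using Microsoft's wsusutil.exe and built-in cmdlets.
# Paths, the staging layout and the use of robocopy in place of Copier are assumptions.
param(
    [Parameter(Mandatory)] [ValidateSet('Export', 'Import')] [string] $Mode,
    [string] $WsusContent = 'D:\WSUS\WsusContent',                                  # assumed content root
    [string] $Staging     = 'D:\Transfer\wsus',                                     # assumed dir handed to the CDS
    [string] $WsusUtil    = "$env:ProgramFiles\Update Services\Tools\wsusutil.exe"  # default install path
)

$Metadata      = Join-Path $Staging 'metadata.xml.gz'
$Manifest      = Join-Path $Staging 'manifest.sha256.txt'
$StagedContent = Join-Path $Staging 'WsusContent'

function New-ContentManifest([string] $Root, [string] $Path) {
    # One line per file, "<SHA256>  <relative path>", so the receiver can check every file.
    $base = (Resolve-Path -LiteralPath $Root).Path.TrimEnd('\')
    Get-ChildItem -LiteralPath $base -Recurse -File | ForEach-Object {
        $rel = $_.FullName.Substring($base.Length).TrimStart('\')
        '{0}  {1}' -f (Get-FileHash -LiteralPath $_.FullName -Algorithm SHA256).Hash, $rel
    } | Set-Content -LiteralPath $Path -Encoding UTF8
}

function Test-ContentManifest([string] $Root, [string] $Path) {
    # Fails closed: a malformed line, a missing file or a hash mismatch all veto the import.
    $bad = 0
    foreach ($line in Get-Content -LiteralPath $Path) {
        if (-not ($line -match '^([0-9A-F]{64})  (.+)$')) { $bad++; continue }
        $expected, $rel = $Matches[1], $Matches[2]
        $file = Join-Path $Root $rel
        if (-not (Test-Path -LiteralPath $file)) { Write-Warning "missing: $rel"; $bad++; continue }
        if ((Get-FileHash -LiteralPath $file -Algorithm SHA256).Hash -ne $expected) {
            Write-Warning "hash mismatch: $rel"; $bad++
        }
    }
    return ($bad -eq 0)
}

function Test-UpdateSignatures([string] $Root) {
    # Authenticode check on the update containers before wsusutil import touches them.
    $failed = @(Get-ChildItem -LiteralPath $Root -Recurse -File -Include *.cab, *.exe, *.msu, *.msi |
        ForEach-Object { Get-AuthenticodeSignature -FilePath $_.FullName } |
        Where-Object { $_.Status -ne 'Valid' })
    foreach ($sig in $failed) { Write-Warning "signature $($sig.Status): $($sig.Path)" }
    return ($failed.Count -eq 0)
}

switch ($Mode) {
    'Export' {   # run on the connected (low side) WSUS host after it has synchronised
        New-Item -ItemType Directory -Force -Path $Staging | Out-Null
        & $WsusUtil export $Metadata (Join-Path $Staging 'export.log')   # metadata only
        if ($LASTEXITCODE -ne 0) { throw "wsusutil export failed ($LASTEXITCODE)" }
        robocopy $WsusContent $StagedContent /E /NFL /NDL /NJH /NJS | Out-Null
        if ($LASTEXITCODE -ge 8) { throw "robocopy failed ($LASTEXITCODE)" }   # 0-7 are success codes
        New-ContentManifest -Root $StagedContent -Path $Manifest
    }
    'Import' {   # run on the disconnected (high side) WSUS host once $Staging has crossed the CDS
        if (-not (Test-ContentManifest -Root $StagedContent -Path $Manifest)) { throw 'manifest check failed; not importing' }
        if (-not (Test-UpdateSignatures -Root $StagedContent)) { throw 'Authenticode check failed; not importing' }
        robocopy $StagedContent $WsusContent /E /NFL /NDL /NJH /NJS | Out-Null
        if ($LASTEXITCODE -ge 8) { throw "robocopy failed ($LASTEXITCODE)" }
        & $WsusUtil import $Metadata (Join-Path $Staging 'import.log')
        if ($LASTEXITCODE -ne 0) { throw "wsusutil import failed ($LASTEXITCODE)" }
    }
}
```

Run it with -Mode Export on the connected WSUS host after synchronisation and with -Mode Import on the disconnected host once the staging directory has crossed the CDS; both sides can be driven from Task Scheduler (for example with Register-ScheduledTask). The manifest check fails closed, so a single missing or altered file blocks the whole import rather than leaving a partially imported update set. Note that wsusutil export writes the update metadata only: the WsusContent tree has to be carried across separately, which is exactly what the per-file manifest and the Authenticode check protect.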

Using WSUS for Third-Party Patches

Finally, third-party patches and anti-virus updates can be handled either with the Copier utility itself or through the WSUS API [2]. Microsoft Configuration Manager, using WSUS as its software update point, then provides full status messages and automated rollout of third-party patches to clients.

Overall, the Airgap Update Solution offers several ways of importing updates safely and quickly, without wasting valuable time copying files to and from removable media.

                      We’re here to help – reach out if you’d like to discuss this topic further. 

                      Aaron Mulgrew, Senior Solutions Architect, Western Europe & UK 

                      Scott Gallagher, Infrastructure Engineer, UK 

                      Tim Freestone, Director Sales Engineering, International & Global Solutions, UK 

[1] https://www.csoonline.com/article/2514214/legacy-systems-are-the-achilles-heel-of-critical-infrastructure-cybersecurity.html

[2] https://learn.microsoft.com/en-us/previous-versions/windows/desktop/bb902470(v=vs.85)