Ask HN: Company wants to isolate corporate network from the Internet
Corporate is nervous about cyber attacks and has asked about isolating the corporate network from the Internet and using VMs for webmail and browsing. Updates can be done offline.

Is this doable or just ridiculous?

Isolating the network does increase the security while reducing the attack surface. But without good, usable Internet access, it's harder to be productive as an employee. Therefore the efficiency of the workforce will be lowered. Depending on your company size, there are ways to achieve relatively high security. However, no system is secure enough, and everything can be hacked at some point if there is enough interest in it.

Most of the time when I've had to work on an air-gapped network, I was also provided with a second computer connected to the Internet. I found that to be a good compromise, though getting small code snippets or scripts onto the air-gapped network was a pain, since I had to type the whole thing or bug IT to transfer it. I say most of the time, since I once had to work in a very high-security environment with no Internet-connected computers in the area. I had to leave the secure area to look up things on my phone. It was a nightmare.

This is the ideal design, along with an office whose job it is to manually move data from the public side to the private side. These offices usually have a server on the public and private side to make it seem like it's an automated transfer (like putting a file in Dropbox on the public side and then seeing it show up on the private side), but in reality you have a security guard making sure nobody's copying up `MSOfficeOfficialThisTime.msi`.

Couldn't you print the snippet as a QR code and then scan it on the air-gapped system?

There are others like this. This is the one I can recall now. Basically the proxy MITMs a JS agent, which is pretty much VNC for your browser. You only get the view of the headless proxy sandbox rendering whatever page you requested. So if any escape happens, it happens in an isolated, disposable compute environment managed by the proxy: https://www.broadcom.com/products/cyber-security/network/web...

I've worked on air-gapped networks and I was probably a tenth as productive as I normally can be (if that) as a programmer. Having all sorts of info at your fingertips speeds up development and debugging quite a bit. I'd be worried your leadership doesn't understand the trade-off they're making for company productivity for something like this.

Absolutely doable. The other question may be how this can help against "cyber attacks", but I guess that's for you to figure out.