Virtual Air Gap Networks Explained: Air-Gapping A Virtual Machine

By Tal Zamir. October 24, 2019

Cyber attacks have become far too commonplace and sophisticated. So it’s not surprising that enterprise employees are continually and unwittingly exposing their devices – and their company’s crown jewels – to risk. 

CISOs and IT leaders know they need a more effective way to block sensitive company information from cyber criminals. That’s why they’re turning to “virtual air gap” technology. This isolation technology improves cybersecurity by orders of magnitude and uniquely lets users access the resources (websites, applications, plug-ins, email, etc.) they need without risk.  

Here’s a quick primer on what virtual air gap is and how it works. 

Virtual Air Gap

Virtual air gap’s approach is akin to physical air gaps. But instead of using separate physical machines dedicated for classified usage, virtual air gap uses a single physical machine to deliver the same top-grade security. 

It employs virtualization to seamlessly split a single, physical end-user device into few fully isolated local virtual machines (VMs), each with its own segregated operating system (OS). It does this in a way that is completely seamless to the user. Everything the user interacts with – including all applications and operating systems – runs in one of the VMs. 

Instead of letting a bloated/vulnerable OS control the user’s device, the endpoint is controlled by a hardened bare-metal hypervisor. The hypervisor manages a few isolated VMs running locally on the device, one per user persona/security zone. The isolation is done by leveraging processor hardware support for virtualization, available in any 5-year old commodity laptop/desktop (e.g., Intel VT). 

A typical set of air gapped VMs consists of:

  • An unlocked internet VM that allows the user unrestricted access to non-corporate resources. This includes the ability to browse the full web, install any application, and use external devices. 
  • A corporate VM for accessing standard corporate applications, such as office documents, corporate email, and internal services.
  • A locked-down privileged VM for accessing sensitive corporate data and systems, such as privileged IT systems, payment/transaction systems, sensitive customer data, CRM systems, etc.  

The VMs are completely segregated but live on one physical device. It’s like having physically separate, dedicated laptops, one per persona. 

Each VM’s network access is limited according to the security zone it belongs to. The internet VM can only access the wild internet. The corporate VM can only access non-privileged corporate network resources. The privileged VM can only access privileged resources on the network. This is achieved by deploying an invisible network security VM that acts as a local sophisticated firewall residing on the device and controlling the network traffic of the VMs.

From the user’s perspective, the endpoint looks like a single unified Windows desktop, as seen in the this user experience demo. End-users don’t have to understand anything about hypervisors or virtual machines. They work as they’re normally accustomed to while, behind the scenes, applications and websites are launched automatically in the correct VM due to unique application redirection features. 

Copying and pasting data between applications that belong to different VMs is done seamlessly by the user, but is strictly controlled by the hypervisor. IT administrators  can choose to completely block the functionality or allow it in certain directions and under centrally-defined limitations such as size, content, auditing or CDR (Content Disarm and Reconstruction). 

For example, the administrator can define a policy in which copying text from the internet VM into the corporate VM is allowed, audited, and limited to a certain amount of bytes per transfer, while blocking copying of content from the corporate VM to the internet VM. Note that all clipboard operations must be human-operated and cannot be initiated by malware residing inside the VMs. (The virtual air gap solution verifies human interaction on the physical hardware before allowing the clipboard operation to be completed).

Hysolate pioneered virtual air gap technology because, in previous lives, our founders and their colleagues were exasperated by the impossibility of protecting sensitive data from cybercriminals who target endpoints. Now, we’re giving CISOs and IT leaders the protection and productivity their companies want – and the peace of mind they need to sleep at night. 

Learn how to virtualize air gap networks with Hysolate, keeping employees productive and malware at bay. Request a demo to see the technology live for yourself.

About the Author

Tal is a 20-year software industry leader with a track record of solving urgent business challenges by reimagining how technology works. An entrepreneur at heart, he has pioneered multiple breakthrough cybersecurity and virtualization products. Before founding Hysolate, Tal incubated next-gen end-user computing products in the CTO office at VMware. Earlier, he was part of the leadership team at Wanova, a desktop virtualization startup acquired by VMware. Tal began his career in an elite IDF technology unit, leading mission-critical cybersecurity projects that won the prestigious Israeli Defense Award. He holds multiple US patents as well as an M.Sc. degree in Computer Science, and the honor of valedictorian, from the Technion.

Share this article: