Applying Windows Security Updates to Air-Gapped Systems

BatchPatch provides two basic methods for applying updates to so-called “air-gapped” systems that are isolated from the rest of the world. Patching systems in isolated networks has always been both a challenge and a pain because you can’t simply follow your normal procedures to get updates applied to them. Air-gapped systems virtually always have stricter security in place and more rules set up to prevent unauthorized access. Additionally, the systems themselves often tend to be the operating backbone of various other high-security systems or services, so they have an especially critical role just by virtue of what they do. The irony is that the computers on these air-gapped networks are isolated specifically to create and facilitate a higher level of security, but the fact that they sit on a segregated network makes them harder to keep updated, and keeping systems updated is of paramount importance to keeping them as secure as possible. It’s a bit of a catch-22: you isolate the systems to make them harder to penetrate and more secure, but in isolating them you also make them harder to update, and keeping them updated is part of what keeps them secure.

All of the BatchPatch cached mode and offline update options are described in more detail here: Cached Mode and Offline Updates


In the case where you have to apply Windows security updates to systems that are not connected to the internet or to a WSUS server, your two options for using BatchPatch to complete this task can be broken down as follows:

Method A: Determine which updates are needed by the target computers, and then download just those particular updates on an internet-connected computer. Then transfer the cache of downloaded updates to the offline / air-gapped network. Then apply the updates to the target computers.

Step-by-step tutorial for Method A: Patching an air-gapped environment with less stringent security rules

Method B: Without first determining which particular updates are needed by the target computers, use an internet-connected computer to download *all* possible updates that could be needed. Then transfer the cache of downloaded updates to the offline / air-gapped network. Then apply the needed updates to the target computers.

Step-by-step tutorial for Method B: Patching an air-gapped environment with strict security rules

Why two different methods?

Method A requires first scanning the offline computers to discover which updates they need installed. When this operation is performed BatchPatch will produce a list of updates and URLs. That list then has to be moved to a computer that has internet access so that BatchPatch can process the list and download all of the needed updates. Once the updates have been downloaded they can then be moved to the offline network for consumption by the target computers. The problem with this approach is that in some cases the security rules for the isolated network prevent anyone from taking *anything* from the isolated network to a different network, even if it’s just a text file listing updates and URLs. In other cases the rules might allow such a file to be removed from the offline network, but doing so would require a whole change management process to be initiated, and the bureaucratic overhead of this option might simply make it more of a pain than anyone wants to deal with, especially if it needs to be done on a regular basis every month or two or three.

Method B does not require any files to be taken from the air-gapped network, so it can be more convenient. However, the downside of Method B is that since you don’t determine in advance which updates are needed by the air-gapped systems, you have to download *all* of the possible updates that could be needed. Since this could end up being quite a few updates, it will take more time, more bandwidth, and more storage space.
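Both methods end with a cache of downloaded update files being carried across the air gap on removable media, and Method A additionally starts with a per-host list of needed updates and URLs that is carried the other way. The following is an added example, not BatchPatch's own code or file format: it collapses a constructed per-host scan list into the unique set of URLs to fetch, and it builds a SHA-256 manifest of the download cache on the connected side so the isolated side can confirm that every file arrived intact and that nothing extra was added to the cache in transit. The tab-separated scan format, the manifest format, the placeholder KB numbers and the `example.invalid` URLs are all assumptions made for illustration.

```python
"""Added example (not BatchPatch code): integrity manifest for an update cache
carried across an air gap, plus de-duplication of a Method A scan list.
The scan-list and manifest formats below are assumptions for illustration."""
import hashlib
import tempfile
from pathlib import Path
from typing import Dict, Iterable, List

# Constructed scan output: two hosts, overlapping updates, one bad http entry.
# Assumed format: host<TAB>kb<TAB>title<TAB>url   (KB numbers are placeholders)
SCAN_LINES = [
    "# constructed scan output for two air-gapped hosts",
    "host01\tKB0000001\tSecurity Update (placeholder)\thttps://example.invalid/kb0000001-x64.msu",
    "host02\tKB0000001\tSecurity Update (placeholder)\thttps://example.invalid/kb0000001-x64.msu",
    "host02\tKB0000002\tCumulative Update (placeholder)\thttps://example.invalid/kb0000002-x64.msu",
    "host02\tKB0000003\tRejected entry (plain http)\thttp://example.invalid/kb0000003-x64.msu",
]


def unique_download_urls(scan_lines: Iterable[str]) -> List[str]:
    """Collapse the per-host list into the unique URLs to fetch once.
    Only https URLs are accepted so the download host itself cannot be fed
    a tampered file by an on-path attacker."""
    urls = set()
    for line in scan_lines:
        parts = line.rstrip("\n").split("\t")
        if len(parts) != 4 or line.startswith("#"):
            continue
        url = parts[3].strip()
        if url.lower().startswith("https://"):
            urls.add(url)
    return sorted(urls)


def sha256_of(path: Path) -> str:
    """Stream the file so multi-hundred-MB update packages do not load into memory."""
    digest = hashlib.sha256()
    with path.open("rb") as handle:
        for chunk in iter(lambda: handle.read(1 << 20), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_manifest(cache_dir) -> Dict[str, str]:
    """Map every file under cache_dir (relative POSIX path) to its SHA-256."""
    root = Path(cache_dir)
    return {p.relative_to(root).as_posix(): sha256_of(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def write_manifest(manifest: Dict[str, str], path) -> None:
    # Assumed manifest line format: "<sha256 hex>  <relative path>"
    Path(path).write_text("".join(f"{h}  {name}\n" for name, h in sorted(manifest.items())))


def read_manifest(path) -> Dict[str, str]:
    manifest = {}
    for line in Path(path).read_text().splitlines():
        if line.strip():
            digest, name = line.split(None, 1)
            manifest[name] = digest
    return manifest


def verify_cache(cache_dir, manifest: Dict[str, str]) -> Dict[str, List[str]]:
    """Compare the cache as received on the isolated side against the manifest."""
    actual = build_manifest(cache_dir)
    return {
        "ok": sorted(n for n in manifest if actual.get(n) == manifest[n]),
        "missing": sorted(n for n in manifest if n not in actual),
        "mismatched": sorted(n for n in manifest if n in actual and actual[n] != manifest[n]),
        "unexpected": sorted(n for n in actual if n not in manifest),
    }


def is_clean(result: Dict[str, List[str]]) -> bool:
    """Reject the whole cache if anything is missing, altered, or unlisted."""
    return not (result["missing"] or result["mismatched"] or result["unexpected"])


def demo() -> Dict[str, Dict[str, List[str]]]:
    """Build a constructed cache, verify it, then simulate tampering in transit."""
    with tempfile.TemporaryDirectory() as tmp:
        cache = Path(tmp) / "cache"
        (cache / "x64").mkdir(parents=True)
        (cache / "x64" / "kb0000001-x64.msu").write_bytes(b"constructed update payload")
        (cache / "readme.txt").write_bytes(b"constructed notes")
        manifest_file = Path(tmp) / "cache.sha256"
        write_manifest(build_manifest(cache), manifest_file)   # connected side
        expected = read_manifest(manifest_file)                # isolated side
        clean = verify_cache(cache, expected)
        (cache / "readme.txt").write_bytes(b"altered after the manifest was written")
        (cache / "x64" / "extra.exe").write_bytes(b"file that was never downloaded")
        tampered = verify_cache(cache, expected)
        return {"clean": clean, "tampered": tampered}


if __name__ == "__main__":
    print(unique_download_urls(SCAN_LINES))
    for label, result in demo().items():
        print(label, "accepted" if is_clean(result) else "REJECTED", result)
```

The manifest crosses the gap on the same media as the cache, so its own SHA-256 is worth recording separately (written down, or read back over the phone) before the media leaves the connected network; that closes the case where both the files and the manifest are replaced together. Rejecting the cache on any `unexpected` entry matters as much as catching a mismatch, since an extra executable in the cache directory is exactly what a deployment step that installs everything present would otherwise pick up.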
