Applying Windows security updates to a network that is isolated from, or completely air-gapped from, the primary network can be a challenge and a pain. At the very least it means that you, the sysadmin, have to devise a patching plan for multiple networks. It also means that you need a way to figure out which updates the computers on the isolated network need, and a way to get those updates onto that network. One of the most frustrating parts of the process is that when a network is isolated or air-gapped, getting files onto or off of it usually brings additional bureaucratic, or even political, hurdles inside the organization that go beyond the technical ones. If a company has taken the precaution of isolating an entire network of computers, it will usually also have specific change-management processes in place to prevent unauthorized files from being brought onto or taken off that network. If the air-gapped network houses high-security computers or data, which is usually why a network is air-gapped in the first place, there will typically be stringent rules governing when and how files may be removed from or introduced to it.
Offline Updates / Offline Patching:
BatchPatch provides several different modes of operation. Which mode you use depends on the configuration and rules of your particular environment. All of the modes are described at the following link, but if you are patching isolated / offline / air-gapped networks, you are most likely going to be looking at scenario 3, scenario 4, or scenario 5.
Offline Updates with Scenario 3:
In scenario 3 the isolated network is *not* air-gapped but is carefully firewalled, such that you can set up BatchPatch on a computer that has internet access as well as access to the isolated network, even though the computers on the isolated network have no direct internet access of their own. In this scenario WSUS may or may not be involved; that depends mainly on whether you already have a WSUS server in place or want to set up a new one. Most readers of this page are probably here precisely because they do not have WSUS and/or do not want to use it. More details here: Cached Mode and Offline Updates
Offline Updates with Scenario 4:
In scenario 4 the isolated network may or may not be air-gapped, but it is assumed that you are not allowed (or not able) to set up BatchPatch on an internet-connected computer that also has direct access to the isolated network. However, in this scenario you *are* allowed to remove files from the isolated network. BatchPatch uses that to your advantage: you first run a BatchPatch scan on the isolated network to determine which updates the computers there need, then take the resulting list to an internet-connected network, where BatchPatch downloads those updates from Microsoft. The downloading of updates only ever happens on the separate internet-connected network. Keep in mind that the scan results list is itself an inventory of which hosts are missing which updates, so handle it with the same care as any other sensitive data leaving the isolated network. More details here: Cached Mode and Offline Updates
Offline Updates with Scenario 5:
In scenario 5 you are dealing with the highest level of security, in which you are not allowed to remove any files from the isolated network at all, or the paperwork required to do so is too burdensome for a process that has to be repeated every month. In this case you use BatchPatch on an internet-connected computer to download all of the updates that could ever be required by the computers on the isolated network. You never perform a scan on the isolated network, so there is no scan results list to remove from it. Instead you go directly to the internet-connected network, download every possible update, and bring that entire repository over to the offline network. The trade-off is volume: the repository is far larger than the targeted download of scenario 4, and the whole thing has to be refreshed and transferred each patch cycle. More details here: Cached Mode and Offline Updates
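The scan-then-carry-the-list step of scenario 4, shown as an added example that is not BatchPatch's own code: it uses the Windows Update Agent (WUA) COM API together with Microsoft's offline scan catalog wsusscn2.cab (which only covers security-related updates) to build a CSV of the updates a machine on the isolated network needs, and a second function, run on the internet-connected side, that fetches the listed files. The file paths, the service name passed to AddScanPackageService, and the function names are assumptions for illustration.

```powershell
# Added example, not BatchPatch code. Two halves of the scenario 4 workflow:
#   Export-NeededUpdates  runs on a host in the isolated network (needs wsusscn2.cab,
#                         which must first be brought onto that network).
#   Get-UpdateFiles       runs on an internet-connected host, reading the CSV carried out.
# Paths below are hypothetical; adjust them to your approved transfer media.

function Export-NeededUpdates {
    param(
        [string]$ScanCab = 'D:\offline\wsusscn2.cab',
        [string]$OutCsv  = "D:\offline\needed-updates-$env:COMPUTERNAME.csv"
    )
    if (-not (Test-Path -LiteralPath $ScanCab)) {
        throw "Offline scan catalog not found: $ScanCab"
    }

    # Register the offline catalog as a (volatile) scan source and point the
    # searcher at it instead of Microsoft Update or WSUS. ServerSelection 3 = ssOthers.
    $session        = New-Object -ComObject Microsoft.Update.Session
    $serviceManager = New-Object -ComObject Microsoft.Update.ServiceManager
    $offlineService = $serviceManager.AddScanPackageService('Offline Sync Service', $ScanCab)

    $searcher = $session.CreateUpdateSearcher()
    $searcher.ServerSelection = 3
    $searcher.ServiceID = $offlineService.ServiceID.ToString()

    $result = $searcher.Search('IsInstalled=0 and IsHidden=0')

    # Flatten bundles: the payload file and its URL normally sit on the bundled
    # child updates, while the KB number and title are on the parent.
    $rows = foreach ($update in $result.Updates) {
        $children = @($update.BundledUpdates)
        if ($children.Count -eq 0) { $children = @($update) }
        foreach ($child in $children) {
            [pscustomobject]@{
                Computer    = $env:COMPUTERNAME
                KB          = (@($update.KBArticleIDs) | ForEach-Object { "KB$_" }) -join ';'
                Title       = $update.Title
                UpdateID    = $child.Identity.UpdateID
                Revision    = $child.Identity.RevisionNumber
                SizeMB      = [math]::Round($child.MaxDownloadSize / 1MB, 1)
                # Empty for some entries; those KBs then have to be looked up by hand
                # in the Microsoft Update Catalog on the internet-connected side.
                DownloadUrl = (@($child.DownloadContents) | ForEach-Object { $_.DownloadUrl }) -join ';'
            }
        }
    }

    $rows | Sort-Object KB, UpdateID | Export-Csv -LiteralPath $OutCsv -NoTypeInformation
    Write-Host ("{0} update file(s) listed in {1}" -f @($rows).Count, $OutCsv)
}

function Get-UpdateFiles {
    param(
        [string]$InCsv   = 'E:\transfer\needed-updates-SERVER01.csv',
        [string]$RepoDir = 'E:\transfer\update-repo'
    )
    New-Item -ItemType Directory -Path $RepoDir -Force | Out-Null

    # One download per distinct URL, even if several hosts listed the same update.
    $urls = Import-Csv -LiteralPath $InCsv |
            ForEach-Object { $_.DownloadUrl -split ';' } |
            Where-Object { $_ } | Sort-Object -Unique

    foreach ($url in $urls) {
        $dest = Join-Path $RepoDir ([uri]$url).Segments[-1]
        if (Test-Path -LiteralPath $dest) { continue }   # already fetched in an earlier cycle
        Write-Host "Downloading $url"
        Invoke-WebRequest -Uri $url -OutFile $dest
    }
    # Windows verifies the Authenticode signature of each .msu/.cab at install time,
    # so a tampered file on the transfer media fails to install rather than silently applying.
    Write-Host ("{0} file(s) in {1}" -f @(Get-ChildItem -LiteralPath $RepoDir -File).Count, $RepoDir)
}
```

Run Export-NeededUpdates on each isolated host (or remotely via PowerShell remoting) and carry only the CSV files out; run Get-UpdateFiles where the internet is reachable and carry the resulting repository folder back in. Because wsusscn2.cab covers security updates only, non-security updates will not appear in the list.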