Inter-agency data exchange
Government operational environments treat physical isolation as the established standard, not a feature. AirGapNet ships that standard as 19-inch rack-mount hardware with a local audit log, no telemetry, and no cloud dependency.
Federal supply-chain incident, SolarWinds 2020
18,000
A trojanized software update flowed through an always-open trust channel into US Treasury, Pentagon, DHS, and thousands of organizations. The path was managed — it was also reachable 24/7.
Source: CISA AA20-352A
Attack surfaces
Cross-agency data paths are always-on by default because the manual alternative is paperwork. The path is reachable to anyone who has any agency credential.
Vendor patch windows on classified or sensitive networks are scheduled, but the path itself exists permanently. Audit finds this every year.
FOIA / disclosure / transparency exports run from internal systems out. The path between the internal store and the export server stays open between requests.
Sysadmins manage multiple security domains from one workstation. The cross-domain path is the highest-value target in the entire environment.
How it maps
Vendor needs to patch a domain controller during a quarterly maintenance window.
AGN2 opens the vendor path only for the scheduled window. The path returns to a physical break at the timer expiry — no reliance on the vendor disconnecting cleanly.
FOIA office needs to export records from the internal store on a Friday.
AGN1 between internal store and export server opens for the duration of the export. The path does not exist between exports.
Sysadmin needs to administer two domains for 30 minutes from one workstation.
AGN1 with whitelisted phone numbers + manual SMS unlock. Window auto-closes at 30 minutes. Audit log captures the operator's number, the window length, the close event.
Cross-domain corridor — between sensitive and admin networks
Typical · 1–2 racks
Per high-consequence path — DC, FOIA export, classified vendor
Typical · 3–10 units
Operator workstations — between admin workstation and high-side network
Typical · 1 per operator
What changes
AirGapNet is a hardware switch, not a policy. The change is measurable from the network side, not just in process documents.
Cross-domain administration runs in time-boxed windows
Vendor patch paths exist only during scheduled maintenance
No telemetry leaves the device — fully air-gapped from the vendor
Audit log signed and stored locally for FOIA / IG review
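An audit-review check for the time-boxed windows described above, as an added example that is not AirGapNet's code: the record fields, phone numbers, path names and probe data are constructed assumptions, since the page does not give the device's log format. It flags windows that closed late or never, operators outside the whitelist, and network-side probes that found a path reachable outside any logged window.

```python
from datetime import datetime, timedelta
# Constructed sample records; field names are assumptions, not AirGapNet's log format.
EVENTS = [
    {"ts": "2024-03-01T09:00:00", "event": "open", "path": "admin-a", "operator": "+15550100", "window_min": 30},
    {"ts": "2024-03-01T09:30:00", "event": "close", "path": "admin-a"},
    {"ts": "2024-03-02T14:00:00", "event": "open", "path": "admin-a", "operator": "+15550199", "window_min": 30},
    {"ts": "2024-03-02T14:45:00", "event": "close", "path": "admin-a"},
    {"ts": "2024-03-03T08:00:00", "event": "open", "path": "foia-export", "operator": "+15550100", "window_min": 120},
]
PROBES = [  # constructed network-side probe results: (time, path, reachable)
    ("2024-03-01T09:10:00", "admin-a", True),
    ("2024-03-01T10:00:00", "admin-a", False),
    ("2024-03-02T15:30:00", "admin-a", True),
]
ALLOWED = {"+15550100"}                          # whitelisted operator numbers (constructed)
MAX_MIN = {"admin-a": 30, "foia-export": 240}    # policy ceiling per path, minutes (constructed)

def review(events, probes, allowed, max_min):
    """Return (timestamp, path, reason) findings for log and probe anomalies."""
    findings, windows, open_at = [], [], {}
    for e in sorted(events, key=lambda e: e["ts"]):
        t, path = datetime.fromisoformat(e["ts"]), e["path"]
        if e["event"] == "open":
            if path in open_at:
                findings.append((e["ts"], path, "open while already open"))
            if e["operator"] not in allowed:
                findings.append((e["ts"], path, "operator not whitelisted"))
            if e["window_min"] > max_min.get(path, 0):
                findings.append((e["ts"], path, "window longer than policy"))
            open_at[path] = (t, timedelta(minutes=e["window_min"]))
        elif path not in open_at:  # any non-open record is treated as a close
            findings.append((e["ts"], path, "close without open"))
        else:
            start, length = open_at.pop(path)
            windows.append((path, start, t))
            if t > start + length:
                findings.append((e["ts"], path, "closed after window expiry"))
    for path, (start, _) in open_at.items():
        findings.append((start.isoformat(), path, "no close event"))
    for ts, path, reachable in probes:
        t = datetime.fromisoformat(ts)
        inside = any(p == path and s <= t <= c for p, s, c in windows)
        if reachable and not inside:
            findings.append((ts, path, "reachable outside any logged window"))
    return findings

if __name__ == "__main__":
    for finding in review(EVENTS, PROBES, ALLOWED, MAX_MIN):
        print(*finding)
```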
Procurement-ready
AirGapNet hardware, no cloud, no telemetry.
We work with public-sector procurement on FCC, NDAA, and TAA compliance documentation. The first evaluation unit ships under standard NDA.