Federal IT managers face troubling times when it comes to synchronizing an air-gap network. And just in case you’re thinking “air gap” refers to a new brand of sneakers … well, you’re almost right.

In high-security situations, various forms of data often must be kept off production networks, due to possible contamination from nonsecure resources -- such as, say, the Internet. So IT admins must build enclosed systems to house that data -- stand-alone servers, for example, or small networks of servers that aren’t connected to anything but one another. There’s nothing but air between these and other networks -- hence the term “air gap” -- and transferring data between them is done the old-fashioned way: moving disks back and forth by hand, via “sneakernet.”

This is exactly the situation that Dartmouth University’s Scott Rea found himself in when he was asked to sync data between an off-network CA (certificate authority) and a highly available, completely on-the-network directory server. Managing who had access to certificates meant moving something called a CRL (certificate revocation list) back and forth between the Sun ONE Directory Server and the RSA Certificate Manager CA server. This list needed to be updated by manually transferring the data from one server to the other, regenerating the CRL list, and then having it digitally signed. After that had been completed, a tech would move the list to the target server using a floppy disk for the update, gradually wearing holes in his $200 basketball shoes.

“Many places that use certificate authorities only update their CLR once a year or so, but our requirements meant we had to be doing it every six hours,” Rea explains. “That meant adding round-the-clock IT staff, for a cost that would have been in middle six figures.” Rea’s underfunded academic project couldn’t shoulder that kind of expense.

But then a lightbulb went on over Rea’s head when he heard about something called a manual-share USB switch. This little $100 device allowed two computers to share the same USB hub at the press of a button. Seizing on his brainstorm, Rea purchased the following equipment from Sewell Direct: the USB switch, a 5V relay, a 5V AC adapter, a power timer, and a 1GB flash drive.

Rea then put on his hardware-hacking hat. First, he replaced the manual-share USB’s switch button with an AC-powered timer, which made it possible to have the USB hub switch between the CA and the directory server at specific intervals -- every six hours, for example -- without human intervention.

He then wrote a cron job for each server to take care of accessing the flash drive at the right time. On the directory side, the server reads any new CRL from the flash drive and publishes the contents, followed by a signed revocation request when one is received. When the CA server’s turn comes, it reads any new revocation requests back from the flash drive, verifies the requesting signature, and creates the new CRL, while also deleting the request.

No matter which side does the updating, the new data is transferred to the other server automatically. And because the USB switch is basically a binary device, the shared storage is never on both networks at the same time. That means air-gap integrity is maintained for about $100 -- not to mention the budget saved on sneakers.