Privacy & Security
Sep 10, 2025

The Air Gap: The Servers That Refuse IP Addresses

Air-gapped systems have no routable IP path to untrusted networks; data crosses via controlled physical media and procedures. Learn limits, OT practice, and why media policy matters.

Definition

An air gap means there is no routed IP connectivity between a system (or site) and external networks such as the internet. Isolation can be absolute (no NIC, no wireless) or practical (dedicated VLANs with one-way diodes), but the goal is the same: remote sessions and drive-by downloads should be blocked unless manually approved through a controlled process.

Why it is not absolute

USB, maintenance laptops, supply-chain updates, and transient bridges (Bluetooth, ad-hoc Wi-Fi) reintroduce paths that behave like networks even when no “public IP” exists. IEC 62443 and NIST CSF therefore treat air gaps as policy plus monitoring, not magic.

Enterprise context

OT environments pair air gaps with jump hosts, media scanning stations, signed firmware, and engineering tools kept separate from corporate IT. NAC and 802.1X protect adjacent VLANs so a mis-cabled laptop does not become an unintended router.

False positives

Telemetry appliances that “call home” can look like breaches but are often misconfigured vendor cloud connectors—review allowed destinations and proxies instead of assuming malicious intent.

Data diodes and one-way transfer

Where policy demands proof against exfiltration, teams deploy data diodes or unidirectional gateways: hardware or FPGA paths that physically permit bits in only one direction (often into the low side). File import then uses separate review queues—virus scan, format normalization, human approval—because the return path does not exist for acknowledgments over the same channel.

Verification cadence

Effective programs schedule red-team cable checks (unexpected link lights), passive ARP monitoring on OT uplinks, and configuration drift detection on firewalls that should have zero default route. Treat “air gapped” as an evidence-based claim renewed each audit cycle, not a one-time VLAN label.
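
An added example (not from the original article) of the drift check described above: it audits route and neighbor tables for a default route, foreign prefixes, and neighbors outside the documented range. It assumes Linux `ip route show` / `ip neigh show` output as a stand-in for a firewall export and an ARP capture; the prefix 10.20.0.0/24, the sample lines, and the function names are constructed.

```python
import ipaddress

# Assumption: documented prefixes of the isolated segment (constructed value).
ALLOWED = [ipaddress.ip_network("10.20.0.0/24")]
DROP_TYPES = {"unreachable", "blackhole", "prohibit"}  # route types that discard traffic

# Constructed sample input in the format printed by `ip route show` and `ip neigh show`.
SAMPLE_ROUTES = """\
default via 10.20.0.1 dev eth0 proto static
10.20.0.0/24 dev eth0 proto kernel scope link src 10.20.0.15
192.168.50.0/24 via 10.20.0.254 dev eth0
"""
SAMPLE_NEIGH = """\
10.20.0.1 dev eth0 lladdr 00:00:5e:00:53:01 REACHABLE
172.16.9.4 dev eth0 lladdr 00:00:5e:00:53:02 STALE
"""

def _allowed(token, allowed):
    """True if an address or prefix token falls inside a documented prefix."""
    net = ipaddress.ip_network(token, strict=False)  # bare address becomes a host prefix
    if net.is_link_local:
        return True  # link-local ranges are not forwarded by routers
    return any(net.version == a.version and net.subnet_of(a) for a in allowed)

def audit(text, kind, allowed=ALLOWED):
    """Return (finding, line) pairs for `kind` = "route" or "neigh" output."""
    findings = []
    for line in filter(None, (raw.strip() for raw in text.splitlines())):
        first = line.split()[0]
        if kind == "route" and first in DROP_TYPES:
            continue  # a discard route is not a path off the segment
        if kind == "route" and first == "default":
            findings.append(("default-route", line))
            continue
        try:
            ok = _allowed(first, allowed)
        except ValueError:
            findings.append(("unparsed", line))  # surface lines the audit cannot read
            continue
        if not ok:
            findings.append((f"foreign-{kind}", line))
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE_ROUTES, "route") + audit(SAMPLE_NEIGH, "neigh"):
        print(*finding, sep=": ")
```

An empty result from both calls is the evidence to file with each audit cycle; any finding is drift to investigate before the "air gapped" label is renewed.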

For historical context on malware that crossed OT boundaries, see the Stuxnet case study. For IoT segmentation guidance, read IoT IP security practices.

Document your network edge addresses when auditing what should never appear on isolated segments.

Frequently Asked Questions

Q. Does an air gap mean no IP addresses?

Systems may still use private IPs on an isolated control network. The point is lack of routed connectivity to untrusted networks, not the absence of addressing.

Q. What defeats an air gap most often?

Removable media, dual-homed maintenance laptops, and unapproved remote-access tools introduced by vendors or staff.

Q. How do enterprises verify isolation?

Periodic rule reviews, passive tap monitoring on choke points, DHCP snooping on adjacent switches, and controlled change windows with signed artifacts.

Q. What is a data diode in an air-gapped design?

A hardware-enforced one-way link that allows bits into a low network without a return channel for acknowledgments, reducing exfiltration risk while still permitting controlled imports through separate review steps.