Semi-Permeable Secure Air-Gap Technology

Hardware-enforced security with software adaptability

Master Thesis (2025)
Author(s)

H.A. Savargaonkar (TU Delft - Electrical Engineering, Mathematics and Computer Science)

Contributor(s)

M. Taouil – Graduation committee member (TU Delft - Computer Engineering)

C. Gao – Graduation committee member (TU Delft - Electronics)

Peter Wanders – Graduation committee member (KLM Royal Dutch Airlines)

Faculty
Electrical Engineering, Mathematics and Computer Science
Publication Year
2025
Language
English
Graduation Date
21-08-2025
Awarding Institution
Delft University of Technology
Programme
Electrical Engineering | Embedded Systems
Sponsors
KLM Royal Dutch Airlines
Reuse Rights

Other than for strictly personal use, it is not permitted to download, forward or distribute the text or part of it, without the consent of the author(s) and/or copyright holder(s), unless the work is under an open content license such as Creative Commons.

Abstract

With the rapid rise of cyberattacks and state-sponsored cyber warfare, securing critical infrastructure has become increasingly urgent. Traditional defences such as firewalls and intrusion detection systems are frequently bypassed, leaving internal systems vulnerable. Air-gapped networks (AGNs) offer strong protection through physical isolation, making them resistant to most cyberattack vectors. However, their lack of connectivity creates significant usability and data exchange challenges, limiting their adoption in modern environments. This tension between security and practicality motivates the need for a solution that preserves the air gap while enabling controlled communication with external networks.

Past research has explored various methods of bridging air-gaps, including the Floodgate principle, E-Gap, Reflective NetGap, and Lock-Keeper. These systems demonstrate the feasibility of transferring data across isolated networks but suffer from limitations such as low bandwidth, proprietary or inflexible designs, and limited filtering capabilities. As a result, existing solutions are not well-suited to the demands of modern applications, which require higher throughput, standardised interfaces, and stronger, customizable validation mechanisms. This work addresses these gaps by proposing a new approach that combines hardware-enforced separation with flexible software integration.

This thesis introduces Semi-Permeable Air Gap (SAG) technology, a three-component system consisting of a Proxy, a Bridge, and a Host. The Proxy and Host act as endpoints in the external and internal networks, respectively, while the FPGA-based Bridge enforces physical isolation through hardware switching and buffered data transfer. APIs are employed as the standard interface, providing process-agnostic communication and simplifying integration with modern applications. The FPGA Bridge is further enhanced with a RISC-V core, enabling isolated execution of validation routines, including user authentication and schema-based deep packet inspection. This modular design provides strong physical security while maintaining the flexibility to adapt to evolving protocols and requirements.

The system is prototyped and tested, achieving a bandwidth of 100 Mbps, constrained by the Ethernet interface on the selected FPGA board. Simulations confirm that the design scales to multi-gigabit speeds, demonstrating its suitability for high-performance environments. Two validation programs are implemented and verified: one enforcing access control through IP-based authentication, and another performing schema-compliant API request verification. Together, these results confirm that the SAG system provides secure, flexible, and controlled communication across air-gapped networks while preserving data integrity. This work contributes a novel methodology that revitalises the role of AGNs in modern cybersecurity by uniting hardware-enforced isolation with software-driven adaptability.

Files

License info not available

File under embargo until 21-08-2027