Triple-homed setup
A triple-homed Airlock Gateway offers the highest level of network separation and security. It uses three distinct NICs:
- External interface: untrusted/client traffic
- Back-end interface: connections to protected applications
- Management interface: administration traffic
Requirements
- Three NICs (physical or virtual)
- At least three IP addresses, one per interface
- The back-end and management IPs must be on different subnets. One of them may share a subnet with the external IP if required.
Behavior and routing
- Management access is only possible through the dedicated management interface.
- Traffic to NTP, Syslog, or Mail servers is sent over the management interface. If these servers are outside the management subnet, configure host or network routes for them (typically via a firewall on the management subnet).
- A firewall on the back-end interface is optional; adding one protects Airlock from attacks originating from unprotected back-end servers.
- As with other setups, if the same client IP reaches Airlock externally and also on the back-end or management interface, Airlock cannot always determine the correct return path, because replies are routed by destination address rather than by the interface the request arrived on. NAT or proxies typically resolve this.
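The three rules above (back-end and management on different subnets, extra routes for NTP/Syslog/Mail servers outside the management subnet, and the return-path ambiguity for a client IP reachable on two interfaces) can be checked against an addressing plan before deploying. The following is an added example written for this page, not Airlock code or configuration; it models the gateway's routing table with longest-prefix matching on constructed addresses (203.0.113.0/24, 10.10.1.0/24, 10.20.1.0/24 and a Syslog server at 10.20.5.20 are all assumed values) and shows when a host route is needed and when a reply would leave on the wrong interface.

```python
import ipaddress
from typing import Dict, List, Tuple

# Constructed addressing plan for the three NICs (assumed values, not taken
# from any Airlock documentation).
INTERFACES: Dict[str, str] = {
    "external":   "203.0.113.10/24",
    "backend":    "10.10.1.10/24",
    "management": "10.20.1.10/24",
}

# A route is (destination prefix, egress interface name).
Route = Tuple[ipaddress.IPv4Network, str]


def validate_layout(ifaces: Dict[str, str]) -> List[str]:
    """Check the triple-homed requirements: three NICs, one IP each,
    back-end and management in different subnets. Returns a list of problems."""
    problems: List[str] = []
    for name in ("external", "backend", "management"):
        if name not in ifaces:
            problems.append(f"missing {name} interface")
    if problems:
        return problems
    parsed = {n: ipaddress.ip_interface(c) for n, c in ifaces.items()}
    if len({i.ip for i in parsed.values()}) != len(parsed):
        problems.append("each interface needs its own IP address")
    if parsed["backend"].network == parsed["management"].network:
        problems.append("back-end and management IPs must be on different subnets")
    return problems


def build_routes(ifaces: Dict[str, str]) -> List[Route]:
    """Connected route per NIC plus a default route via the external NIC
    (the default gateway normally points at the client-facing side)."""
    routes: List[Route] = [(ipaddress.ip_interface(c).network, n) for n, c in ifaces.items()]
    routes.append((ipaddress.ip_network("0.0.0.0/0"), "external"))
    return routes


def add_route(routes: List[Route], prefix: str, iface: str) -> List[Route]:
    """Return a new table with an additional host (/32) or network route."""
    return routes + [(ipaddress.ip_network(prefix, strict=False), iface)]


def egress_interface(dst: str, routes: List[Route]) -> str:
    """Longest-prefix match: the interface a packet to dst leaves on."""
    addr = ipaddress.ip_address(dst)
    best = max((r for r in routes if addr in r[0]), key=lambda r: r[0].prefixlen)
    return best[1]


def reply_is_asymmetric(client: str, ingress: str, routes: List[Route]) -> bool:
    """True when the reply to a client would leave on a different interface
    than the one its request arrived on, i.e. the return-path problem."""
    return egress_interface(client, routes) != ingress


if __name__ == "__main__":
    print("layout problems:", validate_layout(INTERFACES) or "none")
    routes = build_routes(INTERFACES)
    syslog = "10.20.5.20"  # assumed Syslog server outside the management subnet
    print("syslog without extra route ->", egress_interface(syslog, routes))
    routes = add_route(routes, f"{syslog}/32", "management")
    print("syslog with host route     ->", egress_interface(syslog, routes))
    # A client address that also lives in the back-end subnet: its reply
    # follows the connected back-end route, not the external interface.
    print("asymmetric reply for 10.10.1.50 via external:",
          reply_is_asymmetric("10.10.1.50", "external", routes))
```

The host route in the demo stands in for the "host- or network route via a firewall" the page calls for; without it the Syslog traffic would follow the default route out of the external interface, which is exactly what the management-only rule is meant to prevent. The asymmetric case is the one the page says NAT or a proxy resolves: translating the client to an address that is only reachable through the external interface makes the reply follow the same path.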
Advantages
- Highest level of security: strict separation of external, internal, and management traffic
- Administrative access is isolated and cannot be mixed with external or back-end flows.
- Strongest protection against lateral attacks from back-end servers
Operational considerations
- Requires more NICs, IP addresses, and subnets, which results in higher operational complexity.
- Additional routing entries may be necessary for services outside the management subnet.