关键要点
- Air-gapped = completely isolated from internet. Zero network connectivity to external systems.
- Use case: Government (classified), military (war scenarios), finance (high-security), healthcare (HIPAA ultra-sensitive).
- Challenge: Cannot auto-update models, embeddings, or dependencies. Requires manual update procedures.
- Architecture: Dedicated hardware, encrypted storage, restricted user access, physical security.
- Network isolation: Firewalls, air-gap appliances, and network segmentation prevent any external communication.
- Model management: Transfer models via USB, secure media, or internal networks only; no cloud access.
- Updates: Manual process — test updates offline first, then deploy via secure channels.
- As of April 2026, air-gapped is standard for government and defense contractors.
What Does Air-Gapped Mean?
Air-gapped infrastructure has no network connection to the internet or any external system. All data and computation stays on isolated hardware.
Absolute isolation: No WiFi, no Ethernet to external networks, no USB connections to internet-connected devices.
Data never leaves: Inference happens locally, results stay locally.
Updates are manual: Cannot auto-download model updates. Updates require physical media (USB drive, SD card) or internal network transfer.
What Does Typical Air-Gapped Architecture Look Like?
A single machine or small cluster, completely isolated, with restricted physical access.
- 1Dedicated hardware: Servers used only for LLM inference, nothing else.
- 2Isolated network: No connection to corporate network or internet. Separate VLAN at most.
- 3Encrypted storage: All model files, data, logs encrypted at rest.
- 4Controlled access: Only authorized personnel can access. Multi-factor authentication required.
- 5Physical security: Locked server room, surveillance, access logs.
- 6No removable media: USB ports disabled, CD/DVD drives removed.
- 7Local monitoring: Logs stay on-system, not sent to external monitoring services.
How Do You Isolate Networks From External Connections?
Isolation is enforced at multiple levels:
- Physical: Separate network hardware (switch, router) for air-gapped infrastructure.
- Firewall: Inbound and outbound traffic blocked. No exceptions for cloud services, NTP, DNS to external servers.
- Software: Host-level firewalls (iptables, Windows Firewall) as secondary control.
- Monitoring: Network traffic audited. Any attempt to connect externally is logged and flagged.
How Do You Manage Models in Air-Gapped Environments?
Model updates are manual, requiring physical media transfer or internal secure processes.
- 1Download model on internet-connected machine (separate, non-classified environment).
- 2Verify model integrity (checksum, digital signature).
- 3Transfer to air-gapped system via encrypted USB drive or internal file server.
- 4Validation: Run tests to ensure model integrity was not compromised during transfer.
- 5Deployment: Load model into inference engine.
- 6Documentation: Log which models are deployed, versions, dates.
How Do You Handle Updates and Patching?
Security updates and model updates are manual:
- Model updates: Follow process above. Schedule updates quarterly or annually.
- OS patches: Test on isolated staging environment first, then deploy to production.
- Dependencies: Evaluate new versions carefully. Air-gapped systems run older versions longer.
- No auto-updates: Disable automatic updates entirely. All updates are controlled, documented, audited.
How Do You Ensure Security in Air-Gapped Systems?
Air-gapped inherently more secure (no external attacks), but new risks emerge:
- Insider threats: Employees with access could copy data via USB. Require two-person integrity.
- Supply chain attacks: Compromised models or dependencies during transfer. Verify checksums, digital signatures.
- Physical theft: Models and data worth millions. Require locked room, surveillance, intrusion detection.
- Social engineering: "Trust me, I need to update the model." Require formal change control processes.
- Logging gaps: If logs are not audited, nobody detects insider activity. Require external audit of logs regularly.
Common Air-Gapped Deployment Mistakes
- Incomplete isolation: Leaving one port open, one wireless card enabled, or allowing USB devices defeats air-gapping. Audit rigorously.
- No change control: Model updates happen informally, no documentation. Leads to loss of knowledge about which version is deployed.
- Poor backup strategy: Air-gapped systems need redundant storage and off-site backups. But backups themselves must be air-gapped.
- Insufficient logging: Air-gapped systems require comprehensive auditing (who accessed what, when). Without logs, breaches go undetected.
- Trusting physical security alone: Security requires multiple layers: isolation, encryption, access control, auditing, not just locked doors.
Common Questions About Air-Gapped Systems
How do we update models in an air-gapped system?
Manually via encrypted USB, or via an internal secure network isolated from the internet. All updates require change control approval and audit trails.
Can we use cloud backups for air-gapped systems?
No. Cloud backups require internet connection (defeating air-gapping). Use physical backups (encrypted hard drives) stored in separate secure facility.
Is air-gapped truly secure against all attacks?
Mostly, but insider threats remain. Air-gapped is secure against remote attacks, but physical access or insider access can compromise it.
How expensive is air-gapped deployment?
Hardware costs $50k–500k (not much more than regular on-prem). Operational costs (security, auditing, training) are 5–10× higher due to manual processes.
Can we use standard tools (Ollama, vLLM) in air-gapped environments?
Yes. Both tools work without internet. Deploy once, then no internet connectivity needed. Ensure all dependencies are installed offline.
Sources
- NIST Cybersecurity Framework — nist.gov/cyberframework
- DoD Data Management — defense.gov/News/Releases/
- Air-Gap Security Guidelines — ietf.org (RFC documents on network isolation)