AirGapNet: Physical network isolation
Blog · Engineering · May 2026 · 7 min read

Why our control plane runs on cellular, not your LAN

If the device that gates a network is reachable from that network, the gate is not really there. Why we put the control channel on GSM — and what that buys you.


Section 01

The problem with IP-based control

A network appliance that is controlled over the network it controls is a security paradox most operators have learned to live with. Managed switches, remote PDUs, KVMs, and segmentation devices all expose a management interface — and that interface, by necessity, lives on a network that someone can reach.

Even when the management plane is on its own VLAN, that VLAN is still IP. It has an address, a route, a port, and a stack. Any of those is a foothold under sufficient pressure — credentials leak, firmware has CVEs, jump hosts get compromised, segmentation rules drift. The whole class of attacks that target out-of-band management is a function of the management plane being electrically reachable from somewhere an attacker also is.

Section 02

What an independent channel buys you

AGN1's control channel is GSM/SMS. The radio module is a separate die from the network ports it gates; it does not share a bus with the relay logic and it does not speak IP. You open a window by SMS from a whitelisted phone number, and the relay opens. The protected LAN never carries control traffic, because control traffic does not exist on that LAN.

This is not about cryptography being better over GSM — it isn't. It is about topology. The attacker who is on the protected segment has no path to the controller, because the controller is not on the segment at all. It is across an air gap that is enforced by physics, not by routing.

  • Topological isolation

    The control plane has no shared link layer with the data plane it gates. A pivot from one to the other requires crossing an electrically separate medium.

  • Low attack surface

    An SMS endpoint exposes a tiny parser and a fixed set of allowed senders. Compared to a web admin UI, the surface to fuzz is small.

  • Independent of LAN state

    A misconfigured firewall or a flooded uplink does not affect whether you can open the window. The control path is not on the LAN.

  • Carrier-redundant

    GSM works across multiple national carriers from the same SIM slot; the LAN you are gating may have one upstream provider.
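Section 02 describes the control plane as a tiny SMS parser in front of a fixed allow-list of sender numbers. The block below is an added example of that logic, written for this post rather than taken from AGN1's firmware: the OPEN/CLOSE/STATUS grammar, the 12-hour window cap and the phone numbers are assumptions, and the allow-list on the sender number is the only gate, as the post describes.

```python
from dataclasses import dataclass, field
from typing import Optional
import re

# Assumed command grammar (not AGN1's actual SMS syntax):
#   OPEN <minutes>  open the gated relay for 1..MAX_WINDOW_MIN minutes
#   CLOSE           close it immediately
#   STATUS          report whether the relay is open
MAX_WINDOW_MIN = 12 * 60  # assumed cap on one maintenance window

def parse_command(body: str):
    parts = body.strip().upper().split()
    if len(parts) == 2 and parts[0] == "OPEN" and re.fullmatch(r"[0-9]{1,4}", parts[1]):
        return ("OPEN", int(parts[1]))
    if len(parts) == 1 and parts[0] in ("CLOSE", "STATUS"):
        return (parts[0], None)
    return None  # anything else is not a command

@dataclass
class RelayController:
    allowed_senders: frozenset            # the operator's allow-listed numbers
    relay_open: bool = False
    close_at: Optional[float] = None      # absolute time (seconds) the window ends
    audit: list = field(default_factory=list)

    def handle_sms(self, sender: str, body: str, now: float) -> str:
        # Expire an elapsed window first, so STATUS and a new OPEN see the real state.
        if self.relay_open and self.close_at is not None and now >= self.close_at:
            self.relay_open, self.close_at = False, None
        # The sender allow-list is the gate: unlisted numbers never reach the parser.
        if sender not in self.allowed_senders:
            self.audit.append(("reject-sender", sender))
            return "REJECTED"
        cmd = parse_command(body)
        if cmd is None:
            self.audit.append(("reject-syntax", sender, body))
            return "REJECTED"
        verb, minutes = cmd
        if verb == "OPEN":
            if not 1 <= minutes <= MAX_WINDOW_MIN:
                self.audit.append(("reject-range", sender, minutes))
                return "REJECTED"
            self.relay_open, self.close_at = True, now + minutes * 60
            self.audit.append(("open", sender, minutes))
            return f"OPEN {minutes}"
        if verb == "CLOSE":
            self.relay_open, self.close_at = False, None
            self.audit.append(("close", sender))
            return "CLOSED"
        return "OPEN" if self.relay_open else "CLOSED"  # STATUS
```

The `now` argument is passed in rather than read from a clock so the window expiry can be exercised deterministically; the returned string is the reply the device would log, and every rejection leaves an audit entry.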

Section 03

Trade-offs we picked up

GSM is not free. Each device needs a SIM. Latency on SMS is in the seconds, not milliseconds. Coverage at the install site matters — and on a basement install in a thick-walled facility, it sometimes does not exist without an external antenna.

We picked this trade deliberately. A control plane that opens a relay in two seconds instead of two hundred milliseconds is fine for maintenance windows, which are scheduled in advance or opened by an operator who is already in a meeting about them. The use case is not low-latency control — it is non-shared control.

Section 04

What this is not

GSM control is not a backdoor for AirGapNet. The device does not phone home to us, does not stream telemetry, does not accept commands from anyone outside the operator's whitelisted phone numbers. The carrier sees that an SMS was sent and received; they do not see the content of the maintenance window plan or what is on the other side of the gated line.

If your environment forbids cellular radios on principle — some defense and high-security industrial environments do — AGN2 is the right device. It exposes the same physical-break semantics over a wired out-of-band port instead.
