Skip to main content
AirGapNetPhysical network isolation
← BlogConceptApril 20266 min read

When a firewall fails, the path stays up. A hardware switch is different.

Every software control assumes the path exists. When the rule misfires, traffic still has somewhere to go. A relay on the line fails the other way — and that changes the security outcome.

A software gate that fails closed protects the operator; a software gate that fails open protects the attacker. Physical gates do not have that ambiguity.

In this article

Section 01

The shape of a software gate

Every software-based access control — firewall ACL, EDR allowlist, segmentation policy, IAM role binding — is a function that takes a request and returns either allow or deny. The request reaches the gate because a path exists. The gate's job is to decide what to do about the request.

This is a useful and necessary design. Most decisions about who can do what on a corporate network do not need to be made at the cable layer. But the design carries an invariant: the path is up. If the gate is removed, broken, or misconfigured, traffic still has somewhere to go.

Section 02

What 'fail open' looks like in production

A firewall reload during a busy maintenance window. An EDR agent that crashes and is auto-restarted in a permissive mode. A segmentation policy that is silently overridden because two rules conflict and the more recent one wins. A jump-host bastion left in a maintenance state after a vendor visit. An IAM role assigned to a service account that nobody owns any more.

None of these are theoretical. They are the kinds of incidents that show up in post-mortems — usually months after the fact, when someone correlates a breach window with a configuration change that no alert was wired up to. In each case, the policy intended a closed gate, and the operational reality was an open one.

Section 03

Hardware default-open vs. hardware default-closed

A relay-based switch has two failure modes: stuck closed (the line keeps existing when it should not) and stuck open (the line stops existing when it should). For a physical isolation device, the safe failure mode is open — the line not existing. AGN1 is wired so that any failure — power loss, GSM module crash, firmware fault, control-plane disconnect — drops the relay and the line goes away.

This is the categorical difference. A misconfigured firewall fails into 'reachable'. A misfiring AGN1 fails into 'not reachable'. The same incident on the two devices has opposite security outcomes.

  • Software gate misfires

    Path stays up. The attacker keeps the route while the operator chases a config bug.

  • Hardware gate misfires

    Path goes away. The protected device is offline until the gate is restored — which is the safe state.

  • Audit

    Software gate logs may be discarded with the misfiring service. Hardware gate logs reflect physical state changes, not policy decisions about them.

Section 04

Where this stops mattering

Most traffic on a corporate network should not pass through a physical break. Email, file sync, normal application traffic — software controls are the right shape for those, and AirGapNet does not try to replace them.

Where the shape matters is on the dozen or so service paths per site that should be reachable only during a defined window. Vendor maintenance access. Backup writes. Admin tunnels to financial gateways. Update channels to OT controllers. For those paths, a default-closed physical gate is doing the kind of work no software control can: deciding whether the path exists, not who may use it.

Go from reading to running

See AirGapNet on your network.

We bring a real AGN1 to your bench and run one maintenance window on your equipment. 30 minutes on the call.

Book a demoMore articles