Originally Posted by Steve Demuth
If by that you mean the separate network itself should have no internet access, I sincerely doubt the practicality of that in the modern world. First, because keeping a network isolated when other networks in the same premises are connected is extraordinarily difficult. Every such "air gapped" network I've ever encountered outside some national security facilities proved, when red-team attacked, to actually be connected. Maybe control of the environment is strong enough in some manufacturing settings to pull it off; it never was in any I've encountered. Second, because in most industries, the prevalence of partner-connected devices is exploding. Those devices need network paths to the outside world. As I mentioned elsewhere, by way of example, I've seen proton beam treatment facilities (which operate much like a factory building custom-variable inventory in terms of operational needs and quality-control considerations) that required connectivity from hospitals in the United States to a manufacturer in Japan.
Use of virtual networks to provide "greater" isolation is not uncommon and has been in the picture for a couple of decades or more. And it's on the same wires and through the same gear. Yes, it's still possible to have a security issue, but it's a lot harder to pull off. Many of the networks I designed and sold for governmental entities (both local/county and Federal) utilized this method.
--
The most expensive tool is the one you buy "cheaply" and often...