Deployment · July 2025 · 15 min read

Air-Gap Deployment Guide — DKTrace in Classified Networks

Step-by-step guide for deploying DKTrace in air-gapped, classified network environments — including offline TI updates, internal PKI, and the data diode architecture for one-way log ingestion.


DKTrace Research Team

Security Engineering · Threat Research

Why Air-Gap Deployments Are Different

Every dependency that normally resolves via internet must be handled internally:

Container image pulls → offline registry
TLS certificate validation → internal CA
Threat intelligence feeds → USB/SFTP/data diode
Time synchronisation → internal NTP server
Package updates → pre-staged offline bundles

Pre-Deployment Checklist

Offline container registry populated with all 29 DKTrace service images (verified against SHA-256 manifest)
Internal NTP server configured and verified (drift < 50ms required for correlation accuracy)
Internal CA established; DKTrace certs pre-generated (./scripts/generate-certs.sh --ca internal-ca.pem)
ClickHouse, PostgreSQL, Redis, NATS, MinIO all deployed from offline packages
JWT_SECRET rotated from default: openssl rand -base64 64

Threat Intelligence Without Internet

DKTrace supports three offline TI update methods:

Method 1: USB/Media Import

threat-intel-manager accepts STIX 2.1 bundles via REST API.

```bash
# On transfer workstation (internet-connected):
./ti-export.sh --format stix2 --output /media/usb/ti-bundle-$(date +%Y%m%d).json

# On air-gap system:
curl -X POST https://dktrace-internal:8091/api/ti/import \
  -H "Authorization: Bearer $TOKEN" \
  -F "bundle=@/media/usb/ti-bundle-20260310.json"
```
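As an added pre-import gate for the USB bundle above (and for the signed packages of Method 3), here is example code that is not part of DKTrace: it checks the transferred file's SHA-256 against the value recorded in the transfer manifest on the internet-connected workstation, then validates the STIX 2.1 bundle structure before anything is POSTed to threat-intel-manager. The manifest-hash argument and the sample bundle are constructed assumptions.

```python
import hashlib
import hmac
import json
import re

# Constructed sample: a minimal STIX 2.1 bundle of the kind ti-export.sh writes to removable media.
SAMPLE_BUNDLE = json.dumps({
    "type": "bundle",
    "id": "bundle--6f4a2b3e-1c2d-4e5f-8a9b-0c1d2e3f4a5b",
    "objects": [
        {"type": "indicator", "spec_version": "2.1", "pattern_type": "stix",
         "id": "indicator--0a1b2c3d-4e5f-4a6b-8c7d-9e0f1a2b3c4d",
         "pattern": "[ipv4-addr:value = '198.51.100.7']", "valid_from": "2025-07-01T00:00:00Z"},
        {"type": "malware", "spec_version": "2.1", "name": "ConstructedLoader", "is_family": False,
         "id": "malware--5e6f7a8b-9c0d-4e1f-8a2b-3c4d5e6f7a8b"},
    ],
}).encode()
STIX_ID = re.compile(r"^[a-z][a-z0-9-]*--[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}$")  # <type>--<uuid>
REQUIRED = ("type", "spec_version", "id")


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def validate_stix_bundle(data: bytes, manifest_sha256: str) -> dict:
    """Gate an offline TI bundle before it is POSTed to threat-intel-manager: check the
    SHA-256 from the transfer manifest, then the STIX 2.1 structure. Never raises."""
    if not hmac.compare_digest(sha256_hex(data).encode(), manifest_sha256.strip().lower().encode()):
        return {"ok": False, "errors": ["sha256 does not match transfer manifest"], "counts": {}}
    try:
        bundle = json.loads(data)
    except ValueError as exc:
        return {"ok": False, "errors": [f"not valid JSON: {exc}"], "counts": {}}
    if not isinstance(bundle, dict) or bundle.get("type") != "bundle" \
            or not STIX_ID.match(str(bundle.get("id", ""))):
        return {"ok": False, "errors": ["top-level object is not a STIX bundle"], "counts": {}}
    errors, counts, seen = [], {}, set()
    for idx, obj in enumerate(bundle.get("objects", [])):
        missing = [k for k in REQUIRED if not isinstance(obj, dict) or k not in obj]
        if missing:
            errors.append(f"object {idx}: missing {missing}")
            continue
        if obj["spec_version"] != "2.1":
            errors.append(f"{obj['id']}: spec_version {obj['spec_version']!r}, expected '2.1'")
        if not STIX_ID.match(str(obj["id"])) or not str(obj["id"]).startswith(f"{obj['type']}--"):
            errors.append(f"object {idx}: id does not match type {obj['type']!r}")
        if obj["id"] in seen:
            errors.append(f"{obj['id']}: duplicate id")
        seen.add(obj["id"])
        counts[obj["type"]] = counts.get(obj["type"], 0) + 1
    return {"ok": not errors, "errors": errors, "counts": counts}
```

Run it against the file on the media and the hash from the manifest; only a result with `"ok": True` should proceed to the curl import.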

Method 2: Data Diode (One-Way Hardware)

Hardware data diodes such as those from Owl Cyber Defense and Fox-IT feed TI updates inbound with no physical return path. DKTrace supports a UDP-only receive mode for data diode ingestion.

Method 3: Scheduled Transfer

Removable media with signed STIX packages, imported by the security team on a defined schedule (typically weekly for IOCs, daily for CVE updates).

Network Architecture

[COLLECTION ZONE]           [DATA DIODE]      [DKTRACE CORE]
  Syslog/CEF sources    →  (one-way HW)   →  ingestion-gateway :8082
  Agent endpoints       →  (one-way HW)   →  agent-receiver    :8098
  TI feeds (USB)        →  (manual xfer)  →  threat-intel-mgr  :8091

[ANALYST ZONE] — separate VLAN, no route to collection zone
  ← HTTPS from api-gateway :8080
  ← WebSocket from ws-gateway :8087

Critical: Never expose ports 5433 (PostgreSQL), 9002 (ClickHouse HTTP), 6380 (Redis), or 4222 (NATS) to the analyst VLAN. These are internal service bus ports only.

Certificate Management

```bash
# Generate all service certs against your internal CA
./scripts/generate-certs.sh \
  --ca /etc/dktrace/pki/internal-ca.pem \
  --ca-key /etc/dktrace/pki/internal-ca-key.pem \
  --services all \
  --validity-days 365 \
  --output /etc/dktrace/certs/
```

All inter-service communication uses mutual TLS (mTLS) with client certificates. Rotate certs annually — DKTrace's cert-manager service handles rolling rotation with zero downtime.
