Physical vs Logical
Air Gap
Logical immutability is software pretending to be a wall. Layer 1 disconnection is the wall. Understand the difference before ransomware decides for you.
Two Architectures, Two Outcomes
Both promise to keep your data safe. Only one removes the network as an attack surface entirely.
Firevault: Layer 1 Physical Disconnect
Firevault Offline Secure Storage operates at the physical layer of the OSI model. When disconnected, the storage has no network interface card, no IP address, and no software path that an attacker can follow. It is unreachable in the strictest sense.
Veeam, Rubrik, Cohesity, Dell PowerProtect
Hardened repositories, immutable buckets and WORM volumes are powerful, but they remain physically connected. Their protection lives in software policies, identity systems and storage APIs, all of which sit on the network and can be reached, abused or exploited.
Layer 1 and Physical Isolation, Defined
Short, declarative definitions to settle the conflation between physical and logical air gaps once and for all.
Layer 1, defined
Layer 1 is the physical layer. It is cables, connectors, ports and the electrical signal across them. Every other layer of the OSI model, including IP, TCP, TLS and the application itself, depends on Layer 1 existing. Remove Layer 1 and nothing above it can function.
Physical isolation, defined
Firevault physical isolation means the storage hardware has no active network interface when offline. There is no IP address to scan, no port to knock on, and no software stack listening on the data path. The hardware is not unreachable through policy, it is unreachable in the strictest sense.
The Research and Why It Does Not Apply
Side-channel research on powered air-gapped machines is real, narrow and frequently misquoted. Here is what it actually requires, and why Firevault is not in scope.
Acoustic, electromagnetic and optical covert channels
Academic research, including work from Ben-Gurion University and write-ups by Kaspersky and others, has shown malware exfiltrating tiny amounts of data from air-gapped machines over fan noise, screen flicker, power line emissions and hard drive vibrations. Useful for nation state research, useless against hardware that is not powered on or not connected.
Why these techniques do not apply to Firevault
Every air-gap jumping technique requires a running, compromised target that can be told what to do. Firevault storage is physically disconnected at Layer 1 and is not running an attacker-controlled workload. There is no implanted process to modulate fans, screens or power lines, because there is no live software stack on the data path while offline.
Where Software Defined Immutability Breaks
The recurring failure modes seen in modern ransomware incidents involving backup platforms.
Backup API Exploits
Modern ransomware crews specifically hunt for backup consoles. Once they have credentials or a vulnerability, immutability flags can be cleared, retention windows rewritten and backup catalogues poisoned. The data is technically still there, but no longer trustworthy.
Privilege Escalation
Logical air gaps depend on a privilege boundary. If an attacker reaches a sufficiently privileged account, the boundary collapses. Physical disconnection does not depend on privilege at all, because no privilege can connect a cable that is not there.
Firmware and Supply Chain
Software defined immutability assumes the underlying firmware, hypervisor and storage controller are honest. Supply chain attacks and firmware level malware bypass the policy entirely. Layer 1 disconnection removes the platform from the equation while data is at rest.
Read the full architectural argument for non IP control at the physical layer.
Layer 1 vs Logical, Common Questions
See a true Layer 1 air gap in action
Talk to the Firevault team about adding a physically disconnected gold copy alongside your existing immutable backup.
Takes about 2 minutes. No account needed.