What is a Data diode and why is it needed?
Imagine that you have two networks that need to be protected from unauthorized access, DDoS attacks and information leaks, but at the same time you need to transfer data between them. This is where the Data diode comes to the rescue.
A data diode or unidirectional gateway is a device that transmits data flow in only one direction. It is impossible to send data back at the physical level.
Below the cut we talk about how it works and what its advantages are relative to other information security technologies.
Data diode form factor from various companies.
Use navigation if you don't want to read the entire text:
→ Where did it all start?
→ Area of use
→ Principle of operation
→ Characteristics and working with protocols
→ Use cases
→ Data diode features
→ Comparison with other approaches
→ Conclusion
Where did it all start?
Let's dive into history. The first Data diode prototypes began to be developed by government organizations in the mid-1990s. They began to be actively used in the United States in defense and government agencies, where it was necessary to secure the internal network from external attacks.
One of the key moments in the development of the concept was the introduction of standards such as Common Criteria, which define the requirements for information technology security.
At the moment, Data diode technology is about 30 years old, but it is still in demand and has found its application in commercial use. Because many companies deal with sensitive information, they need to ensure the security of their corporate networks. This may be due to both compliance with legal requirements and the natural process of increasing the level of security.
Today we will turn our attention to one of the tools that can help with this task – Data diode technology. Within the framework of the article, we will not dive into technical aspects and consider specific use cases, but will briefly understand the principle of operation of data diodes and the possibilities of their use in practice.
Area of use
As mentioned earlier, Data diodes are widely used in military and government institutions with high security levels. The technology is currently being used in a variety of industries, including oil and gas, aviation, cloud connectivity for the Industrial Internet of Things (IIoT), and others.
In 2013, a group of experts on industrial systems cybersecurity (ICS), led by the French network and information security agency (ANSSI), introduced a ban on the use of firewalls to connect networks at the L3 level. For example, railway transport control systems with networks at the L2 level or corporate networks. Instead, it was recommended to use unidirectional technologies for protection.
By 2016, European research centers and associations (VDMA, Fraunhofer Institute for Applied and Integrated Security AISEC) began to recommend the use of Data diode.
For example, the German security guidelines “German VDMA Industrie 4.0 Security Guidelines recommends the use of data diodes to protect critical network segments” recommends using Data diode to protect critical network segments.
Principle of operation
What are the advantages of data diodes over bidirectional information flow methods? After all, there are tools such as:
- Encryption with two-way keys (Public-Key Cryptography),
- VPN (Virtual Private Network),
- Symmetric Encryption.
The key difference is that Data diode devices are physically unable to transmit data packets back and forth. This is due to the design using separate physical networks – input and output.
Working principle of Data diode.
The transfer of sensitive information can occur from the input network (untrusted) to the output network (secure) or vice versa.
In the first case (from the input network to the output network), the data on the protected network remains confidential, and users retain access to information on the side of the unprotected network.
This functionality may be attractive if the information being protected is stored on a network that requires an Internet connection: the output network can receive Internet data from the input network, but no data on the output network will be accessible to intrusion via the Internet.
First use of Data diode.
In the second case (from output network to input network), a safety-critical physical system can be made available for online monitoring. At the same time, it will be protected from DoS attacks aimed at causing damage to the protected network.
The second case of using Data diode.
There is another way to use Data diode, which is called hybrid. In this case, two independent transmission channels are used: one transmits information to the secure network, and the other from it.
This approach allows the exchange of various data, such as email messages, updates and work logs, while making a feedback attack much more difficult. A hacker will have to overcome two security systems to gain access to the data.
Hybrid case of using Data diode.
Characteristics and working with protocols
The data transfer speed of Data diode technology covers the range from 100 Mbit/s to 10 Gbit/s. It depends on the type of protocol used to transfer data, packet sizes, and the number of active accounts transferring data.
Considering the wide range of Data diode products from various companies, the characteristics depend directly on membership in the group:
- Hardware diodes. They work by removing a transmitting component on one side and a receiving component on the other in a bidirectional communication system. In minimal versions, the device housing contains interfaces for connecting to the receiving and transmitting networks, as well as a power connector. Manufacturers can implement additional functionality, for example, indication of transmitted packets or the ability to configure the device through a file with a list of allowed IP addresses.
- Diode proxy. It is a software and hardware complex based on Data diode and proxy servers on both sides. Allows you to implement much more service functions than solely hardware systems. Here we can talk not only about data transfer, but also about their protection, monitoring and filtering – using anti-virus systems and other tools.
- Software data diodes. Allows you to increase the capacity of a unidirectional channel. The key feature of the implementation is that the limitation of information transfer is determined by the logic of the firmware, and not at the hardware level. As a rule, such systems are implemented on the basis of a secure operating system microkernel, which is responsible for the logical separation of networks without a return channel. Such systems can have a throughput of up to 10 Gbit/s, support standard transport protocols and offer additional service capabilities, for example, support for HTTP status codes.
One of the key advantages of Data Diode is its compatibility with the link, network, transport and application layer protocols of the OSI model. However, the specific protocols used vary by manufacturer.
Use cases
First scenario
Most often, the Data diode is used on one channel when transferring data from an unprotected network to a secure one. In this case, the device prevents the leakage of confidential information that is stored and processed within a secure network.
This approach has found wide application in automated process control systems (APCS), where it is necessary to transfer parameters from logical controllers, signals from sensors and other data between system components. In this case, components can be located both in a secure network and in external environments.
Second scenario
In addition to using a Data diode, which provides security for one data link, it is possible to create two independent unidirectional links using a Data diode on each. One of them is designed for transmitting data to a secure network, and the second is for transmitting data to external systems.
In this case, it is possible to fully exchange information between different networks. At the same time, to carry out a successful cyber attack, it is necessary to gain access to both independent channels at once and overcome the security system of each of them.
In addition, the use of a mixed scheme increases fault tolerance, since the channels operate independently. Additionally, it is possible to use several Data diodes in one direction, located at different vulnerable points of the network.
For example, Data diodes can be placed between the data server and the ICS segment or corporate network. This provides an additional layer of security by separating data flows and creating barriers to possible attacks from different parts of the network.
Data diode features
According to some indicators, data diodes are significantly superior to other means of information security, which we will talk about in the next chapter, but the solution also has a number of features.
Advantages
- Data diode provides a high level of security due to the fact that information can only move in one direction, preventing the possibility of intrusion from a less reliable network to a more secure one.
- The technology has a relatively high degree of reliability and fault tolerance, as it uses a hardware solution for physical separation of networks.
- Easy to install and use. To connect, you will need to provide power to the device and two network cables that connect the gateways (switching equipment). Use and configuration are possible through the terminal or the web interface, if available. When starting operation, no hardware configuration is required.
- Because the Data diode operates at the physical layer and does not require application-level authentication or encryption protocols, data transfer rates can be very high.
Flaws
- Some Data diode solutions can be expensive, especially if high throughput or advanced functionality is required.
- The Data diode is designed to transmit data over a network or fiber optic cable, therefore, it may have limited data processing and filtering capabilities.
- Unidirectional data transfer may be inconvenient in some scenarios where two-way communication is required.
Comparison with other approaches
Let's compare Data diode technology with other information security technologies such as firewalls, virtual private networks (VPN) and data encryption.
Data diode vs firewalls
A firewall is a hardware or software package that monitors network packets, filtering their passage. The firewall relies on configured settings to block or allow traffic.
Differences
Firewalls provide control and filtering of incoming and outgoing traffic. Data Diodes, on the other hand, only transmit data in one direction. Firewalls do not have the ability to physically separate networks into different segments, so they could theoretically be more susceptible to cyber attacks.
Data diode vs virtual private networks (VPN)
A VPN provides a secure connection between remote users and an organization's central resources over public networks. Typically, encryption protocols are used to ensure the confidentiality of transmitted data.
Differences
Data diode provides one-way data transfer, while VPN provides two-way communication between remote users and the organization's network, and also encrypts the traffic.
Data diode is typically used to transfer data between different security layers, while VPN is used to secure communications between remote users and central resources.
Data diode vs data encryption
Data encryption ensures the confidentiality of information by converting it into an unreadable format for third parties.
Differences
Data diode is designed to transfer data between networks of different security levels, while data encryption ensures the confidentiality of information during transmission or storage.
Data diode does not necessarily include an encryption process, although it may work with encrypted data depending on configuration.
Conclusion
Data diode provides unidirectional data transfer, protecting critical systems from cyber attacks and ensuring their continuity of operation. This may be especially relevant in the context of the emerging Industrial Internet of Things (IIoT) segment.
Thanks to physical isolation, the Data diode becomes a reliable tool for protecting command and control systems from external threats.
In addition, growing interest in this technology from major global software and hardware manufacturers indicates an increase in market potential and the emergence of new innovations in this area.
Did you know about this technology before? Maybe you had to work with it in practice? Share your opinion in the comments!
