Data diodes

What is a data diode?

A data diode is a device that relays data in one direction only. A secure gateway solution built around the data diode enables the transfer of data across networks in different security domains and protects critical industrial processes from cyber threats.

Typical applications

  • Secure and automated data transfer across different security domains
    • File transfer, e.g. classified documents
    • Distribution of antivirus and Windows updates to high security networks
    • Database mirroring to high security networks
  • Industrial Control Systems (ICS)
    • Sharing production data to the corporate network
    • Monitoring production sites from the corporate network

Secure gateway solutions based on Fox DataDiodes

  • Complete solution from a single provider
    • Secure gateway: data diode, proxy servers and software
    • Consultation, design, deployment, training, support and maintenance
  • Tailored solutions
    • Software customisation, e.g. content analysis
    • Integration with log management / SIEM solutions
  • Uncompromised security
    • Fox-IT’s certified DataDiodes (Common Criteria EAL7+)
    • Insta’s security and quality certified processes: ISO/IEC 27001, ITILv2 & ITIL 2011, AQAP 2110 and ISO 9001

Further information

Please contact us for more information.

Further information is also available on Fox-IT’s homepage and DataDiode page.

The challenge: How to protect critical assets while allowing data transfer

It is vital for an organisation to reliably control access to networks hosting confidential information, such as classified documents. On the other hand, data transfer has to be allowed, both so that the documents can be accessed and so that security updates can be relayed to the protected networks.

A common approach to protecting classified information is to set up a disconnected, totally isolated network (also called an air gap). Transferring information to such an isolated network typically involves offline transportation of data on removable media such as USB flash drives. In principle, this seems like a technically secure method, but it is prone to human error. Moreover, it is not real-time and is inefficient.

In Industrial Control Systems (ICS), it is critical to prevent attacks on production facilities in order to avoid costly process disruptions. However, in order to share production data and monitor production sites, a connection is needed between the production network and the corporate network.

A firewall won't guarantee security

Sometimes, a firewall is used to control the flow of information between different security domains. This is real-time but does not provide uncompromised security. For example, a vulnerability in the firewall software may allow an attack, and there is no way of verifying that the product is free of backdoors. However, the biggest security risk is the administrator who—intentionally or otherwise—might configure the firewall to allow unwanted traffic.

Data diode combines confidentiality and flexibility

With a data diode based secure gateway solution, confidentiality and availability, two seemingly contradictory requirements, can be combined. The guaranteed one-way connection provided by the data diode prevents unwanted access to business assets while facilitating the free flow of information.

The data diode is integrated into the surrounding network environment by installing proxy servers on each side of the diode. The servers enable the use of two-way protocols, since the diode itself carries no return traffic, and they can perform content analysis on the relayed data. The servers can also be connected to a log management or SIEM system to store the analysis results and to generate security alarms.

The data diode device is the key element in guaranteeing that information flows in one direction only. To ensure a secure implementation, Insta uses Fox DataDiodes certified at the highest level (Common Criteria EAL7+). In the Fox DataDiode, only one strand of fibre of an optical cable pair is used, and hence no hardware exists to send data the other way.
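The proxy pair described above, as an added example that is not Insta's or Fox-IT's code: a sending proxy that can never receive an acknowledgement across the diode, so it numbers, hashes and repeats every frame, and a receiving proxy that reassembles, verifies, applies a content policy and emits SIEM-style log lines. The chunk size, repeat count, frame format and the `MZ` policy are constructed for the demo.

```python
import hashlib
import json

# Constructed illustration (not Insta's or Fox-IT's software). The link has no
# return path, so the sender cannot get ACKs/NAKs: repetition is its only defence
# against loss, and the receiver must detect what could not be recovered.
CHUNK = 8      # bytes per chunk (tiny for the demo)
REPEAT = 3     # copies of each frame sent across the diode

def encode_frames(name, data, chunk=CHUNK, repeat=REPEAT):
    """Sending proxy: split, hash, number, add a manifest, repeat every frame."""
    chunks = [data[i:i + chunk] for i in range(0, len(data), chunk)]
    frames = [json.dumps({"seq": i, "data": c.hex(), "sha256": hashlib.sha256(c).hexdigest()})
              for i, c in enumerate(chunks)]
    frames.append(json.dumps({"manifest": name, "count": len(chunks),
                              "sha256": hashlib.sha256(data).hexdigest()}))
    return [f.encode() for f in frames for _ in range(repeat)]

def diode_link(frames, dropped=()):
    """One-way link: frames whose index is listed in `dropped` never arrive."""
    return [f for i, f in enumerate(frames) if i not in set(dropped)]

def receive(frames, policy=lambda d: not d.startswith(b"MZ")):
    """Receiving proxy: returns (data or None, log lines for the SIEM)."""
    got, manifest, log = {}, None, []
    for raw in frames:
        try:
            f = json.loads(raw)
        except ValueError:
            log.append("ALERT malformed frame dropped")
            continue
        if "manifest" in f:
            manifest = f
            continue
        c = bytes.fromhex(f["data"])
        if hashlib.sha256(c).hexdigest() != f["sha256"]:
            log.append(f"ALERT chunk {f['seq']} failed hash check")
            continue
        got[f["seq"]] = c                  # duplicate copies simply overwrite
    if manifest is None:
        return None, log + ["ALERT no manifest received"]
    missing = [i for i in range(manifest["count"]) if i not in got]
    if missing:
        return None, log + [f"ALERT {manifest['manifest']}: missing chunks {missing}"]
    data = b"".join(got[i] for i in range(manifest["count"]))
    if hashlib.sha256(data).hexdigest() != manifest["sha256"]:
        return None, log + [f"ALERT {manifest['manifest']}: file hash mismatch"]
    if not policy(data):
        return None, log + [f"ALERT {manifest['manifest']}: rejected by content policy"]
    return data, log + [f"INFO {manifest['manifest']}: delivered {len(data)} bytes"]
```

Losing one copy of every frame is survivable with `REPEAT = 3`, but losing all copies of a single chunk can only be reported, not repaired, which is why the alarm path into the SIEM matters.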