
Prevent intrusion and maintain network integrity with Data Diodes

SecuriCDS Data Diode not only prevents intrusion and maintains network integrity but just as effectively prevents leakage and maintains network confidentiality. This high assurance solution safeguards assets for operators within ICS/SCADA or the defence industry.

Unidirectional information exchange between networks

SecuriCDS Data Diode allows for real-time, unidirectional information exchange between networks. Many networks require extra protection against manipulation and data leakage as they contain classified or sensitive information. Sometimes they are kept isolated for safekeeping. However, there are times when certain information has to be sent into, or out of, such networks. In such cases, a data diode can be of help.

SecuriCDS Data Diode models

SecuriCDS DD1000i Unidirectional Security Gateway

DD1000i includes integrated server hardware for proxies and can be mounted in a 19” rack system (height: 1U). This data diode model takes data protection to a higher level. It offers a powerful solution for efficient, risk-free data transfer between closed and open networks, and its proxies are designed, developed and tested to meet the requirements for interacting with highly sensitive information.


SecuriCDS DD1000A Unidirectional Data Flow

The DD1000A offers high performance in a small package, measuring only 216 x 167 x 44 mm. One or two DD1000A units can be mounted in a 19″ rack system using only 1U. The DD1000A operates on Ethernet layer 2 and supports unidirectional protocols, e.g. UDP.


Data diode DD1G Unidirectional Data Flow

The DD1G series offers high performance and secure data transfer for Ethernet Layer 2. The series includes stand-alone devices as well as DIN rail mounted devices, all in a very compact format (130x20x150/163 mm). By using a proxy service, the data diodes can handle common communication protocols and translate them into unidirectional data flows.


Data Diode Engine

The Advenica Data Diode Engine is a standalone proxy software solution that enables efficient and secure data transfer through any Ethernet-based data diode from Advenica. In combination with ready-to-use software services, it enables use-case-specific network segmentation solutions for a variety of installation environments.


Key features

SecuriCDS Data Diode guarantees unidirectional separation between network interfaces. It contains optical fibre with a transmitter on one side and a receiver on the other side, with no chance of a two-way transfer.

Network separation

The separation between the two data interfaces on a data diode is vital. In the SecuriCDS Data Diodes, the separation and diode functionality are based on an optical transmitter and receiver. The design guarantees that no data passes in the opposite direction. The SecuriCDS Data Diodes even include the possibility to use dual power supplies to eliminate potential covert channels in the reverse direction.

Integrated proxy servers

Integrated proxy servers that handle common communication protocols, e.g. data, file or network time transfers, are included in SecuriCDS Data Diode model DD1000i. This data diode handles application-level protocols and is easily integrated into any system.

Component assurance level N3

Advenica’s data diodes SecuriCDS DD1000A and SecuriCDS DD1000i are approved by the Swedish Armed Forces with the component assurance level N3 according to Swedish national security requirements. The component assurance level N3 can be used in systems with high impact level (e.g. handling secret information up to SECRET/TOP SECRET) but where the component level of exposure is somewhat limited.

High assurance data diodes

Advenica’s data diodes meet the highest demands on both security and assurance. Internal separation of functions, multi-stage unidirectional security and deep security analysis provide trust and high assurance. Special attention has been given to eliminating the risk of covert channels in the reverse direction.

Safeguarding network confidentiality

Protected or secret networks have very high security requirements regarding confidentiality. High assurance data diodes provide the necessary safeguard, making sure that information leakage cannot occur. The use cases range from importing software updates or virus definitions to importing e.g. OSINT information to a secret analysis network.

Return on Security Investment

Using a data diode is a highly cost-effective way to protect sensitive information. Read more about our calculation of what the Return on Security Investment (ROSI) can be for a data diode!

Protecting Industrial Control Systems (ICS)

Connecting ICS systems to other networks poses a great security risk, and security measures must be taken to prevent intrusion and to maintain the network integrity. SecuriCDS Data Diodes provide the most secure option as the information can only be sent out from the ICS network to e.g. the business network. This effectively mitigates the cybersecurity risks while enabling information transfer.

Optical hardware separation

SecuriCDS Data Diodes are one-way information transfer devices that connect two networks of the same or different security levels. The data diodes have an optical hardware separation to guarantee a unidirectional separation between the two networks.

Some security challenges where data diodes are a good solution

Traceability and security logging

Centralised logging in security-sensitive systems involves an enhanced risk of attacks. To reduce the risks, a solution is needed that protects both log data and all connected systems. Read more about traceability and security logging.

Secure transfer of SCADA information

Transmitting critical information, e.g. from a SCADA system to an administrative office network, means potential security risks. But there are solutions that take care of the security problems and at the same time enable an exchange of information. Read more about secure transfer of SCADA information.

Secure updates

Updates for Windows and Linux systems are an important part of maintaining the security of the digital information in these systems. However, the updates themselves may be a security risk. To avoid these risks, maintain the integrity and availability of the systems, and be able to make secure updates, special solutions are required. Read more about secure updates.

Data Diodes

Here are some frequently asked questions about our Data Diodes!

Data diodes are expensive, right?

The word “expensive” is a relative term if a data diode is viewed solely as an expense. Actually, a data diode is an investment that can be cheaper than not having bought it in the first place. It is all about the alternative cost and risk appetite of not having sufficient security. If the use case is right for a data diode, it is not only more secure but also lower in TCO (Total Cost of Ownership) than alternative technologies, as it demands less in maintenance, administration, and support. Read more about it here!

How do we calculate the ROSI?

Calculating the ROSI (Return on Security Investment) is about calculating what the lack of security can cost and what the most cost-effective solutions are, so that you know what you should spend on security. Read more about how to do it here!

How much does it cost?

We offer a selection of data diodes with different perks and conditions. The price starts at around €3000 CAPEX but depends on what product you purchase and how complex the solution you need is. The base products do not come with any need for an MSA (Maintenance and Support Agreement).

What are the alternatives?

For unidirectional data communication flow, a data diode is the most secure alternative. But, if you require data communication in two directions, there are other solutions you could choose – for example, a Security Gateway. (In some cases a network design with data diodes in opposite directions can be a solution.) A Security Gateway only forwards received information when it complies with a certain policy which is derived from your organisation’s information security policy. Read more about Security Gateways!

What is the difference between a configured firewall and a data diode?

A data diode contains special hardware designed in such a way that there are no known physical methods or properties that can be used to transmit information in the reverse direction, i.e. in the wrong direction through the data diode. A firewall configured for unidirectional traffic ensures this with software that may contain backdoors, bugs, and exploitable vulnerabilities. It is also difficult to guarantee the correctness of the configuration during the entire time the firewall is in operation. In addition, there are examples of firewalls which, despite being configured for unidirectional traffic, still allowed some data traffic in the wrong direction.

Can a data diode function in both directions?

That depends on how the question is meant. One data diode cannot function in both directions, as a data diode guarantees unidirectional separation between network interfaces. It contains optical fibre with a transmitter on one side and a receiver on the other side, with no chance of a two-way transfer. But you can of course make a two-way secure communication design with a data diode in each direction. Another option when you need secure two-way communication is to use Security Gateways, e.g. Advenica’s ZoneGuard. ZoneGuard allows for a strictly controlled two-way filtered information flow supporting third party controls for enforcing a digitally signed information policy. Read more about ZoneGuard.

Are your data diodes approved according to Common Criteria?

Advenica solutions have been awarded several prestigious approvals by the European Union, national certification bodies and international IT security certification bodies. Currently, our data diodes do not have Common Criteria certification, but they are available with approval on assurance level N3 by the Swedish Armed Forces. It means that you can use Advenica’s approved data diodes to let secure networks receive information from open or lower classified networks. It is important to know that a Common Criteria approval does not guarantee that you will not discover vulnerabilities. Most, if not all, products with Common Criteria certifications need to be updated when vulnerabilities are identified. The core of an Advenica data diode is based on physical separation and is immutably secure without updates. Read more about our certifications.

Do you control all your production, including all components?

Advenica offers solutions for cybersecurity that meet the highest security requirements. Our product development differs in many ways from traditional development as our customers require us to demonstrate that our solutions offer high assurance security. This can only be achieved if all work is possible to evaluate. We develop and manufacture the vital parts of our solutions in-house to ensure the highest level of security (high assurance). We ensure IT security, protection of development and production environments, perimeter security of the premises and the availability of a reliable, security-conscious workforce. We design the products with as few components as possible that are vital from a security perspective, and so that the vital parts can be assembled or supplied under our own control. We perform final configuration and control ourselves on our premises with our own personnel and under strict security control. Read more about our high assurance product development in our White Paper.

What is the delivery time?

We generally have very short delivery times and can usually deliver your products within a week. The time from the point of delivery of the products until they are functioning is also very short, provided that other relevant infrastructure is in place.

What is the difference between the different data diodes?

All our data diodes have high performance and provide physical separation in the forbidden backward direction. DD1000i includes integrated server hardware and software for the proxies. It can solve two-way network protocols and is available in a military approved version. The DD1000A offers the same military approved high assurance in a small form factor, measuring only 216 x 167 x 44 mm. The DD1G series offers secure data transfer in a very compact format (130x20x150/163 mm) and can be delivered as DIN-mountable or stand-alone. Read more about the different models and what protocols they support.

Approvals

Our data diodes have national approvals in several countries. Please contact your Advenica sales representative for specific country information.

The EU certification/approval system does not apply to non-cryptographic products. Advenica’s Data Diodes have been certified in three EU Member States for use up to national security class SECRET. Usually for cryptographic products, the EU requires the opinion of two Member States before granting an approval. If the EU certification/approval program had included non-cryptographic products, Advenica’s data diodes would have been approved for use up to and including EU SECRET security class.

Certifications and approvals

Advenica solutions have been awarded several prestigious approvals by the European Union, national certification bodies and international IT security certification bodies. We also hold a US patent for our VPN technology, Three Domain Separation.

Warranty

Advenica warrants that this product will be free from defects in material and workmanship for one (1) year from the date of purchase.