Prevent intrusion and maintain network integrity with Data Diodes
SecuriCDS Data Diode prevents intrusion and leakage in addition to maintaining network integrity and confidentiality. This high assurance solution safeguards assets for operators within ICS/SCADA or the defence industry.
Unidirectional information exchange between networks
SecuriCDS Data Diode allows for real time, unidirectional information exchange between networks. Many networks require extra protection against manipulation and data leakage as they contain classified or sensitive information. Sometimes they are kept isolated for safe keeping. However, there are times when certain information has to be sent into, or out of, such networks. In such cases, a data diode can be the right solution. Advenica’s data diodes have an optical hardware separation to guarantee a unidirectional separation between the two networks.
The use cases range from importing software updates or virus definitions, connecting ICS systems to other networks, to importing e.g. OSINT information to a secret analysis network.
Models and prices
We offer a selection of data diodes with different perks and conditions. The price starts at around 3000€ CAPEX but depends on what product you purchase and how complex the solution you need is. The base products do not come with any need for MSA (Maintenance and Support Agreement).
Hardware
Software
SecuriCDS DD1000i
Unidirectional Security Gateway
DD1000i includes integrated server hardware for proxies and can be mounted in a 19” rack system (height: 1U). This data diode model takes data protection to a higher level. By offering a powerful solution for efficient, risk-free data transfer between closed and open networks, proxies are designed, developed and tested to meet the requirements for interacting with highly sensitive information.
SecuriCDS DD1000A
Unidirectional Data Flow
The DD1000A offers high performance in a small package, measuring only 216 x 167 x 44 mm. One or two DD1000A can be mounted in a 19″ rack system using only 1U. DD1000A operates on Ethernet layer 2 and supports unidirectional protocols e.g. UDP.
Data diode DD1G
Unidirectional Data Flow
DD1G series offer high performance and secure data transfer for Ethernet Layer 2. The series include stand alone devices as well as DIN rail mounted devices, all in a very compact format (130x20x150/163 mm). By using a proxy service the data diodes can handle common communication protocols and translate them into unidirectional dataflows.
Data Diode DDSFX – 10G
SFP modules for secure 10G transfers
This hardware enforced data diode with a small form factor, enables you to send and receive data from two separate networks, where the source and destination can be 10km apart.
Data Diode Engine
Proxy software
The Advenica Data Diode Engine is a standalone proxy software solution that enables efficient and secure data transfer through any ethernet-based data diode from Advenica. In combination with ready-to-use software services it enables use case specific network segmentation solutions for a variety of installation environments.
Data Diode Services
Services for your data diodes
The Advenica Data Diode Services are software applications that enable multiple use cases for one-way data flow supported by data diodes. The service handles the integration with applications on the source and destination networks, facilitating integration in the target system.
Key features
SecuriCDS Data Diode guarantees unidirectional separation between network interfaces. It contains optical fibre with a transmitter on one side and a receiver on the other side, with no chance of a two-way transfer.
Network separation
The separation between the two data interfaces on a data diode is vital. In the SecuriCDS Data Diodes, the separation and diode functionality are based on an optical transmitter and receiver. The design guarantees that no data passes in the opposite direction. The SecuriCDS Data Diodes even includes the possibility to use dual power supplies to eliminate potential covert channels in the reverse direction.
Integrated proxy servers
Integrated proxy servers to enable handling of common communication protocols, e.g. data, file or network time transfers, are included in SecuriCDS Data Diode model D1000i. This data diode handles application level protocols and is easily integrated into any system.
Component assurance level N3
Advenica’s data diodes SecuriCDS DD1000A and SecuriCDS DD1000i are approved by the Swedish Armed Forces with the component assurance level N3 according to Swedish national security requirements. The component assurance level N3 can be used in systems with high impact level (e.g. handling secret information up to SECRET/TOP SECRET) but where the component level of exposure is somewhat limited.
High assurance data diodes
Advenica’s data diodes meets the highest demands on both security and assurance. Internal separation of functions, multi-stage unidirectional security and deep security analysis provides trust and high assurance. Special attention has been given to eliminate the risk of covert channels in the reverse direction.
Some security challenges where datadiodes are a good solution
Traceability and security logging
Centralised logging in security-sensitive systems involves an enhanced risk of attacks. To reduce the risks, a solution is needed that protects both log data and all connected systems. Read more about traceability and security logging.
Secure transfer of SCADA information
To transmit critical information, e.g. from a SCADA system to an administrative office network means potential security risks. But there are solutions that take care of security problems and at the same time enables an exchange of information. Read more about secure transfer of SCADA information.
Secure updates
Updates for Windows and Linux systems are an important part of maintaining the security of the digital information in these systems. However, the updates themselves may be a security risk – to avoid these risks and to maintain the integrity and availability of the systems and be able to make secure updates, special solutions are required. Read more about secure updates.
What data diode do you need?
There are many kinds of data diodes. Depending on your needs, some data diodes might be a better choice than others. To help you find the best data diode, you can use our data diode selector!
Data Diodes
Here are some frequently asked questions about our Data Diodes!
Data diodes are expensive, right?
The word “expensive” is a relative term if a data diode is viewed solely as an expense. Actually, a data diode is an investment that can be cheaper than not having bought it in the first place. It is all about the alternative cost and risk apetite of not having sufficient security. If the use case is right for a data diode, it is not only more secure but also lower in TCO(Total Cost of Ownership) to alternative technologies as it demands less in maintenance, administration, and support. Read more about it here!
How do we calculate the ROSI?
To calculate the ROSI (Return on Security Investment) is about calculating what the lack of security can cost and what the most cost-effective solutions are – this to be able to know what you should spend on security. Read more about how to do it here!
How much does it cost?
We offer a selection of data diodes with different perks and conditions. The price starts at around €3000 CAPEX but depends on what product you purchase and how complex the solution you need is. The base products do not come with any need for MSA (Maintenance and Support Agreement).
What are the alternatives?
For unidirectional data communication flow, a data diode is the most secure alternative. But, if you require data communication in two directions, there are other solutions you could choose – for example, a Security Gateway. (In some cases a network design with data diodes in opposite directions can be a solution.) A Security Gateway only forwards received information when it complies with a certain policy which is derived from your organisation’s information security policy. Read more about Security Gateways!
What is the difference between a configured firewall and a data diode?
A data diode contains special hardware designed in such a way that there are no known physical methods or properties that can be used to transmit information in the reverse direction, i.e. in the wrong direction through the data diode. A firewall configured for unidirectional traffic ensures this with software that may contain backdoors, bugs, and exploitable vulnerabilities. It is also difficult to guarantee the correctness of the configuration during the entire time the firewall is in operation. In addition, there are examples of firewalls which, despite being configured for unidirectional traffic, still allowed some data traffic in the wrong direction.
Can a data diode function in both directions?
That depends on how the question is meant. One data diode cannot function in both ways as a data diode guarantees unidirectional separation between network interfaces. It contains optical fiber with a transmitter on one side and a receiver on the other side, with no chance of a two-way transfer. But you can of course make a two-way secure communication design with a data diode in each direction. Another option when you need a secure two-way communication is to use Security Gateways, e.g. Advenicas ZoneGuard. ZoneGuard, allows for a strictly controlled two-way filtered information flow supporting third party controls for enforcing a digitally signed information policy. Read more about ZoneGuard.
Are your data diodes approved according to Common Criteria?
Advenica solutions have been awarded several prestigious approvals by the European Union, national certification bodies and international IT security certification bodies. Currently, our data diodes do not have the common criteria certification, but they are available with approval on assurance level N3 by the Swedish Armed Forces. It means that you can use Advenica’s approved data diodes to let secure networks receive information from open or lower classified networks. Important to know is that a Common Criteria approval does not guarantee that you will not discover vulnerabilities. Most, if not all, products with Common Criteria-certifications need to be updated when vulnerabilities are identified. The core of an Advenica data diode is based on physical separation and is immutably secure without updates. Read more about our certifications.
Do you control all your production, including all components?
Advenica offers solutions for cybersecurity that meet the highest security requirements. Our product development differs in many ways from traditional development as our customers require us to demonstrate that our solutions offer high assurance security. This can only be achieved if all work is possible to evaluate. We develop and manufacture the vital parts of our solutions in-house to ensure the highest level of security (high assurance). We ensure IT security, protection of development and production environments, perimeter security of the premises and the availability of a reliable, security conscious workforce. We design the products with as few components as possible that are vital from a security perspective, and that vital parts can be assembled or supplied under our own control. We perform final configuration and control ourselves on our premises with our own personnel and under strict security control. Read more about our high assurance product development in our White Paper.
What is the delivery time?
We generally have very short delivery times and can usually deliver your products within a week. The time from the point of delivery of the products until they are functioning is also very short, provided that other relevant infrastructure is in place.
What is the difference between the different data diodes?
All our data diodes have high performance and provides physical separation in the forbidden backward direction. DD1000i includes integrated server hardware and software for the proxies. It can solve two-way network protocols and is available in a military approved version. The DD1000A offers in a small form factor, measuring only 216 x 167 x 44 mm, the same military approved high assurance. The DD1G series offer secure data transfer in a very compact format (130x20x150/163 mm) and can be delivered as DIN-mountable or stand-alone. Read more about the different models and what protocols they support.