A data diode is a cybersecurity solution that ensures a one-way flow of information. A data diode maintains network integrity by preventing intrusions, network confidentiality by protecting the most valuable information, and availability by stopping production-disrupting attacks. There are several different areas of use, or use cases, where a data diode is exactly what you need. But there are also areas of use where a data diode is not suitable. In this blog post, we go through some of those cases!
Why do you need a data diode?
A solution often used to protect sensitive or classified information from leakage or manipulation is to disconnect it from other networks entirely. However, there are situations when data needs to be transferred to or from the protected network.
The most common device used to regulate the flow of information is probably a firewall. This is a device with the purpose of protecting your network by only allowing certain traffic to enter. It monitors and filters what traffic and data packets enter the network and is blocked based on a set of rules. But if you need to transfer information to or from a security-sensitive network, a firewall is not the only solution in your toolbox to improve your cybersecurity.
Cross Domain Solutions (CDS) is a collective name for products and solutions that enable controlled communication between different networks or security domains, with different security or protection requirements. Most people often associate this with firewalls, but there are alternative solutions that can both have higher assurance and simplify. Advenica’s CDS products focus on high assurance and security over time. A data diode is a Cross Domain Solution.
By using a data diode, you can ensure that the transfer is carried out securely, without risking the integrity or confidentiality of the network.
How does a data diode work?
Data diodes are the fail-safe way to protect sensitive systems and confidential data. A data diode is a security product that is placed between two networks and acts as a non-return valve whose function only allows data to be sent in one direction while blocking all data in the opposite direction. Since the data diode’s security features are based on hardware and optical fiber, it can be shown that it is physically impossible for data to be transported in the opposite direction. Since the security is not based on software, there are no vulnerabilities in the form of software bugs or misconfiguration, nor can it be attacked by malicious code. Hardware-based security means that it can be shown that data diodes have high assurance.
Some examples of when a data diode is not the right solution
Here are some examples when a data diode cannot be used:
Protection of webshop against attacks
A webshop must always be reachable from the internet and also needs to be able to present data to customers, i.e. traffic must be able to go in both directions. As a data diode ensures unidirectional information flow, this security solution becomes impossible in this example.
However, if the webshop is to present real-time data from a production system, a data diode is a suitable solution between the webshop and the production system. With such a solution, the data can be replicated or “streamed” out from the production system to the webshop in a secure manner. The result is that you can present real-time data on the webshop without risking that the production system is exposed to the internet.
A database needs to be protected from incorrect input
Communication between the client or application and the database must be bidirectional as a question needs an answer. But in a situation where the database is only to receive data, for example logs, a data diode with the support of integrated special proxies can be used between the data source and the database. But if the data is incorrect or contains dangerous elements, the data diode cannot filter this out unless you define policies for the data in proxies or other supplementary equipment.
However, one can collect data for analysis from a high-security network (e.g. OT) to a database in an administrative network or even in the cloud while maintaining the “air-gap” in one direction via a data diode. If the database’s information is needed from the low-security network to the high-security network, this solution will not work as no responses from the database will reach the high-security network. As an alternative solution, a “master” database can be mirrored to a “presentation” database using various techniques in order to protect the “master” database in the high-security network from manipulation.
Protection of collaboration tools from attacks
Collaboration tools such as MS Teams are by definition based on two-way communication. Since a data diode can only handle communication in one direction, a data diode becomes irrelevant for this type of application.
But, if you want to use collaboration tools internally in an isolated environment, it is a good solution to use a data diode that maintains the isolation of the network as long as the collaboration traffic is not to pass. Today’s collaboration tools contain many functions and many ways to communicate. If you want to be able to securely transmit information (video/audio/text) without the risk of the information being manipulated on the server, you can advantageously use a data diode to protect the transmitting server from the receiving network.
Email protection
Email is still the most important communication channel for most companies, and despite competition from other collaboration tools, email maintains its position as the leading communication channel. As described in the previous use case, e-mail is by definition based on two-way communication and thus not an application suitable for a data diode.
The exception is if, for example, you want to receive alarms or other information via e-mail from an isolated network. Then you can manage it through a data diode using proxy technology. The proxy on the protected side can then act as mail server and the proxy on the open side act as mail client, alternatively if you have mail servers on both sides, both proxies can act as MTA (Mail Transfer Agent).
Five things you can use data diodes for
You can use a data diode for a lot more than you think. There are countless solutions, but here are five uses you might not have known about!
1. Data diodes and IoT sensor networks
If you have an IoT sensor network, you want to be able to protect your network from tampering, but still be able to export sensor data. If the sensors are manipulated, it can have major consequences as very critical information is often involved. It is also crucial that incorrect data is not sent. When the sensor data is exported, the data diode can ensure that the information can be extracted, but that the sensor network is protected against threats. In this case, the data diode is connected so that only export of sensor data is possible.
2. Data diodes and HTTP mirror
An HTTP mirror is a way to mirror a website into a secure network in order to view the content securely. By using an HTTP mirror you do not have to retrieve the information directly online, and thus limit the possibilities for cyberattacks. A data diode makes sure that the website can be mirrored/copied into the protected environment and ensures that no information is leaked.
3. Data diodes and traffic tapping
By using TAP (Test Access Point) or port mirroring (e.g. SPAN) where the traffic is dropped on a mirrored port on (usually) a switch, you can do a traffic tapping on a duplicate of the traffic. This way you can monitor OT or ICS systems without security risks.
It can also be of value to know if someone has been inside your system and to be able to see exactly what has happened – then you can use a so-called intrusion detection system. In this case, a data diode can be used to ensure that the intrusion detection system can only listen to the traffic, but not in any way affect the systems in OT/ICS.
4. Data diodes and video streaming
When streaming video, for example through a surveillance camera, a good security solution can be to let the multiple streams of information flow through a data diode. The purpose of the data diode will then be to protect the IT environment so that the connection between camera and network does not become an input for an attack.
5. Data diodes and logging
Data diodes can be a good solution when working with logging. The purpose of logging is to be able to see if something has gone wrong, and if so what, much like a black box in an airplane. When exporting log data from a device that you want to monitor, a data diode can ensure that the log information can only go in one direction, so that the log analysis system cannot affect the sensitive systems being monitored.
Read more about data diodes and who needs a data diode!
Feel free to contact us and we will tell you more about how data diodes can help you with your security challenges!
