A data diode example: one-way traffic in Italy
A couple of years ago, the Italian Ministry of Defense only used a classic CC EAL4+ firewall to protect critical infrastructures and secure networks. Considering this military environment often worked with highly confidential and sensitive information, this classic security measure was not sufficient. That is why the ministry decided to look for a better solution. Seeing as the organization had already been working with a ‘one-way traffic’ principle for several years, opting for a data diode was a logical conclusion. But why did the Italian Ministry of Defense choose Fox-IT to deliver and implement its Fox DataDiode? Learn more in this data diode example.
The Ministry of Defense’s network consists of multiple separate networks with various classification levels. As long as these levels are separated by an air gap, they are sufficiently secure. But when a network holding highly confidential information has to receive data from a network with a lower classification level, it is a completely different story. In that case, the information must be allowed to reach the well-protected network without anything leaking back the other way. A data diode is a data valve that ensures information between networks can only travel one way, making it the perfect solution for this particular situation.
A data diode in this scenario makes outbound traffic physically impossible, which means it prevents confidential and classified information from being leaked. However, it does not stop incoming traffic, which could potentially undermine a well-protected network. In practice, inbound traffic is therefore first guided through a network with all the required security measures, ranging from antivirus to IPS and SIEM. These security measures are supplemented with additional techniques, such as file format conversion (for example, Word to PDF), to neutralize potentially harmful content. Although the risks are minimal, it is theoretically still possible that, despite all the measures, malware finds its way into the protected network. This is an accepted and calculated risk. The primary objective, however, remains to prevent any information from leaving the network.
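The one-way property described above has a consequence the page does not spell out: the receiving side can never acknowledge a frame or ask for a retransmission, so a protocol crossing a data diode must be self-describing and pay for reliability with redundancy and integrity checks rather than dialogue. The following Python simulation is an added illustration of that principle and is not Fox-IT code or a description of the Fox DataDiode's own protocol; the frame layout, the `OneWayLink` class with its constructed `drop` set standing in for lost frames, the sample message and the SHA-256 digest are all assumptions made for the example.

```python
import hashlib
from dataclasses import dataclass

CHUNK_SIZE = 16  # small so a short constructed message spans several frames


@dataclass(frozen=True)
class Frame:
    """One unit crossing the diode: self-describing, so the receiver needs no dialogue."""
    transfer_id: str
    seq: int          # position of this chunk within the transfer
    total: int        # number of chunks in the whole transfer
    digest: str       # SHA-256 of the complete payload, for end-to-end integrity
    payload: bytes


def make_frames(transfer_id: str, data: bytes, repeat: int = 2) -> list:
    """Split data into frames and emit each frame `repeat` times.

    The receiver cannot request a retransmission through a diode, so the sender
    buys reliability up front with redundancy instead of acknowledgements.
    """
    digest = hashlib.sha256(data).hexdigest()
    chunks = [data[i:i + CHUNK_SIZE] for i in range(0, len(data), CHUNK_SIZE)] or [b""]
    frames = [Frame(transfer_id, i, len(chunks), digest, c) for i, c in enumerate(chunks)]
    return frames * repeat


class OneWayLink:
    """Simulated diode (hypothetical). The low side only has send(); the high side only drain().

    `drop` is a constructed set of send positions to discard, standing in for frames
    lost on the wire. Losses are silent: nothing can travel back to the sender.
    """

    def __init__(self, drop=None):
        self._queue = []
        self._sent = 0
        self._drop = set(drop or ())

    def send(self, frame: Frame) -> None:
        if self._sent not in self._drop:
            self._queue.append(frame)
        self._sent += 1

    def drain(self) -> list:
        frames, self._queue = self._queue, []
        return frames


class Receiver:
    """High-side reassembly. On failure its only options are to log and alert."""

    def __init__(self):
        self._transfers = {}

    def accept(self, frames) -> None:
        for f in frames:
            t = self._transfers.setdefault(
                f.transfer_id, {"total": f.total, "digest": f.digest, "chunks": {}})
            if f.total != t["total"] or f.digest != t["digest"]:
                continue  # inconsistent metadata under one transfer id: ignore the frame
            t["chunks"].setdefault(f.seq, f.payload)  # duplicate copies are harmless

    def reassemble(self, transfer_id: str):
        """Return (data, status); data is None unless every chunk arrived and the digest matches."""
        t = self._transfers.get(transfer_id)
        if t is None:
            return None, "unknown transfer"
        missing = [i for i in range(t["total"]) if i not in t["chunks"]]
        if missing:
            return None, f"missing frames {missing}"  # can only be logged, never NACKed
        data = b"".join(t["chunks"][i] for i in range(t["total"]))
        if hashlib.sha256(data).hexdigest() != t["digest"]:
            return None, "digest mismatch"
        return data, "ok"


def transfer(data: bytes, repeat: int = 2, drop=None):
    """Push `data` across the simulated diode and report what the high side recovered."""
    link = OneWayLink(drop)
    for frame in make_frames("t1", data, repeat):
        link.send(frame)
    rx = Receiver()
    rx.accept(link.drain())
    return rx.reassemble("t1")


if __name__ == "__main__":
    # Constructed sample payload (54 bytes, so four 16-byte chunks); not data from the page.
    MESSAGE = b"constructed sample report: 4 frames of 16 bytes each!!"
    print(transfer(MESSAGE))                       # (MESSAGE, 'ok')
    print(transfer(MESSAGE, repeat=1, drop={2}))   # (None, 'missing frames [2]')
    print(transfer(MESSAGE, repeat=2, drop={2}))   # second copy of chunk 2 arrives -> 'ok'
```

The point of the simulation is the asymmetry: `OneWayLink` exposes nothing the receiver could call to influence the sender, so a lost frame is detected from the sequence numbers and reported on the high side, and only redundancy (`repeat`) or a fresh transfer from the low side can repair it. The digest also gives the high side a place to hook the content checks the page mentions before anything reassembled is handed on.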
One-way traffic technology
After much consideration and with the help of distributor Programmatic, the Ministry of Defense selected the Fox DataDiode, a solution developed by Dutch security company Fox-IT. One of the main reasons was the CC EAL7+ certificate that the company was awarded. In addition, Fox-IT is the market leader in ‘one-way traffic technology’. The Ministry of Defense was especially pleased with the ease with which the DataDiode integrated into its network, and the Fox-IT experts proved themselves to be professional, open-minded, flexible and helpful.