The role of the proxy server in a data diode set-up
Whether you want to protect secrets, crucial operational (ICS) data or intellectual property, the most reliable way to do so is to enforce a unidirectional flow of network traffic. A unidirectional network connection is a link between two networks with the guarantee that information flows only from the one network to the other, and that it is physically impossible for data to travel in the opposite direction. This keeps secrets inside a classified network, or keeps attackers away from critical industrial equipment.
The way to do this is to deploy a data diode. A data diode is placed between the source network (typically referred to as ‘upstream’) and the destination network (‘downstream’). For maximum security, the Fox DataDiode enforces a strict ‘bit-in, bit-out’ regime in hardwired electronics. It has no IP address, no MAC address and no programmable circuits, and it does not need them. All complex logic required for functional operation is handled by the proxy servers. Separating the responsibilities of the system in this manner keeps the evaluated hardware simple enough to hold the highest possible Common Criteria accreditation, EAL7+.
The image above schematically shows the typical hardware setup of a Fox DataDiode system. In the centre, the Fox DataDiode optical diode hardware connects the upstream (sending) network to the downstream (receiving) network while keeping the two isolated. On the left, the upstream proxy server sends data from the upstream network through the optical diode to the downstream proxy server. On the right, the downstream proxy server receives data from the optical diode and hands it on for further handling in the downstream network.
Data diode proxy server: the primary point of contact
In this setup, the proxy servers are the primary point of contact for the networks on either end of the optical diode hardware. Facing outward to their respective networks, they interface with designated systems and provide whatever forwarding services have been configured. Facing inward to the optical diode, they implement the protocol break (see below) and handle the diode-internal communication.
Note that the proxy servers are the only devices connected to the optical diode box, which makes them the first devices in the upstream and downstream networks from the optical diode's point of view. The proxy servers are therefore the first point of contact with either network and provide the additional functionality and security features of a data diode setup. Proxy servers are commodity hardware; depending on the type and volume of data they process, they need more or less CPU and RAM. Because they are ordinary computers rather than certified hardware, they should be hardened and kept patched like any other host that accepts traffic from outside: the diode guarantees the direction of the flow, not the security of the proxies.
Data diode protocol break
As mentioned above, the inward-facing part of the proxies implements the protocol break, which is meant to block protocol-based attacks. It consists of two components that sit between the sender and the receiver of a message. The first is a ‘catcher’, which, while adhering to the protocol, strips all traffic control data (headers, framing, session state) from what it receives and retains only the payload. The second is a ‘thrower’, which does the opposite: it takes the bare payload and sends it to another system using some chosen protocol. To do so, the thrower performs all the work required by that protocol's specification, including generating fresh traffic control data. Because the thrower generates this control data itself, nothing carried in the control data on the sending side can reach the receiving side.
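The catcher/thrower split, as an added example in Python that is not Fox-IT's code and not the DataDiode's actual protocol: the upstream proxy's catcher parses an assumed simple line-based request format, rejects anything that violates it, and keeps only the payload; the thrower then wraps that payload in an assumed one-way frame format (sequence number, length, CRC-32) whose control data is generated entirely on the thrower's side, and a downstream-side `receive` validates that frame before handing on the payload. The request format, the frame layout, the function names and the sample message are all constructed for illustration.

```python
"""Minimal protocol break around a one-way link (illustrative, not Fox-IT code)."""
from __future__ import annotations

import struct
import zlib


class ProtocolError(ValueError):
    """Inbound traffic that does not follow the expected protocol."""


# Catcher: the upstream proxy's inward-facing component.

def catch(message: bytes, max_payload: int = 1 << 20) -> bytes:
    """Parse an assumed 'PUT <name>\\r\\nLength: <n>\\r\\n\\r\\n<payload>' request.

    Every piece of traffic control data (request line, headers, delimiters)
    is parsed and checked against the protocol rules, then discarded. Only the
    payload is returned, so nothing an attacker plants in the control data can
    travel further. A message that violates the framing is rejected, not forwarded.
    """
    head, sep, body = message.partition(b"\r\n\r\n")
    if not sep:
        raise ProtocolError("missing end of headers")
    lines = head.split(b"\r\n")
    verb, _, name = lines[0].partition(b" ")
    if verb != b"PUT" or not name or b" " in name:
        raise ProtocolError("bad request line")
    headers = {}
    for line in lines[1:]:
        key, colon, value = line.partition(b":")
        if not colon or not key.strip():
            raise ProtocolError("malformed header line")
        headers[key.strip().lower()] = value.strip()
    try:
        length = int(headers[b"length"])
    except (KeyError, ValueError):
        raise ProtocolError("missing or non-numeric Length header") from None
    if not 0 <= length <= max_payload:
        raise ProtocolError("payload length out of bounds")
    if len(body) != length:
        raise ProtocolError("payload length mismatch")
    return body


# Thrower: wraps the bare payload in a protocol the thrower controls.
# Assumed one-way wire format: sequence number, payload length, CRC-32, payload.
# There is no acknowledgement, because nothing can flow back through the diode;
# the sequence number lets the receiver detect loss instead.

FRAME_HEADER = struct.Struct("!III")


def throw(payload: bytes, seq: int) -> bytes:
    """Build a fresh one-way frame; all control data is generated here."""
    header = FRAME_HEADER.pack(seq & 0xFFFFFFFF, len(payload), zlib.crc32(payload))
    return header + payload


def receive(frame: bytes) -> tuple[int, bytes]:
    """Downstream catcher for the one-way format: validate, then keep the payload."""
    if len(frame) < FRAME_HEADER.size:
        raise ProtocolError("frame too short")
    seq, length, crc = FRAME_HEADER.unpack_from(frame)
    payload = frame[FRAME_HEADER.size:]
    if len(payload) != length:
        raise ProtocolError("frame length mismatch")
    if zlib.crc32(payload) != crc:
        raise ProtocolError("frame checksum mismatch")
    return seq, payload


def relay(message: bytes, seq: int) -> bytes:
    """Upstream proxy: catch the application protocol, throw the diode protocol."""
    return throw(catch(message), seq)


if __name__ == "__main__":
    # Constructed sample: a well-formed request carrying an injected extra header.
    sample = (b"PUT sensor.csv\r\nLength: 11\r\nX-Injected: ../../etc\r\n\r\n"
              b"hello world")
    frame = relay(sample, seq=1)
    print(receive(frame))  # the injected header never reaches this side
    for bad in (b"PUT x\r\nLength: 5\r\n\r\nhello world", b"GET x\r\n\r\n"):
        try:
            relay(bad, seq=2)
        except ProtocolError as err:
            print("rejected:", err)
```

Two properties of the one-way side are worth noting. Because no acknowledgement can ever come back, the receiver cannot ask for a retransmission; real deployments therefore commonly repeat frames or add forward error correction on top of a sequence-numbered format like the one assumed here. And the only fields that cross the link are the ones `throw` writes itself, so an attacker's control of the upstream application protocol stops at the catcher.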
Want to know more about the proxy server with the Fox DataDiode? Contact us via the form below.