Data diode vs firewall: how do they compare?
Both data diodes and firewalls can be used to secure different sections of computer networks. Usually these sections have different trust levels. For example, one section of the network is connected directly to the internet (like the DMZ), while another part runs core services, such as database servers, and hosts sensitive information.
You will want to create multiple layers of defense to make it more difficult for attackers to gain access to any part of your network, especially the more critical ones. When it comes to shielding one part of your network from another, a data diode has characteristics similar to those of a firewall. But there are a few crucial differences. Let’s compare them on three important factors:
Hardware versus software
Unlike a firewall, a data diode is a hardware product that enforces a one-way flow of data at the physical level. The diode device doesn’t contain any software, logic or field-programmable gate arrays (FPGAs); it only has a physical path along which signals can travel in one direction.
Therefore, online attacks on a data diode are physically impossible. You will, however, need software to convert bidirectional protocols into a unidirectional protocol before data can be sent over a diode. It is important to understand that this software has no impact whatsoever on the security value the diode provides, because the one-way guarantee is enforced by the hardware rather than by that software.
To be clear: a firewall is a software solution. Humans have programmed the software and therefore bugs – some of which will be security vulnerabilities – are unavoidable. There are various examples of well-known firewall solutions that have been hacked by exploiting such vulnerabilities. Moreover, a firewall can be complex to manage and configure. That leads to mistakes like the wrong ports being opened, which attackers will be able to use.
Simplicity and flexibility
The data diode is a relatively simple product to implement, configure, and maintain. This cannot be said of a firewall: it’s a complex piece of software and keeping an overview of the configuration can be challenging. The firewall is, however, a flexible solution. To allow a new piece of software or protocol to communicate over the firewall, you often only need to open a port and its accompanying parameters. In the case of a data diode, you need to have specific software in order to convert bidirectional protocols to unidirectional protocols. For example, the Fox-IT DataDiode software supports many protocols, but if you want to make sure that it supports the one you need, take a look at our Replicator datasheets or contact us using the form below.
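The two passages above describe the one thing the diode cannot do for you: a bidirectional protocol has to be turned into a unidirectional one by software on either side, and that software never gets an acknowledgement back. The following simulation is an added example written for this page; it is not Fox-IT’s Replicator software, and the frame layout (a magic value, transfer id, sequence number, frame count and CRC32) is an assumption chosen for illustration. The sender compensates for the missing return channel with redundancy (each frame is emitted more than once), the receiver discards damaged frames using the CRC and reports gaps using the sequence numbers, and the channel itself only ever carries frames forward. It also shows what happens when redundancy is too low for the loss on the link, which is the main operational failure mode of such a conversion.

```python
"""One-way (unidirectional) transfer over a simulated data diode.

Constructed illustration, not a vendor implementation: the sender can only
emit frames and never receives acknowledgements, so it compensates for loss
by sending each frame several times; the receiver detects corruption with a
CRC32 and detects gaps with sequence numbers.
"""
import struct
import zlib

MAGIC = b"DD"
CHUNK = 16  # deliberately small so a short message yields several frames
# magic(2) | transfer id (u32) | seq (u32) | total frames (u32) | crc32 (u32)
HEADER = struct.Struct("!2sIIII")


def build_frames(transfer_id, data, redundancy=2):
    """Split data into self-describing frames; repeat each one `redundancy` times."""
    chunks = [data[i:i + CHUNK] for i in range(0, len(data), CHUNK)] or [b""]
    frames = []
    for seq, chunk in enumerate(chunks):
        header = HEADER.pack(MAGIC, transfer_id, seq, len(chunks), zlib.crc32(chunk))
        frames.extend([header + chunk] * redundancy)
    return frames


def parse_frame(raw):
    """Return (transfer_id, seq, total, chunk), or None if the frame is damaged."""
    if len(raw) < HEADER.size:
        return None
    magic, transfer_id, seq, total, crc = HEADER.unpack_from(raw)
    chunk = raw[HEADER.size:]
    if magic != MAGIC or seq >= total or zlib.crc32(chunk) != crc:
        return None
    return transfer_id, seq, total, chunk


class Receiver:
    """Collects frames per transfer. There is no return channel, so the only
    possible actions are accept, discard, or report a gap."""

    def __init__(self):
        self.transfers = {}  # transfer_id -> {"total": n, "chunks": {seq: bytes}}
        self.rejected = 0    # frames dropped because the CRC or header was bad

    def accept(self, raw):
        parsed = parse_frame(raw)
        if parsed is None:
            self.rejected += 1
            return
        transfer_id, seq, total, chunk = parsed
        entry = self.transfers.setdefault(transfer_id, {"total": total, "chunks": {}})
        entry["chunks"].setdefault(seq, chunk)  # duplicate copies are harmless

    def result(self, transfer_id):
        """Return (data, missing_seqs); data is None while gaps remain."""
        entry = self.transfers.get(transfer_id)
        if entry is None:
            return None, None
        missing = sorted(set(range(entry["total"])) - set(entry["chunks"]))
        if missing:
            return None, missing
        return b"".join(entry["chunks"][i] for i in range(entry["total"])), []


def one_way_channel(frames, drop_indices=(), corrupt_indices=()):
    """Simulated diode link: frames flow forward only; some are lost or damaged."""
    out = []
    for i, f in enumerate(frames):
        if i in drop_indices:
            continue
        if i in corrupt_indices:
            f = f[:-1] + bytes([f[-1] ^ 0xFF])  # flip the last byte
        out.append(f)
    return out


def transfer(data, redundancy=2, drop_indices=(), corrupt_indices=(), transfer_id=7):
    """Run one transfer end to end; returns (data_or_None, missing_seqs, rejected)."""
    rx = Receiver()
    for f in one_way_channel(build_frames(transfer_id, data, redundancy),
                             drop_indices, corrupt_indices):
        rx.accept(f)
    got, missing = rx.result(transfer_id)
    return got, missing, rx.rejected


if __name__ == "__main__":
    sample = b"sensor reading 42; sensor reading 43; sensor reading 44"  # constructed
    print(transfer(sample))                                   # clean link
    print(transfer(sample, drop_indices={2}, corrupt_indices={5}))  # survives
    print(transfer(sample, redundancy=1, drop_indices={1}))   # reports gap [1]
```

The receiver never influences the sender, so the only ways to reduce the gap rate are to raise the redundancy (or use proper forward error correction) and to monitor the `rejected` counter and reported gaps on the receiving side, which is where a practitioner would hook alerting for a degraded link.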
Certification
Because data diodes and firewalls differ in nature, the assurance levels to which they can be certified differ as well. The Fox-IT DataDiode, for example, has been certified up to the highest Common Criteria Evaluation Assurance Level: EAL7+. The highest evaluation level a firewall can achieve is EAL4+.
Each higher EAL stands for a more rigorous evaluation, ranging from functional testing alone up to a formally verified design and testing. In other words, the certification proves that the diode does exactly, and only, what we claim it does. There should also be a detailed audit trail from production to delivery of the diodes.
Conclusion: data diode versus firewall
Both firewalls and data diodes can be used to protect parts of your network. But only a data diode guarantees that no online attack is possible, because its security is enforced at the physical layer. Nevertheless, in a properly secured sensitive network, you will probably want to use a combination of these solutions.
Need more information on the differences between data diodes and firewalls? Get in touch with us via the form below.