One-way network security: how to recognize a true data diode?
All data diodes are equal, but some are much better than others. To paraphrase George Orwell's Animal Farm: data diodes may look the same at first sight, but on closer inspection there are important differences. For practical purposes, let's leave software-based data diodes out of the equation. Their one-way enforcement lives in software that can itself be attacked, so they are very hard to protect and cannot be acknowledged as true data diodes. Let's focus on the appliance-based solutions.
First, the purpose of a data diode is to enforce a unidirectional network link over which data can travel in one direction only. Ideally, a data diode works on a 'bit in / bit out' basis and contains no logic whatsoever. This is what separates a data diode from a firewall: a firewall runs software and is addressable on the network through its MAC and IP address. A firewall is programmed to apply a rule set, and any traffic the rule set allows will pass. In practice that can include malware, as WannaCry showed in 2017: firewalls that allowed SMB traffic (TCP port 445) let the worm through, and it went on to cripple the networks of many organisations. The software inside a firewall is an attack surface in itself, and because the firewall is reachable on the network, that attack surface is exposed to tampering and exploits.
What is a true data diode?
A true data diode has no logic in it whatsoever. The required logic is provided by two proxies, one on either side of the diode, which handle the TCP/IP traffic. Because no packet can ever travel back through the diode, the receiving side cannot acknowledge data or request a retransmission; the proxies must terminate the TCP sessions and deal with loss and integrity themselves, so none of that logic needs to sit in the diode. It is important to point out that there are some data diodes out there that do have internal logic and are equipped with a chipset to handle traffic, or are configured with two chips for communication. This again makes them vulnerable to tampering. That is also the reason these diodes have only received an EAL4 certification, whereas 'bit in / bit out' appliances are certified at EAL7 or EAL7+.
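The following is an added illustration of the proxy split described above; it is example code written for this page, not Fox-IT's product code, and the frame layout, chunk size and repetition scheme are constructed for the example rather than taken from any real diode protocol. The point it makes is structural: the function standing in for the diode only ever passes data one way and contains no protocol logic at all, so every mechanism that a normal TCP path would get from the return channel (acknowledgement, retransmission, integrity) has to be rebuilt in the two proxies.

```python
import hashlib
import struct
import zlib

# Frame layout (constructed for this example, not a standard):
#   magic(3) | seq(4) | total(4) | payload_len(2) | crc32(4) | payload
_HDR = struct.Struct("!3sIIHI")
_MAGIC = b"DD1"
CHUNK = 1024


def _frame(seq: int, total: int, payload: bytes) -> bytes:
    """Build one self-describing datagram with a per-frame CRC."""
    return _HDR.pack(_MAGIC, seq, total, len(payload), zlib.crc32(payload)) + payload


def sender_proxy(data: bytes, chunk: int = CHUNK, redundancy: int = 2) -> list[bytes]:
    """Sending-side proxy: the TCP session from the source ends here.
    Since nothing can come back over the diode there are no ACKs, so the
    whole sequence is emitted `redundancy` times (a burst of loss then hits
    at most one copy of each frame) and a trailer frame carries a SHA-256
    of the complete transfer for end-to-end verification."""
    chunks = [data[i:i + chunk] for i in range(0, len(data), chunk)] or [b""]
    total = len(chunks) + 1  # +1 for the trailer frame
    frames = [_frame(seq, total, payload) for seq, payload in enumerate(chunks)]
    frames.append(_frame(total - 1, total, hashlib.sha256(data).digest()))
    return frames * redundancy


def one_way_link(frames: list[bytes], drop=lambda i: False) -> list[bytes]:
    """Stand-in for the diode itself: bit in, bit out, no logic.
    It returns data in one direction only; `drop` simulates frames lost
    or destroyed on the link (the receiver can never ask for them again)."""
    return [f for i, f in enumerate(frames) if not drop(i)]


def receiver_proxy(frames: list[bytes]) -> tuple[bytes, list[int], bool]:
    """Receiving-side proxy: validate and reassemble what arrived, then
    re-originate a TCP session towards the destination.
    Returns (data, missing_sequence_numbers, digest_ok)."""
    got: dict[int, bytes] = {}
    total = None
    for raw in frames:
        if len(raw) < _HDR.size:
            continue
        magic, seq, tot, plen, crc = _HDR.unpack_from(raw)
        payload = raw[_HDR.size:_HDR.size + plen]
        if magic != _MAGIC or len(payload) != plen or zlib.crc32(payload) != crc:
            continue  # corrupted frame: discard it, there is no way to NACK
        total = tot
        got.setdefault(seq, payload)  # duplicates from redundancy are harmless
    if total is None:
        return b"", [], False
    missing = [s for s in range(total - 1) if s not in got]
    data = b"".join(got[s] for s in range(total - 1) if s in got)
    trailer = got.get(total - 1)
    digest_ok = (not missing and trailer is not None
                 and hashlib.sha256(data).digest() == trailer)
    return data, missing, digest_ok


if __name__ == "__main__":
    sample = bytes(range(256)) * 20  # constructed 5 KiB payload
    received = receiver_proxy(one_way_link(sender_proxy(sample), drop=lambda i: i == 2))
    print("intact:", received[0] == sample, "missing:", received[1], "digest ok:", received[2])
```

Plain repetition is the simplest possible loss strategy and is used here only to keep the example short; real diode proxies generally use forward error correction and a transfer protocol of their own, and the receiving proxy rejects anything whose integrity check fails because, as the example shows, it has no channel on which to ask for a resend.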
The Fox DataDiode has been awarded such an EAL7+ certification. Discover more about our product and how it is used in our download section.