When considering a data diode, the first question to address is where to locate the appliance, physically and logically, in the network architecture. Organizations often initially prefer a central approach for budgetary reasons, with one data diode for all locations, but in practice this will not provide the desired security level. A general rule is to physically locate the data diode in the DMZ at the site where the protection of a uni-directional network is needed. In practice, this will mean a factory, a plant or, for instance, an oil or gas platform. This will ensure the highest safety and security level of the protected installation assets.
Data diode protocols
Next, it is time to look at the supported protocols. For example, the Fox-IT DataDiode supports several protocols. Whenever an organization uses different (unsupported) protocols, there are two ways to solve this: either determine whether it is possible to convert the protocol to a supported one, or decide to phase out the protocol and use a modern one. The latter can be combined with setting up a historian, which collects data continuously and ensures that data is not lost in case of downtime.
Physically setting up the data diode itself takes no more than attaching two network cables and the power cable. Next, it is time to set up the proxy servers. This process is described in our blog "The role of the proxy server in a data diode set-up".
After setting up the proxies, everything is good to go. You have created a uni-directional network that ensures safe and secure transfer of data from one location to another without the risk of compromising key systems.
Naturally, if you do need help with the implementation of a data diode, the Fox-IT DataDiode team and its reseller and technology partners are ready to support you in every phase. Other questions? Ask us via the form below.