A Data Diode, a hardware device that only lets data leave a protected perimeter while blocking everything that tries to come in, is by no means a new concept. Recently, however, it has found a place in critical infrastructure for OT network security, where it allows data to flow from OT to IT.
In normal operation, internet-connected devices can both receive and send data. When the connection passes through an unreliable network, a Data Diode removes that return channel and enforces a one-way flow at the hardware level.
After years of development, there are currently two ways of deploying a Data Diode:
- Pure Data Diode: the device or network appliance passes only raw, unidirectional data, which secures the network and protects important digital systems from potential network attacks.
- Unidirectional Gateway: a combination of hardware and software, with proxy servers in both the source and destination networks. The hardware, a Data Diode, enforces the physical one-way property, while the software replicates the database and emulates the protocol servers so that bidirectional processing can take place. A distinctive trait of this arrangement is that data is delivered only to predetermined destinations, with the transfer itself carried one way across the Data Diode.
In theory, these traits make a Data Diode seem as secure as it gets, yet problems remain, even in areas that should be solvable. So the question is, why?
A Data Diode rules out every application that relies on the Transmission Control Protocol (TCP), since TCP is a bidirectional exchange. As a result, a Data Diode supports only the User Datagram Protocol (UDP), and is thus limited to datagrams of 1,500 bytes.
In systems that produce large volumes of log data at high frequency and with large record structures, the Data Diode becomes a bottleneck at the receiving end. Syslog works smoothly over a Data Diode because it uses UDP by default. But other protocols rely on TCP, such as Windows DCOM/WMI, CheckPoint OPSEC/LEA, JDBC, FTP, SCP and SDEE… Trouble also arises in SCADA systems built on Windows, since events from a Windows server can exceed 2,000 bytes, beyond the limit of a UDP datagram.
Consequently, the most important use of a Data Diode is simply one-way information transfer, not the prevention of malicious software. A Data Diode offers no protection against malware in a business's inbound or outbound data.
The traditional use of a Data Diode isolates the network that needs protection, which also prevents data exchange, the very core of businesses' and organisations' operations and procedures. In some cases the Data Diode also acts as a blocking mechanism, which is a handicap in today's information society.
To tackle this problem, new Data Diode solutions have emerged, including ones that accept TCP connections (such as FTP and SMTP) at a dedicated, protected intermediate server, where the data is packed into UDP datagrams and sent through the Data Diode to a second intermediate server on the destination side, which processes the received datagrams and opens new connections to the final destination.
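The relay scheme just described, as an added example that is not any vendor's code: a sender-side relay cuts a TCP-delivered record into datagrams that fit the 1,500-byte limit, a simulated diode forwards them one way only, and a receiver-side relay reassembles them. The header layout (stream id, sequence number, fragment count, CRC32), the `fragment`/`diode`/`reassemble` names and the sample event are assumptions made for illustration. The point worth seeing in code is the one the text makes: with no return path, a lost datagram can only be detected, never re-requested.

```python
"""Simplified model of a TCP-to-UDP relay across a Data Diode (added example,
not any vendor's code). Assumed design: each record is split into datagrams
carrying a small header (stream id, sequence number, fragment count, CRC32
of the whole record). The diode forwards in one direction only, so the
receiver can detect loss or corruption but cannot ask for a resend."""
import struct
import zlib

MAX_DATAGRAM = 1500                 # UDP limit stated in the text
HEADER = struct.Struct("!IHHI")     # stream id, seq, total fragments, CRC32
CHUNK = MAX_DATAGRAM - HEADER.size  # payload bytes per datagram


def fragment(stream_id, record):
    """Sender-side relay: split one TCP-delivered record into datagrams."""
    crc = zlib.crc32(record)
    pieces = [record[i:i + CHUNK] for i in range(0, len(record), CHUNK)] or [b""]
    return [HEADER.pack(stream_id, seq, len(pieces), crc) + piece
            for seq, piece in enumerate(pieces)]


def diode(datagrams, drop=()):
    """One-way link: passes datagrams in order, silently dropping the listed
    sequence numbers. There is no return path, so the sender never learns."""
    return [d for d in datagrams if HEADER.unpack_from(d)[1] not in drop]


def reassemble(datagrams):
    """Receiver-side relay: rebuild each stream, report gaps and corruption."""
    streams = {}
    for d in datagrams:
        sid, seq, total, crc = HEADER.unpack_from(d)
        s = streams.setdefault(sid, {"total": total, "crc": crc, "parts": {}})
        s["parts"][seq] = d[HEADER.size:]
    result = {}
    for sid, s in streams.items():
        missing = sorted(set(range(s["total"])) - set(s["parts"]))
        if missing:
            # Only option without a back-channel: record the loss and move on.
            result[sid] = {"ok": False, "missing": missing, "data": None}
            continue
        data = b"".join(s["parts"][i] for i in range(s["total"]))
        ok = zlib.crc32(data) == s["crc"]
        result[sid] = {"ok": ok, "missing": [], "data": data if ok else None}
    return result


# Constructed sample: a Windows-style event padded past the datagram limit,
# the case the text says a plain UDP diode cannot carry in one datagram.
SAMPLE_EVENT = (b"<13>Jan 01 00:00:00 dcs-hmi01 MSWinEventLog 1 Security 4624 "
                b"An account was successfully logged on. " + b"X" * 2000)


if __name__ == "__main__":
    frags = fragment(7, SAMPLE_EVENT)
    print(len(frags), "datagrams, largest", max(map(len, frags)), "bytes")
    print("intact:", reassemble(diode(frags))[7]["ok"])
    print("with loss:", reassemble(diode(frags, drop={1}))[7])
```

Running the block shows the 2,099-byte event split into two datagrams of at most 1,500 bytes, reassembled intact when nothing is dropped, and flagged with `missing == [1]` when the second datagram is lost. A production relay would add forward error correction or send each datagram several times, since retransmission on request is exactly what the diode forbids.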
Clearly, to preserve the physical one-way property of the transfer, a Data Diode complicates the architecture and adds steps to the procedure. That brings another problem: the more steps involved, the less secure the system.
In summary, a Data Diode's most outstanding benefit lies in reducing human error (by users and by the developers of the underlying platform). With physical one-way transmission, users cannot make mistakes in configuration or in basic operation. A Data Diode also rules out underlying design flaws that could open a leak through which disallowed data reaches the protected network.
Secure Xchange Solution – The data exchange security solution
This is a solution developed by Seclab (originally the R&D department of a French electronics company), which extends the functions of Data Diode products in SXN (Secure Xchange Network) and in USB gateways (SXU, Secure Xchange USB) between physically separated sending and receiving networks.
Let’s examine this Secure Xchange Solution (SXN).
The solution uses a 1U rackmount chassis containing 3 FPGA boards (Field Programmable Gate Array: a programmable ASIC product line that behaves like a programmable computer), forming Gate A and Gate B, one for each of the 2 separated networks.
Gate A and Gate B are configured independently and assigned to 2 different, independent administrators, each of whom understands the structure of their own network; they cooperate when configuring the transfer channels.
Via the motherboard, data is transmitted between Gate A and Gate B in the following procedure:
- Isolation from Gate A.
- Data filtering: identification of data (application datagrams or files) that is safe and suitable for conversion.
- Conversion of the data to meet the hardware and protocol requirements of the Data Diode before transmission.
- Transmission to Gate B: information in layers 1-4 of the OSI model is recreated, independent of the input data from Gate A. Only secure data that passes verification leaves Gate B.
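The filter-and-recreate steps above, as an added toy model that is not Seclab's code: the filter passes only well-formed syslog lines whose facility is on an allowlist, and the frame handed to Gate B is built entirely from Gate B's own egress configuration, so no layer 1-4 field that arrived from Gate A ever reaches the receiving network. The gate names, the syslog allowlist, the dictionary field layout and all addresses are assumptions constructed for illustration.

```python
"""Toy model of the filter / convert / recreate steps (added example, not
Seclab's code). Frames are plain dicts; the point is that the outbound frame
is constructed from Gate B's configuration and the filtered payload only."""
import re

# Allowlist: "<PRI>" followed by printable ASCII only, bounded in length.
SYSLOG_RE = re.compile(rb"^<(\d{1,3})>[\x20-\x7e]{1,1000}$")
ALLOWED_FACILITIES = {0, 1, 4, 10, 16}  # kern, user, auth, authpriv, local0 (assumed policy)

# Egress addressing configured by Gate B's administrator (constructed values).
GATE_B_EGRESS = {
    "src_mac": "02:00:00:00:0b:01", "dst_mac": "02:00:00:00:0b:ff",
    "src_ip": "10.20.0.2", "dst_ip": "10.20.0.50",
    "src_port": 40514, "dst_port": 514, "proto": "udp",
}


def filter_payload(payload):
    """Filtering step: return (payload, 'ok') or (None, reason) when rejected."""
    m = SYSLOG_RE.match(payload)
    if not m:
        return None, "malformed or non-printable"
    pri = int(m.group(1))
    if pri > 191:
        return None, "PRI out of range"
    if pri >> 3 not in ALLOWED_FACILITIES:
        return None, "facility not allowed"
    return payload, "ok"


def protocol_break(inbound_frame, egress=GATE_B_EGRESS):
    """Conversion and transmission steps: build the outbound frame from
    scratch. Every layer 1-4 field comes from the egress config; nothing from
    the inbound headers is copied, so spoofed MAC/IP/VLAN values cannot pass."""
    payload, reason = filter_payload(inbound_frame.get("payload", b""))
    if payload is None:
        return None, reason
    outbound = dict(egress)
    outbound["payload"] = payload
    return outbound, "ok"


# Constructed inbound frame from Gate A carrying suspicious-looking headers.
INBOUND = {
    "src_mac": "de:ad:be:ef:00:01", "dst_mac": "ff:ff:ff:ff:ff:ff",
    "src_ip": "10.20.0.50", "dst_ip": "10.20.0.2", "vlan": 99,
    "src_port": 67, "dst_port": 68, "proto": "udp",
    "payload": b"<13>Jan 01 00:00:00 plc-01 valve: position 42",
}

if __name__ == "__main__":
    print(protocol_break(INBOUND))
    print(protocol_break({"payload": b"<30>daemon message"}))
    print(protocol_break({"payload": b"\x00\x01binary"}))
```

The accepted frame carries Gate B's addresses and no `vlan` key at all, while the daemon-facility line, the binary blob and an out-of-range PRI are rejected with a reason that a defender can log on the Gate A side.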
The SXN solution is also available as a slot-based device, where each slot is configured separately for a different service or device, unidirectional or bidirectional, logically independent despite sharing the same chassis.
Valid datagrams transmitted between Gate A and Gate B are processed by the motherboard, which uses an FPGA for all chip-level tasks. During this process, the datagram's layers 1-4 of the 7-layer OSI model are recreated, which eliminates attacks that alter MAC, DHCP or IP information…
The advantage of the solution is that it builds a comprehensive system from algorithms and integrated hardware devices for safe data transfer, access control, separation of networks that require protection or isolation, and support for data control and filtering.
Hai Dong