Today’s business environment is increasingly digital, and more vulnerable than ever to cyber attack. Because of this, various network security technologies have been developed to protect organizational data and infrastructures. One of the most effective of these modern technologies is the data diode.
Although data diodes were developed decades ago and are used today by thousands of organizations around the world, many people—even cybersecurity professionals—have never heard of them, or have heard only inaccurate descriptions of them. Below, you’ll find a description of what data diode technology is, how it works, and the role it plays in securing critical networks, systems, and data.
What is a data diode?
A data diode is a unidirectional network communication device that enables the safe, one-way transfer of data between segmented networks. Its design keeps the source and destination networks physically and electrically separate, establishing a non-routable, completely closed one-way transfer path between them. Because the receiving end has no physical means of sending, a data diode removes every network entry point into the sending system along that path: an intruder or malware on the destination network has nothing to connect back to. Routing all of a network's outbound data flows through data diodes means an insecure or hostile network on the far side cannot pass malware back, reach into your system, or make harmful changes, whether deliberately or by accident.
Data diodes allow companies to send process data in real time to information management systems for use in financial, customer service, and management decisions — without compromising the security of their networks. This protects valuable information and network infrastructure from theft, destruction, tampering, and human error, mitigating potential loss of thousands of dollars and countless hours of work.
How does data diode technology work?
A diode is an electronic component that allows current to flow in one direction only. Similarly, data diode technology lets information flow in only one direction, here from secure areas to less secure systems, without permitting reverse access. Owl data diodes consist of two communication cards that work as a pair. The first card is the "send" card and carries only the electronic components needed to transmit; it has no receiver. The second card, the "receive" card, carries only the components needed to receive. Data can therefore flow in one direction only and physically cannot travel the other way.
Because the hardware can only move data one way, a data diode behaves, for inbound traffic, like an air gap between the two points: no packet can enter the sending network through the diode's path, so the sending network is fully protected from external threats arriving over that path. Note what this does and does not cover. In the OT-to-IT orientation described here, the diode protects the integrity and availability of the source network; it does not by itself decide what is allowed to leave. Deployed in the opposite orientation, from a low-security to a high-security network, the same device protects the high side against data leakage instead. The other consequence of a one-way path is that any two-way protocol is "broken" between the sending and receiving domains: it must be terminated on one side and re-originated on the other, because no acknowledgement or reply can ever cross the link.
What is a protocol break?
A protocol break terminates the data transfer protocol on the sending side, carries the data payload across the one-way link using a different, one-way protocol, and re-establishes the original protocol on the receiving side before the data travels on to its destination. All Owl data diodes incorporate a protocol break, which conceals source network information such as IP or MAC addresses: only the application payload crosses the link, so a threat actor on the destination side cannot ping, fingerprint, or otherwise obtain any information about the source network. Because the original packet headers are never forwarded, a protocol break also prevents the transmission of malicious data concealed within them. The payload itself does cross, so deciding and checking what is sent remains the responsibility of the sending side.
Proxies on each side of the data diode's network interface allow two-way communication to continue seamlessly on each side, with the one-way link in between. This lets organizations create one-way data flows using protocols that are inherently two-way, such as TCP: the sending-side proxy acknowledges the source locally, and the receiving-side proxy opens a fresh connection to the destination, since neither acknowledgements nor retransmission requests can cross the link.
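The protocol break and proxy arrangement described above, as an added example written for this article (it is not Owl's code, and the frame layout, the `OWL1` tag and the turbine records are all constructed for illustration). The one-way link is modelled as a queue that exposes no path back; the sending proxy accepts a "connection" carrying a source IP and MAC but puts only the channel name and payload on the wire; the receiving proxy re-originates each payload and, because it can neither ACK nor ask for a retransmit, detects loss as a gap in sequence numbers and discards frames whose integrity check fails.

```python
"""Protocol break over a simulated one-way link (added example, not Owl's code or wire format)."""
import hashlib
import struct
from collections import deque

MAGIC = b"OWL1"                    # hypothetical frame tag chosen for this example
HDR = struct.Struct(">4sII32s")    # magic, sequence number, payload length, SHA-256 of payload


class OneWayLink:
    """Models the send-card / receive-card pair: frames are written at one end and read at
    the other. There is deliberately no method the receiver can call to send anything back."""

    def __init__(self, drop=()):
        self._q = deque()
        self._drop = set(drop)   # sequence numbers the simulated link loses in transit
        self.wire = []           # every frame as it appeared on the link, for inspection

    def transmit(self, frame):
        self.wire.append(frame)
        if HDR.unpack_from(frame)[1] not in self._drop:
            self._q.append(frame)

    def receive(self):
        return self._q.popleft() if self._q else None


def encode_frame(seq, payload):
    return HDR.pack(MAGIC, seq, len(payload), hashlib.sha256(payload).digest()) + payload


def decode_frame(frame):
    """Return (seq, payload), or None if the frame is malformed or fails its integrity check."""
    if len(frame) < HDR.size:
        return None
    magic, seq, length, digest = HDR.unpack_from(frame)
    payload = frame[HDR.size:HDR.size + length]
    if magic != MAGIC or len(payload) != length or hashlib.sha256(payload).digest() != digest:
        return None
    return seq, payload


class SendProxy:
    """Sending-side proxy: terminates the two-way protocol with the source and forwards only
    the application payload plus a logical channel name across the link."""

    def __init__(self, link):
        self.link, self.seq = link, 0

    def handle_connection(self, src_ip, src_mac, channel, payload):
        # src_ip and src_mac are known here (the proxy talks TCP to the source) but are never
        # placed in the frame: this is the information the protocol break hides from the far side.
        self.seq += 1
        self.link.transmit(encode_frame(self.seq, channel.encode() + b"\0" + payload))
        return self.seq   # the source gets a local ACK; far-side delivery cannot be known here


class ReceiveProxy:
    """Receiving-side proxy: re-originates each payload toward its destination as a new
    connection. No ACK or retransmit request can cross the link, so loss shows up only as a
    gap in sequence numbers, and corrupt frames are discarded rather than re-requested."""

    def __init__(self, link):
        self.link, self.expected = link, 1
        self.delivered, self.gaps, self.rejected = [], [], 0

    def pump(self):
        while (frame := self.link.receive()) is not None:
            decoded = decode_frame(frame)
            if decoded is None:
                self.rejected += 1
                continue
            seq, body = decoded
            self.gaps.extend(range(self.expected, seq))   # anything skipped is lost for good
            self.expected = seq + 1
            channel, _, payload = body.partition(b"\0")
            self.delivered.append((channel.decode(), payload))
        return self.delivered


def demo():
    """Constructed scenario: four turbine status records, one lost in transit, plus one corrupt frame."""
    link = OneWayLink(drop={3})
    tx, rx = SendProxy(link), ReceiveProxy(link)
    for i in range(1, 5):
        tx.handle_connection("10.1.0.7", "00:11:22:33:44:55", "historian",
                             f"turbine=T1 rpm=3{i}00".encode())
    corrupt = bytearray(encode_frame(9, b"status=ok"))
    corrupt[-1] ^= 0xFF                       # flip a payload byte so the digest no longer matches
    link.transmit(bytes(corrupt))
    rx.pump()
    return rx, link


if __name__ == "__main__":
    rx, link = demo()
    print("delivered:", [p for _, p in rx.delivered])
    print("lost seq:", rx.gaps, "rejected frames:", rx.rejected)
    print("source address on the wire:", any(b"10.1.0.7" in f for f in link.wire))
```

The point to take from the receiving proxy is that a one-way link changes the reliability model: the sender cannot learn whether anything arrived, so sequence numbers, integrity checks and, in real deployments, redundant transmission or forward error correction take the place of TCP's acknowledgements and retransmissions.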
How is a data diode different from a firewall?
Data diodes perform some of the same security duties as firewalls, but the two technologies are inherently different. A firewall, whether delivered as software or as an appliance, is a configurable policy enforced by software running on a general-purpose operating system and network stack; it needs ongoing patching and rule maintenance, and it is reachable from, and therefore attackable by, the very traffic it filters. A data diode is a hardware solution that enforces one-way data flow through a deterministic physical mechanism which cannot be reconfigured from the network, bypassed by a rule mistake, or forced to operate in an unintended way.
In some use cases, data diodes replace software-based firewalls on a given boundary with a stronger, more reliable control. In others, data diodes work alongside existing firewalls as part of a "defense-in-depth" strategy, with layers of security tools working together for additional security. If an organization determines that its firewalls are no longer needed or no longer add security, they can be removed; since a data diode covers only the one-way flows routed through it, that determination should include confirming that no remaining two-way path across the same boundary still depends on the firewall.
How is a data diode different from a “unidirectional gateway”?
The term "unidirectional gateway" is not standardized. Owl uses it for network security products that are marketed as one-way but whose one-way enforcement has not been evaluated and certified to the Evaluation Assurance Levels that true data diodes meet. Products sold as unidirectional gateways can be any combination of hardware and/or software, with varying levels of sophistication, so the certification and the physical enforcement mechanism, not the label, are what a buyer should verify.
Moreover, a single data diode can handle data transfers from multiple servers or devices simultaneously, without bottlenecking, and can be used in high-availability architectures, whereas unidirectional gateways, in Owl's assessment, can only handle a single protocol or data type per connection. This is because unidirectional gateways are based on technology that was initially designed for simultaneous two-way communication, so one-way operation is a restriction layered on top of it. Data diodes, on the other hand, are built on hardware that is one-way by construction, and that enforcement cannot be altered by software.
Who uses data diodes?
Critical infrastructure operators, industrial companies, military commands, intelligence organizations, and commercial companies such as financial institutions use data diodes to provide reliable, hardware-enforced security for their systems and networks.
For example, data diodes are commonly used in power generation facilities to protect turbines and other critical equipment. Status and performance data travels from the device, through a data diode, and then out of the facility to the corporate IT network or a cloud service. The diode lets that data flow out with minimal added latency while eliminating any connection into the facility over that path from outside.
Can data diodes be used for two-way data flows?
Yes. Data diodes can be deployed in a specialized configuration to support two-way data transfers while still providing hardware-enforced network segmentation. Owl's ReCon is a proven hardware-based cybersecurity solution that places two independent one-way paths in a single unit, each protected by its own data diode: one carries traffic from the "high" security side to the "low" side, and the other carries traffic back. A transfer can only be initiated from the "high" side of the connection; the low side can answer a request but cannot open one. This approach enables network segmentation, remote command and control, remote monitoring, and SCADA data replication with significantly less risk than a standard software firewall. Because the return path is, by construction, a path into the high side, what it admits should be limited to replies to requests the high side itself opened.
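The two-path arrangement above, as an added example written for this article rather than Owl's ReCon code. Each path is a queue whose inlet and outlet are handed out separately, so the low side holds no handle that could open a transaction; the high side is the only party that can send a request, and the rule that it accepts from the return path only replies matching an outstanding request id is this example's own assumption about how "initiated only from the high side" would be enforced at the proxy. The `read_status` and `read_log` operations, the turbine `T1` and the rogue `open_valve` message are all constructed.

```python
"""Request/response across two independent one-way paths (added example, not Owl's ReCon code)."""
from collections import deque


class OneWayPath:
    """One diode-protected path. The inlet and outlet are handed out separately, so a side
    that holds only the outlet has no way to write to the path."""

    def __init__(self):
        self._q = deque()

    def inlet(self):
        return self._q.append

    def outlet(self):
        return lambda: self._q.popleft() if self._q else None


class HighSide:
    """Protected (high-security) network. It is the only side that can open a transaction,
    and it accepts from the inbound path only replies to requests it has outstanding
    (an assumption of this example, not a documented ReCon rule)."""

    def __init__(self, send_down, recv_up):
        self._send_down, self._recv_up = send_down, recv_up
        self._next_id, self.pending, self.results, self.discarded = 0, {}, {}, []

    def request(self, op, target):
        self._next_id += 1
        rid = self._next_id
        self.pending[rid] = (op, target)
        self._send_down({"id": rid, "op": op, "target": target})
        return rid

    def collect(self):
        while (msg := self._recv_up()) is not None:
            rid = msg.get("id")
            if rid not in self.pending:           # unsolicited traffic on the inbound path
                self.discarded.append(msg)
                continue
            self.results[rid] = msg.get("result")
            del self.pending[rid]
        return self.results


class LowSide:
    """Less-trusted network. It can only read requests from the downward path and write
    replies to the upward path; it holds no handle that lets it start a transaction."""

    HANDLERS = {                                   # constructed allow-list of operations
        "read_status": lambda target: {"target": target, "rpm": 3000, "state": "running"},
        "read_log":    lambda target: {"target": target, "lines": ["boot ok", "sync ok"]},
    }

    def __init__(self, recv_down, send_up):
        self._recv_down, self._send_up = recv_down, send_up

    def serve(self):
        handled = 0
        while (req := self._recv_down()) is not None:
            handler = self.HANDLERS.get(req.get("op"))
            result = handler(req.get("target")) if handler else {"error": "unsupported op"}
            self._send_up({"id": req.get("id"), "result": result})
            handled += 1
        return handled


def demo():
    """Constructed scenario: two legitimate high-side requests, one unsupported operation, and
    an attempt by a rogue low-side host to push an unsolicited message up the return path."""
    down, up = OneWayPath(), OneWayPath()            # down: high -> low, up: low -> high
    high = HighSide(down.inlet(), up.outlet())
    low = LowSide(down.outlet(), up.inlet())
    high.request("read_status", "T1")
    high.request("read_log", "T1")
    high.request("reboot", "T1")                     # not in the low side's allow-list
    low.serve()
    up.inlet()({"id": 99, "result": {"cmd": "open_valve"}})   # rogue host on the low side
    high.collect()
    return high


if __name__ == "__main__":
    high = demo()
    print("results:", high.results)
    print("discarded unsolicited messages:", high.discarded)
```

The structural point is that the low side is constructed with `down.outlet()` and `up.inlet()` only: there is no object through which it could write to the downward path or read its own replies, which is the software mirror of the two physically one-way paths, and the high side's id check is what turns "only the high side initiates" into something the proxy actually enforces.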
How much does a data diode cost?
Data diodes are cost-effective. The Owl DiOTa, for example, costs less than $7,500 and allows data to flow from an industrial device to a network without providing a path back into the device. Owl's other data diode products, such as the OPDS-1000, are positioned to deliver more value and a lower total cost of ownership than firewalls, "unidirectional gateways," or other competing technologies securing the same one-way boundary.