
How We Test Unidirectional Gateways


Testing a Unidirectional Gateway/Data Diode

Product testing is important because it is the only way to ensure that a product meets the standards set by the industry and by the company.

The most important thing in testing a unidirectional gateway is to ensure that there is no data loss and that the data being transferred is exactly the same before the transfer and after. The same principle applies to data diode testing.

Testing a unidirectional gateway/data diode presents several challenges to which we had to find a solution:

1. The product works with two different networks with no possible connection between them.

2. Protocols like TCP, UDP, OPC UA and Modbus are difficult to test manually.

3. File transfer protocols such as FTP and CIFS can be tested manually, but manual testing alone cannot verify that every bit of the transferred file is identical to the original.

4. With automated testing, you must find a way to keep the test scripts of the trusted domain and the untrusted domain synchronized, since the two domains cannot communicate.

5. The unidirectional gateway/data diode must be stress-tested, which requires transferring a large amount of data.

OPSWAT's unidirectional gateway solution is NetWall USG, and here we describe how we test it, providing solutions to the above problems.

What is NetWall USG?

NetWall is a product that transfers data from a trusted domain (Blue) to an untrusted domain (Red). NetWall consists of two physical computers interconnected with a high-speed data link. There is no network connection between the two physical computers. Data transfer across NetWall uses a proprietary internal non-routable protocol.

NetWall offers a solution to the most serious firewall security issue: a firewall can be compromised. NetWall also overcomes the inherent issue with data diodes: their failure to guarantee data delivery.


Why NetWall is Better Than a Firewall

If a bad actor gains access to a firewall, that person can configure the firewall to suit their needs and gain full access to the trusted domain. NetWall, however, provides a full protocol and network break between the trusted domain (Blue) and the untrusted domain (Red). If a bad actor gains control of the untrusted domain (Red) side of NetWall, they cannot gain access to the trusted domain because no network connection exists between the trusted domain (Blue) and the untrusted domain (Red) NetWall computers.

Why NetWall is Better Than a Data Diode

A data diode is like NetWall in that it transfers data from a trusted domain (Blue) to an untrusted domain (Red). Unlike a data diode, which does not guarantee data delivery, NetWall does guarantee delivery. A data diode cannot report the untrusted domain (Red) server connection status; NetWall Red provides its server connection status to NetWall Blue.

NetWall Use Cases

NetWall is used in any environment where data must be transmitted from a trusted domain to an untrusted domain and the security of the trusted domain must be protected.

For example, a company may have one or more water plants in a trusted domain with no internet access. The company needs to know the status of the water plants at any moment, or how much water has been produced. The way to get that information without compromising the trusted domain is to use NetWall.

How to Test NetWall

The testing includes stressing NetWall: taking the product to its limits for a period of time and verifying that it behaves as expected.

The product is capable of moving files from the trusted side to the untrusted side using FTP or CIFS. It can also carry TCP, UDP, Modbus, OPC UA and SMTP traffic. The tests exercise all of these protocols concurrently.


The test scripts generate data that NetWall moves from the trusted domain to the untrusted domain.

The tests record the data that NetWall sends from the trusted domain. The tests also record the data that is received by NetWall in the untrusted domain.

At the end of the tests the recorded results are compared. Any loss of data is noted in the test results.

FTP, CIFS Testing

Both protocols are used for moving files.

NetWall moves files that are in an FTP or CIFS folder in the trusted domain to an FTP or CIFS folder in the untrusted domain.

The tests simulate users who put files in the FTP and CIFS folders in the trusted domain. They reproduce real-life conditions by creating many users writing small files, some writing medium-size files, and a few users writing large files.

The testing scripts on the trusted domain record the following information for each file that is transferred:

  • The name of the file
  • The time of day when the file was fetched by NetWall from the trusted domain
  • The hash code for the file

The testing scripts on the untrusted domain record the following information for each file they receive from NetWall Blue:

  • The name of the file
  • The hash code for the file
  • The time of day when the file is received

At the end of the test, the records from the trusted domain are compared with the records from the untrusted domain. The hash code generated on Blue and the hash code generated on Red are compared to verify the integrity of the file received on NetWall Red. The comparison will generate an Excel file similar to the following:

[Image: sample FTP, CIFS Testing results spreadsheet]
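The record-and-compare approach described above, as an added example that is not OPSWAT's test code: each side keeps its own log (name, SHA-256, timestamp) with no cross-domain communication, and the two logs are reconciled offline. The file names, timestamps and the choice of SHA-256 as the "hash code" are assumptions for illustration.

```python
# Added example: independent Blue/Red per-file logs, reconciled after the run.
import csv
import hashlib
import io
from datetime import datetime, timedelta

def file_record(name: str, data: bytes, when: datetime) -> dict:
    """One log row: file name, content hash (SHA-256 assumed), time of day."""
    return {"name": name, "sha256": hashlib.sha256(data).hexdigest(),
            "time": when.isoformat()}

def to_csv(rows: list) -> str:
    """Serialize a side's records so they can be collected after the test."""
    buf = io.StringIO()
    w = csv.DictWriter(buf, fieldnames=["name", "sha256", "time"])
    w.writeheader()
    w.writerows(rows)
    return buf.getvalue()

def reconcile(blue_csv: str, red_csv: str) -> dict:
    """Join both logs by file name; report missing, corrupted and latency."""
    blue = {r["name"]: r for r in csv.DictReader(io.StringIO(blue_csv))}
    red = {r["name"]: r for r in csv.DictReader(io.StringIO(red_csv))}
    report = {"ok": [], "missing": [], "mismatch": [], "unexpected": []}
    for name, b in blue.items():
        r = red.get(name)
        if r is None:                        # fetched on Blue, never seen on Red
            report["missing"].append(name)
        elif r["sha256"] != b["sha256"]:     # arrived, but not bit-for-bit identical
            report["mismatch"].append(name)
        else:
            delay = (datetime.fromisoformat(r["time"])
                     - datetime.fromisoformat(b["time"]))
            report["ok"].append((name, round(delay.total_seconds(), 3)))
    report["unexpected"] = sorted(set(red) - set(blue))  # on Red, never sent by Blue
    return report

# Constructed sample run: three files leave Blue; one is truncated in transit,
# one never arrives. Timestamps are fabricated for the example.
T0 = datetime(2024, 1, 1, 12, 0, 0)
FILES = {"small.txt": b"hello", "medium.bin": bytes(range(256)) * 4,
         "large.bin": b"\x00" * 4096}
BLUE_LOG = to_csv([file_record(n, d, T0 + timedelta(seconds=i))
                   for i, (n, d) in enumerate(FILES.items())])
RED_LOG = to_csv([
    file_record("small.txt", FILES["small.txt"], T0 + timedelta(seconds=0.5)),
    file_record("medium.bin", FILES["medium.bin"][:-1], T0 + timedelta(seconds=2)),
])

if __name__ == "__main__":
    print(reconcile(BLUE_LOG, RED_LOG))
```

The report rows (ok with latency, missing, mismatch, unexpected) are the columns a results spreadsheet like the one above would carry.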

TCP Testing

NetWall supports unidirectional TCP streams that originate in the trusted domain and terminate in the untrusted domain.

Test code was written to run on machines external to NetWall in both the trusted domain and the untrusted domain. This test code creates a file on the trusted domain and then uses a TCP channel through NetWall to transfer the file data to the test code in the untrusted domain.

At the end of the testing cycle, an Excel file is generated to publish the test results. That Excel file will look like the following sample.

[Image: sample TCP Testing results spreadsheet]

UDP Testing

NetWall also supports UDP data streams.

Test code was written to run on machines external to NetWall in both the trusted domain and the untrusted domain. This test code creates data messages on the trusted domain and then uses a UDP channel through NetWall to transfer them to the test code in the untrusted domain.

At the end of the testing cycle, an Excel file is generated to publish the test results. That Excel file will look like the following sample.

[Image: sample UDP Testing results spreadsheet]
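Because UDP gives the receiver no way to ask for a retransmission, and Red cannot talk to Blue anyway, the Red-side test has to account for loss, duplication and corruption from the datagrams alone. The following is an added example, not OPSWAT's test code: Blue stamps each test message with a sequence number and a CRC32, and Red audits what it received against Blue's send log. The frame layout is an assumption for illustration.

```python
# Added example: sequence-numbered UDP test frames and the Red-side audit.
# Assumed frame layout: seq:u32 | payload_len:u16 | crc32:u32 | payload
import struct
import zlib

HDR = struct.Struct("!IHI")

def frame(seq: int, payload: bytes) -> bytes:
    """Build one datagram as the Blue-side sender would emit it."""
    return HDR.pack(seq, len(payload), zlib.crc32(payload)) + payload

def parse(datagram: bytes):
    """Return (seq, payload); (seq, None) if length/CRC fail; (None, None) if no header."""
    if len(datagram) < HDR.size:
        return None, None
    seq, length, crc = HDR.unpack_from(datagram)
    payload = datagram[HDR.size:]
    if len(payload) != length or zlib.crc32(payload) != crc:
        return seq, None
    return seq, payload

def audit(sent_seqs, received: list) -> dict:
    """Compare Blue's send log (sequence numbers) with Red's received datagrams."""
    seen, corrupt, dup = {}, [], []
    for dg in received:
        seq, payload = parse(dg)
        if payload is None:          # truncated or bit-flipped in transit
            corrupt.append(seq)
            continue
        if seq in seen:              # same frame delivered twice
            dup.append(seq)
        seen[seq] = payload
    lost = sorted(set(sent_seqs) - set(seen) - set(corrupt))
    return {"received": len(seen), "lost": lost,
            "corrupt": corrupt, "duplicate": dup}

# Constructed run: Blue sends 6 frames; the channel drops #2, duplicates #4
# and flips one payload bit in #5.
SENT = [frame(i, f"reading-{i}".encode()) for i in range(6)]
_bad = bytearray(SENT[5])
_bad[-1] ^= 0x01
RECEIVED = [SENT[0], SENT[1], SENT[3], SENT[4], SENT[4], bytes(_bad)]

if __name__ == "__main__":
    print(audit(range(6), RECEIVED))
```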

Modbus Testing

For the Modbus tests, the values in the coils and registers on the Blue side are modified. Each changed value is logged, and when it is transferred to the Red side it is logged again. Once the test is finished, the two logs are compared and an Excel file is generated:

[Image: sample Modbus Testing results spreadsheet]

OPCUA Testing

To run an OPC UA test, the values of the nodes on the Blue side are changed. These changes are logged, and when they arrive on the Red side they are logged again. On the Red side, some nodes are read, and others push the new values to subscribed clients. When the test ends, the two logs are compared and an Excel document is generated:

[Image: sample OPC UA Testing results spreadsheet]

SMTP Testing

To conduct SMTP tests, a script sends hundreds of emails from the trusted domain to a mail server in the untrusted domain. The test then verifies that all the emails arrive.

Conclusion

Every NetWall release is certified using these testing procedures, as well as others. We are confident that NetWall will always be stable and efficient.
