
Why Data Diodes Are Essential for Isolated and Classified Networks

In order to protect highly sensitive data and networks, such as military networks and critical infrastructure control systems, the most commonly used security measure is to completely disconnect the system from other networks. These disconnected networks are also called isolated or air-gapped networks. This has been the standard approach for critical infrastructure and SCADA systems as well as military networks, but it is becoming more and more problematic as the need to import and export data from isolated networks increases. Manual transfer of data not only creates a security risk but also a heavy workload, and is prone to human error.

Data diode: Secure one-way data transfer

A data diode solves these issues by creating a physically secure one-way communication channel from the insecure network to the secure network. The one-way channel allows data to be safely transferred into the secure network, while not allowing any data to leave. The data transmission is handled by two dedicated servers; in order to explain the principle, at Arbit Security we call the sending server the 'pitcher' and the receiving server the 'catcher'. No data can be transported from the receiving network to the transmitting network (i.e. from the catcher back to the pitcher); since the data diode has a single fiber-optic cable, it is impossible to reverse transmissions due to the basic laws of physics (no covert channel is possible).

This means that data diodes can ensure the following:

  • Exploited network access is not possible from outside the network
  • 100% data leak prevention since no data can leave the network

[Figure: A diagram of a unidirectional networking data diode connected to OPSWAT's Multiscanning]
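As an added illustration of what the absence of a return channel means for the pitcher and catcher (this is constructed example code, not Arbit's or OPSWAT's software or wire protocol): the catcher can never ask for a retransmission, so each frame the pitcher sends must carry enough metadata (file name, sequence number, total count, and a final manifest with a SHA-256 digest) for the receiving side to detect gaps and corruption entirely on its own. The framing format, chunk size and function names are assumptions made for this example.

```python
import hashlib
import json
import struct
from typing import Dict, List

CHUNK = 4  # constructed, tiny chunk size so the example is easy to follow


def pitcher_frame(name: str, data: bytes, chunk: int = CHUNK) -> List[bytes]:
    """Split a file into sequence-numbered frames, then append a manifest frame.

    Each frame is: 2-byte big-endian header length, JSON header, raw chunk body.
    """
    chunks = [data[i:i + chunk] for i in range(0, len(data), chunk)]
    frames = []
    for seq, body in enumerate(chunks):
        hdr = json.dumps({"name": name, "seq": seq, "total": len(chunks)}).encode()
        frames.append(struct.pack(">H", len(hdr)) + hdr + body)
    # The manifest lets the catcher verify completeness and integrity without
    # ever talking back to the pitcher.
    manifest = json.dumps({"name": name, "manifest": True, "total": len(chunks),
                           "sha256": hashlib.sha256(data).hexdigest()}).encode()
    frames.append(struct.pack(">H", len(manifest)) + manifest)
    return frames


def catcher_reassemble(frames: List[bytes]) -> Dict[str, dict]:
    """Reassemble whatever arrived; flag files that are incomplete or corrupt.

    Because there is no return path, the only possible remedy for a bad file
    is to drop it and let an operator re-send from the low side.
    """
    files: Dict[str, Dict[int, bytes]] = {}
    manifests: Dict[str, dict] = {}
    for f in frames:
        hlen = struct.unpack(">H", f[:2])[0]
        hdr = json.loads(f[2:2 + hlen])
        body = f[2 + hlen:]
        if hdr.get("manifest"):
            manifests[hdr["name"]] = hdr
        else:
            files.setdefault(hdr["name"], {})[hdr["seq"]] = body
    results: Dict[str, dict] = {}
    for name, m in manifests.items():
        got = files.get(name, {})
        missing = [i for i in range(m["total"]) if i not in got]
        if missing:
            results[name] = {"status": "incomplete", "missing": missing}
            continue
        data = b"".join(got[i] for i in range(m["total"]))
        ok = hashlib.sha256(data).hexdigest() == m["sha256"]
        results[name] = {"status": "ok" if ok else "corrupt", "data": data if ok else None}
    return results
```

Dropping a frame from the list before calling `catcher_reassemble` shows the gap being reported as `incomplete`, and flipping a byte in a chunk body shows the manifest digest catching it as `corrupt`.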

Files Securely Transmitted Between Low and High-Security Networks

When comparing diode and firewall technology, it is important to note that once implemented, a data diode cannot be changed in any way; the worst-case scenario is that the diode is forced to shut down. A firewall, once breached, may still permit the transmission of data, whereas when a diode is breached or fails, all physical channels for transmission are shut down with it.

Since data diodes can ensure security while allowing for significantly higher employee productivity, the use of data diodes, in order to protect networks, data and PII, is becoming the next logical security step for many high security organizations.

How can users benefit from a data diode?

By allowing for limited and safe connectivity, users are able to complete their tasks more efficiently, including:

Forwarding email

Users on secure or even air-gapped networks often have several mail addresses belonging to different networks. In order to receive mail, users are forced to log in to multiple networks to check their mail accounts. By installing a data diode, you will be able to forward all emails to one account on the most secure network and thereby significantly improve efficiency.

User initiated file transfers

Even working within a secure network, users often need graphs, images, and other information for the completion of reports. By using Data Diode technology, users can transfer the information they need by simply dragging and dropping the files to a dedicated transfer folder which is forwarded to the secure network.

Mirror web sites

Permitting full web access to the Internet is always a huge security issue, and with air-gapped networks, full access is simply impossible. Nevertheless, if you or the organization needs online access to specific websites, there is the option to mirror the needed sites using data diode technology. The website content is sent through the data diode, creating a mirror of it for employee use.

RSS feeds

Employees often rely on RSS feeds to get the latest updates on topics in their industry or profession. High-security organizations can now allow the use of RSS feeds by having the information travel through a data diode, much like the email and website mirroring.

Streaming (video, audio)

Streaming of video and audio is now possible for high-security organizations. Since even video files can contain malware, taking precaution on the use of streaming media such as news feeds, surveillance, or video seminars is important. Using a data diode provides all of the necessary precautions, while not hindering the use of these media types at all.

Centralized print solution

Without the use of unidirectional networking, organizations will have more separated networks and more printer pools. Every separated network would need its own set of printers to allow employees to print information from that network. With Arbit's data diode, it is possible to set up a centralized print solution that covers multiple networks and even supports "follow the print".

How can Administrators benefit from a data diode?

By allowing secure data access without requiring manual transfers, administrators are able to complete their tasks more efficiently, including:

  • Running Windows server update services (WSUS)
  • Antivirus updates and Software repositories
    • Diodes can be set up to retrieve downloaded updates and forward the data to the protected network, making daily operations easier and less time-consuming.
  • Securing & centralizing log data
    • Unidirectional networking allows separated networks to compile log data into one comprehensive log. This makes network analysis and oversight easier for administrators.
  • Securing & centralizing backup data
    • Should something happen on one of your networks, up-to-date backup and log data is essential for your continued business, and therefore a high-priority security and operational issue. A diode solution makes it possible to move and secure this type of data almost "online".
  • Time synchronization
    • Admins with multiple separated networks know the importance of a common time source across networks, especially when it comes to comparing log data.

How can you ensure that transfers on the data diode are threat-free?

Even though no data can leave a secure network when using a data diode, it is still important to ensure that the data entering the network is threat-free. This is why it is important to use an advanced anti-malware solution to ensure that the data entering secure networks is free from malware threats.

How can a data diode improve portable media security?

Since users will also need to use portable media to bring in data to the secure network, and portable media can contain malware threats, it is important to make sure that all removable media is thoroughly checked for malware before the device is allowed to be connected to the high security network.


After the files have been found to be clean, a data diode and secure file transfer system can be used to transfer the data into the secure area, without having to physically bring in and connect the media. This not only improves productivity, but also eliminates another possible security risk: booby-trapped devices that could go undetected by anti-malware solutions but can cause major damage when connected to the network.

The bottom line is that maintaining data flow between separated networks is a security challenge and a time-consuming operation for users and administrators. By combining Arbit's expertise in data diodes and unidirectional gateways with OPSWAT's robust multi-scanning, data sanitization, and portable media security technology, customers can benefit from automated, reliable, efficient and threat-free data transfer in high-security networks. In this way, users and administrators can focus on more important tasks rather than dedicating their valuable time to manually transferring data.

About the Author:

Søren Elnegaard Petersen is Key Account Manager at Arbit Security. Founded in 2006, Arbit Security specializes in high-end security products, including its unidirectional data diode solution. Arbit offers data diodes for one-way transfer into a secure network, as well as release of data from a secure network using Arbit Trust Gateway technology. Arbit Security is based in Denmark and helps secure high-security networks throughout the world.
