Opening the doors to safer networks with Oakdoor data diode

If you run an IT network that looks after highly sensitive data – state secrets, patient records, customers’ bank accounts, critical national infrastructure – you’ll do whatever it takes (within reason) to keep it safe from cyber attacks. That probably means segmenting the network into a ‘low security’ side that connects to the internet and a ‘high security’ side that keeps the valuables well away from it. Even so, the two sides must still connect. Data travels from low to high and vice-versa – and in those moments, the high side is vulnerable to attack.

Data diodes or firewalls?

Then what? Until now, you’ve had two not-quite-ideal ways to protect these connections: a firewall, which uses software to protect the network and so carries potential software vulnerabilities a hacker could exploit, or a data diode that only lets certain types of data through, which is highly effective but prohibitively expensive to buy and run. Some organisations get around this by transferring data from one side of their network to the other manually using discs. But that is cumbersome and the capacity is limited. And it’s not even foolproof – malware can still jump onto discs.

This was the problem a client brought to us. Our answer is a new kind of data diode that’s low-cost and no-maintenance. We’ve called it Oakdoor. We believe it makes a new level of security protection possible, even for the most sophisticated segmented networks that would need multiple diodes. And we believe it shows that complex problems can have simple solutions.

To explain why, let’s look at our client a bit more closely.

They had a low side and a high side to their network. Like a bank that updates customers’ balances after each transaction, they moved data from the low side to the high side. And like a business that shares audit information with the world at large, they also moved data in the opposite direction. On top of that, while the high side had its own memory and capacity, it needed software products and patches, which it got from the low side, increasing its vulnerability.

Our client had sophisticated firewalls in place, but wanted more protection. So they looked into data diodes.

Counting the cost of complexity

Data diodes have existed for decades, and they’re seen as one of the best barriers. Data can only travel one way through them, so hackers can’t exploit the connection by sending malware or other attacks in the opposite direction. But our client was quoted tens of thousands of pounds for a single diode, with a significant annual maintenance bill on top. In common with other organisations, they’d defined multiple segregated networks, with high sides partitioned into different areas. In all, they were going to need large numbers of data diodes to cover all their high-low network connections.

Even for organisations like government departments where security is paramount, this would be too big a pill to swallow. So, rather than pin all their faith on firewalls, they asked our cybersecurity and engineering experts to think of a third option. Two years of development later, the result is Oakdoor.

Keeping it simple

Current data diodes have their own servers built in, along with extra services like virus screening. This comes with an underlying, and ongoing, maintenance cost. Oakdoor performs only the most essential function – keeping the flow of data one-way to protect high-side computers. So, it’s as simple as it can be – and the maintenance cost disappears.

No bigger than a paperback book, it connects to servers the organisation is already paying to maintain and needs no special extra components. Meanwhile, applications in other parts of the high network are already carrying out functions like virus screening.

Electrical, not optical

Another difference between Oakdoor and other data diodes is that our systems are electrical rather than optical. It's commonly believed that data diodes must be based on components that translate information into photons. But we’ve found that electrical components are simpler and just as secure, making for a less costly package and a faster interface. Electrical components are also a closer match with how other network components communicate.

Keeping cost down

All this means that, with our diode, the headline cost is only about a tenth of a conventional one – low enough to have multiple diodes connecting different segregated networks. This makes it well suited to modern networks, whose high sides are often divided into different parts (just like our client’s), for instance by country or sector. Ideally, each part needs a data diode to protect its link with the low side. While that level of protection has been off-puttingly expensive until now, we believe Oakdoor puts it within reach.
