A data diode is a simple network component that allows data to flow through it in one direction only. The term data diode is used because the device behaves like an electronic diode circuit, permitting data to move in just one direction.
In network architecture, data diodes are a critical component in network segregation, particularly in the implementation of the most secure cross-domain solutions. These solutions use a combination of one-way flow control and careful content inspection, preventing the transmission of malware from untrusted to trusted networks.
Placing data diodes at network trust boundaries, such as between internal networks and the Internet or Security Operations Centre (SOC) networks, contributes significantly to safeguarding against potential threats and maintaining the integrity of trusted networks.
How are data diodes different from other network security devices, such as firewalls?
While data diodes restrict and inspect traffic in a similar way to firewalls, their core functionality differs. Firewalls rely on CPUs and software, which are vulnerable to hacking, whereas a data diode’s core functions are implemented in hardware, making it resistant to remote hacking. A data diode enforces unidirectional data flow without the need for constant updates or patches, providing a robust solution for securing network traffic.
When would I use data diodes?
Originally adopted by military and government agencies, data diodes are now finding increased deployment in critical systems across diverse sectors. These sectors range from life sciences and finance to energy and utilities, encompassing any industry where network segregation is crucial to safeguarding data and systems.
Data diodes transfer data across an air gap while maintaining the defined air gap protocols. This ensures that only intended data enters or leaves the segregated network. They let you receive sensor data or log data from your Operational Technology (OT) network while preventing malicious actors from getting in. Data diodes can also perform content inspection to verify the incoming data, so that your network SOC can easily monitor the feed and ensure that no malware comes in with it.
Data diodes can also be used in more complex scenarios. For instance, they guarantee safe internet browsing from classified networks, ensure the safe export of data based on well-defined workflows, and enable secure management of systems and networks, either from your trusted classified network or from a SOC network.
Data diodes complement an organisation’s existing network security stack. Implementing security-enforcing functions in hardware as well as in software has clear benefits, and the best security solutions take advantage of this to optimise their layered network defence.
Considerations when choosing a data diode
When selecting a data diode solution, it’s crucial to consider the technology underlying the diode and the overall cost-effectiveness. Many diodes are based on optical systems, which require expensive components such as a light emitter and receiver, driving the cost up.
In contrast, the Oakdoor data diode is built on transistors, one of the best-understood and most thoroughly tested electronic components. Transistors are simple, cost-effective, reliable and capable of operating at very high frequencies. Current flows through the transistor in one direction only, and there have been no reported successful instances of transistor hacking to date.
The hardware of the Oakdoor diode product family is UK CAPS approved for use at the highest classifications and is equipped with a variety of security-enforcing features. Most variants perform data structure inspection, ensuring that only structured data passes through the data diode. Any unstructured data that fails to comply with the inspection rules is wrapped and stored for separate handling. The inspection rules themselves are encoded in the Oakdoor hardware and cannot be modified remotely.
In addition to validating the data structure, Oakdoor diodes automatically scan the data content for unwanted properties, such as macros in Word documents, further eliminating the risk of compromise.
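As an added illustration of the structural inspection and wrap-and-store behaviour described above, the software model below applies an allow-list to an incoming feed and quarantines anything that does not conform. This is example code written for this page, not Oakdoor's implementation (which lives in hardware); the newline-delimited JSON sensor-log format, the field rules, the size bound and the sample records are all assumptions.

```python
import json
import re

# Constructed allow-list for the assumed record format (one JSON object per line
# carrying an OT sensor reading): exactly these keys, each value matching its rule.
RULES = {
    "sensor_id": re.compile(r"^[A-Z]{2}-\d{3}$"),
    "ts": re.compile(r"^\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}Z$"),
    "unit": re.compile(r"^(C|kPa|rpm)$"),
}
MAX_RECORD_BYTES = 256  # bound the input before any parser touches it

def violation(raw: bytes):
    """Return None if the record conforms, otherwise a short reason string."""
    if len(raw) > MAX_RECORD_BYTES:
        return "oversize"
    try:
        rec = json.loads(raw.decode("ascii"))
    except ValueError:  # covers both UnicodeDecodeError and JSONDecodeError
        return "unparseable"
    if not isinstance(rec, dict) or set(rec) != set(RULES) | {"value"}:
        return "unexpected-keys"
    for key, pattern in RULES.items():
        if not isinstance(rec[key], str) or not pattern.fullmatch(rec[key]):
            return f"bad-{key}"
    v = rec["value"]  # bool is an int subclass in Python, so exclude it explicitly
    if isinstance(v, bool) or not isinstance(v, (int, float)) or not -1e6 <= v <= 1e6:
        return "bad-value"

def inspect_stream(lines):
    """Return (passed, quarantined): passed records are re-serialised from the parsed
    fields, so raw sender bytes never cross; failures are wrapped as inert hex."""
    passed, quarantined = [], []
    for raw in lines:
        reason = violation(raw)
        if reason is None:
            passed.append(json.dumps(json.loads(raw), sort_keys=True, separators=(",", ":")))
        else:
            quarantined.append({"reason": reason, "size": len(raw), "payload_hex": raw.hex()})
    return passed, quarantined

# Constructed sample: two good readings, then an extra key, a string where a number is required, and a non-record.
SAMPLE = [
    b'{"sensor_id":"TK-101","ts":"2024-05-01T10:00:00Z","value":71.5,"unit":"C"}',
    b'{"sensor_id":"PM-007","ts":"2024-05-01T10:00:05Z","value":1450,"unit":"rpm"}',
    b'{"sensor_id":"TK-101","ts":"2024-05-01T10:00:10Z","value":72.0,"unit":"C","note":"x"}',
    b'{"sensor_id":"TK-101","ts":"2024-05-01T10:00:15Z","value":"72.0","unit":"C"}',
    b"PK\x03\x04 not a record at all",
]
```

Running `inspect_stream(SAMPLE)` passes the first two records and quarantines the other three with reasons `unexpected-keys`, `bad-value` and `unparseable`; the quarantined entries carry the original bytes only as hex, so nothing in them is ever interpreted on the trusted side.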