What is a data diode?
A data diode is a simple unidirectional network device designed to ensure secure data flow between isolated networks. Functioning similarly to an electronic diode circuit, it permits data to move in only one direction.
Data diodes are a critical component in network segmentation and are commonly found in high-security environments to enable connection between networks of differing security classifications. By enforcing one-way data flow and performing rigorous content inspection, data diodes help protect sensitive information such as state secrets, patient records, financial data, and critical national infrastructure from cyber threats.
Placing data diodes at network trust boundaries, such as between internal networks and the internet or Security Operations Centre (SOC) networks, is essential to mitigating potential cyber risks and maintaining the integrity of trusted networks.
How do data diodes work?
Data diodes are designed to protect against three primary cyber threats: malware, unauthorised access to information, and data leakage. They achieve this by preventing network protocol attacks, ensuring that malicious activities cannot exploit communication channels.
For example, Oakdoor® data diodes enforce a hardware-based unidirectional flow of information, effectively separating inbound and outbound traffic through a protocol break. When network traffic, such as IP frames, enters the input side of the diode, it is deconstructed, transmitted through hardware, and then reconstructed into IP packets at the output before proceeding further. This process blocks protocol-based attacks and safeguards against content-based threats, where malicious data might otherwise attempt to infiltrate the network.
What is the difference between a data diode and a firewall?
While data diodes and firewalls both restrict and inspect network traffic, their core functionalities are fundamentally different. Firewalls rely on Central Processing Units (CPUs) and software, making them vulnerable to hacking. In contrast, a data diode's hardware-based core functionality permits only certain types of data to pass through, and the hardware from which it is constructed is inherently resistant to remote hacking.
Some organisations may prefer to transfer data manually, using discs or USB sticks to move data from one network to another, but with the acceleration of digitisation across all sectors, the need for safe connectivity becomes increasingly critical.
Most organisations already have firewalls in place, but the potential impact of cyber-attacks often necessitates additional layers of protection, and unidirectional network data diodes offer that extra protection for secure data transfer.
What is the difference between a data filter and a data diode?
Typically, data diodes only control the direction of data transfer. When a data filter is integrated into the data diode, it ensures not only one-way flow of information by separating inbound and outbound traffic with a protocol break, but also inspects content structure to allow only defined types of data to pass through. This gives the extra level of assurance of protection against malicious actors.
When would I use data diodes?
Originally adopted by military and government agencies, data diodes are increasingly deployed in critical systems across diverse sectors, including life sciences, finance, energy and utilities. Any industry where network segregation is crucial to safeguarding data and systems benefits significantly from the additional protection that a data diode offers.
Data diodes are set up to ensure that only intended data enters or leaves the segregated network. For example, data diodes allow sensor data or log data from your Operational Technology (OT) network to be received safely, while preventing malicious actors from infiltrating the system. Data diodes can perform content inspection to verify the incoming data, enabling your network SOC to monitor it while ensuring no malware comes in at the same time.
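The protocol break described in "How do data diodes work?" and the content filter described in "What is the difference between a data filter and a data diode?" can be illustrated together in software. The following is an added example, not Oakdoor's code or any vendor's implementation: the sending side strips network framing and emits opaque frames carrying only a sequence number and a length-prefixed payload, a write-only channel (a plain list, standing in for the hardware link) carries them across the boundary, and the receiving side reconstructs each frame and passes it through a content filter that admits only flat JSON sensor records matching a fixed schema. The frame format, the `OneWayChannel` class, the schema in `ALLOWED_SCHEMA`, and the sample OT records are all constructed for this example. Because there is no return path, the receiver cannot request retransmission; it can only count gaps in the sequence numbers, which the example records as `lost`.

```python
"""Simulated data-diode pipeline: protocol break plus content filter.

Constructed example: the one-way channel is a list, not real hardware, and
the frame format and record schema are assumptions for illustration.
"""
from __future__ import annotations

import json
import struct
from dataclasses import dataclass, field
from typing import Iterator, Optional

# ---- Sending (low) side: protocol break ------------------------------------
# Only a sequence number and a length-prefixed payload cross the boundary.
# No TCP state, no acknowledgements and no return path exist.
FRAME_HDR = struct.Struct("!IH")  # seq (u32), payload length (u16)


def encode_frames(payloads: list[bytes]) -> list[bytes]:
    """Turn application payloads into opaque diode frames."""
    frames = []
    for seq, payload in enumerate(payloads):
        if len(payload) > 0xFFFF:
            raise ValueError("payload too large for a single frame")
        frames.append(FRAME_HDR.pack(seq, len(payload)) + payload)
    return frames


class OneWayChannel:
    """Stand-in for the hardware link: the sender can only push, the receiver can only drain."""

    def __init__(self) -> None:
        self._frames: list[bytes] = []

    def push(self, frame: bytes) -> None:
        self._frames.append(frame)

    def drain(self) -> Iterator[bytes]:
        while self._frames:
            yield self._frames.pop(0)


# ---- Receiving (high) side: reconstruction plus content filter -------------
# Assumed schema: a flat JSON object with exactly these keys and types.
ALLOWED_SCHEMA = {"sensor_id": str, "timestamp": int, "value": float}


def parse_frame(frame: bytes) -> tuple[int, bytes]:
    """Reconstruct (seq, payload) from a frame; reject anything malformed."""
    if len(frame) < FRAME_HDR.size:
        raise ValueError("short frame")
    seq, length = FRAME_HDR.unpack_from(frame)
    payload = frame[FRAME_HDR.size:]
    if len(payload) != length:
        raise ValueError("length mismatch")
    return seq, payload


def content_filter(payload: bytes) -> Optional[dict]:
    """Admit only records whose structure matches ALLOWED_SCHEMA exactly."""
    try:
        obj = json.loads(payload.decode("utf-8"))
    except (UnicodeDecodeError, ValueError):
        return None
    if not isinstance(obj, dict) or set(obj) != set(ALLOWED_SCHEMA):
        return None  # wrong shape, or extra/missing fields
    for key, typ in ALLOWED_SCHEMA.items():
        val = obj[key]
        allowed = (int, float) if typ is float else typ
        # bool is a subclass of int in Python, so exclude it explicitly
        if isinstance(val, bool) or not isinstance(val, allowed):
            return None
    return obj


@dataclass
class ReceiveResult:
    accepted: list[dict] = field(default_factory=list)
    rejected: int = 0  # malformed frames, replays, or records failing the filter
    lost: int = 0      # sequence gaps; nothing can be re-requested over a diode


def receive(frames: Iterator[bytes]) -> ReceiveResult:
    """Consume frames from the one-way link, validate, and collect results."""
    result = ReceiveResult()
    expected = 0
    for frame in frames:
        try:
            seq, payload = parse_frame(frame)
        except ValueError:
            result.rejected += 1
            continue
        if seq < expected:          # duplicate or replayed frame
            result.rejected += 1
            continue
        result.lost += seq - expected
        expected = seq + 1
        record = content_filter(payload)
        if record is None:
            result.rejected += 1
        else:
            result.accepted.append(record)
    return result


def demo() -> ReceiveResult:
    """Run constructed sample records through the pipeline with one frame lost."""
    payloads = [  # constructed sample OT payloads
        b'{"sensor_id": "pump-7", "timestamp": 1700000000, "value": 3.5}',
        b'{"sensor_id": "valve-2", "timestamp": 1700000001, "value": 12}',
        b'{"sensor_id": "tank-1", "timestamp": 1700000002, "value": 0.25}',
        b'not a sensor record at all',
        b'{"sensor_id": "pump-7", "timestamp": "now", "value": 3.5}',
        b'{"sensor_id": "pump-7", "timestamp": 1700000003, "value": 3.5, "extra": 1}',
    ]
    channel = OneWayChannel()
    for frame in encode_frames(payloads):
        channel.push(frame)
    frames = list(channel.drain())
    del frames[1]  # simulate a frame lost on the link (valve-2, seq 1)
    return receive(iter(frames))


if __name__ == "__main__":
    r = demo()
    print(f"accepted={len(r.accepted)} rejected={r.rejected} lost={r.lost}")
```

Running `demo()` accepts the two well-formed records, rejects the three that fail the structural check (plain text, a string timestamp, and an extra field), and reports one lost frame. The point of the split is that the receiving side never sees a live TCP session or any attacker-controlled protocol state, only fixed-format frames it reconstructs itself, and the filter's decision depends only on whether the structure matches the schema, not on what the content claims to be.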
In more complex scenarios, data diodes offer additional capabilities. They can secure internet browsing from classified networks or enable secure management of systems and networks, either from your trusted classified network, or a SOC network.
Data diodes provide a complementary enhancement to an organisation’s existing network security stack. Implementing security-enforcing functions in hardware and software has its benefits and the best security solutions take advantage of this to optimise their layered network defence.
Considerations when choosing a data diode
When selecting a data diode solution, several factors should be considered from cost and certifications to underlying technology.
- Costs: The technology behind the diode impacts its overall cost-effectiveness. Many traditional diodes use optical systems, which require expensive components such as photocouplers, leading to high costs and performance limitations. In contrast, the Oakdoor® data diode leverages transistors, which are simple, cost-effective, reliable, and capable of operating at very high frequencies. This means that the headline cost is significantly reduced.
- Certification: A key consideration and requirement for many security and defence environments is that a data diode is UK CAPS approved for use at the highest classifications and equipped with a variety of security enforcing features. This certification indicates that the diode is suitable for use in the most sensitive environments.
- Simplicity of technology: Many current data diodes come with built-in servers and additional services like virus screening, which contribute to ongoing maintenance costs.
- Electrical not optical: Many data diodes rely on optical components to convert information into photons. Other data diodes use electrical components. While it is a common belief that data diodes must be based on components that translate information into photons, electrical components are simpler and just as secure, with faster interfaces. Electrical components also align more closely with how other network components communicate, making diodes such as the Oakdoor® solution a better fit for a modern network infrastructure.