We developed the Oakdoor™ product range in collaboration with the UK Government. The one-way transfer function of the data diode is guaranteed by the electrical properties of the transistors used in the Oakdoor hardware. Transistors are among the best understood electronic components, and they provide a guarantee equal to that of optical transmit and receive systems that data traffic can only flow in one direction. In addition, the Oakdoor™ hardware implements data syntax verification, which is widely acknowledged as an especially advanced and secure way of handling data across security boundaries, as it eliminates the risk of importing executable data structures.
Oakdoor™ aims to drive down the total cost of data diode ownership, paving the way for a wider uptake of this state-of-the-art cyber security solution and improving cyber security globally.
Attackers can compromise software by manipulating the data it processes so as to influence the instructions given to the processor. Exploiting such vulnerabilities can hand control of the entire system to malware. Microprocessors are so complex that it is hard to ensure that such vulnerabilities never exist.
A hardware data diode is very simple. Using simple electronic components it is possible to create a hardware circuit that can pass signals in one direction only. This cannot be affected by the data passed through the circuit and so is immune from hacking.
SISL is an open specification language developed for Oakdoor™ Import Diode to enable efficient hardware-based verification of file syntax.
Any structured data can be expressed in SISL and its syntax subsequently verified. This ensures the data doesn’t contain any executable code, which could act as malware, and is therefore safe to handle in subsequent software.
Yes, in principle the programmable FPGA can be said to be ‘software’.
The one-way transfer function of the Oakdoor™ Data Diode is implemented electronically and cannot be reconfigured. The Oakdoor Data Diodes include FPGA programmable hardware devices that allow further Security Enforcing Functions (SEF) to be implemented in addition to the one-way transfer SEF.
A critical feature of the ‘hardsec’ FPGA devices used in Oakdoor™ products is separation of the data plane and control plane, meaning that the hardware functionality can’t be hacked in the way traditional software can.
Any structured data can be expressed in Simple Information Serialisation Language (SISL), which is then verified according to the rules programmed into the FPGA. Data that doesn’t comply with the SISL definition, such as unstructured data, is ‘wrapped’ so that it can be handled in a safe manner.
If true one-way communication is enforced, how do protocols expecting acknowledgements react? Is only UDP-based traffic allowed?
Two-way protocols do not work across data diodes, as they require data to flow in both directions. But UDP traffic, which doesn’t require acknowledgements, works fine with simple data diodes.
To support two-way protocols like TCP, proxy software in front of the diode receives the data and sends the necessary acknowledgements back to the sender. The software sends the data through the diode using UDP, where another software proxy forwards it to the destination using an assured delivery protocol.
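The datagram-side of the proxy arrangement above, as an added illustration that is not Oakdoor's own proxy code: because no acknowledgement can ever cross the diode, each UDP frame the sending proxy emits must carry a stream id, sequence number, frame count and checksum so that the receiving proxy can reorder, verify and detect loss entirely on its own. The header layout, MTU-sized chunking and CRC32 check are constructed assumptions for this example.

```python
import struct
import zlib

# Constructed example (not Oakdoor's own proxy code): a minimal framing layer
# for the sender-side proxy that pushes a byte stream across a one-way link as
# UDP datagrams. No acknowledgement can ever come back, so every datagram must
# carry enough information for the receiving proxy to reorder it, verify its
# integrity, and detect loss unaided.

HEADER = struct.Struct("!IIHI")  # stream id, sequence no, total frames, CRC32 of payload
MAX_PAYLOAD = 1400               # keep each datagram under a typical Ethernet MTU


def encode_frames(stream_id: int, data: bytes) -> list[bytes]:
    """Split a byte stream into self-describing datagrams with a per-frame CRC."""
    chunks = [data[i:i + MAX_PAYLOAD] for i in range(0, len(data), MAX_PAYLOAD)] or [b""]
    total = len(chunks)
    return [HEADER.pack(stream_id, seq, total, zlib.crc32(chunk)) + chunk
            for seq, chunk in enumerate(chunks)]


def decode_frame(datagram: bytes):
    """Parse one datagram; return None if it is truncated or its CRC fails."""
    if len(datagram) < HEADER.size:
        return None
    stream_id, seq, total, crc = HEADER.unpack_from(datagram)
    payload = datagram[HEADER.size:]
    if zlib.crc32(payload) != crc or seq >= total:
        return None
    return stream_id, seq, total, payload


def reassemble(datagrams: list[bytes]):
    """Receiver-side proxy logic: reorder by sequence number, ignore duplicates and
    corrupt frames, and report the sequence numbers that never arrived.
    Returns (complete, missing): only streams with no gaps appear in `complete`;
    `missing` lists the absent sequence numbers for every stream seen. Since the
    link is one-way, the receiver cannot request a resend; it must flag the gap
    rather than silently forward a stream with holes."""
    got: dict[int, dict[int, bytes]] = {}
    totals: dict[int, int] = {}
    for d in datagrams:
        parsed = decode_frame(d)
        if parsed is None:
            continue                                        # corrupt/truncated: discard
        sid, seq, total, payload = parsed
        totals[sid] = total
        got.setdefault(sid, {}).setdefault(seq, payload)    # first copy of a frame wins
    complete, missing = {}, {}
    for sid, chunks in got.items():
        gaps = [s for s in range(totals[sid]) if s not in chunks]
        missing[sid] = gaps
        if not gaps:
            complete[sid] = b"".join(chunks[s] for s in range(totals[sid]))
    return complete, missing
```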
Generally, four types of technology are used in data diodes:

| | Software | Optical | FPGA | Electrical |
|---|---|---|---|---|
| How it works | A computer decides whether to pass a data packet to the system output | A laser sends data down a fibre in the form of light pulses | Programmed with a single direction of data passing the chip | Single direction data flow is forced by transistors. Oakdoor is the only example of this. |
| Pros | Cheap and simple | The fibre is visible, making it intuitively easy to understand | Simple (few electronic components) | One-way device using intrinsic properties of basic electronic components. It's cheap, as the electronics are built into commodity FPGAs. It's fast (it can run at > 10Gb/s). |
| Cons | All computers can be hacked, allowing one-way flow control to be subverted | Light can travel both ways in a fibre. It's not possible to tell if light is flowing back in the wrong direction | The single direction is defined in the control plane. If any changes are made to the control plane functionality, the whole system must be re-accredited | Electrical data diodes are new, which some may perceive as a risk |
Oakdoor™ can be integrated into a zero-trust architecture (ZTA), providing additional protection to a segregated network within a ZTA.
The key issue is that a ZTA assumes all data at rest and in transit is encrypted; it is only decrypted in the heart of the CPU. But to verify the syntax and semantics of data across a security boundary, that data can't be encrypted. So, the data has to be decrypted before any content inspection.
Cloud providers may deploy data diodes to enhance the protection of the management plane of their ZTA data centres. Typically, an independent infrastructure is established to control and manage the server racks, network configurations, storage solutions etc., and any vulnerability must be handled efficiently due to the large value of the data centre and its customers. Oakdoor™ Data Diodes and the Oakdoor™ Management Gateway were developed to protect this kind of infrastructure. With the ever-developing attack scenarios, all data centres should deploy the best protection available for the management plane.
It is faster, cheaper and as secure. The best black surface an optical diode could use would achieve 35 dB attenuation, whereas the electrical diode operates with 100 dB attenuation.
The Oakdoor™ Data Diodes are based on simple electronic circuits that enforce a one-way signal flow. They also contain “hardsec” non-hackable programmable hardware devices that implement security enforcing functions in addition to the one-way transfer.
Firewalls and data diodes differ in the fact that firewalls are based on CPUs and software, which can be hacked. A data diode’s core functionalities are based on the physical and electrical properties of hardware and cannot be hacked by software.
The Oakdoor Document Gateway can verify file types including PDF, Microsoft Office (Word, Excel, PowerPoint), and images (JPG, PNG, GIF). Unrecognised file types are wrapped so that they can be safely handled and quarantined.
The range of file types handled is constantly growing. Any structured data format can be supported by our implementation of the NCSC Safely Importing Data design pattern. Please contact us to discuss your requirements.
The Oakdoor data diode hardware platform is approved by the UK NCSC's CAPS programme, covering the design, implementation, manufacturing and handling of the diode hardware.
Assessment of the additional security enforcing functions implemented in FPGA firmware is ongoing.
Please complete the contact form to get in touch with our support team to discuss any installation, technical and applications related questions.