Using Data Diodes for One-Way Information Transfer and Preventing Data Leaks
Learn about Data Diodes for one-way data transfer and robust security against leaks by reading this article.
Every organization that processes information eventually faces the problem of storing confidential data securely and preventing its leakage. How much weight a company gives this depends on the damage a breach could cause: the greater the potential loss, the more rigorous the protective measures should be. Those measures range from internal policies and Data Loss Prevention (DLP) systems to a Zero Trust architecture or an air gap, which physically isolates critical network segments from external access.
Isolating secure networks so that they exchange no data with other segments matters most for industrial infrastructure and its process control systems (DCS, PLC, SCADA), for state-owned companies handling regulated data, and for commercial entities working on innovative projects. An air gap is not foolproof, however, mainly because even a fully isolated infrastructure must occasionally interact with the outside world: controller firmware needs updates, confidential commercial or government datasets have to be refreshed, and the results of product design work eventually have to be shown to the public.
One way to handle this is to carry data on physical media such as USB drives, memory cards, or hard disks. That approach has its own serious problems, the most notable being that nothing guarantees information will not travel in the reverse direction: a flash drive used to deliver data into an isolated segment can just as easily carry confidential data out, and it can carry malware in. The inefficiency and the uncontrolled two-way nature of removable media are serious concerns.
For many years there has been a more elegant and technically sound solution for one-way information transfer: the data diode. It is designed to carry raw packets in a single direction only. What sets data diodes apart from other unidirectional transfer methods is that they are physically incapable of transmitting data in both directions, rather than merely configured not to. Data diodes have limitations, but in several key respects they offer significant advantages over the alternatives.
Data Diodes – Functionality and Implementation Options
Hardware Diode
Data diodes can be standalone network devices or part of a combined hardware and software system that provides one-way data transfer. A hardware diode is essentially a bidirectional link with either the transmitting or the receiving component removed. Most are built on fiber optics: only one of the two fibers is present, and the side that must never talk back has no transmitter (or the side that must never listen has no receiver), so there is no physical medium over which a return signal could travel. RS-232 based devices also exist but are rare, and a notable drawback of that standard is its hardware flow-control lines (RTS/CTS, DTR/DSR), which could carry signals back toward the source network unless they are cut as well.
The basic design of a data diode has an interface for the transmitting network, an interface for the receiving network, and a power connector. Manufacturers sometimes add features such as indicators showing packet transmission or the ability to restrict the device to a list of approved IP addresses.
Unidirectional Gateway
A hardware data diode on its own carries streaming, unprocessed data in one direction, such as video camera feeds, whose protocols (RTP over UDP, for example) tolerate loss and never expect a reply. It becomes a problem for the most common file transfer protocols, such as FTP, HTTP, and SMB, which run over TCP and therefore require two-way communication: the connection handshake, the acknowledgements that confirm packet delivery, and other exchanges all need a return path that the diode does not have.
To move files with these protocols, hardware and software have to be combined: the diode is paired with proxy servers that terminate the protocol on the sending side, convert the session into one-way datagrams, and re-create the TCP, SMB or similar session on the receiving side. This arrangement, known as a unidirectional gateway, has a proxy on each side of the diode and offers more than the hardware alone. Since the sender can never receive an acknowledgement, the proxies compensate for loss with redundancy (sending each block more than once) or forward error correction, and the receiving proxy verifies integrity with checksums before delivering anything. Beyond the transfer itself, the gateway is where monitoring, filtering, antivirus scanning, and other security controls can be applied to the traffic.
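The send-side and receive-side proxy pair described above, as an added example written for this article (not the code of any vendor's product). The datagram format, the simulated lossy channel, and the sender address 10.0.0.5 are all assumptions made for the illustration; the point is that the sender can only add redundancy and a digest, while every check (source allow-list, de-duplication, gap detection, integrity) has to live on the receiving side.

```python
"""Simulated unidirectional gateway: send-side proxy -> one-way channel
(no acknowledgements can ever come back) -> receive-side proxy.
Example code for this article; the wire format is invented for it."""
import hashlib
import struct
from dataclasses import dataclass, field
from typing import Optional

MAGIC = b"DIOD"
# magic(4) | transfer id(8) | chunk seq(4) | chunk count(4) | SHA-256 of file(32) | name length(2)
HEADER = struct.Struct("!4s8sII32sH")


def transfer_id(name: str, data: bytes) -> bytes:
    """Stable 8-byte id so the receiver can group chunks belonging to one file."""
    return hashlib.sha256(name.encode() + hashlib.sha256(data).digest()).digest()[:8]


def build_datagrams(name: str, data: bytes, chunk_size: int = 1024, repeats: int = 3) -> list:
    """Send-side proxy. No ACK can cross the diode, so the only defence against
    loss is redundancy: the whole file is sent `repeats` times as full passes, so
    that one burst of loss does not wipe out every copy of the same chunk."""
    digest = hashlib.sha256(data).digest()
    tid = transfer_id(name, data)
    name_b = name.encode("utf-8")
    chunks = [data[i:i + chunk_size] for i in range(0, len(data), chunk_size)] or [b""]
    out = []
    for _ in range(repeats):
        for seq, chunk in enumerate(chunks):
            out.append(HEADER.pack(MAGIC, tid, seq, len(chunks), digest, len(name_b)) + name_b + chunk)
    return out


def one_way_channel(datagrams, drop_every=0, dup_every=0, reorder_window=1):
    """Deterministic model of the link through the diode: some datagrams are lost,
    some duplicated, order is shuffled inside a window. The sender learns none of it."""
    delivered = []
    for i, d in enumerate(datagrams):
        if drop_every and i % drop_every == 0:
            continue
        delivered.append(d)
        if dup_every and i % dup_every == 0:
            delivered.append(d)
    out = []
    for i in range(0, len(delivered), reorder_window):
        out.extend(reversed(delivered[i:i + reorder_window]))
    return out


@dataclass
class _Transfer:
    total: int
    digest: bytes
    name: str
    chunks: dict = field(default_factory=dict)


class ReceiveProxy:
    """Receive-side proxy: where allow-listing and content checks live, because
    the diode itself inspects nothing."""

    def __init__(self, allowed_sources):
        self.allowed = set(allowed_sources)
        self.pending = {}    # transfer id -> _Transfer still being reassembled
        self.done = set()    # transfer ids already released; later passes are ignored
        self.completed = {}  # file name -> bytes
        self.rejected = 0

    def ingest(self, src: str, datagram: bytes) -> Optional[tuple]:
        if src not in self.allowed or len(datagram) < HEADER.size:
            self.rejected += 1
            return None
        magic, tid, seq, total, digest, name_len = HEADER.unpack_from(datagram)
        if magic != MAGIC or total == 0 or seq >= total:
            self.rejected += 1
            return None
        if tid in self.done:
            return None  # redundant pass of a file already released
        body = datagram[HEADER.size:]
        name = body[:name_len].decode("utf-8", errors="replace")
        t = self.pending.setdefault(tid, _Transfer(total, digest, name))
        if seq in t.chunks:
            return None  # duplicate datagram (channel dup or redundant pass)
        t.chunks[seq] = body[name_len:]
        if len(t.chunks) < t.total:
            return None
        data = b"".join(t.chunks[i] for i in range(t.total))
        del self.pending[tid]
        if hashlib.sha256(data).digest() != t.digest:
            self.rejected += 1  # corrupted or tampered; a later pass may rebuild it
            return None
        self.done.add(tid)
        self.completed[t.name] = data
        return t.name, data

    def missing(self, tid: bytes) -> list:
        """Gap report for an incomplete transfer; this is the only loss signal the
        secure side ever gets, and it cannot be sent back to the sender."""
        t = self.pending.get(tid)
        return [] if t is None else [i for i in range(t.total) if i not in t.chunks]


def demo():
    """Push a constructed file through drop/dup/reorder; return what was released."""
    data = bytes(range(256)) * 40  # 10240 constructed bytes -> 10 chunks
    wire = one_way_channel(build_datagrams("tags.csv", data), drop_every=3, dup_every=5, reorder_window=4)
    rx = ReceiveProxy({"10.0.0.5"})  # 10.0.0.5: assumed address of the send-side proxy
    released = [r for r in (rx.ingest("10.0.0.5", d) for d in wire) if r]
    return released, rx.rejected


if __name__ == "__main__":
    files, rejected = demo()
    for name, content in files:
        print(f"released {name}: {len(content)} bytes; rejected datagrams: {rejected}")
```

With one datagram in three dropped, the three-pass redundancy still delivers every chunk at least twice, and the receiver releases the file exactly once. A real gateway would replace the in-memory channel with UDP sockets on either side of the diode and would hand `data` to an antivirus or format validator before writing it anywhere.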
Software Data Diodes
A significant limitation of hardware data diodes and unidirectional gateways is their relatively modest throughput. Manufacturers often rate entry-level devices at up to 100 Mbit/s, and in some deployments that becomes a bottleneck in the secure network infrastructure.
Software data diodes are offered as an answer to this. These network devices rely on the logic of their firmware rather than on a hardware constraint to enforce one-way transfer, which allows a much higher throughput over the unidirectional channel. They are generally built on a secure operating system's microkernel, which separates the two networks logically without a return channel. Such systems can reach throughput of up to 10 Gbps, support standard transport protocols, and offer higher-level features such as HTTP status code support. The trade-off is that the one-way property is now a property of software: a bug or misconfiguration in the separation logic, or a covert channel through shared state, is at least theoretically a path for information to leak back toward the sender, which a hardware diode rules out by construction.
Application Scenarios for Data Diodes and Unidirectional Gateways
Data diodes are commonly used to move data from a less secure (low) network into a more secure (high) one. Because nothing can flow out of the high network through the diode, the sensitive data stored there cannot leak over that link. Typical tasks in this direction are receiving security updates, replicating databases, and broadcasting external video or audio feeds into the secure segment.
It is important to understand, however, that a data diode does not protect a high-security network from cyberattacks carried in the permitted direction. Its job is to stop data from leaving. An inbound packet carrying a malicious payload reaches the intended high-security system just like any other packet. So, exactly as with a two-way connection, traffic passing through the diode must be inspected and sanitized; in practice that means the receiving-side proxy of a unidirectional gateway does the filtering, antivirus scanning, and format validation.
Data can also move in the other direction, from a secure network out to a less secure one. This is typically about extracting a limited set of data from a closed system while making it impossible to control that system from outside. A typical example is exporting parameters from DCS, PLC, and SCADA equipment, such as logic controllers, sensors, and other monitoring tools, to a data server on the business side.
There is also a hybrid arrangement with two independent one-way channels: one carries information into the secure system, the other carries information out. This supports a fuller exchange, such as email, updates, and logs, and greatly lowers the risk of attacks that depend on a response, because the two channels are not coupled: nothing received on the outbound channel can steer what is sent on the inbound one. An attacker would have to breach both channels, overcoming each one's security measures, and even then would not obtain an interactive session. The caveat is that if the proxies are built to pair requests on one channel with responses on the other, the deployment has rebuilt a bidirectional link and forfeited most of the diode's guarantee.
Data diodes also bolster Industrial Control System (ICS) protection by strictly controlling traffic at sensitive points, for example at a data server in a demilitarized zone (DMZ). Firewall rules usually let such intermediary servers pass traffic into the industrial network; placing a data diode between the ICS segment and the data server instead ensures that critical devices can send status information to the server while no return traffic enters the secure network.
Placing a second diode between the data server and the corporate network preserves the integrity of the replicated data: corporate users can read it, but nothing they do can reach the DMZ server or the ICS segment behind it. In both cases the transmitting side of the diode sits on the more critical network and the receiving side on the less critical one, so the ICS network is protected from threats originating in the corporate network or in the intermediate storage, while the data it publishes remains intact and available.
Conclusion
To wrap up, here are the main benefits and drawbacks of data diodes and unidirectional gateways. The standout feature of most data diodes is a design that physically prevents two-way transmission. This sets them apart from firewalls: a firewall's rules are software and can be misconfigured or bypassed, whereas a hardware diode has no return path to open, so even a full compromise of the receiving side cannot exfiltrate data back across it. That makes hardware diodes extremely reliable for keeping sensitive information confidential. The proxies and the systems on either side are still ordinary software, and they remain attack surface in the permitted direction.
These advantages come with certain limitations:
- Hardware data diodes do not support ordinary transport protocols on their own, so proxy servers are needed to adapt and convert the data for transfer.
- For the same reason, routing and parsing traffic directly on the diode is usually impossible.
- These restrictions, combined with fairly basic functionality, can make data diodes a costly option.
- Some hardware devices also have limited bandwidth.
In short, data diodes have established themselves as effective tools for tangible, robust protection of sensitive data. They excel at preventing leaks and, combined with the inspection a unidirectional gateway provides, at ensuring that only verified traffic reaches secure network segments. They are particularly valuable where reliability is paramount: handling state or commercial secrets, running production networks, and the military-industrial sector.