Data Diode - Presentation

Uploaded by

Veeralakshmi

DATA DIODE

Data diode models


What is a Data Diode?
• Powerful (unhackable) tool to segment and protect sensitive networks, devices, and systems.
• Physical communication device that enables hardware-enforced, one-way-only data transfer.

Cable Assembly
• A one-way cable assembly, typically derived from a two-way cable that is rendered one-way by disconnecting or clipping the return line, with no supporting proxy servers.

Firewall-Enabled Policy
• Firewalls communicate directly through Ethernet cables. The source traffic is typically filtered and/or inspected before being passed on to the destination. Destination-to-source traffic is disabled by software policy rather than by a physical restriction.

Unidirectional Gateway
• Unidirectional gateways are purpose-built hardware devices designed to enforce strict one-way data transfer policies between networks of different security levels. The hardware components work together to ensure secure, reliable, and controlled data transmission while maintaining security and integrity.

Intelligent Data Diode


• A one-way fiber optic cable between two electric diodes in a single enclosure. Proxies are built-in and designed to handle
all communication with the source and destination networks, including conversion of two-way protocols to one-way protocol
(and one-way back to two-way). This purpose-built architecture allows it to achieve reliable, consistent transfers.
Comparison among the models:

Simplicity:
• One-Way Cable Assembly: Simplest to set up and use, involving physical disconnection or clipping of cables.
• Unidirectional Gateway: Requires configuration of hardware or software to enforce one-way data transfer between networks.
• Firewall Policy-Enabled Data Diode: Moderately complex due to configuration of firewall rules, access controls, and policies.
• Intelligent Data Diode: May require more setup and configuration due to advanced security features and functionality.

Functionality:
• One-Way Cable Assembly: Provides basic unidirectional data transfer without additional features or controls.
• Unidirectional Gateway: Offers advanced features such as logging, auditing, monitoring, and access controls.
• Firewall Policy-Enabled Data Diode: Provides advanced functionality including firewall rules, access controls, logging, auditing,
and intrusion detection.
• Intelligent Data Diode: Offers the most comprehensive set of features including hardware-enforced security, logging, auditing,
tamper detection, and strict access controls.
Brief on Owl Data Diode
• "Intelligent data diode": this purpose-built, hardware-enforced, one-way transfer system builds the one-way security policy of a diode into every facet of the device. Intelligent data diodes include two electrically isolated diodes (one for sending, one for receiving) which maintain physical separation of the source and destination networks.
• By integrating a protocol proxy and an ATM network within a data diode architecture, organizations can achieve secure and controlled unidirectional data transfer between networks.
• The send-side diode is inherently incapable of receiving data from the receive-side diode.
• The receive-side diode is likewise incapable of sending data back to the send side, ensuring secure one-way-only data transfer.
• The purpose-built ATM-based protocol provides a far more reliable means to transfer data one-way across the data diode.
• Intelligent data diodes utilize a one-way protocol based on Asynchronous Transfer Mode (ATM).

How are transmission and reception assured in the above data diode design?
• On the send side, each ATM packet is given a sequenced identifying header that carries a hash computed with a unique hashing sequence. After transfer, the receive side reconstructs the payload into the corresponding protocol; because the expected hash was sent in the header, the receiver recomputes the hash with the same algorithm and compares it with the expected value. A match assures that the data was transmitted intact.
1. The intelligent data diode has separate network interfaces for data transfer and for network administration, as mentioned in the OPDS-100 data sheet.
2. The Fibersystem data diode has separate network interfaces for the sender and receiver nodes.
• In this setup, the data diode ensures that data can flow only in one direction, from the send side to the receive side. The proxies facilitate the communication process by managing the data flow before and after the data diode. The acknowledgment from the send-side proxy to the source client occurs before the data enters the data diode, so the sender network is informed of successful packet receipt by the proxy before transmission through the one-way transfer mechanism of the data diode.

• A TCP client program is installed on the source from which data is to be sent. It starts the session with the proxy server that sits beside the transmit-side data diode; the proxy acknowledges the source, receives the data, and starts converting it into ATM cells inside the built-in proxy.

• The physical device driver then takes control and transmits the ATM cells across the data diode to the client proxy on the receive side, which decapsulates the ATM cells back into the original protocol, starts a session with the destination where the server program is installed, and waits for its acknowledgment. Once the server acknowledges, the client proxy starts sending the packets through the server program to the destination.
OPDS-100 Owl data diode
• On the software side, ATM (Asynchronous Transfer Mode) carries data of any protocol format as an ATM header plus an ATM payload. The cells are transmitted with encoded header and payload, and at the receiver the extracted ATM payloads are decoded back to the original protocol using the details given in the ATM header. In Asynchronous Transfer Mode, each transmitted cell is 53 bytes, consisting of a 5-byte header and 48 bytes of data.
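As an added illustration (not from the presentation and not Owl's own code), the following Python models the cell segmentation and hash-in-header check described above: a constructed 5-byte header (2-byte sequence number, 1-byte flags/pad length, truncated SHA-256 over the cell) in front of a 48-byte payload, with the receive side recomputing the digest, reassembling in order and listing the sequence numbers that arrived damaged or not at all. The header layout, digest choice and padding scheme are assumptions, not the OPDS-100 format.

```python
import hashlib
import struct

HEADER_SIZE, PAYLOAD_SIZE = 5, 48        # real ATM cell geometry: 53 bytes per cell
CELL_SIZE = HEADER_SIZE + PAYLOAD_SIZE
LAST_FLAG = 0x80                         # constructed header flag: final cell of a message


def _digest(seq: int, flags: int, payload: bytes) -> bytes:
    # Constructed integrity field: SHA-256 over seq || flags || payload, truncated to
    # 2 bytes so it fits the 5-byte header (real ATM carries an 8-bit header CRC and
    # Owl's layout is proprietary). Send side stamps it, receive side recomputes it.
    return hashlib.sha256(struct.pack(">HB", seq, flags) + payload).digest()[:2]


def encapsulate(data: bytes) -> list[bytes]:
    """Send-side proxy: segment a protocol payload into sequenced 53-byte cells.
    Header (constructed): 2-byte seq, 1-byte flags/pad length, 2-byte digest."""
    chunks = [data[i:i + PAYLOAD_SIZE] for i in range(0, len(data), PAYLOAD_SIZE)] or [b""]
    cells = []
    for seq, chunk in enumerate(chunks):
        pad = PAYLOAD_SIZE - len(chunk)                      # 0..48 fits in the low 6 bits
        flags = pad | (LAST_FLAG if seq == len(chunks) - 1 else 0)
        payload = chunk + b"\x00" * pad
        cells.append(struct.pack(">HB", seq, flags) + _digest(seq, flags, payload) + payload)
    return cells


def decapsulate(cells: list[bytes]) -> tuple[bytes, list[int]]:
    """Receive-side proxy: verify every cell, reassemble the good payloads in order and
    return the sequence numbers that were lost or corrupted. That list is what would go
    over the out-of-band feedback channel; it can never travel back through the diode."""
    out, bad, expected = bytearray(), [], 0
    for cell in cells:
        seq, flags = struct.unpack(">HB", cell[:3]) if len(cell) >= 3 else (expected, 0)
        payload = cell[HEADER_SIZE:]
        if len(cell) != CELL_SIZE or cell[3:5] != _digest(seq, flags, payload):
            bad.append(expected)          # damaged cell: header untrustworthy, report by position
            expected += 1
            continue
        if seq > expected:                # gap: cells dropped inside the one-way path
            bad.extend(range(expected, seq))
        elif seq < expected:              # duplicate or reordered cell: discard
            continue
        out += payload[:PAYLOAD_SIZE - (flags & 0x3F)]   # strip the padding recorded in flags
        expected = seq + 1
    return bytes(out), bad
```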
Transmission
Protocol proxy functionality
• The protocol proxy, situated on the source-network side of the data diode, receives data from local applications, translates it into a format compatible with the ATM network, and prepares it for transmission.

Packet Encapsulation
• The protocol proxy encapsulates the translated packets into the appropriate ATM format for transmission over the ATM
network. This may involve adding ATM headers and adapting the packet format to comply with ATM specifications.

ATM Transmission
• The encapsulated packets are then transmitted over the ATM network using ATM switches and routers. ATM is a high-
speed, connection-oriented networking technology that supports the efficient transmission of data.

Router (blind to transfer): a routing table is also used to route the data packets to the destination.
Reception
The received ATM cells are processed by the data diode to enforce unidirectional data flow. The data diode inspects and forwards
the cells to the destination network without allowing any data to flow back to the source network.

ATM reception
• The data diode strips off the ATM headers from the received cells, revealing the encapsulated data. This process involves
extracting the payload from the ATM cells while discarding any ATM-specific information added during transmission.
Protocol proxy
• Once the encapsulated data reaches the destination, it is passed to the protocol proxy, which performs the reverse of the transmission phase. The proxy translates the data back into its original protocol format, suitable for consumption by local applications.

• The translated data is then received by the appropriate network devices or applications on the destination network.

Router (blind receive and accept): a routing table is also used on the destination side.
Resend Mechanism:
• Error detection mechanisms:
  • Implement error detection such as checksums or CRC (Cyclic Redundancy Check) on the transmitted data packets.
  • If the receiver detects errors in the received packets, it can trigger an error condition or flag the packet as corrupted.
  • The absence of error flags within the timeout period can be interpreted as implicit acknowledgment of successful reception.
  • The error flags can be sent as signals, or as retransmission requests using a Selective Retransmission Protocol (SRP).
  • SRP messages include packet identifiers, sequence numbers, and other metadata to identify the packets requiring retransmission.
• Feedback channel:
  • Although bidirectional communication is not possible through a unidirectional data diode, an out-of-band feedback channel can be established for error reporting.
  • The receiving end can use this feedback channel to report errors or signal successful reception of data packets.
  • The sender can use the absence of error reports within the timeout period as implicit acknowledgment.
  • This could involve dedicated hardware interfaces, secondary network connections, or specialized protocols embedded within the data diode system.
• In summary, in a unidirectional data diode system, acknowledgment is emulated through implicit means such as the absence of errors or feedback within a timeout period. The sender assumes successful reception if no indication of packet loss or corruption is received within the expected timeframe, and retransmits if necessary.
Out-of-band channel creation:
• Physical separation:
  • Use physically separate communication channels or networks for the primary data transmission and the feedback channel.
  • For example, if the primary data transmission occurs over a network connection, the feedback channel can use a separate physical network connection or communication medium.
  • In an optical-fiber-based data diode system, separate wavelength channels can be used for primary data transmission and feedback communication.
• Redundant data diode systems:
  • Deploy redundant data diode systems in parallel, where one system handles primary data transmission and the other handles feedback communication.
  • This ensures that the feedback channel operates independently and does not impact the primary data transmission.
Reliable Signaling Protocol (RSP):
• RSP employs techniques such as message acknowledgment, error detection, and retransmission mechanisms to guarantee message delivery.
• RSP messages are exchanged over a secondary communication channel or dedicated hardware interface to ensure out-of-band signaling.
Sequential Acknowledgment:
• Implement a sequential acknowledgment mechanism in which the receiver acknowledges receipt of specific packets in a predetermined sequence.
• If the transmitter does not receive acknowledgment for a particular packet within a specified timeframe, it interprets this as an error and retransmits the corresponding packet.
• Acknowledgments are sent over the out-of-band or feedback channel discussed earlier.
ATM Configuration:
• Configure ATM switches or routers to route data packets from the original sender to the receiver, and feedback signals from the receiver to the feedback proxy.
• Use ATM's virtual circuit (VC) technology to establish separate virtual circuits for data transmission and feedback communication.
• Assign appropriate Quality of Service (QoS) parameters to prioritize data transmission while ensuring timely delivery of feedback signals.
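The implicit-acknowledgment and selective-retransmission flow described in the Resend Mechanism, Feedback channel and Sequential Acknowledgment sections, as an added Python example that is not part of the original slides and not Owl's or any vendor's protocol: the send-side proxy keeps in-flight cells, resends only those flagged in an out-of-band error report, and treats silence for one timeout as acknowledgment. The timeout value, the report format and the loss simulation are constructed for the example.

```python
from dataclasses import dataclass, field

TIMEOUT = 1.0   # constructed: seconds with no error report => implicit acknowledgment

@dataclass
class OneWaySender:
    """Send-side proxy: keeps a copy of each in-flight cell until it is implicitly acknowledged."""
    inflight: dict = field(default_factory=dict)   # seq -> (payload, time of last send)
    delivered: list = field(default_factory=list)
    retransmits: int = 0

    def send(self, seq, payload, now, path):
        self.inflight[seq] = (payload, now)
        path(seq, payload)                         # into the one-way data path

    def on_feedback(self, nacks, now, path):
        # Error report from the out-of-band channel: resend only the flagged cells (SRP style)
        for seq in nacks:
            if seq in self.inflight:
                self.retransmits += 1
                self.send(seq, self.inflight[seq][0], now, path)

    def tick(self, now):
        # No error report within TIMEOUT is the implicit acknowledgment. Caveat: if the
        # feedback channel itself fails, loss goes unnoticed, so its health must be monitored.
        for seq, (_, sent_at) in list(self.inflight.items()):
            if now - sent_at >= TIMEOUT:
                self.delivered.append(seq)
                del self.inflight[seq]

def missing(received, highest):
    """Receive-side sequential check; the gaps are the error report for the out-of-band channel."""
    return [s for s in range(highest + 1) if s not in received]

def simulate(payloads, drop_once):
    """Constructed scenario: send at t=0, lose `drop_once` once in the diode, feedback at t=0.5, then time out."""
    sender, received, pending = OneWaySender(), {}, set(drop_once)

    def path(seq, payload):                        # the diode: one way, lossy on first pass
        if seq in pending:
            pending.discard(seq)
        else:
            received[seq] = payload

    for seq, p in enumerate(payloads):
        sender.send(seq, p, 0.0, path)
    sender.on_feedback(missing(received, len(payloads) - 1), 0.5, path)
    for now in (0.5, 1.0, 1.5):
        sender.tick(now)
    return sender, received
```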
Owl data diode products:
• OPDS-1000
1000 base-T copper
Supported Protocols :
Natively supports UDP, TCP/IP, SNMP, SMTP, NTP, SFTP and FTP transfers (separately or simultaneously)

• ReCon 2U
1000 base-T copper
The ReCon 2U solution was designed to combine the same proven security benefits of a one-way, hardware-enforced data diode
cybersecurity solution with the ability to provide secure round trip, bidirectional communication.
Supported Protocols :
FTPS, TCP/IP, DNP3, Ethernet/IP, IEC-104, ICCP, MS SQL Database Replication

• XD Verge - FPGA-based one-way transfer
Invulnerable to CPU-based attacks
Supported Protocols :
UDP Unicast, ARP (Source Side)
• EPDS
Supported Protocols :
Natively supports UDP, TCP/IP, SNMP, SMTP, NTP, SFTP and FTP transfers (separately or simultaneously)

• Owl PaciT
standard capacity (1 Gbps), mid capacity (5 Gbps), and high capacity (10 Mbps)

• XD Matrix
Supported Protocols :
Natively supports UDP, TCP

Fibersystem Data diode products:
• Data Diode Middleware (DDMW)
DDMW is software for data diodes.
• Data Diode Rugged 1Gbit
• Data Diode Rugged 100Mbit
Advenica products:
• SecuriCDS DD1000i
1000Base-T
Protocols supported:
UDP, TCP, HTTP(S), NTP; File transfer: FTP, SFTP, SMB, NFS; Logging: Syslog; Email: SMTP

• SecuriCDS DD1000A
1000Base-T
Protocols supported:
UDP, RTP, Syslog
Thank you
