The Data Diode technical model to achieve a one way network connection is relatively simple. However when you start to consider trust and assurance, it gets more complex.
There are many articles that talk about the data diode technical model. In short, a sending computer and a receiving computer both have fibre optic network cards. The fibre connection is wired such that a signal can only pass from sender to receiver. There is no fibre connection from receiver to sender, thus data cannot flow back.
Depending upon the application the sending / receiving computers may be proxy servers. In the examples below I assume proxy servers are in use to keep the diagrams simple.
There are two implementation models in the market today.
In the first, the fibre cards are linked by a fibre cable – the fibre cards are physically wired so that the connections only exist from the sender side to the receiver, as in the $1612 Diode.
Aside: this approach is very dependent upon the exact specification on the fibre card, some cards get upset and cease to function when they do not see a data flow in both directions.
The second model is where a physical box, called a data diode is installed between the sender and receiver.
What’s the difference? Why buy a physical data diode, when a bit of cable linking fibre cards will do?
Good security practice says you start by understanding the threats to the system, then look at how you mitigate the threats. When looking at the technology element of a security solution, this often maps down to what do you trust, and what assurance do you have over that trust.
In both models, the first assumption has to be one of the proxies is on the “bad” side and is not trustworthy (it could be the sender or receiver depending on whether you are importing or exporting data). This untrusted proxy could have been taken over by the attacker. The adversary the has control of your application, operating systems and fibre network card. Perhaps there is a vulnerability on the network card, that enables the send/receive ports to be switched? In such a scenario theory, the attacker could conceivably reverse the data flow direction, or perhaps more likely find a low-bandwidth back channel.
This may seem a farfetched and unlikely scenario – but with sophisticated, well motivated attackers, can you be sure it is not possible? You are placing trust in commodity network cards, dare I say it possibly from China. How do you know these have not been engineered to enable such a switch to occur? How can you be confident the sending fibre card is only transmitting on the interface connected to the cable, and has no way of providing feedback?
With the physical box model of a data diode, you do not have to have any trust in the proxy servers (or Operating System or Fibre Card) to protect the integrity of the one-way function. The physical box is providing physical layer separation between the networks, using clever electronics; there is no need to be concerned with the integrity of other items on the link (the cables, fibre cards etc). There is no software for the attacker to influence, hence you have a high level of trust that data can only flow one way. In products such as the Nexor Data Diode, this is backed up by 3rd party validation, using formal methods, under the Common Criteria evaluation scheme. In addition the Common Criteria process means the supplier has to know the full supply chain of each of the security enforcing components, to make sure there is no horse meat.
So, is a physical box diode model better than a fibre card / cable based solution? In my view, it all depends upon what you are prepared to trust. But hang on, why are we using Diode in the first place – because we don’t trust firewalls to do the job? So once committed to a diode solution, why compromise on trust at that point?
Do you agree? Please leave your comments below.