Diode Applications: Secure Windows Updates

27 Aug

In this blog series, I have been exploring applications for Data Diodes.  This week, I look at the issue of getting Windows Updates into a segregated network — securely.

It is widely reported that 80% or more of all security attacks can be prevented by implementing basic security hygiene. The majority of such attacks take advantage of publicly known vulnerabilities in software. Once identified, these vulnerabilities are usually fixed quickly and updates made available by the vendor to their customer base. The updates need to be applied equally quickly: a system left unpatched for more than a few hours may be attacked and infected through the targeted vulnerabilities. Consequently, it is vital to update systems regularly with all available fixes and patches for operating systems, applications and anti-virus software, to mitigate the risk of an attack against a known vulnerability.

The routine method of applying system updates is to use an automated vendor mechanism. For secure networks not connected to the Internet, this approach is not suitable. Update strategies for these unconnected networks often rely on a manual process; the updates are obtained from the Internet, then securely transferred to the segregated network before being applied. This process is typically unreliable, prone to error and costly.

For organisations with secure networks or networks isolated from the Internet, a Data Diode based solution can automate the process. The diode enables the transfer of Windows Updates from the Internet to a Windows Update Server in the secure network, while ensuring there is no route back from the secure network to the Internet.

While I’ve used the example of Windows updates, the concept can be used for most operating system, anti-virus and application update mechanisms.
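The sketch below is an added example, not code from this post or from any diode product. It shows one way to turn an update file into a one-way stream that the secure side can check for loss without sending anything back. The frame layout, the `CHUNK` size and the function names are assumptions made for illustration.

```python
import hashlib
import struct

CHUNK = 1024                  # payload bytes per frame (assumed value)
HDR = struct.Struct("!IIH")   # hypothetical header: seq, total chunks, payload length

def frame_file(data: bytes) -> list[bytes]:
    """Internet side: split a file into numbered frames plus a SHA-256 trailer."""
    chunks = [data[i:i + CHUNK] for i in range(0, len(data), CHUNK)] or [b""]
    total = len(chunks)
    frames = [HDR.pack(seq, total, len(c)) + c for seq, c in enumerate(chunks)]
    digest = hashlib.sha256(data).digest()
    # The trailer uses seq == total so the receiver can tell it from data frames.
    frames.append(HDR.pack(total, total, len(digest)) + digest)
    return frames

def reassemble(frames):
    """Secure side: return (data, None) on success or (None, reason) on failure.

    There is no return path, so nothing can be re-requested: an incomplete or
    damaged file is rejected and must wait for the sender's next scheduled pass.
    """
    chunks, total, digest = {}, None, None
    for f in frames:
        if len(f) < HDR.size:
            continue                        # too short to carry a header
        seq, tot, n = HDR.unpack_from(f)
        payload = f[HDR.size:]
        if len(payload) != n or seq > tot:
            continue                        # malformed frame
        if total is None:
            total = tot
        elif tot != total:
            continue                        # belongs to a different transfer
        if seq == tot:
            digest = payload
        else:
            chunks[seq] = payload           # duplicates and reordering are harmless
    if total is None or digest is None:
        return None, "trailer missing"
    missing = [s for s in range(total) if s not in chunks]
    if missing:
        return None, f"missing frames: {missing}"
    data = b"".join(chunks[s] for s in range(total))
    if hashlib.sha256(data).digest() != digest:
        return None, "digest mismatch"
    return data, None
```

The digest travels over the same channel as the data, so it detects loss and corruption in transit only; it does not authenticate the update.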

Interested in finding out more details about getting operating system updates into your secure network?  Contact me, or leave a comment below.

5 Responses to “Diode Applications: Secure Windows Updates”

  1. Dave Walker September 26, 2013 at 18:10 #

    I admit I don’t know what protocol Windows update uses, but this would certainly work for Solaris 11 updates, which use vanilla http.


    • Colin Robbins September 26, 2013 at 22:37 #

      HTTP is quite hard via a diode, as it is implicitly a two-way communication. The trick is to find a way of serialising the protocol via a proxy, or transforming the problem some way into a file transfer.


      • Jason White March 11, 2017 at 06:45 #

        So how do you propose I can do a file transfer without losses at the highest speed possible on a 1G network? Like, how can I build a proxy server for file transfer which will even send fake acknowledgements for the working of, say, CIFS?


      • Colin Robbins March 14, 2017 at 09:07 #

        Thank you for the comment Jason.

        File transfers at 1G are possible depending upon the Diode product you choose, and the proxy software.
        Fake acknowledgements are typically a feature of the proxy software. It acknowledges the receipt of the file having passed the data to the Diode. Of course it has no way of knowing if the data was received the other side of the diode.


