The Data Diode technical model to achieve a one way network connection is relatively simple. However when you start to consider trust and assurance, it gets more complex.
There are many articles that talk about the data diode technical model. In short, a sending computer and a receiving computer both have fibre optic network cards. The fibre connection is wired such that a signal can only pass from sender to receiver. There is no fibre connection from receiver to sender, so data cannot flow back.
Depending upon the application the sending / receiving computers may be proxy servers. In the examples below I assume proxy servers are in use to keep the diagrams simple.
There are two implementation models in the market today.
In the first, the fibre cards are linked by a fibre cable – the fibre cards are physically wired so that the connections only exist from the sender side to the receiver, as in the $1612 Diode.
Aside: this approach is very dependent upon the exact specification of the fibre card; some cards get upset and cease to function when they do not see a data flow in both directions.
The second model is where a physical box, called a data diode is installed between the sender and receiver.
What’s the difference? Why buy a physical data diode, when a bit of cable linking fibre cards will do?
Good security practice says you start by understanding the threats to the system, then look at how you mitigate those threats. When looking at the technology element of a security solution, this often comes down to what you trust, and what assurance you have over that trust.
In both models, the first assumption has to be that one of the proxies is on the “bad” side and is not trustworthy (it could be the sender or receiver, depending on whether you are importing or exporting data). This untrusted proxy could have been taken over by the attacker. The adversary then has control of your application, operating system and fibre network card. Perhaps there is a vulnerability on the network card that enables the send/receive ports to be switched? In such a theoretical scenario, the attacker could conceivably reverse the data flow direction, or perhaps more likely find a low-bandwidth back channel.
This may seem a far-fetched and unlikely scenario – but with sophisticated, well-motivated attackers, can you be sure it is not possible? You are placing trust in commodity network cards, dare I say it possibly from China. How do you know these have not been engineered to enable such a switch to occur? How can you be confident the sending fibre card is only transmitting on the interface connected to the cable, and has no way of providing feedback?
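One thing a practitioner can at least do on a cable-based diode is cross-check the one-way property against the kernel's own interface counters: the send-side card should never receive a frame, and the receive-side card should never transmit one. The script below is an added example, not code from the original post or from any diode vendor; the interface names fib_tx and fib_rx are assumed, and the sysfs root is a parameter so the check can be exercised against a constructed tree. Because the counters are reported by the host's operating system, this only adds assurance while that host is trusted, which is precisely the point made above.

```shell
#!/bin/sh
# Added example: cross-check a DIY fibre diode's direction using the kernel's
# per-interface statistics under /sys/class/net. The counters are reported by
# the host OS, so a compromised host could lie; this is a detection aid on the
# trusted side, not a substitute for physical-layer separation.

# counter IFACE NAME [SYSROOT]: print the value of statistics/NAME for IFACE.
# SYSROOT defaults to the live sysfs tree; tests pass a constructed directory.
counter() {
    cat "${3:-/sys/class/net}/$1/statistics/$2"
}

# diode_check SEND_IFACE RECV_IFACE [SYSROOT]
# Returns 0 when neither counter shows traffic against the expected direction,
# 1 when either does (details on stderr), 2 when a counter could not be read.
diode_check() {
    send_rx="$(counter "$1" rx_packets "$3")" || return 2
    recv_tx="$(counter "$2" tx_packets "$3")" || return 2
    status=0
    if [ "$send_rx" -ne 0 ]; then
        echo "ALERT: $1 (send side) has received $send_rx frames" >&2
        status=1
    fi
    if [ "$recv_tx" -ne 0 ]; then
        echo "ALERT: $2 (receive side) has transmitted $recv_tx frames" >&2
        status=1
    fi
    [ "$status" -eq 0 ] && echo "OK: $1 -> $2 counters consistent with one-way flow"
    return "$status"
}
```

Run it from cron on each proxy (for example `diode_check fib_tx fib_rx`) and treat any non-zero exit as an incident to investigate, remembering that a clean result from a host you no longer trust proves nothing.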
With the physical box model of a data diode, you do not need to trust the proxy servers (or operating system or fibre card) to protect the integrity of the one-way function. The physical box provides physical-layer separation between the networks, using clever electronics; there is no need to be concerned with the integrity of other items on the link (the cables, fibre cards etc).
There is no software for the attacker to influence, hence you have a high level of trust that data can only flow one way. In products such as the Nexor Data Diode, this is backed up by third-party validation, using formal methods, under the Common Criteria evaluation scheme. In addition, the Common Criteria process means the supplier has to know the full supply chain of each of the security enforcing components, to make sure there is no horse meat.
DIY Data Diode for $1612
Is it viable to build a Data Diode for $1612?
This is a great sequence of blogs putting forward the benefits of Diodes, from Austin Scott of Synergist SCADA Inc, ending with the proposition and recipe of how you can build your own for $1612.
I had drafted a comment / reply to be added to their blog, but then recognised their blog does not allow comments.
Here is the response I drafted:
This is a great sequence of blogs putting forward the benefits of Diodes.
I also like the DIY data diode story, which may work well in some test lab environments. But are you really proposing such a solution for a production control systems environment?
Most customers I talk to want a reliable solution that they can install and forget about. Once you start custom building something, and to quote the blog “you will need to write some scripts in your database”, does that give you a supported & sustainable solution in the long term?
Also, a lot of the control systems environments I come across are in regulated environments. How will a system accreditor react to such a system?
I don’t disagree you could build such a thing, I just wonder how viable it is in a production environment.
Finally, why use two computers at $600 each – you could probably use a Raspberry Pi at $25 and hand solder a few modifications to add the PCI card.
Darren Rodgers, a colleague from Nexor who spends a lot of time working with customers on their diode solutions, also observed:
I suppose do you buy an Audi that is widely recognised, good build quality and has excellent support and reliability OR buy a kit car which may appear cheap to start off with but you’re on your own and it may cost you more in the long run and break down regularly!
Which is a perfect summary to end on (apart from the choice of an Audi).
So, is a physical box diode model better than a fibre card / cable-based solution? In my view, it all depends upon what you are prepared to trust. But hang on, why are we using a diode in the first place – because we don’t trust firewalls to do the job? So once committed to a diode solution, why compromise on trust at that point?