Using data diodes to air-gap systems
The reasons for having air-gapped systems often fall into the following two categories:
A closed system containing confidential information needs to be fed with information from an open system, while ensuring that no confidential information can leak to the open system.
- Import of Operating System updates.
- Supplying closed systems with time from an external NTP server.
The closed systems contains information that needs to be passed to an open system while ensuring that no modification of information in, or attack on, the closed systems is possible.
- Export of PLC reading in critical infrastructure systems.
- Protection of data sent to log server.
A data diode works by simple physics by sending light in one direction only to carry your data. A light emitter on one side sends light through a fibre to a photoreceiver on the other end. Nature ensures that there is no way for the data to go in the other direction giving an unhackable air-gap bridge between networks. Firewalls, and other software based solutions, will never be as secure. A firewall will always suffer from vulnerabilities and could be configured incorrectly.
How do I build a data diode?
It is possible to build a fully functional data diode using off-the-shelf components. In practice this is not recommended, due to laws and regulations in the sectors where data diodes are required. Frequently, you are limited to selecting a nationally approved data diode. Each country often has its preferred suppliers, due to high assurance requirements on development, production, delivery and lifecycle management.
To understand how a data diode works, we will however build one using off-the-shelf components.
In order to turn this into a data diode, we need to remove one of the fibres and only allow data to go in one direction.
Ok we add a dummy converter on the sending side that only servesw the purpose of sending a carrier signal to Rx on the sending media converter. This can also be achieved by adding a splitter fiber on the sending media converter where the Tx is also routed directly to the Rx input on the same media converter.
Air-gapping is achieved by separating two systems with a data diode, that is network equipment that on the physical level guarantees that data can only flow in one direction. A data diode provides a separation with much higher assurance than other mechanisms, such as firewalls.
link22 Diode Toolkit products and services work with any data diode and the selection of brand and model may be affected by requirements on:
- National approvals.
- Form factor.
- Integration of proxy computers.
A data diode, in isolation, will only offer a limited functionality that is unsuitable for most applications, since it only supports the most basic IP protocoll, UDP, which is a packet based one-way protocol. Most systems will contain services that operate on a higher level, e.g. file or TCP based.
By adding proxy software hosted in either a virtual or physical computer (possibly integrated in the data diode) on each side of the data diode, the more complex protocols can be supported. The proxy on the sending side converts the complex protocol to UDP for transfer over the diode for reconstruction in the receiving proxy.
One-way communication systems are sensitive to link errors, for instance power interrupts, cabling issues and other network problems. To maintain high reliability a diode proxy has to have mechanisms to increase reliability and alert when failures occur. Our diode proxy increases reliability through retransmissions; heartbeat functionality will detect and alert any link errors. The receiving proxy will, in addition, verify the integrity of transferred data ensuring that you can trust that the data has been transferred correctly and without errors. It is also important to limit bandwidth usage over the data diode to prevent package loss.