Owl Cyber Defense
Data Diode Specialist

Learn About Data Diodes

Hardware That Physically Enforces a One-Way Flow of Data

eBook | The Definitive Guide to Data Diode Technologies

A data diode is a piece of hardware that physically enforces a one-way flow of data. As one-way data transfer systems, data diodes are used as cybersecurity tools to isolate and protect networks from external cyber threats and prevent penetration from any external source. A data diode sits at the edge of the network security perimeter, relying on its physical hardware components to mitigate network cyber threats against the network while simultaneously allowing the transfer of data out of the network in a highly controlled, deterministic manner.
— What is a Data Diode?
 

DHS Recommends the use of Data Diodes

OPDS SUPPORTS DHS 7 STRATEGIES

In order to reduce the risk of cyberattacks against critical infrastructure (transportation, energy, water, etc.), the Department of Homeland Security (DHS) operates the Industrial Control Systems Cyber Emergency Response Team (ICS-CERT). ICS-CERT partners with various agencies, law enforcement, owners, operators and vendors to share information about industrial incidents and provides guidance for defending control system environments against emerging cyber threats.

Homeland Security - 7 Steps to Effectively Defend Industrial Control Systems →

As part of the first line of defense against cyberattacks in the US, the Department of Homeland Security (DHS) regularly provides guidance to organizations on cybersecurity best practices and practical advice on tools and implementation. Recently the DHS, with input from the FBI and the NSA, released the first paper below, which gives recommendations for protecting sensitive networks and specifically points to the use of data diodes.

Owl has also created a second response document, in which the DHS ‘Seven Steps’ are mapped directly to the use of data diodes, illustrating real life use cases and guidance on how to achieve the DHS best practices.

We recommend reading these papers to get an understanding of what data diodes are capable of, how they fit into a defense-in-depth strategy, and ways that they may be useful to secure your network or environment.

While these papers focus on “critical infrastructure”, it is important to remember that data diodes are agnostic to data, networks, and industries, and work with a range of data types, protocols, and networks. So even if you represent a hotel, a law firm, or a university, data diodes are powerful tools that can probably help you with your network cybersecurity needs.


What is a Simple Data Diode?

The simplest example is an RS-232 cable. These cables can be used to connect computing platforms and only contain three pins: transmit, receive, and ground. If the receive pin were removed, data could only physically be transmitted and NOT received. This allows data to be sent with no path for anything (or anyone) to gain access through the cable into the computer or network. While secure, the first problem is that the protocols used over the connection expect responses which are no longer being provided. So not only is the cable “broken” but now the protocols are also broken, and they will either not operate at all or fall into some kind of recovery mode where they try to compensate for disrupted communications (multiple retries, etc.).


What is an Owl Data Diode?

An Owl data diode goes well beyond a disabled cable; it is a hardware-based electronic device designed with two separate circuits – one send-only, and one receive-only – which physically constrain the transfer of data to one direction only and form an “air gap” between the source and destination networks. As described below, Owl provides a multi-layered, patented approach to the design of our data diodes.


Data Diode Purpose

Data diodes are used to defend networks from cyber-attacks and transfer information generated within the protected network in a one-way fashion to end-users outside the network. In this way, data can be sent to the cloud, a remote monitoring facility, support engineers, regulatory bodies or any other end-user that needs access, without creating a vulnerability or threat vector into the network.

Data diodes separate and create boundaries between trusted and untrusted networks and straddle the demarcation line between them. This separation between networks is more commonly known as network segmentation. This is a basic and vital part of any comprehensive cybersecurity strategy. It is perhaps simplest to think of data diodes as digital one-way valves for data, allowing data to flow out, without a way back in.

Data diodes can be used to protect very small network segments, such as an individual industrial controller, a car, or a database, or they can be used to protect a very large segment, such as an entire nuclear power plant.


Owl Data Diode Core Technology

The hardware-based nature of data diodes, enforced by the fundamental laws of physics, places them at the highest possible level of security, short of physically disconnecting the network and not allowing any data to flow in or out.

Initially based on Sandia National Labs technology, Owl data diodes have been built from the ground up in their purest form, incorporating the one-way flow into the design of all components; from the transmitter and receiver, to the transfer protocol, all the way down to the electricity on the circuit boards, physically ensuring a fail-safe, deterministic one-way-only data transfer. The send side is incapable of receiving data, and the receive side is incapable of sending data.

In addition, because there is no shared circuitry beyond the one-way connection, data diodes are considered by many regulatory bodies to effectively create an air gap, or a physical separation between networks.

The core of all Owl data diode solutions is the linked pair of two Communication Cards (one send-only and one receive-only) that together form the basis of the data diode. Along with the cards, all Owl data diodes include management software, proxies to interface to external applications, and protocol conversion, with other features available as required. Owl data diode Communication Cards vary in size and capabilities, from the world’s smallest, that are the size of a quarter and transfer data at just over 1 Mbps, to the specialized cards installed in single box solutions that support transfer up to 1 Gbps, to the PCIe cards that are fitted into standalone servers and support throughput of up to 10 Gbps.


Owl Products & Form Factors

OPDS-5D, OPDS-100D, OPDS-100, & OPDS-1000

Owl data diode products are deployed either as an all-in-one, single box solution (OPDS/OCDS product lines) with the pair of Communication Cards included in the single device, or with two separate Owl-designed PCIe Communication Cards (send & receive), each installed on their own server and connected solely through a single fiber optic cable.

ONE-WAY IN A TWO-WAY WORLD

The cybersecurity value proposition of deterministic, one-way communication is clear, but for some, how a one-way data diode works in a world dominated by two-way protocols can cause confusion. In order to address the expected “handshakes” or acknowledgments of two-way protocols in a one-way system, data diodes employ a proxy on both the send and receive sides. Rather than the source communicating directly with the destination, the source communicates with the send side proxy on the data diode. That two-way conversation is then converted to a one-way data transfer across to the receive side of the diode. Then the receive side proxy initiates a new two-way communication with the destination and completes the data transfer to the destination endpoint.
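As an added illustration of the proxy scheme just described and of the missing-acknowledgment problem from the RS-232 example, the following Python models a send-side proxy, a lossy one-way channel and a receive-side proxy. It is example code written for this page, not Owl's proxy software, and the frame layout, function names and sample telemetry are all constructed for the illustration.

```python
import struct
import zlib

# Constructed frame layout for this illustration (not a real diode wire format):
# 4-byte sequence number | 4-byte CRC32 of payload | 2-byte payload length | payload
HEADER = struct.Struct(">IIH")


def send_proxy_frames(data, chunk=8):
    """Send-side proxy: the two-way session with the source has already been
    terminated locally. All that crosses the diode is this ordered list of
    self-describing frames; no frame ever asks the receiver for anything."""
    frames = []
    for seq, off in enumerate(range(0, len(data), chunk)):
        payload = data[off:off + chunk]
        frames.append(HEADER.pack(seq, zlib.crc32(payload), len(payload)) + payload)
    return frames


def one_way_link(frames, drop=(), corrupt=()):
    """The physical one-way channel: frames arrive in order or not at all.
    There is no return path, so a dropped frame is simply gone."""
    for seq, frame in enumerate(frames):
        if seq in drop:
            continue
        if seq in corrupt:
            frame = frame[:-1] + bytes([frame[-1] ^ 0xFF])  # flip last payload byte
        yield frame


def receive_proxy(frames):
    """Receive-side proxy: validate each frame, reassemble the stream and record
    gaps. It cannot request a retransmission, so loss can only be detected and
    reported, never recovered from this side; the receive-side proxy then opens
    its own two-way session with the destination using the reconstructed bytes."""
    expected = 0
    out = bytearray()
    missing = []
    for frame in frames:
        seq, crc, length = HEADER.unpack_from(frame)
        if seq < expected:
            continue                      # duplicate or replayed frame, ignore
        while expected < seq:             # frames that never arrived
            missing.append(expected)
            expected += 1
        payload = frame[HEADER.size:HEADER.size + length]
        if zlib.crc32(payload) != crc:
            missing.append(seq)           # corrupted in transit, treated as lost
        else:
            out += payload
        expected = seq + 1
    return bytes(out), missing
```

Because the receive side has no way to ask for a resend, any reliability on a real one-way link has to come from the send side (redundant or repeated transmission) and from the receive side flagging the gaps it detects.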

THIRD PARTY TESTED

To meet the stringent requirements of government agencies, the Department of Defense and the Intelligence community, Owl products have been tested and accredited by independent third parties. We have EAL Common Criteria ratings that prove our technology provides a deterministic one-way transfer of information.

COMPARISON TO FIREWALLS & OTHER TECHNOLOGIES

The primary difference between hardware-based data diodes and firewalls or unidirectional gateways is that with a data diode it is physically impossible to send data of any kind in the reverse direction. Therefore data diodes are inherently immune to the misconfigurations, back-doors and vulnerabilities present in these other technologies.

WHERE DID DATA DIODES COME FROM?

Since the early 1990s, data diodes have met the elite cybersecurity needs of the most demanding users, including the US DoD and intelligence agencies. From initial deployments in national labs, branches of defense and intelligence agencies, the use of data diodes has spread to other government agencies and then into highly regulated critical infrastructure operations like nuclear power plants. Today, data diodes are in widespread use globally across many industries (power generation, telecom, transportation, financial services, data centers, mining, water/wastewater, etc.). As cyber attacks continue to increase and prove that “standard” cybersecurity technologies (firewalls, RBAC, etc.) aren’t enough anymore, organizations are turning to data diodes to provide the only cybersecurity that absolutely cannot be hacked.


Data Diodes for Cross Domain Solutions

OCDS-SFF

A proven, hardware-based cybersecurity technology, data diodes are an integral and differentiating part of Owl cross domain solutions (CDS). The function of a cross domain solution is to move information in one direction from one network domain or enclave to another, in most cases changing from one security level to another, either to a higher or lower level (unclassified NIPRNet to Secret SIPRNet, Secret to Top Secret JWICS, etc.).

Owl offers a series of data diode cross domain solutions, from high-bandwidth server based solutions, to all-in-one appliance solutions, including highly mobile tactical solutions and even miniaturized solutions.

Owl’s patented data diode technology is a hardware-based solution, specifically designed for one-way data transfers. A data diode, similar to a diode circuit, is physically limited to one direction. No amount of configuration changes, malware installs, or credential stealing can change this. Owl CDSs utilize two data diodes in series, the first one sending data out of one network and the second receiving the data in a different network. The send diode is physically restricted to only send and the receive side is physically restricted to only receive.

The Owl data diodes use one-way optical separation within the CDS and enforce a network protocol break between the networks.  The protocol break converts all data packets to a non-routable Asynchronous Transfer Mode (ATM) cell.

By implementing these two features Owl ensures that the source and destination networks are not connected by an electrical wire and that the networks are not communicating via common routable protocols. Combined, these features ensure 100% network confidentiality enforced by segmentation.

Owl CDSs are then coupled with a hardened Linux operating system and mission-specific data/content inspection. The hardened Linux OS provides for the continued availability of the system, and the content inspection ensures the integrity of the data flows between the networks.

The most significant advantages of a hardware-based solution, rather than a software-based one like other CDSs, are that it cannot be hacked or manipulated and that it can offer the fastest data rates available in a CDS, up to 10 Gbps.

Learn more about our Cross Domain Solutions and our UCDSMO Baseline Solutions.