Data Diode FAQs

Everything you ever wanted to ask about the Nexor Data Diode.

The Nexor Data Diode is computer hardware that enforces the unidirectional flow of network traffic.

A unidirectional network connection is a link between two networks for which a guarantee can be given that the information only flows from one network to the other and that it is impossible for data to flow in the opposite direction.

The source network is typically referred to as “upstream” and the destination network as “downstream”, following the analogy of how water flows from upstream to downstream. In many government and military environments, however, the source (untrusted) network is referred to as “black” and the destination (trusted) network as “red”.

The Nexor Data Diode works by enforcing the use of a single strand of a fibre optic connection in conjunction with fibre optic processing electronics that are specially designed for unidirectional signal flow. Because the link is not full duplex, bidirectional protocols such as TCP/IP cannot run across it. This problem is addressed by using proxy servers that transmit data in a connectionless way.

By using a one-way connection, the Nexor Data Diode helps you prevent leakage of confidential or classified information, while still giving you access to the critical data sources you need for your daily job. Examples include updates for your anti-virus products or Microsoft Windows, databases, web feeds, email, video streams and operational information for your Security Operation Centers. Once you start thinking about it you can come up with a lot more.

The Nexor Data Diode can also prevent unwanted access to your Industrial Control Systems (ICS), including SCADA systems and DCSs, while still allowing the ICSs to send out critical operational data, performance metering and other events and alarms.

The next picture schematically shows the standard hardware setup of a Nexor Data Diode system. Located in the centre, the Nexor Data Diode optical diode hardware connects and isolates the upstream (sending) network from the downstream (receiving) network.

On the left-hand side, the upstream proxy server sends data from the upstream network through the optical diode to the downstream proxy server. On the right-hand side, the downstream proxy server receives data from the optical diode for further handling in the downstream network.

The proxy servers are the primary point of contact for the networks on both ends of the optical diode hardware. Looking outward to their respective networks, they are responsible for interfacing with designated systems and provide any forwarding services as pre-configured. Facing inward to the optical diode, they facilitate the protocol break and handle internal diode communications.

A protocol break consists of two components that reside between the sender and the receiver of a message. The first component is a “catcher”, which, while adhering to the protocol, strips all traffic control data from the data it receives, and only retains the payload data.

The second component is a “thrower”. The thrower does the opposite: it takes bare payload data, and sends the payload to another system by means of some chosen protocol. In order to do this successfully, the thrower performs all the complicated tasks that are necessary to adhere to the protocol specifications, including the creation of traffic control data.

Attacks that are caused by one of the parties not adhering to a protocol can only be prevented by ensuring that, within the environment where attacks are unacceptable, both parties in the protocol are trusted.

For unidirectional communication scenarios, that implies that the side sending the payload (upstream) should be trustworthy, at least from the perspective of the receiver (downstream). The only way to ensure this is by the use of a protocol break.
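The catcher and thrower described above, sketched as an added example (not Nexor's code or wire format). It assumes the inbound protocol is HTTP and that the diode link carries a hypothetical frame of sequence number, frame count, length and CRC-32; `catch_http`, `throw`, `receive` and the sample message are all constructed for illustration.

```python
import struct
import zlib

HDR = struct.Struct("!IIH")  # hypothetical frame header: seq, total, length
CHUNK = 1024                 # assumed payload bytes per datagram
# Constructed sample input: an HTTP upload arriving at the upstream proxy.
SAMPLE = (b"POST /feed HTTP/1.1\r\nHost: upstream.example\r\n"
          b"Cookie: session=abc\r\nContent-Length: 11\r\n\r\nsensor=42.7")

def catch_http(raw: bytes) -> bytes:
    """Catcher: terminate the inbound protocol, keep only the payload."""
    head, sep, body = raw.partition(b"\r\n\r\n")
    if not sep:
        raise ValueError("incomplete message")
    length = None
    for line in head.split(b"\r\n")[1:]:
        name, _, value = line.partition(b":")
        if name.strip().lower() == b"content-length":
            length = int(value.strip())
    if length != len(body):
        raise ValueError("Content-Length missing or wrong")
    return body  # request line and headers are dropped here

def throw(payload: bytes) -> list[bytes]:
    """Thrower: wrap the bare payload in freshly built one-way frames."""
    chunks = [payload[i:i + CHUNK]
              for i in range(0, len(payload), CHUNK)] or [b""]
    frames = []
    for seq, chunk in enumerate(chunks):
        body = HDR.pack(seq, len(chunks), len(chunk)) + chunk
        frames.append(body + struct.pack("!I", zlib.crc32(body)))
    return frames

def receive(frames: list[bytes]) -> bytes:
    """Downstream: no ACK or resend can cross the diode, so fail closed."""
    parts, total = {}, None
    for frame in frames:
        body, crc = frame[:-4], frame[-4:]
        if len(body) < HDR.size or struct.pack("!I", zlib.crc32(body)) != crc:
            continue  # truncated or corrupted in transit
        seq, count, length = HDR.unpack(body[:HDR.size])
        if length != len(body) - HDR.size or seq >= count:
            continue  # inconsistent header
        total = count if total is None else total
        if count == total:
            parts[seq] = body[HDR.size:]
    if total is None or len(parts) != total:
        raise ValueError("transfer incomplete: frame lost or damaged")
    return b"".join(parts[i] for i in range(total))
```

Because the receiver cannot ask for a retransmission, a lost or damaged frame makes `receive` reject the whole transfer rather than deliver partial data.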

There are two primary use cases for deploying the Data Diode:

  1. Protecting secrets

  2. Protecting assets
