One-way flow control

Data Diodes can provide the Flow Control component in our Secure Information eXchange Architecture (SIXA). They ensure that data travels only in the intended direction (data import or export) and help prevent covert channels.

The importance of flow control

The Flow Control component reduces the attack surface of the components further down the line by limiting the ability to transfer unauthorised data to them.

When a component is compromised, it is common for malware to try to communicate back to a control centre in order to allow remote control of the malware. The Flow Control component will reduce or remove the ability for any communication from malicious software back to such a control centre.

Two-way flow control can be provided by a traditional component such as a network firewall but this increases the risk profile of the solution. However, as data diodes can enforce an assured one-way flow they are more attractive for secure information exchange scenarios which require higher levels of assurance.

Data Diodes provide a protocol break

In order to use a data diode, it will be necessary to provide proxies to manage any two-way protocol interactions (e.g. TCP). A data diode proxy listens for a given transport protocol and extracts the encapsulated data. This data is passed over the diode using a one-way protocol.

The two-way protocol is then re-established on a proxy on the other side of the data diode. This protocol break at the transport layer means that attacks hidden inside the transport protocol are removed.
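The proxy pair described above, and the no-return-path property that denies malware a channel back to a control centre, as an added illustration that is not Nexor's code and not the protocol of any real diode product. The sending-side proxy takes the payload it extracted from a two-way protocol (modelled here as a byte string), frames it into one-way datagrams with a sequence number and a CRC-32, and pushes them over a link object that can only be written to. The receiving-side proxy has no transmit path at all, so it must cope with loss and corruption by itself: the sender emits each datagram more than once instead of waiting for acknowledgements it can never get, and the receiver parses strictly, de-duplicates and reports gaps. The datagram layout, the `SenderProxy`/`ReceiverProxy` names and the sample message are all constructed for this example.

```python
"""Illustrative data-diode proxy pair (added example, not a vendor's code).

Assumptions: a 'link' is any callable that accepts one datagram and can never
return data; the frame format below is invented for this example.
"""
import struct
import zlib

MAGIC = b"DIOD"
CHUNK = 16  # deliberately small so a short message spans several datagrams
# Header: magic | stream id | sequence number | payload length | CRC-32 of payload
HEADER = struct.Struct(">4sIIHI")


def frame(stream_id: int, seq: int, payload: bytes) -> bytes:
    """Build one datagram; the CRC lets the receiver reject corrupted frames."""
    return HEADER.pack(MAGIC, stream_id, seq, len(payload), zlib.crc32(payload)) + payload


def parse(datagram: bytes):
    """Strictly parse a datagram; return (stream_id, seq, payload) or None.

    The receiving proxy is the exposed parser on the low side, so anything that
    does not match the format exactly is dropped rather than guessed at.
    """
    if len(datagram) < HEADER.size:
        return None
    magic, stream_id, seq, length, crc = HEADER.unpack_from(datagram)
    payload = datagram[HEADER.size:]
    if magic != MAGIC or len(payload) != length or zlib.crc32(payload) != crc:
        return None
    return stream_id, seq, payload


class SenderProxy:
    """Sending side: terminates the two-way protocol, emits one-way datagrams."""

    def __init__(self, link, copies: int = 2):
        self.link = link          # write-only path across the diode
        self.copies = copies      # redundancy replaces retransmit-on-NACK

    def send_stream(self, stream_id: int, data: bytes) -> int:
        """Chunk, frame and send; returns the number of distinct frames."""
        chunks = [data[i:i + CHUNK] for i in range(0, len(data), CHUNK)]
        chunks.append(b"")        # empty payload marks end of stream
        for seq, chunk in enumerate(chunks):
            for _ in range(self.copies):
                self.link(frame(stream_id, seq, chunk))
        return len(chunks)


class ReceiverProxy:
    """Receiving side: rebuilds the byte stream. It has no method that sends."""

    def __init__(self):
        self.buffers = {}   # stream_id -> {seq: payload}
        self.rejected = 0   # malformed or corrupted datagrams discarded

    def receive(self, datagram: bytes) -> None:
        parsed = parse(datagram)
        if parsed is None:
            self.rejected += 1
            return
        stream_id, seq, payload = parsed
        # setdefault keeps the first copy, so duplicates are harmless
        self.buffers.setdefault(stream_id, {}).setdefault(seq, payload)

    def reassemble(self, stream_id: int):
        """Return (data, missing_seqs); data is None until the stream is whole."""
        frames = self.buffers.get(stream_id, {})
        end = [s for s, p in frames.items() if p == b""]
        if not end:
            return None, []
        last = min(end)
        missing = [s for s in range(last) if s not in frames]
        if missing:
            return None, missing
        return b"".join(frames[s] for s in range(last)), []


def simulate(message: bytes, copies: int = 2, drop_every: int = 0):
    """Push a message through a one-way link that loses every Nth datagram.

    Returns (reassembled_data_or_None, missing_sequence_numbers, rejected_count).
    """
    receiver = ReceiverProxy()
    sent = {"n": 0}

    def link(datagram: bytes) -> None:
        sent["n"] += 1
        if drop_every and sent["n"] % drop_every == 0:
            return                    # datagram lost in transit, nobody is told
        receiver.receive(datagram)

    SenderProxy(link, copies).send_stream(7, message)
    data, missing = receiver.reassemble(7)
    return data, missing, receiver.rejected


if __name__ == "__main__":
    sample = b"sample record crossing the data diode 01"  # constructed, 40 bytes
    print(simulate(sample, copies=2, drop_every=3))       # survives the loss
    print(simulate(sample, copies=1, drop_every=3))       # reports a gap
```

With two copies per frame the stream survives the loss of every third datagram; with a single copy the receiver can only report which sequence numbers never arrived, because there is no channel over which to ask for them again. That is the trade-off the text describes: assurance of direction is bought by giving up the feedback that two-way protocols rely on.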

Flow control or validate?

It is worth noting that in some secure information exchange scenarios a validation (or guard) component may be more appropriate than a flow control component. In scenarios that require particularly high levels of assurance, both components may be considered in finding the right solution.

Nexor Data Diode

The Nexor Data Diode is evaluated to Common Criteria EAL7+ (the highest certification possible) and guarantees that data is only permitted to physically flow in a single direction. Originally developed for use by defence and government organisations, the Nexor Data Diode is used in environments that require high assurance solutions.


