Frequently Asked Questions (FAQs)
Everything you ever wanted to ask about the Nexor Data Diode
What is a Nexor Data Diode?
The Nexor Data Diode is computer hardware that enforces unidirectional flow of network traffic.
What is a unidirectional network?
A unidirectional network connection is a link between two networks for which a guarantee can be given that information flows only from the one network to the other, and that it is impossible for data to flow in the opposite direction.
How are the separated networks designated?
The source network is typically referred to as “upstream” and the destination network as “downstream”, following the analogy of how water flows from upstream to downstream. In many government and military environments, however, the source (untrusted) network is referred to as “black” and the destination (trusted) network as “red”.
How does the Nexor Data Diode work?
The Nexor Data Diode works by enforcing the use of a single strand of a fibre optic connection, in conjunction with fibre optic processing electronics that are specifically designed for unidirectional signal flow. This lack of full-duplex communication breaks bidirectional protocols such as TCP/IP, which is addressed by using proxy servers that transmit data across the diode in a connectionless way.
When is a Nexor Data Diode needed?
By using a one-way connection, the Nexor Data Diode helps you prevent leakage of confidential or classified information while still giving you access to the critical data sources you need for your daily job. Think of updates for your anti-virus products or Microsoft Windows, databases, web feeds, email, video streams and operational information for your Security Operations Centre.
Once you start thinking about it you can come up with many more. The Nexor Data Diode can also prevent unwanted access to your Industrial Control Systems (ICS), including SCADA systems and DCSs, while still allowing those systems to send out critical operational data, performance metering and other events and alarms.
What is the standard hardware setup of a Nexor Data Diode system?
The picture below schematically shows the standard hardware setup of a Nexor Data Diode system. Located in the centre, the Nexor Data Diode optical diode hardware connects and isolates the upstream (sending) network from the downstream (receiving) network.
On the left-hand side, the upstream proxy server is responsible for sending data from the upstream network through the optical diode to the downstream proxy server. On the right-hand side, the downstream proxy server is responsible for receiving data from the optical diode and handing it on for further handling in the downstream network.
What is the function of the proxy servers?
The proxy servers are the primary point of contact for the networks on both ends of the optical diode hardware. Looking outward to their respective networks, they are responsible for interfacing with designated systems and provide whatever forwarding services have been pre-configured. Facing inward to the optical diode, they implement the protocol break and handle the internal diode communications.
What is a protocol break?
A protocol break consists of two components that reside between the sender and the receiver of a message. The first component is a “catcher” which, while adhering to the protocol, strips all traffic control data from the data it receives and retains only the payload.
The second component is a “thrower”. The thrower does the opposite: it takes the bare payload data and sends it to another system by means of some chosen protocol. To do this successfully, the thrower performs all the complicated tasks needed to adhere to the protocol specification, including the creation of traffic control data.
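To make the catcher/thrower split concrete, and to show why the proxies above have to use a connectionless transfer across the diode, here is an added illustration in Python that is not Nexor's code and does not reflect the product's internal format. The upstream catcher parses a constructed HTTP-style message and keeps only the body; the upstream thrower wraps that payload in self-describing datagrams (message id, sequence number, chunk count, CRC32; all assumed for illustration) because nothing can be acknowledged or re-requested through a one-way link; the downstream catcher reassembles and silently discards anything incomplete or corrupt rather than forwarding it.

```python
from __future__ import annotations
import struct
import zlib

# Constructed sample message as the upstream catcher might receive it over a
# bidirectional protocol: request line and headers are traffic control data,
# only the body is payload.
SAMPLE_REQUEST = (
    b"PUT /updates/av-signatures.dat HTTP/1.1\r\n"
    b"Host: upstream-proxy.example\r\n"
    b"Content-Length: 11\r\n"
    b"\r\n"
    b"sigdata-001"
)

def catcher(raw: bytes) -> bytes:
    """Upstream catcher: honour the protocol framing, then keep only the payload."""
    head, sep, body = raw.partition(b"\r\n\r\n")
    if not sep:
        raise ValueError("incomplete message: no header terminator")
    length = None
    for line in head.split(b"\r\n")[1:]:          # skip the request line
        name, _, value = line.partition(b":")
        if name.strip().lower() == b"content-length":
            length = int(value.strip())
    if length is None or len(body) < length:
        raise ValueError("payload shorter than declared length")
    return body[:length]                            # control data is discarded here

# Hypothetical datagram header for the one-way link: msg id, seq, total, crc32.
HDR = struct.Struct("!IHHI")

def thrower(payload: bytes, msg_id: int, chunk: int = 4) -> list[bytes]:
    """Upstream thrower: emit datagrams that each carry their own position and
    checksum, since no acknowledgement can ever come back through the diode."""
    chunks = [payload[i:i + chunk] for i in range(0, len(payload), chunk)] or [b""]
    return [HDR.pack(msg_id, i, len(chunks), zlib.crc32(c)) + c
            for i, c in enumerate(chunks)]

def downstream_catcher(datagrams: list[bytes]) -> bytes | None:
    """Downstream catcher: reassemble (order may differ); return None if any
    chunk is missing or corrupt, because a retransmission cannot be requested."""
    parts, total = {}, None
    for d in datagrams:
        _msg_id, seq, n, crc = HDR.unpack_from(d)
        body = d[HDR.size:]
        if zlib.crc32(body) != crc:
            continue                                # corrupt chunk: never forward
        total, parts[seq] = n, body
    if total is None or len(parts) != total:
        return None
    return b"".join(parts[i] for i in range(total))
```

The downstream thrower (not shown) would then hand the reassembled payload to its target using whatever protocol the downstream network expects.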
How does a protocol break benefit the Nexor Data Diode?
Attacks that rely on one of the parties not adhering to a protocol can only be prevented by ensuring that, within the environment where such attacks are unacceptable, both parties to the protocol are trusted.
For unidirectional communication scenarios, this implies that the side sending the payload (upstream) must be trustworthy, at least from the perspective of the receiver (downstream). The only way to ensure this is by the use of a protocol break. For more on this, see our White Paper: Protecting confidential information using data diodes.
What are the primary use cases for the Nexor Data Diode?
There are two primary use cases for deploying the Data Diode:
1. Protecting secrets
2. Protecting assets
Importing patches to a secure network (a UK Government Agency) - Often you need to transfer patches or system updates between networks that have different levels of security. To maintain the confidentiality of the downstream network, you need to be able to control the flow of data in a secure manner.