EAL7+, guaranteed one-way data flow

Nexor Data Diode

The Nexor data diode guarantees that data is only permitted to physically flow in a single direction, enabling secure data transfer to the isolated network(s). The technology has been evaluated to Common Criteria EAL7+ and is trusted by a number of high-security organisations.

In high-security environments, it is often difficult to make a physical connection between different networks but there is still a need to share information. This is when data diodes become an attractive solution to managing flow control securely.

Organisations that require high assurance solutions have been able to deploy the Nexor data diode to securely connect networks of different trust levels. This has increased the speed and throughput of their data transfers, supporting the required business processes while still achieving the necessary levels of information assurance.

Originally developed for use by defence and government organisations, the Nexor Data Diode has been deployed in a variety of secure information exchange scenarios including file importing; system updates; network monitoring; print management; remote camera control and process control interfaces.

How does a data diode work?

One-way flow control
Data diodes can provide the Flow Control component in our Secure Information eXchange Architecture (SIXA). They ensure that data is travelling in the direction that it is intended to (import or export) and help prevent covert channels.

The importance of flow control
The Flow Control component reduces the attack surface on components further down the line by reducing the ability for unauthorised data transfer to those components.

When a component is compromised, it is common for malware to try to communicate back to a control centre in order to allow remote control of the malware. The Flow Control component will reduce or remove the ability for any communication from malicious software back to such a control centre.

Two-way flow control can be provided by a traditional component such as a network firewall but this increases the risk profile of the solution. However, as data diodes can enforce an assured one-way flow they are more attractive for secure information exchange scenarios which require higher levels of assurance.

Data diodes provide a protocol break
In order to use a data diode, it will be necessary to provide proxies to manage any two-way protocol interactions (e.g. TCP). A data diode proxy listens for a given transport protocol and extracts the encapsulated data. This data is passed over the diode using a one-way protocol.

The two-way protocol is then re-established on a proxy on the other side of the data diode. This protocol break at the transport layer means that attacks hidden inside the transport protocol are removed.
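The proxy pair described above, sketched as an added example (not Nexor's implementation or wire format). The frame layout, the function names and the repeat-instead-of-acknowledge strategy are assumptions chosen to show that only application bytes cross the one-way hop and that the destination side must detect loss on its own.

```python
import struct
import zlib

# Constructed frame layout for the one-way hop (an assumption, not a Nexor format):
# session id, sequence number, total frames, payload length, CRC32 of payload.
HEADER = struct.Struct("!IIIHI")
MAX_PAYLOAD = 1024


def to_one_way_frames(session_id, tcp_payload, repeat=2):
    """Source-side proxy: turn bytes read from a terminated TCP session into
    self-describing datagrams. Only application data crosses; TCP headers,
    options and connection state stay on the source side."""
    chunks = [tcp_payload[i:i + MAX_PAYLOAD]
              for i in range(0, len(tcp_payload), MAX_PAYLOAD)] or [b""]
    frames = []
    for seq, chunk in enumerate(chunks):
        head = HEADER.pack(session_id, seq, len(chunks), len(chunk), zlib.crc32(chunk))
        # No ACK can come back through a diode, so each frame is sent `repeat` times.
        frames.extend([head + chunk] * repeat)
    return frames


def from_one_way_frames(session_id, frames):
    """Destination-side proxy: rebuild the payload, or report what is missing.
    Returns (payload or None, sorted list of missing sequence numbers)."""
    got, total = {}, None
    for frame in frames:
        if len(frame) < HEADER.size:
            continue  # runt datagram: drop
        sid, seq, count, length, crc = HEADER.unpack_from(frame)
        body = frame[HEADER.size:]
        if sid != session_id or len(body) != length or zlib.crc32(body) != crc:
            continue  # wrong session or corrupted in transit: drop
        if count == 0 or seq >= count or (total is not None and count != total):
            continue  # header inconsistent with earlier frames: drop
        total = count
        got.setdefault(seq, body)
    if total is None:
        return None, []
    missing = [s for s in range(total) if s not in got]
    if missing:
        return None, missing  # a resend cannot be requested, so fail closed
    return b"".join(got[s] for s in range(total)), []
```

The destination proxy would write the returned payload into a fresh TCP connection on its own network; an incomplete transfer is discarded rather than forwarded.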

Flow control or validate?
It is worth noting that in some secure information exchange scenarios, rather than a flow control component being required, it may actually be more appropriate to use a validation (or guard) component. In scenarios that require particularly high levels of assurance, both components may be considered in finding the right solution.

Nexor data diode
The Nexor data diode is evaluated to Common Criteria EAL7+ (the highest certification possible) and guarantees that data is only permitted to physically flow in a single direction. Originally developed for use by defence and government organisations, the Nexor Data Diode is used in environments that require high assurance solutions.

GuarDiode – Managed Data Diode Solution

GuarDiode is a managed solution from Nexor that extends the functionality of data diodes. It takes the one-way data transfer capabilities of standard data diodes and adds functionality from Nexor Guardian. This provides a highly secure, high-throughput content-checking capability on the permitted channel that reflects our SIXA architecture. It guarantees one-way information exchange and, depending on its configuration, can mitigate data leakage or malicious data transfer threats.

GuarDiode adds content filtering in the form of deep content inspection, virus scanning and quarantine capability. Its ultimate goal is to ensure that any data transferred between networks of different security levels complies with the security policies of the secure domain.

Third-party evaluations

The Nexor Data Diode has been certified by the following organisations:




Further information

We have compiled a list of the most Frequently Asked Questions (FAQs) in relation to the Nexor Data Diode. A full technical specification sheet for the Nexor Data Diode is also available upon request.

We also recommend that you find out more about how data diodes can perform the flow control element in our architectural approach to secure information exchange. Our Secure Information eXchange Architecture (SIXA) is based on best practice design patterns from the National Cyber Security Centre (NCSC), the UK National Technical Authority.

