Discussion Paper

How Does a Data Diode Work?

February 2017

Introduction

Data diodes work by using a one-way link to pass information from one network to another. They are a combination of hardware, firmware and software, specially designed to make data transfers fast and reliable and guaranteed one-way.

Applications interface to a data diode in one of three ways: using a network communications protocol, by passing files through a file store or with an Application Programming Interface (API).

The one-way link is typically constructed from fibre optic interface components, which are joined using a fibre optic cable (Figure 1), though it is possible to design electronic circuits to do a similar job. A separate computer is used at each end of the one-way link to run the software that provides the interface to applications (though in simple cases hardware logic can take the place of these computers and the software).

Figure 1: A data diode works by using two one-way fibre optic interfaces

The application that is the source of the data uses the transmitter interface on the source computer to pass data to the data diode. The transmitter interface sends this data to the drive electronics, which transmit it across the fibre. The drive electronics in the destination computer receive the data and deliver it to the destination application using the receiver interface.

The One-Way Link

The one-way link in a data diode works by using circuitry that only transmits at the source end and circuitry that only receives at the destination end. Typical fibre optic one-way links use a light emitting diode (LED) at the source end to convert electrical pulses into light pulses. The light pulses travel along a fibre optic cable to the receiving end that uses a photodiode to convert the light pulses into electrical pulses (Figure 2).

© 2017 Deep Secure Ltd
Figure 2: A fibre optic one-way link

Modern fibre optic networking links are bi-directional and use two fibres, each carrying data in a different direction (Figure 3). They can be converted into a one-way link by disconnecting one of the fibres. However, network interface controllers often use a bi-directional protocol to agree the data transfer mode they will use to communicate, and disconnecting a fibre breaks this so they fail to operate. Also, modern networking components include features that detect the disconnection of a fibre and treat this as a fault that prevents all communication. As a result, data diodes are generally built from special fibre optic networking components that are designed to operate in a one-way mode.

Figure 3: Fibre optic networking uses two fibres to make a connection

Protocol Interfaces

Most data diodes provide external network interfaces of some sort, but there is wide variety in the protocols that are supported.

Perhaps the simplest protocol interface is one that passes UDP datagrams received from the source network to the destination network. This can be used for application level protocols built on UDP, such as syslog and simple video streaming.

More complex protocols use TCP, which is a bi-directional protocol. TCP is used even when data flows are one way because acknowledgements and flow control information need to be passed in the opposite direction to make the data transfer reliable. TCP cannot be used across the one-way link, so the data diode interface on the source computer works by acting as an application level proxy that terminates the TCP connection, extracts the payload data and pushes it across the one-way link and returns the necessary acknowledgements. The interface on the destination computer gets data from the one-way link and uses TCP to deliver it to the destination.

Some data diodes provide TCP interfaces that allow data to be delivered using SMTP email or pushed using HTTP (Figure 4).
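The TCP paragraph above explains that the source-side interface terminates the connection and pushes the payload across the one-way link. What that leaves implicit is the consequence for the link itself: nothing can come back, so the destination cannot request a retransmission, and the link layer has to carry its own sequence numbers and checksum while the source compensates for loss by sending redundant copies. The Python below is an added example written for this page, not Deep-Secure's or Minerva's code; the frame layout (magic, stream id, sequence number, frame count, length, CRC32), the `transmit` redundancy scheme and the lossy-link demonstration are assumptions of the example.

```python
import struct
import zlib

# Frame layout (an assumption of this example, not a vendor format):
#   magic(3) | stream_id(4) | seq(4) | total(4) | length(4) | payload | crc32(4)
MAGIC = b"DD1"
HEADER = struct.Struct("!3sIIII")


def frame_payload(stream_id, payload, chunk_size=1024):
    """Split one payload (e.g. the bytes read from a terminated TCP connection)
    into self-describing frames that can be sent over the one-way link."""
    chunks = [payload[i:i + chunk_size] for i in range(0, len(payload), chunk_size)] or [b""]
    frames = []
    for seq, chunk in enumerate(chunks):
        body = HEADER.pack(MAGIC, stream_id, seq, len(chunks), len(chunk)) + chunk
        frames.append(body + struct.pack("!I", zlib.crc32(body) & 0xFFFFFFFF))
    return frames


def transmit(frames, link_send, copies=2):
    """Send every frame `copies` times. With no return channel, redundancy is the
    only way the source side can protect against a lost frame."""
    for frame in frames:
        for _ in range(copies):
            link_send(frame)


class OneWayReceiver:
    """Destination-side reassembly. It cannot ask for anything again, so it
    verifies each frame, tolerates duplicates and reports gaps."""

    def __init__(self):
        self._parts = {}     # stream_id -> {seq: chunk}
        self._totals = {}    # stream_id -> expected frame count
        self.completed = {}  # stream_id -> reassembled payload
        self.corrupt = 0     # frames rejected for bad CRC or malformed header

    def feed(self, frame):
        if len(frame) < HEADER.size + 4:
            self.corrupt += 1
            return
        body, (crc,) = frame[:-4], struct.unpack("!I", frame[-4:])
        if zlib.crc32(body) & 0xFFFFFFFF != crc:
            self.corrupt += 1
            return
        magic, sid, seq, total, length = HEADER.unpack_from(body)
        chunk = body[HEADER.size:]
        if magic != MAGIC or len(chunk) != length or total == 0 or seq >= total:
            self.corrupt += 1
            return
        if sid in self.completed:
            return  # a redundant copy of a frame for a stream already delivered
        self._parts.setdefault(sid, {})[seq] = chunk  # duplicates overwrite harmlessly
        self._totals[sid] = total
        if len(self._parts[sid]) == total:
            self.completed[sid] = b"".join(self._parts[sid][i] for i in range(total))
            del self._parts[sid]
            del self._totals[sid]

    def missing(self, stream_id):
        """Sequence numbers still outstanding for an incomplete stream; this is
        what the destination logs or alerts on, since it cannot request them."""
        total = self._totals.get(stream_id)
        if total is None:
            return []
        return [i for i in range(total) if i not in self._parts[stream_id]]


if __name__ == "__main__":
    # Constructed demonstration: a lossy link that drops every second transmission.
    sent = []
    transmit(frame_payload(1, b"x" * 3000), sent.append, copies=2)
    rx = OneWayReceiver()
    for i, f in enumerate(sent):
        if i % 2 == 0:
            rx.feed(f)
    print("streams delivered:", list(rx.completed), "corrupt frames:", rx.corrupt)
```

The `missing` report is the detection hook: in a deployment the destination interface would log unrecovered gaps and corrupt frames as link faults, because silently delivering a truncated stream to the destination application is the failure mode this design has to avoid.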
Figure 4: A data diode with an HTTP interface

Some data diode vendors support TCP protocols such as HTTP by using proxies that run on external servers (Figure 5). These use some proprietary protocol to move the data payload across the source network from the source proxy to the data diode’s source computer and from the destination computer to the destination proxy. The benefit here is that the diode component is simpler, but the overall solution footprint is larger than if the diode directly supported HTTP etc.

Figure 5: A data diode using external HTTP proxies

File Store Interfaces

Many data diodes provide a file store interface that moves or copies files from a file store on the source computer to a file store on the destination computer (Figure 6).

Figure 6: A data diode with a file store interface

The source application accesses the file store on the data diode’s source computer using some network file store protocol, such as SMB or NFS. Any files it writes into the store are moved or copied across the one-way link to the interface on the destination computer, which writes the file into its file store. The destination application then accesses the store to read the file.

Some data diodes support file store interfaces using agents that run on external servers (Figure 7). The file store agent on the external server on the source network moves or copies files that appear in the file store to the source computer using some proprietary protocol. The file is pushed across the one-way link to the destination computer, which passes it to the agent on the external server on the destination network. The agent stores the data in a file that is fetched by the destination application. This approach generally provides more flexibility than having the file store implemented in the data diode, by supporting a range of file store solutions, but does require a larger footprint.
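The file store interface described above (and its external-agent variant) picks up files that appear in the source store, pushes them across the link and writes them into the destination store. Two details matter to anyone implementing or evaluating such an interface: the destination must confirm the file arrived intact before the destination application can see it, and it must not trust a file name from the far side to stay inside its store. The Python below is an added example, not the page's or any vendor's code; the manifest format (a JSON header with name, size and SHA-256), the dot-file convention for uploads still in progress, and the use of a plain callable to stand in for the one-way link are assumptions of the example.

```python
import hashlib
import json
import os
import struct
import tempfile


def _sha256_hex(data):
    return hashlib.sha256(data).hexdigest()


def export_file_store(src_dir, link_send):
    """Source-side interface: send every complete file in src_dir across the link
    and remove it afterwards ('move' semantics). Returns the names sent."""
    sent = []
    for name in sorted(os.listdir(src_dir)):
        path = os.path.join(src_dir, name)
        # Dot-files are, by convention in this example, uploads still in progress;
        # directories and other non-files are never transferred.
        if name.startswith(".") or not os.path.isfile(path):
            continue
        with open(path, "rb") as fh:
            data = fh.read()
        manifest = json.dumps({"name": name, "size": len(data), "sha256": _sha256_hex(data)}).encode()
        # One message per file: manifest length, manifest, then the file bytes.
        link_send(struct.pack("!I", len(manifest)) + manifest + data)
        os.remove(path)
        sent.append(name)
    return sent


def import_file_store(message, dst_dir):
    """Destination-side interface: verify a transferred file and publish it
    atomically into dst_dir. Returns the file name, or None if it was rejected."""
    if len(message) < 4:
        return None
    (mlen,) = struct.unpack("!I", message[:4])
    try:
        manifest = json.loads(message[4:4 + mlen])
    except ValueError:
        return None
    if not isinstance(manifest, dict):
        return None
    data = message[4 + mlen:]
    name = manifest.get("name", "")
    # The name came from the other side of the link; never let it pick a path
    # outside the destination store.
    if name in ("", ".", "..") or os.path.basename(name) != name:
        return None
    # Truncated or corrupted in transit: there is no way to ask for it again,
    # so the only safe action is to reject it and leave the store untouched.
    if len(data) != manifest.get("size") or _sha256_hex(data) != manifest.get("sha256"):
        return None
    # Write to a dot-prefixed temporary file in the same directory, then rename:
    # the destination application never observes a partially written file.
    fd, tmp = tempfile.mkstemp(prefix=".incoming-", dir=dst_dir)
    with os.fdopen(fd, "wb") as fh:
        fh.write(data)
    os.replace(tmp, os.path.join(dst_dir, name))
    return name


def run_demo():
    """Constructed end-to-end run with temporary source and destination stores."""
    src, dst = tempfile.mkdtemp(prefix="src-"), tempfile.mkdtemp(prefix="dst-")
    with open(os.path.join(src, "report.csv"), "wb") as fh:
        fh.write(b"a,b\n1,2\n")
    with open(os.path.join(src, ".upload-in-progress"), "wb") as fh:
        fh.write(b"partial")
    link = []  # stands in for the one-way link: each message is delivered whole
    sent = export_file_store(src, link.append)
    received = [import_file_store(m, dst) for m in link]
    return sent, received, sorted(os.listdir(dst))


if __name__ == "__main__":
    print(run_demo())
```

The temporary-file-then-rename step is what makes the destination store safe to poll: a destination application that reads every file it finds will either see the complete, verified file or nothing, never a half-written one.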
Figure 7: A data diode using external file store interface computers

Application Programming Interfaces

Some data diodes allow custom software to be installed on the source and destination computers. They provide an Application Programming Interface (API) that the software can use to pass data to the data diode’s transmitter interface and receive data from its receiver interface. This allows the data diode to be customised to support application specific protocols directly, rather than requiring the use of external interface computers that perform protocol conversion.

Minerva Data Diode

Deep-Secure’s Minerva data diode works by providing a link based on special purpose fibre optics that guarantees transfers are one-way, protocol interfaces that allow applications to interface directly to the data diode and utilities that run on external computers to provide additional interfaces. Minerva is supplied as an appliance, which comprises two servers, that is managed through a web interface.