Unidirectional network
A unidirectional network (also referred to as a unidirectional security gateway or data diode) is a network appliance or device that allows data to travel in only one direction, used to guarantee information security. Such devices are most commonly found in high-security environments such as defence, where they serve as connections between two or more networks of differing security classifications. This technology can now also be found at the industrial control level in facilities such as nuclear power plants and electric power generation.

Benefits and limitations

The physical nature of a unidirectional network only allows data to pass from one side of a network connection (referred to as the 'low' side) to the other (referred to as the 'high' side), and not the other way around. The benefit for users of the high-side network is that their data is kept confidential while they still have access to data from the low side. Such functionality is attractive when sensitive data is stored on a network that requires connectivity with the Internet. Traditionally that data would be vulnerable to intrusions from the Internet; with a unidirectional network separating a high side holding the sensitive data from a low side with Internet connectivity, one can achieve the best of both worlds. This holds true even if both the low and the high network are compromised, because the security guarantee is physical in nature.

The controlled interface that comprises the send and receive elements of a unidirectional network acts as a one-way "protocol break" between the two two-way network domains it connects. This does not preclude using a unidirectional network to transfer protocols such as TCP/IP that require communication (including acknowledgments) between sender and receiver. By employing TCP/IP client-server proxies before and after the one-way transfer, data carried as TCP packet flows can gain the security value of unidirectional transfer.

It is true that the primary unidirectional network path cannot be used as a "backwards" path for acknowledgement of receipt of data by the ultimate destination. However, a scheme for such receipt acknowledgement exists, as granted in the 2010 award of US Patent 7,675,867 for a "One-Way Data Transfer System with Built-in Data Verification Mechanism." This mechanism ensures that the original sender of data is notified of successful receipt (or of any number of alternative conditions). The primary unidirectional path and the networks it connects are not compromised.
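The proxy arrangement described above, as an added illustration that is not code from the article or from any vendor: the low-side proxy terminates the TCP session and emits self-describing datagrams, the high-side proxy verifies each one and reassembles the stream, and, because there is no return path, losses are reported rather than retransmitted. The frame layout, the chunk size, the duplicate-send policy and the lossy channel model are all assumptions made for this example.

```python
import struct
import zlib

# Constructed frame layout for the one-way hop (an assumption of this example,
# not any product's format): sequence number, payload length, CRC-32 of payload.
HDR = struct.Struct("!IHI")
CHUNK = 4    # tiny chunks so the sample data spans several frames
REPEAT = 2   # send every frame twice: with no backchannel there is no retransmit

def sender_proxy(data: bytes) -> list[bytes]:
    """Low-side proxy: split the TCP payload into framed datagrams for the diode.
    A zero-length frame whose seq equals the chunk count marks end-of-stream."""
    chunks = [data[i:i + CHUNK] for i in range(0, len(data), CHUNK)]
    frames = [HDR.pack(seq, len(c), zlib.crc32(c)) + c for seq, c in enumerate(chunks)]
    frames.append(HDR.pack(len(chunks), 0, 0))
    return [f for f in frames for _ in range(REPEAT)]

def receiver_proxy(frames: list[bytes]):
    """High-side proxy: accept only frames whose length and CRC check out,
    reassemble by seq, and report gaps instead of asking for a resend.
    Returns (data, missing_seqs, rejected_frame_count)."""
    chunks, total, rejected = {}, None, 0
    for f in frames:
        if len(f) < HDR.size:
            rejected += 1
            continue
        seq, n, crc = HDR.unpack_from(f)
        payload = f[HDR.size:]
        if len(payload) != n or zlib.crc32(payload) != crc:
            rejected += 1          # corrupted in transit: drop it, never negotiate
            continue
        if n == 0:
            total = seq            # end-of-stream marker carries the chunk count
        else:
            chunks[seq] = payload  # a duplicate copy simply overwrites the first
    if total is None:
        return b"", None, rejected  # marker lost: cannot tell truncation from a pause
    missing = [s for s in range(total) if s not in chunks]
    data = b"".join(chunks[s] for s in range(total) if s in chunks)
    return data, missing, rejected

def lossy_diode(frames: list[bytes]) -> list[bytes]:
    """Constructed channel model: drop the first copy of seq 1 and corrupt the
    last byte of the first copy of seq 2; the second copies still get through."""
    out = list(frames)
    del out[2]                                          # seq 1, first copy
    out[3] = out[3][:-1] + bytes([out[3][-1] ^ 0xFF])   # seq 2, first copy (after the delete)
    return out
```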

History

The idea of unidirectional networks has been around since the 1960s; however, only recently has it been developed into a commercial product. Work done by Australia's Defence Science and Technology Organisation (DSTO) in the 1990s on the data diode and the interactive link has resulted in commercialised products by Tenix, Fox-IT and VADO Security (http://www.vadosecurity.com).

Variations

The most common form of a unidirectional network is a simple modified fibre optic cable, with send and receive transceivers removed for one direction. Commercial products rely on this basic design, but add other software functionality.

Some commercial offerings use proprietary protocols that allow for data transfer from protocols that usually require bidirectional links.

The US Naval Research Laboratory (NRL) has developed its own unidirectional network called the Data Pump. It is in many ways similar to DSTO's work, except that it allows a limited backchannel from the high side to the low side for the transmission of acknowledgments. This allows more protocols to be used over the network, but introduces a potential covert channel (by artificially delaying the timing of the acknowledgments) if both the high and low sides are compromised.

Applications

There are two general models for using unidirectional network connections. In the classical model, the purpose of the data diode is to prevent export of classified data from a secure machine while allowing import of data from an insecure machine. In the alternative model, the diode is used to allow export of data from a protected machine while preventing attacks on that machine. These are described in more detail below.

One-way flow to more secure machines

In the Bell-LaPadula security model, users of a computer system can only create data at or above their own security level. This applies in contexts where there is a hierarchy of information classifications, for example the hierarchy that runs from unclassified at the low end through confidential and secret to top secret. If users at each security level share a machine dedicated to that level, and if the machines are connected by data diodes, the Bell-LaPadula constraints can be rigidly enforced.

The majority of unidirectional network applications in this category are in defense and among defense contractors. These organizations have traditionally applied air gaps to keep classified data physically separate from any Internet connection. With the introduction of unidirectional networks in some of these environments, a degree of connectivity can safely exist between a network holding classified data and a network with an Internet connection.

Examples of this use of unidirectional technology include:
  • Government
  • Commercial companies

One-way flow to less secure machines

The second broad application involves systems that must be secured against attack from public networks while publishing information to those networks. For example, an election management system used with electronic voting must make election results available to the public while at the same time remaining immune to attack. The conventional solution is an air gap between the public network and the election management system, with data export by "sneakernet." The alternative is to use a data diode on the export channel.

This model is applicable to a variety of critical infrastructure protection problems. For example, the public living downstream from a dam needs up-to-date information on the outflow, and the same information is a critical input to the control system for the floodgates. In such a situation, it is critical that the flow of information be from the secure control system to the public, and not vice versa.
The source of this article is wikipedia, the free encyclopedia.  The text of this article is licensed under the GFDL.