Ethernet Data Diodes

Can anyone recommend a Datadiode that is cost effective or would we be better with a 2 port Firewall (if they exist)

Looking to try and get data from an OT system to an IT system

Why not use a commercial firewall (Cisco etc or Stratix ) remember you can disable ports as required and allows for any future proofing in terms of expansion or port failure

I'm installing an Emerson firewall now... there's only two ports on it.

From what I read, it seems a data diode is really a firewall, but possibly simpler to configure or something like that.

Not two port, but I've used the Moxa EDR-810s as firwalls before, useful as they have NAT translation as well.

I'm curious how these data diodes work in practice. If data physically only flows in one direction then how do devices communicate? UDP might work but you can forget TCP as it requires handshaking. I have to say, it also sounds rather extreme for a machine control network.


Edit/

It seems that TCP is possible (sort of) because the send and receive devices have TCP proxy applications so endpoints can believe they are speaking over TCP but in reality there cannot be any handshake

/Edit

Nick

Manglemender said:

I'm curious how these data diodes work in practice. If data physically only flows in one direction then how do devices communicate? UDP might work but you can forget TCP as it requires handshaking. I have to say, it also sounds rather extreme for a machine control network.

Click to expand...

I think in effect it may be a firewall in all but name as some data diodes can also be configured to allow data across both ways.

Data Diode only allows one side to initiate a TCP conversation and it does so using hardware and not just software rules. Firewall can do the same thing but can be (IS) more difficult to set up and can do much more nuanced filtering.

mad4x4 said:

Can anyone recommend a Datadiode that is cost effective or would we be better with a 2 port Firewall (if they exist)

Looking to try and get data from an OT system to an IT system

Click to expand...

Wikipedia link

https://en.wikipedia.org/wiki/Unidirectional_network

My limited understanding of what our IT guys call a data diode .. involves a device in the Secure (Control) domain, one in the DMZ, and one in the Unsecure (admin). The 'secure' server 'knows' who it is talking to on the less secure side and checks once in a while (every second? Every 100 ms?) if there is pending communication. The unsecure side then responds. So it is IP traffic, but S-L-O-W-E-R as the unsecure side waits for communication from the secure side before RESPONDING.

2 hops, from control -> dmz, and DMZ -> admin, before going to whatever database is storing the reporting/alarming/historical data. I believe that there is also some encryption ... that's a bit out of my depth

The less secure side cannot initiate communication. Apparently that removes a large number of attack vectors? The encryption is supposed to prevent an attacker with IP address and port knowledge from impersonating the applicable servers and use some sort of buffer overflow attack.

I think this is layer 3 stuff (7 layer network model). The layer 2 stuff (ARP et al) ... maybe acts normally? Not sure. Again - out of my depth!

We use a Cisco firewall, like everyone else ... with the DMZ, port monitoring and blocking, etc

The vendor that 'consumes' the data should be able to recommend a data diode that works with their data collection software. Your part should be making sure that it won't break anything on you side