Now, an idea is making its way out of the murky worlds of government, industrial, and high-security networks into commercial awareness - unidirectional gateways, better known as data diodes. They're network appliances that pass data in one direction only, and they do it in hardware. Unlike a firewall, which blocks traffic only if its software is correctly configured, the laws of physics prevent data from going the wrong way through a data diode.

Data diodes have been around since the mid '80s, and were invented by people with highly classified networks who nevertheless needed to pass selected information out to networks with a lower security rating. Data diodes provided a connection that allowed this while completely eliminating any pathway through which an attacker who'd compromised the less secure network could touch the good stuff.

Physically, data diodes are if anything simpler than ordinary gateways. Somewhere within any normal network connection, there's a physical circuit that transmits data and another that receives it; a data diode keeps the transmit circuit and leaves out the receive circuit, so there is simply no path for anything to flow back.

The problems with data diodes lie in software, specifically in data transmission protocols. The whole of the internet is designed to detect and correct errors in data transmission. Packets are sent with extra information that the receiver can use to check data integrity, and if there's been corruption or other problems, the receiver sends back a request for retransmission. Transmitters need these signals to operate properly, and data diodes block them. A data diode that was only hardware would be completely incompatible with modern systems. The answer is to have software in the data diode that creates the reverse traffic each protocol needs, so that to the sender it looks as much like a normal network as possible. Data diodes will always need to be incorporated with intelligence and finesse.
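The protocol problem described above, as an added example that is not from the article or any vendor's product: a minimal Python model of a one-way link. The send-side proxy frames data so the receiver can verify integrity and detect loss, and the receiver shows what it can and cannot do with no return path. The frame layout, function names and sample sensor reading are constructed for illustration.

```python
import hashlib
import struct

# Constructed frame format for this example: seq (4 bytes) | total frames
# (4 bytes) | SHA-256 of payload (32 bytes) | payload. Every field helps the
# receiver check the data; none of them asks the sender for anything.
HDR = struct.Struct("!II32s")


def build_frames(data: bytes, chunk: int = 8) -> list[bytes]:
    """Send-side proxy: split the payload into self-verifying frames.
    Sequence numbers let the receiver detect loss, the digest lets it
    detect corruption. The source protocol's ACKs are answered locally
    on this side; only these frames cross the diode."""
    chunks = [data[i:i + chunk] for i in range(0, len(data), chunk)] or [b""]
    return [HDR.pack(i, len(chunks), hashlib.sha256(c).digest()) + c
            for i, c in enumerate(chunks)]


def one_way_channel(frames, drop=(), corrupt=()):
    """Hardware diode model: frames flow in one direction only. The
    receiver has no way to signal the sender, so loss or corruption
    on the link is simulated here by index and never reported back."""
    out = []
    for i, f in enumerate(frames):
        if i in drop:
            continue
        if i in corrupt:
            f = f[:-1] + bytes([f[-1] ^ 0xFF])  # flip a payload bit
        out.append(f)
    return out


def receive(frames):
    """Receive-side proxy: verify each frame, reassemble, and report gaps
    and corrupt frames. Because no retransmit request can cross the
    diode, a gap can only be logged or filled from a redundant copy the
    sender chose to transmit in advance."""
    got, total, bad = {}, 0, []
    for f in frames:
        seq, total, digest = HDR.unpack(f[:HDR.size])
        payload = f[HDR.size:]
        if hashlib.sha256(payload).digest() != digest:
            bad.append(seq)
            continue
        got[seq] = payload
    missing = sorted(set(range(total)) - set(got))
    return b"".join(got[i] for i in sorted(got)), missing, bad
```

Sending each frame twice (`frames + frames`) is the kind of sender-side redundancy a real diode proxy uses in place of retransmission on request.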
One particular incident illustrates why data diodes are so in vogue with industry sectors where significant physical infrastructure needs to be integrated with IT systems. Routing the security cameras through data diodes would have eliminated them as an attack vector, while keeping the sensors on the secure side of a data-diode-isolated network segment would have stopped them from being disabled. If you don't happen to run a pipeline or highly classified networks, data diodes still have potentially significant applications. Take database replication, where an attacker who manages to compromise one network, for the purposes of ransomware, say, won't be able to attack the copy behind a data diode. It's no miracle cure, of course, as very few commercial systems can be neatly isolated from data input, control, and requests, but as a design option it can significantly reduce a system's attack surface. Data diodes play a big and increasingly important part in partitioning the truly critical from more vulnerable environments.
This Cyber News was published on www.theregister.com. Publication date: Thu, 30 Nov 2023 23:19:27 +0000