Unidirectional network
From Wikipedia, the free encyclopedia
A unidirectional network (also referred to as a data diode) is a network cable or connection modified to allow data to travel in only one direction, used to guarantee information security. Such devices are most commonly found in high security environments such as defence, where they serve as connections between two or more networks of differing security classifications.
Benefits and limitations
The physical nature of a unidirectional network only allows data to pass from one side of the connection (referred to as the 'low' side) to the other (referred to as the 'high' side), and never the other way around. The benefit for users of the high side network is that their data is kept confidential while they still have access to data from the low side.[1] Such functionality is attractive when sensitive data is stored on a network that requires connectivity with the internet. Traditionally that data would be vulnerable to intrusions from the internet; with a unidirectional network separating a high side holding the sensitive data from a low side with internet connectivity, one can achieve the best of both worlds. This holds true even if both the low and the high network are compromised, because the security guarantees are physical in nature.
However, protocols normally used over network connections, such as TCP/IP, that require acknowledgments to be sent back cannot be used over a unidirectional network. This prevents a large number of programs from functioning normally over such a network. Importantly, a unidirectional network does not prevent viruses or other malicious programs from being transferred onto the high network and compromising the integrity and availability of the data there. Furthermore, since the low side cannot receive data from the high side, it can never reliably establish that data has been successfully transferred.[1]
History
The idea of unidirectional networks has been around since the 1960s, but only recently has it been developed into commercial products. Work done by Australia's Defence Science and Technology Organisation (DSTO) in the 1990s on the data diode[2][3] and the interactive link[4] has resulted in commercialised products from Tenix and Fox-IT.
Variations
The most common form of a unidirectional network is a simple modified fibre optic cable, with the send and receive transceivers for one direction removed. Commercial products rely on this basic design, but add further software functionality on top of it.
Tenix's Interactive Link Data Diode has achieved a security evaluation of ITSEC E6, the highest possible under those criteria, and EAL7+ under the Common Criteria. It is used in commercial, government and defence applications.
The Tenix Interactive Link System (DSTO's Starlight)[4] provides a unidirectional network combined with an Interactive Link KBS that allows both the low side and the high side to be used from the same PC. A user can work on the high side network while having an X Window session on the low side network. Additional software functionality allows copy and paste between the low side and the high side. The Interactive Link System has an E6 evaluation level under ITSEC and EAL5+ under the Common Criteria.
Waterfall Solutions uses a proprietary transfer protocol.
Waterfall’s solution uses a transmitter and a receiver such that the TX is physically capable of transmitting only to the RX and the RX is only physically capable of receiving data from the TX. This ensures complete unidirectionality with no possibility of remote manipulation of the system.
The US Naval Research Laboratory (NRL) has developed its own unidirectional network called the Data Pump. It is in many ways similar to DSTO's work, except that it allows a limited backchannel from the high side to the low side for the transmission of acknowledgments. This allows more protocols to be used over the network, but introduces a potential covert channel: if both the high and low sides are compromised, information can be signalled by artificially delaying the timing of the acknowledgments.[5]
The Owl Computing Technologies "Dual Diode" system uses specially designed ATM network interface cards that operate in pairs. The send-only card is installed in a host computer platform on the low side, along with interfacing software. The receive-only card is similarly installed on a host computer platform on the high side. Each card is administered by the network to which it belongs, while a passive optical fiber connects the two cards and defines the network boundary. One-way data transfer is enforced in hardware on both sides of the optical link. Owl systems move data in a variety of formats, including files, directory structures, UDP packets, and TCP streams. Hash algorithms are used to validate the data received on the high side. Multiple computing platforms are supported, including Solaris, Linux, and Windows. Owl systems are fully developed commercial products that are certified, accredited, and widely deployed throughout the US Intelligence community.
The Fort Fox Data Diode (Fox-IT) is based on a true unidirectional network coupling. The Fort Fox Hardware Data Diode is a separate hardware unit that receives a full double fiber cable on the receiving side and uses just a single fiber for sending packets on the sending side. The Hardware Data Diode does not contain any logic or processing and is therefore unable to make mistakes, and can guarantee complete unidirectionality. The Hardware Data Diode can be used by itself to transfer UDP packets from one network to another. The Fort Fox Data Diode solution contains two additional proxy servers: one on the black side and one on the red side. These proxy servers allow more stateful protocols, such as SMTP and FTP, to be used over the Data Diode; UDP can be used to transfer data as well. The Fort Fox Data Diode also contains logic to provide (near) NTP support on the receiving network.
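The transfer layer that the proxies above have to implement follows directly from the limitations described earlier: the sender gets no acknowledgments, so it can never know which frames arrived, and the receiver is the only party able to detect loss or damage. The following is an added illustration of that pattern, not the protocol of Owl, Fox-IT or any other product named here. It assumes a constructed frame layout (sequence number, chunk count, SHA-256 of the whole file, payload, CRC32), a fixed redundancy factor as the sender's only defence against loss, and a constructed sample payload; loss and corruption on the one-way link are injected at chosen frame indices.

```python
"""Toy one-way transfer over a data diode: blind sender, lossy one-way link,
validating receiver.  Added illustration, not the protocol of any product named
in the article; frame layout, redundancy factor and sample payload are constructed."""
import hashlib
import struct
import zlib
from typing import AbstractSet, Dict, Iterator, List, Optional, Set

CHUNK_SIZE = 16   # deliberately small so the short sample splits into several chunks
REDUNDANCY = 3    # copies of every chunk; the sender never learns what arrived
# Frame body: sequence number, chunk count, SHA-256 of the whole file, payload.
# A CRC32 over the body is appended so damaged frames are discarded, not stored.
HDR = struct.Struct("!II32s")
CRC = struct.Struct("!I")


def encode_frames(data: bytes) -> List[bytes]:
    """Sender side: split data into chunks and emit REDUNDANCY interleaved copies."""
    digest = hashlib.sha256(data).digest()
    chunks = [data[i:i + CHUNK_SIZE] for i in range(0, len(data), CHUNK_SIZE)] or [b""]
    frames = []
    for _ in range(REDUNDANCY):                  # whole file, then whole file again ...
        for seq, payload in enumerate(chunks):   # ... so a burst loss hits different chunks
            body = HDR.pack(seq, len(chunks), digest) + payload
            frames.append(body + CRC.pack(zlib.crc32(body)))
    return frames


def one_way_link(frames: List[bytes], drop: AbstractSet[int],
                 corrupt: AbstractSet[int]) -> Iterator[bytes]:
    """The diode: frames flow low -> high only; nothing flows back.
    Loss and corruption are injected at constructed frame indices."""
    for i, frame in enumerate(frames):
        if i in drop:
            continue
        if i in corrupt:
            damaged = bytearray(frame)
            damaged[-CRC.size - 1] ^= 0xFF   # flip the last payload byte
            frame = bytes(damaged)
        yield frame


class Receiver:
    """High side: accepts frames in any order, validates them, reassembles the file."""

    def __init__(self) -> None:
        self.chunks: Dict[int, bytes] = {}
        self.total: Optional[int] = None
        self.digest: Optional[bytes] = None
        self.corrupt_frames = 0

    def on_frame(self, frame: bytes) -> None:
        if len(frame) < HDR.size + CRC.size:
            self.corrupt_frames += 1          # runt frame
            return
        body, crc = frame[:-CRC.size], frame[-CRC.size:]
        if CRC.unpack(crc)[0] != zlib.crc32(body):
            self.corrupt_frames += 1          # damaged copy: drop it, wait for another
            return
        seq, total, digest = HDR.unpack_from(body)
        if self.digest is None:
            self.total, self.digest = total, digest
        elif digest != self.digest:
            return                            # frame from a different transfer
        self.chunks.setdefault(seq, body[HDR.size:])

    def missing(self) -> Set[int]:
        """Sequence numbers never received intact; only the high side can know this."""
        if self.total is None:
            return set()
        return set(range(self.total)) - set(self.chunks)

    def result(self) -> Optional[bytes]:
        """The reassembled file, or None if chunks are missing or the digest fails."""
        if self.total is None or self.missing():
            return None
        data = b"".join(self.chunks[i] for i in range(self.total))
        return data if hashlib.sha256(data).digest() == self.digest else None


def transfer(data: bytes, drop: AbstractSet[int] = frozenset(),
             corrupt: AbstractSet[int] = frozenset()) -> Receiver:
    rx = Receiver()
    for frame in one_way_link(encode_frames(data), drop, corrupt):
        rx.on_frame(frame)
    return rx


SAMPLE = b"constructed sample payload crossing the diode"   # constructed test data
N = -(-len(SAMPLE) // CHUNK_SIZE)   # chunks per copy; frame index = copy * N + seq


def demo_recovered() -> Receiver:
    """Two copies of chunk 0 lost and one copy of chunk 1 corrupted: still recovers."""
    return transfer(SAMPLE, drop={0, N}, corrupt={1})


def demo_unrecoverable() -> Receiver:
    """All three copies of chunk 2 lost: the receiver can tell, the sender cannot."""
    return transfer(SAMPLE, drop={2, N + 2, 2 * N + 2})


if __name__ == "__main__":
    ok, bad = demo_recovered(), demo_unrecoverable()
    print("recovered:", ok.result() == SAMPLE, "corrupt frames seen:", ok.corrupt_frames)
    print("unrecoverable, missing chunks:", sorted(bad.missing()))
```

The point of the two demo functions is the asymmetry the article describes: the receiver can report exactly which chunk never arrived, but there is no path by which that report could reach the sender, so redundancy is chosen up front and integrity is checked entirely on the high side.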
Applications
The majority of unidirectional network applications are in defence and with defence contractors. These organisations have traditionally applied network separation to keep classified data physically separate from any internet connection. With the introduction of unidirectional networks in some of these environments, a degree of connectivity can safely exist between a network holding classified data and a network with an internet connection.
Other users of unidirectional technology include:
Despite the apparently wide use of this technology suggested by the above list, in reality it is very rarely used outside of the defence industry, due to the limitations on data transfer.
References
1. Slay, J & Turnbull, B 2004, 'The Uses and Limitations of Unidirectional Network Bridges in a Secure Electronic Commerce Environment', paper presented at the INC 2004 Conference, Plymouth, UK, 6-9 July 2004.
2. Stevens, MW & Pope, M 1995, Data Diodes, DSTO Electronics and Surveillance Research Laboratory, Adelaide.
3. Stevens, MW 1999, An Implementation of an Optical Data Diode, DSTO Electronics and Surveillance Research Laboratory, Adelaide.
4. Anderson, M, North, C, Griffin, J, Milner, R, Yesberg, J & Yiu, K 1996, 'Starlight: Interactive Link', San Diego, CA, USA.
5. Myong, HK, Moskowitz, IS & Chincheck, S 2005, 'The Pump: A Decade of Covert Fun'.
6. Australian Government Information Management Office 2003, Securing systems with Starlight, Department of Finance and Administration, viewed 8 August 2006, <http://www.agimo.gov.au/publications/2003/06/transform/defence>.
7. Wordsworth, C 1998, Media Release: Minister Awards Pioneer In Computer Security, viewed 9 August 2006, <www.defence.gov.au/minister/1998/240-98.doc>.