Unidirectional network
A unidirectional network (also referred to as a unidirectional security gateway or data diode) is a network appliance or device that allows data to travel in only one direction, used to guarantee information security. They are most commonly found in high-security environments such as defense, where they serve as connections between two or more networks of differing security classifications, an arrangement also known as a "cross-domain solution". This technology is also found at the industrial control level in facilities such as nuclear power plants, electric power generation and distribution, oil and gas production, water and wastewater treatment, and manufacturing.[1]
Benefits
The physical nature of unidirectional networks only allows data to pass from one side of a network connection to the other, never back. The flow can run from the "low side" or untrusted network to the "high side" or trusted network, or vice versa. In the first case, data in the high-side network is kept confidential while its users retain access to data from the low side.[2] Such functionality can be attractive if sensitive data is stored on a network that requires connectivity with the Internet: the high side can receive Internet data from the low side, but no data on the high side is reachable by an Internet-based intrusion. In the second case, a safety-critical physical system can be made accessible for online monitoring, yet be insulated from all Internet-based attacks that might seek to cause physical damage.[1] In both cases, the connection remains unidirectional even if both the low and the high network are compromised, as the security guarantee is physical in nature. That guarantee covers direction only: a diode does not inspect what it carries, so whatever arrives on the receiving side, such as files or software updates flowing up into a classified network, still has to be treated as untrusted content.
The controlled interface that comprises the sending and receiving elements of a unidirectional network acts as a one-way "protocol break" between the two bidirectional network domains it connects. This does not preclude using unidirectional networks to carry data from protocols such as TCP/IP that require two-way communication (including acknowledgments) between sender and receiver. By placing TCP/IP client-server proxies before and after the one-way transfer, each proxy terminates the bidirectional session on its own side of the link, and data carried as TCP streams gains the security value of unidirectional transfer. The cost is that the receiving proxy can never ask for a retransmission, so such designs typically send redundant copies or forward error correction and number their frames so that the receiver can at least detect what was lost.
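The following Python simulation, added here as an illustration and not taken from any product or from the cited sources, shows the proxy arrangement end to end: the low-side proxy turns a byte stream into self-describing frames, a stand-in for the physical link drops some of them and carries nothing back, and the high-side proxy reassembles what arrived and reports the gaps it cannot fill. The frame header layout, the 1024-byte chunk size, the three-fold repetition and the `one_way_link` function are assumptions made for this example.

```python
import random
import struct
import zlib

# Frame header: sequence number, total frames in the stream, payload length,
# CRC-32 of the payload.  Layout is an assumption for this example.
FRAME_HDR = struct.Struct("!IIHI")
CHUNK = 1024      # payload bytes per frame (constructed value)
REPEAT = 3        # copies of every frame: the only "retransmission" a diode can offer


def low_side_encapsulate(stream: bytes, repeat: int = REPEAT) -> list[bytes]:
    """Low-side proxy.  The sender's TCP session terminates here; what leaves
    is a sequence of frames that need no reply from the far side."""
    chunks = [stream[i:i + CHUNK] for i in range(0, len(stream), CHUNK)] or [b""]
    frames = []
    for seq, chunk in enumerate(chunks):
        hdr = FRAME_HDR.pack(seq, len(chunks), len(chunk), zlib.crc32(chunk))
        frames.extend([hdr + chunk] * repeat)     # every frame goes out `repeat` times
    return frames


def one_way_link(frames: list[bytes], drop=lambda index: False) -> list[bytes]:
    """Constructed stand-in for the diode: frames travel one way, `drop`
    decides which are lost in transit, and nothing can ever travel back."""
    return [f for i, f in enumerate(frames) if not drop(i)]


def high_side_reassemble(received: list[bytes]):
    """High-side proxy.  Rebuilds the stream for a local TCP client; it can
    report which frames never arrived but has no way to request them."""
    parts, total = {}, None
    for frame in received:
        if len(frame) < FRAME_HDR.size:
            continue                                   # truncated: ignore
        seq, tot, plen, crc = FRAME_HDR.unpack_from(frame)
        payload = frame[FRAME_HDR.size:FRAME_HDR.size + plen]
        if len(payload) != plen or zlib.crc32(payload) != crc:
            continue                                   # corrupted: ignore, another copy may survive
        total = tot if total is None else total
        parts.setdefault(seq, payload)                 # duplicate copies are harmless
    if total is None:
        return b"", None                               # nothing usable arrived at all
    missing = [seq for seq in range(total) if seq not in parts]
    data = b"".join(parts[seq] for seq in range(total) if seq in parts)
    return data, missing


if __name__ == "__main__":
    rng = random.Random(7)
    document = bytes(rng.getrandbits(8) for _ in range(10_000))   # constructed payload
    frames = low_side_encapsulate(document)
    arrived = one_way_link(frames, drop=lambda i: rng.random() < 0.05)   # 5% frame loss
    data, missing = high_side_reassemble(arrived)
    print(f"{len(frames)} frames sent, {len(arrived)} arrived, "
          f"stream {'intact' if data == document else 'incomplete'}, missing {missing}")
```

Note what the high side does when a frame is missing: it records the gap and moves on. In a real deployment that gap is the point at which an operator or a scheduled re-send on the low side has to intervene, because the high side has no channel through which to complain.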
History
The idea of unidirectional networks has been around since the 1960s. It was developed further in the 1990s by Australia's Defence Science and Technology Organisation (DSTO), whose work produced the data diode[3][4] and the Interactive Link.[5]
Variations
The simplest form of a unidirectional network is a modified fiber-optic link with the transceiver for one direction removed or disconnected, and with any link-failure protection mechanisms, which would otherwise treat the missing return signal as a fault and take the link down, disabled. Some commercial products rely on this basic design but add software that gives applications an interface for passing data across the link.[6]
Other commercial offerings use proprietary protocols that enable one-way transfer of data from protocols that normally require bidirectional links.[7]
The US Naval Research Laboratory (NRL) has developed its own unidirectional network called the Network Pump.[8] This is in many ways similar to DSTO's work, except that it allows a limited backchannel from the high side to the low side for transmitting acknowledgments. This allows more protocols to be used over the network, but introduces a potential covert channel if both the high and low sides are compromised: a high-side process can leak data by artificially delaying its acknowledgments, and a low-side process can decode those delays.[9]
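As an added illustration of that timing channel (example code written for this page, not NRL's software and not from the cited paper), the Python below lets a compromised high side encode one bit per acknowledgment by choosing between two response times, shows a compromised low side recovering the bytes from timing alone, and then shows the effect of having the pump itself pace the acknowledgments with a random delay whose mean tracks a moving average of recent high-side response times, which is the principle the Pump design uses against this channel. The two response times, the eight-message window, the exponential delay distribution and the `covert_channel_demo` helper are assumptions made for this example.

```python
import random
import statistics

# The compromised high side's two ACK response times, in seconds (constructed values).
FAST, SLOW = 0.010, 0.030
THRESHOLD = (FAST + SLOW) / 2


def to_bits(data: bytes) -> list[int]:
    return [(byte >> i) & 1 for byte in data for i in range(7, -1, -1)]


def from_bits(bits: list[int]) -> bytes:
    return bytes(int("".join(map(str, bits[i:i + 8])), 2) for i in range(0, len(bits) - 7, 8))


def high_side_ack_delays(secret: bytes) -> list[float]:
    """Compromised high side: it acknowledges every message, as the backchannel
    permits, but picks the response time so that each ACK encodes one secret bit."""
    return [SLOW if bit else FAST for bit in to_bits(secret)]


def low_side_decode(ack_delays: list[float]) -> bytes:
    """Compromised low side: it only ever sees ACKs, yet their timing recovers the bits."""
    return from_bits([1 if d > THRESHOLD else 0 for d in ack_delays])


def pump_ack_delays(high_side_delays: list[float], rng: random.Random, window: int = 8) -> list[float]:
    """Pump-style pacing (simplified, assumed distribution): the pump, not the high
    side, releases each ACK after a random delay whose mean is the moving average
    of the last `window` high-side response times.  Throughput still follows the
    high side's real speed, but an individual ACK carries little of its choice."""
    out, history = [], []
    for d in high_side_delays:
        history.append(d)
        mean = statistics.fmean(history[-window:])
        out.append(rng.expovariate(1.0 / mean))      # exponential delay with that mean
    return out


def bit_error_rate(sent: bytes, received: bytes) -> float:
    a, b = to_bits(sent), to_bits(received)
    if not a:
        return 0.0
    return sum(x != y for x, y in zip(a, b)) / len(a)


def covert_channel_demo(secret: bytes, seed: int = 1) -> tuple[bytes, float]:
    """Returns what the low side recovers from raw high-side ACK timing, and the
    bit error rate it suffers once the pump paces the ACKs instead."""
    raw = high_side_ack_delays(secret)
    paced = pump_ack_delays(raw, random.Random(seed))
    return low_side_decode(raw), bit_error_rate(secret, low_side_decode(paced))


if __name__ == "__main__":
    leaked, ber = covert_channel_demo(b"launch code 0042")   # constructed secret
    print(f"raw ACK timing leaks: {leaked!r}")
    print(f"with pump pacing, low side's bit error rate: {ber:.2f}")
```

The pacing does not close the channel completely: the moving average still drifts with the high side's choices, so a patient attacker can signal at a much lower rate. What it removes is the per-message one-bit leak, which is why the page describes the channel as "potential" rather than eliminated.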
Applications
There are two general models for using unidirectional network connections. In the classical model, the purpose of the data diode is to prevent export of classified data from a secure machine while allowing import of data from an insecure machine. In the alternative model, the diode is used to allow export of data from a protected machine while preventing attacks on that machine. These are described in more detail below.
One-way flow to more secure machines
In the Bell-LaPadula security model, users of a computer system can only create data at or above their own security level (the "no write down" rule). This applies in contexts where there is a hierarchy of information classifications, such as the one that runs from unclassified at the low end through confidential and secret to top secret. If users at each security level share a machine dedicated to that level, and the machines are connected by data diodes pointing only from lower to higher levels, the Bell-LaPadula constraints are enforced by the hardware itself: data can move up the hierarchy but never down.[10]
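A topology of per-level machines joined by diodes can be checked mechanically against that rule. The Python below, an example added for this page rather than code from any cited source, models the four-level hierarchy, a constructed set of machines and diode links, and reports every pair of machines, possibly several hops apart, between which data could end up at a level that does not dominate where it started. The machine names and the two "wrong-way" links in `LINKS_BAD` are assumptions made for the illustration.

```python
# Hierarchy from low to high; a level dominates every level at or below it.
LEVELS = ["unclassified", "confidential", "secret", "top secret"]
RANK = {level: i for i, level in enumerate(LEVELS)}

# Constructed topology: one machine per level plus the Internet-facing host.
MACHINES = {
    "internet": "unclassified",
    "unclass": "unclassified",
    "conf": "confidential",
    "secret": "secret",
    "ts": "top secret",
}
# Diodes are (source, destination) pairs: data can flow only from source to destination.
LINKS_OK = [("internet", "unclass"), ("unclass", "conf"), ("conf", "secret"), ("secret", "ts")]
# The same topology plus two diodes installed "for convenience" pointing the wrong way.
LINKS_BAD = LINKS_OK + [("secret", "conf"), ("ts", "secret")]


def dominates(high: str, low: str) -> bool:
    return RANK[high] >= RANK[low]


def diode_allowed(src_level: str, dst_level: str) -> bool:
    """A single diode respects the no-write-down rule when its destination dominates its source."""
    return dominates(dst_level, src_level)


def reachable_from(links, start):
    """Every machine that data starting at `start` can reach over one or more diodes."""
    adj = {}
    for src, dst in links:
        adj.setdefault(src, set()).add(dst)
    seen, stack = set(), [start]
    while stack:
        node = stack.pop()
        for nxt in adj.get(node, ()):
            if nxt not in seen:
                seen.add(nxt)
                stack.append(nxt)
    return seen


def downward_flows(machines, links):
    """All (source, destination) pairs, over any number of hops, where data would
    land on a machine whose level does not dominate the level it came from."""
    bad = []
    for src in machines:
        for dst in reachable_from(links, src):
            if dst != src and not dominates(machines[dst], machines[src]):
                bad.append((src, dst))
    return sorted(bad)


if __name__ == "__main__":
    print("compliant topology:", downward_flows(MACHINES, LINKS_OK))
    print("with wrong-way diodes:", downward_flows(MACHINES, LINKS_BAD))
```

Checking reachability rather than each link in isolation matters because two wrong-way links compose: in `LINKS_BAD` the top-secret machine can leak to the confidential one even though no single diode joins them.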
The majority of unidirectional network applications in this category are in defense and among defense contractors. These organizations have traditionally applied air gaps to keep classified data physically separate from any Internet connection. With the introduction of unidirectional networks in some of these environments, a degree of connectivity can exist between a network holding classified data and a network with an Internet connection without creating a path back out.
Examples of this use of unidirectional technology include:
One-way flow to less secure machines
The second broad application involves systems that must be secured against attack from public networks while publishing information to such networks. For example, an election management system used with electronic voting must make election results available to the public while at the same time it must be immune to attack. The conventional solution to this is to use an air gap between the public network and the election management system, with data export by "sneakernet." The alternative is to use a data diode on the export channel.[13]
This model is applicable to a variety of critical infrastructure protection problems, where protecting the confidentiality of the data in a network matters less than reliable control and correct operation of the network.[1] For example, the public living downstream from a dam needs up-to-date information on the outflow, and the same information is a critical input to the control system for the floodgates. In such a situation, it is critical that information flow from the secure control system to the public, and not vice versa.
Common applications
Common deployments of data diode technology include:
- Remote monitoring of equipment, process historian data and human-machine interfaces
- Secure printing from a less secure network to a highly secure network (reducing print costs)
- Transferring application and operating system updates from a less secure network to a highly secure network
- Monitoring multiple networks from a SOC
- Time synchronisation in highly secure networks
- File transfer (high to low or low to high)
- Streaming video (high to low or low to high)
- Sending or receiving alerts and alarms
- Sending or receiving email
References
- [1] Ginter, Andrew (2016). SCADA Security: What's Broken and How to Fix It. Calgary, AB, Canada: Abterra Technologies Inc. ISBN 9780995298408.
- [2] Slay, J & Turnbull, B 2004, 'The Uses and Limitations of Unidirectional Network Bridges in a Secure Electronic Commerce Environment', paper presented at the INC 2004 Conference, Plymouth, UK, 6–9 July 2004.
- [3] Stevens, MW & Pope, M 1995, Data Diodes, DSTO Electronics and Surveillance Research Laboratory, Adelaide.
- [4] Stevens, MW 1999, An Implementation of an Optical Data Diode, DSTO Electronics and Surveillance Research Laboratory, Adelaide.
- [5] Anderson, M, North, C, Griffin, J, Milner, R, Yesberg, J & Yiu, K 1996, 'Starlight: Interactive Link', San Diego, CA, USA.
- [6] "How Data Diodes Work" (PDF). Deep-Secure.
- [7] "Intelligent Data Diodes". Owl Cyber Defense Solutions. Retrieved 6 June 2017.
- [8] US Naval Research Laboratory, Network Pump brochure (PDF): http://www.nrl.navy.mil/itd/chacs/sites/edit-www.nrl.navy.mil.itd.chacs/files/files/networkPumpBrochure_0.pdf
- [9] Kang, MH, Moskowitz, IS & Chincheck, S 2005, 'The Pump: A Decade of Covert Fun'.
- [10] Curt A. Nilsen, Method for Transferring Data from an Unsecured Computer to a Secured Computer, U.S. Patent 5,703,562, 30 December 1997.
- [11] Australian Government Information Management Office 2003, Securing Systems with Starlight, Department of Finance and Administration, viewed 14 April 2011, archived 6 April 2011 at the Wayback Machine.
- [12] Wordsworth, C 1998, Media Release: Minister Awards Pioneer in Computer Security, viewed 14 April 2011, archived 27 March 2011 at the Wayback Machine.
- [13] Douglas W. Jones and Tom C. Bowersox, Secure Data Export and Auditing Using Data Diodes, Proceedings of the 2006 USENIX/ACCURATE Electronic Voting Technology Workshop, 1 August 2006, Vancouver.