Secure, Unidirectional Data Flow with Network Taps

White Paper
Data diodes refer to unidirectional network links used in some high-security network architectures. This paper explains how data diodes are used to secure information and protect against intrusions; it also shows that Net Optics Taps and other monitoring access and control devices are, in fact, data diodes.

The Highs and Lows of a Secure Environment


When the highest possible data security is needed, an air gap is maintained between the secure domain and the rest of the world. The secure network domain simply has no physical connection to the outside world, so nothing can enter or leave by wire or wireless, only by sneaker net. (Sneaker net means a person carrying a removable storage device.) However, in many high-security environments, unidirectional security is sufficient, and a data diode is employed to allow traffic to flow in one direction only between two network domains. The more secure domain is known as the high side, and the less secure domain is the low side. Depending on the application, the data diode permits traffic flow from the low side to the high side, or vice versa. (The name data diode comes from the term diode, an electronic component that allows electrical current to flow in one direction but not the other.) Data flow is restricted to move only from the low (less secure) side to the high (more secure) side when the goal is to keep information secure within the high side. Figure 1 illustrates this type of application. In this case, a defense contractor must ensure that confidential data cannot leave the premises, at least not by way of the network. A data diode connecting the defense contractor's network to the Internet prevents any traffic from leaving the defense contractor's network, satisfying the security requirement. However, the data diode does allow data from outside to move into the defense contractor's network, so the contractor can receive important information from partners and suppliers.

[Figure 1 labels: High Side (More secure): Defense Contractor. Low Side (Less secure): Internet. A Data Diode sits between them. Traffic can flow from the Internet to the Defense Contractor (data can be sent to the Defense Contractor); traffic can NOT flow in the other direction (the Defense Contractor's data is secure).]

Figure 1: A data diode prevents confidential data from leaving the more secure high side

July 2011

Data flow is restricted to move only from the high (more secure) side to the low (less secure) side when the goal is to prevent intrusions and infections, but allow sharing of information from the high side. Figure 2 illustrates this type of application. In this case, a voting machine is connected through a data diode to the Internet, enabling the machine to send its vote count results to vote counting headquarters and to Web sites, while being completely secure from intruders hacking into the voting machine.

[Figure 2 labels: High Side (More secure): Voting Machine. Low Side (Less secure): Internet. A Data Diode sits between them. Traffic can flow from the Voting Machine to the Internet (the Voting Machine can send vote counts to headquarters); traffic can NOT flow in the other direction (intruders cannot hack into the Voting Machine).]

Figure 2: A data diode prevents intrusions into the more secure high side

How a Data Diode Works


A data diode is easy to build, in principle. Figure 3 shows a data diode constructed by simply breaking one fiber in a duplex cable to prevent information flow in one direction.

[Figure 3 labels: Full duplex fiber cable between a Router and a Switch; each direction of traffic flow has a dedicated fiber. The return fiber is broken (X): there is no path for data to flow from the switch to the router.]

Figure 3: A simple data diode made by breaking one fiber in a duplex cable

If it is that easy to create a data diode, what are data diode vendors providing? It turns out that, in practice, breaking one of the fibers stops communication in not one, but both directions, because most networking protocols depend on two-way communication to establish and maintain connections. To take an example, you cannot get any data from a Web site unless you can first send a request to the Web site. For another example, if a TCP segment does not receive an acknowledgement, the TCP connection terminates and no data is transferred. In order to make one-way communication work, a sophisticated data diode terminates the full duplex connection on each side of the communications with proxy servers, while allowing information to flow only one way between the proxy servers. This arrangement is illustrated in Figure 4.

[Figure 4 labels: Data Diode Server containing two Proxies, placed between a Router and a Switch.]

Figure 4: A data diode server terminates full duplex protocols at each end with proxy servers, while permitting only one-way traffic between the proxies
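The reason a single broken fiber kills traffic in both directions, and the way the proxies of Figure 4 restore one-way delivery, as an added Python model (this is not code from the paper or from Net Optics; the class names are invented, and the handshake is a deliberately simplified stand-in for TCP's SYN/ACK exchange):

```python
class OneWayLink:
    """The one unbroken fiber of Figures 3 and 4: frames travel high -> low only."""
    def __init__(self):
        self.frames = []
    def put(self, side, frame):
        if side != "high":
            raise ConnectionError("no fiber carries frames from the low side")
        self.frames.append(frame)

class Endpoint:
    """Host speaking a simplified two-way protocol: each segment needs an ACK."""
    def __init__(self, peer=None):
        self.received, self.peer = [], peer
    def send(self, segments):
        if self.peer.deliver(("SYN", None)) != ("SYN-ACK", None):
            raise ConnectionError("handshake failed: no SYN-ACK came back")
        for seg in segments:
            if self.peer.deliver(("DATA", seg)) != ("ACK", seg):
                raise ConnectionError("unacknowledged segment, connection aborted")
        return len(segments)
    def deliver(self, msg):  # receiving side of the same protocol
        kind, seg = msg
        if kind == "DATA":
            self.received.append(seg)
        return ("SYN-ACK", None) if kind == "SYN" else ("ACK", seg)

class Attachment:
    """Bare (Figure 3): frames go out, no ACK returns. Proxy (Figure 4): the
    two-way protocol is terminated locally and only payload crosses the link."""
    def __init__(self, link, side, proxy):
        self.link, self.side, self.proxy = link, side, proxy
    def deliver(self, msg):
        kind, seg = msg
        if not self.proxy:  # bare link: frame leaves, but the return fiber is broken
            return self.link.put(self.side, msg)  # put() returns None: no ACK
        if kind == "SYN":
            return ("SYN-ACK", None)
        self.link.put(self.side, seg)
        return ("ACK", seg)

def attempt(side, data, proxy):
    """Data delivered to the far host, or the error that stopped the transfer."""
    link, receiver = OneWayLink(), Endpoint()
    try:
        Endpoint(Attachment(link, side, proxy)).send(data)
        Endpoint(receiver).send(link.frames)  # low-side proxy: fresh 2-way session
        return receiver.received
    except ConnectionError as err:
        return str(err)
```

With `proxy=False` the high-side host never sees a SYN-ACK and aborts, so nothing reaches the low side even though the fiber in that direction is intact; with `proxy=True` the data arrives, while any attempt from the low side still fails at the missing fiber.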

Network Monitoring Taps Are Data Diodes (but Span ports are not!)
Network monitoring applications use unidirectional communications intrinsically, because mirrored copies of network traffic flow one way, to the monitoring tool, and not the other way, from the monitoring tool back to the network. Network Taps are natural data diodes, and the most secure way to connect a monitoring tool to the network. Note that switch Span ports, which are often used to send traffic to monitoring tools, are NOT data diodes. They are bidirectional connections, and, through inadvertent or malicious misconfiguration, can inject data into the network. Therefore, Span ports are not suitable for high-security installations.

[Figure 5 labels: Router connected to a Switch by a full duplex link, with a Net Optics Fiber Tap on the link. The Tap sends a mirrored copy of the traffic as a one-way traffic flow to a Protocol Analyzer. A Span Port on the Switch feeds a second Protocol Analyzer over a bidirectional connection!]

Figure 5: Network taps are natural data diodes; switch Span ports are not!
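A check the monitoring host itself can run to confirm that its capture feed behaves like a Tap rather than a Span port, as an added Python example that is not from the paper: it samples the Linux per-interface counters (assumed path /sys/class/net/<iface>/statistics, interface name assumed) and flags any transmitted frame, which is what a misconfigured Span port, or a deliberately non-diode device such as the Active Response Tap discussed later, would show.

```python
from pathlib import Path
import time

COUNTERS = ("rx_packets", "tx_packets")

def read_counters(stats_dir):
    """Reads the capture interface's counters from a sysfs-style statistics
    directory (on Linux: /sys/class/net/<iface>/statistics)."""
    return {name: int(Path(stats_dir, name).read_text()) for name in COUNTERS}

def classify(before, after):
    """Judges two counter samples taken from the capture interface:
    DIODE: frames only arrive, none have ever left (Tap behaviour, Figures 6 and 7)
    DEAD: nothing arrives either, so the feed itself is down
    NOT_DIODE: the interface transmitted, so a path back into the network exists"""
    tx_total = after["tx_packets"]
    tx_delta = after["tx_packets"] - before["tx_packets"]
    rx_delta = after["rx_packets"] - before["rx_packets"]
    if tx_total > 0:
        return "NOT_DIODE", f"{tx_total} frames transmitted ({tx_delta} in window)"
    if rx_delta == 0:
        return "DEAD", "no frames received during the window"
    return "DIODE", f"{rx_delta} frames received, none transmitted"

def diode_check(stats_dir, window_seconds=10):
    """Samples the counters twice, window_seconds apart, and classifies the feed."""
    before = read_counters(stats_dir)
    time.sleep(window_seconds)
    return classify(before, read_counters(stats_dir))

if __name__ == "__main__":
    import sys  # usage: python diode_check.py /sys/class/net/eth1/statistics
    print(*diode_check(sys.argv[1]))
```

A NOT_DIODE verdict on a feed that is supposed to come from a Tap means something on the host (ARP, DHCP, LLDP, a management daemon) is talking out of the capture interface, and the wiring or host configuration should be reviewed before the feed is trusted in a high-security installation.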

The traffic flowing from the Tap to the monitoring tool is a mirrored copy of raw network traffic, so no protocol handshakes are expected from the monitoring tool. Therefore, proxy servers are not needed, and the simple data diode model of Figure 3 is exactly what is implemented in a Tap. In the case of a Fiber Tap, the fibers that would carry data from the tool to the Tap are completely absent. This can be seen in Figure 6.

[Figure 6 labels: Fiber Tap containing two Optical Splitters on the link between a Router and a Switch. A Monitoring Breakout Cable carries the split signals to a Protocol Analyzer; there is no path for data to flow into the network link.]

Figure 6: Network taps are natural data diodes

The Fiber Tap is a device that consumes no power and needs no electricity. It is simply two optical splitters in a small chassis. Each splitter takes the signal being received at each network port and splits it in two, sending part of the signal down its usual path on the network, and the other part to the monitoring tool. To save space, the Fiber Tap brings both monitoring fibers out a single connector, but it is important to note that this duplex fiber connector does not carry its usual bidirectional signals, but rather two fibers that both carry signals in the outbound direction. Net Optics provides a special monitoring breakout cable to break these two signals out to two standard duplex connectors that attach to two ports on the monitoring tool. The two connectors that go to the tool have fibers only in the direction carrying traffic into the tool. The sides of the connectors on the outbound sides of the monitoring tool's ports have no fibers, and therefore there is no path to carry traffic back to the network. The Tap is a perfect data diode. The network traffic cannot be disrupted even if a signal is maliciously driven into the monitoring fiber back towards the network. The physics of the optical splitter guarantees that the signal will propagate towards the transmitting end of the network cable only, and not to the receiving end, so there would be no impact on the network traffic.

Copper Taps Are Data Diodes
Network Taps for copper media follow essentially the same topology as the Fiber Tap, as shown in Figure 7.
[Figure 7 labels: Copper Tap on the link between a Router and a Switch. The network link passes through pairs of PHYs; the monitoring paths run from each PHY through a MAC, then through another MAC and PHY to the Protocol Analyzer. The reverse path is broken (X) between PHY and MAC on each monitoring path: there is no path for data to flow into the network link.]

Figure 7: Network taps are natural data diodes

In a Gigabit or 10 Gigabit copper Tap, the reverse traffic path cannot be broken right at the connector because the Ethernet Physical Interfaces (PHYs) negotiate which pins will be used for transmitting data and which for receiving data. (This feature is called Medium Dependent Interface (MDI) or, more properly, auto-MDIX. It is the reason why you never need to worry about crossover cables anymore.) Therefore, the break in the reverse traffic path is made between the PHY and the Media Access Controller (MAC), where the pin directions are fixed. The effect is the same: no physical path exists to carry traffic from the monitoring tool back to the network.

Data Monitoring Switches and Network Controller Switches Are Data Diodes
All Net Optics devices that support integrated inline tapping use these same topologies for fiber or copper interfaces to guarantee that the device acts as a true data diode: it is physically impossible to send data from the monitoring tool (or from the device's management interface, or from the device itself) to the inline network link. A sampling of such products includes:

Director™ inline DNMs, models DNM-100 (copper) and DNM-200 (fiber)
iLink Agg™ inline models LA-2405 (copper) and LA-2410 (fiber)
Regeneration Taps™ models RGN-GCU-IL8 (copper) and RG-830X (10G fiber)
iTap™ Port Aggregators models IPA-CU3 (copper) and IPA-50SR-XFP (10G fiber)
Fiber and Copper Network Taps models TP-CU3-ZD (copper) and TP-800X (10G fiber)

Summary
This paper has explained why data diodes are essential for creating completely secure network connections that access and control. Switch Span ports, on the other hand, are n visibility including errors and malformed packets, totally passive behavior even when power fails, and never dropping topology, make Network Taps from Net Optics the best way to Tap into your Network.

Sometimes Taps Are NOT Data Diodes


As a rule, all Net Optics monitoring access and control devices are data diodes. But they say that rules are made to be broken, and the exception proves the rule. In this case, the exception is the Active Response Tap. This special type of Tap was created to meet the following customer requirement: when a monitoring Intrusion Detection System (IDS) detects certain types of illegal or unwanted network behavior, the IDS needs to be able to issue a TCP reset to the network to terminate the connection. The TCP reset is a normal flag set in the TCP header. In other words, the monitoring tool, the IDS, needs to be able to inject a packet onto the network. To meet this requirement, Net Optics developed the Active Response Tap, which is a copper Tap that has the PHY and the MAC connected. Active Response Taps are not data diodes, and therefore the possible security impacts should be evaluated carefully when choosing to use Active Response. But Active Response may not be the end of the story when it comes to Taps that are not data diodes. New applications are being invented that break the data diode model for monitoring access. One such invention is Link Layer Discovery Protocol (LLDP), which requires that every device, including monitoring access and control devices, must announce itself on the network to support auto-discovery of the network topology by network management systems. Like the Active Response case, LLDP requires that a small amount of traffic flow in the reverse direction, into the network. Monitoring devices such as Intrusion Prevention Systems (IPSs) are another example where the data diode model is not appropriate. Therefore, Net Optics Bypass Switches, which create fail-safe ports for inline tools, are not data diodes. It will be interesting to see how the data diode model for monitoring access holds up as innovative new protocols and monitoring tools become part of the networking landscape.

For further information about Network Taps and other data diode solutions:
Net Optics, Inc. 5303 Betsy Ross Drive Santa Clara, CA 95054 (408) 737-7777 info@netoptics.com www.netoptics.com

Distributed by:
Network Performance Channel GmbH Ohmstr. 12 63225 Langen Germany +49 6103 906 722 info@np-channel.com / www.np-channel.com
