White Paper
Data diodes refer to unidirectional network links used in some high-security network architectures. This paper explains how data diodes are used to secure information and protect against intrusions; it also shows that Net Optics Taps and other monitoring access and control devices are, in fact, data diodes.
Figure 1 (diagram): Internet, marked "Low Side (Less secure)", connects through a Data Diode to the Defense Contractor. Annotation: "Traffic can flow in this direction: data can be sent to the Defense Contractor."
Figure 1: A data diode prevents confidential data from leaving the more secure high side
July 2011
Figure 2 (diagram): Internet, marked "Low Side (Less secure)", connects through a Data Diode to the Voting Machine. Annotations: "Traffic can flow in this direction: the Voting Machine can send vote counts to headquarters." and "Traffic can NOT flow in this direction: intruders cannot hack into the Voting Machine."
Figure 2: A data diode prevents intrusions into the more secure high side
Figure 3 (diagram): Router and Switch joined by a duplex fiber cable, with the return fiber marked X. Annotation: "Return fiber broken. There is no path for data to flow from the switch to the router."
Figure 3: A simple data diode made by breaking one fiber in a duplex cable
Figure 4 (diagram): Router and Switch connected through a data diode server.
Figure 4: A data diode server terminates full duplex protocols at each end with proxy servers, while permitting only one-way traffic between the proxies
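The figure shows the architecture but not what the two proxies have to do to make a full-duplex protocol survive a one-way link. The following Python is an added example, not code from the white paper or from Net Optics, of the transfer that runs between the proxies: the high-side proxy terminates the application session (TCP, for instance) locally and pushes framed datagrams across the diode; the low-side proxy reassembles them. Because no acknowledgement can ever come back, the sender adds sequence numbers, a CRC and plain repetition up front, and the receiver can only detect a gap, never request a resend. The frame layout, chunk size and repeat count are assumptions made for this example, and the diode is simulated by a Python list so that the code runs offline.

```python
"""One-way transfer between diode proxies, in miniature.

Added example for this page; not code from the white paper or from Net Optics.
The diode is a Python list that datagrams only ever enter from the high side.
Frame layout (assumed): MAGIC | crc32 | seq | total | payload length | payload.
"""
import struct
import zlib

MAGIC = b"DIOD"               # assumed frame marker
CHUNK = 512                   # payload bytes per datagram (assumed)
REPEAT = 3                    # copies of each datagram; no resend request can ever arrive
BODY = struct.Struct("!IIH")  # seq, total, payload length


def frame(seq: int, total: int, payload: bytes) -> bytes:
    """Build one datagram; the CRC covers seq, total, length and payload."""
    body = BODY.pack(seq, total, len(payload)) + payload
    return MAGIC + struct.pack("!I", zlib.crc32(body)) + body


def parse(datagram: bytes):
    """Return (seq, total, payload), or None if the datagram is damaged."""
    if len(datagram) < 8 + BODY.size or datagram[:4] != MAGIC:
        return None
    (crc,) = struct.unpack("!I", datagram[4:8])
    body = datagram[8:]
    if zlib.crc32(body) != crc:
        return None
    seq, total, plen = BODY.unpack(body[:BODY.size])
    payload = body[BODY.size:]
    if len(payload) != plen:
        return None
    return seq, total, payload


def high_side_send(data: bytes, channel: list) -> int:
    """High-side proxy. The full-duplex application session was terminated
    here; only framed datagrams go into the one-way channel. Each one is sent
    REPEAT times because loss cannot be signalled back. Returns datagram count."""
    chunks = [data[i:i + CHUNK] for i in range(0, len(data), CHUNK)] or [b""]
    for seq, chunk in enumerate(chunks):
        datagram = frame(seq, len(chunks), chunk)
        for _ in range(REPEAT):
            channel.append(datagram)
    return len(channel)


def lossy_diode(channel: list, drop: set, corrupt: set) -> list:
    """Constructed stand-in for the physical link. Datagrams at the indices in
    `drop` are lost and those in `corrupt` get their last byte flipped; nothing
    ever travels in the other direction."""
    out = []
    for i, datagram in enumerate(channel):
        if i in drop:
            continue
        if i in corrupt:
            datagram = datagram[:-1] + bytes([datagram[-1] ^ 0xFF])
        out.append(datagram)
    return out


def low_side_receive(datagrams: list):
    """Low-side proxy. Reassembles by sequence number, so duplicates and
    reordering are harmless and corrupt frames are simply dropped. Returns
    (data, missing_seqs); data is None while a gap remains, because the only
    option on this side of a diode is to report the gap, not to request a resend."""
    have, total = {}, None
    for datagram in datagrams:
        parsed = parse(datagram)
        if parsed is None:
            continue
        seq, total, payload = parsed
        have.setdefault(seq, payload)
    if total is None:
        return None, []
    missing = [s for s in range(total) if s not in have]
    if missing:
        return None, missing
    return b"".join(have[s] for s in range(total)), []


if __name__ == "__main__":
    sample = bytes(range(256)) * 5          # constructed 1280-byte payload
    link = []
    high_side_send(sample, link)
    data, gaps = low_side_receive(lossy_diode(link, drop={3}, corrupt={0}))
    print("recovered:", data == sample, "gaps:", gaps)
    data, gaps = low_side_receive(lossy_diode(link, drop={6, 7, 8}, corrupt=set()))
    print("recovered:", data == sample, "gaps:", gaps)
```

Plain repetition is the simplest redundancy; a production diode proxy would use forward error correction and a whole-file digest instead, but the constraint it is working around is the same one shown here: the low side can verify and report, it cannot ask.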
Network Monitoring Taps Are Data Diodes (but Span ports are not!)
Network monitoring applications use unidirectional communications intrinsically, because mirrored copies of network traffic flow one way, to the monitoring tool, and not the other way, from the monitoring tool back to the network. Network Taps are natural data diodes and the most secure way to connect a monitoring tool to the network. Note that switch Span ports, which are often used to send traffic to monitoring tools, are NOT data diodes. They are bidirectional connections and, through inadvertent or malicious misconfiguration, can inject data into the network. Therefore, Span ports are not suitable for high-security installations.
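A practical check that follows from this: review every Span (mirror) session on a switch that feeds a monitoring tool, because a destination port can be configured to accept frames from the tool as well as mirror traffic to it. The script below is an added example, not from the white paper or from Net Optics. It audits configuration text written in the style of Cisco IOS `monitor session` commands, where the `ingress` keyword on a destination interface allows frames received from the monitoring tool to be forwarded into the named VLAN; the sample configuration is constructed, and the exact keyword syntax should be verified against your platform. The caveat the paper makes still applies: a destination without `ingress` is a switch port whose direction is a software setting, not a physical property, so it is a checked configuration, not a data diode.

```python
"""Audit switch configuration text for Span destinations that can carry
traffic back into the network.

Added example for this page, not from the white paper. Configuration lines
are constructed in the style of Cisco IOS `monitor session` commands; the
`ingress` keyword on a destination is the assumed marker of a bidirectional
port, and platform syntax should be checked before relying on the pattern.
"""
import re

# Constructed sample; not a real device configuration.
SAMPLE_CONFIG = """\
! constructed sample for this example
monitor session 1 source interface Gi1/0/1 both
monitor session 1 destination interface Gi1/0/24
monitor session 2 source vlan 10 rx
monitor session 2 destination interface Gi1/0/23 ingress vlan 10
monitor session 3 source interface Gi1/0/5
monitor session 3 destination interface Gi1/0/22 ingress untagged vlan 20
"""

DEST_RE = re.compile(
    r"^monitor session (?P<id>\d+) destination interface (?P<port>\S+)(?P<rest>.*)$"
)


def audit_span(config: str) -> list:
    """Return one finding per Span destination: whether the port only mirrors
    traffic toward the tool or also accepts ingress from the tool."""
    findings = []
    for line in config.splitlines():
        match = DEST_RE.match(line.strip())
        if not match:
            continue
        ingress = re.search(r"\bingress\b", match.group("rest")) is not None
        findings.append({
            "session": int(match.group("id")),
            "port": match.group("port"),
            "ingress": ingress,
            "verdict": ("bidirectional: tool can inject frames into the network"
                        if ingress else "mirror only (still a software setting)"),
        })
    return findings


def remediation(finding: dict) -> str:
    """The destination line as it should read: no ingress clause at all."""
    return f"monitor session {finding['session']} destination interface {finding['port']}"


def report(config: str) -> list:
    """Human-readable lines for the flagged sessions only."""
    lines = []
    for f in audit_span(config):
        if f["ingress"]:
            lines.append(f"session {f['session']} port {f['port']}: {f['verdict']}; "
                         f"expected: {remediation(f)}")
    return lines


if __name__ == "__main__":
    for line in report(SAMPLE_CONFIG):
        print(line)
```

Run it against the exported running configuration of each switch that feeds a monitoring tool; sessions 2 and 3 in the constructed sample are the ones that would let a compromised analyzer speak onto the network.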
Figure 5 (diagram): a Router feeding two Protocol Analyzers, one through a network Tap and one through a switch Span port.
Figure 5: Network taps are natural data diodes; switch Span ports are not!
Fiber Tap (diagram): two Optical Splitters in the Tap chassis on the Router-to-Switch link; a Monitoring Breakout Cable carries the two monitoring fibers to the Protocol Analyzer. Annotation: "No path for data to flow into the network link."
The Fiber Tap consumes no power and needs no electricity. It is simply two optical splitters in a small chassis. Each splitter takes the signal received at one network port and splits it in two, sending part of the signal down its usual path on the network and the other part to the monitoring tool. To save space, the Fiber Tap brings both monitoring fibers out of a single connector; note that this duplex fiber connector does not carry the usual pair of opposite-direction signals, but two fibers that both carry signals outbound, toward the tool. Net Optics provides a monitoring breakout cable that separates these two signals onto two standard duplex connectors, which attach to two ports on the monitoring tool. The connectors that go to the tool have fibers only in the direction carrying traffic into the tool; the positions that would carry the tool's transmit signal contain no fiber at all, so there is no path to carry traffic back to the network. The Tap is a perfect data diode: its one-way behaviour comes from a missing fiber, not from a setting. Network traffic cannot be disrupted even if a signal is maliciously driven into a monitoring fiber back toward the Tap. A passive splitter is directional, so light injected at the monitoring leg propagates toward the transmitting end of the network cable only, never toward the receiving end, and the network traffic is unaffected.
Copper Tap (diagram): Router, Switch and Protocol Analyzer, each path shown as PHY and MAC stages; the reverse paths toward the network are marked X between the PHY and the MAC.
In a Gigabit or 10 Gigabit copper Tap, the reverse traffic path cannot be broken right at the connector, because the Ethernet physical interfaces (PHYs) negotiate which pins will be used for transmitting data and which for receiving. (This feature is called Medium Dependent Interface, MDI, or, more properly, auto-MDIX; it is the reason you no longer need to worry about crossover cables.) For 1000BASE-T and 10GBASE-T there is a second reason: every pair carries traffic in both directions simultaneously, so the two directions are not on separate wires at all. Therefore, the break in the reverse traffic path is made between the PHY and the Media Access Controller (MAC), where the direction of each signal is fixed. The effect is the same: no physical path exists to carry traffic from the monitoring tool back to the network.
Data Monitoring Switches and Network Controller Switches Are Data Diodes
All Net Optics devices that support integrated inline tapping use these same topologies for fiber or copper interfaces to guarantee that the device acts as a true data diode: it is physically impossible to send data from the monitoring tool (or from the device's management interface, or from the device itself) to the inline network link. A sampling of such products:
Director™ inline DNMs, models DNM-100 (copper) and DNM-200 (fiber)
iLink Agg™ inline models LA-2405 (copper) and LA-2410 (fiber)
Regeneration Taps™, models RGN-GCU-IL8 (copper) and RG-830X (10G fiber)
iTap™ Port Aggregators, models IPA-CU3 (copper) and IPA-50SR-XFP (10G fiber)
Fiber and Copper Network Taps, models TP-CU3-ZD (copper) and TP-800X (10G fiber)
For further information about Network Taps and other data diode solutions:
Net Optics, Inc. 5303 Betsy Ross Drive Santa Clara, CA 95054 (408) 737-7777 info@netoptics.com www.netoptics.com
Distributed by:
Network Performance Channel GmbH Ohmstr. 12 63225 Langen Germany +49 6103 906 722 info@np-channel.com / www.np-channel.com