Air gaps and segmentation are common concepts to secure operational technology (OT) networks with the goal of minimizing the harm of a breach and threats by isolating it to a limited part of the network. Unless an attacker obtains physical access to an air-gapped computer network, they can’t be breached.
However, air-gapped networks are difficult to deal with in practice. The headaches from maintenance alone make true air-gapped networks impractical for all but the most sensitive applications. Therefore, network engineers will often make do with software solutions such as firewalls and data diodes.
Firewalls have been a benchmark information security tool for decades, which means most network engineers are likely familiar with and use them. While data diodes have also been used for decades, their implementation has been confined to high-security facilities. They’ve recently begun to gain popularity in private and OT networks.
While firewalls have long been the bedrock for segmenting networks—there is a use case for firewalls and data diodes, even deploying both within the same network. Along with the Data diode TAP variation, it’s important to review the differences and how people may use them.
What’s the difference between a data diode and a firewall?
Firewalls are a good information security tool and a staple for securing the network. A firewall is a barrier system or ‘gatekeeper’ designed to stop, filter or redirect traffic between external and internal networks based on decisions from a built-in policy engine.
For example, certain kinds of traffic coming into the network—such as traffic from known phishing sites or botnets—may be blocked automatically. Other kinds of traffic, such as email, will be diverted through inline security tools and scanned for malware.
Because firewalls are software-based and rely on policies, attackers can sometimes take advantage of mistakes in a firewall’s configuration in order to get around it. Attackers also might take advantage of existing vulnerabilities in the firewall itself, allowing them to literally take over the firewall and then admit whatever traffic they need. Lastly, some forms of distributed denial of service (DDoS) attacks can overload the firewall and then take down the network with it, causing hours of unplanned downtime.
Data diodes are also a security barrier system, but one that enforces a physical separation between network segments using one-way data transfer protocols, designed to eliminate back door attacks or breaches.
In contrast to firewalls, data diodes are theoretically non-software based, physically forcing unidirectional traffic using hardware-based security mechanisms, allowing data to flow in one direction, stopping potential attackers from accessing network traffic.
Because data diodes aren’t policy-based, there aren’t any configuration errors for attackers to exploit. Data diodes are thought of as not relying on intelligent software processing, though they use software to convert traffic protocols from bidirectional to unidirectional. Data diodes also don’t allow external traffic, so they can’t be affected by DDoS attacks.
A data diode is a relatively simple device. Because of its simplicity, though it creates the next best thing to a physical air gap: one that’s impossible to breach from the outside.
The primary difference between data diodes and firewall use cases is data diodes provide a physical and electrical separation layer, designed to pass one-way traffic between segments to eliminate attack risks. Where firewalls provide configurable code and policy designed to stop or reroute flagged traffic from getting into the network.
What’s the difference between a data diode and a data diode TAP?
There are two different use cases at play, both based on the same concept. The typical data diode passes unidirectional traffic between network segments, such as between the operations and enterprise levels. Where data diode TAPs often send unidirectional “copies” of the traffic to security monitoring tools.
The key difference here is network TAP technology. While typical data diodes are a secure pass-through device, network TAPs provide a complete full-duplex copy of network traffic, passing all information including physical level errors. This is specifically used for continuous out-of-band monitoring and analysis, which needs packet visibility to properly inventory and secure the network.
A Data diode TAP creates an exact copy of both sides of the traffic flow, continuously 24/7 year-round, and does not drop packets, introduce delay or alter the data. They are either passive or “failsafe,” meaning traffic continues to flow between network devices if power is lost or a monitoring tool is removed, ensuring the TAP isn’t a single point of failure. Data diode TAPs offer the same high-quality visibility as network TAPs, with the added security the out-of-band traffic is one-way and does not find its way back to the network.
Additional differences include:
- Typical data diodes utilize software to convert traffic protocols from bidirectional to unidirectional. Some even offer data diodes that blur the lines between a firewall and a unidirectional data transfer, with “intelligence” software-based features and functions with IP/MAC/NIC interfaces that can be open to vulnerabilities.
- Data diode TAPs are purpose-built “unintelligent” hardware devices, whose circuitry physically doesn’t have the monitoring ports connected back to the network, rendering bidirectional traffic impossible and ensuring security tools or destinations are isolated from the network segment. They are non-IP, non-MAC type and cannot be hacked.
Which data diode TAP works best for your OT security tool?
There is no silver bullet in cybersecurity. Best practices consist of various tools, frameworks and protocols all with the purpose of a safe and secure network. Data diode TAPs are one of the components used to build a secure network architecture. Do research and find the best solution for the specific application.