Employing Simplex Data Circuits for Ultra-High-Security Networking

Patton, W. Glendon Flowers
Once upon a time, full-duplex transmission was introduced as a groundbreaking network technology. Now, in the age of multiplying cyber attacks, we have good reasons to revert to simplex circuits. Unidirectional connections provide network protection and offer reliable, hardware-based, cyber security.

Data diodes can provide hardware-based simplex communication circuits. Most commonly implemented in high-security environments, including classified government, military intelligence, and national defense, data diodes provide unidirectional data communication between networks that have different security classifications.

Given the rise of industrial IoT and digitization, this technology can now be found at the industrial control level for such facilities as nuclear power plants, power generation, and safety-critical systems like railway networks. With a data diode installed on the outbound port, the high-security network cannot be penetrated by software bugs or malicious code.

Operational data is securely transferred out of the secure OT network through a data diode to data repositories. Remote users retrieve OT data without exposing the OT network to security attacks.

Data Diodes Combined with NDR. Also known as a unidirectional security gateway, a data diode is a hardware-based, simplex networking solution that can be installed to segment a network and defend it from malicious attacks. When data diodes are combined with an NDR (Network Detection and Response) platform, such as Vectra, the network security solution is extremely effective. An extra-fancy (and much longer!) name for a data diode is a deterministic one-way boundary device.

Data Diodes: What are they? How are they used?
Available in various shapes and sizes, a data diode is a unidirectional network communication device that enables safe, one-way data transfer data between two networks. One might think of it as a non-return valve. It allows data transmission in only one direction. Because it cannot and will not receive data, any and all data trying to enter the network is blocked. Data diodes are designed to maintain physical and electrical separation between source and destination networks. A data diode allows a high-security network or segment to send data to external systems and users—such as a regulatory body, the cloud, or a remote-monitoring facility—without exposing the secure network to external threats.

Types of Data Diodes. Currently-existing data diode technologies include hardware-only, optical fiber, optical isolation, electrical, and electromagnetic. Most popular in today’s market are hardware and optical, which is essentially a modified optical cable.

Data diodes can be used to protect network segments of all sizes, from a single controller to an entire facility.

Network Diagram with Data Diode

Controlled Data Flow
Data diodes are hardware-enforced data transfer solutions that use the laws of physics to provide a security mechanism that cannot be hacked.

Secure Monitoring and Control Network

What is Network Detection and Response (NDR)?
Network Detection and Response (NDR) is a technology solution that improves cybersecurity. The discipline has evolved from a practice once known as network traffic analysis. Over the years, as the complexity of network traffic has increased, the proportion of potentially malicious traffic has also increased. So, the activities around traffic analysis have become more security-focused. In recent times, human monitoring and simple behavioral analytics have evolved into NDR, which employs machine learning combined with automated threat-discovery and incident-response mechanisms.

NDR focuses on machine learning and analytical techniques—raising the bar compared with rules-based security tools such as firewalls. These intelligent tools model network behavior using continuous real-time traffic analysis while alerting network administrators about anomalous behavior or traffic patterns that indicate system malfunctions or external attacks.

NDR monitors an organization’s network in real-time, 24/7.

IDS. Similar to traditional Intrusion Detection Systems (IDS)—which focus on monitoring the network perimeter for intruders and generating alerts when an attack is detected—NDR solutions focus on analyzing network communications in order to detect and investigate threats. Compared with IDS, a chief differentiator is that NDR provides automated responses, including:

  • triggering commands to a firewall to drop suspicious traffic
    manual responses — providing threat-hunting and incident response information to dig deeper
  • NDR solutions move beyond merely detecting threats, actually responding to threats in real-time using native controls while supporting a wide range of integrations with other cybersecurity tools or solutions: security orchestration, automation, and response (SOAR) for example.

Security information and event management (SIEM) is a solution that helps organizations detect, analyze, and respond to security threats before they harm business operations.

How does Vectra work together with data diodes?
Vectra supports data diodes on any of its physical appliance Sensor capture ports that provide SFP+ 10 Gbps connections. As of this writing, Vectra appliances that support Patton data diodes include the X29v2 and the S101v2.
Vectra has validated Patton FiberPlex SFP+ modules that function as data diodes. These SFP+ modules will always be deployed in pairs:

  • One RX module in the Vectra Sensor
  • One TX module in the switch or packet broker, which feeds the Sensor network traffic

Additional information can be found at https://www.patton.com/sfx-10dd/

There is really no debate over whether data diodes are more secure than software-only security solutions (firewalls)—they are. Patton data diodes are physically enforced with a hardware-based security mechanism and provide 100% confidentiality and segmentation between networks. Firewalls, in contrast, enforce configurable policies implemented in software. Data diodes are not vulnerable to software bugs, zero-day exploits, or misconfiguration—all of which vulnerabilities can afflict a firewall. Data diode hardware also provides protection from the unknown—something which no software-based security system can do.
They do not need regular patching or maintenance to stay secure, and the enforcement mechanism never becomes less effective over time.