Why Firewalls Aren’t Enough
To regular network administrators the idea that “data diodes only allow traffic to flow in one direction” may seem like a rather mundane concept, since it’s something which is normally realized with a simple firewall rule.
The data diode is different in that it can guarantee one-directionality. This may sound far more provocative than intended; some readers may, with a hint of annoyance, be thinking "surely you're not claiming that my firewall has security holes?" The answer to that is "I don't know, neither do you, and precisely that is the problem."
Preventing Leakage and Side-Channel Exploits
The reason it's so important to guarantee that a data diode cannot leak any information in the "wrong" direction is two-fold:
- There can be unintended chatter on a LAN. Some applications on the network may on occasion broadcast packets. Programs may send data on the wrong interface (either due to bugs or misconfiguration). Programs may have bugs that leave uninitialized parts of buffers filled with leftover memory contents, which may leak sensitive data.
- If an attacker on the less secure side of a data diode manages to install a custom program on the more secure side, it must not be possible to use that program to extract data through the data diode link, despite the attacker running their own code on the high-security LAN. This means that not only must the diode prevent data packets from passing in the wrong direction, it must also prevent the export of information by any other means, such as modulating link speed, link status, power consumption on the network cable, etc.
This means that data diodes must be designed so that no data can leak in the wrong direction, whether as regular data packets or through any side channel which can be used to.
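The difference between "one direction" as a firewall rule and "one direction" as a physical property can be made concrete with a small model. The following is an added example, not code from the original article: it evaluates constructed packets originating on the high-security side against three plausible first-match-wins rule sets (a deny-list with a default accept, an allow-list with a default drop, and the same allow-list with a later "let anything reach the log collector" rule), and against a diode model in which the only forwarding path is from the low-side interface. The addresses, interface names and packets are all constructed for the example.

```python
"""Model of 'one-way' enforced by firewall rules vs. by a data diode (constructed example)."""
import ipaddress
from dataclasses import dataclass
from typing import Callable, List, Optional

# Constructed addresses: LOW is the less secure side, HIGH the more secure side.
LOW_NET = ipaddress.ip_network("10.1.0.0/24")
HIGH_NET = ipaddress.ip_network("10.2.0.0/24")
BROADCAST = "255.255.255.255"


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    iface: str  # interface the packet arrived on: "low0" or "high0"


@dataclass(frozen=True)
class Rule:
    action: str  # "accept" or "drop"
    src: Optional[ipaddress.IPv4Network] = None  # None means any source
    dst: Optional[ipaddress.IPv4Network] = None  # None means any destination

    def matches(self, pkt: Packet) -> bool:
        if self.src is not None and ipaddress.ip_address(pkt.src) not in self.src:
            return False
        if self.dst is not None and ipaddress.ip_address(pkt.dst) not in self.dst:
            return False
        return True


def make_firewall(rules: List[Rule], default: str) -> Callable[[Packet], bool]:
    """First-match-wins filter with a default policy, like a typical packet filter.
    Whether a packet crosses depends entirely on the rules being complete and correct."""
    def forwards(pkt: Packet) -> bool:
        for rule in rules:
            if rule.matches(pkt):
                return rule.action == "accept"
        return default == "accept"
    return forwards


def diode_forwards(pkt: Packet) -> bool:
    """Data diode model: the only physical path is low0 -> high side.
    Addresses, rule order and default policies play no part; a packet that
    arrives on the high-side interface has nowhere to go."""
    return pkt.iface == "low0"


# Constructed packets that originate on the high-security side and should never cross.
HIGH_SIDE_TRAFFIC = [
    Packet("10.2.0.7", "10.1.0.9", "high0"),    # plain reverse-direction packet
    Packet("10.2.0.7", BROADCAST, "high0"),     # application broadcast
    Packet("10.1.0.20", "10.1.0.9", "high0"),   # dual-homed host sent on the wrong interface
    Packet("10.2.0.7", "10.1.0.10", "high0"),   # towards a log collector on the low side
]


def leaked(forwards: Callable[[Packet], bool]) -> List[Packet]:
    """Return the high-side packets that a given forwarding model lets through."""
    return [pkt for pkt in HIGH_SIDE_TRAFFIC if forwards(pkt)]


# Rule set 1: deny-list style, default accept, one explicit drop rule.
DENYLIST_FW = make_firewall([Rule("drop", src=HIGH_NET, dst=LOW_NET)], default="accept")

# Rule set 2: allow-list style, default drop, one explicit accept rule.
ALLOWLIST_RULES = [Rule("accept", src=LOW_NET, dst=HIGH_NET)]
ALLOWLIST_FW = make_firewall(ALLOWLIST_RULES, default="drop")

# Rule set 3: the allow-list plus a later "anything may reach the log collector" rule,
# placed ahead of the others as such maintenance rules often are.
LOG_COLLECTOR = ipaddress.ip_network("10.1.0.10/32")
PATCHED_FW = make_firewall([Rule("accept", dst=LOG_COLLECTOR)] + ALLOWLIST_RULES, default="drop")


if __name__ == "__main__":
    for name, fw in [("deny-list firewall", DENYLIST_FW),
                     ("allow-list firewall", ALLOWLIST_FW),
                     ("allow-list + log rule", PATCHED_FW),
                     ("data diode", diode_forwards)]:
        print(f"{name}: {len(leaked(fw))} high-side packets cross")
```

The deny-list rule set lets the broadcast and the wrong-interface packet through, because neither matches the one drop rule and the default is accept. The allow-list rule set passes this sample cleanly, but only for as long as every rule stays right: adding one convenience rule for the log collector opens a path from the high side again. The diode model refuses all four without consulting any address, which is exactly the guarantee the article is after.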