White Paper - Net Optics - Secure Unidirectional Data Flow With Network Taps



Secure, Unidirectional Data Flow with Network Taps White Paper

July 2011

“Data diodes” refer to unidirectional network links used in some high-security network architectures. This paper explains how data diodes are used to secure information and protect against intrusions; it also shows that Net Optics Taps and other monitoring access and control devices are, in fact, data diodes.

The Highs and Lows of a Secure Environment

When the highest possible data security is needed, an “air gap” is maintained between the secure domain and the rest of the world. The secure network domain simply has no physical connection to the outside world, so nothing can enter or leave by wire or wireless, only by “sneaker net”. (“Sneaker net” means a person carrying a removable storage device.) However, in many high-security environments, unidirectional security is sufficient, and a “data diode” is employed to allow traffic to flow in one direction only between two network domains. The more secure domain is known as the high side, and the less secure domain is the low side. Depending on the application, the data diode permits traffic flow from the low side to the high side, or vice versa. (The name “data diode” comes from the term “diode,” which is an electronic component that allows electrical current to flow in one direction but not the other.)

Data flow is restricted to move only from the low (less secure) side to the high (more secure) side when the goal is to keep information secure within the high side. Figure 1 illustrates this type of application. In this case, a defense contractor must ensure that confidential data cannot leave the premises, at least not by way of the network. A data diode connecting the defense contractor’s network to the internet prevents any traffic from leaving the defense contractor’s network, satisfying the security requirement. However, the data diode does allow data from outside to move into the defense contractor’s network so the contractor can receive important information from partners and suppliers.

[Figure 1 diagram: Internet (Low Side, less secure) connected through a Data Diode to the Defense Contractor (High Side, more secure). Traffic can flow toward the Defense Contractor; traffic can NOT flow out of the Defense Contractor, so its data is secure.]

Figure 1: A data diode prevents confidential data from leaving the more secure “high” side


Data flow is restricted to move only from the high (more secure) side to the low (less secure) side when the goal is to prevent intrusions and infections, but allow sharing of information from the high side. Figure 2 illustrates this type of application. In this case, a voting machine is connected through a data diode to the Internet, enabling the machine to send its vote count results to vote counting headquarters and to Web sites, while being completely secure from intruders hacking into the voting machine.

[Figure 2 diagram: Voting Machine (High Side, more secure) connected through a Data Diode to the Internet (Low Side, less secure). Traffic can flow out, so the Voting Machine can send vote counts to headquarters; traffic can NOT flow in, so intruders cannot hack into the Voting Machine.]

Figure 2: A data diode prevents intrusions into the more secure “high” side

How a Data Diode Works

A data diode is easy to build, in principle. Figure 3 shows a data diode constructed by simply breaking one fiber in a duplex cable to prevent information flow in one direction.

[Figure 3 diagram: Router and Switch joined by a full duplex fiber cable, in which each direction of traffic flow has a dedicated fiber. The return fiber is broken, so there is no path for data to flow from the switch to the router.]

Figure 3: A simple data diode made by breaking one fiber in a duplex cable


If it is that easy to create a data diode, what are data diode vendors providing? It turns out that, in practice, breaking one of the fibers stops communication in not one, but both directions—because most networking protocols depend on two-way communication to establish and maintain connections. To take an example, you cannot get any data from a Web site unless you can first send a request to the Web site. For another example, if a TCP request does not receive an acknowledgement, the TCP connection terminates and no data is transferred. In order to make one-way communication work, a sophisticated data diode terminates the full duplex connection on each side of the communications with proxy servers, while allowing information to flow only one way between the proxy servers. This arrangement is illustrated in Figure 4.

[Figure 4 diagram: Router, Proxy, one-way link, Proxy, Switch. The two proxies and the one-way link between them form the Data Diode Server.]

Figure 4: A data diode server terminates full duplex protocols at each end with proxy servers, while permitting only one-way traffic between the proxies
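As an added illustration of the proxy arrangement in Figure 4 (this is not code from the paper or from Net Optics), the sketch below shows what the two proxies are left to do once no acknowledgement can cross the link: the sender side terminates the two-way protocol and emits numbered, checksummed frames; the receiver side has no way to ask for a retransmit, so it must detect loss and corruption by itself. The frame format, chunk size and function names are assumptions made for the example.

```python
import struct
import zlib

# Constructed example: a sender-side proxy terminates the two-way protocol
# locally and pushes fixed-size, numbered, checksummed frames across a link
# that has no return path. The receiver-side proxy can never ACK or request
# a retransmit, so it has to detect loss and corruption on its own.

HEADER = struct.Struct("!IIII")  # transfer id, seq, total frames, crc32 of body


def frame_message(transfer_id: int, payload: bytes, chunk: int = 8) -> list[bytes]:
    """Sender proxy: split a payload into self-describing one-way frames."""
    chunks = [payload[i:i + chunk] for i in range(0, len(payload), chunk)] or [b""]
    frames = []
    for seq, piece in enumerate(chunks):
        hdr = HEADER.pack(transfer_id, seq, len(chunks), zlib.crc32(piece))
        frames.append(hdr + piece)
    return frames


def one_way_link(frames, drop=(), corrupt=()):
    """Simulated single fiber: frames go out in order; some may be lost or
    damaged in transit. Nothing flows back, so the sender learns nothing."""
    out = []
    for seq, f in enumerate(frames):
        if seq in drop:
            continue
        if seq in corrupt:
            f = f[:HEADER.size] + bytes(b ^ 0xFF for b in f[HEADER.size:])
        out.append(f)
    return out


def receive(frames) -> dict:
    """Receiver proxy: verify each frame, reassemble, and report what is
    missing or corrupt, since there is no channel to ask for it again."""
    pieces, total, bad = {}, None, []
    for f in frames:
        _tid, seq, total, crc = HEADER.unpack_from(f)
        body = f[HEADER.size:]
        if zlib.crc32(body) != crc:
            bad.append(seq)       # damaged frame: discard, remember the gap
            continue
        pieces[seq] = body
    missing = sorted(set(range(total or 0)) - set(pieces))
    complete = total is not None and not missing
    data = b"".join(pieces[s] for s in range(total)) if complete else None
    return {"complete": complete, "missing": missing, "corrupt": bad, "data": data}
```

With a lost or damaged frame the receiver can only flag the transfer as incomplete; recovering from it needs redundancy (repeat transmission or forward error correction) sent proactively by the high side, never a request from the low side.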

Network Monitoring Taps Are Data Diodes (but Span ports are not!)

Network monitoring applications use unidirectional communications intrinsically, because mirrored copies of network traffic flow one way—to the monitoring tool—and not the other way, from the monitoring tool back to the network. Network Taps are natural data diodes, and the most secure way to connect a monitoring tool to the network. Note that switch Span ports, which are often used to send traffic to monitoring tools, are NOT data diodes. They are bidirectional connections, and, through inadvertent or malicious misconfiguration, can inject data into the network. Therefore, Span ports are not suitable for high-security installations.

[Figure 5 diagram: Router and Switch with a Net Optics Fiber Tap inline on the full duplex link. The Tap sends a mirrored copy of traffic to a Protocol Analyzer as a one-way traffic flow. The Switch's Span port feeds a second Protocol Analyzer over a bidirectional connection.]

Figure 5: Network taps are natural data diodes; switch Span ports are not!


The traffic flowing from the Tap to the monitoring tool is a mirrored copy of raw network traffic, so no protocol handshakes are expected from the monitoring tool. Therefore, proxy servers are not needed, and the simple data diode model of Figure 3 is exactly what is implemented in a Tap. In the case of a Fiber Tap, the fibers that would carry data from the tool to the Tap are completely absent. This can be seen in Figure 6.

[Figure 6 diagram: Fiber Tap between Router and Switch, built from two Optical Splitters. A Monitoring Breakout Cable carries the split signals to a Protocol Analyzer; the return fibers are absent, so there is no path for data to flow into the network link.]

Figure 6: Network taps are natural data diodes

The Fiber Tap is a device that consumes no power and needs no electricity. It is simply two optical splitters in a small chassis. Each splitter takes the signal being received at each network port and splits it in two, sending part of the signal down its usual path on the network, and the other part to the monitoring tool. To save space, the Fiber Tap brings both monitoring fibers out a single connector, but it is important to note that this duplex fiber connector does not carry its usual bidirectional signals, but rather two fibers that both carry signals in the outbound direction. Net Optics provides a special monitoring breakout cable to break these two signals out to two standard duplex connectors which attach to two ports on the monitoring tool. The two connectors that go to the tools have fibers only in the direction carrying traffic into the tool. The sides of the connectors on the outbound sides of the monitoring tool’s ports have no fibers, and therefore there is no path to carry traffic back to the network. The Tap is a perfect data diode.

The network traffic cannot be disrupted even if a signal is maliciously driven into the monitoring fiber back towards the network. The physics of the optical splitter guarantees that the signal will propagate towards the transmitting end of the network cable only, and not to the receiving end, so there would be no impact on the network traffic.


Copper Taps Are Data Diodes

Network Taps for copper media follow essentially the same topology as the Fiber Tap, as shown in Figure 7.

[Figure 7 diagram: Copper Tap between Router and Switch. Each port is a PHY paired with a MAC; the reverse path toward the Protocol Analyzer is broken, so there is no path for data to flow into the network link.]

Figure 7: Network taps are natural data diodes

In a Gigabit or 10 Gigabit copper Tap, the reverse traffic path cannot be broken right at the connector because the Ethernet Physical Interfaces (PHYs) negotiate which pins will be used for transmitting data and which for receiving data. (This feature is called Medium Dependent Interface—MDI—or, more properly, auto-MDIX. It is the reason why you never need to worry about crossover cables anymore.) Therefore, the break in the reverse traffic path is made between the PHY and the Media Access Controller (MAC), where the pin directions are fixed. The effect is the same: no physical path exists to carry traffic from the monitoring tool back to the network.

Data Monitoring Switches and Network Controller Switches Are Data Diodes

All Net Optics devices that support integrated inline tapping use these same topologies for fiber or copper interfaces to guarantee that the device acts as a true data diode—it is physically impossible to send data from the monitoring tool (or from the device’s management interface, or from the device itself) to the inline network link. A sampling of such products includes:

● Director™ inline DNMs models DNM-100 (copper) and DNM-200 (fiber)
● iLink Agg™ inline models LA-2405 (copper) and LA-2410 (fiber)
● Regeneration Taps™ models RGN-GCU-IL8 (copper) and RG-830X (10G fiber)
● iTap™ Port Aggregators models IPA-CU3 (copper) and IPA-50SR-XFP (10G fiber)
● Fiber and Copper Network Taps models TP-CU3-ZD (copper) and TP-800X (10G fiber)


Summary

This paper has explained why data diodes are essential for creating completely secure network connections that absolutely prevent data from leaving (or, in other cases, from entering) high-security installations. Both fiber and copper network Taps were shown to be perfect data diodes, as are other Net Optics devices for monitoring traffic access and control. Switch Span ports, on the other hand, are not data diodes and cannot be used for traffic access in high-security installations. This paper has not discussed other attributes of Network Taps, such as 100% traffic visibility including errors and malformed packets, totally passive behavior even when power fails, and never dropping packets no matter how high the traffic rate. This combination of attributes, along with their natural data diode topology, makes Network Taps from Net Optics the best way to Tap into your Network.

Sometimes Taps Are NOT Data Diodes

As a rule, all Net Optics monitoring access and control devices are data diodes. But they say that rules are made to be broken, and the exception proves the rule. In this case, the exception is the Active Response Tap. This special type of Tap was created to meet the following customer requirement: When a monitoring Intrusion Detection System (IDS) detects certain types of illegal or unwanted network behavior, the IDS needs to be able to issue a TCP reset to the network to terminate the connection. The TCP reset is a normal

set in the TCP header. In other words, the monitoring tool—the IDS—needs to be able to inject a packet onto the network. To meet this requirement, Net Optics developed the Active Response Tap, which is a copper Tap that has the PHY and the MAC connected. Active Response Taps are not data diodes, and therefore the possible security impacts should be evaluated carefully when choosing to use Active Response.

But Active Response may not be the end of the story when it comes to Taps that are not data diodes. New applications are being invented that break the data diode model for monitoring access. One such invention is Link Layer Discovery Protocol (LLDP), which requires that every device, including monitoring access and control devices, must announce itself on the network to support auto-discovery of the network topology by network management systems. Like the Active Response case, LLDP requires that a small amount of traf-

-rection—into the network instead

monitoring devices such as Intrusion Prevention Systems (IPSs) is another example where the data diode model is not appropriate. Therefore, Net Optics Bypass Switches, which create fail-safe ports for inline tools, are not data diodes. It will be interesting to see how the data diode model for monitoring access holds up as innovative new protocols and monitoring tools become part of the networking landscape.

For further information about Network Taps and other data diode solutions:

Net Optics, Inc.
5303 Betsy Ross Drive
Santa Clara, CA 95054
(408) [email protected]

Distributed by:

Network Performance Channel GmbH
Ohmstr. 12
63225 Langen
Germany
+49 6103 906 [email protected] / www.np-channel.com