Applications
The Fox DataDiode applications provide out-of-the-box solutions for unique security problems. Applications are built around the vast number of protocols supported natively by the Fox DataDiode.
-
2-Way Diodes
How to set up two-way e-mail communication between two differently classified networks securely?
Communication
Communication is intended to be bidirectional: sender and receiver exchange information without any hassle. The problem is that communication between two differently classified networks is subject to strict security rules, specifically rules regarding the declassification of information before it is allowed to leave the classified network. In classified environments Data Diodes are used to transport information securely from the unclassified network to the classified network. However, once information has been declassified it is still transported manually to the unclassified network using a media carrier such as a USB stick or CD.
The disadvantage of manually transporting (declassified) information is that it is not real-time, it is time consuming and it introduces additional security risks, since the information is transported in an uncontrolled manner (by humans).
We describe one possible solution for setting up secure two-way communication within an environment where information must be declassified and transported outside of the classified environment. To conduct this process in a controlled manner the solution uses Strict Content Filters together with multiple Fox DataDiodes to create a secure zone (DMZ).
Demilitarized zones
The Fox DataDiodes create an additional layer of security between two networks, i.e. a Demilitarized Zone (DMZ). Although firewalls are generally used for this, the more secure solution is to use two sequentially placed Data Diodes. The diodes ensure that information always flows through the DMZ in a controlled manner without compromises. Between the diodes a Strict Content Filter is placed to check the outbound and inbound information.
Strict Content Filter
When information is transmitted from the Black network to the Red network, the integrity of the information should be ensured. This is done by a Strict Content Filter, which checks the content of the information.
Content checking can be done in a variety of ways, e.g. by only allowing XML information to pass through the diode, followed by an XML gateway that checks the 'signature' of the XML file. Another solution is to change the format of the transmitted information in such a way that it can be checked by the content filter, e.g. using OCR software or making a screen capture of the document.
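As an added illustration of the XML-only filter described above (example code, not Fox-IT's product): a minimal Strict Content Filter for the Black-to-Red path that drops anything that is not signed, well-formed, DTD-free XML built solely from an allowlisted set of elements. The element allowlist, the HMAC-SHA256 'signature' and the sample messages are assumptions constructed for this example.

```python
"""Minimal strict content filter for one-way XML transfer (constructed example)."""
import hmac
import hashlib
import xml.etree.ElementTree as ET

# Constructed allowlist: only these elements may cross the diode.
ALLOWED_ELEMENTS = {"message", "subject", "body"}
# Constructed shared key standing in for the page's unspecified 'signature' scheme.
FILTER_KEY = b"example-filter-key"


def sign(xml_bytes: bytes) -> str:
    """Hex 'signature' the sender attaches: HMAC-SHA256 over the raw XML bytes."""
    return hmac.new(FILTER_KEY, xml_bytes, hashlib.sha256).hexdigest()


def strict_filter(xml_bytes: bytes, signature: str) -> tuple:
    """Accept only signed, DTD-free, well-formed, allowlisted XML.

    Returns (accepted, reason) so every decision can be logged, not just rejections.
    """
    # 1. Verify the signature before parsing: unsigned or altered input never reaches the parser.
    if not hmac.compare_digest(sign(xml_bytes), signature):
        return False, "signature mismatch"
    # 2. Reject any DTD outright: no entity expansion, no external references.
    if b"<!DOCTYPE" in xml_bytes or b"<!ENTITY" in xml_bytes:
        return False, "DTD not allowed"
    # 3. The payload must be well-formed XML.
    try:
        root = ET.fromstring(xml_bytes)
    except ET.ParseError as exc:
        return False, f"not well-formed XML: {exc}"
    # 4. Every element must be on the allowlist and carry no attributes.
    for elem in root.iter():
        if elem.tag not in ALLOWED_ELEMENTS:
            return False, f"element not allowed: {elem.tag}"
        if elem.attrib:
            return False, f"attributes not allowed on <{elem.tag}>"
    return True, "accepted"


if __name__ == "__main__":
    good = b"<message><subject>status</subject><body>all clear</body></message>"
    bad = b"<message><script>x</script></message>"
    print(strict_filter(good, sign(good)))  # (True, 'accepted')
    print(strict_filter(bad, sign(bad)))    # (False, 'element not allowed: script')
```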
Even if information can only travel in one direction, it is advised to always implement a mechanism that ensures the integrity and availability of the Red network.
Declassification can be handled in a similar way to classification: a Strict Content Filter checks, logs and ensures that only intended information leaves the classified network.
-
Network Monitoring
Various industry standard IT infrastructure monitoring systems are capable of watching hosts and services in a network. These systems enable organizations to identify and resolve network problems before they affect business processes. Organizations with classified and unclassified networks are forced to run at least two separate monitoring systems, one in the unclassified and one in the classified network. The Fox DataDiode centralized monitoring solution provides a bird's eye view of the status of the entire network using e.g. Nagios and the Fox DataDiode.
Business Benefits
Monitoring the status of the entire network is cumbersome because you have to check the status on multiple systems. As a result, the availability of the systems can be threatened. The benefit of a centralized monitoring solution is that it provides a higher availability of the complete network.
-
Network Printing
How to set up ONE printer for classified and unclassified networks without degrading security?
In every organization printing is a valuable asset, on both the classified and unclassified networks. Since these networks usually are not connected, printing on both networks is a separate process, with separate devices and maintenance. The problem is that it's not always clear which printer is for which network and that both printers need to be maintained.
Business Benefits
Setting up ONE printer for both networks creates more clarity, since all print jobs are sent to ONE printer regardless of whether they contain classified or unclassified information. Instead of buying and maintaining multiple printers, only ONE printer has to be purchased, maintained and monitored.
-
Oracle Replication
Databases provide an easy way of organizing, storing and accessing large volumes of information. This (sensitive) information is also required in classified environments.
Use Case
Airplane passenger lists are stored by immigration in large databases and made available to various classified organizations and agencies. Information is usually manually moved from one environment to another, which is a tedious and time consuming process. Furthermore, it introduces additional security risks when this information is transported using media carriers.
Active DataGuard
The Oracle Replication application together with the Fox DataDiode provides an automatic replication solution for Oracle databases. This ensures the availability of the database information in the classified environment without degrading security.
Oracle Replication uses standard tools from Oracle and adapts them for use over a one-way connection such as the Fox DataDiode. Active Data Guard for Oracle Database 11g is used to create a replicated standby database on the classified side, while our application provides the means of transporting information from one side to the other through the Fox DataDiode.
More information on Oracle Active Data Guard can be found at:
-
Windows Updates
How to run Windows Server Update Services (WSUS) in your isolated classified network through the Fox DataDiode?
WSUS
WSUS provides a software update service for Microsoft products such as Windows and Office. These software updates provide security updates, bug fixes and new features. It is crucial to update isolated classified (Red) networks, but inconvenient because they are not connected to unclassified (Black) networks such as the Internet.
With automatic Microsoft updates in your classified network you no longer have to worry about security vulnerabilities. In addition you get the latest bug fixes and features from Microsoft.