Protocols

Protocols are the fundamental building blocks of the Fox DataDiode. On top of its file transfer protocols and streaming data protocols virtually any application can be built.

  • CIFS/SMB

    The Fox DataDiode software supports, as standard, the Common Internet File System (CIFS), used by e.g. Windows to share files over a network. CIFS is also known as Server Message Block (SMB).

    The solution is transparent for users: they push files from the BLACK network just as if they were connecting directly to the RED side. The Fox DataDiode software supports NTLMv2 for authentication. The solution supports files as well as (sub)folders. Multiple parallel CIFS shares are allowed, and the administrator can restrict users to specific shares or groups of shares. The throughput of CIFS is 100 Mbit/s.

  • FTP

    FTP stands for File Transfer Protocol and is supported as standard in the Fox DataDiode software. FTP is used to transfer documents from the unclassified side through the Fox DataDiode solution, after which they are forwarded to an FTP server on the classified side. The following drawing gives a general setup of FTP through the Fox DataDiode:

    The Fox DataDiode software provides various modes of FTP transfer between the BLACK and RED proxy, such as fast-forward mode or store-and-forward mode. Through the web interface the user can manage access control to FTP shares and manage the flow of information after it leaves the RED proxy. The throughput of this solution is 100 Mbit/s, and both files and (sub)folders are supported.

  • FTP/S (SSL)

    Both the BLACK and RED proxy support FTP over SSL (FTP/S). The login credentials and the data channel are encrypted, providing a secure channel when accessing the Fox DataDiode proxies.

    FTP/S is a standard option of the Fox DataDiode software. 

  • NTP

    The Network Time Protocol (NTP) is used to synchronize the clocks of computer systems. Often a so-called NTP server is used to provide highly accurate time to clients. Usually the BLACK proxy can be configured to connect to an NTP server somewhere on the Internet, but this is impossible for the RED proxy, since it cannot connect to a server that is not part of the RED network. Therefore the BLACK proxy sends its time to the RED proxy, which can then act as a (near-)NTP server in the RED domain, with a time difference of less than one second.

    NTP is a standard solution of the Fox DataDiode software.

  • SMTP (Email)

    The Fox DataDiode software allows email to be sent to a secure (RED) network. It takes into account that the domain name of this secure network must remain secret. The BLACK proxy is configured to know which email it must forward to the RED proxy. The RED proxy, in turn, is configured to forward all incoming email to a certain domain.

    As shown in the figure above, the secret domain name on the RED network is 'reddomain.local'. The BLACK proxy will be configured to forward all email destined for addresses ending with '@confi.local'. When the RED proxy receives such email, it will replace 'confi.local' with 'reddomain.local' and then pass it through to a mail server on the RED network.

    The chain of events consists of 9 steps:

    1. The client creates an email, destined for user@confi.local.
    2. This email is sent to the mail server on the BLACK network.
    3. The mail server fetches the MX-record of the domain 'confi.local'. This identifies the BLACK proxy as the destination mail server.
    4. The mail server delivers the mail to the BLACK proxy via SMTP.
    5. The BLACK proxy sends the mail to the RED proxy via the hardware Data Diode.
    6. The RED proxy rewrites the domain of the email recipient from @confi.local to @reddomain.local.
    7. The RED proxy fetches the MX-record of the domain 'reddomain.local'. This identifies the mail server on the RED network as the destination mail server.
    8. The RED proxy delivers the message to the mail server via SMTP.
    9. The client retrieves the message from the mail server.
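    The filtering on the BLACK proxy (step 4) and the domain rewrite on the RED proxy (step 6), as an added Python example that is not part of the Fox DataDiode software. The configuration constants, function names and the test message are assumptions constructed for this example; the page does not describe the product's configuration format. The example also rewrites the addresses in the To: and Cc: headers, which the page does not state the product does; it only states that the recipient domain is rewritten.

```python
"""Constructed simulation of the BLACK/RED SMTP relay described above (steps 4 to 6).
Added example, not the Fox DataDiode code; all names below are assumptions."""
from email import message_from_bytes, policy
from email.message import EmailMessage
from email.utils import formataddr, getaddresses

BLACK_FORWARD_DOMAIN = "confi.local"    # domain the BLACK proxy is configured to forward
RED_TARGET_DOMAIN = "reddomain.local"   # secret domain substituted by the RED proxy


def split_address(addr):
    """Return (local_part, lower-cased domain) for a bare address, or None if malformed."""
    local, sep, domain = addr.rpartition("@")
    if not sep or not local or not domain:
        return None
    return local, domain.lower()


def black_proxy_filter(envelope_rcpts):
    """Step 4: the BLACK proxy accepts only recipients in BLACK_FORWARD_DOMAIN.
    Everything else is refused, so only mail for the configured domain crosses the diode."""
    accepted, refused = [], []
    for rcpt in envelope_rcpts:
        parts = split_address(rcpt)
        if parts and parts[1] == BLACK_FORWARD_DOMAIN:
            accepted.append(rcpt)
        else:
            refused.append(rcpt)
    return accepted, refused


def red_proxy_rewrite(rcpt):
    """Step 6: replace the public domain with the RED domain, keeping the local part unchanged."""
    parts = split_address(rcpt)
    if parts is None or parts[1] != BLACK_FORWARD_DOMAIN:
        # The RED proxy should never see other domains; treat it as a configuration error.
        raise ValueError(f"unexpected recipient on RED side: {rcpt!r}")
    return f"{parts[0]}@{RED_TARGET_DOMAIN}"


def header_addresses(msg, header):
    """Bare addresses found in one address header (empty list if the header is absent)."""
    return [addr for _, addr in getaddresses(msg.get_all(header, []))]


def rewrite_header_addresses(msg, header):
    """Rewrite the addresses in one header (To or Cc) that belong to the public domain.
    Assumption: headers are rewritten too; the page only mentions the recipient domain."""
    values = msg.get_all(header)
    if not values:
        return
    rewritten = []
    for name, addr in getaddresses(values):
        parts = split_address(addr)
        if parts and parts[1] == BLACK_FORWARD_DOMAIN:
            addr = red_proxy_rewrite(addr)
        rewritten.append(formataddr((name, addr)))
    del msg[header]
    msg[header] = ", ".join(rewritten)


def relay(envelope_rcpts, raw_message):
    """Run one message (raw bytes, as received over SMTP) through BLACK filtering and
    RED rewriting. Returns (RED-side envelope recipients, refused recipients, message)."""
    accepted, refused = black_proxy_filter(envelope_rcpts)
    red_rcpts = [red_proxy_rewrite(r) for r in accepted]
    out = message_from_bytes(raw_message, policy=policy.default)
    for header in ("To", "Cc"):
        rewrite_header_addresses(out, header)
    return red_rcpts, refused, out


def build_sample_message():
    """Constructed test message standing in for step 1, returned as raw bytes."""
    msg = EmailMessage()
    msg["From"] = "sender@black.example"
    msg["To"] = "Alice <alice@confi.local>, bob@other.example"
    msg["Subject"] = "constructed test message"
    msg.set_content("hello from the BLACK network\n")
    return msg.as_bytes()


if __name__ == "__main__":
    rcpts, refused, out = relay(["alice@confi.local", "bob@other.example"],
                                build_sample_message())
    print("RED envelope:", rcpts, "refused on BLACK:", refused)
    print(out.as_string())
```

    The BLACK-side filter is the part that matters for the diode: a recipient outside 'confi.local' is refused before anything crosses to RED, and the RED proxy treats any other domain as a configuration error rather than guessing a destination.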

  • Syslog/SNMP

    The Fox DataDiode software supports Syslog/SNMP on top of its UDP streaming support. This feature enables users to send syslog messages, SNMP traps, video streams etc. from the BLACK to the RED network. Since different ports can be used for UDP data transfer, setting these port numbers is part of the configuration. The port numbers on the BLACK and RED proxy must be the same, but the RED proxy can forward the data to a different port number on the destination target.

    As illustrated in the above figure, two clients simultaneously send UDP streams through the Fox DataDiode solution. On the BLACK proxy the administrator configures the source IP address and source port. On the RED proxy the target IP address and target port are configured for each stream individually.

    Streaming through the Fox DataDiode can reach throughputs of up to 800 Mbit/s.

  • TCP

    The Fox DataDiode supports raw socket data transfers based on TCP. The diode software on the BLACK side acts as a listening server that receives raw data from systems on the network and forwards it through the hardware Data Diode. The RED proxy receives the data and uses a client raw socket to forward it to the specified destination on the RED network.

    TCP is natively supported by the Fox DataDiode Windows service and is optional for the OpenBSD Fox DataDiode software.

  • UDP

    The Fox DataDiode software supports one-way UDP traffic. This feature enables users to send syslog messages, SNMP traps, video streams etc. from the BLACK to the RED network. Since different ports can be used for UDP data transfer, setting these port numbers is part of the configuration. The port numbers on the BLACK and RED proxy must be the same, but the RED proxy can forward the data to a different port number on the destination target.

    As illustrated in the above figure, two clients simultaneously send UDP streams through the Fox DataDiode solution. On the BLACK proxy the administrator configures the source IP address and source port. On the RED proxy the target IP address and target port are configured for each stream individually.

    Streaming through the Fox DataDiode can reach throughputs of up to 800 Mbit/s.
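    The per-stream port configuration described in the Syslog/SNMP and UDP sections above, as an added Python example that is not part of the Fox DataDiode software. It models each stream as the source IP and port configured on the BLACK proxy plus the target IP and port configured on the RED proxy, checks the constraint that the BLACK and RED port numbers must match, and shows the RED-side lookup that delivers a datagram to its per-stream target. The field names, the validation function and the sample streams are constructed assumptions; the page does not describe the product's configuration format.

```python
"""Constructed model of the per-stream UDP forwarding configuration described above.
Added example, not the product's configuration format; all names are assumptions."""
from dataclasses import dataclass


@dataclass(frozen=True)
class UdpStream:
    name: str
    src_ip: str        # BLACK proxy: the sender this stream accepts datagrams from
    black_port: int    # BLACK proxy: UDP port the stream is received on
    red_port: int      # RED proxy: UDP port for the same stream; must equal black_port
    target_ip: str     # RED proxy: destination host on the RED network
    target_port: int   # RED proxy: destination port, which may differ from black_port


def validate_streams(streams):
    """Return a list of configuration errors; an empty list means the streams are consistent."""
    errors = []
    claimed = {}  # (src_ip, port) -> stream name, to catch streams that can't be told apart
    for s in streams:
        if s.black_port != s.red_port:
            errors.append(f"{s.name}: BLACK port {s.black_port} differs from RED port {s.red_port}")
        for label, port in (("BLACK", s.black_port), ("target", s.target_port)):
            if not 1 <= port <= 65535:
                errors.append(f"{s.name}: {label} port {port} out of range")
        key = (s.src_ip, s.black_port)
        if key in claimed:
            errors.append(f"{s.name}: source {s.src_ip}:{s.black_port} already used by {claimed[key]}")
        else:
            claimed[key] = s.name
    return errors


def route(streams, src_ip, port):
    """RED-side lookup for one datagram: match it to a stream by source IP and port and
    return (target_ip, target_port). None means no stream matches and the datagram is dropped."""
    for s in streams:
        if s.src_ip == src_ip and s.black_port == port:
            return s.target_ip, s.target_port
    return None


# Constructed sample: a syslog stream delivered on the standard port and an SNMP trap
# stream delivered to a non-standard port on the RED collector.
SAMPLE_STREAMS = [
    UdpStream("syslog", "10.1.0.20", 514, 514, "10.2.0.50", 514),
    UdpStream("snmp-traps", "10.1.0.21", 162, 162, "10.2.0.51", 1162),
]

# Constructed misconfiguration: one stream with mismatched BLACK/RED ports and one that
# reuses the syslog stream's source, so it could never be delivered separately.
BAD_STREAMS = SAMPLE_STREAMS + [
    UdpStream("broken", "10.1.0.22", 5000, 5001, "10.2.0.52", 5000),
    UdpStream("dup", "10.1.0.20", 514, 514, "10.2.0.53", 514),
]


if __name__ == "__main__":
    print("valid config errors:", validate_streams(SAMPLE_STREAMS))
    print("bad config errors:", validate_streams(BAD_STREAMS))
    print("trap from 10.1.0.21 ->", route(SAMPLE_STREAMS, "10.1.0.21", 162))
    print("unknown sender ->", route(SAMPLE_STREAMS, "10.1.0.99", 162))
```

    The duplicate-source check is the one worth copying into any real configuration review: two streams that share a source IP and port are indistinguishable on the RED side, so the second one silently never reaches its target.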