
Learn About Data Diodes — Owl Cyber Defense
https://www.owlcyberdefense.com/about-data-diodes

“A piece of hardware that physically enforces a one-way flow of data. As one-way data transfer systems, data diodes are used as cybersecurity tools to isolate and protect networks from external cyber threats and prevent penetration from any external sources. A data diode sits at the edge of the network security perimeter; relying on its physical hardware components to mitigate all network cyber threats against the network while simultaneously allowing the transfer of data out of the network in a highly controlled, deterministic manner.”

— The Definitive Guide to Data Diode Technologies

1 of 13 3/25/19, 9:33 AM

THE DEFINITIVE GUIDE TO DATA DIODE TECHNOLOGIES - FROM SIMPLE TO STATE OF THE ART

What Exactly is a Data Diode?


The simplest example is an RS-232 cable. These cables can be used to connect computing platforms and only contain three pins: transmit, receive, and ground. If the receive pin was removed then data could only physically be transmitted and NOT received. This allows data to be sent with no path for anything (or anyone) to gain access through the cable into the computer or network. While secure, the first problem is that the protocols used over the connection are expecting responses which are no longer being provided. So not only is the cable “broken” but now the protocols are also broken and either won’t operate at all or will fall into some kind of recovery mode where they try to compensate for disrupted communications (multiple-retries, etc.).


An Owl data diode goes way beyond a disabled cable; it is a hardware-based electronic device designed with two separate circuits – one send-only, and one receive-only – which physically constrain the transfer of data to one direction only and form an “air gap” between the source and destination networks. As described below, Owl provides a multi-layered, patented approach to the design of our data diodes.

Data diodes are used to defend networks from cyber-attacks and transfer information generated within the protected network in a one-way fashion to end-users outside the network. In this way, data can be sent to the cloud, a remote monitoring facility, support engineers, regulatory bodies or any other end-user that needs access, without creating a vulnerability or threat vector into the network.

Data diodes separate and create boundaries between trusted and untrusted networks and straddle the demarcation line between them. This separation between networks is more commonly known as network segmentation. This is a basic and vital part of any comprehensive cybersecurity strategy. It is perhaps simplest to think of data diodes as digital one-way valves for data, allowing data to flow out, without a way back in.

Data diodes can be used to protect very small network segments, such as an individual industrial controller, a car, or a database, or they can be used to protect a very large segment, such as an entire nuclear power plant.

Initially based on a patent from Sandia National Labs, Owl data diode technology has been built from the ground up in its purest form, incorporating the one-way flow into the design of all components; from the transmitter and receiver, to the transfer protocol, all the way down to the electricity on the circuit boards, physically ensuring a fail-safe, deterministic one-way-only data transfer. The send side is incapable of receiving data, and the receive side is incapable of sending data.


In addition, because there is no shared circuitry beyond the one-way connection, data diodes are considered by many regulatory bodies to effectively create an air gap, or a physical separation between networks. The hardware-based nature of data diodes, enforced by the fundamental laws of physics, places them at the highest possible level of security, short of physically disconnecting the network and not allowing any data to flow in or out.


The core of all Owl data diode solutions is the linked pair of two Communication Cards (one send-only and one receive-only) that together form the basis of the data diode. Along with the cards, all Owl data diodes include management software, proxies to interface to external applications, and protocol conversion, with other features available as required. Owl data diode Communication Cards vary in size and capabilities, from the world’s smallest, that are the size of a quarter and transfer data at just over 1 Mbps, to the specialized cards installed in single box solutions that support transfer up to 1 Gbps, to the PCIe cards that are fitted into standalone servers and support throughput of up to 10 Gbps.

Owl data diode products are deployed either as an all-in-one, single box solution (OPDS/OCDS product lines) with the pair of Communication Cards included in the single device, or with two separate Owl-designed PCIe Communication Cards (send & receive), each installed on their own server and connected solely through a single fiber optic cable.

OPDS-5D, OPDS-100D, OPDS-100, & OPDS-1000


ONE-WAY IN A TWO-WAY WORLD

The cybersecurity value proposition of deterministic, one-way communication is clear, but for some, how a one-way data diode works in a world dominated by two-way protocols can cause confusion. In order to address the expected “handshakes” or acknowledgments of two-way protocols in a one-way system, data diodes employ a proxy on both the send and receive sides. Rather than the source communicating directly with the destination, the source communicates with the send side proxy on the data diode. That two-way conversation is then converted to a one-way data transfer across to the receive side of the diode. Then the receive side proxy initiates a new two-way communication with the destination and completes the data transfer to the destination endpoint.

THIRD PARTY TESTED

To meet the stringent requirements of government agencies, the Department of Defense and the Intelligence community, Owl products have been tested and accredited by independent third parties. We have EAL Common Criteria ratings that prove our technology provides a deterministic one-way transfer of information.

COMPARISON TO FIREWALLS & OTHER TECHNOLOGIES


The primary difference between hardware-based data diodes versus firewalls and unidirectional gateways is that it is physically impossible to send data of any kind in the reverse direction. Therefore data diodes are inherently immune to the misconfiguration, back-doors and vulnerabilities present in these other technologies.

WHERE DID DATA DIODES COME FROM?

Since the early 1990’s, data diodes have met the elite
cybersecurity needs of the most demanding users, including the
US DoD and intelligence agencies. From initial deployments in
national labs, branches of defense and intelligence agencies, the
use of data diodes has spread to other government agencies and
then into highly regulated critical infrastructure operations like
nuclear power plants. Today, data diodes are in widespread use
globally across many industries (power generation, telecom,
transportation, financial services, data centers, mining,
water/wastewater, etc.). As cyber attacks continue to increase
and prove that “standard” cybersecurity technologies (firewalls,
RBAC, etc.) aren’t enough anymore, organizations are turning to
data diodes to provide the only cybersecurity that absolutely
cannot be hacked.


OPDS Supports DHS 7 Strategies

As a part of the first line of defense against cyberattacks in the US, the Department of Homeland Security (DHS) regularly provides guidance to organizations on cybersecurity best practices and practical advice on tools and implementation. Recently the DHS, with input from the FBI and the NSA, released a paper with recommendations to protect sensitive networks; specifically pointing to the use of data diodes.

Owl has also created a second response document, in which the DHS ‘Seven Steps’ are mapped directly to the use of data diodes, illustrating real-life use cases and guidance on how to achieve the DHS best practices.

We recommend reading these papers to get an understanding of what data diodes are capable of, how they fit into a defense-in-depth strategy, and ways that they may be useful to secure your network or environment.

While these papers focus on “critical infrastructure”, it is important to remember that data diodes are agnostic to data, networks, and industries, and work with a range of data types, protocols, and networks. So even if you represent a hotel, a law firm, or a university, data diodes are powerful tools that can probably help you with your network cybersecurity needs.

A proven, hardware-based cybersecurity technology, data diodes are an intricate and differentiating part of Owl cross domain solutions (CDS). The function of a cross domain solution is to move information in one direction from one network domain or enclave to another, most times changing from one security level to another, either to a higher or lower level (unclassified-NIPRNet to Secret-SIPRNet, Secret to Top Secret-JWICs, etc.).

Owl offers a series of data diode cross domain solutions, from high-bandwidth server based solutions, to all-in-one appliance solutions, including highly mobile tactical solutions and even miniaturized solutions.


Owl’s patented data diode technology is a hardware-based solution, specifically designed for one-way data transfers. A data diode, similar to a diode circuit, is physically limited to one direction. No amount of configuration changes, malware installs, or credential stealing can change this. Owl CDSs utilize two data diodes in series, the first one sending data out of one network and the second receiving the data in a different network. The send diode is physically restricted to only send and the receive side is physically restricted to only receive.

The Owl data diodes use one-way optical separation within the CDS and enforce a network protocol break between the networks. The protocol break converts all data packets to a non-routable Asynchronous Transfer Mode (ATM) cell.


By implementing these two features Owl ensures the source and destination networks are not connected by an electrical wire, and the networks are not communicating via common routable protocols. Combined, these features ensure 100% network confidentiality enforced by segmentation.

Owl CDS are then coupled with a hardened Linux Operating System and mission specific data/content inspection. The hardened Linux OS provides for the continued availability of the system, and the content inspection ensures the integrity of the data flows between the networks.

The most significant advantages of a hardware-based solution, rather than software-based like other CDSs, are that it cannot be hacked or manipulated and can offer the fastest data rates available in a CDS, up to 10 Gbps.

