SlideShare a Scribd company logo

Data diode

Download as PPTX, PDF
A
Aman Verma

A unidirectional network (also referred to as a unidirectional security gateway or data diode) is a network appliance or device allowing data to travel only in one direction, used in guaranteeing information security. They are most commonly found in high security environments such as defense, where they serve as connections between two or more networks of differing security classification –also known as a "cross domain solution." This technology is also found at the industrial control level for such facilities as nuclear power plants, electric power generation/distribution, oil and gas production, water/wastewater, airplanes (between flight control units and in-flight entertainment systems), and manufacturing

Technology
1 of 43
Data Diode Aman Ranjan Verma Anand Kumar Jha Megha Sharma S. Pravin Sumit Bothra Under the guidance of: Harish Reddy Image Source: owlcyberdefense-ebook_the-definitive-guide-to-data-diode-technologies.pdf
Problem Description Complexity and frequency of cyber attacks against plant control systems is rising, as is the corporate demand for real time access to plant control system data. Supervisory Control and Data Acquisition/Industrial Control Systems (SCADA/ICS) perform an essential role in ensuring the safe, reliable operation of critical infrastructure. High availability requirements and often safety related functionality demand that these systems be protected against deliberate and inadvertent incidents which could compromise their operation. Image Source: https://www.youtube.com/watch?v=qtWYVihHz5w
Traditional Solutions To The Problem : A study performed by the Centre for the Protection of National Infrastructure (CPNI) identified that when connecting control systems to external networks, only a small number of architectures are typically used, these range from hosts with dual network interface cards to multi-tiered combinations of switches and routers. The study concluded however, that the most secure, manageable and scalable segregation architectures were those based on a three zone system such as a De-Militarised Zone (DMZ). A DMZ provides a means of protecting two networks from each other whilst still allowing for the sharing of data or resources. Creating a DMZ involves placing a firewall offering three or more interfaces, or a pair of firewalls between the plant system and the external network.
DMZ(De-Militarised Zone ) https://cdn.ttgtmedia.com/rms/onlineimages/sdn-dmz_network_architecture_mobile.png
The use of a DMZ is not without its drawbacks. Vulnerabilities can exist within the firewalls and the shared systems that could allow an attacker to gain control of the DMZ and launch further attacks against the control system. These vulnerabilities can arise due to incorrectly configured firewall rule sets, unauthorised administrative access or from errors in the design or implementation of the various components of the DMZ. Even a properly configured and maintained DMZ is not immune from the possibility of 0-day (previously unknown) exploits that could provide a means of attack. Drawbacks of DMZ
Firewall • At their most basic, firewalls work like a filter between your computer/network and the Internet. • You can program what you want to get out and what you want to get in. Everything else is not allowed. Image Source: https://www.comodo.com/resources/home/how-firewalls-work.php Drawbacks • It can degrade your system's performance as Packet filtering takes time. • Firewall policies can be very restrictive and can limit users from performing legitimate operations. • Using backdoor exploits limits the firewall's capability to secure your network, as data transmitted through these back doors is not filtered or examined at all.
Gateway •A gateway is a node (router) in a computer network, a key stopping point for data on its way to or from other networks. Thanks to gateways, we are able to communicate and send data back and forth. •When a computer-server acts as a gateway, it also operates as a firewall and a proxy server. A firewall keeps out unwanted traffic and outsiders off a private network. •A proxy server is software that "sits" between programs on your computer that you use (such as a Web browser) and a computer server—the computer that serves your network. Drawbacks • If a gateway fails, then communication will be lost on the network. • Troubleshooting a gateway can be difficult as different tools are necessary for finding problems on computers with different protocols. This communication cannot be restored until the problem is located.
Data Diode Technology
Diode  Diodes are semiconductor devices, in which current flows in only one direction based on biasing voltage applied.  If diodes are forward biased, then they act like a short circuit and allow current to flow through it.  If diodes are reverse biased, then they act like an open circuit and hence no current flows through it.
What is Data Diode?  Data diodes are hardware devices or software that are used to implement unidirectional data transfer between two devices.  In data diodes, there is one device which only sends data to the network and the other device which only receives data through the network. Data Send Only Data Receive Only
OPTICAL DATA DIODE
OPTICAL DATA DIODE Requirements: • Three fibre optic transceivers • Two Ethernet cards • Power supply • fibre optic and copper cable 12 • A data diode is a computer security device that restricts the communication along a network connection between two computers so that data can only be transmitted in one direction. • Since the data diode has a single fiber-optic cable, it is impossible to reverse transmissions due to the basic laws of physics https://www.researchgate.net/publication/267954959_An_Implementation_of_an_Optical_Data_Diode [accessed Jul 17 2018].
 Three fibre optic transceivers, the third fibre optic transceiver is required simply to supply a carrier signal to the lower side transceiver which will not work if it does not see the appropriate carrier signal.  Two ethernet cards. One ethernet card is put in each of the gateway work stations so that the two workstations are linked by a dedicated sub-network in order to avoid the possibility of packet collision with other network traffic  A power supply for the third fibre optic transceiver. The power for this could be tapped from the cable that connects the other fibre optic transceiver to the low side ethernet card, if this card can supply enough power for two cards.  Appropriate fibre optic and copper cable to make connections as in next figure. 13 Optical Data Diode(Conti…) https://www.researchgate.net/publication/267954959_An_Implementation_of_an_Optical_Data_Diode [accessed Jul 17 2018].
Implementation 14 Destination Source https://www.researchgate.net/publication/267954959_An_Implementation_of_an_Optical_Data_Diode [accessed Jul 17 2018].
Optical Data Diodes(Conti...) • An optical data diode neatly separates into a hardware component and a software component. • The configuration of the hardware is entirely responsible for providing confidentiality security. • The software is responsible for providing the functionality or services through the one way link. • Software like virus checkers can be added to provide integrity protection, although this is not at the same high level of assurance as the confidentiality assurance provided by the optical data diode. 15https://www.researchgate.net/publication/267954959_An_Implementation_of_an_Optical_Data_Diode [accessed Jul 17 2018].
16https://www.researchgate.net/publication/267954959_An_Implementation_of_an_Optical_Data_Diode [accessed Jul 17 2018]. Destination Source
Advantages • The design of the optical data diode is very simple. Assurance that it is prohibiting communication in the reverse direction is confirmed by visual inspection of the configuration. • The simple design should also enable easy accreditation by the local accrediting authority. • Such a data diode can be built easily. 17 Disadvantages • The main disadvantage of this design is the fact that the delivery of data from the low side to the high side is in theory unreliable. • In practice it can be very reliable but there is no absolute guarantee that delivery will always occur.
Data Diodes using Proxy Servers in Modbus Protocol
Typical Modbus TCP Communication  The Modbus TCP Communication is based on Client / Server Request-Response Communication  In this Protocol, the Client (MTU) requests for data. Based on the request received by the Server (RTU) , the response is provided to the Client.
Data Diode Model For Modbus Protocol RTU Server Proxy Server 1 Proxy Server 2 MTU Client Request Request Response Response
Data Diode Model For Modbus Protocol  The RTU Server and Proxy 1 Server communicates at Modbus Port no 502. The Proxy 1 acts like a Client with respect to RTU and sends request to the RTU. The RTU checks the request, and based on the request, sends a response to the Proxy Server 1.  The Proxy Server 1 acquires the data, the forwards the data to the Proxy Server 2. Here the data transfer is unidirectional and hence the data transfer cannot take place from Proxy Server 2 to Proxy Server 1. Hence the data diode is implemented between Proxy Server 1 and Proxy Server 2. Here is transferred from any port other than 1 to 1023 port.  The MTU requests data from Proxy Server 2 form the same Port 502. Here the proxy acts like the RTU Server and thus provides data to the MTU. The MTU then forwards the data to the database as well as to the HMI.
Port : 502 RTU Proxy 1 Proxy 2 MTU Port : 502Port : 4000 Data Transfer in Data Diodes
Demonstration Server Proxy 1 Proxy 2 Client
For acquiring Different Field Device data RTU Server Proxy Server 1 Proxy Server 2 MTU Client Request Request Response Response
Advantages of Data Diode  Since the data transfer is unidirectional, it is very much secure and it is very much difficult to conduct an attack at the RTU/Server  It can be applicable on various other protocols and is not only bound to Modbus.  Even if any attack is successfully conducted at the MTU, the attacker cannot perform any attack at the RTU as the Proxies only communicate in unidirectional mode. Disadvantages  Since the data transfer is unidirectional in nature, actuators cannot be used in the above model. Hence it limits our usage to only to sensors and the control signals cannot be sent through it.  The Data can still be retrieved from Proxy Server 1, but no control commands can be given.
Applications  SCADA System  IoT  In Isolating a Server from the Corporate Network
Data Diode using ATM Protocol
Data Diode using ATM Protocol • Hardware based cyber security(Dual Diode). • Hardware is designed to only be one-way. • Impervious to software changes or attacks. • Either it will work as intended to work or will not work at all. • Deploy non-routable ATM protocol break between the two segmented network. Source: Owl Cyber Defense Server Client Send only Receive only
Why ATM(Asynchronous Transfer Mode) ? • It was designed to move large amount of data asynchronously. • Large data rates. • High quality (high bandwidth optical fiber). • No packet loss.  As a result we get quality of service, non routable protocol break which maintains 100% confidentiality and it’s all forced in hardware so it can’t change.  The optic cable doesn’t have any security and if any attacker want to intercept data through cable, ATM protocol doesn’t allow since it doesn’t have the concept of source and destination address. Source: Owl Cyber Defense
Detailed view Server Client IP Proxy IP Proxy Ethernet ATM transport Ethernet Air Gap Routing Table • Payload of datagrams are embedded into non-routable ATM cell which then is transmitted using ATM channel number. The routing table looks for ATM channel number and decides what to do with the data. • Also in this scenario the inside IP address does not make it to the outside.
• Driven by the integration of services and performance requirements of both telephony and data networking(IP Based). • Transmit information in small fixed size packets, cells(allowed fast h/w switching) • Cells are transmitted asynchronously. • The Network is connection oriented.(statistical multiplexing) • Each cell is 53 bytes long – 5 bytes header and 48 bytes payload. • ATM is independent of transmission medium. They may be sent on a wire or fiber by themselves or they may also be packaged inside the payload of other carrier systems. • Making an ATM call requires first sending a message to setup a connection. Subsequently all cells follow the same path to the destination. About ATM statistical multiplexing : similar to dynamic bandwidth allocation (DBA)
ATM Vs Telephony • Phone networks are synchronous(periodic). • Phone network uses circuit switching whereas ATM network uses “Packet” or “Cell” switching with virtual circuits. • In phone networks, all rates are multiple of 64 kbps. With ATM we can get any rate, and we can vary our rate with time. Source: https://www.youtube.com/watch?v=IPuLZSOye4c (NPTEL)
ATM Vs Data Networks(IP Based) • ATM cell – Fixed/small Size • IP Packets: Variable size • ATM uses 20 Byte global addresses for signaling and 32-bit locally-assigned labels in cells. Whereas IP uses 32-bit global addresses in all packets. • ATM offers sophisticated traffic management whereas TCP/IP: congestion control is packet loss-based. Source: https://www.youtube.com/watch?v=IPuLZSOye4c (NPTEL)
ATM: Fixed size Packets • Simpler Buffer Hardware Packet arrival and departure requires us to manage fixed buffer sizes. • Simpler scheduling Each cell takes a constant chunk of bandwidth to transmit. Drawback: Overhead for sending small amount of data. Segmentation and reassembly cost.
ATM Layer • AAL Convergence sublayer SAR: Segmentation and reassembly sublayer • ATM Layer Performing Routing, Switching, traffic management, multiplexing • Physical Layer PMD: Physical Medium Dependent sublayer Transmission Convergence sublayer Image Source: http://www.rfwireless-world.com/images/ATM-protocol-stack.jpg
Industries in need of Data Diode as cyber security • Nuclear Power Plant (between process control plant and their outside business network). • Fossil and hydro generation plant. • Oil and Gas companies. • Petrochemical, water management and wastewater. • Mining companies. A fossil fuel power station is a power station which burns a fossil fuel such as coal, natural gas, or petroleum to produce electricity.  Our work is to explain our technology and use cases and see how it can fit into their architecture.
Firewall Based Mechanism
Firewall Based Mechanism Image Source: owlcyberdefense-ebook_the-definitive-guide-to-data-diode-technologies.pdf
Firewall Based Mechanism (Conti…) •Relies on Software Configuration •They communicate through Ethernet cables. •A pair of firewalls configured back-to-back provide a more secure implementation •Firewall on source side is configured to filter traffic from source side •Firewall on destination side is configured to deny the traffic from destination side. Prone to Malware attacks due to vulnerabilities of software-based solutions.
Comparative Assessment of Various Data Diode Implementation Techniques Specifications Optical Data Diode Proxy Based Data Diode ATM Based Data Diode Firewall Based Mechanism Connection One- Way with optical fiber One-way with proxy servers One –Way with optical fiber One-way with Software Configured Protocol UDP MODBUS ATM TCP-IP Routability Routable Routable Non-Routable Routable Reliability Unreliable Unreliable Highly Reliable Reliable Throughput Low Low High Moderate Image Source: owlcyberdefense-ebook_the-definitive-guide-to-data-diode-technologies.pdf
 Expanding Domain Of Data Diodes in Govt, Military, Critical Infrastructure, Financial Services, Telecommunications.  The Cybersecurity goal of any organization to minimize risks while preserving data availability seems achievable with the advent of ATM Based Data Diode  Advanced Technology will enable network segments to get smaller, providing better security.  As IoT expands, Security becomes prime concern & Data Diodes provide promising solution  The Unhackable nature of Hardware based solutions with new innovations for greater efficiency, flexibility & performance presents a bright future ahead. CONCLUSION / WAY FORWARD
References owlcyberdefense-ebook_the-definitive-guide-to-data-diode-technologies.pdf https://www.owlcyberdefense.com/about-data-diodes/ A study of cyber security policy in industrial control system using data diodes, IEEE Paper https://www.opswat.com/blog/why-data-diodes-are-essential-isolated-and-classified-networks https://www.baesystems.com/en/product/data-diode-solution The Technique of Network Diode, IEEE Paper https://www.advenica.com/en/cds/data-diodes The application of data diodes for securely connecting nuclear power plant safety systems to the corporate IT network, IEEE Paper https://en.wikipedia.org/wiki/Unidirectional_network
Data diode

Recommended

Network monitoring tools
Network monitoring toolsNetwork monitoring tools
Network monitoring toolsQaswarBosan
 
Apple talk
Apple talkApple talk
Apple talkSagar Raravi
 
network monitoring system ppt
network monitoring system pptnetwork monitoring system ppt
network monitoring system pptashutosh rai
 
Chap 12 tcp
Chap 12 tcpChap 12 tcp
Chap 12 tcpSparsh Samir
 
Anatomy of an AP
Anatomy of an APAnatomy of an AP
Anatomy of an APAruba, a Hewlett Packard Enterprise company
 
DCS Introduction
DCS IntroductionDCS Introduction
DCS IntroductionPranavAutomation
 
EMEA Airheads_ Aruba AppRF – AOS 6.x & 8.x
EMEA Airheads_ Aruba AppRF – AOS 6.x & 8.xEMEA Airheads_ Aruba AppRF – AOS 6.x & 8.x
EMEA Airheads_ Aruba AppRF – AOS 6.x & 8.xAruba, a Hewlett Packard Enterprise company
 
Introduction to SCADA
Introduction to SCADAIntroduction to SCADA
Introduction to SCADAPraveen Kumar
 

Recommended

Network monitoring tools
Network monitoring toolsNetwork monitoring tools
Network monitoring toolsQaswarBosan
 
Apple talk
Apple talkApple talk
Apple talkSagar Raravi
 
network monitoring system ppt
network monitoring system pptnetwork monitoring system ppt
network monitoring system pptashutosh rai
 
Chap 12 tcp
Chap 12 tcpChap 12 tcp
Chap 12 tcpSparsh Samir
 
Anatomy of an AP
Anatomy of an APAnatomy of an AP
Anatomy of an APAruba, a Hewlett Packard Enterprise company
 
DCS Introduction
DCS IntroductionDCS Introduction
DCS IntroductionPranavAutomation
 
EMEA Airheads_ Aruba AppRF – AOS 6.x & 8.x
EMEA Airheads_ Aruba AppRF – AOS 6.x & 8.xEMEA Airheads_ Aruba AppRF – AOS 6.x & 8.x
EMEA Airheads_ Aruba AppRF – AOS 6.x & 8.xAruba, a Hewlett Packard Enterprise company
 
Introduction to SCADA
Introduction to SCADAIntroduction to SCADA
Introduction to SCADAPraveen Kumar
 
Artificial Intelligence in the Network
Artificial Intelligence in the Network Artificial Intelligence in the Network
Artificial Intelligence in the Network Michelle Holley
 
CCDE Experience
CCDE ExperienceCCDE Experience
CCDE ExperienceHimawan Nugroho
 
What is Ethernet
What is EthernetWhat is Ethernet
What is EthernetSimplilearn
 
Ethernet
EthernetEthernet
EthernetMihika Shah
 
M2M technology in IOT
M2M technology in IOTM2M technology in IOT
M2M technology in IOTshashidharPapishetty
 
Secure Network Design
Secure Network DesignSecure Network Design
Secure Network DesignConferencias FIST
 
CAN (Controller Area Network) Bus Protocol
CAN (Controller Area Network) Bus ProtocolCAN (Controller Area Network) Bus Protocol
CAN (Controller Area Network) Bus ProtocolAbhinaw Tiwari
 
Chapter 7
Chapter 7Chapter 7
Chapter 7Ali Broumandnia
 
SCADA
SCADASCADA
SCADASABARINATH C D
 
Ieee 802.11 wireless lan
Ieee 802.11 wireless lanIeee 802.11 wireless lan
Ieee 802.11 wireless lanParthipan Parthi
 
Distributed IP-PBX
Distributed IP-PBX Distributed IP-PBX
Distributed IP-PBX Bangladesh Network Operators Group
 
Scada system architecture, types and applications
Scada system architecture, types and applicationsScada system architecture, types and applications
Scada system architecture, types and applicationsUchi Pou
 
Everything you should know about SCADA
Everything you should know about SCADAEverything you should know about SCADA
Everything you should know about SCADAChaiTik Yong
 
Communication Protocols
Communication ProtocolsCommunication Protocols
Communication ProtocolsPranavAutomation
 
Scada
ScadaScada
Scadabilly_lx
 
Network Management Fundamentals - Back to the Basics
Network Management Fundamentals - Back to the BasicsNetwork Management Fundamentals - Back to the Basics
Network Management Fundamentals - Back to the BasicsSolarWinds
 
Ch1 internet Networks
Ch1 internet NetworksCh1 internet Networks
Ch1 internet Networkscairo university
 
Network Monitoring System
Network Monitoring SystemNetwork Monitoring System
Network Monitoring SystemRofiq Fauzi
 
SENSOR NETWORK PLATFORMS AND TOOLS
SENSOR NETWORK PLATFORMS AND TOOLSSENSOR NETWORK PLATFORMS AND TOOLS
SENSOR NETWORK PLATFORMS AND TOOLSjuno susi
 
Top Down Network Design - ebrahma.com
Top Down Network Design - ebrahma.comTop Down Network Design - ebrahma.com
Top Down Network Design - ebrahma.comPawan Sharma
 
Introduction to computer_lec_05_fall_2018
Introduction to computer_lec_05_fall_2018Introduction to computer_lec_05_fall_2018
Introduction to computer_lec_05_fall_2018Ramadan Babers, PhD
 
A SURVEY OF COMPUTER NETWORKING THEORY AND PRACTICE
A SURVEY OF COMPUTER NETWORKING THEORY AND PRACTICEA SURVEY OF COMPUTER NETWORKING THEORY AND PRACTICE
A SURVEY OF COMPUTER NETWORKING THEORY AND PRACTICEIRJET Journal
 

More Related Content

What's hot

Artificial Intelligence in the Network
Artificial Intelligence in the Network Artificial Intelligence in the Network
Artificial Intelligence in the Network Michelle Holley
 
What is Ethernet
What is EthernetWhat is Ethernet
What is EthernetSimplilearn
 
CAN (Controller Area Network) Bus Protocol
CAN (Controller Area Network) Bus ProtocolCAN (Controller Area Network) Bus Protocol
CAN (Controller Area Network) Bus ProtocolAbhinaw Tiwari
 
Scada system architecture, types and applications
Scada system architecture, types and applicationsScada system architecture, types and applications
Scada system architecture, types and applicationsUchi Pou
 
Everything you should know about SCADA
Everything you should know about SCADAEverything you should know about SCADA
Everything you should know about SCADAChaiTik Yong
 
Network Management Fundamentals - Back to the Basics
Network Management Fundamentals - Back to the BasicsNetwork Management Fundamentals - Back to the Basics
Network Management Fundamentals - Back to the BasicsSolarWinds
 
Network Monitoring System
Network Monitoring SystemNetwork Monitoring System
Network Monitoring SystemRofiq Fauzi
 
SENSOR NETWORK PLATFORMS AND TOOLS
SENSOR NETWORK PLATFORMS AND TOOLSSENSOR NETWORK PLATFORMS AND TOOLS
SENSOR NETWORK PLATFORMS AND TOOLSjuno susi
 
Top Down Network Design - ebrahma.com
Top Down Network Design - ebrahma.comTop Down Network Design - ebrahma.com
Top Down Network Design - ebrahma.comPawan Sharma
 

What's hot (20)

Artificial Intelligence in the Network
Artificial Intelligence in the Network Artificial Intelligence in the Network
Artificial Intelligence in the Network
 
CCDE Experience
CCDE ExperienceCCDE Experience
CCDE Experience
 
What is Ethernet
What is EthernetWhat is Ethernet
What is Ethernet
 
Ethernet
EthernetEthernet
Ethernet
 
M2M technology in IOT
M2M technology in IOTM2M technology in IOT
M2M technology in IOT
 
Secure Network Design
Secure Network DesignSecure Network Design
Secure Network Design
 
CAN (Controller Area Network) Bus Protocol
CAN (Controller Area Network) Bus ProtocolCAN (Controller Area Network) Bus Protocol
CAN (Controller Area Network) Bus Protocol
 
Chapter 7
Chapter 7Chapter 7
Chapter 7
 
SCADA
SCADASCADA
SCADA
 
Ieee 802.11 wireless lan
Ieee 802.11 wireless lanIeee 802.11 wireless lan
Ieee 802.11 wireless lan
 
Distributed IP-PBX
Distributed IP-PBX Distributed IP-PBX
Distributed IP-PBX
 
Scada system architecture, types and applications
Scada system architecture, types and applicationsScada system architecture, types and applications
Scada system architecture, types and applications
 
Everything you should know about SCADA
Everything you should know about SCADAEverything you should know about SCADA
Everything you should know about SCADA
 
Communication Protocols
Communication ProtocolsCommunication Protocols
Communication Protocols
 
Scada
ScadaScada
Scada
 
Network Management Fundamentals - Back to the Basics
Network Management Fundamentals - Back to the BasicsNetwork Management Fundamentals - Back to the Basics
Network Management Fundamentals - Back to the Basics
 
Ch1 internet Networks
Ch1 internet NetworksCh1 internet Networks
Ch1 internet Networks
 
Network Monitoring System
Network Monitoring SystemNetwork Monitoring System
Network Monitoring System
 
SENSOR NETWORK PLATFORMS AND TOOLS
SENSOR NETWORK PLATFORMS AND TOOLSSENSOR NETWORK PLATFORMS AND TOOLS
SENSOR NETWORK PLATFORMS AND TOOLS
 
Top Down Network Design - ebrahma.com
Top Down Network Design - ebrahma.comTop Down Network Design - ebrahma.com
Top Down Network Design - ebrahma.com
 

Similar to Data diode

Introduction to computer_lec_05_fall_2018
Introduction to computer_lec_05_fall_2018Introduction to computer_lec_05_fall_2018
Introduction to computer_lec_05_fall_2018Ramadan Babers, PhD
 
A SURVEY OF COMPUTER NETWORKING THEORY AND PRACTICE
A SURVEY OF COMPUTER NETWORKING THEORY AND PRACTICEA SURVEY OF COMPUTER NETWORKING THEORY AND PRACTICE
A SURVEY OF COMPUTER NETWORKING THEORY AND PRACTICEIRJET Journal
 
A SURVEY OF COMPUTER NETWORKING THEORY AND PRACTICE
A SURVEY OF COMPUTER NETWORKING THEORY AND PRACTICEA SURVEY OF COMPUTER NETWORKING THEORY AND PRACTICE
A SURVEY OF COMPUTER NETWORKING THEORY AND PRACTICEKate Campbell
 
Mastering IoT Design: Sense, Process, Connect: Processing: Turning IoT Data i...
Mastering IoT Design: Sense, Process, Connect: Processing: Turning IoT Data i...Mastering IoT Design: Sense, Process, Connect: Processing: Turning IoT Data i...
Mastering IoT Design: Sense, Process, Connect: Processing: Turning IoT Data i...Deepak Shankar
 
Intern
InternIntern
InternAwake9
 
SCADA.pptx supervisory control and data aquasition
SCADA.pptx supervisory control and data aquasitionSCADA.pptx supervisory control and data aquasition
SCADA.pptx supervisory control and data aquasitionRapidAcademy
 
Redundant Gateway for industrial Ethernet ring. White Paper. WoMaster
Redundant Gateway for industrial Ethernet ring. White Paper. WoMasterRedundant Gateway for industrial Ethernet ring. White Paper. WoMaster
Redundant Gateway for industrial Ethernet ring. White Paper. WoMasterWoMaster
 
Computer Network, Internet, Computer Security and Cyber Ethics
Computer Network, Internet, Computer Security and Cyber EthicsComputer Network, Internet, Computer Security and Cyber Ethics
Computer Network, Internet, Computer Security and Cyber EthicsSubas Paudel
 
Module name is Networks 512 As the demand for faster and .pdf
Module name is Networks 512 As the demand for faster and .pdfModule name is Networks 512 As the demand for faster and .pdf
Module name is Networks 512 As the demand for faster and .pdffreddysarabia1
 
05 - Networking Components and Devices.ppt
05 - Networking Components and Devices.ppt05 - Networking Components and Devices.ppt
05 - Networking Components and Devices.pptssuserf7cd2b
 
Wireless security
Wireless securityWireless security
Wireless securitySalma Elhag
 
COM526_Lecture 1.pdf
COM526_Lecture 1.pdfCOM526_Lecture 1.pdf
COM526_Lecture 1.pdfSherefHesham
 
Install network cable module CSS NC2
Install network cable module CSS NC2Install network cable module CSS NC2
Install network cable module CSS NC2wilfredo dela cerna
 
Networking devices(siddique)
Networking devices(siddique)Networking devices(siddique)
Networking devices(siddique)Siddique Ibrahim
 
Practical communications considerations for protection engineers
Practical communications considerations for protection engineersPractical communications considerations for protection engineers
Practical communications considerations for protection engineersJose J. Rodriguez Alvarez, MEM
 
1. Ch # 02 1st year computer science notes
1. Ch # 02 1st year computer science notes1. Ch # 02 1st year computer science notes
1. Ch # 02 1st year computer science notesmuhammadFaheem656405
 

Similar to Data diode (20)

Introduction to computer_lec_05_fall_2018
Introduction to computer_lec_05_fall_2018Introduction to computer_lec_05_fall_2018
Introduction to computer_lec_05_fall_2018
 
A SURVEY OF COMPUTER NETWORKING THEORY AND PRACTICE
A SURVEY OF COMPUTER NETWORKING THEORY AND PRACTICEA SURVEY OF COMPUTER NETWORKING THEORY AND PRACTICE
A SURVEY OF COMPUTER NETWORKING THEORY AND PRACTICE
 
A SURVEY OF COMPUTER NETWORKING THEORY AND PRACTICE
A SURVEY OF COMPUTER NETWORKING THEORY AND PRACTICEA SURVEY OF COMPUTER NETWORKING THEORY AND PRACTICE
A SURVEY OF COMPUTER NETWORKING THEORY AND PRACTICE
 
Networks
Networks Networks
Networks
 
Introduction to computer_lec_05
Introduction to computer_lec_05Introduction to computer_lec_05
Introduction to computer_lec_05
 
Mastering IoT Design: Sense, Process, Connect: Processing: Turning IoT Data i...
Mastering IoT Design: Sense, Process, Connect: Processing: Turning IoT Data i...Mastering IoT Design: Sense, Process, Connect: Processing: Turning IoT Data i...
Mastering IoT Design: Sense, Process, Connect: Processing: Turning IoT Data i...
 
Intern
InternIntern
Intern
 
SCADA.pptx supervisory control and data aquasition
SCADA.pptx supervisory control and data aquasitionSCADA.pptx supervisory control and data aquasition
SCADA.pptx supervisory control and data aquasition
 
Redundant Gateway for industrial Ethernet ring. White Paper. WoMaster
Redundant Gateway for industrial Ethernet ring. White Paper. WoMasterRedundant Gateway for industrial Ethernet ring. White Paper. WoMaster
Redundant Gateway for industrial Ethernet ring. White Paper. WoMaster
 
Computer Network, Internet, Computer Security and Cyber Ethics
Computer Network, Internet, Computer Security and Cyber EthicsComputer Network, Internet, Computer Security and Cyber Ethics
Computer Network, Internet, Computer Security and Cyber Ethics
 
Module name is Networks 512 As the demand for faster and .pdf
Module name is Networks 512 As the demand for faster and .pdfModule name is Networks 512 As the demand for faster and .pdf
Module name is Networks 512 As the demand for faster and .pdf
 
05 - Networking Components and Devices.ppt
05 - Networking Components and Devices.ppt05 - Networking Components and Devices.ppt
05 - Networking Components and Devices.ppt
 
Lan networks
Lan networksLan networks
Lan networks
 
Wireless security
Wireless securityWireless security
Wireless security
 
COM526_Lecture 1.pdf
COM526_Lecture 1.pdfCOM526_Lecture 1.pdf
COM526_Lecture 1.pdf
 
Install network cable module CSS NC2
Install network cable module CSS NC2Install network cable module CSS NC2
Install network cable module CSS NC2
 
Networking devices(siddique)
Networking devices(siddique)Networking devices(siddique)
Networking devices(siddique)
 
Practical communications considerations for protection engineers
Practical communications considerations for protection engineersPractical communications considerations for protection engineers
Practical communications considerations for protection engineers
 
Basic networking
Basic networkingBasic networking
Basic networking
 
1. Ch # 02 1st year computer science notes
1. Ch # 02 1st year computer science notes1. Ch # 02 1st year computer science notes
1. Ch # 02 1st year computer science notes
 

Recently uploaded

Artificial intelligence in the post-deep learning era
Artificial intelligence in the post-deep learning eraArtificial intelligence in the post-deep learning era
Artificial intelligence in the post-deep learning eraDeakin University
 
Making_way_through_DLL_hollowing_inspite_of_CFG_by_Debjeet Banerjee.pptx
Making_way_through_DLL_hollowing_inspite_of_CFG_by_Debjeet Banerjee.pptxMaking_way_through_DLL_hollowing_inspite_of_CFG_by_Debjeet Banerjee.pptx
Making_way_through_DLL_hollowing_inspite_of_CFG_by_Debjeet Banerjee.pptxnull - The Open Security Community
 
Unleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding ClubUnleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding ClubKalema Edgar
 
Presentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreterPresentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreternaman860154
 
Understanding the Laravel MVC Architecture
Understanding the Laravel MVC ArchitectureUnderstanding the Laravel MVC Architecture
Understanding the Laravel MVC ArchitecturePixlogix Infotech
 
Install Stable Diffusion in windows machine
Install Stable Diffusion in windows machineInstall Stable Diffusion in windows machine
Install Stable Diffusion in windows machinePadma Pradeep
 
08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking MenDelhi Call girls
 
Designing IA for AI - Information Architecture Conference 2024
Designing IA for AI - Information Architecture Conference 2024Designing IA for AI - Information Architecture Conference 2024
Designing IA for AI - Information Architecture Conference 2024Enterprise Knowledge
 
Benefits Of Flutter Compared To Other Frameworks
Benefits Of Flutter Compared To Other FrameworksBenefits Of Flutter Compared To Other Frameworks
Benefits Of Flutter Compared To Other FrameworksSoftradix Technologies
 
The Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptxThe Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptxMalak Abu Hammad
 
APIForce Zurich 5 April Automation LPDG
APIForce Zurich 5 April Automation LPDGAPIForce Zurich 5 April Automation LPDG
APIForce Zurich 5 April Automation LPDGMarianaLemus7
 
My Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 PresentationMy Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 PresentationRidwan Fadjar
 
FULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | Delhi
FULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | DelhiFULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | Delhi
FULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | Delhisoniya singh
 
Injustice - Developers Among Us (SciFiDevCon 2024)
Injustice - Developers Among Us (SciFiDevCon 2024)Injustice - Developers Among Us (SciFiDevCon 2024)
Injustice - Developers Among Us (SciFiDevCon 2024)Allon Mureinik
 
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 3652toLead Limited
 
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024BookNet Canada
 
Breaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path MountBreaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path MountPuma Security, LLC
 
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmaticsKotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmaticscarlostorres15106
 
Transcript: New from BookNet Canada for 2024: BNC BiblioShare - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC BiblioShare - Tech Forum 2024Transcript: New from BookNet Canada for 2024: BNC BiblioShare - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC BiblioShare - Tech Forum 2024BookNet Canada
 
"Federated learning: out of reach no matter how close",Oleksandr Lapshyn
"Federated learning: out of reach no matter how close",Oleksandr Lapshyn"Federated learning: out of reach no matter how close",Oleksandr Lapshyn
"Federated learning: out of reach no matter how close",Oleksandr LapshynFwdays
 

Recently uploaded (20)

Artificial intelligence in the post-deep learning era
Artificial intelligence in the post-deep learning eraArtificial intelligence in the post-deep learning era
Artificial intelligence in the post-deep learning era
 
Making_way_through_DLL_hollowing_inspite_of_CFG_by_Debjeet Banerjee.pptx
Making_way_through_DLL_hollowing_inspite_of_CFG_by_Debjeet Banerjee.pptxMaking_way_through_DLL_hollowing_inspite_of_CFG_by_Debjeet Banerjee.pptx
Making_way_through_DLL_hollowing_inspite_of_CFG_by_Debjeet Banerjee.pptx
 
Unleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding ClubUnleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding Club
 
Presentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreterPresentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreter
 
Understanding the Laravel MVC Architecture
Understanding the Laravel MVC ArchitectureUnderstanding the Laravel MVC Architecture
Understanding the Laravel MVC Architecture
 
Install Stable Diffusion in windows machine
Install Stable Diffusion in windows machineInstall Stable Diffusion in windows machine
Install Stable Diffusion in windows machine
 
08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men
 
Designing IA for AI - Information Architecture Conference 2024
Designing IA for AI - Information Architecture Conference 2024Designing IA for AI - Information Architecture Conference 2024
Designing IA for AI - Information Architecture Conference 2024
 
Benefits Of Flutter Compared To Other Frameworks
Benefits Of Flutter Compared To Other FrameworksBenefits Of Flutter Compared To Other Frameworks
Benefits Of Flutter Compared To Other Frameworks
 
The Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptxThe Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptx
 
APIForce Zurich 5 April Automation LPDG
APIForce Zurich 5 April Automation LPDGAPIForce Zurich 5 April Automation LPDG
APIForce Zurich 5 April Automation LPDG
 
My Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 PresentationMy Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 Presentation
 
FULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | Delhi
FULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | DelhiFULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | Delhi
FULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | Delhi
 
Injustice - Developers Among Us (SciFiDevCon 2024)
Injustice - Developers Among Us (SciFiDevCon 2024)Injustice - Developers Among Us (SciFiDevCon 2024)
Injustice - Developers Among Us (SciFiDevCon 2024)
 
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
 
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
 
Breaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path MountBreaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path Mount
 
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmaticsKotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
 
Transcript: New from BookNet Canada for 2024: BNC BiblioShare - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC BiblioShare - Tech Forum 2024Transcript: New from BookNet Canada for 2024: BNC BiblioShare - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC BiblioShare - Tech Forum 2024
 
"Federated learning: out of reach no matter how close",Oleksandr Lapshyn
"Federated learning: out of reach no matter how close",Oleksandr Lapshyn"Federated learning: out of reach no matter how close",Oleksandr Lapshyn
"Federated learning: out of reach no matter how close",Oleksandr Lapshyn
 

Data diode

  • 1. Data Diode Aman Ranjan Verma Anand Kumar Jha Megha Sharma S. Pravin Sumit Bothra Under the guidance of: Harish Reddy Image Source: owlcyberdefense-ebook_the-definitive-guide-to-data-diode-technologies.pdf
  • 2. Problem Description Complexity and frequency of cyber attacks against plant control systems is rising, as is the corporate demand for real time access to plant control system data. Supervisory Control and Data Acquisition/Industrial Control Systems (SCADA/ICS) perform an essential role in ensuring the safe, reliable operation of critical infrastructure. High availability requirements and often safety related functionality demand that these systems be protected against deliberate and inadvertent incidents which could compromise their operation. Image Source: https://www.youtube.com/watch?v=qtWYVihHz5w
  • 3. Traditional Solutions To The Problem : A study performed by the Centre for the Protection of National Infrastructure (CPNI) identified that when connecting control systems to external networks, only a small number of architectures are typically used, these range from hosts with dual network interface cards to multi-tiered combinations of switches and routers. The study concluded however, that the most secure, manageable and scalable segregation architectures were those based on a three zone system such as a De-Militarised Zone (DMZ). A DMZ provides a means of protecting two networks from each other whilst still allowing for the sharing of data or resources. Creating a DMZ involves placing a firewall offering three or more interfaces, or a pair of firewalls between the plant system and the external network.
  • 5. The use of a DMZ is not without its drawbacks. Vulnerabilities can exist within the firewalls and the shared systems that could allow an attacker to gain control of the DMZ and launch further attacks against the control system. These vulnerabilities can arise due to incorrectly configured firewall rule sets, unauthorised administrative access or from errors in the design or implementation of the various components of the DMZ. Even a properly configured and maintained DMZ is not immune from the possibility of 0-day (previously unknown) exploits that could provide a means of attack. Drawbacks of DMZ
  • 6. Firewall • At their most basic, firewalls work like a filter between your computer/network and the Internet. • You can program what you want to get out and what you want to get in. Everything else is not allowed. Image Source: https://www.comodo.com/resources/home/how-firewalls-work.php Drawbacks • It can degrade your system's performance as Packet filtering takes time. • Firewall policies can be very restrictive and can limit users from performing legitimate operations. • Using backdoor exploits limits the firewall's capability to secure your network, as data transmitted through these back doors is not filtered or examined at all.
  • 7. Gateway •A gateway is a node (router) in a computer network, a key stopping point for data on its way to or from other networks. Thanks to gateways, we are able to communicate and send data back and forth. •When a computer-server acts as a gateway, it also operates as a firewall and a proxy server. A firewall keeps out unwanted traffic and outsiders off a private network. •A proxy server is software that "sits" between programs on your computer that you use (such as a Web browser) and a computer server—the computer that serves your network. Drawbacks • If a gateway fails, then communication will be lost on the network. • Troubleshooting a gateway can be difficult as different tools are necessary for finding problems on computers with different protocols. This communication cannot be restored until the problem is located.
  • 9. Diode  Diodes are semiconductor devices, in which current flows in only one direction based on biasing voltage applied.  If diodes are forward biased, then they act like a short circuit and allow current to flow through it.  If diodes are reverse biased, then they act like an open circuit and hence no current flows through it.
  • 10. What is Data Diode?  Data diodes are hardware devices or software that are used to implement unidirectional data transfer between two devices.  In data diodes, there is one device which only sends data to the network and the other device which only receives data through the network. Data Send Only Data Receive Only
  • 12. OPTICAL DATA DIODE Requirements: • Three fibre optic transceivers • Two Ethernet cards • Power supply • fibre optic and copper cable 12 • A data diode is a computer security device that restricts the communication along a network connection between two computers so that data can only be transmitted in one direction. • Since the data diode has a single fiber-optic cable, it is impossible to reverse transmissions due to the basic laws of physics https://www.researchgate.net/publication/267954959_An_Implementation_of_an_Optical_Data_Diode [accessed Jul 17 2018].
  • 13.  Three fibre optic transceivers, the third fibre optic transceiver is required simply to supply a carrier signal to the lower side transceiver which will not work if it does not see the appropriate carrier signal.  Two ethernet cards. One ethernet card is put in each of the gateway work stations so that the two workstations are linked by a dedicated sub-network in order to avoid the possibility of packet collision with other network traffic  A power supply for the third fibre optic transceiver. The power for this could be tapped from the cable that connects the other fibre optic transceiver to the low side ethernet card, if this card can supply enough power for two cards.  Appropriate fibre optic and copper cable to make connections as in next figure. 13 Optical Data Diode(Conti…) https://www.researchgate.net/publication/267954959_An_Implementation_of_an_Optical_Data_Diode [accessed Jul 17 2018].
  • 15. Optical Data Diodes(Conti...) • An optical data diode neatly separates into a hardware component and a software component. • The configuration of the hardware is entirely responsible for providing confidentiality security. • The software is responsible for providing the functionality or services through the one way link. • Software like virus checkers can be added to provide integrity protection, although this is not at the same high level of assurance as the confidentiality assurance provided by the optical data diode. 15https://www.researchgate.net/publication/267954959_An_Implementation_of_an_Optical_Data_Diode [accessed Jul 17 2018].
  • 17. Advantages • The design of the optical data diode is very simple. Assurance that it is prohibiting communication in the reverse direction is confirmed by visual inspection of the configuration. • The simple design should also enable easy accreditation by the local accrediting authority. • Such a data diode can be built easily. 17 Disadvantages • The main disadvantage of this design is the fact that the delivery of data from the low side to the high side is in theory unreliable. • In practice it can be very reliable but there is no absolute guarantee that delivery will always occur.
  • 18. Data Diodes using Proxy Servers in Modbus Protocol
  • 19. Typical Modbus TCP Communication  The Modbus TCP Communication is based on Client / Server Request-Response Communication  In this Protocol, the Client (MTU) requests for data. Based on the request received by the Server (RTU) , the response is provided to the Client.
  • 20. Data Diode Model For Modbus Protocol RTU Server Proxy Server 1 Proxy Server 2 MTU Client Request Request Response Response
  • 21. Data Diode Model For Modbus Protocol  The RTU Server and Proxy 1 Server communicates at Modbus Port no 502. The Proxy 1 acts like a Client with respect to RTU and sends request to the RTU. The RTU checks the request, and based on the request, sends a response to the Proxy Server 1.  The Proxy Server 1 acquires the data, the forwards the data to the Proxy Server 2. Here the data transfer is unidirectional and hence the data transfer cannot take place from Proxy Server 2 to Proxy Server 1. Hence the data diode is implemented between Proxy Server 1 and Proxy Server 2. Here is transferred from any port other than 1 to 1023 port.  The MTU requests data from Proxy Server 2 form the same Port 502. Here the proxy acts like the RTU Server and thus provides data to the MTU. The MTU then forwards the data to the database as well as to the HMI.
  • 22. Port : 502 RTU Proxy 1 Proxy 2 MTU Port : 502Port : 4000 Data Transfer in Data Diodes
  • 24. For acquiring Different Field Device data RTU Server Proxy Server 1 Proxy Server 2 MTU Client Request Request Response Response
  • 25. Advantages of Data Diode  Since the data transfer is unidirectional, it is very much secure and it is very much difficult to conduct an attack at the RTU/Server  It can be applicable on various other protocols and is not only bound to Modbus.  Even if any attack is successfully conducted at the MTU, the attacker cannot perform any attack at the RTU as the Proxies only communicate in unidirectional mode. Disadvantages  Since the data transfer is unidirectional in nature, actuators cannot be used in the above model. Hence it limits our usage to only to sensors and the control signals cannot be sent through it.  The Data can still be retrieved from Proxy Server 1, but no control commands can be given.
  • 26. Applications  SCADA System  IoT  In Isolating a Server from the Corporate Network
  • 27. Data Diode using ATM Protocol
  • 28. Data Diode using ATM Protocol • Hardware based cyber security(Dual Diode). • Hardware is designed to only be one-way. • Impervious to software changes or attacks. • Either it will work as intended to work or will not work at all. • Deploy non-routable ATM protocol break between the two segmented network. Source: Owl Cyber Defense Server Client Send only Receive only
  • 29. Why ATM(Asynchronous Transfer Mode) ? • It was designed to move large amount of data asynchronously. • Large data rates. • High quality (high bandwidth optical fiber). • No packet loss.  As a result we get quality of service, non routable protocol break which maintains 100% confidentiality and it’s all forced in hardware so it can’t change.  The optic cable doesn’t have any security and if any attacker want to intercept data through cable, ATM protocol doesn’t allow since it doesn’t have the concept of source and destination address. Source: Owl Cyber Defense
  • 30. Detailed view Server Client IP Proxy IP Proxy Ethernet ATM transport Ethernet Air Gap Routing Table • Payload of datagrams are embedded into non-routable ATM cell which then is transmitted using ATM channel number. The routing table looks for ATM channel number and decides what to do with the data. • Also in this scenario the inside IP address does not make it to the outside.
  • 31. • Driven by the integration of services and performance requirements of both telephony and data networking(IP Based). • Transmit information in small fixed size packets, cells(allowed fast h/w switching) • Cells are transmitted asynchronously. • The Network is connection oriented.(statistical multiplexing) • Each cell is 53 bytes long – 5 bytes header and 48 bytes payload. • ATM is independent of transmission medium. They may be sent on a wire or fiber by themselves or they may also be packaged inside the payload of other carrier systems. • Making an ATM call requires first sending a message to setup a connection. Subsequently all cells follow the same path to the destination. About ATM statistical multiplexing : similar to dynamic bandwidth allocation (DBA)
  • 32. ATM Vs Telephony • Phone networks are synchronous(periodic). • Phone network uses circuit switching whereas ATM network uses “Packet” or “Cell” switching with virtual circuits. • In phone networks, all rates are multiple of 64 kbps. With ATM we can get any rate, and we can vary our rate with time. Source: https://www.youtube.com/watch?v=IPuLZSOye4c (NPTEL)
  • 33. ATM Vs Data Networks(IP Based) • ATM cell – Fixed/small Size • IP Packets: Variable size • ATM uses 20 Byte global addresses for signaling and 32-bit locally-assigned labels in cells. Whereas IP uses 32-bit global addresses in all packets. • ATM offers sophisticated traffic management whereas TCP/IP: congestion control is packet loss-based. Source: https://www.youtube.com/watch?v=IPuLZSOye4c (NPTEL)
  • 34. ATM: Fixed size Packets • Simpler Buffer Hardware Packet arrival and departure requires us to manage fixed buffer sizes. • Simpler scheduling Each cell takes a constant chunk of bandwidth to transmit. Drawback: Overhead for sending small amount of data. Segmentation and reassembly cost.
  • 35. ATM Layer • AAL Convergence sublayer SAR: Segmentation and reassembly sublayer • ATM Layer Performing Routing, Switching, traffic management, multiplexing • Physical Layer PMD: Physical Medium Dependent sublayer Transmission Convergence sublayer Image Source: http://www.rfwireless-world.com/images/ATM-protocol-stack.jpg
  • 36. Industries in need of Data Diode as cyber security • Nuclear Power Plant (between process control plant and their outside business network). • Fossil and hydro generation plant. • Oil and Gas companies. • Petrochemical, water management and wastewater. • Mining companies. A fossil fuel power station is a power station which burns a fossil fuel such as coal, natural gas, or petroleum to produce electricity.  Our work is to explain our technology and use cases and see how it can fit into their architecture.
  • 38. Firewall Based Mechanism Image Source: owlcyberdefense-ebook_the-definitive-guide-to-data-diode-technologies.pdf
  • 39. Firewall Based Mechanism (Conti…) •Relies on Software Configuration •They communicate through Ethernet cables. •A pair of firewalls configured back-to-back provide a more secure implementation •Firewall on source side is configured to filter traffic from source side •Firewall on destination side is configured to deny the traffic from destination side. Prone to Malware attacks due to vulnerabilities of software-based solutions.
  • 40. Comparative Assessment of Various Data Diode Implementation Techniques Specifications Optical Data Diode Proxy Based Data Diode ATM Based Data Diode Firewall Based Mechanism Connection One- Way with optical fiber One-way with proxy servers One –Way with optical fiber One-way with Software Configured Protocol UDP MODBUS ATM TCP-IP Routability Routable Routable Non-Routable Routable Reliability Unreliable Unreliable Highly Reliable Reliable Throughput Low Low High Moderate Image Source: owlcyberdefense-ebook_the-definitive-guide-to-data-diode-technologies.pdf
  • 41.  Expanding Domain Of Data Diodes in Govt, Military, Critical Infrastructure, Financial Services, Telecommunications.  The Cybersecurity goal of any organization to minimize risks while preserving data availability seems achievable with the advent of ATM Based Data Diode  Advanced Technology will enable network segments to get smaller, providing better security.  As IoT expands, Security becomes prime concern & Data Diodes provide promising solution  The Unhackable nature of Hardware based solutions with new innovations for greater efficiency, flexibility & performance presents a bright future ahead. CONCLUSION / WAY FORWARD
  • 42. References owlcyberdefense-ebook_the-definitive-guide-to-data-diode-technologies.pdf https://www.owlcyberdefense.com/about-data-diodes/ A study of cyber security policy in industrial control system using data diodes, IEEE Paper https://www.opswat.com/blog/why-data-diodes-are-essential-isolated-and-classified-networks https://www.baesystems.com/en/product/data-diode-solution The Technique of Network Diode, IEEE Paper https://www.advenica.com/en/cds/data-diodes The application of data diodes for securely connecting nuclear power plant safety systems to the corporate IT network, IEEE Paper https://en.wikipedia.org/wiki/Unidirectional_network