domain is known as the high side, and the less secure domain is the low side. Depending on the application, the

Transcription

1 Data diodes refer to unidirectional network links used in some high-security network architectures. This paper explains how data diodes are used to secure information and protect against intrusions; it also shows that Net Optics Taps and other monitoring access and control devices are, in fact, data diodes. The Highs and Lows of a Secure Environment When the highest possible data security is needed, an air gap is maintained between the secure domain and the rest of the world. The secure network domain simply has no physical connection to the outside world, so nothing can enter or leave by wire or wireless, only by sneaker net. ( Sneaker net means a person carrying a removable domain is known as the high side, and the less secure domain is the low side. Depending on the application, the not the other.) goal is to keep information secure within the high side. Figure 1 illustrates this type of application. In this case, leaving the defense contractor s network, satisfying the security requirement. However, the data diode does allow data from outside to move into the defense contractor s network so the contractor can receive important information from partners and suppliers. Traffic can flow in this direction data can be sent to the Defense Contractor High Side (More secure) Defense Contractor Internet Low Side (Less secure) Data Diode Traffic can NOT flow in this direction Defense Contractor s data is secure Figure 1: July

2 is to prevent intrusions and infections, but allow sharing of information from the high side. Figure 2 illustrates this type of application. In this case, a voting machine is connected through a data diode to the Internet, enabling the machine to send its vote count results to vote counting headquarters and to Web sites, while being completely secure from intruders hacking into the voting machine. Traffic can flow in this direction the Voting Machine can send vote counts to headquarters High Side (More secure) Voting Machine Internet Low Side (Less secure) Data Diode Traffic can NOT flow in this direction Intruders cannot hack into the Voting Machine Figure 2: How a Data Diode Works Full duplex fiber cable each direction of traffic flow has a dedicated fiber Return fiber broken. There is no path for data to flow from the switch to the router. Figure 3: July

3 If it is that easy to create a data diode, what are data diode vendors providing? It turns out that, in practice, protocols depend on two-way communication to establish and maintain connections. To take an example, you cannot get any data from to the Web site. For another example, if a TCP request does not receive an acknowledgement, the TCP connection terminates and no data is transferred. In order to make one-way communication work, a sophisticated data diode terminates the full duplex connection the proxy servers. This arrangement is illustrated in Figure 4. Data Diode Server Proxy Proxy Figure 4: Network Monitoring Taps Are Data Diodes (but Span ports are not!) Network monitoring applications use unidirectional communications intrinsically, because mirrored copies of network Network Taps are natural data diodes, and the most secure way to connect a monitoring tool to the network. Note Therefore, Span ports not suitable for high-security installations. Full Duplex Traffic Flow Net Optics Span Port Fiber Tap Mirrored Copy of Traffic One Way Traffic Flow Bidirectional Connection! Figure 5: Network taps are natural data diodes; switch Span ports are not! July

4 handshakes are expected from the monitoring tool. Therefore, proxy servers are not needed, and the simple data carry data from the tool to the Tap are completely absent. This can be seen in Figure 6. Fiber Tap Optical Splitter Optical Splitter No path for data to flow into the network link Monitoring Breakout Cable Figure 6: Network taps are natural data diodes The Fiber Tap is a device that consumes no power and needs no electricity. It is simply two optical splitters in a small chassis. Each splitter takes the signal being received at each network port and splits it in two, sending part of the signal down its usual path on the network, and the other part to the monitoring tool. To save space, the Fiber Tap provides a special monitoring breakout cable to break these two signals out to two standard duplex connectors which the network. The physics of the optical splitter guarantees that the signal will propagate towards the transmitting end July

5 Copper Taps Are Data Diodes Network Taps for copper media follow essentially the same topology as the Fiber Tap, as shown in Figure 7. Copper Tap No path for data to flow into the network link Figure 7: Network taps are natural data diodes Ethernet Physical Interfaces (s) negotiate which pins will be used for transmitting data and which for receiving Data Monitoring es and Network Controller es Are Data Diodes tool (or from the device s management interface, or from the device itself) to the inline network link. A sampling of Director TM ilink Agg TM Regeneration Taps TM itap TM July

6 Summary This paper has explained why data diodes are essential for creating completely secure network connections that access and control. Span ports, on the other hand, are n visibility including errors and malformed packets, totally passive behavior even when power fails, and never dropping topology, make Network Taps from Net Optics the best way to Tap into your Network. Sometimes Taps Are NOT Data Diodes As a rule, all Net Optics monitoring access and control devices are data diodes. But they say that rules are made to be broken, and the exception proves the rule. In this case, the exception is the Active Response Tap. This special type of Tap was created to meet the following customer requirement: When a monitoring Intrusion Detection System (IDS) detects certain types of illegal or unwanted network behavior, the IDS needs to be able to issue a TCP reset to the network to terminate the connection. The TCP reset is a normal set in the TCP header. In other words, the monitoring tool the IDS needs to be able to inject a packet onto the network. To meet this requirement, Net Optics developed the Active Response Tap, which is a copper Tap that has the and the connected. Active Response Taps are not data diodes, and therefore the possible security impacts should be evaluated carefully when choosing to use Active Response. But Active Response may not be the end of the story when it comes to Taps that are not data diodes. New applications are being invented that break the data diode model for monitoring access. One such invention is Link Layer Discovery Protocol (LLDP), which requires that every device, including monitoring access and control devices, must announce itself on the network to support auto-discovery of the network topology by network management systems. Like the Active Response case, LLDP requires that a small amount of traf- - rection into the network instead monitoring devices such as Intrusion Prevention Systems (IPSs) is another example where the data diode model is not appropriate. Therefore, Net Optics Bypass es, which create fail-safe ports for inline tools, are not data diodes. It will be interesting to see how the data diode model for monitoring access holds up as innovative new protocols and monitoring tools become part of the networking landscape. For further information about Network Taps and other data diode solutions: Net Optics, Inc Betsy Ross Drive Santa Clara, CA (408) [email protected] Distributed by: Network Performance Channel GmbH Ohmstr Langen Germany T: [email protected] July