ABSTRACT: A unidirectional security gateway device is widely used to transfer data in only one direction. Therefore, this
device is implemented to send and receive data between isolated networks that are disconnected in one direction, in order to ensure
information security. Moreover, it is deployed to protect the safety and reliability of various critical infrastructures. In this paper, a
unidirectional security gateway device is designed using optical fiber for unidirectional secure data transfer from a high/low-security
network to a low/high-security network. The proposed device has the advantage of avoiding leakage of sensitive information and
vulnerability scanning attacks.
Keywords: unidirectional data transfer, datadiode, industrial control system, government agencies, optical fiber.
I. INTRODUCTION
Technology networks within critical infrastructure, the government, and commercial businesses form the
backbone of developed nations [1]. As the modern world continues to be more data driven and interconnected, these
networks from enterprise scale all the way down to smaller office and home networks become more efficient,
intelligent, and unfortunately, vulnerable. From industrial control system monitoring and CCTV feeds to laptops and
intelligent home appliances, every new network connection introduces a new vector for cyberattack, and the surface
area for such vulnerabilities has exploded in recent years. As such, there is a pressing, global need for more effective
tools to combat cyber threats and protect these networks from attacks that might cause severe financial, physical, or
personal damage. Best practices for protecting these networks involve simplifying, reducing, and isolating network
connections, including segmenting networks from one another by creating either a virtual or physical separation
between them. However, physical or virtual separation can prevent information and data from getting to authorized
users, and these networks often contain a wealth of information that is far too valuable to simply cut off. The traditional
security challenge has been how to limit access, minimize risk, and keep these networks secure while getting valuable
operational data to authorized users when it’s needed.
A traditional approach is as simple as a one-way cable assembly: a pair of transmit/receive cables connecting two
computers, with one of the cables disconnected or clipped at one end. This leaves the two computers with a single
connection over which only one computer can transmit and the other can only receive. This configuration cannot be
hacked with software. However, as with any cable assembly architecture, a change in the cable arrangement, whether
accidental or intentional, defeats the security policy. Furthermore, the achieved data transfer rate is very slow, at several
Kbps, which cannot be used to transfer large files or streams. Another approach is a firewall-enabled policy that creates a
one-way transfer relying on software configuration. A firewall-enabled policy refers to an implementation of one or more
firewalls configured to transfer data in only one direction. Firewalls are particularly prone to probing and malware attacks,
as well as zero-day exploits of software flaws, and are completely reliant on policy, which can be changed.
Recently, one-way data transfer systems, generically called “datadiodes,” were designed specifically to address
this security problem by providing a hardened network defense while also securely sharing data. Datadiodes include
two electrically isolated diodes (one for sending, one for receiving) which maintain physical separation of source and
destination networks. The send side diode is inherently incapable of receiving data from the receive diode, while the
receive side diode is incapable of sending data back to the send side, ensuring secure one-way-only data transfer. The
datadiode uses a purposely designed non-routable one-way protocol to transfer data from the send side to the receive
side. It is built on a fundamental one-way-only design that is hardware enforced and coupled with hardened, built-in
proxy servers for high reliability and low latency. The basic functionality inside a datadiode is fairly straightforward.
Data travels on a one-way path between two embedded computing platforms connected by a single transmitter and
receiver – typically an LED and a photodetector connected by a fiber optic cable. Data is transmitted in the form of
light by the LED through the fiber optic cable and received by the photodetector on the other side. Though they are
connected solely through the single one-way connection, the send and receive sides are otherwise physically separated,
with no shared circuitry and no ability to transfer data bidirectionally, creating what is commonly referred to as an
effective “air gap”. Datadiodes isolate and protect networks from external cyber threats, while allowing these networks
to import or export data in a highly controlled, deterministic manner. This can involve anything from Supervisory
Control and Data Acquisition (SCADA) systems generating data in a nuclear power plant to transaction data created at
a bank’s ATMs [1, 2].
Pham Thi Huyen, Dinh The Cuong, Dao Tuan Hung, Luu Duc Anh, Dong Xuan Chinh 589
As a part of every organization’s “defense-in-depth” strategy [1], with layers of security working together to
protect data and systems, datadiodes are part of an evolving first line of defense on the edge of networks. In
combination with the other layers of cybersecurity tools, devices, software, and best practices in the defense-in-depth
strategy, datadiodes help users, operators, security professionals, and everyday people to reduce risk and provide the
strongest, best chance to protect their networks and data from cyber threats. Because of this, the U.S. Department of
Homeland Security now specifically recommends datadiodes in its seven strategies to protect critical infrastructure.
A unidirectional data transfer technology is a technique that prevents the leakage of important data due to
external hacking and security-related accidents. Recently, it has been introduced into separate networks such as
military and control networks to enhance security [3, 4]. It is one of the external-network data transmission
technologies: it physically blocks the line that would let data be transmitted from an internal network to an external
network, and so completely removes that external threat. A unidirectional security gateway system using this technique
is a network system in which data can travel in only one direction. A datadiode is a hardware-enforced unidirectional
data control network appliance that enables data to be transferred across physically separated networks securely,
without the risk of any data leakage [2]. Data is transmitted using one-way fiber optic communication, so it is physically
impossible for data to flow in the opposite direction, even if the datadiode malfunctions. The control of data flow is also
enforced at the application layer by deliberate selection of appropriate communication protocols.
To design a unidirectional security gateway system, the transfer protocol and the solutions ensuring reliability must
be taken into consideration. User Datagram Protocol (UDP) is one of the most commonly used protocols of the Internet
Protocol Suite. UDP's simple transmission model, with no connection setup, provides a fast way to transmit data [8].
Since UDP allows a performance-oriented design and needs no return path, and so offers unidirectional functionality, it
is suitable as the control protocol in the unidirectional data transfer system. In addition, forward error correction as well
as data sequence numbering are required to ensure reliability for unidirectional data transfer, because the receiver can
never request a retransmission [7, 8].
Currently, most research focuses on designing a unidirectional security gateway system to protect industrial
control systems, transferring data in only one direction from a high-security network to a low-security network.
However, critical infrastructures such as the military and government also have isolated networks that need to receive
data from a low-security network into a high-security network in only one direction. A unidirectional security gateway
system that transfers data in only one direction and can be applied both from a low-security network to a high-security
network and from a high-security network to a low-security network is therefore required.
In this paper, a unidirectional security gateway device is designed using optical fiber to physically separate two
networks; it transfers data in only one direction, from a low-security network to a high-security network or the reverse,
to avoid leakage of sensitive information and vulnerability scanning attacks. The rest of the paper is organized as
follows. Section II illustrates the architecture and detailed mechanism of the proposed system. Section III shows the
implementation results of the proposed system. In Section IV, the conclusions are given.
II. DESIGN OF THE PROPOSED UNIDIRECTIONAL SECURITY GATEWAY DEVICE
A. Overview of applications of the proposed unidirectional security gateway device
Fig 1. Application of the unidirectional security gateway device for securing critical information infrastructure
Fig. 1 shows a common application of the unidirectional security gateway device (datadiode): protecting
secured networks from external threats [5, 6]. In such cases, it is more critical for the systems to keep working properly
than to ensure that the data being transmitted is secured. Examples of such use cases are in the critical information
infrastructure sectors such as utilities. By connecting the SCADA networks to the enterprise information technology
(IT) networks securely with a datadiode, the operational status of individual utility plants can continue to be monitored
centrally while the plants remain isolated from any cyber threats.
590 DESIGN OF UNIDIRECTIONAL SECURITY GATEWAY DEVICE FOR SECURE DATA TRANSFER
Fig 2. Application of the unidirectional security gateway device for securing information and file transfer
Another application of the datadiode is to protect highly confidential or sensitive information, as shown in Fig. 2.
Common examples of such use cases would be in defence or banking sectors [3]. The datadiode will ensure a
unidirectional transfer of data from an unsecured network (e.g. internet) to a trusted or closed network (e.g. intranet). In
addition, the datadiode can be deployed together with a file cleansing solution to ensure that malware does not infiltrate
the closed network.
B. Architecture of the proposed unidirectional security gateway device
changes the optical signal to transfer data. The receive data manager performs the same function as the transfer data
manager in the unidirectional transmit system. The receive data manager uses the transfer data sequence number and a
content filter to check the reliability and security of the transferred data. Forward error correction in the receive data
manager performs decoding to correct the received data and enhance the reliability of the transfer. The receive
application is responsible for connection establishment and IP/port filtering between the receive host and the
unidirectional receiver in the higher-security area. This module supports TCP, UDP, FTP, etc., and the IP/port filter is
applied so that only authorized access on the whitelist is allowed, for security reinforcement.
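As an added illustration (not code from the paper or from the V10-DATADIODE device), the following Python model shows how sequence numbers and a simple per-block XOR forward error correction let a receive data manager like the one described above tolerate packet loss on a link with no return channel, and it computes the FLR metric used in the experiment of Section III. The chunk size, block size K and the header layout are assumptions chosen for the example.

```python
import struct

CHUNK = 8                   # payload bytes per packet (tiny, for illustration)
K = 4                       # data packets per FEC block, then 1 XOR parity packet
HDR = struct.Struct("!II")  # assumed header: sequence number, total packet count

def _xor(parts):
    """XOR fixed-size chunks: computes the parity and also repairs one loss."""
    acc = bytearray(CHUNK)
    for p in parts:
        for i, b in enumerate(p):
            acc[i] ^= b
    return bytes(acc)

def encode(data):
    """Sender: length prefix, fixed-size chunks, one parity packet per block."""
    body = struct.pack("!I", len(data)) + data
    chunks = [body[i:i + CHUNK].ljust(CHUNK, b"\0") for i in range(0, len(body), CHUNK)]
    blocks = [chunks[i:i + K] for i in range(0, len(chunks), K)]
    total, packets = len(chunks) + len(blocks), []
    for group in blocks:
        for payload in group + [_xor(group)]:   # K data packets, then parity
            packets.append(HDR.pack(len(packets), total) + payload)
    return packets

def decode(received):
    """Receiver: reorder by sequence number, repair at most one lost packet per
    block; returns the file, or None when a block lost two or more packets."""
    got = {HDR.unpack_from(p)[0]: p[HDR.size:] for p in received}
    total = HDR.unpack_from(received[0])[1] if received else 0
    body = bytearray()
    for base in range(0, total, K + 1):
        seqs = list(range(base, min(base + K + 1, total)))
        missing = [s for s in seqs if s not in got]
        if len(missing) > 1:
            return None                 # beyond the FEC budget: the file is lost
        if missing:                     # XOR of the other packets restores it
            got[missing[0]] = _xor(got[s] for s in seqs if s != missing[0])
        for s in seqs[:-1]:             # last seq of each block is the parity
            body += got[s]
    if len(body) < 4:
        return None
    return bytes(body[4:4 + struct.unpack_from("!I", body)[0]])

def file_loss_rate(files, drop):
    """FLR = LossFile / SendFile after a channel drops the given sequence numbers."""
    lost = sum(decode([p for p in encode(f) if HDR.unpack_from(p)[0] not in drop]) != f
               for f in files)
    return lost / len(files)
```

One lost packet per block is repaired from the parity; a second loss in the same block leaves the file unrecoverable, which is why a one-way receiver must count such files rather than ask for them again.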
III. IMPLEMENTATION RESULTS
Fig 5. Web application interface for users in both sender and receiver using unidirectional secure gateway device
To evaluate the reliability of the proposed unidirectional secure gateway device, an experiment is performed
with the parameters shown in Table 2. The proposed unidirectional secure gateway device is used to transmit files of
different sizes (1G, 1.5G, 3G, 5G, 10G) at different transmission rates (100 Mbps, 200 Mbps, 300 Mbps); the test data
is recorded and the file loss rate (FLR) is calculated as FLR = LossFile/SendFile. The experimental results show that
no file loss occurs at transmission rates lower than 300 Mbps. When the transmission rate is higher than 300 Mbps,
file loss occurs on the receive side.
Table 2. Experiment parameters to evaluate the file loss using unidirectional secure gateway device
No.  Parameter                  Values
1    Transmission rate (Mbps)   100, 200, 300
2    Sending protocol           UDP
3    Bandwidth                  1 Gbps
4    Test file size (bytes)     1G, 1.5G, 3G, 5G, 10G
5    Test number                100
IV. CONCLUSION
In this paper, a unidirectional security gateway device, named V10-DATADIODE, is designed and implemented to
guarantee the reliability and security of transferred data. The experimental results show that the device achieved a
throughput of 300 Mbps without any data loss. Furthermore, a web application is developed that lets users upload
multiple files simultaneously. V10-DATADIODE has high performance and can be used for unidirectional data transfer
in the industrial control area as well as in military and government settings where isolated networks exist. The proposed
device demonstrates a variety of applications, such as file transfer, database backup and UDP streaming, that transfer
data in only one direction between the isolated networks.
ACKNOWLEDGMENT
This work was supported by National Laboratory of Information Security, Ha Noi, Vietnam.
REFERENCES
[1] Scott W. Coleman, “The definitive guide to datadiode technologies from simple to state of the art”, Aug. 2019.
[2] ST Electronics, “DigiSAFE Datadiode”, 2019.
[3] Data Breach QuickView Report, Data Breach Trends - Year End 2017, Risk Based Security, Inc.
[4] Andrew Ginter, “Unidirectional security gateways: NOT your grandma’s datadiodes”,
[5] Youngjun Heo, Jungchan Na, "Development of unidirectional security gateway appliance using intel 82580EB NIC
interface," 2016 International Conference on Information and Communication Technology Convergence (ICTC), pp. 1194-1196,
2016.
[6] Y. Heo, B. Kim, D. Kang and J. Na, "A design of unidirectional security gateway for enforcement reliability and security of
transmission data in industrial control systems," 18th International Conference on Advanced Communication Technology (ICACT),
pp. 310-313, 2016.
[7] Lin Honggang, “Research on Packet loss issues in Unidirectional Transmission”, Journal of computers, vol. 8, No. 10, Oct. 2013.
[8] Valentin Stanciu, Mugurel Ionut Andreica, Vlad Olaru, and Nicolae Tapus, “Design and development of a UDP-based
connection-oriented multi-stream one-to-many communication protocol”, Journal of telecommunications and information
technology, Jan. 2012.
Phạm Thị Huyền, Đinh Thế Cường, Đào Tuấn Hùng, Lưu Đức Anh, Đồng Xuân Chinh
ABSTRACT (Vietnamese version): A unidirectional security gateway device is widely used to transfer data in only one direction.
Therefore, this device is implemented to send and receive data between isolated networks that are not connected in the reverse
direction, in order to ensure information security. Furthermore, the unidirectional security gateway device is deployed to protect the
safety and reliability of critical infrastructures. In this paper, a unidirectional security gateway device is designed using optical fiber
for secure one-way data transfer from a high/low-security network to a low/high-security network. The proposed device has the
advantage of avoiding leakage of confidential information and vulnerability scanning attacks.