TCP Applications On Data Diode

Patents & Trademarks Discussion Forum

TCP Applications On Data Diode

Postby Ario » Sat Nov 19, 2016 2:41 pm

Sir,

Most applications (web browsing, FTP, e-mail, etc.) need the TCP protocol. How will these applications be implemented on a data diode?

Regards

ANSWER: There are 2 ways:

1) The first way is to put proxies at each side of the data diode.  The proxies speak TCP/IP to the hosts on "their side" of the data diode, and use some proprietary mechanism to go one-way over the diode.  For example, in the case of an HTTP GET from a web server: if the web server was on the higher-security side of a data diode, the proxy on the high side would have a list of pages that the web server contains and it might periodically send all pages to the proxy on the low side; the proxy on the low side would act as a web server to the clients on the low side.  When the low-side proxy got a GET request from a client it would just serve the pages it had been "pushed" during the last push interval from the high-side proxy.

2) The second way, which is patented, is to use a 3rd-party proxy that is able to connect to both sides of the diode.  Acknowledgements (like TCP ACKs) come from the proxy, even though the TCP transmits going the other direction would be sent directly through.  Needless to say, the data diode doesn't work well when there is a need for bidirectional communication at the application level; you would not be able to buy a book off Amazon using a shopping cart through a data diode.  A data diode is only useful when information can flow in one direction, for example if you were remotely monitoring a nuclear power plant and you did not need to remotely control the reactor, you just needed to keep an eye on the power level of the reactor from a remote insecure location.

The fundamental point of a data diode is to prevent remote control.  If a diode is implemented from high side to low side it does not prevent leakage of sensitive information, but it does prevent users on the low side from affecting the kind of information the high side presents; the high side can only disseminate information that its programmers have determined is OK to present.

If a diode is implemented from low side to high side it cannot prevent damage from being done from low side to high side (a low-side user could, for example, send an rsh command to "rm -r /" to a secure server), but once more it does prevent low-side users from getting any data at all from the high side.

Thus, the security abilities of a data diode are likely tremendously overrated by the general public; its primary usefulness is to impede an attacker's ability to run the kind of send-and-get-immediate-feedback scenario that would be characteristic of a remote attacker who was unfamiliar with the network behind a diode and wanted to quickly map it out through a discovery procedure.  However, it does not prevent security leakage.

---------- FOLLOW-UP ----------

The same functionality can also be achieved with a firewall by defining proper rules.  In that case, how do a firewall and a data diode differ?
Ario
 
Posts: 41
Joined: Mon Jan 13, 2014 12:03 pm
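The proxy-pair scheme from the ANSWER above, as an added toy model that is not code from the thread or from any data diode product: the simulated link has no method for the low side to send anything back, the high-side proxy pushes the whole page set once per push interval, and the low-side proxy answers GET requests from the last push only (so a page changed on the high side stays stale until the next push). All names and the sample page are constructed for the example.

```python
from collections import deque


class OneWayLink:
    """Simulated diode: frames go high -> low only; no method sends anything back."""
    def __init__(self):
        self._frames = deque()
    def high_send(self, snapshot):
        self._frames.append(dict(snapshot))  # copy: later high-side edits stay high-side
    def low_receive(self):
        return self._frames.popleft() if self._frames else None


class HighSideProxy:
    """Knows the high-side web server's pages; pushes them all each push interval."""
    def __init__(self, link, pages):
        self.link, self.pages = link, pages
    def push(self):
        self.link.high_send(self.pages)


class LowSideProxy:
    """Plays web server for low-side clients using only pushed data."""
    def __init__(self, link):
        self.link, self.cache = link, {}
    def poll(self):
        frame = self.link.low_receive()
        if frame is not None:
            self.cache = frame  # the whole mirror is replaced at each push
    def handle_get(self, path):
        # A miss is answered locally; nothing is ever relayed to the high side.
        if path in self.cache:
            return 200, self.cache[path]
        return 404, "not mirrored"


def demo():
    # Constructed sample page standing in for the high-side web server.
    link = OneWayLink()
    high = HighSideProxy(link, {"/status": "reactor power 97%"})
    low = LowSideProxy(link)
    before = low.handle_get("/status")  # nothing pushed yet
    high.push()
    low.poll()
    served = low.handle_get("/status")  # answered from the last push
    high.pages["/status"] = "reactor power 95%"
    stale = low.handle_get("/status")   # unchanged until the next push
    return before, served, stale
```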

TCP Applications On Data Diode

Postby Kaycie » Sat Nov 26, 2016 10:01 am

The firewall can be compromised, and once it is done so it can be used as a jumping off point to run the kind of send-and-get-immediate-feedback scenario that would be characteristic of a remote attacker who was unfamiliar with the network behind the firewall, and wanted to map it out through a discovery procedure.

A data diode cannot be used as a jumping off point because even if the insecure side proxy is completely "owned" by the remote attacker over a network, the remote attacker still cannot establish a 2-way connection to the secure side because the connection itself is only one way.  A data diode implies that the connection has a physical component that makes it only one direction.  For example an ethernet connection with the transmit pair missing, etc.

I hope I get a high score on your homework. ;-)
Kaycie
 
Posts: 24
Joined: Wed Apr 09, 2014 10:06 am
