Firewalls vs. Data Diodes
To see is to believe
When talking about Data Diodes, a question that people often ask is, “So, what’s the difference between firewalls and Data Diodes?”
We say that the two are complementary, as Data Diodes provide additional security measures for especially vulnerable network segments. Looking into more detail, however, it is clear that firewalls and Data Diodes have totally different concepts.
Firewalls separate two networks or systems, but permit restricted bi-directional data flow between them. Based on a pre-established rule set, they decide whether a given packet or connection may pass between your IT and OT networks. All firewalls implement this function in software. Some run on dedicated hardware, but they are still driven by software; the hardware merely hosts it. Because firewalls allow data to flow in both directions, they also allow potential interference from the open network to reach the operational, or critical, one, and their internal state is largely opaque to the operator. When poorly configured or affected by intrinsic vulnerabilities, firewalls themselves become risk factors.
In contrast to firewalls, Data Diodes take a different approach to separating two networks: they isolate them at the physical layer. Data flows in only one direction, from the secure site to the open network, and there is no way to transfer data in the reverse direction, because the hardware provides no physical path for it. Proxy servers on the OT side and the IT side run independently of each other to forward OT data to the IT side. This mechanism clearly reduces system flexibility, but it also raises the security level. Even in the worst-case scenario, where the IT-side proxy server is compromised, the important assets and systems on the OT side remain protected. Data Diodes are quite similar to the air-gap approach, but they permit real-time data transmission.
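The independent OT-side and IT-side proxies described above have one consequence that the prose only implies: with no return path, the receiver can never acknowledge a frame or ask for a retransmission, so the sending proxy has to make every frame self-describing (sequence number, total count, integrity check) and the receiving proxy can only detect loss, not repair it. The following toy model is an added example written for this page, not code from any Data Diode vendor; the `OneWayLink`, `ot_proxy_send` and `it_proxy_receive` names, the JSON frame layout and the OT telemetry string are all constructed for illustration.

```python
"""Toy model of a data-diode proxy pair (constructed example, not vendor code).

The link carries frames from OT to IT only. Because nothing can travel back,
the OT proxy fragments each message into numbered, checksummed frames, and the
IT proxy reassembles what arrives and reports gaps it cannot fill.
"""
import hashlib
import json
import zlib
from dataclasses import dataclass, field
from typing import Optional


class ReverseDirectionError(Exception):
    """Raised when something tries to push data from IT back towards OT."""


@dataclass
class OneWayLink:
    """Models the physical layer: frames travel OT -> IT only."""
    frames_in_flight: list = field(default_factory=list)

    def transmit_from_ot(self, frame: bytes) -> None:
        self.frames_in_flight.append(frame)

    def transmit_from_it(self, frame: bytes) -> None:
        # There is no transmitter on the IT side of the link, so any attempt
        # to send in this direction fails at the hardware level.
        raise ReverseDirectionError("no return path across a data diode")

    def drain(self) -> list:
        frames, self.frames_in_flight = self.frames_in_flight, []
        return frames


def ot_proxy_send(link: OneWayLink, payload: bytes, frame_size: int = 16) -> int:
    """Fragment payload into self-describing frames and push them across the link."""
    chunks = [payload[i:i + frame_size] for i in range(0, len(payload), frame_size)]
    digest = hashlib.sha256(payload).hexdigest()
    for seq, chunk in enumerate(chunks):
        frame = json.dumps({
            "seq": seq,
            "total": len(chunks),
            "sha256": digest,          # whole-message hash, repeated in every frame
            "crc": zlib.crc32(chunk),  # per-frame integrity check
            "data": chunk.hex(),
        }).encode()
        link.transmit_from_ot(frame)
    return len(chunks)


def it_proxy_receive(link: OneWayLink) -> dict:
    """Reassemble whatever arrived. Gaps can be detected but never repaired."""
    received = {}
    total = None
    digest = None
    for raw in link.drain():
        frame = json.loads(raw)
        chunk = bytes.fromhex(frame["data"])
        if zlib.crc32(chunk) != frame["crc"]:
            continue  # corrupted frame: drop it; there is no way to ask for it again
        received[frame["seq"]] = chunk
        total, digest = frame["total"], frame["sha256"]
    if total is None:
        return {"complete": False, "missing": [], "payload": b""}
    missing = [seq for seq in range(total) if seq not in received]
    payload = b"".join(received[seq] for seq in sorted(received))
    complete = not missing and hashlib.sha256(payload).hexdigest() == digest
    return {"complete": complete, "missing": missing, "payload": payload}


def transfer(payload: bytes, drop_seq: Optional[int] = None) -> dict:
    """Run one OT -> IT transfer, optionally losing one frame on the wire."""
    link = OneWayLink()
    ot_proxy_send(link, payload)
    if drop_seq is not None:
        link.frames_in_flight = [
            f for f in link.frames_in_flight if json.loads(f)["seq"] != drop_seq
        ]
    return it_proxy_receive(link)


def attempt_reverse(payload: bytes) -> bool:
    """Return True only if the IT side managed to send something back (it cannot)."""
    link = OneWayLink()
    try:
        link.transmit_from_it(payload)
    except ReverseDirectionError:
        return False
    return True


if __name__ == "__main__":
    telemetry = b"pressure=42.1 temp=318K valve=open"  # constructed OT sample
    print(transfer(telemetry))               # complete, all three frames present
    print(transfer(telemetry, drop_seq=1))   # incomplete, missing == [1]
    print(attempt_reverse(b"ack"))           # False: no door in this direction
```

The point of the lost-frame case is the design constraint a practitioner meets when putting a protocol across a diode: anything that relies on a handshake or acknowledgement (TCP, most request/response APIs) cannot traverse the link as-is, so real deployments terminate such protocols in the OT proxy and rely on redundancy, such as sending each frame more than once, rather than retransmission on request.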