More secure than a firewall, more reliable than a data diode
The Cybersecurity and Infrastructure Security Agency (CISA) recently released guidance on securing Industrial Control Systems (ICS) to help protect U.S. critical infrastructure and maintain national security. The guidance identifies eight focus areas, with recommendations on ICS network architecture and perimeter security. The network architecture and perimeter security recommendations establish the need for a segmented, multi-layered network architecture and for a DMZ that isolates the ICS infrastructure.
Rather than relying on firewalls, the recommendation specifically calls out the use of one-way communication diodes, where possible, to prevent external access. Firewalls can play a role in a defense-in-depth strategy, but they should not be your only line of defense.
The Fallibility of Firewalls
Firewalls are prone to misconfiguration and human error, either of which can undermine your network segmentation strategy and leave your infrastructure open to attack. Firewalls must therefore be continually monitored and kept up to date, which means significant recurring operational cost as well as high compliance-reporting cost.
Unlike firewalls, data diodes or unidirectional gateways are designed to enforce one-way data flows, creating a tightly secured perimeter around critical assets. Originally designed for military applications and used to secure data transfers between networks of different security classifications, data diodes have gained acceptance in critical infrastructure markets over the past decade. Diodes are used to enforce a secure perimeter between the lower ICS layers and the DMZ and are designed to replicate data from the ICS to the DMZ and higher layers.
Firewalls are complex to configure and operate, and they are themselves subject to security vulnerabilities. The steady stream of CVEs published by the major firewall vendors makes this clear: nearly fifty published security bulletins, several of them critical, including exposures to Apache Log4j. An entire product category (Algosec, Tufin, Skybox and others) has grown up around streamlining and automating firewall operations to cope with this complexity. Unidirectional security gateways are therefore an important component for enforcing one-way communications.
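To make the misconfiguration point concrete, here is an added example (not code from OPSWAT or from the original post): a small Python audit that checks a firewall rule set against a one-way OT-to-DMZ intent. The rule model, the zone names OT, DMZ and IT, and the sample rules are all constructed for illustration and do not correspond to any real vendor's rule syntax or deployment. It flags any allow rule that lets a connection be initiated into the OT zone, any OT egress that bypasses the DMZ, and any any-protocol/any-port allow rule.

```python
"""Audit a firewall rule set against a one-way OT -> DMZ policy.

Added example (not OPSWAT's or the post's code). The rule model, the zone
names OT/DMZ/IT and the sample rules are constructed for illustration.
"""
from dataclasses import dataclass
from typing import List, Tuple


@dataclass(frozen=True)
class Rule:
    name: str
    action: str      # "allow" or "deny"
    src_zone: str    # zone that initiates the connection ("any" = wildcard)
    dst_zone: str
    proto: str       # "tcp", "udp" or "any"
    dst_port: str    # "502", "1024-65535" or "any"


# Constructed sample rule set; first match wins, as on most firewalls.
SAMPLE_RULES: List[Rule] = [
    Rule("historian-replication", "allow", "OT",  "DMZ", "tcp", "1433"),
    Rule("opc-ua-to-dmz",         "allow", "OT",  "DMZ", "tcp", "4840"),
    Rule("vendor-remote-support", "allow", "IT",  "OT",  "tcp", "3389"),  # wrong direction
    Rule("temp-troubleshooting",  "allow", "DMZ", "OT",  "any", "any"),   # wrong direction, any/any
    Rule("ot-to-cloud-direct",    "allow", "OT",  "IT",  "tcp", "443"),   # skips the DMZ
    Rule("default-deny",          "deny",  "any", "any", "any", "any"),
]


def port_width(spec: str) -> int:
    """Number of destination ports a port specification covers."""
    if spec == "any":
        return 65536
    if "-" in spec:
        lo, hi = (int(x) for x in spec.split("-"))
        return hi - lo + 1
    return 1


def audit(rules: List[Rule], protected: str = "OT",
          allowed_egress: Tuple[str, ...] = ("DMZ",)) -> List[Tuple[str, str]]:
    """Return (rule name, finding) pairs for every allow rule that breaks the
    one-way intent: nothing may initiate a connection into the protected zone,
    the protected zone may only talk to the sanctioned DMZ, and no allow rule
    may be any-protocol/any-port.

    Note that even a compliant OT -> DMZ allow rule still produces a two-way
    TCP session at the packet level, because the stateful firewall forwards
    the replies; only a protocol break (as in a diode or unidirectional
    gateway) removes that return path.
    """
    findings: List[Tuple[str, str]] = []
    for r in rules:
        if r.action != "allow":
            continue
        if r.dst_zone in (protected, "any"):
            findings.append((r.name, f"inbound-initiation-into-{protected}"))
        if r.src_zone == protected and r.dst_zone not in allowed_egress:
            findings.append((r.name, "egress-bypasses-dmz"))
        if r.proto == "any" and port_width(r.dst_port) > 1024:
            findings.append((r.name, "overly-broad"))
    return findings


if __name__ == "__main__":
    for name, finding in audit(SAMPLE_RULES):
        print(f"{name:24s} {finding}")
```

Running it on the constructed rule set reports four findings across three rules; the two sanctioned OT-to-DMZ rules pass. The check is deliberately direction-centric because that is what a one-way perimeter is about: a rule that is "only" a vendor remote-support port is still an inbound initiation path into the control network.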
Unidirectional Security Gateway or Data Diode?
While data diodes are designed to provide "air gap" level security, their architecture creates data reliability problems. The source side of a data diode cannot detect the operational status of the destination side, nor can it know whether the destination network or endpoint is available. If the destination network is degraded or the endpoint is down, the source side keeps transmitting anyway, resulting in data loss and synchronization issues. To work around this, data diode vendors have implemented retransmission, which consumes network bandwidth and still does not fully eliminate data loss. As the volume of data shared between OT and IT continues to grow, the operational cost of data diodes due to data loss and synchronization issues will become a growing financial burden for industrial operations.
| Unidirectional security gateway | Firewall / data diode |
|---|---|
| One-way data transfer | Firewalls are inherently two-way; they can be configured for one-way transfer, but only through rules that must be kept correct |
| Non-routable protocol break | Firewalls route TCP or UDP packets end to end |
| Low operational cost | Firewalls require recurring monitoring of rules and configurations, analysis of logs and alerts, and active monitoring for compliance |
| Assured data delivery | The data diode source side delivers blindly to the destination, resulting in potential data loss and synchronization issues |
| Low network bandwidth utilization | Data replication across a diode often requires retransmission and data backfill to ensure data integrity, consuming bandwidth |
| Network connectivity status | Data diodes cannot throttle data based on network connectivity status |
| Data synchronization, overrun protection | Data diodes are a weak link when source and destination must stay synchronized; they lose data whenever the destination is unavailable |
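The loss and bandwidth trade-off described above (and summarized in the table's assured delivery, bandwidth and overrun rows) can be reproduced with a small simulation. This is an added illustration, not OPSWAT or data diode vendor code, and it models nothing about NetWall's own delivery mechanism: it simply sends sequence-numbered datagrams across a channel with no feedback, optionally transmitting each one several times, and lets the receiver report which sequence numbers never arrived. The `drop` predicate, the `outage` window and the sample parameters are constructed assumptions.

```python
"""Simulate blind transmission across a one-way link (data diode model).

Added illustration, not vendor code. The source has no feedback channel, so
it cannot learn what was lost; sending each message `copies` times is the
only lever it has, and that costs bandwidth while still not covering an
outage of the destination.
"""
import random
from typing import Callable, Dict, List, Optional, Tuple


def simulate(n_messages: int, copies: int = 1,
             drop: Optional[Callable[[int], bool]] = None,
             outage: Optional[Tuple[int, int]] = None) -> Dict:
    """Send n_messages, each `copies` times, over a one-way link.

    drop    -- predicate on the wire datagram index; True means the link
               dropped that datagram (constructed loss model)
    outage  -- (start, end) sequence-number range during which the destination
               is down; the source keeps sending because it cannot tell
    Returns the count on the wire, the missing sequence numbers, the gaps
    the receiver can detect, and the bandwidth overhead relative to sending
    each message once.
    """
    drop = drop or (lambda i: False)
    delivered = set()
    wire = 0
    for seq in range(n_messages):
        for _ in range(copies):
            idx = wire
            wire += 1
            if drop(idx):
                continue                      # lost on the link
            if outage and outage[0] <= seq < outage[1]:
                continue                      # destination down, silently discarded
            delivered.add(seq)                # duplicates collapse into the set
    missing = sorted(set(range(n_messages)) - delivered)
    gaps: List[List[int]] = []
    for seq in missing:                       # receiver sees holes in the sequence
        if gaps and gaps[-1][1] == seq - 1:   # but cannot ask for a resend
            gaps[-1][1] = seq
        else:
            gaps.append([seq, seq])
    return {
        "sent": n_messages,
        "wire": wire,
        "missing": missing,
        "gaps": [tuple(g) for g in gaps],
        "overhead": wire / n_messages,
    }


def random_drop(p: float, seed: int = 1) -> Callable[[int], bool]:
    """Independent random loss with probability p (seeded so runs repeat)."""
    rng = random.Random(seed)
    return lambda i: rng.random() < p


if __name__ == "__main__":
    for copies in (1, 2, 3):
        r = simulate(10_000, copies=copies, drop=random_drop(0.02), outage=(4_000, 4_100))
        print(f"copies={copies}: lost {len(r['missing'])} of {r['sent']}, "
              f"{len(r['gaps'])} gaps, {r['overhead']:.1f}x bandwidth")
```

Two things fall out of the simulation. Redundant copies shrink random link loss at a linear cost in bandwidth, which is the table's bandwidth row. They do nothing for the outage window, because every copy of a message arrives while the destination is down; the receiver later sees one contiguous gap it has no way to request, which is the overrun and synchronization row.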
Reliable and Secure Data Transfers with NetWall
OPSWAT's NetWall Unidirectional Security Gateway was architected to address these limitations. NetWall enforces unidirectional data flow and uses a non-routable protocol between source and destination servers, which supports compliance with NERC CIP and other standards. Through its patent-pending assured delivery architecture, data is reliably transmitted to the destination without retransmission or periodic data backfill. NetWall also supports data throttling, so data is reliably delivered even through intermittent network issues. This makes NetWall well suited to real-time monitoring of industrial assets and to securely connecting OT data to cloud-based resources.
NetWall is highly scalable, supports a wide range of industrial protocols, and is easy to deploy. Once racked, NetWall can be configured and made operational in under an hour. After it is configured, NetWall runs headless, further strengthening its security profile. OPSWAT designed NetWall to meet the growing demands of OT/IT convergence, providing more security than a firewall and more reliability and cost effectiveness than a data diode.
Source: https://www.opswat.com/blog/secure-one-way-communication-unidirectional-security-gateway