I have read that data diodes are often used where high security is needed, like in the military or critical infrastructure. However, most are UDP based. Modern diodes do support TCP protocols like SMTP and syslog. However, I have not seen one that says it supports HTTP or HTTPS. Is that even possible for a data diode?
- http(s) works on a request/response model; 2-way communication. – dandavis Feb 19 '17 at 09:47
1 Answer
A data diode is used to transfer data in one direction only and make sure that no data can travel in the other direction. HTTP works by the client sending a request to the server and the server sending a response back to the client. Since a diode would allow data to pass in one direction only it would mean that either the request gets passed to the server but not the response back or that the response gets passed to the client but not the request to the server. This means simple HTTP pass through would not be possible.
But it would be possible to emulate the server's behavior on the client side of the diode in the following way: the client transfers the request to the diode, which transfers the request to the server and then sends an emulated response to the client. Of course this emulated response can at most signal failure or success, since the original response from the server is unknown on the client side. Thus such emulation might be useful for HTTP uploads only and cannot be used to retrieve information from the server.
It would also be possible to use the diode in the other direction, i.e. to only pass the server's response to the client but not the client's request to the server. In this case the server side of the diode would need to emulate the client's request, which means that only a single preconfigured request would be possible. Thus this scenario might be useful for polling a specific fixed URL only.
I'm not aware of any product which implements such functionality for HTTP. But I know a product which does similar emulations for FTP and SMTP (mail).
But at the end the strict one-way-only design of a diode can make it unusable in many use cases where highly restricted but still bi-directional communication is needed. In such cases task-specific application level gateways might be the way to go which can severely restrict which kind of requests the client can send and which kind of responses the server can send back.
- Thanks for the explanation. What's a next alternative to diodes that could support HTTP but still protects a network like a diode, although not that 100% like a diode. thanks. – Pang Ser Lark Feb 18 '17 at 16:07
- @PangSerLark: *"...like a diode, although not that 100% like a diode..."* - this is a very vague and therefore unusable specification of what you need. If one-way is too strict in filtering and simple firewalls are too loose, you probably need something customized for the exact unknown use case, i.e. what are the exact restrictions you need, if you need any certifications, how much self-protection the appliance should have etc. It is also possible that there is no product yet which fits your unknown use case. – Steffen Ullrich Feb 18 '17 at 16:24
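The "upload-only" emulation the answer describes, written out as an added simulation (this is example code, not part of the original answer and not any vendor's product). The diode is modelled as a queue that the client-side proxy can only write to and the server side can only read from; the proxy parses the client's HTTP request, forwards the raw request across the one-way link when it is an upload, and hands back an emulated `202 Accepted` that explicitly says the real server response is unknown. Retrieval methods (GET, HEAD, ...) are refused with `405`, because no response can ever come back across the diode. The request bytes, the `/upload` path and `server.example` host are constructed sample values.

```python
"""Simulation of HTTP across a data diode (client -> server direction only).

Added example: a client-side proxy accepts an HTTP request, pushes the raw
request through a write-only link, and emulates the server's answer. The only
honest emulated answers are "accepted" or "rejected"; nothing can be fetched.
"""
from collections import deque
from typing import Deque, Dict, Optional, Tuple

# Constructed sample traffic for the demonstration (not real captures).
UPLOAD_REQUEST = (b"POST /upload HTTP/1.1\r\nHost: server.example\r\n"
                  b"Content-Length: 5\r\n\r\nhello")
GET_REQUEST = b"GET /secret HTTP/1.1\r\nHost: server.example\r\n\r\n"
BROKEN_REQUEST = b"POST /upload HTTP/1.1\r\nContent-Length: 99\r\n\r\nhello"

UPLOAD_METHODS = {"POST", "PUT"}


class DiodeSendSide:
    """Client-side handle: deliberately has no receive method at all."""
    def __init__(self, link: Deque[bytes]) -> None:
        self._link = link

    def send(self, frame: bytes) -> None:
        self._link.append(frame)


class DiodeReceiveSide:
    """Server-side handle: read-only, returns None when nothing has arrived."""
    def __init__(self, link: Deque[bytes]) -> None:
        self._link = link

    def receive(self) -> Optional[bytes]:
        return self._link.popleft() if self._link else None


def parse_request(raw: bytes) -> Tuple[str, str, Dict[str, str], bytes]:
    """Minimal HTTP/1.x request parser; raises ValueError on anything odd."""
    head, sep, body = raw.partition(b"\r\n\r\n")
    if not sep:
        raise ValueError("incomplete request head")
    lines = head.split(b"\r\n")
    parts = lines[0].split(b" ")
    if len(parts) != 3 or not parts[2].startswith(b"HTTP/1."):
        raise ValueError("malformed request line")
    method, target = parts[0].decode("ascii"), parts[1].decode("ascii")
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        name, colon, value = line.partition(b":")
        if not colon:
            raise ValueError("malformed header line")
        headers[name.strip().decode("ascii").lower()] = value.strip().decode("ascii")
    # The proxy must verify the body itself: the real server never tells it.
    declared = int(headers.get("content-length", "0"))
    if declared != len(body):
        raise ValueError("body length does not match Content-Length")
    return method, target, headers, body


def build_response(status: int, reason: str, text: str,
                   extra: Optional[Dict[str, str]] = None) -> bytes:
    """Serialise an emulated HTTP/1.1 response with a plain-text body."""
    payload = text.encode("utf-8")
    lines = [f"HTTP/1.1 {status} {reason}", "Content-Type: text/plain",
             f"Content-Length: {len(payload)}", "Connection: close"]
    lines += [f"{k}: {v}" for k, v in (extra or {}).items()]
    return ("\r\n".join(lines) + "\r\n\r\n").encode("ascii") + payload


def status_of(response: bytes) -> int:
    """Status code of a serialised response (helper for checks)."""
    return int(response.split(b" ", 2)[1])


def emulate(raw_request: bytes, diode: DiodeSendSide) -> bytes:
    """Client-side proxy: forward uploads one-way, emulate the reply."""
    try:
        method, target, _headers, body = parse_request(raw_request)
    except ValueError as exc:
        return build_response(400, "Bad Request", f"rejected: {exc}")
    if method not in UPLOAD_METHODS:
        # A GET needs the server's data back; the diode cannot carry it.
        return build_response(405, "Method Not Allowed",
                              "only uploads cross the diode; nothing can be retrieved",
                              {"Allow": ", ".join(sorted(UPLOAD_METHODS))})
    diode.send(raw_request)
    return build_response(202, "Accepted",
                          f"{len(body)} bytes for {target} queued across the diode; "
                          "the server's real response is unknown")


if __name__ == "__main__":
    link: Deque[bytes] = deque()
    tx, rx = DiodeSendSide(link), DiodeReceiveSide(link)
    for req in (UPLOAD_REQUEST, GET_REQUEST, BROKEN_REQUEST):
        print(emulate(req, tx).decode(), end="\n\n")
    print("arrived on server side:", rx.receive())
    print("anything more?", rx.receive())
```

The `202` status is chosen on purpose: `200 OK` would claim the server processed the upload, which the proxy cannot know. Note also that the proxy has to do its own validation (Content-Length, request syntax) because the usual feedback loop with the server is gone.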