React Less. Defend More.

Unidirectional Gateway / Data Diode

Build a defensible OT network by deploying unidirectional gateways/data diodes to protect your critical systems, remote access and real-time monitoring capabilities.

Unidirectional Gateway

With the rise of Industrial IoT and digitisation, unidirectional gateways are increasingly being deployed by private enterprises to securely transmit data generated by industrial control and safety systems. A unidirectional gateway (also known as a one-way gateway) is a hardware cybersecurity solution that ensures unidirectional information transfer between two networks. Traditionally it relies on a fibre optic connection to physically enforce one-way data transfer.
A unidirectional gateway, also known as a one-way gateway, is a communication device or system that allows information to flow in one direction only. Information is transmitted from one network to another, but it is not possible to send or receive data in the opposite direction. This type of gateway is used where it is important to limit the flow of information to one direction only, for security or other reasons.

Data Diode vs Firewall

There are a number of different terms used to describe unidirectional gateways, depending on their vendors. Unidirectional means data can travel in only one direction. A reasonable way to think of unidirectional security gateways is as “one-way valves for data”, allowing data to flow out, without a flow back in. Unidirectional gateways or data diodes are commonly used in scenarios where data needs to be transferred from a secure or trusted network to a less secure or untrusted network, without the risk of sensitive information being leaked back to the source. They can also be used to transfer data from a control network to a plant network in industrial automation and control systems, where it is important to prevent unauthorized access to the control network.

A common scenario is where unidirectional gateways provide one-way data transfers from a high-security network towards a network with a lower security level. Data can be transferred while the high-security network stays protected from attack using that connection. In this scenario, the diode is protecting the systems in the high-security network producing the data being transferred.

Unidirectional gateways and data diodes have been common for decades in high-security environments, such as defence and intelligence agency facilities. They also connect nuclear power plants and other electrical power generating facilities, manufacturing facilities, and transport systems to other networks (including the public Internet), while protecting the networks containing these systems from attack.

There are several scenarios where unidirectional gateways are commonly used:

  1. Industrial control systems: Unidirectional gateways are often used to transfer data from a control network to a plant network in industrial automation and control systems, where it is important to prevent unauthorized access to the control network.

  2. Military and defense systems: Unidirectional gateways are used in military and defense systems to ensure that sensitive information is not leaked to unauthorized parties.

  3. Historian data server: Placing a unidirectional gateway in front of the historian server prevents unauthorized access to it and reduces the risk of cyberattacks, data theft, and other security incidents. The gateway can be configured to allow only specific types of data to pass through, such as time-series data from industrial control systems.

  4. Healthcare systems: In healthcare systems, unidirectional gateways are used to transfer patient data from a secure network to a less secure network, while ensuring that the sensitive information is not leaked back to the source.

  5. Remote monitoring and control systems: Unidirectional gateways are used in remote monitoring and control systems to transfer data from a remote location to a central control station, while ensuring that unauthorized access to the remote system is prevented.

  6. SCADA (Supervisory Control and Data Acquisition) systems: In SCADA systems, unidirectional gateways are used to transfer control and data from a central control system to remote field devices, while preventing unauthorized access to the control system.

Figure: Purdue Model and Unidirectional Gateway / Data Diode

Is Unidirectional Gateway Stronger than Firewall?

Although unidirectional gateways are marketed to replace OT firewalls, in reality, they may only replace one layer of firewalls in an industrial network environment. There are still numerous reasons why a conventional firewall is needed, but a diode firewall can elevate the security of the most important segments of a network.

Firewalls and unidirectional gateways serve different purposes in network security and are designed to address different security challenges. While both firewalls and unidirectional gateways can provide a level of security, they are not inherently stronger or weaker than each other.

Firewalls are designed to provide a barrier between a network and the outside world, controlling the flow of incoming and outgoing traffic based on predefined rules. Firewalls are used to prevent unauthorized access to a network, prevent malware and other threats from entering the network, and control the flow of network traffic.

Unidirectional gateways, on the other hand, are designed to provide a secure path for data transfer in one direction only. They are used to transfer sensitive data from a secure network to a less secure network, or from a control network to a plant network, without the risk of sensitive information being leaked back to the source.

In conclusion, while firewalls and unidirectional gateways both play an important role in network security, the choice between them depends on the specific requirements of the application and the level of security required. A firewall may provide a more comprehensive security solution for a network, while a unidirectional gateway may be a better solution for transferring sensitive data in specific scenarios.

Safe Integration with OT Networks

Integration with IT/OT networks is seamless and does not introduce Internet-based cyber threats. Unlike firewalls, which require changes to IP tables (unless they are installed in transparent mode), data diodes can be installed quickly.

Unidirectional vs. Bidirectional Firewall

The unidirectional gateway allows alerts to be sent in only one direction. The changes that occur in the source ObjectServer are copied in the destination ObjectServer or application, but when changes are made in the destination ObjectServer or application these changes are not copied in the source ObjectServer. Unidirectional gateways can be treated as archiving tools.

A bidirectional gateway provides permission to send an alert from the source ObjectServer to the target or exact destination ObjectServer or application and also provides a reply to the source ObjectServer.

In a bidirectional gateway configuration, the changes made to the content of a source ObjectServer are copied into a destination ObjectServer or application, and the destination ObjectServer or application copies its alerts into the source ObjectServer. Bidirectional gateways can be treated as synchronisation tools.

A unidirectional firewall only allows data to flow in one direction, typically from a less secure network to a more secure network. This type of firewall is used in situations where it is important to limit the flow of information to one direction only, for security or other reasons. Unidirectional firewalls are commonly used to transfer sensitive data from a control network to a plant network in industrial automation and control systems, where it is important to prevent unauthorized access to the control network.

A bidirectional firewall, on the other hand, allows data to flow in both directions. This type of firewall is used to provide a barrier between a network and the outside world, controlling the flow of incoming and outgoing traffic based on predefined rules. Bidirectional firewalls are commonly used to prevent unauthorized access to a network, prevent malware and other threats from entering the network, and control the flow of network traffic.

In conclusion, the choice between a unidirectional firewall and a bidirectional firewall depends on the specific requirements of the application and the level of security required. A unidirectional firewall may be a better solution for transferring sensitive data in specific scenarios, while a bidirectional firewall may provide a more comprehensive security solution for a network.

A unidirectional gateway is a network appliance or a dumb device that allows data to travel in only one direction. Also known as data diodes, they are found most commonly in high-security environments, such as nuclear plants or railways, where they serve as connections between two or more networks of differing security classifications.

Different vendors use different terms such as unidirectional gateway, data diode and diode firewall, and although there might be slight differences between them, ultimately they all serve the same purpose: to send traffic in only one direction.

Although sometimes unidirectional gateways are called unidirectional firewalls, they are very different. There are no routing rules on unidirectional gateways, so technically they cannot be called firewalls.

Firewalls have become an inseparable part of our security strategy, and each organisation needs at least one firewall to separate the IT and OT networks. Adding a data diode is a question of security maturity, industry compliance and risk appetite.

A unidirectional gateway may replace “one layer” of firewalling in an OT network, for instance, to protect the historian server, but in general, it will complement the other firewalls.

The Unidirectional Gateway can be installed between two physically isolated networks, such as an OT network and an IT network. The Gateway can be configured to allow data to flow only from the OT network to the IT network, and not the other way around. This way, any sensitive data stored on the trusted network can be shared with the untrusted network without the risk of the OT network being compromised.
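Because the link carries no return traffic, the receiver can never acknowledge or request a resend, and the sender must decide what is allowed to cross before transmission. The following is an added illustration of that design constraint, not any vendor's protocol: a constructed, simplified OT-to-IT frame format with a sender-side allowlist (time-series records only, as the historian scenario above describes) and a receiver that detects lost, duplicated and corrupted frames from sequence numbers and a CRC alone. The record types, tags and values are constructed sample data.

```python
import json
import struct
import zlib

# Constructed, simplified one-way transfer protocol, not any vendor's wire
# format. A diode has no return channel, so the receiver can never ACK or
# ask for a resend; each frame therefore carries a sequence number and a
# CRC so that loss and corruption are at least detected on the IT side.
ALLOWED_TYPES = {"timeseries"}  # assumed policy: historian data only

def encode_frames(records):
    """OT side: drop disallowed record types, frame the rest as crc|seq|json."""
    frames, seq = [], 0
    for rec in records:
        if rec.get("type") not in ALLOWED_TYPES:
            continue  # filtered at the sender, so it never crosses the diode
        body = struct.pack("!Q", seq) + json.dumps(rec, sort_keys=True).encode()
        frames.append(struct.pack("!I", zlib.crc32(body)) + body)
        seq += 1
    return frames

def decode_frames(frames):
    """IT side: verify each frame, log gaps/corruption/replays, keep good data."""
    accepted, events, expected = [], [], 0
    for frame in frames:
        (crc,), body = struct.unpack("!I", frame[:4]), frame[4:]
        if zlib.crc32(body) != crc:
            events.append("corrupt frame discarded")
            continue
        (seq,) = struct.unpack("!Q", body[:8])
        if seq < expected:
            events.append(f"duplicate seq {seq} ignored")
            continue
        if seq > expected:
            events.append(f"gap: {seq - expected} frame(s) lost before seq {seq}")
        expected = seq + 1
        accepted.append(json.loads(body[8:]))
    return accepted, events

def demo():
    records = [  # constructed sample OT records
        {"type": "timeseries", "tag": "PT-101", "ts": 1700000000, "value": 4.2},
        {"type": "command", "tag": "XV-7", "action": "open"},  # must not cross
        {"type": "timeseries", "tag": "PT-101", "ts": 1700000010, "value": 4.3},
        {"type": "timeseries", "tag": "TT-204", "ts": 1700000010, "value": 71.5},
        {"type": "timeseries", "tag": "TT-204", "ts": 1700000020, "value": 71.6},
    ]
    frames = encode_frames(records)  # seq 0..3 after filtering
    damaged = bytearray(frames[3]); damaged[-1] ^= 0xFF  # corrupted in flight
    on_wire = [frames[0], frames[2], bytes(damaged)]  # seq 1 lost on the link
    return decode_frames(on_wire)
```

The gap and corruption events are the only signal the IT side ever gets; in a real deployment they would feed monitoring so that missing historian data is noticed rather than silently absent.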

Data diodes and firewalls are both security mechanisms used to protect networks, but they serve different purposes and have different functionalities. Here’s a comparison between the two:

1. Purpose:
Data diodes: Enable one-way data transfer, typically from a more secure to a less secure network.
Firewalls: Monitor and control both incoming and outgoing network traffic based on predefined security rules.
2. Functionality:
Data diodes: Ensure strict unidirectional flow of data, preventing any possibility of unauthorized access or information leakage.
Firewalls: Filter network traffic based on various criteria and provide additional security features like NAT, VPN, and intrusion detection/prevention.

3. Deployment:
Data diodes: Used in environments requiring highly controlled and secured data transfer, such as military, government, or critical infrastructure sectors.
Firewalls: Widely deployed in corporate networks, data centers, and home networks to protect against cyber threats.

4. Security Level:
Data diodes: Provide a high level of security with physically enforced unidirectional data transfer.
Firewalls: Offer configurable security based on defined rules and policies, effective against many types of cyber threats but may not provide the same level of assurance as data diodes for strict unidirectional data transfer requirements.