Pre-release version

This section covers features in a pre-release product. Please consult your Advenica representative for production details.

Overview

The Data Diode Engine (DD Engine) is proxy software designed to work together with hardware data diodes to enable secure, one-way data flows between network zones. The result is a modular implementation in which the customer chooses the host machines on which the proxies run, giving the flexibility to pick the infrastructure best suited to specific environmental and compliance needs.

The proxy connected to the source network provides services that translate bidirectional communication into a unidirectional protocol that can be transferred through the Data Diode hardware. The proxy on the destination network receives the data and recreates the original message before it is sent to the intended receiver.

System components & functions

A DD Engine setup consists of the following components:

  • Data Diode - A physical data diode that is connected between the two proxies.

  • DDE Upstream proxy - A DD Engine proxy hosted on the source network, from which data is sent. It manages data transfer and protocol services on the source network and hosts the Upstream DD Manager.

  • Upstream DD Manager - An administration tool allowing an administrator to manage the Upstream functionality. The application is hosted on the DDE Upstream proxy.

  • DDE Downstream proxy - A DD Engine proxy hosted on the destination network, to which data is sent. It manages data transfer and protocol services on the destination network and hosts the Downstream DD Manager.

  • Downstream DD Manager - An administration tool allowing an administrator to manage the Downstream functionality. The application is hosted on the DDE Downstream proxy.

  • Services - Enable protocol-specific communication between networks over the Data Diode. A DD Engine can host several services. See Services for further information about the available protocols.

Information flow

When a message is sent from one network to another and both networks are connected to a DD Engine, the Upstream proxy validates the format of the data. If the format is approved, the data is transferred over the Data Diode to the Downstream proxy, where the message is reconstructed and sent to the intended receiver on the other network. Below, the information flow is presented in 9 steps.

The following activities are performed:
  • Data is sent to the DATA IN port on the DD Engine Upstream. The DATA IN port is the physical port to which the source network is connected.

  • The data packages are collected in the DDE Upstream proxy.

  • The entire message is reconstructed.

  • The message is divided according to the service.

  • The content is restructured.

  • The content is transferred uni-directionally, through the Data Diode, to the DDE Downstream proxy.

  • The entire message is reconstructed.

  • The message is divided into data packages.

  • The data packages are sent on the DATA OUT port to the intended receiver. The DATA OUT port is the physical port to which the destination network is connected.
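The nine steps above, as an added illustrative model written for this page (not DD Engine code, and not its real wire format): the upstream side reconstructs the message, checks its format against the configured services and splits it into sequenced frames; the downstream side rebuilds the message and re-packetizes it. Because the diode has no return path, a lost frame cannot be re-requested, so the downstream side drops and reports the affected message rather than delivering it incomplete. The JSON message format, the frame fields and the sample packets are assumptions of this example.

```python
import json
import hashlib

# Constructed sample: one application message arriving at DATA IN as two
# TCP-style segments. Assumed (not DD Engine's real) message format: JSON.
SAMPLE_PACKETS = [b'{"service": "file", "na', b'me": "report.txt", "body": "abc"}']
FRAME_SIZE = 16  # constructed: small enough that one message spans several frames

def upstream_prepare(packets, allowed_services):
    """Upstream side (steps 2-5): collect, reconstruct, validate, split into one-way frames."""
    message = b"".join(packets)                     # step 3: the whole message again
    doc = json.loads(message)                       # format check: must be well-formed JSON
    if not isinstance(doc, dict) or doc.get("service") not in allowed_services:
        raise ValueError("rejected: message is not for a configured service")
    digest = hashlib.sha256(message).hexdigest()    # downstream verifies integrity with this
    chunks = [message[i:i + FRAME_SIZE] for i in range(0, len(message), FRAME_SIZE)]
    return [{"msg": digest[:16], "seq": seq, "total": len(chunks),
             "sha256": digest, "data": chunk} for seq, chunk in enumerate(chunks)]

def downstream_reassemble(frames, mtu):
    """Downstream side (steps 7-8): rebuild each message, then cut it into DATA OUT packets.
    There is no return path, so a missing frame cannot be re-requested: the affected
    message is dropped and reported instead of being delivered incomplete."""
    by_msg = {}
    for f in frames:
        by_msg.setdefault(f["msg"], {})[f["seq"]] = f
    delivered, dropped = [], []
    for msg_id, parts in by_msg.items():
        total = next(iter(parts.values()))["total"]
        missing = [s for s in range(total) if s not in parts]
        if missing:
            dropped.append((msg_id, missing))       # report the gap; nothing can be resent
            continue
        data = b"".join(parts[s]["data"] for s in range(total))
        if hashlib.sha256(data).hexdigest() != parts[0]["sha256"]:
            dropped.append((msg_id, ["integrity"]))
            continue
        delivered.append([data[i:i + mtu] for i in range(0, len(data), mtu)])
    return delivered, dropped

if __name__ == "__main__":
    frames = upstream_prepare(SAMPLE_PACKETS, {"file"})
    print("frames crossing the diode:", len(frames))
    print("intact:", downstream_reassemble(frames, 20))
    print("frame 2 lost:", downstream_reassemble([f for f in frames if f["seq"] != 2], 20))
```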

The instruction below describes a typical procedure when setting up a DD Engine for the first time.

The following activities are performed:
  • Mount, connect and install the DD Engine on the chosen hardware according to the instructions in Setup.

  • Generate required certificates and keys (see Certificates).

  • Access Local admin to configure the device. This includes setting IP addresses for the ports and importing certificates.

  • On the computer that will communicate with the DD Manager, import the generated certificates into a web browser (see Administration interfaces).

  • In the web browser, access the DD Manager interface and configure the device with Service Channels and Features.

warning

The workflow must be performed on both sides of the Data Diode.
