Version: 4.2

Overview

DD1000i is an integrated network device that enables unidirectional data flow and physical network separation using optical technology. The device consists of a hardware Data Diode containing an optical fiber with a transmitter on one side and a receiver on the other. Surrounding the Data Diode are two proxy servers, enabling efficient and reliable information transfer from the source network to the destination network.

The proxy server connected to the source, or Upstream, network provides services translating bidirectional communication into a unidirectional protocol that can be transferred through the Data Diode hardware. The proxy server connected to the destination, or Downstream, network receives and recreates the original data before sending it on to the intended receiver.

The integrated proxy servers facilitate architecture design and cause minimal impact on existing systems while providing the means to take control of the information flow between security domains.

System components & functions

The DD1000i consists of the following components:

  • DD1000i - The physical device that is connected between the two networks that should exchange information.

  • Upstream DD Engine - An integrated proxy server running DD Engine firmware. It manages data transfer and protocol services on the source network. It also hosts the Upstream DD Manager.

  • Upstream DD Manager - A web-based administration tool, allowing an administrator to manage the Upstream DD Engine.

  • Downstream DD Engine - An integrated proxy server running DD Engine firmware. It manages data transfer and protocol services on the destination network. It also hosts the Downstream DD Manager.

  • Downstream DD Manager - A web-based administration tool, allowing an administrator to manage the Downstream DD Engine.

  • Services - Enables protocol specific communication between networks over the Data Diode. A DD Engine can host several services. See Services for further information about available protocols.

Information flow

When a message is sent from one network to another where both networks are connected to a DD1000i, the Upstream DD Engine validates the format of the data. If the format is approved, the data is transferred over the Data Diode to the Downstream DD Engine where the message is reconstructed and sent to the intended receiver on the other network.

The following activities are performed:
  • Step 1: Data is sent to the DATA IN port on the DD1000i.

  • Step 2: The data packages are collected in the Upstream DD Engine.

  • Step 3: The entire message is restored.

  • Step 4: The message is divided according to the loaded Service.

  • Step 5: The content is structured to fit the internal service.

  • Step 6: The content is transferred uni-directionally, through the Data Diode, to the Downstream DD Engine.

  • Step 7: The entire message is restored.

  • Step 8: The message is divided into data packages.

  • Step 9: The data packages are sent on the DATA OUT port to the intended receiver.
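
The flow above as a small simulation, added here as an illustration and not the DD1000i's own code or protocol: the frame layout, the SHA-256 trailer, the ASCII-line format check and the sample message are all assumptions. It shows why the downstream side has to detect loss or corruption on its own, since it cannot ask the upstream side to resend.

```python
import hashlib
import struct

CHUNK = 8  # constructed, tiny payload size so the sample spans several frames
HEADER = struct.Struct(">IHH")  # message id, frame index, frame count (hypothetical layout)


def validate_format(message: bytes) -> bool:
    """Stand-in for the upstream format check: accept only ASCII ending in a newline."""
    return message.endswith(b"\n") and message.isascii()


def upstream(packets, msg_id):
    """Collect packets, restore the message, validate it, divide it into frames."""
    message = b"".join(packets)
    if not validate_format(message):
        return []  # rejected messages never reach the diode
    body = message + hashlib.sha256(message).digest()  # digest travels with the data
    chunks = [body[i:i + CHUNK] for i in range(0, len(body), CHUNK)]
    return [HEADER.pack(msg_id, i, len(chunks)) + c for i, c in enumerate(chunks)]


def downstream(frames):
    """Restore the message from frames; return None if it cannot be verified.

    No retransmission request is possible, so a gap or digest mismatch means drop.
    """
    parts, count = {}, None
    for frame in frames:
        _, index, count = HEADER.unpack(frame[:HEADER.size])
        parts[index] = frame[HEADER.size:]
    if count is None or set(parts) != set(range(count)):
        return None  # at least one frame was lost on the one-way link
    body = b"".join(parts[i] for i in range(count))
    message, digest = body[:-32], body[-32:]
    return message if hashlib.sha256(message).digest() == digest else None


# Constructed sample: one syslog-style line arriving as two packets on DATA IN.
SAMPLE_PACKETS = [b"<134>pump-7 ", b"pressure=4.2bar\n"]

if __name__ == "__main__":
    frames = upstream(SAMPLE_PACKETS, msg_id=1)
    print(downstream(frames))                   # intact transfer
    print(downstream(frames[:2] + frames[3:]))  # one frame lost in transit
```
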

The following information describes a typical procedure when setting up a DD1000i for the first time.

The following activities must be performed:
  • Step 1: Mount and connect the hardware according to the instructions in Setup.

  • Step 2: Generate required certificates and keys according to the instructions in Certificates.

  • Step 3: Access Local admin and configure basic device settings. This includes setting IP addresses for ports and importing certificates.

  • Step 4: Import generated client and CA certificates in a web browser on the computer that will communicate with the DD Manager, see Administration interfaces.

  • Step 5: Access the DD Manager using the web browser and configure the DD Engine with Service Channels and Features.

Note: The setup procedure must be performed on both the Upstream and Downstream sections of the DD1000i.
