Firewalls vs Data Diodes vs Unidirectional Security Gateways
Which one is right for securing your OT environment?
Waterfall team
When securing critical systems, businesses often compare firewalls vs data diodes, exploring their strengths, limitations, and use cases. But there’s a third contender in the conversation: Unidirectional Security Gateways. Understanding all these technologies can help businesses choose the best solution for their OT security requirements.
Let’s compare firewalls vs data diodes vs unidirectional security gateways:
Firewalls: Packet-level Gatekeepers
What Are Firewalls?
Firewalls are network security devices and software that monitor and control incoming and outgoing traffic based on predefined security rules. They act as a barrier between trusted and untrusted networks, allowing or blocking traffic based on rules that an admin user has set.
How Do Firewalls Work?
Firewalls can either block certain traffic and allow everything else (default-allow), or allow only certain traffic and block everything else (default-deny). The latter is generally the more secure option, but there is an ongoing delicate dance between securing the network and keeping it functional and useful for everyone who uses it. Each company and every department has a different risk profile and therefore a different set of security requirements. Nothing is worse than Sales being blocked from viewing a potential customer's website because the rules were written around the finance department's risk profile. Unplugging the firewall and letting no traffic through at all would also be secure, but the lack of functionality is the reason we don't do that.
Firewalls inspect the data packets traversing the network and decide, packet by packet, whether each should be allowed or blocked. There are a few common techniques firewalls use to filter traffic:
Packet Filtering: Examines packet headers, such as IP addresses, protocols and ports, to enforce the rules that the admin has set. This provides a basic level of protection by blocking unauthorized packets, and pretty much any firewall product offers it.
Stateful Packet Inspection: Tracks the state of active connections and only accepts an incoming packet if it belongs to a session that was opened through the firewall. This is more sophisticated than simple packet filtering and offers better protection against spoofed or unexpected traffic, because a packet that merely claims to be a reply is dropped when there is no matching session. Stateful inspection is standard in modern firewalls, but it costs more memory and CPU (the firewall keeps a state table entry for every connection) and can slow the network's communication. Worst of all, it can cause unexpected disconnections: if one side of a connection stays idle longer than the firewall's session timeout, the firewall silently forgets the session, and the next packet of that still-open ("half-open") connection is rejected.
Application Layer Filtering: Analyzes packet data at the application layer (Layer 7 of the OSI model) to detect and block malicious activity, such as SQL injection or unauthorized file transfers. This type of filtering has become crucial against modern threats that target specific applications. It is fairly resource intensive because of the deep packet inspection and payload analysis involved, and it may add latency compared to simpler firewalls. Setting up these firewalls also adds a good degree of complexity, especially in a large and dynamic environment.
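As an added illustration (not code from the original article), the following Python sketch models a default-deny, stateful firewall of the kind described above: only a connection-opening packet that matches an allow-rule creates state, reply packets of a tracked session are accepted, a packet that claims to belong to a session the firewall never saw is dropped, and a session that sits idle past the timeout is silently expired, which is the "half-open" disconnection mentioned under stateful inspection. The hosts, ports, rules and packet timings are constructed for the example.

```python
# Added example: toy default-deny stateful firewall. Hosts, ports, rules
# and packet timings below are constructed for illustration only.
from dataclasses import dataclass, field
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool = False   # True only for the first packet of a new TCP connection
    t: float = 0.0      # arrival time in seconds on a simulated clock


# Allow-rule: (source prefix, destination host, destination port).
# Anything no rule matches is dropped: the default-deny policy.
Rule = Tuple[str, str, int]
SessionKey = Tuple[str, int, str, int]


@dataclass
class StatefulFirewall:
    rules: List[Rule]
    idle_timeout: float = 300.0
    # State table: key is the 4-tuple of the packet that opened the session,
    # value is the time of the last packet seen in either direction.
    sessions: Dict[SessionKey, float] = field(default_factory=dict)

    def _rule_allows(self, p: Packet) -> bool:
        return any(p.src.startswith(src) and p.dst == dst and p.dport == port
                   for src, dst, port in self.rules)

    def process(self, p: Packet) -> str:
        """Return 'ACCEPT' or 'DROP' for one packet."""
        fwd: SessionKey = (p.src, p.sport, p.dst, p.dport)
        rev: SessionKey = (p.dst, p.dport, p.src, p.sport)

        # 1. Stateful path: packets of a tracked session pass in either
        #    direction, unless the session has been idle past the timeout,
        #    in which case the state is discarded and the packet rejected
        #    even though both endpoints still consider the connection open.
        for key in (fwd, rev):
            last = self.sessions.get(key)
            if last is not None:
                if p.t - last > self.idle_timeout:
                    del self.sessions[key]
                    return "DROP"
                self.sessions[key] = p.t
                return "ACCEPT"

        # 2. Stateless path: only a connection-opening packet matching an
        #    allow-rule may create new state. A non-SYN packet with no
        #    tracked session (for example a spoofed "reply") is dropped.
        if p.syn and self._rule_allows(p):
            self.sessions[fwd] = p.t
            return "ACCEPT"
        return "DROP"


def demo() -> List[str]:
    """Run a constructed packet sequence through the firewall."""
    fw = StatefulFirewall(rules=[("10.1.", "10.2.0.5", 443)], idle_timeout=300.0)
    packets = [
        Packet("10.1.0.7", 51000, "10.2.0.5", 443, syn=True, t=0.0),  # client opens HTTPS
        Packet("10.2.0.5", 443, "10.1.0.7", 51000, t=0.1),            # server reply, tracked
        Packet("10.2.0.5", 443, "10.1.0.7", 51001, t=0.2),            # spoofed reply, no session
        Packet("10.1.0.7", 51002, "10.2.0.5", 22, syn=True, t=0.3),   # SSH: no rule, default-deny
        Packet("10.2.0.5", 443, "10.1.0.7", 51000, t=400.0),          # reply after idle timeout
    ]
    return [fw.process(p) for p in packets]


if __name__ == "__main__":
    for verdict in demo():
        print(verdict)
```

The last packet is the case worth noticing: the connection is still open on both hosts, but the firewall dropped its state after 300 idle seconds, so the application sees an unexplained disconnect.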
Firewall Advantages
Versatility: Firewalls can handle complex traffic scenarios, including bidirectional communication, making them suitable for a wide range of network activity.
Scalability: Firewalls can be deployed in a wide range of setups, from small office networks to large and expansive enterprise systems.
Granular Control: Admins can create highly detailed security policies to regulate very specific traffic types, applications, and users.
Low Upfront Costs: Firewall hardware costs much less to buy than data diodes and unidirectional security gateways. However, the staff resources required to setup and manage the firewall makes this cost advantage negligible to all except the smallest operations.
Firewall Limitations
Misconfigurations and Vulnerabilities: A firewall is only as good as its configuration and its patch level. Misconfigured rules and unpatched vulnerabilities expose the networks behind it. Some attackers specifically seek out misconfigured and unpatched firewalls because they know how to find them and how to exploit them.
Continuous Management: Regular updates, log monitoring, and policy reviews are needed to keep a firewall effective, and this demands significant resources. Without ongoing maintenance, a firewall's security posture degrades to dangerous levels within just a few months.
Susceptibility to Insider Threats: Firewalls guard the boundary between network zones. Malicious activity that originates inside the trusted zone never crosses that boundary, so it never meets a rule that could stop it. Once someone is already "inside" the network, the firewall plays no part in stopping them.
Data Diodes: The One-Way Valve for Data
What Are Data Diodes?
Data diodes are hardware-based devices that enforce a one-way data flow. They physically ensure that data can only move from one network to another, with no return traffic of any kind. Data diodes are typically used either by militaries, which cannot accept a security boundary whose supply chain depends on anyone but themselves, or by plants running fairly simple OT telemetry that can be viewed remotely without any incoming requests to trigger it.
How Do Data Diodes Work?
A data diode's hardware design consists of a transmitter and a receiver, typically with optical isolation between them, so that the unidirectional flow is a property of the physics rather than of any configuration. The transmitting side has no receiver and the receiving side has no transmitter, which eliminates the possibility of any return traffic and creates a barrier that no remote attack can cross in the inbound direction.
Advantages of a Data Diode
Security: The hardware-restricted one-way flow of information ensures that no data or commands can ever travel back into the protected network. This ensures that no matter how talented the cyber
Simplicity: With far fewer configuration options than a firewall, a data diode leaves much less room for user error. The trade-off is that the data passed through it must itself be simple: if the OT telemetry is already a plain one-way stream, a data diode is a sufficient solution.
Data Diode Limitations:
Limited Functionality: By design, data diodes do not support any bidirectional communication, which complicates workflows that require synchronization, acknowledgment, or feedback traffic. Even an outbound transfer that needs only a few tiny packets to open and close a session will not work, because the replies to those start and end packets (the SYN-ACK of a TCP handshake, for example) can never travel back to the sender.
Expensive Bottom Line: Unless the data being sent out is very simple, implementing and integrating a data diode requires a team of specialized engineers to design, integrate, and maintain the solution. This hands-on, manual approach incurs significant costs in both labor and time.
Integration Challenges: Applications and systems must be adapted, and kept adapted, to function within a unidirectional communication model, which further increases complexity and cost while also limiting functionality. The lack of integration options is the main reason data diodes have not caught on outside of a few use cases. Most critical operations run complex systems that require outside and third-party monitoring, and without a way to integrate those systems it becomes very difficult to meet that requirement.
Unidirectional Security Gateways: The evolved Data Diode, with built-in Integration that's ready to go.
What Are Unidirectional Security Gateways?
Unidirectional security gateways are the next step in the evolution from data diodes because they come with built-in software integration packages.
Unidirectional gateways duplicate the OT servers and transfer OT data from the secure network to less secure environments while maintaining a physical one-way flow. Users on the less secure side access a real-time duplicate of the OT network's data, but have no access to the OT network itself. This is very similar to how data diodes work, except that the integration step has been greatly simplified: with a unidirectional gateway, everything can be set up within a few hours or days, because the middleware that connects the two sides is already available and ready to install. With a data diode, the integration timeframe is much longer, as everything has to be custom built and tested before it can be deployed.
How Do Unidirectional Security Gateways Work?
Unidirectional security gateways combine the hardware assurance of a data diode with pre-configured integration tools for connecting with all common industrial brands. These include features such as duplicating OT servers and historians, database mirroring, and real-time data forwarding, allowing for integration with nearly all OT systems without sacrificing OT security.
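Added example, not the article's or any vendor's code: a Python model of a one-way link that illustrates both the data diode limitation described earlier (a TCP-style handshake cannot complete, because nothing can come back) and the gateway approach described here (a transmit-side agent reads the OT historian using the historian's own bidirectional protocol, modelled as a dictionary, and streams framed records over the link; a receive-side agent rebuilds a replica and detects loss or corruption on its own, since it has no way to ask for a retransmission). The historian tags, values and frame format are assumptions made for the illustration.

```python
# Added example: a one-way link, a TCP handshake that cannot cross it, and
# application-layer replication of an OT historian across it. The tags,
# values and frame format are constructed for illustration only.
import json
import zlib
from typing import Dict, List, Optional, Tuple


class OneWayLink:
    """Frames can only be pushed from the TX side to the RX side. There is no
    method the RX side could use to send anything back: the direction is
    fixed by construction, not by a rule that could be edited."""

    def __init__(self) -> None:
        self._fibre: List[bytes] = []

    def tx_send(self, frame: bytes) -> None:
        """Only entry point on the protected side: push a frame out."""
        self._fibre.append(frame)

    def tx_receive(self) -> Optional[bytes]:
        """The transmit side has no receiver, so there is never anything to read."""
        return None

    def rx_receive_all(self) -> List[bytes]:
        """Only entry point on the external side: read what has arrived."""
        frames, self._fibre = self._fibre, []
        return frames


def tcp_connect_over_diode(link: OneWayLink) -> bool:
    """A TCP handshake needs the SYN-ACK to come back. The SYN leaves, but
    no reply can ever return, so the connection attempt fails. This is the
    'start and end packets' limitation of a raw data diode."""
    link.tx_send(b"SYN")
    return link.tx_receive() == b"SYN-ACK"


# --- Gateway replication: copy the historian's data, never connect to it ---

def encode_record(seq: int, tag: str, value: float) -> bytes:
    """Frame = JSON payload + CRC32. The receiver can detect corruption but
    cannot request a retransmit, so every frame must be self-checking."""
    payload = json.dumps({"seq": seq, "tag": tag, "value": value}).encode()
    return payload + zlib.crc32(payload).to_bytes(4, "big")


def decode_record(frame: bytes) -> Optional[dict]:
    payload, crc = frame[:-4], int.from_bytes(frame[-4:], "big")
    if zlib.crc32(payload) != crc:
        return None  # corrupted in transit: discard, nothing else is possible
    return json.loads(payload)


class TxAgent:
    """Runs inside the protected network. It talks to the OT historian with
    the historian's own protocol (modelled as a dict) and streams each
    sample out over the link with a sequence number."""

    def __init__(self, link: OneWayLink) -> None:
        self.link, self.seq = link, 0

    def poll_and_send(self, historian: Dict[str, float]) -> None:
        for tag, value in sorted(historian.items()):
            self.link.tx_send(encode_record(self.seq, tag, value))
            self.seq += 1


class RxAgent:
    """Runs on the less secure side. It rebuilds a replica of the historian
    and records sequence gaps, the only loss detection possible when
    nothing can flow back."""

    def __init__(self, link: OneWayLink) -> None:
        self.link = link
        self.replica: Dict[str, float] = {}
        self.gaps: List[Tuple[int, int]] = []  # (expected seq, seq actually seen)
        self.expected_seq = 0

    def receive(self) -> None:
        for frame in self.link.rx_receive_all():
            rec = decode_record(frame)
            if rec is None:
                continue
            if rec["seq"] != self.expected_seq:
                self.gaps.append((self.expected_seq, rec["seq"]))
            self.expected_seq = rec["seq"] + 1
            self.replica[rec["tag"]] = rec["value"]


def demo() -> Tuple[bool, Dict[str, float], List[Tuple[int, int]]]:
    link = OneWayLink()
    connected = tcp_connect_over_diode(link)  # False: the SYN-ACK never arrives
    link.rx_receive_all()                     # discard the stray SYN

    # Constructed snapshot of the OT historian on the protected side.
    historian = {"PUMP1.flow": 12.5, "PUMP1.pressure": 3.1,
                 "TANK2.level": 71.0, "TANK2.temp": 18.0}
    tx, rx = TxAgent(link), RxAgent(link)
    tx.poll_and_send(historian)

    # Simulate an impaired fibre by re-injecting a damaged subset of the
    # frames: seq 1 is lost entirely and one bit of seq 2 is flipped.
    frames = link.rx_receive_all()
    corrupted = frames[2][:3] + bytes([frames[2][3] ^ 0x01]) + frames[2][4:]
    for f in (frames[0], corrupted, frames[3]):
        link.tx_send(f)
    rx.receive()
    return connected, rx.replica, rx.gaps
```

The receive side ends up with a replica missing two tags and a recorded gap (expected seq 1, saw seq 3). In a real deployment the transmit agent simply keeps re-sending the current values on the next poll, which is how replication across a one-way link recovers from loss without acknowledgments.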
Unidirectional Security Gateways Advantages
Enhanced Usability: The built-in integration capabilities make connecting a secure network to external systems straightforward. Without that simplified integration there would not be much to talk about, but because integration is available for just about every OT system, unidirectional gateways are usable across a very broad range of environments.
Support for Common Use Cases: Many unidirectional gateways come with pre-built solutions for replicating databases, streaming real-time telemetry, or forwarding log data. And an existing library with over a hundred connectors pretty much covers all other use cases, including legacy and out-of-support OT systems. Unidirectional gateways are used by many critical industries including, Oil & Gas, Power Generation, Manufacturing, Rail, Water & Wastewater, Metals & Mining, sensitive Facilities, and Governments.
Cyber-physical Security: Like traditional data diodes, unidirectional gateways enforce the one-way data flow with physical hardware, so no remote attacker can push a packet into the protected network. That decision is not made by software but by hardware, and hardware cannot be reconfigured unless you are standing right next to it. What the hardware guarantees is the direction of flow; the software on the external, receiving side is still ordinary software and should be patched and monitored like any other server.
Legacy Support: OT systems that needed to be “air gapped” back in the day, can be secured nowadays with unidirectional gateways. The legacy system remains isolated with no outside access, while all its operational data is safely duplicated unidirectionally, and made accessible to users. This also applies for out-of-support legacy systems as well as otherwise obscure and unusual industrial control systems.
Comparison Table: Firewalls vs Data Diodes vs Unidirectional Gateways
| Feature | Firewalls | Data Diodes | Unidirectional Gateways |
| --- | --- | --- | --- |
| Directionality | Bidirectional | Unidirectional | Unidirectional |
| Security Assurance | Depends on configuration | Hardware-enforced | Hardware-enforced |
| Use Case Flexibility | Highly adaptable | Custom built per use case | Highly adaptable |
But What About a Firewall Set to “Unidirectional”?
If I were presenting the gist of this topic on stage at a cybersecurity conference, I imagine that right around now a voice would pipe up from the back of the room to ask whether a firewall configured to enforce unidirectional traffic would work. It's a legitimate question, and it can be a cost-effective alternative to data diodes or unidirectional security gateways. It is done in many places, and it is definitely better than nothing. However, this approach relies on software to enforce the unidirectionality, and it is not truly one-way even when the rules are correct: a rule that "only allows OT to IT" still has to let the reply packets of every OT-initiated TCP connection back into the OT network, so inbound bytes do reach OT through such a firewall. Many well-known cyberattacks have involved remotely compromising a firewall at some step, so it is reasonable to consider the risk that, if the firewall were compromised, attackers would simply delete the unidirectional rule; the hardware for bidirectional traffic is already in place. In contrast, the physical hardware of data diodes and unidirectional security gateways ensures that no software vulnerability can undermine the one-way data flow, making them far more reliable for critical systems.
The Verdict
Firewalls, data diodes, and unidirectional security gateways each play a distinct role in an OT security strategy. Firewalls offer low cost, flexibility and scalability for managing bidirectional traffic, which makes them indispensable in general network environments. Data diodes provide strong security for critical systems that need a one-way data flow, but their reliance on custom engineering for integration can drive costs high. Unidirectional security gateways, while more expensive than firewalls, offer a balanced solution by combining data diode-level assurance with practical, pre-configured integration tools. Keep in mind that most OT operations have multiple layers of firewalls, with the critical boundary between OT and IT protected by a unidirectional security gateway, a data diode, or in some cases an "air gap". The data diode or unidirectional gateway replaces only the firewall guarding that critical boundary; the remaining firewalls stay in place.
Businesses should evaluate their specific OT security needs, operational requirements, and budget constraints to decide which combination of technologies best suits their OT environment.