Confidential material is often stored within classified networks that are fully isolated from the outside world. This is very secure, but at the same time inconvenient: even in classified, so-called red networks, data from less secure black networks is needed. Typical examples are e-mails, database records, video feeds, and updates for anti-virus and other software. Without a direct connection to outside networks, data can only be brought into a red network manually on a data carrier, often with significant delay. This involves a lot of work, is error-prone, and makes real-time applications impossible.
We have developed the vs-diode to allow direct data transfer into red networks without compromising security. The solution only permits data transfer in one direction, from black to red. Flow in the opposite direction is blocked, so classified data cannot cross the interface into the black network. An important feature of the vs-diode is its performance and reliability in one-way transfer: it achieves up to 1 Gbit/s throughput using FTP for file transfer, SMTP for e-mail, and generic TCP. This performance comes from the new technology used in the vs-diode, which sets it apart from other solutions on the market.
The vs-diode consists of three components: two high-security firewalls (application level gateways) that inspect the data at the application level, and a filter with a diode function located between them. The first gateway is connected to the black network and receives the data from the sender; as an application level gateway, it terminates the sender's TCP, FTP or SMTP session itself rather than passing that session through to the red network. If required, the received data can be scanned there for viruses and other malicious software before it goes any further, giving the red network an additional layer of protection. The data is then forwarded through the intermediate filter system to the second gateway, which is connected to the red network and delivers it to the recipient. The filter passes traffic in the black-to-red direction only and blocks everything in the other direction, with a single exception: once a transfer is complete, the red-side gateway returns a final status message indicating whether all data was properly received. This minimal feedback lets the black-side gateway report success or failure to the sender, which is what makes reliable transfer over FTP, SMTP and generic TCP possible without any of the red network's traffic crossing back. Because that status message is the only thing that ever travels from red to black, it must be a fixed, data-independent token; a filter that let the red side vary its content would hand it a channel in the forbidden direction. A protocol without feedback, such as UDP, cannot detect or retransmit lost packets, so transfers over it are less efficient and can deliver incomplete, and therefore unusable, files.
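The following model of the three-stage design is an added example and is not the vendor's code; it illustrates the points above rather than the product's actual wire format. It assumes a header frame carrying the file length and a SHA-256 digest, numbered data frames, two fixed status tokens (`OK`/`FAIL`) as the only red-to-black messages, and a black-side gateway that resends the whole file it still holds when the status is `FAIL`. The loss pattern and the sample file are constructed.

```python
"""Model of one-way transfer with minimal fixed feedback (added example, not vendor code).

Assumptions, none of them from the product page: length-prefixed frames with a
SHA-256 header, two fixed status tokens as the only red -> black messages, and a
whole-file resend on FAIL. Frame loss is simulated with a constructed drop pattern.
"""
import hashlib
import struct

# Hypothetical fixed status tokens: the only bytes the filter lets through red -> black.
STATUS_OK = b"OK"
STATUS_FAIL = b"FAIL"
ALLOWED_REVERSE = frozenset({STATUS_OK, STATUS_FAIL})
CHUNK = 1024  # payload bytes per forward frame (assumed)


class ReverseChannelViolation(Exception):
    """Raised when anything but a fixed status token tries to cross red -> black."""


class OneWayFilter:
    """Filter between the gateways: any frame black -> red, only a fixed token red -> black.

    drop_on_attempt maps an attempt number to the set of frame indexes silently lost
    on that attempt (constructed loss pattern, to show why the status feedback matters).
    """

    def __init__(self, drop_on_attempt=None):
        self.drop_on_attempt = drop_on_attempt or {}
        self.attempt = 0
        self.delivered = []  # frames that reached the red side in the current attempt

    def begin_transfer(self):
        self.attempt += 1
        self.delivered = []

    def forward(self, index, frame):
        if index in self.drop_on_attempt.get(self.attempt, set()):
            return  # lost on the wire; the black side cannot see this directly
        self.delivered.append(frame)

    def reverse(self, msg):
        # Exact-match check: a status token carrying extra bytes would be a covert channel.
        if msg not in ALLOWED_REVERSE:
            raise ReverseChannelViolation("blocked red->black message of %d bytes" % len(msg))
        return msg


def build_frames(data):
    """Header frame with total length and SHA-256 digest, then numbered data frames."""
    header = b"HDR" + struct.pack(">Q", len(data)) + hashlib.sha256(data).digest()
    frames = [header]
    for seq, off in enumerate(range(0, len(data), CHUNK)):
        frames.append(b"DAT" + struct.pack(">I", seq) + data[off:off + CHUNK])
    return frames


def red_gateway_receive(frames):
    """Red-side gateway: reassemble, verify length and digest, answer with a fixed token only."""
    if not frames or frames[0][:3] != b"HDR":
        return STATUS_FAIL, None
    (length,) = struct.unpack(">Q", frames[0][3:11])
    digest = frames[0][11:43]
    chunks = {}
    for f in frames[1:]:
        if f[:3] == b"DAT":
            (seq,) = struct.unpack(">I", f[3:7])
            chunks[seq] = f[7:]
    data = b"".join(chunks[i] for i in sorted(chunks))
    if len(data) != length or hashlib.sha256(data).digest() != digest:
        return STATUS_FAIL, None
    return STATUS_OK, data


def black_gateway_transfer(data, filt, max_attempts=3):
    """Black-side gateway: it terminated the sender's session and still holds the whole
    file, so it can resend everything when the single status token says FAIL."""
    frames = build_frames(data)
    for attempt in range(1, max_attempts + 1):
        filt.begin_transfer()
        for i, frame in enumerate(frames):
            filt.forward(i, frame)
        status, _ = red_gateway_receive(filt.delivered)
        if filt.reverse(status) == STATUS_OK:
            return STATUS_OK, attempt
    return STATUS_FAIL, max_attempts


def reverse_blocked(filt, msg):
    """True if the filter refuses to pass msg from red to black."""
    try:
        filt.reverse(msg)
        return False
    except ReverseChannelViolation:
        return True


if __name__ == "__main__":
    sample = b"x" * 5000  # constructed 5000-byte file: one header + five data frames
    print(black_gateway_transfer(sample, OneWayFilter()))          # clean link
    print(black_gateway_transfer(sample, OneWayFilter({1: {3}})))  # frame lost once
    print(reverse_blocked(OneWayFilter(), b"OK" + b"leaked"))      # covert channel refused
```

The retry loop is where the single status token earns its keep: the black-side gateway never learns which frame was lost, only that the transfer as a whole failed, and that is enough because it still has the sender's data. The `reverse` check is the security-critical line; an exact match against two constants is what keeps the feedback path from becoming a red-to-black data channel.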