International Journal of Scientific Research in Information Systems and Engineering
Volume 3, issue 1, April – 2017. ISSN 2380-8128
UNIDIRECTIONAL DATA TRANSFER: A SECURE SYSTEM TO PUSH THE DATA FROM
A HIGH SECURITY NETWORK TO A LOWER ONE OVER AN ACTUAL AIR-GAP
Atila Bostan, Department of Computer Engineering, Atılım University, Ankara, Turkey
Email: atila.bostan @atilim.edu.tr
Gökhan Şengül, Department of Computer Engineering, Atılım University, Ankara, Turkey
Email: gokhan.sengul@ atilim.edu.tr
Murat Karakaya, Department of Computer Engineering, Atılım University, Ankara, Turkey
Email: murat.karakaya@ atilim.edu.tr
ABSTRACT
The term “air-gap” is typically used to refer physical and logical separation of two computer networks. This
type of a separation is generally preferred when the security levels of the networks are not identical. Although the
security requirements entail parting the data networks, there is a growing need for fast and automatic transfer of
data especially from high-security networks to low-security ones. To protect security sensitive system from the
risks originating from low-security network, unidirectional connections that permit the data transfer only from
high to low-security network, namely information-diodes, are in use. Nonetheless, each diode solution has its
drawbacks either in performance or security viewpoints. In this study, we present a unidirectional data transfer
system in which the primary focus is data and signal security in technical design and with a plausible and
adaptable data transfer performance. Such that the networks do not touch each other either in physically or
logically and the transfer is guaranteed to be unidirectional. Apart from avoiding the malicious transmissions from
low to high-security network, we claim that the proposed data diode design is safe from emanation leakage with
respect to the contemporary sniffing and spoofing techniques.
Keywords –data security, data diode, information diode, air gap, signal security, multi-level security
networks.
—————————— ——————————
1. INTRODUCTION
Central to the proliferation of automatic
information-processing is the ease and speed of
information and data sharing achieved by this
technology [1]. In contemporary information
processing systems it is hard to find one which does
not share any information (import or export) with
some others [2]. Hence an information system is
generally supposed to be exporting or importing
information in a given configuration. When a
system is connected to other one or a network of
systems then several security considerations rise.
Thus secure ways of information sharing and access
should be developed. Nevertheless, security is
generally deemed to be a hurdle against information
and data dissemination or access [3]. In the current
state of the information technologies there are
considerable number of security tools and
configurations which aims to secure information
access and usage [4,5,6]. However, common
understanding is that when a systems shares the
information with some others the security risks
come out as well.
Aside from the other security considerations in
information sharing, in this study the focus is on the
security mechanisms in transferring the data from
one system to another. Although the definition of
subject matter sounds like the data transfer is one-
way, readily available data communication
technologies, by default, necessitate two-way
communication infrastructure [7,8]. Since in most of
the communication protocols acknowledgements,
which informs the successful delivery of the
transmissions, play an important role. While there
are several transport layer services and applications
that transmit or receive only [9, 10], they generally
run on a duplex communication infrastructure.
Furthermore, unless the transfer of signal is assured
to be one-way on physical layer, merely transmitting
the data from one system to another on transport or
application layer does not guarantee that the system
is safe from security risks which stem from the other
peers or from the network connected. Malicious
incidences were generally detected to be covertly
exploiting the available channels in the
infrastructure used [11, 12, 13]. Hence, in order to
be safe from clandestine attacks it is better to nullify
the infrastructure that they can utilize.
On the other hand signal emanation security is
another dimension when two systems with different
security levels run within close perimeters. There
are technical and physical measures developed to
prevent spying on leaking emanations. The most
commonly accepted and referred set of standards in
this area is named TEMPEST. TEMPEST’s name is
believed to have been a code name used during
development by the U. S. government in the late
IJSRISE © 2017
http://www.ijsrise.com
pg. 35
International Journal of Scientific Research in Information Systems and Engineering
Volume 3, issue 1, April – 2017. ISSN 2380-8128
1960s, but at a somewhat later stage, it became an
acronym for Telecommunications Electronics
Material Protected from Emanating Spurious
Transmissions [14]. In essence, TEMPEST defines
the minimum set of technological and physical
measures to be followed in order to be safe from
leaking emanations, including unintentional radio or
electrical signals, sounds, and vibrations [15].
In this study, we present our design of an
information diode that allows only one way of a data
transfer and can be configured to comply with
TEMPEST standards as well. In the following
section we present the design and configuration of
proposed system. In the conclusion section the
advantages and future work were reported.
2. SYSTEM DESIGN
The system has three core components, these
components are; high-end-unit, transfer-unit and
low-end-unit. Conceptual relations between these
three components are depicted in Figure 1, below.
High-endunit
Transfer-unit
traffic on low-security network may not be easily
forwarded to the transfer-unit without using proper
conversion mechanisms and having physical
connection
Moreover, on each component there are special
service software running. Detailed designs and
configurations of the three components are
described in the following sections.
2.1
High-End-Unit
This component is responsible to identify, filter
and direct the data that will be transferred to lowsecurity network. Depending on the preferred
services, it plays a communication-gateway role for
the other hosts on high-security network. Other
hosts should address the data that is to be transferred
to low-security network to high-end-unit on highsecurity network. The high-end-unit should be
functioning as an application-proxy for the preferred
applications running on the high-security network.
High-end-unit should be capable to identify and
filter data that is received and further to be relayed
to transfer-unit. In order to successfully deliver the
data to the transfer-unit, it must have well-suited
transport services as well. Conceptual design of the
modules and data flow in high-end-unit are shown
in Figure 2.
Low-endunit
Figure 1. The components of the system.
High-end-unit is a computer which is connected
to the high security part of the network and
operating under the high-security configurations.
Additionally, this unit is connected to the transfer
unit over an input/output interface other than the one
used to connect the security-high network
infrastructure. In essence, the addressing,
forwarding and communication protocol should
better be different than that of the ones used in highsecurity network. So that the data traffic on securityhigh network may not be easily forwarded to the
transfer-unit without using proper conversion
mechanisms and having physical connection.
Transfer-unit a customized hardware and
software component which guaranties the
information flow is one way. This unit consists of
two physical hardware parts with the actual air gap
in between. While one of the hardware components
is connected to high-end-unit, the other one is
connected to the low-end-unit. Details of the
transfer unit and the connection over physical air
gap are explained in section 2.2.
Low-end-unit is a computer which is connected
to low-security network and running under
compatible configurations with this network. Lowend-unit has a connection with the transfer unit over
an input/output interface other than the one used to
connect to the low-security network. So that the data
Figure 2. High-end-unit conceptual design
Application proxies should be capable to convey
the received message (not data) to the data filter in a
custom format that has the destination address and
the communication content together. Afterwards,
data filtering and logging module scan the message
and record for achieving purposes. Finally, the
message should be processed by a custom transport
service which is running a special communication
protocol with the transfer-unit.
2.2
Transfer-Unit
Transfer-unit consists of two hardware
components. The one which has a cable connection
with high-end-unit is named as transmission-part.
The other one which has a cable connection with
low-end-unit
is
named
as
receiver-part.
Transmission-part has transport module which is
facing towards the high-end-unit and an optical
transmitter. On the other hand, the receiver-part has
optical sensor and transport module which is facing
IJSRISE © 2017
http://www.ijsrise.com
pg. 36
International Journal of Scientific Research in Information Systems and Engineering
Volume 3, issue 1, April – 2017. ISSN 2380-8128
towards low-end-unit. Schematic
transfer unit is shown in figure 3.
diagram
of
transmitter-part. In order to prevent any misuse of
the channel from low side to high side, feedback
mechanism should be implemented on electronic
circuit level. By this way, the communication speed
would
get
higher
with
the
achieved
acknowledgement
signal
and
ease
of
synchronization. Typical design of proposed
feedback mechanism is shown in Figure 4.
Figure 3. Transfer-Unit conceptual design.
The transport module in the transmitter-part is
responsible to communicate with the high-end-unit
by using special communication protocol. Whereas
the transport module in receiver-part is responsible
to communicate with low-end-unit by using the
customized protocol as well. Optical transmitter and
sensor units should have at least a pair of optical
transmitter and sensor devices, but may have several
pairs in parallel. Important point in this design is
that the transmitter-part can only transmit, while the
receiver-part can only receive signals, as they do not
have the other physical devices. Therefore, this
design guaranties one way information (signal) flow
on physical layer.
With the purpose of having faster transfer speed,
the number optical transmitter and sensor device
pairs may be increased. Otherwise, single pair
transfer speed will be limited with a one-bit serial
transfer.
The air-gap between transmitter-part and
receiver-part should be clear and free from any
optical interference and blockage. Moreover, the
distance between these two components should be
big enough to comply with the TEMPEST criteria as
well. It would be a plausible installation if the
transfer-unit is installed in a controlled room or box.
To prevent any signal leakage, it is advised to power
these two parts with different power sources. In case
it is required to prevent optical dissemination,
nonconductive pipe-like material may also be used
between optical transmitter and sensor pairs.
It is obvious that that there will be no
acknowledgement/negative-acknowledgement from
receiver-part to transmitter-part which can inform
the transmission is successful or nor. This problem
should be mitigated by eliminating the sources of
optical noise in the transfer-unit.
The other palpable communication problem
between the transmitter and receiver parts is the
synchronization of the pairs. Depending on the
sensor capabilities, the solution can be either
utilizing a preamble or discriminating between nosignal and at least two different intensity levels of
optical signal. In later case, a simple solution may
be inserting a no-signal between bit transmissions.
Since 0 and 1 are identified with different optical
intensities.
Another extension to the transfer-unit can be the
inclusion of signal feedback from receiver-part to
Figure 4. Feedback mechanism.
2.3
Low-End-Unit
Low-end-unit is responsible to receive the
messages from transfer-unit and send or service
them in to the low-security network. Low-end-unit
may function as application proxy as well. Keeping
log on low-end-unit will help in debugging and error
correction efforts. Conceptual design of the modules
and data flow in low-end-unit are shown in Figure 5.
Figure 5. Low-end-unit conceptual design
Transport module communicates with the
receiver-part of the transmitter-unit by using a
customized communication protocol. Although data
filter and logging module is optional, it is advised
for error detection and communication tracing
purposes. Whenever received messages transferred
to the application proxies, it is their responsibility to
send or disseminate the message into low-security
network.
3. CONCLUSIONS
As computer systems and networks get
connected to each other, information sharing
becomes a substantial requirement. But this
cooperation brings about the security risks as well,
since not all the systems run on similar security
settings. System administrators are reluctant to take
on additional security risks that stem from
information sharing. Undoubtedly, it is very
common for a system which runs on a higher
security setting oblige to transfer some information
to a lower security system or network.
There are several studies in the literature which
claim to reduce the security risks in information
transfer between the networks with different
IJSRISE © 2017
http://www.ijsrise.com
pg. 37
International Journal of Scientific Research in Information Systems and Engineering
Volume 3, issue 1, April – 2017. ISSN 2380-8128
security levels. Considerable number of the studies
rely on application level measures, where several of
them are developed on operating systems level. In
any case, most of the transfer mechanisms proposed
so far keep utilizing a duplex communication
infrastructure for the sake of communication speed
and synchronization requirements. Therefore, these
proposals mostly criticized for still having
considerable security risks that originate from the
other network.
Our proposal presented in this study has no
physical connection between high-security and lowsecurity networks. In other words, there is an actual
air-gap between the networks. Hence the leaking
emanations are prevented even on the power lines as
well. Our design opt out the communication speed
on account of guaranteeing the one-way data
transfer. However, the design is more compatible
with the TEMPEST requirements than the other
alternatives. It would be a convenient way if the
application proxies running on the high-end-unit
inform the clients on that their messages will be
relayed to the other network after a reasonable time
delay. Similarly, the application proxies running on
the low-end-unit inform the clients on that the
message I subject to a significant time delay and the
communication is one-way only. Development of
the application proxies for both of the networks and
specification of customized communication
protocols to run in between transfer-unit and highend, low-end units are recommended as future
works.
4. REFERENCES
[1] Salehie Mazeiar and Ladan Tahvildari,
"Autonomic computing: emerging trends and
open problems." ACM SIGSOFT Software
Engineering Notes. Vol. 30. No. 4. ACM, 2005
[2] Adams, Jonathan, and Tamar Loach. "Comment:
A well-connected world." Nature 527.7577
(2015): S58-S59.
[3] Yan, Fan, Yang Jian-Wen, and Cheng Lin.
"Computer Network Security and Technology
Research."
2015
Seventh
International
Conference on Measuring Technology and
Mechatronics Automation. IEEE, 2015.
[4] Layton, Timothy P., “Information Security:
Design, implementation, measurement, and
compliance.”, CRC Press, 2016.
[5] Sim, Jae-Yoon, and Kyung-Ho Lee., "A Study
on Information Access Control Policy Based on
Risk Level of Security Incidents about IT
Human Resources in Financial Institutions.",
Journal of the Korea Institute of Information
Security and Cryptology 25.2 (2015): 343-361.
[6] Peltier, Thomas R., “Information Security
Policies, Procedures, and Standards: guidelines
for
effective
information
security
management.”, CRC Press, 2016.
[7] Information Sciences Institute University of
Southern California, “Internet Protocol Darpa
Internet Program Protocol Specification”,
Internet Engineering Task Force (IETF), 1981,
[Online]
Available: https://tools.ietf.org/html/rfc791
[8] Kota, Sastri, et al. "Multimedia satellite
networks and TCP/IP traffic transport." arXiv
preprint arXiv:1603.08020 (2016).
[9] Paila T., Walsh R., Luby ., Roca V., Lehtonen
R., “File Delivery over Unidirectional
Transport”, Internet Engineering Task Force
(IETF),
2012,
[Online]
Available : https://tools.ietf.org/html/rfc6726
[10] Holbrook H., Cain B., Haberman B., “Using
Internet Group Management Protocol Version 3
(IGMPv3) and Multicast Listener Discovery
Protocol Version 2 (MLDv2) for SourceSpecific Multicast”, Internet Engineering Task
Force
(IETF),
2006,
[Online]
Available: https://tools.ietf.org/html/rfc4604
[11] Banerjee, Anindya, et al., "Method and
apparatus for detecting malicious software
activity based on an internet resource
information database." U.S. Patent No.
8,978,139. 10 Mar. 2015.
[12] Tran, Manh Cong, and Yasuhiro Nakamura,
"Suspicious Domain Filtering Based on Autoware Communication Features." ITC-CSCC:
International Technical Conference on Circuits
Systems, Computers and Communications.
2015.
[13] Greally, Andrew, and Christina Thorpe,
"Investigating Near Field Communication as a
Method of Malware Propagation." IT&T
(2015): 19.
[14] Definition of TEMPEST, TechTarget [Online].
Available:
http://searchsecurity.techtarget.com/definition/T
empest
[15] TEMPEST (Codename), Wikipedia [Online].
Available:
https://en.wikipedia.org/wiki/Tempest_(codena
me)
IJSRISE © 2017
http://www.ijsrise.com
pg. 38