The Arbit Data Diode
The Arbit Data Diode moves data from an insecure network to a secure network, ensuring that no data is able to flow back. This is handled by the physical principle of the data diode.
The Arbit Data Diode solves these issues by creating a physically secure one-way communication channel from the insecure network to the secure network. This channel cannot be reversed in any way since its basic principle builds on the laws of physics.
The Arbit Data Diode is a physical data diode that eliminates the threat of remote data stealing by establishing a physically secure one-way connection with a single fiber-optic cable. The transmission is handled by two dedicated servers.
The sending server is called a pitcher and the receiving server is called a catcher. No data can be transported from the receiving network to the transmitting network. Therefore, the Arbit Data Diode is just as safe as manual data transfer, but offers the same convenience as a normal network connection.
The Arbit Data Diode has the following features:
|More hardware configurations available|
|Maximum file size limited only by available disk space|
|Based on gigabit network interfaces|
|Transports all file types and emails with full transaction control|
|Unlimited number of data channels|
|Data channel priority (on transaction basis)|
|Supports up to 24 streaming channels (video, radio, etc.)|
|Back pressure in case of critical disk space|
|Safe points in case of increased data flow|
|Notifications by email: Required retransmissions, Daily operational statistics, Total count and size of transactions within last 24h.|
|Operated by web-interfaces|
|No daily maintenance|
|Software based on hardened Linux|
|Supports Supervisory Control and Data Acquisition (SCADA) networks|
|Supports Industrial Control Systems (ICS)|
|Simple file transfer (FTP, SFTP)|
|Windows share mapping (SMB)|
|Time synchronization (NTP)|
Arbit offers several different hardware configurations for the Arbit Data Diode.
All versions are certified Common Criteria EAL 5+ with the highest possible Vulnerability Analysis (AVA_VAN.5).
Arbit Data Diode Device
This data diode consists of two enclosures (PITCHER and CATCHER) connected by a single fiber-optic cable. The PITCHER connects to the LOW side network and the CATCHER connects to the HIGH side network. Two additional computers/servers (one LOW and one HIGH) must be added to this solution in order to make a fully functional data diode. Each device can be TEMPESTED according to the NATO regulations SDIP-27 Level A. The LOW side computer/server can be virtualized.
Arbit supports several different computers and servers. Contact Arbit for more information on this solution.
The Arbit Data Diode Device is ideal for deployment of the data diode where servers of a certain capacity or configuration are required.
Arbit Data Diode Unit
This product contains a fully integrated data diode in two separated enclosures. It is similar to the Arbit Data Diode Device, but doesn’t require additional servers or computers in order to operate. The enclosures are connected only by a single fiber-optic cable, which divides the data diode into two isolated zones, LOW and HIGH. No other connections between the enclosures exist. Each enclosure can be TEMPESTED according to the NATO regulations SDIP-27 Level A.
The Arbit Data Diode Unit is ideal for quick and easy deployment and in locations where the available space is limited.
Arbit Virtual Data Diode
This product has a higher transfer rate than the regular Arbit Data Diode. It consists of one Arbit Data Diode Unit (two enclosures) and two regular servers (two enclosures). Each enclosure can be TEMPESTED according to the NATO regulations SDIP-27 Level A. The regular servers can be virtualized.
The Arbit Virtual Data Diode is ideal for connections which require a very high throughput.
It’s also possible to combine LOW and HIGH side solutions of the Arbit Data Diode Unit and the Arbit Data Diode Device. This makes the Arbit Data Diode hardware very flexible.
The Arbit TRUST Gateway
No need to rely on manual processes which may circumvent security procedures due to busy operating hours, crisis or even malicious intent. The ATG checks that all data originates from an approved data source on the secure network. No rogue process or system is able to send data through or even piggyback information on approved transactions.
The ATG acts like a secure platform, where several COTS or custom checks can be performed.
One of the primary security features of the ATG is that it is based on the robust Arbit Data Diode technology. The ATG has two Arbit Data Diodes built in. They are connected in series, creating an isolated VOID network which is not accessible from the low side, and only accessible from the high side through a diode. This protects the VOID network against all attacks from the low side and from interactive attacks from the high side. All configuration and program code handling the VOID network is stored read-only so that it is impossible for an attack to change the system in any way. Rebooting the system is guaranteed to restore the approved configuration and the Arbit certified program code.
The Arbit TRUST Gateway has the following features:
|Divided into three zones: HIGH, VOID and LOW|
|All zones available in TEMPEST SDIP-27 Level A|
|Fiber or copper connectors to external networks|
|Low power consumption|
|Supports "releasing officer" function – followed by an extra manual release verification (optional "two key release")|
|Optional external content verifiers|
|Antivirus check using OPSWAT Metadefender Core (4 – 30 commercial AV engines in parallel)|
|File type check (content based)|
|Open API for building custom content verifiers (C++ and Java)|
|Custom source system integration|
|S/MIME mail integration|
|Open API for sending transactions (C++ and Java)|
|Command line interface|
Arbit TRUST Gateway
The Arbit TRUST Gateway is separated into three isolated zones, HIGH, VOID and LOW. A single fiber-optic cable connects from HIGH to VOID and another single fiber-optic cable connects from VOID to LOW. No other connections between the zones exist. Each zone can be TEMPESTED according to the NATO regulations SDIP-27 Level A.
Isolating the VOID network using data diode technology creates a secure zone where content and signature checks as well as external checks can be performed without risk of interactive attacks from the HIGH side network. The LOW side network is not able to access the VOID (or HIGH) network at all due to the single fiber connection.
It’s a diskless system, preventing modifications to the approved configuration. It forms a secure platform for building your information verification and release solution.
Adding an audit log, content checkers, manual release and multi-scanning by OPSWAT Metadefender Core adds more enclosures to the complete solution. However, all external systems added will be tightly controlled by the Arbit TRUST Gateway.