Data Diode Mode
DataHub version 11 offers data diode mode for tunnel/mirroring, providing an extra layer of security to ensure that absolutely no data passes into the OT system. Support for multiple protocols like OPC UA, OPC Classic, MQTT, and Modbus in a unified namespace is fully maintained in data diode mode, allowing you to integrate legacy systems or diverse data sources.
There are three tunnel/mirror options: outbound tunnel with no data diode, data diode software emulation, and data diode hardware support.
Client-Server model – not secure
Most industrial protocols, such as OPC UA, use a client-server connection. This is not secure for remote data access, because it requires opening a port in the firewall to allow an inbound connection. Instead, an outbound DataHub tunnel/mirror connection should be used.
Outbound tunnel with no data diode
An outbound DataHub tunnel/mirror connection keeps all inbound firewall ports closed by reversing the traditional client-server roles: the connection is made from the data source outbound to the data user. Tunnel/mirroring can support SSL, and it blocks external attacks on the data source. However, because the data flow is bidirectional, a compromised program on the data user side could still attack the data source by sending malformed TCP packets for it to process.
Data diode software emulation
Data diode mode in DataHub Tunnel/Mirror provides a software emulation of a data diode at the data source, which discards all incoming TCP control packets and SSL protocol packets. All application data is discarded without being processed, so a compromised data user cannot attack the data source. The only thing exposed to attack is the SSL implementation, if SSL is being used. Since all application data is discarded, data flow over this connection is strictly unidirectional.
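The difference between the bidirectional outbound tunnel and the software data diode comes down to one question: does anything the data user sends back ever reach a parser on the data source? The following is an added illustration, not DataHub code; it models the two modes over a local socket pair with constructed tag values and a constructed reply, and shows that in diode mode inbound bytes are drained and dropped without being interpreted.

```python
import json
import socket

# Constructed sample tag values held by the data source.
TAGS = {"pump1.speed": 1450.0, "tank1.level": 72.5}


def push_readings(sock, tags):
    """Data source side: one outbound message per tag (source -> user)."""
    for name, value in tags.items():
        sock.sendall((json.dumps({"tag": name, "value": value}) + "\n").encode())


def handle_inbound(sock, tags, diode_mode):
    """Drain whatever the data user sent back to the source.
    diode_mode=True : bytes are read and dropped, never parsed (unidirectional).
    diode_mode=False: bytes are parsed as write-back requests (bidirectional)."""
    sock.setblocking(False)
    buf = b""
    try:
        while True:
            chunk = sock.recv(4096)
            if not chunk:
                break
            buf += chunk
    except BlockingIOError:
        pass  # nothing more queued from the peer
    if diode_mode:
        # Diode emulation: the payload is counted and discarded, nothing is processed.
        return {"discarded_bytes": len(buf), "applied": 0}
    applied = 0
    for line in buf.decode(errors="replace").splitlines():
        try:  # in this mode every inbound line, including malformed ones, hits the parser
            msg = json.loads(line)
            if msg.get("op") == "write" and msg.get("tag") in tags:
                tags[msg["tag"]] = float(msg["value"])
                applied += 1
        except (ValueError, TypeError, AttributeError):
            pass
    return {"discarded_bytes": 0, "applied": applied}


def simulate(diode_mode):
    """Run one exchange and return the source's tags plus what happened to inbound data."""
    tags = dict(TAGS)
    source, user = socket.socketpair()  # source connects outbound to user
    push_readings(source, tags)
    # Constructed reply from the data-user side: a write-back request followed by junk.
    user.sendall(b'{"op":"write","tag":"pump1.speed","value":0}\n\x00garbage\n')
    result = handle_inbound(source, tags, diode_mode)
    source.close()
    user.close()
    return tags, result
```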