Unidirectional Security Gateways (Solution Insights)

With the widespread outbreaks of ransomware, viruses and other malicious software across the internet, alternative methods of securing the corporate network are being considered. One of these methods is known is the “unidirectional network”. A unidirectional network is created through the use of a “unidirectional security gateway”, so you may also see this term being used. While this method is highly secure, its stringent controls, high cost, and the lack of maturity of standards and solution providers in this space limits the viability of this solution for mid-market companies and definitely excludes it from small business use, except in very limited scenarios.

Overview of the Solution

Using this method, the corporate network is separated into two parts: unsecured and secured. A network device (referred to as a unidirectional security gateway) is installed between the unsecured and secured network. The gateway only allows data to flow from the secured network to the unsecured network—thus the unidirectional flow.

The gateway controls network traffic between the two networks at the physical and data link level (see OSI Model diagram). This is different from most firewalls and routers, which operate at the network and transport layers. This is important because the only way to bypass the security at the gateway is to be physically present to manipulate the network traffic.

The unsecured network which typically has internet connectivity is only allowed read access to the secured network. With this feature, if a user on the unsecured network invokes the installation of malware and other malicious software from hackers via the internet, it is highly improbable that the software can infect the secure network, as execute/write access from the unsecured to secure network is restricted.

However, if internet browsing is allows from the secure network, this does not prevent a user on the secure network from infecting the secure network.

Application of the Solution

While this solution provides a high level of security, current solution also has a fairly high cost of implementation and maintenance. Given that, this solution has limited usability for small and mid-sized entities. An example of a network environment that is suitable to implement is utilities (i.e. power plants) where corporate networks are separate from the network which includes the software the controls the generators. The gateway would be used to protect the operational network with the generators. This would prevent a user from the corporate network from allowing a hacker to gain access to the operational network.

Another way this solution could be used is where information on the secure network has a high requirement to prevent disclosure. For example, an ideal type of network environment to implement the methodology is the military where highly classified information is stored. In a case such as this, the gateway could be configured to not allow reading of secured information by users on the unsecure network.

Because this is a niche methodology, there are a handful of vendors that offer products in the space. The cost is on the higher end of most likely out of budget considerations for small and medium sized businesses (SMB). Additionally, products in the area are highly proprietary, so implementation and technical support is very dependent on a single vendor. Care must be taken when considering these types of solutions as until the technology and vendors reach a higher level of maturity, there is significant risk to the future sustainability of the solution.

About the Author: Addie Lui, CISA, CISM, CISSP, CTGA

Addie is the leader of IntrapriseTechKnowlogies LLC’s (ITK) IT Risk Management practice and serves as the Chief Information Security Officer for both ITK itself and the clients to whom ITK provides IT governance and risk management services. Addie can be reached at addie@intraprise.us.