This simple and cheap setup is the easiest way to give data diode training/workshops and develop dataflows. Since this is not a real data diode it should not be used in production. This €25 euro functional data-diode demonstrator
can be ordered at most electronic shops.
In this setup we used 2 TP-Link MC210CS single mode Gigabit mediaconverters, one single mode 50/50 splitter and an optional fiber filter for additional security. The main idea behind this setup is that we connect the TX to the RX on the sender and use the Y-cable to listen on the sender. Since there is no TX connected on the receiving mediaconverter data cannot flow back.
On Gitub Klockcykel modified the TP-Link mediaconverter to be used with only one fibre. This is a great DIY hardware data diode solution but be aware that modifying hardware could be dangerous.
In this setup we used 3 TP-Link MC200CM multi mode MC210CS single mode Gigabit mediaconverters and a PLC Fibre Splitter 1X4 SC/UPC-interface. 1 for sending, 3 for receiving. This setup can also be done with just 2 or 4 receivers.
Please note that the splitter is single mode, not multi mode! Example of a 2-way splitter on Amazon
The TX-mediaconverter TX-port is connected with the IN-fiber from the splitter and the 4th splitted fiber to the RX-port to simulate a link.
The RX3 mediaconverter RX-port is connected with the 3th splitter fiber.
The RX2 mediaconverter RX-port is connected with the 2th splitter fiber.
The 1th fiber is not connected but could also be connected to a mediaconverter but there were only three mediaconverters available.
This way we created a one to many data diode setup but this could also be done with a 1x2 PLC splitter with only 2 mediaconverters.
See 2nd simplified image.
This is the most common setup with a sender and receiver and the data diode in the middle.
To be able to send and receive data via separate interfaces causing a protocol break for most network attacks. This setup also provides control over the received and sent data. You could argue that this is not the idea when using data diodes but 2 unidirectional sessions with separated and software filterd paths is more secure than a bidirectional firewall. In this example we send an OpenSSL certificate request through the data diode to be signed by the CA. After signing the CA sends the signed certificate through the second data-diode back to the sender.
Since we are using one way communication it's also possible to use multiple data diodes and destinations using a switch.
This example shows an example to distribute NTP to multiple networks. Note that this configuration does not support NTPv4 foley's.
In this example we prevent the IDS from connecting to the switch via the SPAN port.
For testing data diode applications on one machine it's possible to create a Ubuntu VM with 2 interfaces connected to separate local networks. Using the application daemonlogger you can forward all packets from the first interface to the second.
Understand the difference between multi mode and single mode fiber. We noticed network errors on the TX proxy. The cause was a single mode fiber splitter in combination with multi mode mediaconverters. TCPDUMP output:
20:10:26.441796 MPCP, Opcode Pause, length 46
20:10:26.442321 MPCP, Opcode Pause, length 46
20:10:26.442845 MPCP, Opcode Pause, length 46
...... and many more.....
So depending on your cables you can use the MC200CM multi mode or MC210CS single mode media converters.