Skip to content

Deployment Scenarios

bmwl edited this page Nov 22, 2025 · 2 revisions

Deployment Scenarios

This page covers some theoretical deployment scenarios for the Soft Data Diode Tools (although I've only used it for the first one. PRs to this wiki are welcome!). Alot of this is really pie-in-the-sky, but I think all the listed scenarios are potentially valid.

For basic setup, see the main README.

Corporate WAN to Cloud

This is the original use case that prompted development of these tools. A corporate network needs to share internal resources (dashboards, cameras, files) with external parties or cloud services without exposing the internal network to attack. We used these tools to eliminate a DMZ, which is always a risky thing to have hanging out on the internet and a common point of initial entry for adversaries.

Network Topology

  • Sender: Internal corporate network
  • Receiver: Cheap-and-cheerful cloud VPS
  • Firewall: Corporate edge firewall with NAT

Security Characteristics

  • Corporate firewall provides NAT, making return traffic difficult
  • Internal network protected by multiple layers of security
  • Cloud server is untrusted and potentially exposed

Implementation Notes

  • This scenario benefits most from the NAT protection described in Security Model and Hardening
  • The corporate firewall's SNAT capabilities can be leveraged for additional protection
  • Consider using the eBPF packet forwarder for additional protection and lower CPU load

Hardening Priority

  1. Configure firewall SNAT to blackhole address
  2. Implement iptables rules on sender side
  3. Set up switch ACLs if the feature exists and you've got a good choke point
  4. eBPF packet mangling

Industrial Control Systems (IT/OT)

Devices in an OT network need to send data to IT systems without exposing the OT network to potential compromise.

Network Topology

  • Sender: OT network (control systems, HMIs)
  • Receiver: IT network (historians, monitoring, analytics, dashboards)
  • Firewall: Firewall between IT and OT, hopefully employing Purdue zones with an iDMZ

Security Characteristics

  • OT networks often have strict security requirements. Maybe regulations
  • May involve actual air-gaps or data diodes
  • High consequence if compromised
  • Often contain insecure devices and protocols that need all the protection they can get

Implementation Notes

  • This scenario may benefit from combining with hardware data diodes
  • Extremely conservative approach recommended
  • All mitigations should be implemented

Hardening Priority

  1. Hardware firewall with SNAT rules
  2. Switch ACLs at network boundary
  3. OS-level iptables with strict rules
  4. eBPF packet forwarder
  5. Comprehensive monitoring and alerting

Multi-Cloud Deployment

Resources in one cloud provider need to be shared with another cloud provider. Probably only useful if you need to send from a high-security cloud environment to a lower security one.

Network Topology

  • Sender: Cloud provider A (source environment)
  • Receiver: Cloud provider B (target environment)
  • Firewall: Cloud provider security groups

Security Characteristics

  • There may or may not be NAT between cloud providers
  • If they're the same provider they might egress directly to each other

Implementation Notes

  • Without NAT, you must rely more heavily on other mitigations
  • Cloud security groups can be configured to block return traffic
  • Consider using the eBPF packet forwarder for additional protection and lower CPU load
  • Both sender and receiver should be hardened equally

Hardening Priority

  1. Cloud security group rules blocking return UDP
  2. OS-level iptables rules
  3. eBPF packet mangling
  4. Comprehensive monitoring on both sides

Service Provider to Client

A service provider needs to share monitoring/video/status/file data with clients without giving clients any access back into the provider network.

Network Topology

  • Sender: Service provider network
  • Receiver: Client network or client-accessible server (eg VPS)
  • Firewall: Provider edge firewall

Security Characteristics

  • Provider network contains multiple customer data
  • Client network may be untrusted
  • Compliance requirements may be strict (and there's just a big business risk in being embarrassed by privacy or data breaches)

Implementation Notes

  • Consider separate receiver instances per client
  • Encryption keys should be unique per client
  • Implement strict network segmentation
  • Maintain audit logs for peace of mind/auditing/compliance/etc

Hardening Priority

  1. Per-client encryption keys, service accounts, authentication and network segmentation
  2. All standard mitigations
  3. Regular security assessments

Remote Office/Branch Office

Branch offices/Headquarters need to send monitoring data to each other without exposing their networks. Could be for things like acquisitions where you can't fully integrate before doing an audit.

Network Topology

  • Sender: Office network 1
  • Receiver: Office network 2
  • Firewall: Office edge device

Security Characteristics

  • Branch offices may have limited security expertise
  • With multiple offices to manage configs could get unwieldy
  • Varying network quality and reliability

Implementation Notes

  • Standardize configurations across branches. VM templates, etc
  • Implement central monitoring and management
  • Consider bandwidth limitations at branch offices
  • Use lower frame rates and resolutions to conserve bandwidth

Hardening Priority

  1. Standardized OS-level firewall rules
  2. Automated deployment, configuration and patching
  3. Centralized logging and monitoring
  4. Regular security updates and assessments

Development/Testing Environment

Development environments may need to share build status, test results, or monitoring data without exposing the dev network.

Network Topology

  • Sender: Development network
  • Receiver: Testing team or management network
  • Firewall: Standard corporate firewall

Security Characteristics

  • Lower risk tolerance than production
  • Rapid changes to configurations
  • Need for flexibility

Implementation Notes

  • Easier to implement and test mitigations
  • Good scenario for learning the tools
  • Can use less aggressive hardening
  • Valuable for testing configurations before production deployment

Hardening Priority

  1. Basic OS-level firewall rules
  2. Monitoring for educational purposes
  3. Document lessons learned for production use

Managed Service Provider

MSP needs to monitor customer environments without creating potential attack vectors into customer networks.

Network Topology

  • Sender: Customer network
  • Receiver: MSP monitoring infrastructure
  • Firewall: Customer edge firewall

Security Characteristics

  • Have to maintain customer security and trust
  • Multiple customer networks to manage
  • Need for strong separation between customers

Implementation Notes

  • Unique encryption keys per customer
  • Separate receiver instances or ports per customer
  • Customer-controlled firewall rules
  • Transparent operation preferred

Hardening Priority

  1. Comprehensive audit logging
  2. Clear documentation for customers

Moving files into a DR environment

Move data from production into a DR or cleanroom environment without exposing it to attack

Network Topology

  • Sender: Corporate backups or fileservers
  • Receiver: DR environment
  • Firewall: Corporate firewall

Security Characteristics

  • Moving between zones that need to mutually maintain their integrity means an airgap is a must
  • May need more protections, like a time-based "airlock" configuration
  • Data corruption or cryptolocker'd files will get passed through, but attackers will be unable pass through to eg delete or encrypt backups

Implementation Notes

  • Firewalls can be compromised, so actual airgaps are critical here
  • Other mitigations are great, but a true airgap should make them optional

Hardening Priority

  1. Airgap
  2. Maybe a double airgap (airlock)?
  3. Still need virus and threat scanning
  4. Regular security reviews for things like unintentional cross-connects

General Recommendations for All Scenarios

  • More mitigations are probably better than less, but think about the consequences of implementing and maintaining them

  • Test incrementally and verify each mitigation individually before combining

  • Document everything like configuration, testing results, and internal how-tos

  • Have things like watchdog timers and test everything for autostart on reboot

  • Periodically review and test configurations

  • Return to the main README for basic usage

Clone this wiki locally