Hello all, The below article https://www.synergistscada.com/building-your-own-d... uses a fiber optic data diode along with Nginx as a reverse proxy. The author states: "TCP/IP client-server reverse proxies on either end of the data diode can be setup to respond to the hand shaking requests automatically without the need to actually send any data back to the insecure network. The client-server proxies solution should work in most cases however, through testing should be completed in a lab environment before deploying a data diode solution into an ICS." And "Step 5 Configure your Reverse Proxy Depending on the data you want to replicate you can either configure an open source reverse proxy like nginx (engine x) and use your databases web services to replicate the data. Step 6 Disconnect one of the fiber optic ST connectors Once you have your two proxy servers configured and communicating to each other you can simply disconnect one of the two fiber ST connectors. You will likely need to spend time properly configuring your reverse proxy servers to relay the information correctly and you will need to write some scripts in your database to perform the continuous data replication." He however does not provide any working configuration. We would love to implement this and I greatly appreciate any help. If someone can at least just point me in the right direction I would be eternally grateful. Thank you.
on 2013-03-16 21:38
on 2013-03-17 09:17
I urge caution using this approach to a data diode. The question you ask is a very important one: where can I find a working configuration? Do not get me wrong, it is possible to make such approaches work, I have seen them in my companies test lab. The question you have to consider is reliability and trust. How reliable does the solution need to be? My experiece has been making something work in a test lab is relatively easy. However, making something work in a deployed environment, thus sustainable 24/7/365 is much harder. Intermittent data losses will happen over time? How does your application manage these? How do you implement re-synchronisation (can't be triggered automatically, as there is no feedback loop). Sorry, I am not answering your question directly, rather rasiing issues you need to consider before building something yourself. These issues are explored further iat the links below. Link: http://colinrobbins.me/2013/02/07/diy-data-diode-for-1612/ (reliability question) Link: http://colinrobbins.me/2013/03/12/can-you-trust-yo... (trust question) Posted at Nginx Forum: http://forum.nginx.org/read.php?2,237446,237451#msg-237451
on 2013-03-17 12:33
On 17 March 2013 10:17, Camayoc <email@example.com> wrote: > manage these? How do you implement re-synchronisation (can't be triggered > automatically, as there is no feedback loop). Thank you for your response. I have read both links before and understand the implications. I just wanted to see this work and simply cannot believe how expensive commercial solutions are.
on 2013-03-17 13:46
I'd argue the commercial solutions are value for money, given the complexities. By I accept I am biased :-) Posted at Nginx Forum: http://forum.nginx.org/read.php?2,237446,237457#msg-237457
on 2013-03-18 15:23
From: "Camayoc" <firstname.lastname@example.org> > I'd argue the commercial solutions are value for money, given the > complexities. Not to mention most organizations that would need such a device like having someone to hold accountable (usually via lawsuit) when it fails. Confidentiality Notice: This electronic message and any attachments may contain confidential or privileged information, and is intended only for the individual or entity identified above as the addressee. If you are not the addressee (or the employee or agent responsible to deliver it to the addressee), or if this message has been addressed to you in error, you are hereby notified that you may not copy, forward, disclose or use any part of this message or any attachments. Please notify the sender immediately by return e-mail or telephone and delete this message from your system.