Design for a TCP/IP transparent FPGA-based network diode

To what extent is it possible to implement a network diode on an FPGA under realistic network environments, using the Transmission Control Protocol?


Abstract

The demand for high-security products for industrial networks is increasing as malicious actors improve their tooling. A common practice for a company to protect its sensitive data is network segmentation: the network is divided into domains with distinct security levels, and the sensitive data is stored and managed within the domain of the highest security level. To reach this domain from a domain of a lower security level, a highly reliable connection is required, with full control over the incoming and outgoing data flow between the segments. A variety of solutions provide a highly secured link between such segments, differing in their range of features and degree of control. An upcoming trend is the network diode, a device that allows data to flow in only one direction and blocks every flow in the opposite direction. However, to support an arbitrary flow between two network segments, the diode would need a large number of properties. To narrow down the features a network diode should provide, this thesis focuses on TCP streams. TCP is one of the most common protocols in internet traffic. It is also a challenging protocol: it is connection-oriented and bidirectional, which is intrinsically at odds with the concept of a data diode. To ensure the security of the data diode, this thesis focuses on a complete hardware design, since software inside the data diode remains a risk for a security breach. This thesis investigates the critical operations of TCP in order to implement them in the data diode. The aim is to utilise TCP's characteristic operations, namely acknowledgement management, the sliding window, and the congestion control algorithm, and to explore the advantages of existing TCP options.
To evaluate the feasibility of a high-performance data diode featuring TCP, the system is broken down to project the behaviour of a TCP stream onto a one-way connection device. This results in two separate TCP connections, with only the transported data itself as shared information between them. This model requires a buffer at one side of the diode to transmit the data in a TCP stream. To analyse the influence of the diode configuration on the size of this buffer, a diode module is created and simulated in an OMNeT++ environment. From this simulation, a minimal set of parameters essential to configuring the data diode is extracted. Under the assumption that the network at the trusted side of the diode is managed, a configuration without a congestion control algorithm and without adding radical TCP options is recommended to minimise the required buffer size. Thereafter, this thesis proposes a high-level hardware design to implement the data diode on an FPGA. The design focuses on the high data rate required to satisfy the data diode's requirements. Finally, this thesis concludes with an elaboration on the assumed limitations of the network environments and recommends features to implement in future work.
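The model the abstract describes (two independent TCP connections, a one-way link between them carrying only data, and a buffer on the sending side of the diode whose size depends on the configuration) can be sketched in a few dozen lines. The following is an added illustration, not the thesis's OMNeT++ module or any code from the project: it advances time in whole egress round trips, assumes a fixed delivery rate over the one-way link, a fixed receiver window, no loss, and a textbook slow-start ramp when congestion control is enabled. All segment counts and the 1460-byte MSS are constructed values.

```python
"""Discrete-time model of the egress-side buffer in a TCP-terminating data diode.

Constructed illustration (not the thesis's OMNeT++ model). The diode terminates
the sender's TCP connection on its ingress half, forwards only payload bytes over
the internal one-way link, and re-originates a second TCP connection on its
egress half. No acknowledgement can cross the one-way link, so the egress half
must buffer every byte until the far-end receiver acknowledges it. Time advances
in units of one egress round-trip time (RTT); segment loss is not modelled.
"""
from dataclasses import dataclass, field


@dataclass
class EgressModel:
    mss: int = 1460                      # bytes per segment (assumed)
    rwnd_segments: int = 64              # receiver's advertised window, in segments (assumed)
    ingress_segments_per_rtt: int = 20   # payload the one-way link delivers per RTT (assumed)
    congestion_control: bool = True      # True: slow start from 1 MSS; False: use rwnd directly
    cwnd: int = field(init=False)
    rwnd: int = field(init=False)
    ingress: int = field(init=False)
    unsent: int = 0                      # buffered bytes not yet transmitted
    in_flight: int = 0                   # transmitted bytes still awaiting an ACK (still buffered)
    history: list = field(default_factory=list)  # buffer occupancy after each RTT

    def __post_init__(self) -> None:
        self.rwnd = self.rwnd_segments * self.mss
        self.ingress = self.ingress_segments_per_rtt * self.mss
        self.cwnd = self.mss if self.congestion_control else self.rwnd

    def step(self) -> int:
        """Advance one RTT; return buffer occupancy (unsent + in-flight) afterwards."""
        # 1. ACKs for the previous RTT's data arrive: free those bytes; in slow start
        #    the congestion window grows by the amount acknowledged (doubling per RTT).
        acked, self.in_flight = self.in_flight, 0
        if self.congestion_control:
            self.cwnd = min(self.cwnd + acked, self.rwnd)
        # 2. The one-way link delivers another RTT's worth of payload. The egress half
        #    cannot push back across the diode, so the bytes must be accepted.
        self.unsent += self.ingress
        # 3. Transmit as much as the effective window allows.
        send = min(self.cwnd, self.rwnd, self.unsent)
        self.unsent -= send
        self.in_flight += send
        occupancy = self.unsent + self.in_flight
        self.history.append(occupancy)
        return occupancy

    def run(self, rtts: int) -> int:
        """Simulate `rtts` round trips; return the peak buffer occupancy in bytes."""
        for _ in range(rtts):
            self.step()
        return max(self.history)


def peak_buffer(congestion_control: bool, ingress_segments_per_rtt: int = 20,
                rwnd_segments: int = 64, rtts: int = 20) -> int:
    """Peak egress-buffer occupancy in bytes for one diode configuration."""
    return EgressModel(congestion_control=congestion_control,
                       ingress_segments_per_rtt=ingress_segments_per_rtt,
                       rwnd_segments=rwnd_segments).run(rtts)


if __name__ == "__main__":
    for cc in (False, True):
        m = EgressModel(congestion_control=cc)
        m.run(12)
        print(f"congestion control={cc!s:5} peak={max(m.history):7d} B  "
              f"occupancy per RTT (segments)={[b // m.mss for b in m.history]}")
    # An ingress rate above the egress window makes the buffer grow without bound,
    # which is why the rate on the trusted side of the diode has to be managed.
    print("overload peak after 10 RTTs:",
          peak_buffer(False, ingress_segments_per_rtt=80, rtts=10), "B")
```

With the constructed numbers, the configuration without congestion control settles at one RTT of ingress data (20 segments) in the buffer, whereas the slow-start ramp lets 89 segments pile up before the egress window catches up, which is the qualitative effect behind the abstract's recommendation. The overload case shows the other half of that recommendation: if the one-way link delivers more per RTT than the egress window can carry, no finite buffer suffices, so the ingress rate must be bounded by network management on the trusted side.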