
I have a high security network that needs to send data to a less secure network.

The connection must be physically unable to send data from the low security network to the high security network.

I would like to achieve this via a modified Ethernet cable. The cable has only one TX+ to RX+ (pin 1 to 3) and one TX- to RX- (pin 2 to 6) connected. Both the sending and receiving PCs are running Ubuntu.

So far I have tested setting the cards to Full-Duplex Speed 100 and added an entry in the arp table of the sender for the receiver's mac address.

Accordingly, it fails. tcpdump shows no packets leaving the sending machine.

Is there anything else I can do or is there a mistake in the set-up?

  • That's usually done with a firewall.
    – Gerald Schneider
    Nov 21 at 7:31
  • @GeraldSchneider: for this application I need to guarantee no possible return communication. A data diode is one possible option, but I was hoping to find a cheaper alternative.
    – Marked
    Nov 21 at 8:06
  • You need to loop TX back to RX on the sending side. Otherwise you won't get link and the card won't transmit. I can write a more complete answer later today.
    – vidarlo
    Nov 21 at 8:17
  • "A unidirectional network (also referred to as a unidirectional gateway or data diode) is a network appliance or device that allows data to travel in only one direction." So, a firewall.
    Nov 21 at 8:23
  • "The connection must be physically unable to send data from the low security network to the high security network." It's called a portable mass storage device.
    – Greg Askew
    Nov 21 at 13:00

2 Answers

For this to work, both devices need to have RX connected.

[wiring diagram, alt text: Sender]

Sender is on the left, receiver is on the right. This way, both sides will see link. Note that this is out of spec, as you have more load than normal, so it's recommended to use short cables and good quality NICs, and a point-to-point connection rather than a connection to a switch.

For a NIC to sense link on a 100Mb Full Duplex link, it doesn't need the TX pairs connected, only RX pairs. Furthermore, it will happily accept itself as partner. Thus, both partners will have link.

This can even be exploited into making a passive Ethernet tap, by simply connecting the TX pair to RX on a card to sniff traffic without chance of sending traffic.


Short answer: no. TCP is a bidirectional protocol, the sender sends SYN to wake up the receiver and expects ACK-SYN back to say the receiver is awake before it will send anything. Hardware may sense no carrier on the cut lines and not bother to send the initial SYN.

As Gerald Schneider pointed out in a comment, the simplest way to make this work is with a hardware firewall.

  • Is this still the case if UDP is used? My understanding was that UDP does not require bidirectional communication.
    – Marked
    Nov 21 at 8:08
  • Has to be a guess, but given that you're seeing no packets outbound, I'd have to say that your hardware, not having an RX line, is not seeing carrier from the other card, assuming no cable connection, and so is not sending anything. You're correct, though, that if you could fake a carrier, likely UDP would transit OK.
    – tsc_chazz
    Nov 21 at 8:12
  • That was my conclusion as well. The other test would be to use a switch and try to broadcast it, with the modified cable connected from the switch to the receiving NIC.
    – Marked
    Nov 21 at 8:16
  • You'd still run into the same problem. The switch, not seeing carrier from the chopped cable, would not send data out the port. Even a hub would likely not send data to an effectively empty socket.
    – tsc_chazz
    Nov 21 at 8:21
  • Yes, you're right.
    – Marked
    Nov 21 at 9:24
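The comments above conclude that once link is up, UDP can cross the cut cable because it never waits for a reply. What that leaves the receiver without is any way to ask for a retransmission, so the sender has to make loss and corruption detectable on its own. The following is an added example (not code from either answer or any commenter): a small framing layer with a sequence number and CRC per datagram, plus the receiver-side gap bookkeeping. It assumes the asker's setup (static ARP entry for the receiver on the sender, since ARP replies cannot return) and the constructed address 10.0.0.2:5000 for the receiver.

```python
import socket
import struct
import zlib

MAGIC = b"DIOD"
# Header: magic, 32-bit sequence number, 16-bit payload length, CRC32 of payload.
HDR = struct.Struct("!4sIHI")


def build_frame(seq: int, payload: bytes) -> bytes:
    """Wrap one chunk so the receiver can detect loss (seq) and corruption (crc)."""
    return HDR.pack(MAGIC, seq, len(payload), zlib.crc32(payload)) + payload


def parse_frame(data: bytes):
    """Return (seq, payload), or None if the datagram is not a valid, intact frame."""
    if len(data) < HDR.size:
        return None
    magic, seq, length, crc = HDR.unpack_from(data)
    payload = data[HDR.size:]
    if magic != MAGIC or len(payload) != length or zlib.crc32(payload) != crc:
        return None
    return seq, payload


class GapTracker:
    """Receiver-side bookkeeping: with no return path, all it can do is record what was missed."""

    def __init__(self):
        self.expected = 0   # next sequence number we expect to see
        self.missing = []   # sequence numbers that never arrived (or arrived corrupted)

    def accept(self, seq: int) -> bool:
        if seq < self.expected:
            return False    # duplicate or late datagram; ignore it
        self.missing.extend(range(self.expected, seq))
        self.expected = seq + 1
        return True


def send_chunks(chunks, dst=("10.0.0.2", 5000)):
    """Fire-and-forget sender: one datagram per chunk, nothing is ever read back."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        for seq, chunk in enumerate(chunks):
            sock.sendto(build_frame(seq, chunk), dst)


def receive_chunks(count, bind=("10.0.0.2", 5000), tracker=None):
    """Receiver loop: validates each frame and feeds its sequence number to the tracker."""
    tracker = tracker or GapTracker()
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.bind(bind)
        for _ in range(count):
            parsed = parse_frame(sock.recv(65535))
            if parsed and tracker.accept(parsed[0]):
                yield parsed[1]
```

Because `parse_frame` drops corrupted datagrams, a corrupted sequence number simply shows up as a gap in `tracker.missing`, which is the only signal the high side will ever get about it.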
