Protecting Networks with Intelligent Diodes


  • Jason Dahlstrom
  • Stephen Taylor



data diode, google analytics, condition based maintenance, FPGA, cloud connectivity, data leak prevention


This paper explores the utility, practical nuances, performance characteristics, and attendant security risks of intelligent Diodes -- network appliances that regulate traffic flow by validating formats and mission payloads within the security perimeter afforded by a single Field Programmable Gate Array (FPGA). Diodes occupy the middle ground between networks that are fully air-gapped -- i.e., completely disconnected from the Internet -- and those that are fully connected but require complex boundary defenses and security administration. As such, they provide an all-hardware, real-time alternative for protecting military vehicles and sensitive networks. Diodes are particularly useful in four core settings: when industrial plants need to be connected to cloud analytic services, such as Google Analytics, for the purpose of process optimization; for supporting the lifecycle of military vehicles through Condition-based Maintenance; for preventing information bleed when sensor feeds must be consumed inside sensitive networks; and finally, for the reliable distributed replication of large files and databases. The devices may operate directly on protocol-specific traffic headers to dispatch or block traffic. Alternatively, they may be customized to validate file and traffic formats. This is achieved using an automated circuit design workflow that builds a hardware parsing plugin from a formal grammar and embeds it into the FPGA, resulting in custom hardware that intelligently operates on mission-specific data.
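The parse-and-forward behaviour described above, as an added software model that is not the paper's code or its FPGA plugin workflow: a recursive-descent recognizer for a constructed (hypothetical) telemetry record grammar that forwards a frame only when every byte is consumed by the grammar, and drops anything else while reporting the offset of the first violation.

```python
import binascii
# Constructed telemetry grammar (hypothetical, not the paper's format); HEX{4} is the
# CRC-16 (binascii.crc_hqx) of every byte before it, written as uppercase hex:
#   record := "TLM|" UPPER{2} DIGIT{3} "|" "-"? DIGIT{1,12} ("." DIGIT{1,6})? "|" HEX{4} "\n"
DIGIT, HEX, UPPER = b"0123456789", b"0123456789ABCDEF", b"ABCDEFGHIJKLMNOPQRSTUVWXYZ"

class Reject(Exception): pass                     # raised at the first non-conforming byte

class DiodeParser:                                # strict recognizer: whole frame or nothing
    def __init__(self, data: bytes):
        self.d, self.i = data, 0
    def lit(self, s: bytes):                      # terminal: exact byte string
        if self.d[self.i:self.i + len(s)] != s:
            raise Reject(f"offset {self.i}: expected {s!r}")
        self.i += len(s)
    def run(self, allowed: bytes, lo: int, hi: int) -> bytes:   # lo..hi bytes from a set
        start = self.i
        while self.i - start < hi and self.i < len(self.d) and self.d[self.i] in allowed:
            self.i += 1
        if self.i - start < lo:
            raise Reject(f"offset {self.i}: expected {lo}-{hi} of {allowed!r}")
        return self.d[start:self.i]
    def record(self):
        self.lit(b"TLM|")
        self.run(UPPER, 2, 2)
        self.run(DIGIT, 3, 3)
        self.lit(b"|")
        self.run(b"-", 0, 1)                      # optional sign
        self.run(DIGIT, 1, 12)
        if self.run(b".", 0, 1):                  # optional fraction
            self.run(DIGIT, 1, 6)
        self.lit(b"|")
        body = self.d[:self.i]                    # bytes covered by the CRC
        crc = self.run(HEX, 4, 4)
        self.lit(b"\n")
        if self.i != len(self.d):                 # nothing may follow the record
            raise Reject(f"offset {self.i}: trailing bytes")
        if int(crc, 16) != binascii.crc_hqx(body, 0):
            raise Reject("crc mismatch")

def diode_forward(frame: bytes):                  # (True, "ok") or (False, reason)
    try:
        DiodeParser(frame).record()
        return True, "ok"
    except Reject as e:
        return False, str(e)

def make_frame(sensor_id: str, reading: str) -> bytes:   # sender side, for demonstration
    body = f"TLM|{sensor_id}|{reading}|".encode()
    return body + f"{binascii.crc_hqx(body, 0):04X}\n".encode()
```

Anything not derivable from the grammar is dropped, which is the allow-list stance a format-validating Diode takes; a hardware plugin generated from the grammar would make the same decision on the same bytes.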