<img height="1" width="1" style="display:none;" alt="" src="https://px.ads.linkedin.com/collect/?pid=2975524&amp;fmt=gif">

Visibility Solutions

Garland Technology is committed to educating the benefits of having a strong foundation of network visibility and access. By providing this insight we protect the security of data across your network and beyond.


Garland Technology's resource library offers free use of white papers, eBooks, use cases, infographics, data sheets, video demos and more.


The TAP into Technology blog provides the latest news and insights on network access and visibility, including: network security, network monitoring and appliance connectivity and guest blogs from Industry experts and technology partners


Our extensive technology partnership ecosystem solves critical problems when it comes to network security, monitoring, application analysis, forensics and packet inspection.


Garland Technology is dedicated to high standards in quality and reliability, while delivering the greatest economical solutions for enterprise, service providers, and government agencies worldwide.


Whether you are ready to make a network TAP your foundation of visibility or just have questions, please contact us. Ask us about the Garland Difference!

Firewalls vs. Data Diode — Why OT Security Teams Turn to Data Diode TAPs

Air gaps and segmentation are common concepts to secure OT networks, with the goal of minimizing the harm of a breach and threats by isolating it to a limited part of the network. Unless an attacker obtains physical access to an air-gapped computer network, they can’t be breached.

With that said, air-gapped networks are difficult to deal with in practice. The headaches that come from maintenance alone make true air-gapped networks impractical for all but the most sensitive applications. Therefore, network engineers will most often make do with software solutions that approximate air gaps—such as firewalls and data diodes.

Firewalls have been a benchmark information security tool for decades, which means that most network engineers are likely familiar with and use them. While data diodes have also been used for decades, their implementation has previously been confined to high-security facilities. They’ve only recently begun to gain popularity in private and OT networks.

While firewalls have long been the bedrock for segmenting networks—there is a use case for firewalls and data diodes, even deploying both within the same network. Along with the Data Diode TAP variation, we want to review what the differences are and how you may use them.

What’s the Difference Between a Data Diode and a Firewall?

Firewalls are a good information security tool and a staple for securing the network. A firewall is a barrier system or ‘gatekeeper’ designed to stop, filter, or redirect traffic between external and internal networks based on decisions from a built-in policy engine.

For example, certain kinds of traffic coming into the network—such as traffic from known phishing sites or botnets—may be blocked automatically. Other kinds of traffic, such as email, will be diverted through inline security tools and scanned for malware.

Because firewalls are software-based and rely on policies, attackers can sometimes take advantage of mistakes in a firewall’s configuration in order to get around it. Alternatively, attackers might take advantage of existing vulnerabilities in the firewall itself, allowing them to literally take over the firewall and then admit whatever traffic they need. Lastly, some forms of DDoS attacks can overload the firewall and then take down the network with it, causing hours of costly unplanned downtime.

Data diodes are also a security barrier system, but one that enforces a physical separation between network segments using one-way data transfer protocols, designed to eliminate back door attacks or breaches.

In contrast to firewalls, data diodes are theoretically non-software based, physically forcing unidirectional traffic using hardware-based security mechanisms – allowing data to flow in one direction, stopping potential attackers from accessing network traffic.

Because data diodes aren’t policy-based, there aren't any configuration errors for attackers to exploit. Data diodes are thought of as not relying on ‘intelligent software’ processing, though they use software to convert traffic protocols from bidirectional to unidirectional. And data diodes don't allow external traffic, so they can’t be affected by DDoS attacks.

A data diode is a relatively simple device, but because of its simplicity, it creates the next best thing to a physical air gap, one that’s literally impossible to breach from the outside.

The primary difference between data diodes and firewall use cases – are data diodes provide a physical and electrical separation layer, designed to pass one-way traffic between segments to eliminate attack risks. Where firewalls provide configurable code and policy designed to stop or reroute flagged traffic from getting into the network.

Data Diode

What’s the Difference Between a Data Diode and a Data Diode TAP?

There are two different use cases at play, both based on the same concept. The typical data diode passes unidirectional traffic between network segments, like between the operations and enterprise levels. Where Data Diode TAPs typically send unidirectional ‘copies’ of the traffic to security monitoring tools.

The key difference here is network TAP technology. While typical data diodes are a secure pass-through device, network TAPs provide a complete full-duplex copy of network traffic, passing all information including physical level errors. This is specifically used for continuous out-of-band monitoring and analysis, which needs packet visibility to properly inventory and secure the network.

A Data Diode TAP creates an exact copy of both sides of the traffic flow, continuously 24/7/365, and does not drop packets, introduce delay, or alter the data. They are either passive or “failsafe,” meaning traffic continues to flow between network devices if power is lost or a monitoring tool is removed, ensuring the TAP isn’t a single point of failure. Data Diode TAPs offer the same high-quality visibility as Network TAPs, with the added security that the out-of-band traffic is one-way and does not find its way back to the network.

Additional differences include:

  • Typical data diodes utilize software to convert traffic protocols from bidirectional to unidirectional. Some even offer data diodes that blur the lines between a firewall and a unidirectional data transfer, with ‘intelligence' software-based features and functions with IP/MAC/NIC interfaces that can be open to vulnerabilities.
  • Data Diode TAPs are purpose-built ‘unintelligent’ hardware devices, whose circuitry physically doesn’t have the monitoring ports connected back to the network, rendering bidirectional traffic impossible and ensuring security tools or destinations are isolated from the network segment. They are non-IP, non-MAC type and cannot be hacked.

Which Data Diode TAP works best for your OT Security Tool?

There is no silver bullet in cybersecurity. Best practices consist of various tools, frameworks, and protocols all with the purpose of a safe and secure network. Data Diode TAPs are just one of the components used to build a secure network architecture. Garland Technology provides three kinds of data diode, all designed to secure your OT Security traffic from attack.

Data Diode Network TAP
Data Diode Network TAPs are hardware devices designed to provide unidirectional full-duplex copies of network traffic so security and monitoring tools are able to function at peak performance. It’s ideal for uses such as non-intrusively monitoring and is often used when legacy OT network switches do not have SPAN availability or when your security tools cannot tolerate dropped packets.

Data Diode SPAN TAP
Data Diodes SPAN TAPs are purpose-built hardware devices that enforce one-way data flow for SPAN links with physical hardware separation, guaranteeing protection of critical digital systems, such as industrial control systems (ICS), from inbound cyber threats. These are ideal for situations where SPAN links must be used.

AggregatorTAP: Data Diode
AggregatorTAP Data Diodes also send one-way traffic to monitoring tools, but its advantage is that it can aggregate up to 4 TAP links or 8 SPAN ports into either one or two monitoring ports, allowing for faster monitoring throughput. These are often used when distributed networks must send various TAP or SPAN links to a central security sensor.

Looking to add Data Diode TAP visibility to your OT Security deployment, but not sure where to start? Join us for a brief network Design-IT evaluation or demo. No obligation - it’s what we love to do.

Unidirectional Data Diodes

Written by Kumar Rajaram

Kumar Rajaram is the Regional Director for APAC at Garland Technology in Australia. Kumar is passionate towards solving network visibility problems to customers across Asia Pacific.



Sign Up for Blog Updates