ARCHITECTURE COMPARISON

Data diode vs firewall: which boundary does OT need?

Firewalls and data diodes solve different problems. The right choice depends on whether the required data flow must be bidirectional or can be made strictly one-way.

The fundamental difference

A firewall is a bidirectional network control. It permits or denies traffic according to software rules, connection state, users, applications and inspection policies. Its strength is flexibility: authorised systems can communicate in both directions while unwanted traffic is filtered.

A data diode is a unidirectional boundary. Hardware makes one direction physically impossible. It does not decide whether an inbound packet is allowed; there is no inbound network channel through which that packet can arrive.

  • Firewall: policy-enforced, configurable and bidirectional
  • Data diode: hardware-enforced and unidirectional

Security assumptions and failure modes

A firewall depends on correct configuration, current software and the behaviour of every permitted service. A vulnerable allowed service, stolen credential or rule error can create an inbound path. Firewalls remain essential controls, but they manage risk rather than eliminating bidirectional connectivity.

A data diode reduces dependency on rule correctness for directionality. Middleware can fail, stop or deliver malformed business data, but it cannot create a physical reverse network path. This makes the architecture attractive for high-consequence OT boundaries.

When a firewall is the right tool

Use a firewall when the business process requires controlled two-way communication: remote administration, interactive applications, request-response APIs or command traffic. Network segmentation, allow-listing, strong authentication and monitoring should then limit the exposed surface.

  • Remote support and administration
  • Applications requiring responses across the boundary
  • Multiple authorised bidirectional services

When a data diode is the stronger choice

Use a diode when information only needs to leave OT and inbound communication is unnecessary or prohibited. Historian replication, telemetry, production reporting and security-event export are natural candidates.

Many architectures use both technologies. Firewalls segment systems within each side, while the diode enforces the one-way trust boundary between them.

  • Deterministic OT-to-IT export
  • High-consequence or regulated environments
  • Flows that can be redesigned as publish-only

SIDE-BY-SIDE

Data diode vs firewall comparison

Criterion Data diode Firewall
Traffic direction Physically one-way Bidirectional, controlled by policy
Enforcement Hardware transmit-only path Software rules, state and inspection
Inbound attack path No reverse network path through the diode Possible through permitted services or configuration errors
Protocol handling Requires proxies or middleware on both sides Can pass approved sessions directly
Remote administration Not through the one-way channel Possible when explicitly authorised
Operational flexibility Lower; flow must be designed as outbound Higher; policies can support many services
Typical use Historian, telemetry, files, logs and event export Segmentation, controlled access and bidirectional applications

The comparison is not about declaring one technology universally better. A firewall offers the flexibility required by many operational workflows. A diode offers a stronger directional guarantee when that flexibility is unnecessary and the cost of an inbound path is too high.

DECISION PROCESS

Choose according to the required information flow

Begin by documenting the minimum flow, not the current network implementation. Ask whether IT genuinely needs to initiate a session into OT or whether the business only needs measurements, production records, events or files to arrive in IT. A publish-only requirement is a strong candidate for a diode.

If commands, interactive queries, remote maintenance or transaction acknowledgements must cross the boundary, a firewall-based conduit may be necessary. Reduce the exposure with protocol breakpoints, application proxies, jump hosts, allow-lists, strong authentication and monitored sessions.

  • Choose a diode when the approved flow is outbound, deterministic separation is required and middleware can reconstruct delivery.
  • Choose a firewall when a justified business process requires controlled two-way communication.
  • Use both when internal zones need flexible segmentation but the highest-trust boundary must remain physically one-way.
FAILURE SCENARIOS

What happens when controls fail?

If a firewall rule is too broad, a permitted service is vulnerable or credentials are compromised, traffic may cross in a direction that policy did not intend. Defence in depth, monitoring and rapid configuration management reduce this risk, but the underlying network interface remains capable of bidirectional communication.

If data-diode middleware fails, transfer can stop, records can queue or application data can be rejected. The physical direction does not change. The primary operational risk is loss of availability or exhausted buffering rather than creation of an inbound network session. This distinction matters when safety and consequence drive the design.

Neither device validates the complete business meaning of data by itself. Both architectures still require source governance, application security, monitoring and incident response.

POC CHECKLIST

How to compare the options in a proof of concept

  • Demonstrate the exact source, destination, protocol and required update rate.
  • Interrupt the destination and verify buffering, alarms and automated recovery.
  • Attempt reverse connections and document the technical enforcement boundary.
  • Test malformed records, certificate expiry and loss of network connectivity.
  • Measure latency, throughput, storage retention and replay behaviour.
  • Review how operators monitor health and how administrators apply changes.
  • Confirm which residual risks remain outside the diode or firewall itself.
FAQ

Frequently asked questions

Does a data diode replace every firewall?

No. Firewalls still segment networks and control traffic on each side of the diode.

Is a firewall with one-way rules equivalent?

No. A one-way firewall rule is software policy on bidirectional hardware; a true diode removes the physical reverse path.

Can both be used together?

Yes. Defence-in-depth designs commonly combine internal firewalls with a diode at the one-way OT-to-IT boundary.

NEXT STEP

Apply the architecture to a real industrial data flow.

Start with one source, one destination and a measurable security or operations objective.