Data diode vs firewall: which boundary does OT need?
Firewalls and data diodes solve different problems. The right choice depends on whether the required data flow must be bidirectional or can be made strictly one-way.
The fundamental difference
A firewall is a bidirectional network control. It permits or denies traffic according to software rules, connection state, users, applications and inspection policies. Its strength is flexibility: authorised systems can communicate in both directions while unwanted traffic is filtered.
A data diode is a unidirectional boundary. Hardware makes one direction physically impossible. It does not decide whether an inbound packet is allowed; there is no inbound network channel through which that packet can arrive.
- Firewall: policy-enforced, configurable and bidirectional
- Data diode: hardware-enforced and unidirectional
Security assumptions and failure modes
A firewall depends on correct configuration, current software and the behaviour of every permitted service. A vulnerable allowed service, stolen credential or rule error can create an inbound path. Firewalls remain essential controls, but they manage risk rather than eliminating bidirectional connectivity.
A data diode reduces dependency on rule correctness for directionality. Middleware can fail, stop or deliver malformed business data, but it cannot create a physical reverse network path. This makes the architecture attractive for high-consequence OT boundaries.
When a firewall is the right tool
Use a firewall when the business process requires controlled two-way communication: remote administration, interactive applications, request-response APIs or command traffic. Network segmentation, allow-listing, strong authentication and monitoring should then limit the exposed surface.
- Remote support and administration
- Applications requiring responses across the boundary
- Multiple authorised bidirectional services
When a data diode is the stronger choice
Use a diode when information only needs to leave OT and inbound communication is unnecessary or prohibited. Historian replication, telemetry, production reporting and security-event export are natural candidates.
Many architectures use both technologies. Firewalls segment systems within each side, while the diode enforces the one-way trust boundary between them.
- Deterministic OT-to-IT export
- High-consequence or regulated environments
- Flows that can be redesigned as publish-only
Data diode vs firewall comparison
| Criterion | Data diode | Firewall |
|---|---|---|
| Traffic direction | Physically one-way | Bidirectional, controlled by policy |
| Enforcement | Hardware transmit-only path | Software rules, state and inspection |
| Inbound attack path | No reverse network path through the diode | Possible through permitted services or configuration errors |
| Protocol handling | Requires proxies or middleware on both sides | Can pass approved sessions directly |
| Remote administration | Not through the one-way channel | Possible when explicitly authorised |
| Operational flexibility | Lower; flow must be designed as outbound | Higher; policies can support many services |
| Typical use | Historian, telemetry, files, logs and event export | Segmentation, controlled access and bidirectional applications |
The comparison is not about declaring one technology universally better. A firewall offers the flexibility required by many operational workflows. A diode offers a stronger directional guarantee when that flexibility is unnecessary and the cost of an inbound path is too high.
Choose according to the required information flow
Begin by documenting the minimum flow, not the current network implementation. Ask whether IT genuinely needs to initiate a session into OT or whether the business only needs measurements, production records, events or files to arrive in IT. A publish-only requirement is a strong candidate for a diode.
If commands, interactive queries, remote maintenance or transaction acknowledgements must cross the boundary, a firewall-based conduit may be necessary. Reduce the exposure with protocol breakpoints, application proxies, jump hosts, allow-lists, strong authentication and monitored sessions.
- Choose a diode when the approved flow is outbound, deterministic separation is required and middleware can reconstruct delivery.
- Choose a firewall when a justified business process requires controlled two-way communication.
- Use both when internal zones need flexible segmentation but the highest-trust boundary must remain physically one-way.
What happens when controls fail?
If a firewall rule is too broad, a permitted service is vulnerable or credentials are compromised, traffic may cross in a direction that policy did not intend. Defence in depth, monitoring and rapid configuration management reduce this risk, but the underlying network interface remains capable of bidirectional communication.
If data-diode middleware fails, transfer can stop, records can queue or application data can be rejected. The physical direction does not change. The primary operational risk is loss of availability or exhausted buffering rather than creation of an inbound network session. This distinction matters when safety and consequence drive the design.
Neither device validates the complete business meaning of data by itself. Both architectures still require source governance, application security, monitoring and incident response.
How to compare the options in a proof of concept
- Demonstrate the exact source, destination, protocol and required update rate.
- Interrupt the destination and verify buffering, alarms and automated recovery.
- Attempt reverse connections and document the technical enforcement boundary.
- Test malformed records, certificate expiry and loss of network connectivity.
- Measure latency, throughput, storage retention and replay behaviour.
- Review how operators monitor health and how administrators apply changes.
- Confirm which residual risks remain outside the diode or firewall itself.
Frequently asked questions
Does a data diode replace every firewall?
No. Firewalls still segment networks and control traffic on each side of the diode.
Is a firewall with one-way rules equivalent?
No. A one-way firewall rule is software policy on bidirectional hardware; a true diode removes the physical reverse path.
Can both be used together?
Yes. Defence-in-depth designs commonly combine internal firewalls with a diode at the one-way OT-to-IT boundary.
Apply the architecture to a real industrial data flow.
Start with one source, one destination and a measurable security or operations objective.