TCP/UDP Streams

Introduction

Under normal (non-Diode) circumstances, the TCP protocol guarantees delivery and avoids data loss. But TCP handshaking and flow control require bi-directional communication between the initiating TCP Data Sender and the responding TCP Data Receiver. This bi-directional communication is not possible in MetaDefender Optical Diode because a Data Diode, by definition, implements a physically enforced one-way communication.

In this document, we explain how MetaDefender Optical Diode handles these situations and what strategies OPSWAT has implemented to minimize data loss. We also explain how to configure MetaDefender Optical Diode to perform TCP and UDP streaming.

TCP in a one-way environment

The Trusted (BLUE) side of MetaDefender Optical Diode establishes a Read TCP connection with the specified data source on the Trusted network and reads data from the data source. That data is transmitted across the fiber optic link in a proprietary non-routable packet format to the UnTrusted (RED) side of the Data Diode. The RED side of the Data Diode establishes a Write TCP connection with the specified data destination on the UnTrusted network and then streams the data from BLUE via TCP to the specified destination.

If the RED side cannot transmit data to its specified destination as quickly as the BLUE side is sending it, RED must buffer that data. If this situation persists, RED runs out of buffer space and is overrun with data. Buffer overrun results in data loss.

Several mechanisms can be implemented to reduce data loss due to buffer overrun:

  • Control of the bit rate for a TCP Stream on BLUE.
  • Control of the buffer size for a TCP Stream on RED.

These mechanisms are available via the OPSWAT MetaDefender Optical Diode Web Interfaces on both the BLUE and the RED MetaDefender Optical Diode appliances.

Bit Rate Control

A TCP Stream or a collection of TCP Streams configured for a given TCP Port connection on BLUE can be constrained to a specific bit rate. This slows down the transmission rate of data across the Diode and alleviates potential data loss due to overrun on RED.

Bit Rate Control is configured using the OPSWAT MetaDefender Optical Diode Web Interface on the BLUE side. A lower bit rate reduces data overruns, but note that the data transfer is correspondingly slower.

Buffer Size Control

All TCP data transmitted from BLUE to RED is accumulated in a buffer on RED. Each TCP Stream or a collection of TCP Streams configured for a given TCP Port connection on RED has its own buffer. Each buffer entry is a block of data, where the block ranges from one to several thousand bytes.

Buffer size is configured using the OPSWAT MetaDefender Optical Diode Web Interface on the RED side. The default size of the buffer is 5000 entries, and each entry holds from 1 to 9000 bytes. A larger buffer reduces data overruns on the RED side, but note that it consumes system memory as well.

Prerequisites

A security dongle must be inserted in the appliance whose configuration you want to change, RED or BLUE.

Before you configure any transfer parameters:

  • Ensure MetaDefender Optical Diode BLUE and MetaDefender Optical Diode RED network addresses are configured.
  • Ensure the current license and personality are uploaded.

Streams must be configured on both sides, BLUE and RED. Each side has its own management UI.

BLUE side configuration

Go to the management UI and enter your username and password to log in.

Click the Streams link, then click the Action button to open the Action menu and select Add Stream.

Complete the following:

  • Channel: choose a channel number. The same channel number must be configured on the RED side.
  • Type: type of stream being tracked. In MetaDefender Optical Diode, Unilateral is the only option available.
  • Name: name of the stream.
  • Protocol: select TCP or UDP depending on the stream you want to create.
  • Source port: port number on the source IP.
  • Source addresses: IP address(es) in the BLUE zone where the stream originates. If you enter more than one address, separate the addresses with a semicolon.
  • Enabled: checkbox to enable or disable the stream.
  • Max Sessions: maximum number of sessions for the stream.
  • Bitrate: maximum bit rate the BLUE side will send for this stream. Tune this value to avoid overloading the RED side. For more details, please read TCP Streaming with MetaDefender Optical Diode.
  • Description: user-friendly description.

After filling in the fields, click the Submit button to save the configuration.

RED side configuration

Go to the management UI and enter your username and password to log in.

Click the Streams link, then click the Action button to open the Action menu and select Add Stream.

Complete the following:

  • Channel: choose a channel number. The same channel number must be configured on the BLUE side.
  • Type: type of stream being tracked. In MetaDefender Optical Diode, Unilateral is the only option available.
  • Name: name of the stream.
  • Protocol: select TCP or UDP depending on the stream you want to create. It must match the protocol configured on the BLUE side.
  • Destination port: port number on the destination IP.
  • Destination address: IP address in the RED zone where the stream terminates. You can enter only one address.
  • Terminate on Failure: this checkbox controls what happens in the event of a data overrun. When the box is checked, the relevant connection on RED is closed, all data buffers are discarded and a new connection is re-opened to allow for synchronization recovery. If left unchecked, the relevant connection remains intact and communication continues after the data buffers have been discarded.
  • Max Buffer Items: the number of buffer items queued on RED. For high-speed streams, a larger buffer is preferred to avoid data overruns. Note that buffered data consumes memory. For more details, please read TCP Streaming with MetaDefender Optical Diode.
  • Enabled: checkbox to enable or disable the stream.
  • Description: user-friendly description.

After filling in the fields, click the Submit button to save the configuration.
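The overrun behaviour described under Buffer Size Control and by the Terminate on Failure and Max Buffer Items settings above, as an added simulation that is not OPSWAT's code: it models one RED stream buffer fed at the BLUE Bitrate and drained at the destination's rate, counts overruns and reconnects, and adds a sizing check for how long a sustained rate mismatch can last before the buffer fills. Assumptions (mine): fixed-size blocks, one block per buffer entry, constant rates on both sides, and the block arriving during an overrun is lost along with the discarded buffer.

```python
from dataclasses import dataclass, field

@dataclass
class RedStreamBuffer:
    """Per-stream buffer on RED ('Max Buffer Items' entries); there is no back-pressure to BLUE."""
    max_buffer_items: int
    terminate_on_failure: bool
    queued: list = field(default_factory=list)
    overruns: int = 0
    dropped: int = 0
    reconnects: int = 0

    def receive(self, block: bytes) -> None:
        # Full buffer on arrival = overrun: queued data is discarded (per the doc); the arriving block is lost too (my assumption).
        if len(self.queued) >= self.max_buffer_items:
            self.overruns += 1
            self.dropped += len(self.queued) + 1
            self.queued.clear()
            if self.terminate_on_failure:  # close the Write TCP connection and reopen it
                self.reconnects += 1
            return
        self.queued.append(block)

    def drain(self, n_blocks: int) -> int:
        written = min(n_blocks, len(self.queued))  # destination accepts up to n_blocks
        del self.queued[:written]
        return written

def simulate(blue_bps: int, dest_bps: int, block_bytes: int,
             max_buffer_items: int, terminate_on_failure: bool, seconds: int) -> dict:
    """One tick = one block pushed at the BLUE Bitrate; drain credit is kept in integers."""
    in_blocks = blue_bps // (8 * block_bytes)   # blocks/s arriving from BLUE
    out_blocks = dest_bps // (8 * block_bytes)  # blocks/s the destination can take
    buf = RedStreamBuffer(max_buffer_items, terminate_on_failure)
    delivered, credit = 0, 0
    for _ in range(seconds * in_blocks):
        buf.receive(b"\x00" * block_bytes)      # constructed payload block
        credit += out_blocks
        n, credit = divmod(credit, in_blocks)   # whole blocks the destination takes now
        delivered += buf.drain(n)
    return {"received": seconds * in_blocks, "delivered": delivered, "dropped": buf.dropped,
            "overruns": buf.overruns, "reconnects": buf.reconnects, "queued": len(buf.queued)}

def seconds_until_overrun(blue_bps: float, dest_bps: float,
                          block_bytes: int, max_buffer_items: int) -> float:
    """Sizing check: how long a sustained rate mismatch takes to fill the RED buffer."""
    surplus_bytes_per_s = (blue_bps - dest_bps) / 8
    if surplus_bytes_per_s <= 0:
        return float("inf")
    return max_buffer_items * block_bytes / surplus_bytes_per_s
```

With the documented default of 5000 entries and an assumed 1500-byte block, a 100 Mb/s stream whose destination drains only 80 Mb/s fills the buffer in 3 seconds, which is the figure to compare against the BLUE Bitrate setting when tuning.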

Modify a stream

In the Streams section, click the stream you want to modify; the Edit Stream menu is displayed. Modify the stream and click Submit to save the changes.
