Air-Gap Security and Data Diodes: Controlled Data Transfer Between Isolated Networks

Retool's new app builder is where AI-generated code ships safely
Building apps with AI is easy. Getting them to production safely is another story.
Air-gapped networks achieve network isolation by eliminating all network connectivity — no internet, no corporate network, no wireless. The isolation is the security control. The challenge: air-gapped networks still require data movement. Industrial control systems need software updates and signature file updates. Air-gapped environments need to export logs to a security operations center that is not air-gapped. Classified networks need to receive data from lower-classification networks.
Every path that allows data into or out of the air-gapped network is a potential attack vector. The history of air-gap attacks shows that attackers reliably find and exploit these paths. Data diodes (unidirectional security gateways) provide a hardware-enforced solution: data physically can only flow in one direction because the hardware is incapable of bidirectional transmission.
Air-gap attack vectors: how isolated networks get compromised
Understanding how air-gapped networks are breached informs the controls needed to defend them.
Subscribe to unlock Remediation & Mitigation steps
Free subscribers unlock full IOC lists, Sigma detection rules, remediation steps, and every daily briefing.
Data diodes: hardware-enforced unidirectional transfer
A data diode is a cybersecurity hardware device that enforces one-way data flow at the physical layer. The most common implementation uses fiber optic hardware: a transmit-only fiber optic transceiver on the sending side and a receive-only transceiver on the receiving side with no transmit capability — making it physically impossible for any data to flow from the receiving network back to the sending network.
Subscribe to unlock Remediation & Mitigation steps
Free subscribers unlock full IOC lists, Sigma detection rules, remediation steps, and every daily briefing.
Briefings like this, every morning before 9am.
Threat intel, active CVEs, and campaign alerts, distilled for practitioners. 50,000+ subscribers. No noise.
Cross-domain solutions (CDS): bidirectional with content inspection
Data diodes enforce strict one-way transfer. Cross-domain solutions (CDS) allow bidirectional transfer between networks of different classification levels but subject all content to inspection and filtering by a guard system that enforces transfer policies — only approved data types, verified against policy, are allowed to cross.
Subscribe to unlock Remediation & Mitigation steps
Free subscribers unlock full IOC lists, Sigma detection rules, remediation steps, and every daily briefing.
USB control procedures for air-gapped environments
For environments where data diodes are not deployed or where ad hoc media transfer is operationally necessary, USB and removable media procedures are the primary air-gap protection control.
Subscribe to unlock Remediation & Mitigation steps
Free subscribers unlock full IOC lists, Sigma detection rules, remediation steps, and every daily briefing.
The bottom line
Air-gapped networks provide strong isolation but every data transfer path is an attack surface. Data diodes hardware-enforce one-way transfer for log export, telemetry collection, and update delivery — eliminating the bidirectional attack path that traditional network connections create. For environments requiring bidirectional transfer between different security domains, cross-domain solutions with content inspection policy provide controlled data movement with inspection enforcement. For environments where neither is deployed, USB scanning stations and write-once media procedures reduce but do not eliminate the risk of air-gap bridging attacks.
Frequently asked questions
Are data diodes appropriate for most enterprises, or just government and critical infrastructure?
Data diodes are most commonly used in government/defense, industrial control systems, and critical infrastructure because those environments have formal air-gap requirements. Most commercial enterprises do not operate truly air-gapped networks — they manage network segmentation with firewalls rather than physical isolation. However, data diodes are increasingly used in commercial environments for specific high-value one-way flows: exporting logs from a PCI cardholder data environment to a SIEM without creating a bidirectional connection, transferring financial transaction data from trading systems to analysis infrastructure, and protecting manufacturing floor OT systems from IT network threats. If your environment has a segment that should only send data out and never receive connections from outside, a data diode is the right control.
Can malware survive a data diode transfer?
A data diode enforces network isolation but does not inspect content — a malware-infected file transferred through a data diode arrives on the receiving network intact. The data diode prevents network-layer attack paths back to the sending network but does not prevent malware delivered through the allowed data flow. Content that traverses a data diode should be scanned for malware before being processed on the receiving end. The diode's value is preventing the attacker from establishing network connectivity back through the diode, not preventing malware delivery through the diode's intended data channel.
What protocols work over data diodes?
Because data diodes prevent TCP's acknowledgment (ACK) packets from returning to the sender, standard TCP-based protocols (FTP, SFTP, HTTP) do not work natively across a data diode. Data diode vendors provide proxy software that converts TCP-based applications to UDP (which does not require acknowledgments) on the sending side and reconstructs the TCP session on the receiving side. Common supported protocols via vendor proxies: syslog (UDP natively), OPC-UA (industrial protocol), file transfer (vendor-specific protocol over UDP), and video streaming (UDP multicast). Protocol support varies by vendor — verify that your specific required protocols are supported before selecting a data diode product.
Sources & references
Free resources
Critical CVE Reference Card 2025–2026
25 actively exploited vulnerabilities with CVSS scores, exploit status, and patch availability. Print it, pin it, share it with your SOC team.
Ransomware Incident Response Playbook
Step-by-step 24-hour IR checklist covering detection, containment, eradication, and recovery. Built for SOC teams, IR leads, and CISOs.
Get threat intel before your inbox does.
50,000+ security professionals read Decryption Digest for early warnings on zero-days, ransomware, and nation-state campaigns. Free, daily, no spam.
Unsubscribe anytime. We never sell your data.

Founder & Cybersecurity Evangelist, Decryption Digest
Cybersecurity professional with expertise in threat intelligence, vulnerability research, and enterprise security. Covers zero-days, ransomware, and nation-state operations for 50,000+ security professionals every morning.
Win a $2,495 Black Hat pass.
Full-access to Black Hat USA 2026 in Las Vegas. Subscribe free to enter.
