Unidirectional Secure Information Transfer via RabbitMQ

TL;DR

This paper explores using open source technology to securely and cost-effectively mirror message bus data over data diodes with end-to-end encryption, enabling secure transfer of sensitive information.

Contribution

It demonstrates that open source solutions can effectively mirror message bus data over data diodes with encryption, providing a practical, low-maintenance security-proof transfer method.

Findings

Successful mirroring of message bus data over data diodes

End-to-end encryption ensures data confidentiality

Open source approach reduces costs and complexity

Abstract

Protecting computer systems handling possible sensitive information is of the utmost importance. Those systems are typically air-gapped with data diodes to assure that no information can physically flow back. Traditional computer protocols like HTTP or SOAP which are normally used to transport information between computers are typical bi-directional communication protocols and are thus unsuitable to be used over a data diode. Currently the only commercially available protocols over a data diode sold by vendors are file-based protocols. Other protocols can be custom made but are expensive and proprietary. There are currently no open source solutions to stream data in a generic way over a data diode other than those file-based solutions. Purpose of the dissertation is to research if open source technology can be used to mirror the contents of a messagebus over a data diode to get a cost effective security-proof and almost maintenance-free solution. and to further research if this technology can be used to transfer not only plain text data but also data sensitive by nature by using end-to-end encryption so that this information could even be admitted as evidence. Method used to validate the research is a practical case study that shows how a sensor stream can send unencrypted and encrypted events over a data diode of arbitrary size via a message bus which are transparently and securely transferred and re-emitted internally without any kind of configuration management. Results show that it is indeed possible to successfully mirror data from a Message Bus over a data diode and it is thus worthwhile to further invest in this technology.