Use of Diodes for Unidirectional Gateway Security
Use special devices (diodes) to ensure data flows one way only between networks, enhancing security.
Plain language
This control is about using diodes to make sure information only flows in one direction between your private network and the public internet. This is important because if data can flow both ways, a hacker could potentially gain access to sensitive information or disrupt your operations.
Framework
ASD Information Security Manual (ISM)
Control effect
Preventative
Classifications
NC, OS, P, S, TS
ISM last updated
Feb 2022
Control Stack last updated
19 Mar 2026
E8 maturity levels
N/A
Official control statement
Evaluated diodes are used for controlling the data flow of unidirectional gateways between an organisation's networks and public network infrastructure.
Why it matters
Without diodes, bidirectional flows can let attackers exfiltrate sensitive data or inject malicious traffic into secure networks.
Operational notes
Regularly verify diode configuration and review flow logs to confirm unidirectional data transfer integrity.
Implementation tips
- The IT manager should research and select the appropriate diodes for their network. This involves reviewing security needs and consulting with trusted vendors to find the diode device that best supports one-way data flow for your current setup.
- System administrators should install the diode devices between the internal network and the public network. This process involves physically connecting the diode to the network paths, ensuring data can only travel outwards but not return to the sensitive internal systems.
- The IT security team should configure network settings to support the diode operation. This means adjusting firewall rules and monitoring systems to support and verify that no data can flow into the network through alternate paths.
- IT staff should regularly test the functionality of the diodes. This can be done by simulating data transfer attempts from the public network toward the private network and ensuring these attempts are blocked.
- Managers should organise training for staff on the importance of unidirectional data flow. This includes awareness of why the diode is in place and how staff actions can help maintain secure communication practices.
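The configuration, monitoring and testing steps above can be backed by a routine review of flow logs. As an added example that is not part of the ISM or this control page, the following Python script scans constructed flow records for traffic a working diode could not carry: any inbound flow from the public side, or any return path (a completed TCP session or reverse bytes) on an outbound flow. The segment addresses and log field names are assumptions.

```python
# Added example: checks constructed flow-log records for traffic that should be
# impossible across a correctly operating data diode. The CSV fields and the
# segment addresses below are assumptions, not a specific vendor's format.
import csv
import ipaddress
from io import StringIO

# Assumed layout: the internal (high side) segment sends outward through the
# diode to the public-facing (low side) segment. Addresses are constructed.
INTERNAL = ipaddress.ip_network("10.10.0.0/16")
PUBLIC_SIDE = ipaddress.ip_network("192.0.2.0/24")

# Constructed sample flow records: source, destination, protocol, bytes sent
# by the source, bytes returned by the destination.
FLOW_LOG = """\
src_ip,dst_ip,proto,bytes_fwd,bytes_rev
10.10.4.7,192.0.2.20,UDP,48210,0
10.10.4.7,192.0.2.20,UDP,51990,0
192.0.2.33,10.10.4.7,UDP,1200,0
10.10.4.9,192.0.2.20,TCP,3100,2048
10.10.4.7,10.10.4.8,TCP,900,700
"""

def crosses_diode(src, dst):
    """True when a flow runs between the two segments joined by the diode."""
    return (src in INTERNAL and dst in PUBLIC_SIDE) or (src in PUBLIC_SIDE and dst in INTERNAL)

def check_flows(log_text):
    """Return a list of (reason, row) for records inconsistent with one-way flow."""
    findings = []
    for row in csv.DictReader(StringIO(log_text)):
        src = ipaddress.ip_address(row["src_ip"])
        dst = ipaddress.ip_address(row["dst_ip"])
        if not crosses_diode(src, dst):
            continue  # traffic inside one segment is outside the diode's scope
        if src in PUBLIC_SIDE:
            # An inbound flow means some path exists that bypasses the diode.
            findings.append(("inbound-flow", row))
        elif row["proto"].upper() == "TCP" or int(row["bytes_rev"]) > 0:
            # A diode has no return path, so a completed TCP session or reverse
            # bytes on an outbound flow also points to an alternate path.
            findings.append(("return-path", row))
    return findings

if __name__ == "__main__":
    for reason, row in check_flows(FLOW_LOG):
        print(f"{reason}: {row['src_ip']} -> {row['dst_ip']} {row['proto']}")
```

Feed the script a real flow export with the same fields, and treat any finding as evidence that a bidirectional path exists alongside the diode.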
Audit / evidence tips
- Ask for the procurement records of diode devices: request to see purchase orders and invoices related to the diodes installed. Good evidence includes documentation showing purchase specifics and alignment with system requirements.
- Ask for a network diagram showing diode placement: review diagrams that outline the network setup and diode locations. Good evidence shows up-to-date diagrams with clear annotations for each diode.
- Ask for the configuration settings of installed diodes: request system logs or screenshots showing current settings. Good evidence shows secure configurations consistent with manufacturer and security guidance.
- Ask for test reports on diode operation effectiveness: request records of any tests conducted to verify diode performance. Good evidence includes comprehensive test results confirming expected diode performance.
- Ask for training records on diode usage: request documentation of any staff training sessions about the diode's purpose and operation. Good evidence includes recent training records and feedback indicating increased staff understanding.
Cross-framework mappings
How ISM-0643 relates to controls across ISO/IEC 27001, Essential Eight, and ASD ISM.
ISO 27001
| Relationship | Control | Notes |
|---|---|---|
| Partially meets | Annex A 8.20 | ISM-0643 requires organisations to use evaluated diodes to enforce one-way data flow in unidirectional gateways between internal networks... |
| Supports | Annex A 5.14 | ISM-0643 requires evaluated diodes to control data flow in unidirectional gateways between internal networks and public network infrastru... |
| Supports | Annex A 8.22 | ISM-0643 requires evaluated diodes to enforce one-way data flow at a unidirectional gateway between organisational networks and public ne... |
These mappings show relationships between controls across frameworks. They do not imply full equivalence or certification.