Network segmentation is an effective tool to prevent unauthorised access to certain assets of the organization by allowing different security services to be defined for each network segment. This allows for more control over network traffic and a substantial improvement in security.

Segmentation allows network administrators to control the flow of data between subnets according to detailed policies.

‘Strong’ segmentation consists of isolating certain networks from others (security domains). No TCP/IP access between domains will be allowed.

Cross-domain arises when information needs to be transferred between security domains.

A security domain is a collection of assets usually located on a network and subjected to the same policy. Networks with different levels of classification or managed by different operational authorities or simply kept isolated for security reasons are considered as different security domains.

A firewall is a device that, depending of its configuration, allows or blocks packets and connections. When networks are nor physically separated (sub-networks) a firewall may be sufficient because packets routing and connections are allowed between them.

For the exchange of information between security domains (cross-domain), it is necessary to use other types of devices with a higher level of security: High assurance-guards or data diodes.

These devices do not allow routing of packets neither connections between domains and provide a complete break in the protocol stack.

Devices that perform the filtering of data flows are known as ‘guards’.
Depending on the risks of the interconnection (different levels of data classification, trust between authorities, existing security measures, etc.) the general security requirements will be higher or lower.
In high-assurance scenarios where very high security is needed, physical separation of the networks is additionally required.

Devices that provide this separation can be:

• Unidirectional (diodes)
• Bidirectional (high-assurance guards or gateways).

To transfer information between two networks in one direction only, a data diode is used.

Although most of them are hardware-based, hardware data diodes are those in which the guarantee that the information transfer is one-way is provided by a certified hardware element, i.e. it would be necessary mechanical manipulation (with physical access) to subvert the mechanism.

On the other hand, those known as software data diodes base the one-way transmission guarantee on some software mechanism like virtual machines or microkernels that could potentially be subverted remotely.

To transfer information securely, in both directions (bidirectional scenarios) between two separate security domains, an application security gateway is required.

They typically provide the functionalities of data flow filtering (‘guard’) and network separation. Filtering can include format control, content control and even requiring data authorisation through digital signatures. Network separation can be of greater or lesser strength depending on whether it is performed by hardware or software.