Fox DataDiode Technical Data Sheet 1

The document discusses the hardware specifications and security certifications of the Fox DataDiode. The Fox DataDiode guarantees one-way network connections and protects secrets by not allowing any software, firmware, or FPGAs that could be exploited. It has received the highest level of security certification (EAL7+) from Common Criteria and certifications from various governments for protecting classified information up to the secret level. It is available in government and business editions.

Uploaded by

Tuan MA

hardware specifications and security certifications

Fox DataDiode
Technical Data Sheet

The Fox DataDiode Hardware is the device that guarantees one-wayness of a network connection. With it, you can assure that secrets remain secret, and critical systems are not manipulated. The Fox DataDiode is the only one-way solution worldwide that has seen overwhelming independent confirmation of its security claims, and has a Common Criteria Evaluation higher than EAL4+: EAL7+. Moreover, the Fox DataDiode is the only one-way solution that guarantees one-wayness on a physical level: it does not have software, firmware or FPGAs. Hence, it cannot be exploited or wrongly configured.

Please see the product sheets Fox DataDiode for protecting secrets and Fox DataDiode for Industrial Control Systems for more non-technical information.
Government Edition and Business Edition

[Figures: Fox DataDiode – Government Edition; Fox DataDiode – Business Edition]

The Fox DataDiode is available in two flavors. The Government Edition is the flagship version that has been certified for all kinds of special uses; governments worldwide endorse it to protect their sensitive information. The Business Edition is the economic option that has no special independent security certifications.

Selected partners of Fox-IT have an OEM branded version of the Fox DataDiode.

Physical
1 unit high 19” rack mountable unit
Dimensions casing WxDxH: 427.00x222.00x41.60 (mm)
Dimensions frontpanel WxDxH: 482.60x3.00x43.65 (mm)
Dimensions outer WxDxH: 482.60x225.00x43.65 (mm). Both front panel and rear panel have connectors; the cables to be connected will require some space.
Casing material: Aluminium
Weight: 1692 gram
Rear panel functions: power inlet, power switch, fuses
Front panel functions: power status LED, activity LED, incoming (upstream) network connection, outgoing (downstream) network connection

Power
Power inlet: IEC 60320-C14 (male)
Power input: 90 – 250 VAC, 50 – 60 Hz
Fuses: 2 times T4AL250V; 5x20 mm; fuse speed T
BTU: 41
The device has only one external power inlet; internally it has two power supplies for high availability.

Network
Incoming (upstream) network connection and outgoing (downstream) network connection:
• Multimode optical fiber
• Laser Class 1 according to EN 60825-1
• IEEE-802.3z Gigabit Ethernet (1000Base-SX) at 1.25 Gbps *)
• 850nm VCSEL
Supported cable length (max.): 220 to 550 meters **), dependent on cabling, see IEEE 802.3-2008 Section 3 Table 38-2 p.109
Incoming (upstream) network connection: Duplex “SC” connector, receiver and transmitter (IEC 61754-4)
Outgoing (downstream) network connection: Simplex “SC” connector, transmitter only (IEC 61754-4)

*) 1.25Gbps is the transport layer link speed; the actual throughput is lower and depends on the software used at the proxy servers.
**) Typically the Fox DataDiode hardware is installed with and connected to proxy servers in the same rack. These proxy servers can be equipped with the network connection of choice.

Environment
Operating environment: 0 °C – 55 °C, max 90% humidity, non-condensing
Storage environment: 0 °C – 80 °C, max 90% humidity, non-condensing

Tamper-evidence (Government Edition only)
The Government Edition has been sealed in such a manner that manipulation of the device while in transport or otherwise unattended can be detected afterwards. The end customer receives an instruction with the relevant device-specific security features to verify from Fox-IT via separate secure communication.

TEMPEST protection (Government Edition only)
The Fox DataDiode has been designed to have virtually no compromising emanations. By using fiber optics, galvanic separation is achieved, and no radio magnetic signals are transmitted with the information flowing through the Fox DataDiode.
The Government Edition Fox DataDiode (and any proxy servers ordered with it) can be provided with certificates of the following types:
• NATO SDIP-27 Level A (equivalent to USA NSTISSAM Level I, formerly AMSG 720B). This is the strictest standard for devices that will be operated in NATO Zone 0 environments, where it is assumed that an attacker has almost immediate access (e.g. neighboring room, 1m distance).
• NATO SDIP-27 Level B (equivalent to USA NSTISSAM Level II, formerly AMSG 788A). This is a slightly relaxed standard for devices that are operated in NATO Zone 1 environments, where it is assumed that an attacker cannot get closer than about 20m (or where building materials ensure an attenuation equivalent to the free-space attenuation of this distance).
The Fox DataDiode is listed in the BSI German Zoned Products List (BSI TL 03305) for zones 1–3.

Fox DataDiode properties relevant to NATO
• Certified in the “Green Scheme” up to and including NATO SECRET
• Listed in the NATO Information Assurance Product Catalogue (NIAPC). See www.ia.nato.int/niapc/Product/Fort-Fox-data-diode-FFHDD2_250
• A Basic Ordering Agreement (BOA) is in place between NATO and Fox-IT, with reference NC3A/BOA/12766. See https://boa.ncia.nato.int/boa/12766/12766.htm
• NATO Stock Number (NSN):
  • Appliance including two proxy servers and software: 7025-17-120-2687
  • Fox DataDiode hardware only: 7025-17-122-5997
• Tested by the NATO Communications and Information Agency (NCIA)
• Included in the Approved Fielded Product List (AFPL)
• Included in the NATO Master Catalogue of References for Logistics (NMCRL)
• Assigned the NATO Commercial and Government Entity Code (NCAGE Code) H1T25

Security Certifications (Government Edition only)
The Fox DataDiode is the single most trusted high assurance IT security solution worldwide, as shown by both the diversity and thoroughness of the security certifications listed below. Please be aware that the list is not exhaustive, as not all security certifications are eligible for confirmation in public.

Common Criteria: EAL7+
NATO: up to and including NATO SECRET, Green Scheme
Russian Federation: Russian Ministry of Defense certificate of compliance with control level 2 for НДВ and РДВ *), by ЦНИИ ЭИСУ (CNII EISU); ФСТЭК (FSTEC) certification in process
The Netherlands: up to and including Staatsgeheim GEHEIM, by NL-NCSA/NBV (Nationaal Bureau voor Verbindingsbeveiliging)
Germany: up to and including GEHEIM, by BSI (Bundesamtes für Sicherheit in der Informationstechnik)

*) “Certificate on code review and software testing against Russian Ministry of Defense requirements to undeclared features (level 2) and functional requirements correspondingly”

Common Criteria Certifications (Government Edition only)


Under the Common Criteria Recognition Arrangement (CCRA), the Common Criteria (CC)
certifications are valid internationally. Consult the CC portal for details:
www.commoncriteriaportal.org. The Security Targets (STs), Certification reports and certificates
are available for download at the Fox-IT website.

CC version | 3.1, revision 2 | 3.1, revision 2 | 3.1, revision 2
EAL | EAL4+ | EAL7+ | EAL4+
Augmentations | AVA_VAN.5 and ALC_DVS.2 | ASE_TSS.2 and ALC_FLR.3 | AVA_VAN.4 and ALC_DVS.2
Scheme | Norwegian | Dutch | Indian
Evaluation Facility | Brightsight BV, Delft, The Netherlands | Brightsight BV, Delft, The Netherlands | ERTL East, Kolkata, India
Certification Body | SERTIT, Oslo, Norway | NL-NCSA/NBV, Zoetermeer, The Netherlands | STQC, New Delhi, India

NERC-CIP Compliance
The North American Electric Reliability Corporation (NERC) develops and enforces reliability
standards. The NERC Critical Infrastructure Protection (CIP) standards provide a security
framework for the protection of Critical Infrastructures. The Fox DataDiode addresses CIP
compliance and provides an Electronic Security Perimeter (ESP) according to the overall NERC-CIP
framework. Fox-IT is a NERC-CIP compliant vendor.

Other Certifications
CE safety & environmental certification:
• Directive 2002/95/EC Restriction of Hazardous Substances (RoHS)
• EMC: Directive 2004/108/EC: Electromagnetic Compatibility (EMC); ETSI EN 300 386 V1.4.1 (2008-04); EN 55022:2006 + A1:2007 Class A; EN 55024:1998 + A1:2001 + A2:2003
• Safety: Directive 2006/95/EC: Low Voltage; BS EN 60950-1:2006 + A1:2010; EN60825-1 (Laser Class 1)
Russian Federation and Customs Union safety & environmental certification:
• GOST R *) (ГОСТ Р)
• EMC: CU TR 020/2011 (ТР ТС 020/2011), Electromagnetic Compatibility of Technical Means
• Safety: CU TR 004/2011 (ТР ТС 004/2011), On the Safety of Low-Voltage Equipment

*) Due to changes in Russian legislation, the GOST R / ГОСТ Р certification is no longer required.

Fox DataDiode security certifications for the Russian Federation
The security certifications of the Fox DataDiode all have the Fox DataDiode hardware as their scope, as the security guarantee of one-wayness is enforced by the hardware of the tangible device.

However, the scopes of the Russian security certifications include the software that comes with the device, which is to be run on the proxy servers (see page 4 of this document). As a result, these certifications do not only warrant the enforced one-wayness of the Fox DataDiode hardware, but do also warrant absence of undeclared features (e.g. backdoors and spyware) in the Fox DataDiode software. This extended certification scope is a result of the Russian government vision on IT security certifications.

The certified software can be collected from trusted Russian sources and GOST fingerprints are available upon request.

Export Control and Customs
The Fox DataDiode is designed and produced by Fox-IT in the Netherlands. A certificate of origin (COO) is available upon request. The Fox Data Diode is categorized under Export Control Classification Number (ECCN) 5A002a7 of the list of dual-use goods and technologies of the Wassenaar Arrangement (WA-LIST). The Harmonized System code (HS code) of the Fox DataDiode is 8517620009. Fox-IT holds the necessary export licenses to be able to internationally provide the Fox DataDiode to a very wide range of customers. Contact Fox-IT in case you have export control questions specific to your circumstances.

Fox-IT appreciates your application scenario
Fox-IT has prepared special product collateral to address the considerations of various customer
groups and product setups. Consult Fox DataDiode for Industrial Control Systems if your goal is to
protect your assets against manipulation. Consult Fox DataDiode for protecting secrets if your goal is
to protect your secrets and prevent data leakage.

A complete Fox DataDiode setup


A complete Fox DataDiode setup typically consists of more than the Fox DataDiode hardware alone. A typical setup has a proxy server on each side of the Fox DataDiode: the upstream proxy converts bi-directional protocols into a one-way protocol, and the downstream proxy converts the one-way protocol back into bi-directional protocols.
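
The protocol conversion done by the two proxy servers, sketched as an added example (this is not Fox-IT software or its wire format): the upstream proxy can never receive an acknowledgement, so it repeats checksummed, sequence-numbered frames, and the downstream proxy reassembles them and can only report gaps locally. The frame header, chunk size, repeat count and function names are assumptions, and one transfer at a time is assumed.

```python
# Added illustration (not Fox-IT code): frame layout, chunk size and repeat
# count are assumptions made for this example.
import hashlib
import struct
import zlib

HEADER = struct.Struct("!IHHI")   # transfer id, sequence no., total frames, CRC32
CHUNK = 1024                      # assumed payload bytes per frame
REPEAT = 3                        # no ACK can come back, so send every frame 3x


def upstream_frames(transfer_id: int, data: bytes):
    """Upstream proxy: turn one received object into self-describing frames."""
    chunks = [data[i:i + CHUNK] for i in range(0, len(data), CHUNK)] or [b""]
    chunks.append(hashlib.sha256(data).digest())      # trailer: whole-object digest
    for _ in range(REPEAT):
        for seq, chunk in enumerate(chunks):
            yield HEADER.pack(transfer_id, seq, len(chunks), zlib.crc32(chunk)) + chunk


def downstream_reassemble(frames):
    """Downstream proxy: rebuild the object; returns (data or None, missing seqs)."""
    got, total = {}, None
    for frame in frames:
        if len(frame) < HEADER.size:
            continue                                   # truncated frame
        _tid, seq, count, crc = HEADER.unpack_from(frame)
        chunk = frame[HEADER.size:]
        if zlib.crc32(chunk) != crc or seq >= count:
            continue                                   # corrupted: drop silently
        total = count
        got.setdefault(seq, chunk)                     # repeated copies are ignored
    if total is None:
        return None, []
    missing = [s for s in range(total) if s not in got]
    if missing:
        return None, missing                           # cannot ask for a resend
    data = b"".join(got[s] for s in range(total - 1))
    ok = hashlib.sha256(data).digest() == got[total - 1]
    return (data if ok else None), []


def demo():
    data = bytes(range(256)) * 10                      # constructed 2560-byte object
    sent = list(upstream_frames(7, data))
    lossy = [f for i, f in enumerate(sent) if i % 5]   # link loses every 5th frame
    return downstream_reassemble(lossy)[0] == data
```

When a sequence number is lost in every repetition, the downstream side returns the list of missing frames instead of data; recovery then depends on the upstream side resending on its own schedule.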

Fox-IT offers flexibility in the way that these proxy servers and the converting software are set up.

• Customers that want to choose their own server hardware and server OS, and may want to
run other services or daemons on the same hardware, can choose the Fox DataDiode Windows
Core or the Fox DataDiode Linux Core which provide basic but powerful stackable features like
support for TCP, UDP and file and directory mirroring.
• For customers that want a hassle-free turnkey solution, Fox-IT provides the Fox DataDiode Appliance, a complete package consisting of the Fox DataDiode and two rack mountable servers with pre-installed software. The software supports seamless integration into office environments, has built-in support for many common file transfer protocols like SMB, FTP and SCP, and can be configured using a user friendly web interface.

[Diagram: on both the upstream and the downstream side, a stack of Applications, Fox-IT Core software, OS, and Hardware / server; the Fox DataDiode sits between the two sides.]

There are many software solutions provided by Fox-IT to leverage the value of the Fox DataDiode.
These solutions operate at the application level. Solutions include, but are not limited to the
Fox DataDiode PI Replicator and the Fox DataDiode Modbus Replicator.

Fox-IT prevents, solves and mitigates the most serious threats as a result of cyber-attacks, fraud and data breaches with innovative solutions for government, defense, law enforcement, critical infrastructure, banking, and commercial enterprise clients worldwide. Our approach combines human intelligence and technology into innovative solutions that ensure a more secure society. We develop custom and packaged solutions that maintain the security of sensitive government systems, protect industrial control networks, defend online banking systems, and secure highly confidential data and networks.
022-010-EN
for a more secure society
U MAI 永捷有限公司
Taipei: 02-77467419
Kaohsiung: 07-9766772
www.justumai.com.tw
