Use cases

Data diodes in practice

Concrete examples of how hardware-enforced one-way communication protects critical networks against cyber attacks, ransomware, and data exfiltration.

Use case 01

Camera network & NVR server

IP cameras are vulnerable IoT devices that use bidirectional communication by default. An attacker who compromises a single camera can pivot through the camera network into the entire building or security system. A data diode makes this physically impossible.

[Diagram: on the unsecured network, Camera 01 (192.168.10.11), Camera 02 (192.168.10.12) and Camera 03 (192.168.10.13) connect over PoE+ to a PoE switch (Cisco SG350-28P). An Advenica SD100E data diode passes the RTSP/UDP video stream one way to the NVR server (192.168.20.10) on the secured segment; the return direction is blocked. Legend: allowed data flow (one-way); physically blocked return path.]
🛡️

No lateral movement

A compromised camera cannot reach the secured network. No command channel back.

🎥

Full-HD video stream

Video data flows uninterrupted via RTSP/UDP. No latency, no quality loss.

🔒

NVR fully isolated

The recording server is physically unreachable from the camera network. Evidence remains intact.

Use case 02

Veeam backup & offsite vault

Ransomware increasingly targets backup systems. If the primary backup network is compromised, attackers can encrypt the backups too. A data diode in front of the offsite vault makes backups permanently unreachable for attackers — while replication continues uninterrupted.

[Diagram: the production network contains production VMs/servers, a Veeam B&R backup server and a local backup repository (NAS/SAN), linked by a backup job and a copy job. A data diode (Veeam protocol proxy, no return path) leads to the isolated backup vault: immutable WORM storage with no write access, holding Restore Point 1 (2026-03-28), Restore Point 2 (2026-03-29) and Restore Point 3 (2026-03-30). Caption: ransomware hits production, vault fully intact and recoverable. Legend: backup replication (one-way); attack path physically severed.]
🦠

Ransomware-proof

Attackers cannot reach the vault — no write access, no commands, no encryption possible.

♾️

Immutable backups

Restore points are stored immutably. Even a compromised Veeam server cannot modify the vault.

Automatic replication

Veeam copy jobs continue running normally. No manual tapes or disk transfers required.

Use case 03

Secure database replication

OT environments collect process data continuously — from robots, PLCs, SCADA systems and historians. That data is valuable for analytics, reporting and AI models on the IT side. But allowing a direct database connection between OT and IT creates a two-way channel that attackers can exploit. A data diode enforces one-way replication at the hardware level: data flows out, attacks cannot flow in.

[Diagram: on the OT network, a robot/CNC (OPC UA), SCADA/HMI (MQTT) and PLC (Modbus TCP) feed the source DB (historian, OT database). A data diode passes DB replication one way to the target DB (read-only replica, IT database) on the IT network, alongside Microsoft Azure, AWS and analytics; the return direction is blocked. Legend: one-way data replication; return path physically impossible.]
🏭

OT stays isolated

No IT system can reach back into the OT network. A compromised cloud instance or analytics server cannot affect production.

📊

Full data availability on IT side

Process data, historian values and sensor readings flow continuously to Azure, AWS or on-premise analytics platforms without interruption.

📋

NIS2 & IEC 62443 compliant

Hardware-enforced OT/IT separation satisfies Article 21 of NIS2 and the network segmentation requirements of IEC 62443.

A solution for your situation?

Every environment is different. We design the right airgap solution for your specific security challenge.
