Unlike firewalls, data diodes are physical hardware devices that enforce a one-way flow of data at the physical level. Most diode devices do not contain any software, logic or field-programmable gate arrays (FPGAs) and only contain a physical path for signals to travel in one direction. In some cases, such as the Advenica DD1000A, network traffic is converted to light and this stream of light is visible via a display window on the front panel.
Due to the design of data diodes and the nature of physics, electrons can only flow in one direction. Therefore, online attacks on a data diode in the reverse direction are physically impossible. A firewall, on the other hand, is a software solution. Humans wrote that software, with the inherent risk of introducing bugs, some of which may manifest as security vulnerabilities.
There are various examples of firewall solutions that have been hacked by exploiting such vulnerabilities. Moreover, a firewall can be complex to manage and configure. That can lead to mistakes such as the wrong ports being opened, giving hackers a path into the network.
In 2013, the Industrial Control System Cybersecurity guidance, directed by the French Network and Information Security Agency (ANSSI), stated that it is forbidden to use firewalls to connect any class 3 network, such as railway switching systems, to a lower class network or corporate network, and that only unidirectional technology is permitted.