The bidirectional reality of firewalls

Stateful inspection depends on seeing both directions of a flow and maintaining session context. Operators must continuously tune rules, apply patches, and track vendor behaviour. That is acceptable for many enterprise boundaries, but in OT the reverse-path risk (management-plane exposure, latent CVEs, misconfiguration under pressure) can be unacceptable for certain zones.

What a data diode changes

A diode constrains the discussion from “what packets might return?” to “no physical return path exists for exploit-bearing traffic.” Monitoring and file extraction can still occur outbound, while inbound remote-control surfaces are structurally removed.

Practical comparison framework

  • Use firewalls where bilateral communications are genuinely required and compensating controls are mature.
  • Add hardware-enforced one-way segments where monitoring must leave the plant but inbound paths must remain categorically blocked.
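
The reverse-path difference described above, as a constructed toy model added here (not Connexite code, and not a model of any particular firewall or ConnexONE product): a stateful firewall records outbound plant-to-enterprise flows and admits matching return packets, plus whatever inbound rules an operator later adds; a diode has no receive path on the plant side at all. Addresses, ports and the scenario steps are made up.

```python
"""Toy model of the return-path difference between stateful inspection and a
hardware data diode.  Constructed example for this page; it is not Connexite
code and models no specific product.  Addresses and ports are made up."""
from dataclasses import dataclass

# Constructed topology: protected OT zone and the enterprise zone outside it.
PLANT_NET = "10.1.0."
ENTERPRISE_NET = "10.9.0."


def zone(ip: str) -> str:
    """Classify an address as 'plant' or 'enterprise' (anything else is unknown)."""
    if ip.startswith(PLANT_NET):
        return "plant"
    if ip.startswith(ENTERPRISE_NET):
        return "enterprise"
    return "unknown"


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    sport: int
    dport: int
    proto: str = "tcp"


class StatefulFirewall:
    """Stateful inspection: plant->enterprise flows are permitted and recorded;
    enterprise->plant packets are admitted when they match an established
    session or an explicit inbound rule.  The session table and the rule set
    together are the reverse path the text warns about."""

    def __init__(self) -> None:
        self.sessions: set[tuple] = set()
        self.inbound_rules: set[tuple[str, int]] = set()  # (proto, plant-side port)

    def allow_inbound(self, proto: str, dport: int) -> None:
        """Operator adds an inbound rule, e.g. for remote support under time pressure."""
        self.inbound_rules.add((proto, dport))

    def forward(self, pkt: Packet) -> bool:
        if zone(pkt.src) == "plant" and zone(pkt.dst) == "enterprise":
            self.sessions.add((pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport))
            return True
        if zone(pkt.src) == "enterprise" and zone(pkt.dst) == "plant":
            reverse = (pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport)
            return reverse in self.sessions or (pkt.proto, pkt.dport) in self.inbound_rules
        return False


class DataDiode:
    """Hardware-enforced one-way segment: there is no receive path on the plant
    side, so enterprise->plant packets are never delivered, whatever any
    session table or rule set says."""

    def forward(self, pkt: Packet) -> bool:
        return zone(pkt.src) == "plant" and zone(pkt.dst) == "enterprise"


def run_scenario() -> dict[str, tuple[bool, bool]]:
    """Replay a constructed packet sequence; return {step: (firewall, diode)}."""
    fw, diode = StatefulFirewall(), DataDiode()
    historian, collector = PLANT_NET + "5", ENTERPRISE_NET + "20"  # made-up hosts
    steps = {
        "monitoring export": Packet(historian, collector, 40001, 514),
        "reply to that session": Packet(collector, historian, 514, 40001),
        "unsolicited inbound to plant": Packet(collector, historian, 55000, 22),
    }
    results = {name: (fw.forward(p), diode.forward(p)) for name, p in steps.items()}
    # Operator opens an inbound port: the firewall now has a second reverse path.
    fw.allow_inbound("tcp", 22)
    retry = steps["unsolicited inbound to plant"]
    results["inbound after rule change"] = (fw.forward(retry), diode.forward(retry))
    return results


if __name__ == "__main__":
    for step, (fw_ok, diode_ok) in run_scenario().items():
        fw_s, dd_s = ("pass" if fw_ok else "drop"), ("pass" if diode_ok else "drop")
        print(f"{step:30} firewall={fw_s} diode={dd_s}")
```

The model deliberately omits the flip side of the same property: because no acknowledgement can ever return across the diode, ordinary TCP sessions cannot traverse it, so the monitoring export in practice has to be carried by a unidirectional transport (UDP, or a sender/receiver proxy pair that terminates TCP on each side), which is part of the engineering cost weighed in the framework above.
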

Official Connexite comparison document

Download the concise comparison brief:

Data diode vs firewall (PDF)

For model selection context, see also the ConnexONE datasheet (PDF).