Cross Domain Solutions vs Firewalls

Cross Domain Solutions vs Firewalls

Transferring data securely between networks or systems with different security requirements is one of the fundamental challenges of cybersecurity. For a typical organization, the solution is a firewall. A well-configured firewall can stop outsiders from accessing a company network, block malicious applications, and prevent unauthorized data sharing by employees.

A firewall will also fail, inevitably, when subjected to sophisticated attacks. For the average retailer, manufacturer, or other organization, that’s an acceptable risk. The consequences of security breaches might be unpleasant, but they’re usually survivable. In fact, many companies—having accepted that their networks will be breached—include lawsuits, regulatory fines, and other costs associated with breaches in their annual budgets.

But for military commands, intelligence services, and critical infrastructure operators, network breaches are not an acceptable risk, because even a single breach has the potential to cost lives. These organizations still need to send data across network boundaries, though, so they rely on something far more reliably secure than firewalls: cross domain solutions.

A cross domain solution (CDS) addresses the same problem as a firewall: the need to control data transfers between high-security networks and lower-security networks. But where firewalls provide (at best) reasonable protection, cross domain solutions provide maximum assurance.

Firewalls are a software-based technology, usually designed to run on a general-purpose operating system with its own inherent vulnerabilities. A CDS is a combination of software and hardware, using a hardened operating system and specialized tools like Security-Enhanced Linux. Cross domain solutions provide multiple layers of filtering and content inspection, and provide a “protocol break” (in the form of a data diode), to enable secure connections between trusted and untrusted network domains.

Because they are intended for the highest-security, highest-risk use cases, cross domain solutions are subject to intense validation and testing. In U.S. military and intelligence security operations, the term “cross domain solution” is used specifically to describe technology that has passed an extremely rigorous testing process administered by the National Cross Domain Strategy Management Office (NCDSMO), a unit of the National Security Agency.

Only CDS products that have been accredited by the NCDSMO can be used for U.S. military and intelligence applications, and products used by the U.S. for those purposes cannot be sold for commercial use. Furthermore, the products may not be exported, with the exception of military and intelligence use by other countries within the “Five Eyes” (the United States, United Kingdom, Australia, New Zealand, and Canada).

However, other cross domain solutions—including products that are functionally equivalent to the technology used by U.S. military and intelligence—are available to foreign military services and critical infrastructure operations. These solutions provide the same capabilities, including content inspection, filtering, and data flow control, but use a different code base than the US-only solutions.

Owl Cyber Defense provides NCDSMO-accredited cross domain solutions for military and intelligence applications, and also manufactures the only exportable, US-validated CDS available for commercial or defense deployments worldwide. For more details on what makes a cross domain solution different, check out our Learn About Cross Domain Solutions page.

Insights to your Inbox

Stay informed with the latest cybersecurity news and resources.

Paul Nguyen DoD Account Director

Proven Solutions for Navy “Data Maneuverability” @ AFCEA WEST

Hi, I’m Paul Nguyen, one of the new leaders of Owl’s DoD Mission Support team. I joined Owl Cyber Defense (Owl) earlier this month, just in time to be a part of our annual corporate o...
January 31, 2024

Owl SEER Lab MiniBlog 1: CVE-2023-21093

Hello and welcome to the launch of the Owl Cyber Defense System Evaluation, Exploitation, and Research (SEER) Laboratory miniblog! This is the very first in a line of forthcoming posts. ...
September 26, 2023

Reduce Cyber Stress (at least at work) by Implementing Data Diode Enforced Segmentation

In today's digital age, cybersecurity professionals play a crucial role in ensuring the safety and security of an organization's sensitive information. With the rise of cyberattacks, it's...
April 20, 2023