Cross Domain Solutions vs Firewalls

Cross Domain Solutions vs Firewalls


Transferring data securely between networks or systems with different security requirements is one of the fundamental challenges of cybersecurity. For a typical organization, the solution is a firewall. A well-configured firewall can stop outsiders from accessing a company network, block malicious applications, and prevent unauthorized data sharing by employees.

A firewall will also fail, inevitably, when subjected to sophisticated attacks. For the average retailer, manufacturer, or other organization, that’s an acceptable risk. The consequences of security breaches might be unpleasant, but they’re usually survivable. In fact, many companies—having accepted that their networks will be breached—include lawsuits, regulatory fines, and other costs associated with breaches in their annual budgets.

But for military commands, intelligence services, and critical infrastructure operators, network breaches are not an acceptable risk, because even a single breach has the potential to cost lives. These organizations still need to send data across network boundaries, though, so they rely on something far more reliably secure than firewalls: cross domain solutions.

A cross domain solution (CDS) addresses the same problem as a firewall: the need to control data transfers between high-security networks and lower-security networks. But where firewalls provide (at best) reasonable protection, cross domain solutions provide maximum assurance.

Firewalls are a software-based technology, usually designed to run on a general-purpose operating system with its own inherent vulnerabilities. A CDS is a combination of software and hardware, using a hardened operating system and specialized tools like Security-Enhanced Linux. Cross domain solutions provide multiple layers of filtering and content inspection, and provide a “protocol break” (in the form of a data diode), to enable secure connections between trusted and untrusted network domains.

Because they are intended for the highest-security, highest-risk use cases, cross domain solutions are subject to intense validation and testing. In U.S. military and intelligence security operations, the term “cross domain solution” is used specifically to describe technology that has passed an extremely rigorous testing process administered by the National Cross Domain Strategy Management Office (NCDSMO), a unit of the National Security Agency.

Only CDS products that have been accredited by the NCDSMO can be used for U.S. military and intelligence applications, and products used by the U.S. for those purposes cannot be sold for commercial use. Furthermore, the products may not be exported, with the exception of military and intelligence use by other countries within the “Five Eyes” (the United States, United Kingdom, Australia, New Zealand, and Canada).

However, other cross domain solutions—including products that are functionally equivalent to the technology used by U.S. military and intelligence—are available to foreign military services and critical infrastructure operations. These solutions provide the same capabilities, including content inspection, filtering, and data flow control, but use a different code base than the US-only solutions.

Owl Cyber Defense provides NCDSMO-accredited cross domain solutions for military and intelligence applications, and also manufactures the only exportable, US-validated CDS available for commercial or defense deployments worldwide. For more details on what makes a cross domain solution different, check out our Learn About Cross Domain Solutions page.

Solving the Data Format Problem with Daffodil

It goes without saying that to be useful anywhere, data has to be in some sort of format. But every time you start using a new data format, you have to tell your software how to use it, a...
November 5, 2020
Device Assessment
Charlie Schick Business Development Manager - Healthcare

Why Do A Medical Device Assessment, Part 5: Cracked Wide Open

This is final post of a five-part series on the what, why, and how we inspect medical devices. In the previous installments, I talked about why we inspect devices, the mindset that gui...
November 3, 2020
Charlie Schick Healthcare Consultant

Why Do A Medical Device Assessment, Part 4: Access Granted

In the last post, we got up close and personal with the device, and now it was time to really try to dig into the administrative functions. While the unauthenticated (non-password-protect...
October 29, 2020