Cross Domain Solutions vs Firewalls


Transferring data securely between networks or systems with different security requirements is one of the fundamental challenges of cybersecurity. For a typical organization, the solution is a firewall. A well-configured firewall can stop outsiders from accessing a company network, block malicious applications, and prevent unauthorized data sharing by employees.

A firewall will also fail, inevitably, when subjected to sophisticated attacks. For the average retailer, manufacturer, or other organization, that’s an acceptable risk. The consequences of security breaches might be unpleasant, but they’re usually survivable. In fact, many companies—having accepted that their networks will be breached—include lawsuits, regulatory fines, and other costs associated with breaches in their annual budgets.

But for military commands, intelligence services, and critical infrastructure operators, network breaches are not an acceptable risk, because even a single breach has the potential to cost lives. These organizations still need to send data across network boundaries, though, so they rely on something far more reliably secure than firewalls: cross domain solutions.

A cross domain solution (CDS) addresses the same problem as a firewall: the need to control data transfers between high-security networks and lower-security networks. But where firewalls provide (at best) reasonable protection, cross domain solutions provide maximum assurance.

Firewalls are a software-based technology, usually designed to run on a general-purpose operating system with its own inherent vulnerabilities. A CDS is a combination of software and hardware, using a hardened operating system and specialized tools like Security-Enhanced Linux. Cross domain solutions apply multiple layers of filtering and content inspection, plus a “protocol break” (in the form of a data diode), to enable secure connections between trusted and untrusted network domains.
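To make the "multiple layers of filtering" idea concrete, the following is an added toy model (not Owl's product code, and not describing any accredited CDS) of a fail-closed filter stack guarding a one-way transfer. The record format, size cap, sensor naming scheme, and sample records are all constructed for this illustration; each filter is an independent check, any single failure stops the record on the high side, and the transfer function never returns anything from the receiving side, which is the property a data diode enforces in hardware.

```python
"""Toy model of layered, fail-closed content filtering in front of a one-way
transfer. Added illustration only: the JSON record format, the filter rules,
and the sample traffic below are constructed and are not any vendor's code."""
import json
import re
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Hypothetical policy for this example: tiny telemetry records only.
MAX_BYTES = 512                                       # assumed per-record size cap
ALLOWED_FIELDS = {"sensor_id", "timestamp", "value"}  # strict field allowlist
SENSOR_ID = re.compile(r"^[A-Z]{2}-\d{4}$")           # assumed sensor naming scheme
TIMESTAMP = re.compile(r"^\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}Z$")


def check_size(raw: bytes) -> Optional[str]:
    """Cheapest check first: refuse anything over the size cap before parsing."""
    return None if len(raw) <= MAX_BYTES else "oversize"


def check_printable(raw: bytes) -> Optional[str]:
    """Reject any byte outside printable ASCII before a parser ever sees it."""
    if all(0x20 <= b <= 0x7E for b in raw):
        return None
    return "non-printable bytes"


def check_schema(raw: bytes) -> Optional[str]:
    """Allowlist the exact field set and the type/format of every value."""
    try:
        obj = json.loads(raw)
    except ValueError:
        return "not JSON"
    if not isinstance(obj, dict) or set(obj) != ALLOWED_FIELDS:
        return "field set differs from allowlist"
    if not (isinstance(obj["sensor_id"], str) and SENSOR_ID.match(obj["sensor_id"])):
        return "bad sensor_id"
    if not (isinstance(obj["timestamp"], str) and TIMESTAMP.match(obj["timestamp"])):
        return "bad timestamp"
    # bool is a subclass of int in Python, so exclude it explicitly.
    if isinstance(obj["value"], bool) or not isinstance(obj["value"], (int, float)):
        return "value is not numeric"
    return None


# Ordered filter stack; every layer must return None for a record to cross.
FILTERS = (check_size, check_printable, check_schema)


@dataclass
class TransferResult:
    passed: List[bytes] = field(default_factory=list)             # released to low side
    rejected: List[Tuple[bytes, str]] = field(default_factory=list)  # held on high side


def transfer_one_way(records: List[bytes]) -> TransferResult:
    """Run each record through every filter. The result records only what the
    filter stack decided; nothing is modelled as coming back from the receiver,
    mirroring the absence of a return path across a data diode."""
    result = TransferResult()
    for raw in records:
        for check in FILTERS:
            reason = check(raw)
            if reason is not None:           # fail closed on the first failure
                result.rejected.append((raw, reason))
                break
        else:
            result.passed.append(raw)
    return result


# Constructed sample traffic: one clean record and four that must not cross.
SAMPLE = [
    b'{"sensor_id": "PT-0042", "timestamp": "2021-08-09T12:00:00Z", "value": 17.5}',
    b'{"sensor_id": "PT-0042", "timestamp": "2021-08-09T12:00:00Z", "value": 1, "note": "x"}',
    b'{"sensor_id": "PT-0042", "timestamp": "2021-08-09T12:00:00Z", "value": "17.5"}',
    b'{"sensor_id": "PT-0042\x00", "timestamp": "2021-08-09T12:00:00Z", "value": 1}',
    b'{"sensor_id": "PT-0042", "timestamp": "2021-08-09T12:00:00Z", "value": ' + b"9" * 600 + b"}",
]

if __name__ == "__main__":
    r = transfer_one_way(SAMPLE)
    print(f"passed={len(r.passed)} rejected={len(r.rejected)}")
    for raw, reason in r.rejected:
        print(f"  rejected ({reason}): {raw[:40]!r}")
```

The point the model makes is that each layer is narrow and independent: the size and byte-range checks need no parser at all, and the schema check only accepts the exact field set and value formats it was told to expect, so an unexpected field or type is rejected rather than passed along for some downstream system to interpret.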

Because they are intended for the highest-security, highest-risk use cases, cross domain solutions are subject to intense validation and testing. In U.S. military and intelligence security operations, the term “cross domain solution” is used specifically to describe technology that has passed an extremely rigorous testing process administered by the National Cross Domain Strategy Management Office (NCDSMO), a unit of the National Security Agency.

Only CDS products that have been accredited by the NCDSMO can be used for U.S. military and intelligence applications, and products used by the U.S. for those purposes cannot be sold for commercial use. Furthermore, the products may not be exported, with the exception of military and intelligence use by other countries within the “Five Eyes” (the United States, United Kingdom, Australia, New Zealand, and Canada).

However, other cross domain solutions—including products that are functionally equivalent to the technology used by U.S. military and intelligence—are available to foreign military services and critical infrastructure operations. These solutions provide the same capabilities, including content inspection, filtering, and data flow control, but use a different code base than the US-only solutions.

Owl Cyber Defense provides NCDSMO-accredited cross domain solutions for military and intelligence applications, and also manufactures the only exportable, US-validated CDS available for commercial or defense deployments worldwide. For more details on what makes a cross domain solution different, check out our Learn About Cross Domain Solutions page.
