U.S. military and intelligence missions and organizations are increasingly collecting and sharing information over the internet and other networks with varying (or unknown) levels of security. This information sharing is often essential for achieving operational goals, especially in joint and coalition environments. However, sharing data over the internet and other “high threat networks” presents a significant cybersecurity challenge.
In its Raise the Bar guidance, the National Cross Domain Strategy and Management Office (NCDSMO) provides updated standards for protecting secure networks against the risks lurking within high threat networks. Owl Cyber Defense provides an industry-leading line of Cross Domain Solutions that can help military and intelligence organizations meet these new requirements and protect their networks and systems from constantly evolving cyber threats.
Defining “High Threat”
A high threat network is a network in which a known or suspected threat actor is or could be operating. High threat networks may also be networks that lack sufficient cyber security measures, or where the network ownership and security posture is unknown. In a given use case, a high threat network might be the internet, a coalition partner network, or any other network with a lower security classification that is connected to a secure U.S. network.
The use of high threat networks has grown in recent years and is expected to grow further. The NCDSMO’s Raise the Bar guidelines were developed to manage the risks inherent in these connections, and are now impacting missions and organizations that need to transfer data over high threat networks without exposing sensitive information or secure networks to external threats.
Hardware-Enforced Domain Separation
One of the most significant elements in the Raise the Bar guidelines is the requirement that any traffic to or from a high threat network pass over a hardware-enforced one-way transfer mechanism, such as a data diode.
Hardware-enforced one-way transfer minimizes the risk that a threat actor on a high threat network will be able to access or control a secure network. A software-only firewall can be misconfigured or exploited into passing traffic it should block; a data diode enforces direction physically, so its behavior is deterministic and it cannot be made to send data backward across the connection. Note that a diode constrains direction, not content: whatever payload arrives on the receive side still has to be inspected and filtered there.
In addition, transmission protocols are terminated on the “send” side of a data diode, and only the application payload is transferred to the “receive” side. On the “receive” side, a new protocol session is established, so send-side network information such as MAC and IP addresses never appears on the secure network. This protocol break also provides protection against Ripple20-style attacks, which exploit flaws in a TCP/IP stack’s handling of crafted packet headers, options, and fragments rather than anything in the application payload: with a protocol break, the attacker’s headers are consumed on the send side and never reach the receive-side stack.
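The following is an added, simplified model of the protocol break just described; it is illustration code written for this page, not Owl Cyber Defense product code. The send side validates an IPv4/TCP datagram and keeps only the TCP payload, so every header field, option and address stops there; the receive side then re-originates that payload in a freshly built session. All addresses, ports and packet contents (including the sample internet-side packet) are constructed for the example.

```python
"""Simplified model of a protocol break around a one-way transfer.

Added illustration only; not Owl Cyber Defense product code. Addresses,
ports and packet contents are constructed for the example.
"""
import ipaddress
import struct

IPV4_FMT = "!BBHHHBBH4s4s"   # 20-byte IPv4 header without options
TCP_FMT = "!HHIIBBHHH"       # 20-byte TCP header without options


def _checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum; returns 0 over a valid header."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def _ipv4_header(src, dst, total_len, options=b"", ident=0, ttl=64):
    ihl = (20 + len(options)) // 4
    fields = [0x40 | ihl, 0, total_len, ident, 0x4000, ttl, 6, 0,
              ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed]
    fields[7] = _checksum(struct.pack(IPV4_FMT, *fields) + options)
    return struct.pack(IPV4_FMT, *fields) + options


def _tcp_segment(src, dst, sport, dport, seq, ack, payload, options=b""):
    """PSH|ACK segment with a valid checksum over the IPv4 pseudo-header."""
    off = (20 + len(options)) // 4
    hdr = struct.pack(TCP_FMT, sport, dport, seq, ack, off << 4, 0x18, 65535, 0, 0) + options
    pseudo = (ipaddress.IPv4Address(src).packed + ipaddress.IPv4Address(dst).packed
              + struct.pack("!BBH", 0, 6, len(hdr) + len(payload)))
    csum = _checksum(pseudo + hdr + payload)
    return hdr[:16] + struct.pack("!H", csum) + hdr[18:] + payload


def extract_payload(packet: bytes) -> bytes:
    """Send side: terminate the session and keep ONLY the TCP payload.

    Every header field is checked and then discarded here; nothing of the
    sender's addressing, options or flags is passed onward. Anything
    malformed raises ValueError and is dropped before transfer.
    """
    if len(packet) < 20:
        raise ValueError("truncated IPv4 header")
    if packet[0] >> 4 != 4:
        raise ValueError("not IPv4")
    ihl = (packet[0] & 0x0F) * 4
    if ihl < 20 or ihl > len(packet):
        raise ValueError("bad IHL")
    total_len, _ident, flags_frag = struct.unpack("!HHH", packet[2:8])
    if total_len != len(packet):
        raise ValueError("total length does not match datagram")
    if flags_frag & 0x3FFF:   # MF bit or non-zero offset: refuse, never reassemble
        raise ValueError("fragments are refused")
    if packet[9] != 6:
        raise ValueError("not TCP")
    if _checksum(packet[:ihl]) != 0:
        raise ValueError("bad IPv4 header checksum")
    tcp = packet[ihl:]
    if len(tcp) < 20:
        raise ValueError("truncated TCP header")
    data_off = (tcp[12] >> 4) * 4
    if data_off < 20 or data_off > len(tcp):
        raise ValueError("bad TCP data offset")
    return tcp[data_off:]


# Hypothetical receive-side addresses (constructed for the example).
RECV_PROXY, RECV_SERVER = "10.0.0.5", "10.0.0.10"


def reoriginate(payload: bytes, seq: int = 1) -> bytes:
    """Receive side: a brand-new session carries the payload onward."""
    seg = _tcp_segment(RECV_PROXY, RECV_SERVER, 50000, 80, seq, 1, payload)
    return _ipv4_header(RECV_PROXY, RECV_SERVER, 20 + len(seg)) + seg


def protocol_break(untrusted_packet: bytes) -> bytes:
    payload = extract_payload(untrusted_packet)   # send side
    # --- only `payload` crosses the one-way transfer ---
    return reoriginate(payload)                    # receive side


def sample_untrusted_packet() -> bytes:
    """Constructed internet-side packet carrying IP and TCP options."""
    payload = b"GET /report.csv HTTP/1.1\r\nHost: files.example\r\n\r\n"
    seg = _tcp_segment("203.0.113.9", "198.51.100.20", 40123, 80, 1000, 2000,
                       payload, options=b"\x02\x04\x05\xb4")    # MSS option
    ip_opts = b"\x07\x03\x04\x00"    # record-route option bytes, padded
    return _ipv4_header("203.0.113.9", "198.51.100.20", 24 + len(seg),
                        options=ip_opts, ident=0x1234, ttl=53) + seg


def is_rejected(packet: bytes) -> bool:
    """True if the send side drops the datagram instead of forwarding it."""
    try:
        extract_payload(packet)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    inbound = sample_untrusted_packet()
    outbound = protocol_break(inbound)
    print("payload intact:", extract_payload(outbound) == extract_payload(inbound))
    print("sender IP gone:", b"\xcb\x00\x71\x09" not in outbound)
    print("TCP option gone:", b"\x02\x04\x05\xb4" not in outbound)
```

Run it and the sender’s address, IP option and TCP option are absent from the re-originated packet while the payload is byte-for-byte intact; a truncated datagram, a bogus IHL or a fragment is rejected on the send side and never crosses. The point the model makes is also its limit: the payload itself crosses untouched, which is exactly why content filtering still has to run on the receive side.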
RTB-Ready Cross Domain Solutions
All of Owl’s Cross Domain Solutions include a data diode for hardware-enforced one-way data transfer. For use cases requiring bidirectional data flow, two separate data paths, one in each direction and each incorporating its own data diode, enable communication to and from a high threat network without ever creating a single two-way channel.
To learn more about Owl Cross Domain Solutions and how they can help your organization manage the risks of high threat networks, contact us today.