Learn About Cross Domain Solutions

High-Assurance Network Security Solutions

What is a “Cross Domain Solution” (CDS)?

The U.S. National Institute of Standards and Technology (NIST) defines cross domain solutions as:

“A form of controlled interface (a boundary with a set of mechanisms that enforces the security policies and controls the flow of information between interconnected information systems) that provides the ability to manually and/or automatically access and/or transfer information between different security domains.”

Do I Need a CDS?

Are you transferring data between domains that do not trust each other (two or more parties)?

Nearly every organization must deal with sending information to and from their trusted network domain. The average organization has over 300 third-party or external direct connections to their network, not to mention the internet. Cross domain solutions are intended for use in high value networks where insurance-based security measures, such as firewalls, SIEM, and IDS, are not sufficient to ensure the security of the trusted domain.

Do you require content filtering?

“Good enough” is not acceptable for organizations that operate in high risk environments, such as military, critical infrastructure, or intelligence operations. You must have high-assurance security with advanced content filtering to ensure not just the security of your trusted domain, but more importantly, secure information sharing without risk of unauthorized data exposure, data corruption, or data leakage.

Who Uses a CDS?

Cross domain solutions were developed specifically to provide absolute network integrity assurance and data confidentiality to the networks of the U.S. Government, intelligence community (IC), and defense branches. Today, they are also in use in critical infrastructure, commercial, and international defense and intelligence applications, providing secure data transfers between vital networks.

How are CDSs Different?

What distinguishes CDSs from other network security devices, such as firewalls and data diodes, is the combination of security technologies, including bidirectional network- and application-layer traffic and data filtering, trusted operating systems, logging and auditing, and typically a hardware-enforced domain separation (with a data diode), to provide layers of assurance rather than a single checkpoint on network access.
Firewalls

Firewalls are a software-enforced transfer technology that provides protocol separation of network and application infrastructures, through network and protocol filtering. Firewalls are usually based on general purpose operating systems (e.g., Linux, Solaris) and do not provide domain separation capabilities.

Data Diodes

Data diodes are a hardware-enforced one-way transfer technology (e.g., Optical, FPGA) that provides assured separation of network infrastructures. They are a critical technology for eliminating infiltration or exfiltration attack vectors at the network level between network infrastructures, and as such are often utilized within CDSs as an enforcement mechanism.

OWT

One-Way Transfer (OWT) systems are a hardware-enforced one-way transfer technology coupled with a separate software-enforced transfer technology. The source network infrastructure becomes the “Pitcher” and the destination network infrastructure is the “Catcher” for the one-way data flow. OWT can provide network separation and some network, protocol, and content filtering capabilities, but it is typically difficult to configure and usually based on general purpose operating systems (e.g., Linux, Solaris).

Key Security Principles of a CDS

Context-appropriate Security-enforcing Mechanisms
  • Policy enforcement
  • Known-good / whitelisting
  • Content filtering & quarantine
  • Data transformation & normalization
  • DLP
  • Data provenance
  • Protocol break
  • Flow control
Secure Architecture and Design
  • Defense in depth
  • Secure by design
  • Redundant
  • Always-Invoked
  • Non-bypassable
System Assurance and Secure Operation
  • Independent assessments and LBSA
  • Trusted platforms (OS) & components
  • Secure administration
  • Self-protection
  • Secure failure
  • Opaque operation
  • Regular maintenance, training & support

Filtering & Transformation

Data filtering is one of the key differentiators of cross domain solutions from other network security solutions. There are both standard data filters that have been developed by government agencies and standards bodies, and custom filters which can be designed for fit-for-purpose applications. These data filters fall into two categories: Structured and Unstructured.

Structured Content Filtering

Uniform content or “fixed format” messages, including text or schema-based XML, are filtered using a process known as a linear pipeline. This straightforward approach applies a series of filters and checks in order, each separated into isolated, independent tasks, with handoffs from one to the next.

Unstructured Content Filtering

Complex content or unstructured data, e.g., MS Office, PDF, or imagery, is broken down into more basic elements and filtered using a process known as recursive decomposition. This divide and conquer approach involves decomposing data so that it can be inspected using standard content filters. In some cases, custom filters may still be required for specific data formats.

“Known Good”

“Known good” – Security principle similar to whitelisting, in which the system blocks any unexpected data, protocols, ports, etc. and only allows that which is known to be authorized and expected/requested on the appropriate pathway.
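The three ideas above (a linear pipeline of isolated checks for fixed-format messages, recursive decomposition of nested containers into leaf elements, and a known-good allow-list that rejects anything unexpected) can be seen together in one small filter. The code below is an added example written for this page, not the page's or any vendor's filter; the message schema, field rules, bundle format and sample traffic are constructed for illustration.

```python
"""Toy structured-content filter for a one-way transfer: a linear pipeline of
independent checks driven by a known-good schema, quarantine for anything the
policy did not anticipate, and a recursive decomposer that breaks nested
bundles into leaf messages before filtering them.
Added example; the schema, rules and sample messages are constructed."""
from dataclasses import dataclass
import re

# Known-good policy: the only fields that may appear and the only form each
# value may take. This is an allow-list; unlisted content is not "bad", it is
# simply not expected and therefore never released.
SCHEMA = {
    "msg_type": re.compile(r"STATUS|POSITION"),
    "unit_id":  re.compile(r"[A-Z]{2}[0-9]{3}"),
    "lat":      re.compile(r"-?[0-9]{1,2}\.[0-9]{1,6}"),
    "lon":      re.compile(r"-?[0-9]{1,3}\.[0-9]{1,6}"),
    "text":     re.compile(r"[A-Za-z0-9 .,-]{0,64}"),
}
REQUIRED = {"msg_type", "unit_id"}
MAX_DEPTH = 4  # bound on bundle nesting; deeper input fails closed

@dataclass
class Verdict:
    passed: bool
    stage: str          # the pipeline stage that decided
    reason: str = ""
    output: str = ""    # normalized wire form, only when released

def check_shape(msg):
    """Stage 1: a flat dict holding only schema fields, all required ones present."""
    if not isinstance(msg, dict):
        return False, "not a fixed-format message"
    unknown = set(msg) - set(SCHEMA)
    if unknown:
        return False, f"unexpected fields {sorted(unknown)}"
    missing = REQUIRED - set(msg)
    if missing:
        return False, f"missing required fields {sorted(missing)}"
    return True, ""

def check_values(msg):
    """Stage 2: every value is a string matching its known-good pattern."""
    for name, value in msg.items():
        if not isinstance(value, str) or not SCHEMA[name].fullmatch(value):
            return False, f"field {name!r} outside its known-good form"
    return True, ""

def check_consistency(msg):
    """Stage 3: cross-field rule; a POSITION carries lat/lon, a STATUS never does."""
    coords = {"lat", "lon"} & set(msg)
    if msg["msg_type"] == "POSITION" and coords != {"lat", "lon"}:
        return False, "POSITION without both coordinates"
    if msg["msg_type"] == "STATUS" and coords:
        return False, "STATUS carrying coordinates"
    return True, ""

# Each stage is an isolated task; the pipeline hands off in fixed order and
# stops at the first rejecting stage.
PIPELINE = [("shape", check_shape), ("values", check_values),
            ("consistency", check_consistency)]

def normalize(msg):
    """Transformation: re-emit fields in schema order in one canonical text form,
    discarding the sender's field ordering and representation."""
    return ";".join(f"{k}={msg[k]}" for k in SCHEMA if k in msg)

def run_pipeline(msg):
    for stage, check in PIPELINE:
        ok, reason = check(msg)
        if not ok:
            return Verdict(False, stage, reason)
    return Verdict(True, "normalize", output=normalize(msg))

def decompose(obj, depth=0):
    """Recursive decomposition: split a bundle into parts until only leaf
    messages remain, then run each leaf through the linear pipeline."""
    if depth > MAX_DEPTH:
        return [Verdict(False, "decompose", "nesting deeper than allowed")]
    if isinstance(obj, dict) and obj.get("kind") == "bundle":
        verdicts = []
        for part in obj.get("parts", []):
            verdicts.extend(decompose(part, depth + 1))
        return verdicts or [Verdict(False, "decompose", "empty bundle")]
    return [run_pipeline(obj)]

def process(items):
    """Release an item only if every leaf inside it passed; otherwise quarantine
    the whole item, keeping the first failing verdict for the auditor."""
    released, quarantine = [], []
    for item in items:
        verdicts = decompose(item)
        if all(v.passed for v in verdicts):
            released.append([v.output for v in verdicts])
        else:
            quarantine.append(next(v for v in verdicts if not v.passed))
    return released, quarantine

# Constructed sample traffic: a clean position, a clean nested bundle, and
# three messages that each trip a different stage.
SAMPLE = [
    {"msg_type": "POSITION", "unit_id": "AB123", "lon": "-77.0365", "lat": "38.8977"},
    {"kind": "bundle", "parts": [
        {"msg_type": "STATUS", "unit_id": "CD456", "text": "all nominal"},
        {"kind": "bundle", "parts": [{"msg_type": "STATUS", "unit_id": "EF789"}]},
    ]},
    {"msg_type": "STATUS", "unit_id": "AB123", "debug_blob": "0xdeadbeef"},  # unknown field
    {"msg_type": "STATUS", "unit_id": "ab123"},                               # bad value form
    {"msg_type": "POSITION", "unit_id": "GH012"},                             # no coordinates
]

if __name__ == "__main__":
    ok, held = process(SAMPLE)
    print("released:", ok)
    print("quarantined:", [(v.stage, v.reason) for v in held])
```

Two design points carry over to real filters: the decision is made by the policy, not by a search for malicious patterns, so a field nobody anticipated is enough to quarantine; and the released form is rebuilt from the validated fields rather than forwarding the original bytes, which is what “data transformation & normalization” in the principles list above buys you.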

Domain Separation & Protocol Break

In order to assure true domain separation, cross domain solutions incorporate a hardware-enforced network segmentation and protocol break via data diodes. Data flows are transmitted between domains on one-way transfers, with a protocol termination on the send side, and a protocol resume on the receive side.

For bidirectional use cases, the CDS can be configured to route acknowledgements and other data through a separate return path.
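To make the protocol break concrete: nothing of the sender's session (handshake, acknowledgements, retransmission requests) crosses the diode, only self-describing payload frames, so the receive side must detect loss or alteration on its own and fail closed rather than negotiate. The simulation below is an added example, not the page's or any product's implementation; the frame layout, the in-memory “diode”, and the sample object are constructed, and forward redundancy (sending each frame more than once) stands in for the retransmission that a one-way path cannot offer.

```python
"""Toy one-way transfer with a protocol break: the Pitcher terminates the
sender's protocol and emits framed payload bytes; the Catcher rebuilds the
object on the far side with no return path. Added example; frame format and
sample data are constructed for illustration."""
import hashlib
import struct

MAGIC = b"OWT1"
# magic, sha256 of the whole object, object id, frame seq, total frames
HEADER = struct.Struct("!4s32sIII")
CHUNK = 8  # tiny on purpose so a short object spans several frames

def pitch(obj_id, data):
    """Pitcher side: the source session ends here. Only opaque payload leaves,
    in frames that carry everything the far side needs to check completeness
    and integrity without asking questions back."""
    digest = hashlib.sha256(data).digest()
    chunks = [data[i:i + CHUNK] for i in range(0, len(data), CHUNK)] or [b""]
    return [HEADER.pack(MAGIC, digest, obj_id, seq, len(chunks)) + c
            for seq, c in enumerate(chunks)]

class Catcher:
    """Receive side: reassembles objects and resumes the protocol toward the
    destination only for complete, intact objects. It cannot NAK, so anything
    incomplete or altered is logged and discarded."""
    def __init__(self):
        self.partial = {}    # obj_id -> {"digest", "total", "parts": {seq: bytes}}
        self.delivered = {}  # obj_id -> bytes released to the destination network
        self.log = []

    def receive(self, frame):
        if len(frame) < HEADER.size or frame[:4] != MAGIC:
            self.log.append("dropped frame: not a known-good OWT frame")
            return
        _, digest, obj_id, seq, total = HEADER.unpack_from(frame)
        if seq >= total:
            self.log.append(f"obj {obj_id}: bad sequence {seq}/{total}, dropped")
            return
        st = self.partial.setdefault(
            obj_id, {"digest": digest, "total": total, "parts": {}})
        if st["digest"] != digest or st["total"] != total:
            self.log.append(f"obj {obj_id}: conflicting frame metadata, object discarded")
            del self.partial[obj_id]
            return
        st["parts"][seq] = frame[HEADER.size:]  # repeated frames are idempotent
        if len(st["parts"]) == total:
            data = b"".join(st["parts"][i] for i in range(total))
            del self.partial[obj_id]
            if hashlib.sha256(data).digest() == digest:
                self.delivered[obj_id] = data  # protocol resumes here
                self.log.append(f"obj {obj_id}: released {len(data)} bytes")
            else:
                self.log.append(f"obj {obj_id}: digest mismatch, discarded")

    def flush_incomplete(self):
        """End of the receive window: a gap cannot be recovered by asking, so it
        is recorded for the auditor and the partial object is dropped."""
        for obj_id, st in list(self.partial.items()):
            missing = sorted(set(range(st["total"])) - set(st["parts"]))
            self.log.append(f"obj {obj_id}: incomplete, missing frames {missing}, discarded")
            del self.partial[obj_id]

def simulate(lose_frame=None, repeat=1):
    """Push one constructed object across a simulated diode (a list that only
    ever fills from the pitcher). lose_frame drops that frame on the first pass;
    repeat > 1 is the forward redundancy that replaces retransmission."""
    frames = pitch(1, b"fixed-format message crossing the boundary")
    diode = []
    for pass_no in range(repeat):
        for i, f in enumerate(frames):
            if not (pass_no == 0 and i == lose_frame):
                diode.append(f)
    catcher = Catcher()
    for f in diode:
        catcher.receive(f)
    catcher.flush_incomplete()
    return catcher

if __name__ == "__main__":
    for args in ({}, {"lose_frame": 2}, {"lose_frame": 2, "repeat": 2}):
        c = simulate(**args)
        print(args, "->", list(c.delivered), c.log[-1])
```

Running the three scenarios shows the trade the page describes: without a return path a single lost frame costs the whole object (logged, not recovered), a second pass restores it, and a frame whose payload was altered in flight fails the digest check and is discarded rather than delivered. A bidirectional CDS adds the separate return path precisely so that acknowledgements can carry such status back without reopening the forward protocol.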

Defense in Depth

As a cybersecurity best practice for all systems, it’s vital to implement multiple layers of diverse defenses to prevent compromise from a single point of failure. This includes everything from the OS and hardware to the applications and data filters.

“RAIN”

Redundancy

Redundancy, especially within an air-gapped data transfer system, prevents a single side failure from impacting the security controls on the other side of the device.

Always-Invoking

Because the security controls are invoked on every transfer, with no exemption for trusted senders or file types, a threat cannot sneak through under the guise of a trusted file or data stream.

Independent

Each function within the transfer and filtering must be created and implemented independently, so that compromise of a single component or piece of code does not become a single point of failure.

Non-Bypassable

CDS security measures must be non-bypassable, including within the data stream, the device hardware, and the physical environment, or a threat could find and exploit “backdoors” and other circumvention methods.

Trusted Operating System (TOS)

A trusted operating system (TOS) is an operating system that provides layered, multilevel security capabilities. In accredited CDSs, these capabilities must be sufficient to meet the requirements of the National Computer Security Center (NCSC) and the United States Department of Defense.

Unlike regular operating systems, the design of a trusted system is complex and delicate, involving implementation of appropriate and consistent policy features assembled together with a high degree of assurance.

Key features of a TOS include:

  • User identification and authentication
  • Mandatory access control (MAC)
  • Discretionary access control (DAC)
  • Object reuse protection
  • Complete mediation
  • Trusted path
  • Audit
  • Audit log reduction
  • Intrusion detection

Example TOSs include RHEL w/ SELinux, Android w/ SEAndroid, and TrustedSolaris.

Accreditation & Certification

Cross domain solutions are subject to accreditation by the U.S. Government, administered by a unit of the National Security Agency (NSA) called the National Cross Domain Strategy Management Office (NCDSMO).

NCDSMO certification requires a meticulous lab-based security assessment (LBSA) which involves thoroughly testing every aspect of the device. Once passed, the device can be eligible for the “Baseline List” of solutions certified for U.S. intelligence and defense use.

As the testing under the NCDSMO LBSA is far more rigorous than other standards, such as Common Criteria EAL, it typically supersedes any other certifications.

Use Cases

  • H2L (high-to-low transfer)
  • L2H (low-to-high transfer)
  • Bidirectional

Learn More

Want to learn more? Download The Definitive Guide to Cross Domain Solutions! This ebook is intended to help guide you through the various types, technologies, benefits, and uses of cross domain solutions.