Learn About Cross Domain Solutions
High-Assurance Network Security Solutions
What is a “Cross Domain Solution” (CDS)?
The U.S. National Institute of Standards and Technology (NIST) defines cross domain solutions as:
“A form of controlled interface (a boundary with a set of mechanisms that enforces the security policies and controls the flow of information between interconnected information systems) that provides the ability to manually and/or automatically access and/or transfer information between different security domains.”
Do I Need a CDS?
Nearly every organization must deal with sending information to and from their trusted network domain. The average organization has over 300 third-party or external direct connections to their network, not to mention the internet. Cross domain solutions are intended for use in high value networks where insurance-based security measures, such as firewalls, SIEM, and IDS, are not sufficient to ensure the security of the trusted domain.
“Good enough” is not acceptable for organizations that operate in high risk environments, such as military, critical infrastructure, or intelligence operations. You must have high-assurance security with advanced content filtering to ensure not just the security of your trusted domain, but more importantly, secure information sharing without risk of unauthorized data exposure, data corruption, or data leakage.
Cross domain solutions were developed specifically to provide absolute network integrity assurance and data confidentiality to the networks of the U.S. Government, intelligence community (IC), and defense branches. Today, they are also in use in critical infrastructure, commercial, and international defense and intelligence applications, providing secure data transfers between vital networks.
How are CDSs Different?
Firewalls are a software-enforced transfer technology that provides protocol separation of network and application infrastructures, through network and protocol filtering. Firewalls are usually based on general purpose operating systems (e.g., Linux, Solaris) and do not provide domain separation capabilities.
Data diodes are a hardware-enforced one-way transfer technology (e.g., Optical, FPGA) that provides assured separation of network infrastructures. They are a critical technology for eliminating infiltration or exfiltration attack vectors at the network level between network infrastructures, and as such are often utilized within CDSs as an enforcement mechanism.
One-Way Transfer (OWT) systems are hardware-enforced one-way transfer technology coupled with separate software-enforced transfer technology. The source network infrastructure becomes the “Pitcher” and destination network infrastructure is the “Catcher” for the one-way data flow. OWT can provide network separation and some network, protocol, and content filtering capabilities but are typically difficult to configure and usually based on general purpose operating systems (e.g., Linux, Solaris).
Key Security Principles of a CDS
- Policy enforcement
- Known-good / whitelisting
- Content filtering & quarantine
- Data transformation & normalization
- Data provenance
- Protocol break
- Flow control
- Defense in depth
- Secure by design
- Independent assessments and LBSA
- Trusted platforms (OS) & components
- Secure administration
- Secure failure
- Opaque operation
- Regular maintenance, training & support
Filtering & Transformation
Data filtering is one of the key differentiators of cross domain solutions from other network security solutions. There are both standard data filters that have been developed by government agencies and standards bodies, and custom filters which can be designed for fit-for-purpose applications. These data filters fall into two categories: Structured and Unstructured.
Structured Content Filtering
Uniform content or “fixed format” messages, including text or schema-based XML, are filtered using a process known as a linear pipeline. This straightforward approach applies a series of filters and checks in a fixed order, each implemented as an isolated, independent task, with a handoff from one to the next; a message that fails any stage is stopped at that stage rather than passed on.
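The linear pipeline above, as an added illustration that is not code from the original page or any vendor product. The fixed-format “track report” message, its known-good field rules and the three stages are constructed for this example; each stage is an independent function and the first failing stage quarantines the message.

```python
import re
from dataclasses import dataclass
from typing import Callable, List, Tuple

# Constructed known-good rules for a fixed-format "track report":
# every field must be present, and each value must match its rule.
# Anything not listed here is rejected (whitelisting, not blacklisting).
SCHEMA = {
    "msg_type": re.compile(r"^TRACK$"),
    "track_id": re.compile(r"^[A-Z]{2}\d{4}$"),
    "lat": re.compile(r"^-?\d{1,2}\.\d{1,6}$"),
    "lon": re.compile(r"^-?\d{1,3}\.\d{1,6}$"),
    "classification": re.compile(r"^(UNCLASSIFIED|RELEASABLE)$"),
}
MAX_BYTES = 256  # fixed-format messages have a known, small upper size

@dataclass
class Verdict:
    passed: bool
    stage: str        # stage that stopped the message, or "release"
    reason: str = ""

def stage_size(raw: bytes) -> Tuple[bool, str]:
    return len(raw) <= MAX_BYTES, f"{len(raw)} bytes exceeds {MAX_BYTES}"

def stage_charset(raw: bytes) -> Tuple[bool, str]:
    # Only printable ASCII and newline are known-good for this format.
    ok = all(0x20 <= b < 0x7F or b == 0x0A for b in raw)
    return ok, "non-printable or non-ASCII byte present"

def stage_schema(raw: bytes) -> Tuple[bool, str]:
    lines = raw.decode("ascii").splitlines()
    fields = dict(line.split("=", 1) for line in lines if "=" in line)
    if set(fields) != set(SCHEMA):
        unexpected = sorted(set(fields) ^ set(SCHEMA))
        return False, f"unexpected or missing fields: {unexpected}"
    for name, rule in SCHEMA.items():
        if not rule.match(fields[name]):
            return False, f"field {name} failed its known-good rule"
    return True, ""

# Handoff order: cheap structural checks first, content checks last.
PIPELINE: List[Tuple[str, Callable[[bytes], Tuple[bool, str]]]] = [
    ("size", stage_size), ("charset", stage_charset), ("schema", stage_schema)]

def run_pipeline(raw: bytes) -> Verdict:
    for name, stage in PIPELINE:
        ok, reason = stage(raw)
        if not ok:
            return Verdict(False, name, reason)  # quarantine at this stage
    return Verdict(True, "release")

# Constructed sample message that satisfies every rule.
GOOD = b"msg_type=TRACK\ntrack_id=AB1234\nlat=51.5\nlon=-0.1\nclassification=UNCLASSIFIED\n"
```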
Unstructured Content Filtering
Complex content or unstructured data, e.g., MS Office, PDF, or imagery, is broken down into more basic elements and filtered using a process known as recursive decomposition. This divide and conquer approach involves decomposing data so that it can be inspected using standard content filters. In some cases, custom filters may still be required for specific data formats.
“Known good” – Security principle similar to whitelisting, in which the system blocks any unexpected data, protocols, ports, etc. and only allows that which is known to be authorized and expected/requested on the appropriate pathway.
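Recursive decomposition with known-good leaf filters, as an added illustration that is not code from the original page or any vendor product. The container format (nested zip archives), the two leaf types (text and a minimal PNG signature check) and the nesting limit are constructed assumptions; a leaf with no known-good filter, or any failing leaf, quarantines the whole container.

```python
import io
import zipfile
from typing import Callable, Dict, List, Tuple

MAX_DEPTH = 4  # bound recursion so deeply nested containers cannot exhaust the filter

def check_text(data: bytes) -> bool:
    # Known-good text: printable ASCII plus tab and newline only.
    return all(0x20 <= b < 0x7F or b in (0x09, 0x0A) for b in data)

def check_png(data: bytes) -> bool:
    # Minimal structural check: PNG signature and IEND trailer with no trailing bytes.
    return data.startswith(b"\x89PNG\r\n\x1a\n") and data.endswith(b"\x00\x00\x00\x00IEND\xaeB`\x82")

# Only these leaf types are known-good; everything else is blocked.
LEAF_FILTERS: Dict[str, Callable[[bytes], bool]] = {".txt": check_text, ".png": check_png}

Leaf = Tuple[str, bool, str]  # (path, passed, reason)

def decompose(name: str, data: bytes, depth: int = 0) -> List[Leaf]:
    """Break containers into leaves recursively and run the leaf filter on each."""
    if depth > MAX_DEPTH:
        return [(name, False, "nesting depth exceeded")]
    if name.lower().endswith(".zip"):
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                results: List[Leaf] = []
                for info in zf.infolist():
                    results += decompose(f"{name}/{info.filename}", zf.read(info), depth + 1)
                return results
        except zipfile.BadZipFile:
            return [(name, False, "malformed container")]
    base = name.rsplit("/", 1)[-1]
    ext = base[base.rfind("."):].lower() if "." in base else ""
    flt = LEAF_FILTERS.get(ext)
    if flt is None:
        return [(name, False, f"no known-good filter for {ext or 'extensionless'}")]
    ok = flt(data)
    return [(name, ok, "" if ok else "failed leaf filter")]

def filter_container(name: str, data: bytes) -> Tuple[bool, List[Leaf]]:
    """Release only if every leaf passed; otherwise quarantine the whole container."""
    leaves = decompose(name, data)
    return all(ok for _, ok, _ in leaves), leaves

def build_zip(entries: Dict[str, bytes]) -> bytes:
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for n, d in entries.items():
            zf.writestr(n, d)
    return buf.getvalue()

# Constructed sample: an outer archive holding a note and an inner archive.
PNG_OK = b"\x89PNG\r\n\x1a\n" + b"\x00" * 8 + b"\x00\x00\x00\x00IEND\xaeB`\x82"
INNER = build_zip({"logo.png": PNG_OK, "readme.txt": b"hello\n"})
OUTER = build_zip({"note.txt": b"plain text\n", "bundle.zip": INNER})
```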
Domain Separation & Protocol Break
In order to assure true domain separation, cross domain solutions incorporate a hardware-enforced network segmentation and protocol break via data diodes. Data flows are transmitted between domains on one-way transfers, with a protocol termination on the send side, and a protocol resume on the receive side.
For bidirectional use cases, the CDS can be configured to route acknowledgements and other data through a separate return path.
Defense in Depth
Each function within the transfer and filtering path must be designed and implemented independently, so that compromising a single component or piece of code does not create a single point of failure.
CDS security measures must be non-bypassable, including within the data stream, the device hardware, and the physical environment, or a threat could find and exploit “backdoors” and other circumvention methods.
Accreditation & Certification
Cross domain solutions are subject to accreditation by the U.S. Government, administered by a unit of the National Security Agency (NSA) called the National Cross Domain Strategy Management Office (NCDSMO).
NCDSMO certification requires a meticulous lab-based security assessment (LBSA), which involves thoroughly testing every aspect of the device. Once passed, the device becomes eligible for the “Baseline List” of solutions certified for U.S. intelligence and defense use.
As the testing under the NCDSMO LBSA is far more rigorous than other standards, such as Common Criteria EAL, it typically supersedes any other certifications.
Want to learn more? Download The Definitive Guide to Cross Domain Solutions! This ebook is intended to help guide you through the various types, technologies, benefits, and uses of cross domain solutions.