The U.S. and its allies want to empower intelligence users at disparate agencies to share information without accidentally releasing classified data or sacrificing protection from viruses or malicious code. Government organizations are increasingly turning to cross-domain computer servers to link these networks while maintaining sensitivity levels throughout the process of sharing and transmitting information.
Current U.S. security policies require trusted computer systems to independently validate data transferred among top secret, secret, releasable and unclassified networks. These products are known to information experts as trusted guards and high-assurance guards — or guards, for short. The challenge is to make these servers fast and scalable to keep pace with the growing demands for information but with no sacrifice in security.
Before guards, data could be moved from one network to another only by reviewing it manually according to security criteria and then copying cleared data onto CDs or DVDs and loading them onto the other network. This "air gap" solution did not provide the fast, automated data-sharing capabilities required by today's intelligence users. Today's guards must allow data to flow while still providing network separation similar to an air gap.
A guard has three main functions:
• Network separation.
• Mandatory access control.
• Data validation.
A guard separates networks by holding an Internet Protocol address on the high-side network and a separate one on the low-side network. The guard therefore appears as an end node, a server, on each network without making either network visible to the other. A guard specifically does not pass routing information, Dynamic Host Configuration Protocol requests or other control-plane traffic from one network to the other. Rather than forwarding packets, a guard proxies connections: it terminates each session on one side and, if policy allows, opens a new one on the other, restricting the flow of network traffic to a constrained set of IP addresses, ports and protocols.
Mandatory access control
Guards also enforce mandatory access control, or MAC, one of the most enduring concepts in information assurance. Under MAC the system, not the owner of the data, decides every access: each subject (a human user, an application, a system administrator) and each object (a file, a memory region, a network interface) carries a sensitivity label, and the operating system permits an action, such as transmitting or displaying data, only if its policy allows a subject at that label to perform that action on an object at that label. Every action is also attributable to the specific subject that took it. Ensuring that these criteria are met even in the face of programming errors and malicious users typically requires a "trusted" operating system, such as Security-Enhanced Linux (SELinux). A trusted operating system carries label information on all components of the system, including memory, file systems and network interfaces, and provides application programming interfaces that let systems such as guards move data between security levels.
A guard must validate the data passing through it and ensure the data is authorized for transmission. Guards typically enforce different checks depending on the direction the data is flowing.
When data is passed from a higher-classified network to a lower-classified one, the guard ensures that only data authorized at the lower network's security level is passed.
Several methods are used, including:
• Classification rules to independently interrogate the data to determine its classification.
• Verification of existing labels on data.
• Verification of upstream systems' digital signature on data.
The right combination of methods depends on a particular system's data formats and security policies. For moving data from a lower network to a higher one, the primary concern is the prevention of malicious content rather than the leakage of sensitive data.
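To make the three validation methods concrete, here is an added example, written for this page and not taken from Raytheon's High-Speed Guard, of a toy guard policy in Python. It covers the label dominance check from the mandatory access control discussion above, the high-to-low checks (upstream digital signature, verification of the existing label, an independent classification rule based on portion markings) and the low-to-high content filter, plus the constrained flow allowlist a proxying guard enforces. The level ordering (with "RELEASABLE" modelled as a plain level for simplicity), the portion-marking syntax, the shared HMAC key, the content allowlist and the flow allowlist are all assumptions made for illustration; a real guard would take labels from the trusted operating system and verify a public-key signature rather than a shared HMAC key.

```python
import hashlib
import hmac
import re
from dataclasses import dataclass

# Ordered sensitivity levels (assumed). "RELEASABLE" is modelled as a level
# between UNCLASSIFIED and SECRET only for illustration; real systems treat
# releasability as a caveat on top of the classification level.
LEVELS = {"UNCLASSIFIED": 0, "RELEASABLE": 1, "SECRET": 2, "TOP SECRET": 3}

# Portion markings the classification rule looks for in the body (hypothetical
# syntax: "(U)", "(REL)", "(S)", "(TS)").
PORTION_MARKS = {"U": "UNCLASSIFIED", "REL": "RELEASABLE", "S": "SECRET", "TS": "TOP SECRET"}
MARK_RE = re.compile(r"\((U|REL|S|TS)\)")

# Assumed key shared between the upstream labeling system and the guard.
UPSTREAM_KEY = b"example-upstream-hmac-key"


@dataclass(frozen=True)
class Message:
    label: str       # label asserted by the upstream system
    body: str
    signature: str   # hex HMAC-SHA256 over label + "\n" + body


def sign(label, body, key=UPSTREAM_KEY):
    """Stand-in for the upstream system's digital signature."""
    return hmac.new(key, f"{label}\n{body}".encode(), hashlib.sha256).hexdigest()


def dominates(dest, label):
    """True if data labeled 'label' may be released to a network at level 'dest'."""
    return LEVELS[label] <= LEVELS[dest]


def classify(body):
    """Classification rule: the highest portion marking found in the body, or None."""
    found = [PORTION_MARKS[m] for m in MARK_RE.findall(body)]
    return max(found, key=LEVELS.__getitem__) if found else None


def check_high_to_low(msg, dest):
    """Return (allowed, reason) for a transfer from a higher network down to 'dest'."""
    # 1. Verify the upstream system's signature before trusting anything else.
    if not hmac.compare_digest(msg.signature, sign(msg.label, msg.body)):
        return False, "bad upstream signature"
    # 2. Verify the existing label against the destination level.
    if msg.label not in LEVELS:
        return False, "unknown label"
    if not dominates(dest, msg.label):
        return False, f"label {msg.label} exceeds {dest}"
    # 3. Independently interrogate the content; it must not exceed the label.
    derived = classify(msg.body)
    if derived is None:
        return False, "no portion marking found"
    if LEVELS[derived] > LEVELS[msg.label]:
        return False, f"content marked {derived} but labeled {msg.label}"
    return True, "ok"


# Low-to-high: the concern is malicious content, so validate format, not labels.
ALLOWED_CONTENT = {"text/plain", "application/xml"}   # assumed allowlist
MAX_BYTES = 1_000_000
PRINTABLE = re.compile(r"^[\x09\x0a\x0d\x20-\x7e]*$")


def check_low_to_high(content_type, body):
    """Return (allowed, reason) for a transfer from a lower network upward."""
    if content_type not in ALLOWED_CONTENT:
        return False, "content type not allowed"
    if len(body.encode()) > MAX_BYTES:
        return False, "too large"
    if not PRINTABLE.match(body):
        return False, "non-printable bytes"
    return True, "ok"


# Proxy allowlist: the constrained set of (address, port, protocol) a guard
# will open a connection to on the far side (assumed values).
ALLOWED_FLOWS = {("10.20.0.5", 443, "tcp"), ("10.20.0.7", 21, "tcp")}


def flow_allowed(dst, port, proto):
    return (dst, port, proto) in ALLOWED_FLOWS


if __name__ == "__main__":
    # Constructed sample message: correctly labeled SECRET, signed upstream.
    body = "(S) Target coordinates follow."
    msg = Message("SECRET", body, sign("SECRET", body))
    print(check_high_to_low(msg, "SECRET"))         # allowed
    print(check_high_to_low(msg, "UNCLASSIFIED"))   # label exceeds destination
    print(check_low_to_high("text/plain", "report"))
```

The order of the checks matters: the signature is verified first so that a forged label or body is never consulted, and the classification rule is compared against the label rather than the destination so that a mislabeled message is rejected even when both levels would otherwise be releasable.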
Raytheon High-Speed Guard 3.0
Raytheon entered the cross-domain arena in the late 1990s when a government organization approached the company's information assurance team about fielding a system to meet new security requirements. At the time, no solutions could adequately satisfy the program's requirements, so the team began to develop the High-Speed Guard.
Since that time, Raytheon has expanded the team to 32 engineers who support more than 35 diverse deployments of approximately 190 systems.
With such a wide deployment base, the team has encountered many different requirements and customer concerns. A large focus continues to be placed on the timely delivery of large data files. Raytheon has focused significant effort on performance to ensure that the High-Speed Guard continues to satisfy customer needs. While initial High-Speed Guards managed 870 megabits per second over 1-gigabit networks, the latest High-Speed Guard 3.0 supports more than 9 gigabits per second over 10-gigabit networks.
To achieve these performance milestones, Raytheon focused on high-performance networking and inter-process communications, in addition to the usual focus on secure coding and flexible capabilities. Long hours in the labs provided insights into low-level network driver settings and network code optimization. The team used high-performance, event-driven process models and a back-to-basics coding style to squeeze out the last few optimizations.
Improvements in the security of mainstream operating systems have also benefited the cross-domain community. Instead of trusted operating systems tied to specific hardware platforms, guards can now be built on more common systems such as Red Hat Enterprise Linux, which ships with SELinux, allowing commodity x86 servers to be used and yielding considerable hardware cost savings for customers.
High-Speed Guard 3.0 sustains full transfer rates on dual-processor commercial off-the-shelf servers running Red Hat Enterprise Linux 5 with a strict Security-Enhanced Linux policy. It also includes built-in support for Web services over Hypertext Transfer Protocol (HTTP), and enables real-time video streaming while providing control and auditing of video streams through its MPEG-2 and MPEG-4 parsing capability.
Earlier this year, the Raytheon High-Speed Guard was added to the list of cross-domain technologies maintained by the U.S. Unified Cross Domain Management Office, an organization formed in 2006 to coordinate and oversee cross-domain initiatives by the defense and intelligence communities.
The baseline list details cross-domain technologies that are in place, have a government sponsor and carry a minimum three-year life-cycle support agreement.
The need to share intelligence has become one of our critical customer requirements. Data collected at higher security levels is typically processed into intelligence meant to be shared at lower security levels, including releasable data for coalition partners. Command-and-control systems in the field require automated access to higher security level tasking and reporting systems.
Current guard systems are typically limited to predefined, fixed-format data types. As customers adopt such current commercial approaches as service-oriented architectures (SOA), they introduce significant challenges for secure cross-domain implementations. Key challenges include evolving standards and new transport protocols for guards, such as Simple Object Access Protocol (SOAP) over HTTP.
The Raytheon High-Speed Guard team began addressing these challenges in 2007 by providing the cross-domain solution for that year's Empire Challenge intelligence-sharing demonstration. Raytheon remains involved in Empire Challenge and will provide a full range of two-way, cross-domain information exchange at the 2010 demonstration, which concludes Aug. 13 at Fort Huachuca, Ariz. The cross-domain transfers are expected to number in the hundreds of thousands and will include traditional file transfers, live streaming video and Web service transactions via SOAP messages transmitted over HTTP.
Empire Challenge's focus on networking in a coalition environment has demonstrated the need for high-performance data sharing. It also allows developers to get feedback directly from the end users during very realistic scenarios.
At Empire Challenge 2007, U.S. officials began demonstrating the cross-domain technique for sharing information among the Distributed Common Ground System (DCGS) intelligence networks operated by the U.S. military. The main DCGS software stack, called the DCGS Integration Backbone (DIB), creates a metadata catalog summarizing the content of the data housed at the various DCGS sites. The DIB software exposes the contents of the data to intelligence analysts at DCGS sites while keeping the actual files stored safely away. When analysts enter queries, guards at each DCGS site decide which data can be transmitted across the security domains. Sharing was fairly limited in the 2007 demonstration, but cross-domain federation worked well in more challenging demonstrations in 2008 and 2009. Based on these demonstrations, we expect the U.S. to deploy the Cross Domain Federation Service in support of the war fighter.
With SOA Web services becoming the standard for new systems for our customers, Raytheon was awarded one of two 12-month proof-of-concept contracts to develop the next generation of cross-domain systems for another Defense Department customer. The Distributed SOA-Compatible Cross Domain Service program seeks to define a cross-domain system capable of supporting entire enterprises via a system of scalable cross-domain services accessed as Web services.
Looking to the future, Raytheon is supporting university research on natural language processing, including automatically extracting structured or semistructured information from unstructured data, and automatic data classification, assigning a level of sensitivity to data as it is created, amended, enhanced, stored or transmitted. Breakthroughs in these areas are key to further streamlining cross-domain transfer validations by creating cost-effective and accurate data classification mechanisms.
Kevin Cariker is the technology lead for Raytheon's information assurance products. Jason Ostermann is the High-Speed Guard chief engineer at Raytheon.