Cross Domain Solutions enable strictly controlled and filtered information exchange between domains with different security or protection needs, for instance databases, servers, applications, or combinations thereof. But there are different kinds of Cross Domain Solutions – unidirectional and bidirectional. In this know-how, we clarify the differences and the functionalities of the solutions.
What is a Cross Domain Solution?
Cross Domain Solutions (CDS) address the concept of communicating, sharing, or moving information between domains and apply validation, transformation and filtering to the exchange.
The purpose is to apply strict information-level control of information transfers, whereas highly assured security addresses cybersecurity threats such as manipulation, data leakage and intrusion.
How does a Cross Domain Solution work?
Cross Domain Solutions include three types of information exchange principles:
- Bidirectional, to tailor the information exchange in both directions.
- Unidirectional, to ensure the integrity or confidentiality of domains.
- Airgap between systems, using manual transfer and control of the information.
Bidirectional information exchange
Bidirectional gateways allow for a strictly controlled, two-way, filtered information flow. They use filters in both directions, and information is always controlled using full message inspection. The filter can allow information to pass depending on several factors, e.g. source/destination addresses, file formats, attributes or the presence of a digital signature.
Unidirectional information exchange
For unidirectional information exchange, a data diode can be used. Guaranteeing a unidirectional flow of information means sensitive information can be transferred without jeopardising the integrity or the confidentiality of the network, depending on how the data diode is used. Another benefit lies in the technology of a data diode: being hardware-based rather than software-based, it cannot be attacked by malicious code, and intrusion is thereby prevented. A data diode allows you to transfer the data without putting the security of the network at risk.
Data diodes are the failsafe way to protect sensitive systems and confidential data. Data diodes are hardware devices, also called "unidirectional security gateways", which sit between two networks. Working like a check valve, the function of a data diode is to allow all data to pass in the forward direction, while blocking all data in the reverse direction. The built-in fibre-optic connection, and the fact that the internal receiver cannot transmit, make it physically impossible for data to travel in the opposite direction. And as it is not software, it cannot be directly attacked by malicious code, which results in high assurance.
A high assurance data diode protects assets for operators within critical infrastructure (ICS/SCADA) and defence industries. However, along with digitalisation and the increase of sophisticated cyberattacks, every organisation that operates with sensitive information has great use of a data diode to protect its valuable information and securely exchange data.
To be able to communicate with bidirectional protocols, proxy services are needed. The proxy services convert bidirectional protocols into unidirectional protocols, so that the data can be transferred over the data diode. By using a proxy service, Advenica's SecuriCDS data diode can handle common communication protocols. Such services translate these protocols into unidirectional protocols, offering you data communication with the impenetrable security of one-directional hardware.
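The proxy pair below is an added example, not Advenica's or SecuriCDS's code, showing what "converting a bidirectional protocol into a unidirectional one" has to deal with: once the file has been handed over on the sending side, the receiving side has no return path, so it can neither acknowledge frames nor ask for a retransmission. The sender therefore numbers each chunk and hashes it, and the receiver reports gaps and corruption instead of requesting them again. The OneWayChannel, the frame format and the 40-byte sample file are all constructed for this illustration.

```python
"""Added example (not Advenica's code): a proxy pair that turns a bidirectional
file transfer into one-way frames suitable for a data diode. Because the
receiver has no return path, it cannot ACK or request retransmission, so the
sender attaches sequence numbers and per-chunk hashes and the receiver reports
gaps and corruption instead. The channel and framing are constructed here."""
import hashlib
import json
from dataclasses import dataclass, field


@dataclass
class OneWayChannel:
    """Stand-in for the diode link: frames can only be appended by the sender.
    No method exists for the receiving side to send anything back."""
    frames: list = field(default_factory=list)

    def send(self, frame: bytes) -> None:
        self.frames.append(frame)


def frame_chunk(seq: int, total: int, name: str, chunk: bytes) -> bytes:
    """One frame = one JSON header line followed by the raw chunk bytes."""
    header = {"seq": seq, "total": total, "name": name,
              "sha256": hashlib.sha256(chunk).hexdigest()}
    return json.dumps(header).encode() + b"\n" + chunk


def sending_proxy(channel: OneWayChannel, name: str, data: bytes,
                  chunk_size: int = 16) -> int:
    """Upstream half: takes a complete file from the bidirectional side and
    pushes it as numbered frames. Returns the number of frames sent."""
    chunks = [data[i:i + chunk_size] for i in range(0, len(data), chunk_size)] or [b""]
    for seq, chunk in enumerate(chunks):
        channel.send(frame_chunk(seq, len(chunks), name, chunk))
    return len(chunks)


def receiving_proxy(frames: list) -> dict:
    """Downstream half: reassembles whatever arrived. Missing or corrupt
    sequence numbers are reported; they cannot be requested again."""
    received, corrupt, total, name = {}, [], 0, None
    for frame in frames:
        header_bytes, _, chunk = frame.partition(b"\n")  # header carries no raw newline
        header = json.loads(header_bytes)
        total, name = header["total"], header["name"]
        if hashlib.sha256(chunk).hexdigest() != header["sha256"]:
            corrupt.append(header["seq"])
            continue
        received[header["seq"]] = chunk
    missing = [s for s in range(total) if s not in received and s not in corrupt]
    complete = not missing and not corrupt
    data = b"".join(received[s] for s in range(total)) if complete else None
    return {"name": name, "data": data, "missing": missing, "corrupt": corrupt}


def run_demo() -> dict:
    """Constructed input: a 40-byte 'file' transferred intact, then with one
    frame lost on the link, then with one frame corrupted."""
    payload = b"0123456789" * 4  # 40 bytes -> 3 frames at 16 bytes each
    ch = OneWayChannel()
    sending_proxy(ch, "telemetry.csv", payload)
    intact = receiving_proxy(ch.frames)
    lost = receiving_proxy(ch.frames[:1] + ch.frames[2:])       # frame 1 never arrives
    bad = ch.frames[1][:-1] + bytes([ch.frames[1][-1] ^ 0xFF])  # last data byte flipped
    corrupted = receiving_proxy([ch.frames[0], bad, ch.frames[2]])
    return {"intact": intact, "lost": lost, "corrupted": corrupted}


if __name__ == "__main__":
    for case, result in run_demo().items():
        print(case, "complete" if result["data"] else "incomplete",
              "missing:", result["missing"], "corrupt:", result["corrupt"])
```

The design point is that all reliability work moves to the edges: real diode proxies add redundancy (repeated sends or forward error correction) on the sending side for the same reason, because the receiving side can only detect a loss, never recover it by asking.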
A Security Gateway can be compared to a firewall, as it regulates what traffic can enter and exit a network. A firewall is a device whose purpose is to protect your network by blocking known bad traffic from entering or exiting. It monitors packets and filters them based on its configuration.
With a firewall, it is difficult to know exactly what information is being exported from or imported into the system. Organisations that have sensitive and confidential information and that operate in critical infrastructure, the public sector or the defence industry need their networks to maintain a higher level of security. That is why additional solutions to a firewall are needed, such as a high-assurance Security Gateway.
A Security Gateway only forwards received information when it complies with a certain policy which is derived from your organisation's information security policy. The policy implemented in the Security Gateway defines accepted structures, formats, types, values, and even digital signatures. When a message is sent from one security domain to another across the Security Gateway, information in the message is analysed and validated according to the configured policy. Approved parts of the received message are put into a new message which is sent to the intended receiver in the other domain. In this way, you know that only allowlisted information crosses this boundary.
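The block below is an added example, not ZoneGuard's implementation, that demonstrates the filtering principle from the bidirectional gateway section (allow on attributes, values and a signature) together with the Security Gateway behaviour just described: the message is parsed, its signature verified, every field checked against a policy, and a brand-new message assembled from the approved fields only. The policy, the shared key and the messages are constructed for this illustration, and an HMAC stands in for the digital signature the text mentions.

```python
"""Added example (not ZoneGuard's implementation): a minimal Security Gateway
check. A message is parsed, its signature verified, each field validated
against a policy, and a *new* message is built from the approved fields only;
anything not in the policy is never forwarded. The policy, the shared key and
the messages are constructed for this example, and an HMAC stands in for the
digital signature the text mentions."""
import hashlib
import hmac
import json

# Hypothetical policy: allowed fields with type and value constraints.
# Fields not listed here are dropped even if the sender signed them.
POLICY = {
    "source":    {"type": str,   "allowed": {"plant-a", "plant-b"}},
    "metric":    {"type": str,   "allowed": {"temperature", "pressure"}},
    "value":     {"type": float, "min": -50.0, "max": 500.0},
    "timestamp": {"type": str,   "max_len": 25},
}
SHARED_KEY = b"constructed-demo-key"  # a managed signing key in a real deployment


def canonical(fields: dict) -> bytes:
    """Deterministic encoding so sender and gateway sign/verify the same bytes."""
    return json.dumps(fields, sort_keys=True, separators=(",", ":")).encode()


def sign(fields: dict, key: bytes = SHARED_KEY) -> str:
    return hmac.new(key, canonical(fields), hashlib.sha256).hexdigest()


def build_message(body: dict, signed: bool = True) -> bytes:
    """Sender side helper for the demo: attach a signature over the body."""
    msg = dict(body)
    if signed:
        msg["signature"] = sign(body)
    return json.dumps(msg).encode()


def check_field(name: str, value, rule: dict):
    """Return None if the value satisfies the rule, otherwise a reason string."""
    if rule["type"] is float:
        if isinstance(value, bool) or not isinstance(value, (int, float)):
            return f"{name}: not a number"
    elif not isinstance(value, rule["type"]):
        return f"{name}: wrong type"
    if "allowed" in rule and value not in rule["allowed"]:
        return f"{name}: value not in allowed set"
    if "min" in rule and value < rule["min"]:
        return f"{name}: below minimum"
    if "max" in rule and value > rule["max"]:
        return f"{name}: above maximum"
    if "max_len" in rule and len(value) > rule["max_len"]:
        return f"{name}: too long"
    return None


def gateway(raw: bytes) -> dict:
    """Validate one message. Returns the rebuilt message (bytes) or None,
    plus the list of policy violations found."""
    try:
        msg = json.loads(raw)
    except ValueError:
        return {"forwarded": None, "rejected": ["not valid JSON"]}
    if not isinstance(msg, dict):
        return {"forwarded": None, "rejected": ["not a JSON object"]}
    body = {k: v for k, v in msg.items() if k != "signature"}
    reasons = []
    sig = msg.get("signature")
    if not isinstance(sig, str) or not hmac.compare_digest(sig.encode(), sign(body).encode()):
        reasons.append("signature missing or invalid")
    for name, rule in POLICY.items():
        if name not in body:
            reasons.append(f"{name}: required field missing")
        else:
            err = check_field(name, body[name], rule)
            if err:
                reasons.append(err)
    if reasons:
        return {"forwarded": None, "rejected": reasons}
    # Rebuild from scratch: only policy fields, normalised, in canonical form.
    # The received object itself is never forwarded to the other domain.
    clean = {n: (float(body[n]) if POLICY[n]["type"] is float else body[n]) for n in POLICY}
    return {"forwarded": canonical(clean), "rejected": []}


if __name__ == "__main__":
    sample = {"source": "plant-a", "metric": "temperature", "value": 21.5,
              "timestamp": "2024-01-01T00:00:00Z", "comment": "<script>alert(1)</script>"}
    print(gateway(build_message(sample)))
    print(gateway(build_message(sample, signed=False)))
```

Note the two-step structure: verification comes first (is this message genuine and does every required field satisfy the policy), and only then is an output message constructed from allowlisted fields. The unlisted "comment" field is discarded even though the sender signed it, which is what makes the boundary enforce the policy rather than the sender's intent.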