What is a Cross Domain Solution?

Cross Domain Solutions enable strictly controlled and filtered information exchange between domains with different security or protection needs, for instance databases, servers, applications, or combinations thereof. But there are different kinds of Cross Domain Solutions – unidirectional and bidirectional. In this know-how, we clarify the differences and the functionalities of the solutions.

What is a Cross Domain Solution?

Cross Domain Solutions (CDS) address the concept of communicating, sharing, or moving information between domains and apply validation, transformation and filtering to the exchange.

The purpose is to apply strict, information-level control to every transfer, while high-assurance security addresses cybersecurity threats such as manipulation, data leakage and intrusion.

How does a Cross Domain Solution work?

Cross Domain Solutions build on three information exchange principles:

  • Bidirectional, to tailor the information exchange in both directions.
  • Unidirectional, to ensure the integrity or the confidentiality of a domain.
  • Air gap between systems, using manual transfer and control of the information.

Bidirectional information exchange

Bidirectional gateways allow a strictly controlled, filtered two-way information flow. They use filters in both directions, and information is always controlled using full message inspection. A filter can allow information to pass depending on several factors, e.g. source/destination addresses, file formats, attributes or the presence of a digital signature.

Unidirectional information exchange

For unidirectional information exchange, a data diode can be used. Guaranteeing a one-way flow of information means sensitive information can be transferred without jeopardising the integrity or the confidentiality of the network, depending on which direction the data diode is used in. Another benefit lies in the technology of a data diode itself: being hardware-based rather than software-based, it cannot be attacked by malicious code, and intrusion is thereby prevented. A data diode allows you to transfer the data without putting the security of the network at risk.

Data diodes

Data diodes are the failsafe way to protect sensitive systems and confidential data. Data diodes are hardware devices, also called “unidirectional security gateways”, which sit between two networks. Working like a check valve, a data diode allows all data to pass in the forward direction while blocking all data in the reverse direction. The built-in fibre-optic connection, and the fact that the internal receiver cannot transmit, make it physically impossible for data to travel in the opposite direction. And as it is not software, it cannot be directly attacked by malicious code, which results in high assurance.

A high-assurance data diode protects assets for operators within critical infrastructure (ICS/SCADA) and the defence industry. However, with digitalisation and the increase in sophisticated cyberattacks, every organisation that handles sensitive information can benefit greatly from a data diode to protect its valuable information and exchange data securely.

To be able to communicate with bidirectional protocols, proxy services are needed. The proxy services convert bidirectional protocols into unidirectional protocols so that the data can be transferred over the data diode. By using proxy services, Advenica’s SecuriCDS data diode can handle common communication protocols, offering you data communication with the impenetrable security of one-directional hardware.
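To show what such a proxy has to cope with once the return path is physically gone, here is an added Python example (not Advenica’s SecuriCDS proxy or its protocol): a sender-side proxy frames a byte stream with sequence numbers and hashes, a simulated one-way channel drops some frames and can never carry an acknowledgement back, and the receiver-side proxy verifies, de-duplicates and reports the gaps it has no way to ask to have refilled. The frame layout, repeat count and drop pattern are assumptions for this example.

```python
import hashlib
import struct

# Frame header: seq (u32), total frame count (u32), payload length (u16), SHA-256 digest.
# This framing is a constructed illustration, not a real product protocol.
HEADER = struct.Struct("!IIH32s")


def split_into_frames(blob: bytes, chunk: int = 16) -> list:
    """Sender-side proxy: turn a stream into self-describing one-way frames."""
    parts = [blob[i:i + chunk] for i in range(0, len(blob), chunk)]
    return [HEADER.pack(seq, len(parts), len(p), hashlib.sha256(p).digest()) + p
            for seq, p in enumerate(parts)]


def send_over_diode(frames: list, repeats: int = 2, drop_every: int = 0) -> list:
    """Simulated diode: strictly one-way, may lose frames, carries nothing back.
    No ACK or NACK can ever return, so the sender blindly repeats each frame."""
    delivered, t = [], 0
    for frame in frames:
        for _ in range(repeats):
            if not (drop_every and t % drop_every == 0):
                delivered.append(frame)       # deterministic stand-in for frame loss
            t += 1
    return delivered


def reassemble(received: list) -> tuple:
    """Receiver-side proxy: verify, de-duplicate, and report gaps it cannot refill."""
    chunks, total = {}, 0
    for frame in received:
        if len(frame) < HEADER.size:
            continue                          # too short to carry a header: discard
        seq, frame_total, length, digest = HEADER.unpack_from(frame)
        part = frame[HEADER.size:HEADER.size + length]
        if len(part) != length or hashlib.sha256(part).digest() != digest:
            continue                          # truncated or corrupted: discard
        total = frame_total                   # trust the count only from verified frames
        chunks.setdefault(seq, part)          # duplicates from repeats are ignored
    missing = [s for s in range(total) if s not in chunks]
    data = b"".join(chunks[s] for s in range(total) if s in chunks)
    return data, missing
```

Because the receiver can only log the gaps, the repeat count is the sender’s only lever against loss; a real proxy would typically add forward error correction instead of plain repetition.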

Strengths with a data diode

There are several strengths of a data diode:

  • Its ability to ensure security in insecure systems, and to protect and preserve legacy systems. By using data diodes, legacy systems can be protected without overhauling the entire operational system.
  • Its hardware nature. By using a hardware system, data diodes remove, to a large extent, the possibility of user error.
  • Its low long-term operating costs. After the initial investment in purchase and system integration, the savings in maintenance and administration costs make the data diode an efficient network security solution in the long run.
  • The way it reduces cybersecurity risk. The diode’s strict properties mean that you can completely rule out certain types of risk if you use a diode. For example, you know that the network cannot leak information, and can thus focus only on managing risks relating to privacy and malware.

Read more about Advenica’s data diodes!

Use Cases where data diodes can be used

Here are some use cases where data diodes can be used to increase security:

  • importing and exporting files between different zones
  • connecting an integrity-sensitive OT system to other systems
  • centralised log collection in security-sensitive systems
  • transferring critical information, e.g. from a SCADA system to an administrative office network
  • Windows and Linux system updates

Read more about the different Use Cases.

Security gateways

A Security Gateway can be compared to a firewall in that it regulates what traffic can enter and exit a network. A firewall is a device whose purpose is to protect your network by blocking only known bad traffic from entering or exiting. It monitors and filters packets based on its configuration.

With a firewall, it is difficult to know exactly what information is being exported from or imported into the system. Organisations that handle sensitive and confidential information and that operate in critical infrastructure, the public sector or the defence industry need their networks to maintain a higher level of security. That is why solutions in addition to a firewall are needed, such as a high-assurance Security Gateway.

A Security Gateway only forwards received information when it complies with a certain policy which is derived from your organisation’s information security policy. The policy implemented in the Security Gateway defines accepted structures, formats, types, values, and even digital signatures. When a message is sent from one security domain to another across the Security Gateway, information in the message is analysed and validated according to the configured policy. Approved parts of the received message are put into a new message which is sent to the intended receiver in the other domain. In this way, you know that only allowlisted information crosses this boundary.

What is the difference between a Security Gateway and a firewall?

A Security Gateway can be compared to a firewall in that it regulates what traffic can enter and exit a network. One way to explain the difference between a Security Gateway and a firewall is to picture an airport. The firewall would be the check-in desk, where a simple check is performed, such as identity and ticket control. The Security Gateway would be the security control, where you are scrutinised more closely: your bags are looked through, you go through a body search, and so on.

For some types of businesses, a firewall is simply not enough.

With a firewall, it is difficult to know exactly what information is being exported from or imported into the system. A firewall configuration often becomes complex, which increases the risk of misconfiguration. Firewalls also do not separate administration from the data flow in a way that protects the information from insiders. Organisations that handle sensitive and confidential information and that operate in critical infrastructure, the public sector or the defence industry need their networks to maintain a higher level of security. That is why solutions in addition to a firewall are needed.

Do you want to know more about when you need stronger protection than a firewall? Read our White Paper!

Do you want to know more about what products and solutions we can offer? Read more here!

Learn more about our data diodes and about our ZoneGuard!
