CDSE Workshop: CDS Concepts and Definitions
Elaine M. Caddick, Principal Cybersecurity Engineer
19 July 2016
Approved for Public Release; Distribution Unlimited. Case Number 16-2506
2016 The MITRE Corporation. All rights reserved.
First, Some Definitions

Information Security Policy: Aggregate of directives, regulations, rules, and practices that prescribe how an organization manages, protects, and distributes information. (CNSSI No. 4009)

Security Domain: A collection of entities to which applies a single security policy executed by a single authority. (FIPS 188)

Sources: FIPS PUB 188, Standard Security Label for Information Transfer, 6 September 1994; CNSSI No. 4009, Committee on National Security Systems (CNSS) Glossary, 6 April 2015
What is a Cross Domain Solution (CDS)?

Controlled Interface: A boundary with a set of mechanisms that enforces the security policies and controls the flow of information between interconnected information systems. (CNSSI No. 4009)

Cross Domain Solution (CDS): A form of controlled interface that provides the ability to manually and/or automatically access and/or transfer information between different security domains. (CNSSI No. 4009)

(Diagram: Controlled Interface branches into Firewall and CDS; CDS branches into Transfer, Access, and Multilevel.)

Source: CNSSI No. 4009, Committee on National Security Systems (CNSS) Glossary, 6 April 2015
Wide Range of Controlled Interfaces
Types of CDSs

Data Transfer Solutions: A Transfer CDS facilitates the movement of data between information systems operating in different security domains.
Examples: Information Support Server Environment (ISSE) Guard, Radiant Mercury (RM) Guard, Raytheon High Speed Guard (HSG)

Access Solutions: A cross domain solution that provides access to a computing platform, application, or data residing on different security domains from a single device, without any data transfer between the various domains.
Examples: Raytheon Trusted Thin Client (TTC), AFRL SecureView (SV)

Multi-Level Solutions: A Multi-level CDS uses trusted labeling to store data at different classifications and allows users to access the data based upon their security domain and credentials.
Examples: Oracle Cross Domain Security Express (CDSE), General Dynamics Trusted Network Environment (TNE)

Source: UCDSMO definitions and CNSSI No. 4009, Committee on National Security Systems (CNSS) Glossary, 6 April 2015
CDS Functionality

Provides the ability to access and/or transfer electronic data between two or more differing security domains.

- User and service functionality: extend mission functions to operate across domains
- Provide protection: prevents leakage of data from the high side to the low side; defends against attacks from the low side; maintains separation of the security domains
- Mitigate risk: loss of confidentiality, integrity and availability
- Components of a larger functional architecture
Other CDS Capabilities

Capabilities may include:
- Filtering - eliminate data based on pre-defined criteria (e.g., data type, classification)
- Keyword Search - search for "dirty words"; "clean word" capabilities emerging
- Integrity Checks - verify that data has not been modified
- Transliteration - reformat data
- Sanitization - remove or edit sensitive data so that the resulting data is less sensitive
- Regrading - changes to sensitivity labels (i.e., classification and caveats)
- Malicious Code Checks - check for the presence of viruses
- Cleaning - remove background data, remove active content, remove malicious content
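As an added illustration (not code from the briefing or from any of the products named), the following constructed filter chain shows how several of the capabilities above compose in a transfer CDS leaving a higher domain: an integrity check, data-type filtering, a regrading check against the destination domain's level, a dirty-word search, and cleaning of active content. The labels, word list, message format and hypothetical helper names are all assumptions.

```python
import hashlib
import re

# Constructed policy inputs (assumed, not from the briefing).
LEVELS = {"UNCLASSIFIED": 0, "CONFIDENTIAL": 1, "SECRET": 2}
ALLOWED_TYPES = {"text/plain", "text/html"}        # filtering criterion
DIRTY_WORDS = {"codeword-alpha", "project-omega"}   # constructed dirty-word list
ACTIVE_CONTENT = re.compile(r"<script\b.*?</script>", re.I | re.S)


def integrity_ok(body: bytes, expected_sha256: str) -> bool:
    """Integrity check: the body must match the digest supplied with it."""
    return hashlib.sha256(body).hexdigest() == expected_sha256


def guard_transfer(msg: dict, dest_level: str) -> tuple[str, str, list[str]]:
    """Run the filter chain on one message. Returns (decision, cleaned_body, reasons).
    Any failed check rejects the whole message; the guard never downgrades silently."""
    body = msg["body"]
    reasons = []
    if not integrity_ok(body, msg["sha256"]):
        return "REJECT", "", ["integrity check failed"]
    if msg["type"] not in ALLOWED_TYPES:                       # filtering
        return "REJECT", "", [f"type {msg['type']} not permitted"]
    # Regrading check: the label must already be at or below the destination level.
    if LEVELS[msg["label"]] > LEVELS[dest_level]:
        return "REJECT", "", [f"label {msg['label']} exceeds {dest_level}"]
    text = body.decode("utf-8", errors="replace")
    hits = [w for w in DIRTY_WORDS if w in text.lower()]      # keyword search
    if hits:
        return "REJECT", "", [f"dirty word(s): {', '.join(sorted(hits))}"]
    cleaned, n = ACTIVE_CONTENT.subn("", text)                # cleaning
    if n:
        reasons.append(f"removed {n} active-content block(s)")
    return "ALLOW", cleaned, reasons


def make_msg(label: str, mtype: str, body: bytes) -> dict:
    """Hypothetical sender-side helper: attach label, type and integrity digest."""
    return {"label": label, "type": mtype, "body": body,
            "sha256": hashlib.sha256(body).hexdigest()}
```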
CDS versus Firewall

CDS:
- Generally implemented on a trusted platform
- Connects domains at different levels
- Opens doors that are normally closed
- Prevents data leakage
- Filters data at the application level
- Few services allowed through (e.g., E-mail, messages, file transfer)
- Often no IP forwarding
- Performs downgrading

Firewall:
- Not generally implemented on a trusted platform
- Connects domains at the same level
- Closes doors that are normally open
- Controls network services
- Filters packets at the protocol level; may proxy packets at the application level
- More services allowed through (e.g., file transfer, E-mail, TELNET, HTTP)
- Some types offer IP forwarding
- No downgrading performed, because none is required
Controlled Interface Comparison

Feature                      Stateful Firewalls   Next Generation Firewalls   Proxy Firewalls   Cross Domain Solutions (Transfer)
Shallow Packet Inspection    Yes                  Yes                         Yes               Yes
Protocol Anomaly Detection   Partially            Yes                         Yes               Yes
Stream Based Scanning                             Yes                         Yes               Yes
Deep Packet Inspection                            Yes                         Yes               Yes
File Based Scanning                                                           Yes               Yes
Deep Content Inspection                                                       Yes               Yes
Deep Content Sanitization                                                                       Yes
Trusted Platform                                                                                Yes
Mandatory Access Controls                                                                       Yes
Role Based Access Controls   Yes                  Yes                         Yes               Yes

Left to right: increasing assurance, specialization, and cost; decreasing performance.

Source: Potential Foundational Graphics for XBIS, Scott Hall, 24 October 2012
What does it mean to be Trusted?

A combination of Functionality and Assurance.

Functional capabilities:
- Mandatory Access Controls
- Labels
- Type enforcement
- Separation kernel
- Integrity

Assurance measures:
- Functional and penetration testing
- Requirements, design and code analysis
- Special analysis (e.g., covert channel analysis)
- Configuration management / trusted distribution

Objective: establish confidence that behavior is predictable, reliable and appropriate:
- Completeness
- Correctness
- Resistance to attack
- Strength of implementation
Why is CDS so hard to do?

- A CDS is a high value target
- Features and the high level of assurance needed for a CDS are not typically found in mainstream COTS products
- It requires a specialty skill-set that crosses many engineering disciplines
- It opens up high risk communication flows not previously available
- Due to the risk of domain connections, policies create extra steps, impose restrictions, and add requirements
- Limited technology available - the market is not large enough for COTS vendors

The special requirements, restrictive policies, trusted technologies, unique threats, and high risk of cross domain connections demand extraordinary knowledge, skill and focus on the part of the CDS engineering and testing community.
Who Do I Talk To About CDS?

Unified Cross Domain Services Management Office (UCDSMO)

E-Mail:
- NIPRNet: info-ucdsmo@nsa.gov
- SIPRNet: info-ucdsmo@nsa.smil.mil
- JWICS: info-ucdsmo@nsa.ic.gov

Telephone:
- Unclassified: 240-373-0796
- Secure: 763-2470

Web Sites:
- Intelink-U: https://intelshare.intelink.gov/sites/ucdsmo
- SIPRNet: http://intelshare.intelink.sgov.gov/sites/ucdsmo
- JWICS: http://intelshare.intelink.ic.gov/sites/ucdsmo
Questions