December 15, 2011

Secure Cross Domain Data Transfers with Raytheon's High Speed Guard

News Report

As announced in a recent press release, Raytheon's High Speed Guard cross domain technology (HSG) is now commercially available as an off-the-shelf product. High Speed Guard, previously offered as a service, has been on the U.S. Department of Defense's Unified Cross Domain Management Office baseline list of approved solutions since May of 2010.

The new HSG 3.0.3 release lowers data center maintenance cost and improves monitoring by enabling consolidated network management. Previously, customers would pay for each additional feature that was added to the product. Now, through commercialization of HSG, customers can benefit from product enhancements at no charge as part of a standard maintenance agreement. Another advantage of commercialization is that HSG will no longer be sold as an appliance. This allows customers freedom of choice in selecting a hardware platform on which to run HSG.

The Technology

The sharing and movement of data from a wide variety of sources is essential to the rapid, accurate, and precise execution of almost all applications. Modern military, intelligence, and law enforcement operations, in particular, critically depend on a timely sharing of information. Data collected at higher security levels is typically processed into intelligence meant to be shared at lower security levels, including releasable data for coalition partners. Command and control systems in the field require automated access to higher security level tasking and reporting systems.

Unfortunately, the persistent threat of cyber attack, penetration, and data loss requires that only the most secure methods are utilized to allow information sharing and transfer.

Cross domain solutions provide the ability to manually or automatically access or transfer between two or more differing security domains and thus enable transfer of information among incompatible security domains or levels of classification. Current security policies require a trusted entity to independently validate data being moved between top secret, secret, releasable and unclassified networks. These products are commonly known as trusted guards, high assurance guards, or just guards. Guards typically function as proxies, providing network separation between the two systems being connected.

High Speed Guard™ (HSG) is an accredited software solution that enables highly complex, bi-directional, automated data transfers between multiple domains. HSG has demonstrated the fastest bi-directional transfer rates of more than 9 gigabits per second (Gb/s) on dual processor commodity servers, running a hardened Red Hat® Enterprise Linux® operating system with a strict Security Enhanced Linux (SELinux) policy.

HSG supports a wide variety of data transfer scenarios through the use of flexible transfer mechanisms and extensive data support. Supported data includes web services, real-time Moving Picture Experts Group (MPEG2 and MPEG4) video, imagery in multiple formats, imagery metadata files, eXtensible Markup Language (XML), inter-system messaging, Ground Moving Target Indicator (GMTI) data, and a wide variety of proprietary data formats.

Multiple accredited transfer mechanisms provide a variety of fixed security protections and secure transfer methods. These mechanisms include:
  • Streaming Video. High-Speed Guard enables real-time video streaming while providing unparalleled control and auditing of video streams through its MPEG2 parsing capability. This validates key metadata fields, including classification and release caveats. The High-Speed Guard provides the same validation capability for video clip files.
  • Service-Oriented Architecture (SOA) Web Services. High-Speed Guard includes built-in support for Web services utilizing HTTP. In addition to providing complete inspection of all HTTP headers, the XML parsing capabilities provide full validation support for SOAP based services. Complete support is also provided for SOAP attachments, enabling product retrieval services with multi-gigabyte payloads, while enforcing complete data inspection routines.
  • High Performance Transfer. High-Speed Guard delivers data transactions through simultaneous, bi-directional information transfers using separate transmission sockets. This allows it to sustain rates of more than 9 Gb/s on two-CPU commodity commercial off-the-shelf servers running Red Hat Enterprise Linux 5 with a Strict SELinux policy.
  • Automated Secure Transfer (AST). High-Speed Guard supports file “drop box” transfers utilizing Secure Shell’s Secure Copy or FTP. AST validates files using the same rule engine as other High-Speed Guard services, a COTS virus scanner, digital signatures, or any combination thereof. Interaction with remote systems is highly customizable, including the mechanism used to indicate files are ready for transfer. Failed files can automatically be re-directed to a HRM. AST supports a “one-to-many” capability for copying files to multiple destinations in a single transaction.

High Speed Guard is deployed with an audit configuration that meets standard requirements across the cross domain community. Each deployment is enhanced with auditing specific to the data flows and security policies for that deployment. This unique auditing is driven by the Rule Engine, permitting the security policy to send any data deemed appropriate to the audit trail at any time. HSG supports local and remote log consolidation of the standard operating system syslog, binary auditing, and data transfer logging. All log and audit data is actively collected, parsed and reduced for immediate administrator notification of security events.

High Speed Guard is engineered to satisfy cross domain security requirements for Top Secret/SCI and Below Interoperability (TSABI) and Secret and Below Interoperability (SABI) C&A processes. Multiple customers, including NGA, Federal Bureau of Investigation (FBI), Missile Defense Agency (MDA), and several classified customers have deployed HSG and received accreditation under Director of Central Intelligence Directive (DCID) 6/3, National Institute of Standards and Technology (NIST) 800-53 and 8500.2 security controls.

The Context

High-Speed Guard received its first certification and accreditation in 1998. Since then, it has been fielded to the National Geospatial-Intelligence Agency, Air Force and several other agencies that require critical infrastructures that guard U.S. classified information.

In 2002, High-Speed Guard became certified against Director of Central Intelligence Directive 6/3, Protection Level 4 - Integrity and Availability High, and Appendix E requirements.

In 2010, High-Speed Guard was added to the Unified Cross Domain Management Office (UCDMO) Baseline. UCDMO is the U.S. DoD office that provides centralized coordination and oversight of all cross domain initiatives across the U.S. DoD and the Intelligence Community.


"The commercialization of HSG provides significant advantages to customers," stated Ed Hammersla, chief operating officer for Raytheon Trusted Computer Solutions. "Now they can purchase a product license and maintenance contract and will receive all new product enhancements as well as customer support."

References: Raytheon (1,2,3,4), UCDMO (5)
