Wikipedia

Cross-domain solution

A cross-domain solution (CDS) is an integrated information assurance system composed of specialized software, and sometimes hardware, that provides a controlled interface to manually or automatically enable and/or restrict the access or transfer of information between two or more security domains based on a predetermined security policy.[1][2] CDSs are designed to enforce domain separation and typically include some form of content filtering, which is used to designate information that is unauthorized for transfer between security domains or levels of classification,[3] such as between different military divisions, intelligence agencies, or other operations which depend on the timely sharing of potentially sensitive information.[4]

The goal of a CDS is to allow a trusted network domain to exchange information with other domains, either one-way or bi-directionally, without introducing the potential for security threats. CDS development, assessment, and deployment are based on comprehensive risk management. Every aspect of an accredited CDS is usually evaluated under what is known as a Lab-Based Security Assessment (LBSA)[citation needed] to reduce potential vulnerabilities and risks. The evaluation and accreditation of CDSs in the United States are primarily under the authority of the National Cross Domain Strategy and Management Office (NCDSMO) within the National Security Agency (NSA).

A CDS filters for viruses and malware, runs content examination utilities and, for high-to-low security transfers, applies audited human review. A CDS sometimes also has security-hardened operating systems, role-based administration access, redundant hardware, etc.

The acceptance criteria for information transfer across domains, or cross-domain interoperability, are based on the security policy implemented within the solution. This policy may be simple (e.g., antivirus scanning and a whitelist (or "allowlist") check before transfer between peer networks) or complex (e.g., multiple content filters and a human reviewer who must examine, redact, and approve a document before release from a high-security domain[5]).[6] Unidirectional networks are often used to move information from low-security domains to secret enclaves while assuring that information cannot escape.[7][8] Cross-domain solutions often include a High Assurance Guard.
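The following is an added illustration of how a transfer guard enforces such a policy as a chain of filters; it is not code from the article or from any vendor's product. The level ordering, the allowlist, the "known malware" digest list, the restricted markings and the sample files are all constructed. It shows both the simple policy (allowlist plus a signature check) and the complex one (a dirty-word search plus a recorded human-review approval that is required only when data flows from a higher to a lower domain), and it fails closed: every filter runs and any objection denies the transfer.

```python
"""Transfer-policy pipeline for a cross-domain guard (added example, constructed data)."""
import hashlib
from dataclasses import dataclass, field
from typing import Callable, List, Optional

# Hierarchical levels, low to high (constructed ordering)
LEVELS = {"UNCLASSIFIED": 0, "SECRET": 1, "TOP SECRET": 2}

# Allowlist: extension -> leading bytes the content must carry (None = plain text, checked as UTF-8)
ALLOWED_TYPES = {".pdf": b"%PDF-", ".png": b"\x89PNG\r\n\x1a\n", ".txt": None}

# Constructed "known malware" digest set standing in for an antivirus signature database
KNOWN_BAD_SHA256 = {hashlib.sha256(b"constructed malicious sample").hexdigest()}

# Constructed markings that must never leave a high domain unredacted
RESTRICTED_MARKINGS = [b"SECRET//NOFORN", b"TOP SECRET"]


@dataclass
class TransferRequest:
    filename: str
    content: bytes
    src_level: str
    dst_level: str
    reviewer: Optional[str] = None  # set once a human reviewer has approved release


@dataclass
class Decision:
    allowed: bool
    reasons: List[str] = field(default_factory=list)


def check_allowlist(req: TransferRequest) -> Optional[str]:
    ext = ("." + req.filename.rsplit(".", 1)[1].lower()) if "." in req.filename else ""
    if ext not in ALLOWED_TYPES:
        return f"type '{ext or 'none'}' is not on the allowlist"
    magic = ALLOWED_TYPES[ext]
    if magic is None:
        try:
            req.content.decode("utf-8")
        except UnicodeDecodeError:
            return "declared as text but is not valid UTF-8"
    elif not req.content.startswith(magic):
        return f"content does not match declared type {ext}"
    return None


def check_malware(req: TransferRequest) -> Optional[str]:
    digest = hashlib.sha256(req.content).hexdigest()
    return "matches a known-malware digest" if digest in KNOWN_BAD_SHA256 else None


def check_markings(req: TransferRequest) -> Optional[str]:
    # A dirty-word search only matters when data flows from a higher to a lower domain
    if LEVELS[req.src_level] <= LEVELS[req.dst_level]:
        return None
    hits = [m.decode() for m in RESTRICTED_MARKINGS if m in req.content]
    return f"contains restricted marking(s) {hits}" if hits else None


def check_human_review(req: TransferRequest) -> Optional[str]:
    # Release from a high domain needs a recorded reviewer approval
    if LEVELS[req.src_level] > LEVELS[req.dst_level] and not req.reviewer:
        return "high-to-low release requires recorded human review"
    return None


FILTERS: List[Callable[[TransferRequest], Optional[str]]] = [
    check_allowlist, check_malware, check_markings, check_human_review,
]


def evaluate(req: TransferRequest, audit_log: List[str]) -> Decision:
    # Every filter runs; the transfer proceeds only when none of them objects (fail closed)
    reasons = [r for r in (f(req) for f in FILTERS) if r]
    decision = Decision(allowed=not reasons, reasons=reasons)
    verdict = "ALLOW" if decision.allowed else "DENY"
    audit_log.append(f"{req.filename} {req.src_level}->{req.dst_level}: {verdict} {reasons}")
    return decision


if __name__ == "__main__":
    log: List[str] = []
    evaluate(TransferRequest("notes.txt", b"Plan: SECRET//NOFORN details", "SECRET", "UNCLASSIFIED"), log)
    evaluate(TransferRequest("brief.pdf", b"%PDF-1.7 constructed body", "UNCLASSIFIED", "SECRET"), log)
    print("\n".join(log))
```

The audit log is written for every decision, allowed or denied, because a guard that only records denials gives a reviewer no way to reconstruct what actually crossed the boundary.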

Though cross-domain solutions have, as of 2019, historically been most typical in military, intelligence, and law enforcement environments, one example is the separation of the flight control and infotainment systems on an airliner.[9]

Types

There are three types of cross-domain solutions (CDS) according to Department of Defense Instruction (DoDI) 854001p. These types are broken down into Access, Transfer, and Multi-level solutions (MLS), and all must be included in the cross-domain baseline list before Department of Defense-specific site implementations.[10]

Access Solution

"An access solution describes a user's ability to view and manipulate information from domains of differing security levels and caveats. In theory, the ideal solution respects separation requirements between domains by preventing overlapping data between domains, which ensures data of different classifications cannot 'leak' (i.e. data spill) between networks at any host layer of the OSI/TCP model. In practice, however, data spills are an ever-present concern that system designers attempt to mitigate within acceptable risk levels. For this reason, data transfer is addressed as a separate CDS".[11]

Transfer Solution

A transfer solution offers the ability to move information between security domains that are of different classification levels or of different caveats at the same classification level.

Multi-level Solutions

"Access and transfer solutions rely on multiple security levels (MSL) approaches that maintain the separation of domains; this architecture is considered multiple single levels. A multi-level solution (MLS) differs from MSL architecture by storing all data in a single domain. The solution uses trusted labeling and integrated Mandatory Access Control (MAC) schema as a basis to mediate data flow and access according to user credentials and clearance to authenticate read and write privileges. In this manner, an MLS is considered an all-in-one CDS, encompassing both access and data transfer capabilities."[11]

Unintended consequences

In previous decades, multilevel security (MLS) technologies were developed. These enforced mandatory access control (MAC) with near certainty. Automated information systems sometimes share information contrary to the need to avoid sharing secrets with adversaries. When the 'balance' is decided at the discretion of users, the access control is called discretionary access control (DAC), which is more tolerant of actions that manage risk, whereas MAC requires risk avoidance.
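The label-based mediation that the Multi-level Solutions passage describes, and the MAC-versus-DAC distinction made in this section, can both be seen in one small model. The following is an added illustration, not code from the article or from any real multi-level solution; the level ordering, caveat names, users and sample objects are constructed. A single store holds data of every level, each object carries a trusted label, an owner-managed ACL provides the discretionary layer, and the mandatory check (no read up, no write down, decided by label dominance over both level and caveats) runs after the ACL check and can never be relaxed by an owner's grant.

```python
"""Label-based MAC with a DAC layer beneath it (added example, constructed data)."""
from dataclasses import dataclass, field
from typing import Dict, FrozenSet, List, Optional, Set

# Hierarchical levels, low to high (constructed ordering)
LEVELS = {"UNCLASSIFIED": 0, "CONFIDENTIAL": 1, "SECRET": 2, "TOP SECRET": 3}


@dataclass(frozen=True)
class Label:
    """Sensitivity label: a hierarchical level plus a set of non-hierarchical caveats."""
    level: str
    caveats: FrozenSet[str] = frozenset()

    def dominates(self, other: "Label") -> bool:
        # Level at least as high AND every caveat of the other label is held
        return LEVELS[self.level] >= LEVELS[other.level] and self.caveats >= other.caveats


@dataclass
class Obj:
    label: Label                                  # trusted label bound to the data
    owner: str
    data: bytes
    acl: Set[str] = field(default_factory=set)    # DAC: readers the owner has granted


class Mediator:
    """One store holds data of every level; every read and write passes through here."""

    def __init__(self) -> None:
        self.objects: Dict[str, Obj] = {}
        self.audit: List[str] = []

    def write(self, user: str, clearance: Label, name: str, label: Label, data: bytes) -> bool:
        # *-property (no write down): the object's label must dominate the writer's clearance
        if not label.dominates(clearance):
            self.audit.append(f"DENY write {user}->{name}: {label.level} does not dominate {clearance.level} (MAC)")
            return False
        self.objects[name] = Obj(label, user, data, acl={user})
        self.audit.append(f"ALLOW write {user}->{name} @ {label.level}")
        return True

    def grant(self, owner: str, name: str, grantee: str) -> bool:
        # DAC: the owner chooses readers, but this never relaxes the MAC check in read()
        obj = self.objects[name]
        if obj.owner != owner:
            return False
        obj.acl.add(grantee)
        return True

    def read(self, user: str, clearance: Label, name: str) -> Optional[bytes]:
        obj = self.objects[name]
        if user not in obj.acl:
            self.audit.append(f"DENY read {user}<-{name}: not on ACL (DAC)")
            return None
        # Simple security property (no read up): clearance must dominate the object's label
        if not clearance.dominates(obj.label):
            self.audit.append(f"DENY read {user}<-{name}: clearance does not dominate label (MAC)")
            return None
        self.audit.append(f"ALLOW read {user}<-{name}")
        return obj.data


def demo() -> dict:
    """Constructed scenario: the owner grants read to everyone, MAC still decides."""
    m = Mediator()
    alice = Label("SECRET", frozenset({"NOFORN"}))
    bob = Label("CONFIDENTIAL")
    carol = Label("TOP SECRET", frozenset({"NOFORN", "REL"}))
    m.write("alice", alice, "plan.txt", alice, b"op plan")
    m.grant("alice", "plan.txt", "bob")
    m.grant("alice", "plan.txt", "carol")
    return {
        "bob_read": m.read("bob", bob, "plan.txt"),        # on the ACL, but reading up: denied
        "carol_read": m.read("carol", carol, "plan.txt"),  # clearance dominates: allowed
        "alice_write_down": m.write("alice", alice, "note.txt", Label("UNCLASSIFIED"), b"x"),
        "audit": m.audit,
    }


if __name__ == "__main__":
    print("\n".join(demo()["audit"]))
```

Dominance is checked over caveats as well as levels, so a SECRET clearance without NOFORN cannot read a SECRET//NOFORN object even though the hierarchical levels are equal; that is the "different caveat of the same classification level" case the Transfer Solution passage mentions.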

These documents provide standards guidance on risk management:

  1. "Recommended Security Controls for Federal Information Systems & Organizations". Computer Security Division - Computer Security Resource Center. National Institute of Standards and Technology (NIST). 2011-11-16. SP 800-53 Rev3.[citation needed]
  2. "Security Categorization and Control Selection for National Security Systems" (PDF). The Committee on National Security Systems (CNSS). Instruction No. 1253.[citation needed]

References

  1. "Cross Domain Enterprise Service (CDES)". Information Assurance Support Environment. Defense Information Systems Agency (DISA). 2011-11-16. Archived from the original on 2008-03-26. Retrieved 2012-01-16.
  2. "Learn About Cross Domain Solutions". Owl Cyber Defense. Aug 25, 2020. Archived from the original on 2020-09-21.
  3. "Cloud Computing Strategy" (PDF). DTIC.MIL. Archived (PDF) from the original on August 16, 2016.
  4. Aristotle, Jacob. Cross-Domain Solution.
  5. Slater, T. "Cross-Domain Interoperability", Network Centric Operations Industry Consortium - NCOIC, 2013.
  6. "Cross Domain Solutions - Ensuring Complete Data Security".
  7. "Nexor Data Diode". Nexor. Retrieved 3 June 2013.
  8. "Dual Data Diode Information Transfer Products". Owl Cyber Defense, LLC. Retrieved 2019-08-20.
  9. "Can an Airplane Get Hacked? (Probably.)". Interset. 2017-01-04. Retrieved 2019-03-07.
  10. "CNSSI-4009" (PDF). RMF.org. Archived (PDF) from the original on 2020-02-28. Retrieved 28 February 2020.
  11. Smith, Scott (28 February 2020). "Shedding Light on Cross Domain Solutions". SANS Institute Information Security Reading Room. Archived from the original on 2020-02-28. Retrieved 28 February 2020.

Unified Cross Domain Management Office (UCDMO), Cross Domain Overlay, 1 December 2011, ver 1.0; provides extensive security control guidance for implementing CDS platforms, addressing security controls for hardware and software, enforced with advanced inspections.
