Bi-directional Cross-Domain Enablement

The ability to share information between disparate systems in real time is key to enhancing the capability and efficiency of an organisation and the systems they support. In these scenarios difficulties often arise, when information systems of differing classification or caveats with policy and physical restrictions, are unable to directly connect. However, there remains an operational requirement to share information between these systems.

Data transfer between those organisational networks is essential and must occur without introducing new threat vectors. Utilising an Owl Cyber Defense data diode (OPDS-1000) nullifies those threats and provides high assurance, hardware-enforced, unidirectional transfer that securely moves data between operational networks, without increasing risk.

The OPDS-1000 is an accredited, certified, multi-purpose, 1U rack ountable cybersecurity appliance, designed to create a physical defensive perimeter around those systems. Optimised for more demanding command and control applications, the OPDS-1000 can support 1Gbps of throughput and provides software interfaces for a broad range of applications that generate operational data (sensor, data points, database historians, syslog messages, alarms, etc.).

A bi-directional capability utilises two OPDS-1000 appliances in an inverse configuration to allow a unidirectional outbound and a separate unidirectional inbound data plane. Both appliances facilitate multiple concurrent data streams and support multiple protocols in tandem to allow system owners to authorise and release information between two systems within 2U of rack space.

4Secure have developed a compendium of software tools (Trusted Filter™) that work in tandem with any OWL appliance to facilitate a bi-directional cross-domain solution. Multiple protocol support, together with rigorous content filtering allows for pre-authorised, releasable information to be shared between disparate systems across unidirectional links. These segregated unidirectional dataflows enable information to flow between secure networks with the requisite boundary protection and content filtering, with minimal configuration and administration overhead.

Additionally, in operational environments this solution can enable full motion video, sensor feeds, geospatial and positional data feeds to flow into a higher classification system, empowering operators to generate tasking required in real-time. Outbound data flows allow operators to retain C2 of assets and the ability to initiate tasks on systems that reside outside of their traditional network boundary. The solution can allow COTS systems to be controlled and their sensor data utilised from higher classification networks without compromising the security of the network.

4Secure TrustedFilter™ framework is a set of software tools designed to enhance any OPDS platform, enabling a full cross-domain solution. TrustedFilter™ is designed and utilised to enable syntactic checking of data prior to crossing the unidirectional gateway, performing data-loss prevention, ensuring only authorised data is allowed to leave its host network.

TrustedFilter™ framework supports multiple protocols and data types, including but not limited to; XML and JSON schema validation within TCP streams and HTTP requests, granular HTTP request filtering, TLS termination, AMQP/ MQTT and file transfer with enhanced content inspection (file-type checks, manifest checks and third-party filtering scripts).

In addition to the protocol filtering, 4Secure’s 4BDT application stack enables inherently two-way, bi-directional TCP applications to operate via two physically separate unidirectional OPDS appliances.

The bi-directional solution also utilises TrustedFilter™ on the inbound and outbound gateway as a control mechanism for data leaving a higher classification network and to perform syntactic and semantic checks on inbound data, ensuring that only data that has passed through the onboard TrustedFilter verification engine is able to reach the higher classification system.