Dot-Connecting Across Domains
Written by Cheryl Gerber
MIT 2010 Volume: 14 Issue: 1 (February)

Cross domain technology gives analysts a fuller picture by enabling the flow of information between networks of different security levels.
Enter Cross Domain Solutions (CDS), the secure dot connector technology allowing the flow of information between networks of different security levels. A unique, joint DoD and IC organization, the Unified Cross Domain Management Office (UCDMO), oversees the direction of CDS.
The UCDMO guides the integration of cross domain transfer and access technology toward the use of common resources, aligned with the Global Information Grid and emerging Enterprise Service architectures. The group falls under the purview of the CIO of the associate director of national intelligence and the CIO of the assistant secretary of defense, networks and information integration.
Upon its formation in 2006, the UCDMO jumped directly into the thick of technology. “In parallel with the standup of the UCDMO, we decided to take a deep dive to focus on a technology roadmap. We looked at what we have and coupled it with gap analysis, including governance, policy and certification,” said Marianne Bailey, UCDMO director.
The UCDMO filled an information-sharing and technology management gap between DoD and the IC. “There was a real need to develop a joint way to manage CDS. One of the UCDMO’s first missions was to quantify the number of CDS deployed in the field. They came up with about 100,” noted Bryan Rollins, director of Maritime Solutions, Defense Information Systems and Global Services at Lockheed Martin. “After a year or so, they had ramped it down to roughly 20 widely deployed solutions, so DoD and the IC wouldn’t have to pay for the operations and maintenance costs of having too many deployed,” said Rollins.
BASELINE SOLUTIONS
Today, as a result of its work migrating from disparate, stove-piped solutions toward common, shared DoD/IC technologies, the UCDMO has whittled its “Baseline List of Solutions Available for Re-Use” down to 15 accredited and certified CDS. The current list is the first, near-term solution. (See chart on pg 12)
A baseline re-use solution must have been running already on a government-sponsored network, have an existing body of test evidence, a minimum three-year life-cycle support agreement and have been evaluated and approved by the UCDMO technical staff.
“The baseline serves as a ‘check here first’ place, because items on the baseline can save the agency time and money. Rather than re-inventing the wheel, if an agency starts with something from the baseline, it could possibly cut ‘start to operate’ time from years to months,” said Jill Savin, UCDMO communications and outreach officer.
“Some agencies are putting policies in place to instruct their information assurance and IT shops only to consider baseline solutions when looking at new cross domain needs, since these solutions are known entities. But this is an agency decision, not something mandated by the UCDMO,” Savin said.
In the meantime, some agencies will continue to use a CDS that is not on the baseline and might never be. “Some operational solutions may not be sponsored for the baseline since they aren’t appropriate for broad re-use,” she said.
One of the most widely deployed CDS currently on the UCDMO’s baseline is Version 4 of Lockheed Martin’s Radiant Mercury. Last July, the Navy awarded Lockheed an indefinite-delivery, indefinite-quantity contract to continue developing Radiant Mercury with field support for 483 systems worldwide.
Radiant Mercury Version 5.0 is now undergoing certification based on the National Institute of Standards and Technology (NIST) 800-53, the latest standard entitled “Recommended Security Controls for Federal Information Systems.”
“Version 5.0 is in alpha testing and now beginning to move into beta for NIST 800-53 testing, with the UCDMO overseeing the certification team,” said Rollins.
“The main improvement in Version 5 is that we ported it to Solaris 10 with Trusted Extensions. This provides the ability to host it on x86 and x64 chip sets, but providing the additional hardware platforms means it takes longer to certify,” he said.
The new standard abets the process of achieving UCDMO goals. “The emerging NIST 800-53 standard is important to the UCDMO to move forward, merging different certification processes and standards and bringing commonality to DoD and the IC. The UCDMO participated significantly in validating the 400 security controls that were necessary for cross domain components in NIST 800-53,” said Bailey.
REMOTE MANAGEMENT
Beginning with the 400 security controls, the UCDMO selected those required for cross domain and developed three cross domain-specific categories. “Instead of certifiers having to look at 400 security controls, they can now just look at the three sets of cross domain profiles—transfer, access and multi-level—depending on what type of CDS they are using,” Bailey said.
Radiant Mercury Version 5.0 also provides remote management, although it has yet to be widely accepted. “We also focused on the enterprise community by providing remote management, but there is still some discomfort with that capability, so it can be disabled by default and enabled only when requested and approved,” said Kevin Miller, Lockheed systems engineer manager.
“The remote management function is not yet UCDMO-certified for baseline technology, and must be accredited on a site-by-site basis,” said Ken Lewis, Lockheed engineering program manager. “However, the UCDMO and accreditors work together on accreditation to reduce the cost and time to field.”
Accreditation generally occurs on a site-by-site basis, while certification is based on products, he noted.
Another CDS currently on the UCDMO baseline list is ITT’s Information Support Server Environment (ISSE) Guard, in various iterations of Version 3.6.x.
“The latest version that is approved to field for both secret and below interoperability and top secret and below interoperability is Version 3.6.1.1,” said Dave Gray, ISSE program manager, ITT.
In June 2009, the Air Force Research Laboratory awarded ITT’s Advanced Engineering and Sciences division a contract to design, develop and integrate new capabilities into ISSE Guard, including the maintenance and installation of new software versions.
ISSE Version 4.0 is in development now, with formal testing slated for this summer. “We are supporting Solaris 10 with Trusted Extensions, x86 hardware and full end domain network transfer connectivity,” said Gray. “We are currently performing requirements analysis and studying the security issues associated with the virtualization of cross domain components in ISSE 4.0. We will virtualize components when possible based on approvals from the certification and accreditation communities and the UCDMO.”
Trusted Computer Solutions has three CDS on the UCDMO baseline list. The company’s Multi-Domain Dissemination Service version 3.2 provides both access and transfer. Its Secure Office Trusted Thin Client version 1.3 offers desktop access.
The Trusted Gateway System (TGS) version 2.1 P1 also provides transfer. Like all cross domain providers, Trusted Computer is concerned with providing security in the depth of the operating system. Its CDS run on Solaris Version 8.0, Red Hat Enterprise Linux 5.0 and a version of XTS, a BAE Systems proprietary operating system dedicated to CDS. “We re-platformed the gateway on Linux so it could run on multiple hardware platforms, giving the government more choices,” said Ed Hammersla, chief operating officer, Trusted Computer.
Security at this level is built down deep in the kernel by necessity. “CDS have security mechanisms built into the heart of the operating systems to protect from security breaches, which makes it easier for the security accreditation community to permit the deployment of approved CDS,” Hammersla said.
Securing information as it travels across domains also involves digging deep into desktop content using technology such as PuriFile, an ITT component that inspects Microsoft Office and Adobe files before they are emailed. “PuriFile looks for transgressions in the files such as metadata or other hidden content for data loss prevention,” said John Ivory, ITT director of Innovation and Commercialization.
Inspecting the metadata reveals such information as the names of authors, last printing time and the IP address where the document was last edited. PuriFile also scours documents for inadvertent data, such as a deletion or, for example, a bar chart from an Excel spreadsheet that had been cut and pasted into a PowerPoint slide but retains the spreadsheet information behind the chart. It also searches for deliberate malicious content and misplaced so-called “dirty words”—classified code names of missions, people or places that are not supposed to be moved outside of specified classification levels.
Certification of content inspection components such as PuriFile is not done separately. “When it’s embedded in a CDS, PuriFile is certified as a component of the CDS, as a virus scanner would be,” said Ivory.
In August 2009, ITT integrated PuriFile with Trusted Computer’s TGS and Lockheed Martin’s Radiant Mercury products. “The incorporation of the PuriFile tool in Radiant Mercury helps ensure the data integrity and security of cross domain information amongst multiple level users,” said Lockheed’s Rollins.
XML PROCESSING
One of the primary technologies that has evolved significantly in CDS is eXtensible Markup Language (XML). Recommended by the World Wide Web Consortium (W3C), XML is a widely deployed computer language used to specify data elements in a human-readable way with tags and attributes. It is also used for sharing data on the Web.
“Our initial XML processing capability was rudimentary, but then the whole world went XML, so the NSA funded CDS vendors to add advanced XML processing,” said ITT’s Gray.
ITT then added eXtensible Stylesheet Language Transformations (XSLT) as part of its filtering capability. “XSLT can transform data from XML in, to HTML out,” Ivory said.
ITT also added an XML schema language called REgular LAnguage for XML Next Generation (RELAX NG), which specifies a simple, compact pattern for the structure and content of XML documents.
RELAX NG is used in International Standards Organization standards.
XML schema languages support the ability for end users to describe data filtering and validation, an important aspect of information assurance in service-oriented architecture (SOA), for example. SOA is based on flexible designs used during development and integration for a Web-based suite of services that can be used across multiple platforms and domains with disparate applications. XML is frequently used to interface between the services.
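The two filtering stages the article describes, a content inspector that strips authoring metadata and scans for dirty words (the PuriFile passage above) and an XML schema check that validates structure before data is released (this section), can be combined into one transfer filter. The following is an added example written for this article, not code from PuriFile, ISSE Guard, Radiant Mercury or any other baseline product. It assumes a constructed XML report format, an element whitelist that stands in for a RELAX NG pattern (the standard library has no RELAX NG validator), placeholder dirty words, a constructed classification ordering and constructed sample documents.

```python
import re
import xml.etree.ElementTree as ET
from dataclasses import dataclass, field
from typing import List, Optional

# Classification ordering used to compare a document's label with the
# destination network (constructed for this example; real policy comes from the accreditor).
LEVELS = {"UNCLASSIFIED": 0, "CONFIDENTIAL": 1, "SECRET": 2, "TOP SECRET": 3}

# Whitelist standing in for a RELAX NG pattern: element -> permitted attributes.
# Anything not listed here (or in METADATA_ELEMENTS) is a schema violation.
ALLOWED_ELEMENTS = {"report": {"classification"}, "title": set(), "body": set()}

# Authoring metadata (author, last print time, editing host) stripped before release.
METADATA_ELEMENTS = {"author", "lastPrinted", "editHost"}

# "Dirty words": placeholders for code names bound to a classification level.
DIRTY_WORDS = ["CODENAME-PLACEHOLDER", "OPNAME-PLACEHOLDER"]
DIRTY_RE = re.compile("|".join(re.escape(w) for w in DIRTY_WORDS), re.IGNORECASE)


@dataclass
class FilterResult:
    released: bool
    reasons: List[str] = field(default_factory=list)
    sanitized_xml: Optional[str] = None


def _reject(*reasons: str) -> FilterResult:
    return FilterResult(released=False, reasons=list(reasons))


def filter_for_transfer(xml_text: str, destination_level: str) -> FilterResult:
    """Decide whether xml_text may be released to a network at destination_level."""
    if destination_level not in LEVELS:
        return _reject(f"unknown destination level {destination_level!r}")
    # The report format never needs a DTD; refusing one removes entity-expansion concerns.
    if "<!DOCTYPE" in xml_text:
        return _reject("DOCTYPE declarations are not permitted")
    try:
        root = ET.fromstring(xml_text)
    except ET.ParseError as exc:
        return _reject(f"malformed XML: {exc}")

    # 1. Structural validation against the whitelist (the schema check).
    for elem in root.iter():
        if elem.tag in METADATA_ELEMENTS:
            continue
        if elem.tag not in ALLOWED_ELEMENTS:
            return _reject(f"schema violation: element <{elem.tag}> not permitted")
        extra = set(elem.attrib) - ALLOWED_ELEMENTS[elem.tag]
        if extra:
            return _reject(f"schema violation: attributes {sorted(extra)} on <{elem.tag}>")

    # 2. Label check: the document's marking may not exceed the destination level.
    label = root.get("classification")
    if label not in LEVELS:
        return _reject("missing or unrecognised classification label")
    if LEVELS[label] > LEVELS[destination_level]:
        return _reject(f"label {label} exceeds destination {destination_level}")

    # 3. Strip authoring metadata. Parents are listed first so the tree is not
    #    modified while it is being iterated.
    for parent in list(root.iter()):
        for child in list(parent):
            if child.tag in METADATA_ELEMENTS:
                parent.remove(child)

    # 4. Dirty-word scan over every remaining text node and attribute value.
    found = set()
    for elem in root.iter():
        for chunk in [elem.text or "", elem.tail or "", *elem.attrib.values()]:
            found.update(m.upper() for m in DIRTY_RE.findall(chunk))
    if found:
        return _reject(f"dirty words present: {sorted(found)}")

    return FilterResult(released=True, sanitized_xml=ET.tostring(root, encoding="unicode"))


# Constructed sample documents (addresses and names are placeholders).
SAMPLE_OK = """<report classification="SECRET">
  <title>Weekly status</title>
  <author>analyst-placeholder</author>
  <lastPrinted>2010-01-15T09:30:00</lastPrinted>
  <editHost>192.0.2.10</editHost>
  <body>Routine summary with no restricted terms.</body>
</report>"""
SAMPLE_DIRTY = SAMPLE_OK.replace("no restricted terms", "a mention of codename-placeholder")
SAMPLE_BAD_SCHEMA = SAMPLE_OK.replace("<body>", "<body><script>x</script>")

if __name__ == "__main__":
    for name, doc, dest in [("ok", SAMPLE_OK, "SECRET"), ("downgrade", SAMPLE_OK, "UNCLASSIFIED"),
                            ("dirty", SAMPLE_DIRTY, "SECRET"), ("schema", SAMPLE_BAD_SCHEMA, "SECRET")]:
        r = filter_for_transfer(doc, dest)
        print(name, "RELEASED" if r.released else "REJECTED", r.reasons)
```

The order of the stages is deliberate: the document is validated against the whitelist before any of its content is interpreted, the label is compared with the destination before metadata is touched, and the dirty-word scan runs last over exactly the bytes that would leave the guard. A production guard would replace the whitelist with a real RELAX NG or XSD validator, as the article describes ITT doing, and would take the level ordering and dirty-word list from the accreditation authority rather than from constants in the code.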
In the world of highly secure classified information, cryptography is a necessity. Binding metadata cryptographically, for example, enables data integrity. While not yet widely adopted in SOA, cryptobound IA metadata is essential for establishing the trust relationships that are needed by the cross domain community.
The UCDMO is working to advance CDS by using technologies such as SOA, XML schemas and the crypto-binding of IA metadata for secure data provenance. “The trusted labeling of data will help enable CDS to incorporate more automated decision-making processes and help make cross domain enterprise services more capable,” said Melinda Whitfield, UCDMO chief of strategic planning and communications.
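The crypto-binding of IA metadata described above means the classification label travels with the data in a way that a relabelling or a change to the content breaks. The following is an added example, not code from the UCDMO or any CDS vendor, showing the idea with an HMAC over a length-prefixed encoding of label and payload; it assumes a constructed key held by the labelling authority (a deployment would use a digital signature under PKI so that verifiers need no shared secret) and a constructed classification ordering.

```python
import hashlib
import hmac
import json
from typing import Tuple

# Constructed demo key. In a deployment the binding key would belong to the
# labelling authority and live in an HSM, not in source code.
BINDING_KEY = b"constructed-demo-key-not-for-real-use"

# Constructed classification ordering for the release decision.
LEVELS = {"UNCLASSIFIED": 0, "CONFIDENTIAL": 1, "SECRET": 2, "TOP SECRET": 3}


def canonical(label: dict, payload: bytes) -> bytes:
    """Deterministic encoding so labeller and verifier MAC identical bytes.
    Each field is length-prefixed so the label/payload boundary cannot be shifted."""
    header = json.dumps(label, sort_keys=True, separators=(",", ":")).encode()
    return len(header).to_bytes(4, "big") + header + len(payload).to_bytes(4, "big") + payload


def bind_label(label: dict, payload: bytes, key: bytes = BINDING_KEY) -> dict:
    """Attach a label to payload and bind both under one MAC."""
    tag = hmac.new(key, canonical(label, payload), hashlib.sha256).hexdigest()
    return {"label": label, "payload": payload.hex(), "binding": tag}


def verify_binding(obj: dict, key: bytes = BINDING_KEY) -> bool:
    """True only if neither the label nor the payload changed since binding."""
    payload = bytes.fromhex(obj["payload"])
    expected = hmac.new(key, canonical(obj["label"], payload), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, obj["binding"])


def release_decision(obj: dict, destination_level: str, key: bytes = BINDING_KEY) -> Tuple[bool, str]:
    """Automated decision: trust the label only after the binding checks out."""
    if not verify_binding(obj, key):
        return False, "binding check failed; label cannot be trusted"
    level = obj["label"].get("classification")
    if level not in LEVELS or destination_level not in LEVELS:
        return False, "unrecognised classification level"
    if LEVELS[level] > LEVELS[destination_level]:
        return False, f"{level} data may not be released to {destination_level}"
    return True, "released"


if __name__ == "__main__":
    bound = bind_label({"classification": "SECRET", "origin": "site-placeholder"}, b"constructed report body")
    print(release_decision(bound, "SECRET"))
    tampered = dict(bound, label={"classification": "UNCLASSIFIED", "origin": "site-placeholder"})
    print(release_decision(tampered, "UNCLASSIFIED"))
```

The point the example makes is that the automated decision never reads the label on its own: a downgraded label fails the binding check and the release is refused, which is what lets a CDS act on trusted labels without a human re-inspecting every object.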
Another Internet technology now certified and used by the highest security classifications is Keyboard Video and Mouse over Internet Protocol (KVM over IP). “More and more we see NSA approving KVM over IP. So we use them today in the field operationally for local area networks. They are not wireless. They are still wired through standard network connections over secure channels, but in the future we’ll use them for wide area networks,” said Gray.
One of the most salient challenges to achieving the full use of consolidated, common cross domain technologies has nothing to do with technology, but rather with people. In terms of governance, while the UCDMO is a formally established organization, agency CIOs have retained their authority. “It’s up to them to determine whether they want to implement our recommendations or not,” Bailey pointed out. “Our success depends on our collaboration with the CIOs.”
The established testing community provides a good example of the human cultural challenges. “The testing community is accustomed to controlling their own CDS, and now we are asking them to accept testing from others and to build camaraderie among the testers,” said Bailey.
As DoD and IC move increasingly toward common enterprise services, the future of CDS rests on collaboration, cooperative information sharing and ease of use. “Authorized users should be able to access information on different networks and classification levels regardless of where it resides,” Bailey said. ♦