Network security's one-way data street

 


Maintaining a highly secure network environment is paramount for the military as well as for civilian agencies working in intelligence or law enforcement. But how does information from less secure sources get into the secure network? And does the fact that a network is completely secure mean that users can't access nonclassified data from their terminals without opening up a security hole?

The Tenix Datagate Interactive Link Suite from Tenix America can address these questions by preserving separate secure networks while allowing users to access data and the Internet from a single PC.

To test the system we set up two networks in the GCN Lab. The first was modeled after the Secret IP Router Network (SIPRnet), which the Defense Department uses to exchange classified information in a totally secure environment. The second network was modeled after DOD's NIPRnet, the Unclassified but Sensitive Internet Protocol Router Network (formerly the Non-Classified IP Router Network). Our servers ran Microsoft Windows 2003, Red Hat Linux and Sun Solaris, all of which are supported by Tenix software.

Although NIPRnet is not classified, there is still a lot of sensitive data on it. Conceivably, an analyst or other authorized user may want to take some of the data found there and upload it to SIPRnet for inclusion in a report. This can be achieved securely using the Interactive Link Suite, which is a surprisingly low-tech solution to a high-tech problem. The heart of the suite is the $30,000 Interactive Link Data Diode, which sits between the two networks.

The Data Diode is like an air gap network, but allows a one-way fiber connection from the low-security net to the high-security one.

Here's how it works. If, for example, you're looking at a satellite map of Iraq over the low-security network and need to use images of various fires around Baghdad, you would open up your photo editing program and cut out the part of the image that you need. Then you copy the image to your clipboard in the normal way by pressing CTRL-C, or selecting Copy from the program menu.

You then select an icon in the system tray that says 'Transfer to high security network' and the transfer happens. The data is then placed into a receiving folder on the secure network. The software will not let you initiate a transfer in the other direction.

The network can restrict certain file types from transferring. We set up our test connection to allow only image and text files to make the jump, figuring it might be a good thing to restrict executable files from entering the secure network. When we tried to send an .EXE file across, even if we renamed the file, it was blocked. This is a helpful feature for preventing a virus from getting into the secure network, although it's probably a good idea to have a firewall and virus scanner on the secure side just to be sure. If you have administrator access, you can temporarily allow .EXE files to enter the secure network by changing the settings.

To make the transfer possible, you also need a $500 keyboard switch for each client PC. The Interactive Link Thin Client Keyboard Switch (KBS) is similar to a standard keyboard, video, mouse switch, but only has two buttons in the front, which let you switch between the high-security and low-security networks. Big front panel lights tell you which network you're currently using. The keyboard switch comes with tamper-evident tape, so nobody can switch the labels on a user to try and trick them into entering secret data on the less-secure network.

Through the KBS you can simultaneously access both networks on your screen, though the low-security network will run in a window. When you have the KBS set to the less-secure network, your cursor won't be able to leave that network's window without first switching the KBS back over to the secure network. Like a Citrix server, the low-security network has no idea that anything actually exists outside of the windowed environment.

Also like a Citrix server, you'll experience some lag when working on the less-secure network. The diode can process a maximum of 100 Mbps, though with overhead that number is more like 80 Mbps. The lag comes from manipulating a system remotely. We found the lag isn't too bad, but you'll notice it if you try to move icons around on the screen.

To really test the system, we tried to stream video from the low-security network to the high-security net. This would seem impossible given the one-way diode in the middle, but actually worked surprisingly well. You simply initiate the stream from the low-security network and tell the software that you intend to stream the data to the high-security net. Then on the high-security network you 'catch' the stream.

In our tests, the video signal only had to travel a short distance, although it could have gone further. Still, the system presents some unique problems processing video. Remember, the highly secure receiving system can't send any feedback to the less-secure network: The transfer is one way. Therefore it can't tell the host system when there is packet loss and ask that the transfer be throttled down or lost packets be re-sent. At minimum the receiving server would need to be as powerful as the sender; in a best-case scenario it should be faster.

Tenix sells a variety of what it calls Data Pump applications that you can add to the system. These Data Pumps automate data transfers and interface with other programs such as virus scanners.

The system has endured rigorous security testing, including the National Information Assurance Partnership run by the National Security Agency and the National Institute of Standards and Technology. The Diode is certified at EAL 7, which is the highest possible in the program. The keyboard switch is certified at EAL 5+. The only security caveat is that because keyboards have a buffer, someone could theoretically be typing classified data and if the network switches, a few characters may spill over into the unclassified space. We were unable to reproduce this in the lab, but enterprising hackers might be able to. Tenix is working on a keyboard that eliminates this problem and hopes to get the entire system certified to EAL 7.

It's safe to say the Interactive Link Suite is a secure piece of equipment. We found no security holes or overall problems in our rigorous testing. If you need less-secure networks to share data with highly secure ones, but can't have data ever go the other way, this is among the most iron-clad solutions you can find short of hand-delivering files.
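The review points out that the high side cannot report packet loss or ask for a re-send. The following is an added example, not Tenix code and not a description of how the Data Diode software works, of how a one-way link can compensate: the sender adds sequence numbers, a CRC32 and one XOR parity frame per group, so the receiver can rebuild a single lost frame per group and record anything it cannot recover. The frame layout, group size and function names are assumptions made for the illustration.

```python
import struct
import zlib
from functools import reduce

GROUP = 4                      # data frames per parity frame (assumed value)
HDR = struct.Struct("!IBI")    # seq, kind (0 = data, n = parity over n frames), CRC32

def xor_bytes(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def send(chunks):
    """Low side: frame equal-sized chunks and append one XOR parity frame per group."""
    frames = []
    for g in range(0, len(chunks), GROUP):
        group = chunks[g:g + GROUP]
        for i, c in enumerate(group):
            frames.append(HDR.pack(g + i, 0, zlib.crc32(c)) + c)
        parity = reduce(xor_bytes, group)
        frames.append(HDR.pack(g, len(group), zlib.crc32(parity)) + parity)
    return frames

def receive(frames):
    """High side: verify, rebuild one lost frame per group, report the rest.
    Returns (data_by_seq, lost_seqs); nothing is ever sent back to the sender."""
    data, parity = {}, {}
    for f in frames:
        if len(f) < HDR.size:
            continue
        seq, kind, crc = HDR.unpack_from(f)
        payload = f[HDR.size:]
        if zlib.crc32(payload) != crc:
            continue                      # a corrupted frame is treated as lost
        if kind == 0:
            data[seq] = payload
        else:
            parity[seq] = (kind, payload)
    top = -1
    for g, (n, p) in parity.items():
        top = max(top, g + n - 1)
        missing = [s for s in range(g, g + n) if s not in data]
        if len(missing) == 1:             # XOR of parity and survivors = lost chunk
            have = [data[s] for s in range(g, g + n) if s in data]
            data[missing[0]] = reduce(xor_bytes, have, p)
    top = max([top, *data])
    return data, [s for s in range(top + 1) if s not in data]

def demo():
    chunks = [bytes([i]) * 8 for i in range(10)]   # constructed sample payload
    wire = send(chunks)                            # 10 data + 3 parity frames
    # Constructed loss pattern: chunk 2 alone, then chunks 5 and 6 together.
    survivors = [f for i, f in enumerate(wire) if i not in (2, 6, 7)]
    return chunks, receive(survivors)
```

Because the receiver can only log the sequence numbers it could not rebuild, the amount of parity has to be chosen in advance for the loss rate the link is expected to see.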

Tenix platform allows exchange between disparate networks

















Two networks on one PC














