Network security's one-way data street
Tenix platform allows exchange between disparate networks
Maintaining a highly secure network environment is paramount for the military as well as for civilian agencies working in intelligence or law enforcement. But how does information from less secure sources get into the secure network? And does the fact that a network is completely secure mean that users can't access nonclassified data from their terminals without opening up a security hole?
The Tenix Datagate Interactive Link Suite from Tenix America can address these questions by preserving separate secure networks while allowing users to access data and the Internet from a single PC.
To test the system we set up two networks in the GCN Lab. The first was modeled after the Secret IP Router Network, which the Defense Department uses to exchange classified information in a totally secure environment. The second network was modeled after DOD's NIPRnet, the Unclassified but Sensitive Internet Protocol Router Network (formerly the Non-Classified IP Router Network). Our servers ran Microsoft Windows 2003, Red Hat Linux and Sun Solaris, all of which are supported by Tenix software.
Although NIPRnet is not classified, there is still a lot of sensitive data on it. Conceivably, an analyst or other authorized user may want to take some of the data found there and upload it to SIPRnet for inclusion in a report. This can be achieved securely using the Interactive Link Suite, which is a surprisingly low-tech solution to a high-tech problem. The heart of the suite is the $30,000 Interactive Link Data Diode, which sits between the two networks.
The Data Diode is like an air gap network, but allows a one-way fiber connection from the low-security net to the high-security one.
Here's how it works. If, for example, you're looking at a satellite map of Iraq over the low-security network and need to use images of various fires around Baghdad, you would open up your photo editing program and cut out the part of the image that you need. Then you copy the image to your clipboard in the normal way by pressing CTRL-C, or selecting Copy from the program menu.
You then select an icon in the system tray that says 'Transfer to high security network' and the transfer happens. The data is then placed into a receiving folder on the secure network. The software will not let you initiate a transfer in the other direction.
The network can restrict certain file types from transferring. We set up our test connection to allow only image and text files to make the jump, figuring it might be a good thing to restrict executable files from entering the secure network. When we tried to send an .EXE file across, even if we renamed the file, it was blocked. This is a helpful feature for preventing a virus from getting into the secure network, although it's probably a good idea to have a firewall and virus scanner on the secure side just to be sure. If you have administrator access, you can temporarily allow .EXE files to enter the secure network by changing the settings.
Two networks on one PC
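The file-type restriction tested above held even when the .EXE was renamed, which means the filter looks at content rather than the file name. The following is an added illustration of how such a content-based allowlist works; it is not Tenix code and not from the review. The signature table, the allowed-type policy and the sample files are all constructed for the example.

```python
"""Content-based allowlist for files crossing into the secure network.

Added illustration (not Tenix code): the policy is expressed as content
types, and the type is read from the file's leading bytes, so renaming
an executable to .jpg does not get it past the filter.
"""

# Leading-byte signatures checked in order; the first match wins.
# (A short, constructed table; a real gateway would use a fuller one.)
MAGIC = [
    (b"\x89PNG\r\n\x1a\n", "image/png"),
    (b"\xff\xd8\xff", "image/jpeg"),
    (b"GIF87a", "image/gif"),
    (b"GIF89a", "image/gif"),
    (b"MZ", "application/x-msdownload"),  # DOS/Windows PE executable
    (b"\x7fELF", "application/x-elf"),     # Unix executable
    (b"#!", "text/x-script"),              # interpreter script
]

# Extensions each detected type is expected to carry; anything else is
# flagged as a mismatch so an analyst can see that a file was renamed.
EXPECTED_EXT = {
    "image/png": {"png"},
    "image/jpeg": {"jpg", "jpeg"},
    "image/gif": {"gif"},
    "text/plain": {"txt", "csv", "log", "md"},
    "application/x-msdownload": {"exe", "dll"},
    "application/x-elf": {"", "so", "elf"},
    "text/x-script": {"sh", "py", "pl"},
}

# The policy used in the review's test: images and plain text only.
ALLOWED = {"image/png", "image/jpeg", "image/gif", "text/plain"}


def sniff_type(data: bytes) -> str:
    """Return a content type from the leading bytes, never from the name."""
    for magic, mime in MAGIC:
        if data.startswith(magic):
            return mime
    # Plain text only if it decodes cleanly and is almost entirely printable.
    try:
        text = data.decode("utf-8")
    except UnicodeDecodeError:
        return "application/octet-stream"
    if not text:
        return "application/octet-stream"
    printable = sum(1 for ch in text if ch.isprintable() or ch in "\r\n\t")
    return "text/plain" if printable / len(text) >= 0.95 else "application/octet-stream"


def transfer_decision(filename: str, data: bytes, allowed=ALLOWED) -> dict:
    """Decide whether a file may cross, and record what was actually seen."""
    mime = sniff_type(data)
    ext = filename.rsplit(".", 1)[1].lower() if "." in filename else ""
    mismatch = mime in EXPECTED_EXT and ext not in EXPECTED_EXT[mime]
    return {
        "file": filename,
        "detected": mime,
        "extension": ext,
        "mismatch": mismatch,
        "allowed": mime in allowed,
    }


if __name__ == "__main__":
    # Constructed sample files: a PE stub renamed to look like a photo, a PNG,
    # a text note, and an ELF header renamed to .txt.
    samples = {
        "fires.jpg": b"MZ\x90\x00" + b"\x00" * 60,
        "baghdad.png": b"\x89PNG\r\n\x1a\n" + b"\x00" * 16,
        "notes.txt": b"Fires observed north of the river.\n",
        "tool.txt": b"\x7fELF\x02\x01\x01" + b"\x00" * 9,
    }
    for name, blob in samples.items():
        d = transfer_decision(name, blob)
        verdict = "ALLOW" if d["allowed"] else "BLOCK"
        flag = " (extension does not match content)" if d["mismatch"] else ""
        print(f"{verdict:5} {name:12} detected={d['detected']}{flag}")
```

The mismatch flag is worth keeping in the transfer log even when a file is allowed: a steady trickle of renamed files from one workstation is the kind of thing the secure side's administrators would want to notice.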
To make the transfer possible, you also need a $500 keyboard switch for each client PC. The Interactive Link Thin Client Keyboard Switch is similar to a standard keyboard, video, mouse switch, but only has two buttons in the front, which let you switch between the high-security and low-security networks. Big front panel lights tell you which network you're currently using. The keyboard switch comes with tamper-evident tape, so nobody can swap the labels on a user's switch to trick them into entering secret data on the less-secure network.
Through the KBS you can simultaneously access both networks on your screen, though the low-security network will run in a window. When you have the KBS set to the less-secure network, your cursor won't be able to leave that network's window without first switching the KBS back over to the secure network. Like a Citrix server, the low-security network has no idea that anything actually exists outside of the windowed environment.
Also like a Citrix server, you'll experience some lag when working on the less-secure network. The diode can process a maximum of 100 Mbps, though with overhead that number is more like 80 Mbps. The lag comes from manipulating a system remotely. We found the lag isn't too bad, but you'll notice it if you try to move icons around on the screen.
To really test the system, we tried to stream video from the low-security network to the high-security net. This would seem impossible given the one-way diode in the middle, but actually worked surprisingly well. You simply initiate the stream from the low-security network and tell the software that you intend to stream the data to the high-security net. Then on the high-security network you 'catch' the stream.
In our tests, the video signal only had to travel a short distance, although it could have gone further. Still, the system presents some unique problems processing video. Remember, the highly secure receiving system can't send any feedback to the less-secure network: The transfer is one way. Therefore it can't tell the host system when there is packet loss and ask that the transfer be throttled down or lost packets be re-sent. At minimum the receiving server would need to be as powerful as the sender; in a best-case scenario it should be faster.
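Because the receiving side can never ask for a retransmission, the usual answer on a one-way link is for the sender to add redundancy up front and for the receiver to account for loss on its own. The following Python sketch is an added illustration of that principle, not Tenix's protocol and not code from the review: the sender emits one XOR parity packet per group of data packets, and the receiver repairs a single missing packet per group, verifies a hash carried in the first packet, and reports any loss it could not repair. The packet layout, the group size and the sample payload are all constructed for the example.

```python
"""One-way (diode-style) stream with sender-added redundancy.

Added illustration (not Tenix code): the receiver can never talk back, so
the sender sends one XOR parity packet per group of data packets; the
receiver repairs one lost packet per group, checks a hash carried in the
first packet, and reports anything it could not repair.
"""
import hashlib
from functools import reduce

CHUNK = 8   # payload bytes per data packet (tiny, to keep the demo readable)
GROUP = 4   # data packets protected by one parity packet


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def encode_stream(payload: bytes) -> list:
    """Split payload into fixed-size packets and add parity per group."""
    padded = payload + b"\x00" * (-len(payload) % CHUNK)
    chunks = [padded[i:i + CHUNK] for i in range(0, len(padded), CHUNK)]
    ngroups = (len(chunks) + GROUP - 1) // GROUP
    # The header tells the receiver what "complete" means and lets it verify.
    packets = [{"seq": 0, "kind": "header", "length": len(payload),
                "chunks": len(chunks), "groups": ngroups,
                "sha256": hashlib.sha256(payload).hexdigest()}]
    seq = 1
    for gid in range(ngroups):
        group = chunks[gid * GROUP:(gid + 1) * GROUP]
        for idx, body in enumerate(group):
            packets.append({"seq": seq, "kind": "data", "group": gid,
                            "index": idx, "body": body})
            seq += 1
        packets.append({"seq": seq, "kind": "parity", "group": gid,
                        "body": reduce(_xor, group)})
        seq += 1
    return packets


def decode_stream(received: list) -> dict:
    """Reassemble what arrived, repair single losses, report the rest."""
    header = next((p for p in received if p["kind"] == "header"), None)
    if header is None:
        return {"ok": False, "data": None, "reason": "header lost",
                "repaired": [], "unrecoverable": []}
    groups = {}
    for p in received:
        if p["kind"] == "data":
            groups.setdefault(p["group"], {})[p["index"]] = p["body"]
        elif p["kind"] == "parity":
            groups.setdefault(p["group"], {})["parity"] = p["body"]
    out, repaired, unrecoverable = bytearray(), [], []
    for gid in range(header["groups"]):
        g = groups.get(gid, {})
        size = min(GROUP, header["chunks"] - gid * GROUP)
        bodies = [g.get(i) for i in range(size)]
        missing = [i for i, b in enumerate(bodies) if b is None]
        if len(missing) == 1 and "parity" in g:
            # XOR of everything that arrived plus the parity gives the missing chunk.
            have = [b for b in bodies if b is not None] + [g["parity"]]
            bodies[missing[0]] = reduce(_xor, have)
            repaired.append(gid)
        elif missing:
            unrecoverable.append(gid)
            bodies = [b if b is not None else b"\x00" * CHUNK for b in bodies]
        out.extend(b"".join(bodies))
    data = bytes(out[:header["length"]])
    ok = not unrecoverable and hashlib.sha256(data).hexdigest() == header["sha256"]
    return {"ok": ok, "data": data if ok else None,
            "reason": None if ok else "packet loss",
            "repaired": repaired, "unrecoverable": unrecoverable}


def simulate(payload: bytes, drop: set) -> dict:
    """Push payload over a lossy one-way link that drops the given seq numbers."""
    return decode_stream([p for p in encode_stream(payload) if p["seq"] not in drop])


if __name__ == "__main__":
    # Constructed payload; seq numbers to drop are chosen to show each case.
    payload = b"The quick brown fox jumps over the lazy dog"
    for label, drop in [("no loss", set()), ("one per group", {2, 7}),
                        ("two in one group", {1, 2}), ("header lost", {0})]:
        r = simulate(payload, drop)
        print(f"{label:17} ok={r['ok']} repaired={r['repaired']} "
              f"unrecoverable={r['unrecoverable']} reason={r['reason']}")
```

The point for a diode deployment is the shape of the design, not the toy parity code: the sender decides in advance how much loss to tolerate, the receiver must be fast enough never to fall behind, and a loss the receiver cannot repair has to surface as a logged failure on the secure side rather than as a silent gap in the file.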
Tenix sells a variety of what it calls Data Pump applications that you can add to the system. These Data Pumps automate data transfers and interface with other programs such as virus scanners.
The system has endured rigorous security testing, including the National Information Assurance Partnership run by the National Security Agency and the National Institute of Standards and Technology. The Diode is certified at EAL 7, which is the highest possible in the program. The keyboard switch is certified at EAL 5+. The only security caveat is that because keyboards have a buffer, someone could theoretically be typing classified data and if the network switches, a few characters may spill over into the unclassified space. We were unable to reproduce this in the lab, but enterprising hackers might be able to. Tenix is working on a keyboard that eliminates this problem and hopes to get the entire system certified to EAL 7.
It's safe to say the Interactive Link Suite is a secure piece of equipment. We found no security holes or overall problems in our rigorous testing. If you need less-secure networks to share data with highly secure ones, but can't have data ever go the other way, this is among the most iron-clad solutions you can find short of hand-delivering files.