White Paper: Accessing and sending data securely across security domains
Thales UK, August 2013

In this White Paper

Connectivity is good. Secure connectivity is essential. This white paper by Thales UK explains how Thales Gateway Services protect the exchange of data across security domains. It discusses how these services can be managed, either by Thales or supported by Thales on site, and integrated with existing infrastructure to form an integral part of the secure communications architecture.
Executive Summary

Connectivity is good. Secure connectivity is essential. This white paper by Thales UK describes how Thales Gateway Services enable the exchange of data across security domains. It then goes on to discuss how they can be managed, either by Thales or supported by Thales on the customer's site, and integrated with existing secure communications architecture.

Government and private sector organisations operate in an ever more connected world. The demands on networks are increasing, from remote access by users geographically separated from their offices to cross-domain exchanges. Very few networks can now avoid the widespread use of electronic messaging or e-mail to support government and business processes. Yet the capability to exchange such vast quantities of data between networks representing different security domains can potentially leave secure networks vulnerable to data leakage and subject to external attacks.

Furthermore, network managers are increasingly required to interconnect networks to provide a network of networks. In the United Kingdom, for example, UK Government policy mandates Government departments to use Public Services Network (PSN) compliant architectures. The resulting pan-government connectivity provides major operational and cost benefits but also drives the need for Cross Domain Gateways and guards. Thales is a leading provider of secure connectivity in the UK as part of the PSN Framework, having secured the first contract award by a Government department, and is now leading the industry teams examining the next generation of Gateway Services to be made available from April 2014.

Thales sees Strength in Depth, rather than a single level of protection, as the best approach to countering the cyber threat to data networks. Multiple defences and filters must be correctly integrated to achieve the highest levels of protection without introducing delays and over-complicated procedural measures. To this end, Thales provides secure Gateway Services across the requirement spectrum: Web, Mail, Cross Domain, and Remote Access.

There are multiple ways Gateways can be managed, either by Thales in its existing capability or supported by Thales on the customer's site. Thales believes that procuring the technology as a managed service is typically a lower risk route for customers. This allows service levels that suit the customer's specific needs to be agreed, underwritten through Service Level Agreements that provide contractually enforced commitments. Thales already provides services of this nature to UK Government departments and agencies, the wider public sector, and commercial customers.

The key to the overall security of the network is combining extensive management functions, typically from a Network Operations Centre (NOC), with Security Event and Incident Management provided through a suitable Security Operations Centre (SOC). These functions can be deployed taking advantage of As a Service offerings. Alternatively, Thales can support customers in developing, or integrating these capabilities into, their own NOC or SOC.

This discussion builds upon both Thales' expertise in providing secure networks and our understanding of current customer requirements, in terms of how data may be accessed and sent across security domains. It draws on our research and development activities, including our newly built Cyber Security Operations Centre that delivers these services to wider markets, and the thought leadership we provide to the UK Cabinet Office. It describes, at a high level, how Thales would undertake the relevant tasks associated with the definition, design, provision and implementation of secure Gateways across customer networks.

About Thales

Thales UK is part of the wider Thales Group, a global leader in integrated security solutions that deliver critical capability and value to its government and private sector customers in defence, aerospace, space and transport markets. In 2012, Thales Group generated revenues of 14.01 billion with 66,500 employees in over 50 countries. With 22,500 engineers and researchers, Thales has a unique capability to design, develop and deploy equipment, systems and services that meet the most complex security requirements. Thales' capabilities cover a broad spectrum of civil and non-civil expertise, from comprehensive physical and cyber security capabilities; sophisticated air, land and sea defence systems; mass transport control systems; and nuclear data processing and control systems, to secure communications systems.

Our 7,000+ employees across the United Kingdom are focused on meeting the needs of our customers in domestic and key export markets. Thales UK's technologies, based on dual civil and military capabilities, are world-beating, from the Royal Navy's next generation Queen Elizabeth-class Aircraft Carrier to securing 80% of the payment transactions worldwide. The organisation draws upon, and contributes to, the technical and business strength of the global Thales Group.

Thales UK has the capability and capacity, technically and financially, to deliver safe, secure and resilient programmes both within the UK and into the international market place, with a particular excellence in delivering solutions that are predicated on best of breed COTS technologies whilst recognising the need to configure the solution to the specific capability and business requirements of individual customers. This approach ensures our solutions satisfy all appropriate safety, resilience and capability criteria while still addressing affordability, interoperation with existing technology and infrastructure, and scalability to evolve with customers' changing operational requirements.
Context: Gateways, Impact Levels & Management Functions

This white paper refers to four types of Gateways:

Web Gateways: content filtering (this can be URL or media orientated), policy enforcement, and malicious code detection (signature based or real-time detection).

Mail Gateways: detection of malicious code contained within e-mails and e-mail attachments, phishing attacks, word searches, intellectual property control, and e-mail protective marking.

Cross Domain Gateways (CDGs): the controlled secure connection of networks (potentially at different security levels) allowing controlled, secure, and auditable information flow, utilising a combination of data diodes, file transfer Gateways, FTP Gateways, etc. Cross Domain Gateway Services can also support network management or security management functions (within the Network Operations Centre (NOC) and Security Operations Centre (SOC)), allowing data to be collected from multiple networks simultaneously without cross-contamination of data on those networks.

Remote Access Solutions (RAS): encrypted remote access for remote users with strong authentication at IL3 and IL4.

Thales works with the Pan Government Accreditor in the UK to ensure that any Gateway Services provided meet the security criteria for secure operation on the networks within which they are deployed.

Impact Levels are the UK Government's current standard method of assessing the impact of possible compromise to the security of information throughout the public sector. Impact Level 3 (IL3) is, for example, comparable to UK RESTRICTED and IL5 to UK SECRET.

In addition to Gateway Services, Thales offers comprehensive encryption services (also known as encryption overlays). IL3 and IL4 encryption overlay services provide encryption layers that include certificate and key management functions.

The key to the overall security of the network is the combination of extensive management functions within the NOC with protective monitoring from the SOC. These functions can be deployed taking advantage of Thales' As a Service offerings. Alternatively, Thales can support customers in developing or integrating the capabilities into their own NOC or SOC.
Gateways in Practice

Web Gateway

Where?

Protection from outside networks is of vital importance to organisations. This is especially important where high Impact Level networks are connected to low Impact Level networks or even public domains such as the internet (IL0). The data that is passed between the protected domain and the outside world needs filtering, checking, and policing against policy requirements. This is achieved by a Web Gateway.

What?

Web Gateways provide a secure means to connect a high security network to a lower security network. Web traffic may flow between the high and low networks subject to a defined set of rules and policies managed by the Gateway Service. The high network users are then able to receive the information they need whilst ensuring that the secure high-side network cannot be compromised, either by low-side users requesting information from the high side or by deliberate attack.

Figure 1 illustrates a situation where users of a secure network require internet access to support their roles. The web traffic passes through the Gateway, is processed against a rule set and, using assessment algorithms, is then either allowed or denied passage to its destination.

Figure 1 - Web Gateway connecting a secure network to the internet to provide user internet access. (Diagram: Secure Network, Web Gateway, Internet. Callout: authentication at the Web Gateway does not authorise this user to access the internet, so their web traffic is blocked.)

In some cases there may be shared applications that are accessed via a web interface. In this case Web Gateways can interact with authentication systems (either provided by the customer or by Thales as part of the Web Gateway Service) to validate users. Users may be individuals, or potentially organisations or networks, allowed access to the shared application.
Figure 2 - Web Gateway controlling a connection to shared applications / databases with customer authentication services. (Diagram: Secure Network, Web Gateway, Authentication Service, Secure Network Hosting Application, Shared Application. Callouts: a user attempts to access an external application but authentication is denied; a user attempts to access an external shared application and access is granted by the Gateway; the Authentication Service authenticates users for the Gateway in this case, and authentication services can be provided at the Gateway if required.)

Figure 2 illustrates the Web Gateway authenticating users to a shared application. In this scenario, the users access their workstations within their secure network and connect via a web interface to the shared application, hosted on a separate secure network. The Gateway receives the requests for access to the shared application, verifies that the user is authorised using an external authentication service, and either permits or denies access. In the illustrated example only a single user is granted access to the shared application, as illustrated by the green line. The purple and blue lines show the authentication requests propagating through via the Web Gateway.

Why?

Deploying a suitably configured and managed Web Gateway enables the customer to safely and securely access Internet and web services. The customer would provide the filtering and monitoring policy embedded in the Web Gateway that will protect their systems from attack, and will provide reporting on web policy infringements. The policy is integral to the Gateway and defines what is classified as an infringement, and what the user should do in the event of an infringement.

Mail Gateway

Where?

Most networks benefit from the use of messaging or e-mail to support government or business processes. The capability to exchange e-mails between networks representing different security domains can potentially leave secure networks vulnerable to data leakage or subject to external attacks by malware using e-mail as the delivery mechanism. The e-mail data and the attachments within those e-mails passed between the protected domain and the outside world need filtering, checking and policing against policy. This is achieved by a Mail Gateway.

What?

Figure 3 shows how the Mail Gateway provides protection to the high security network from both low security networks and the internet by examining the e-mail's content, its attachments for malware (deep content inspection on files), and addressee and originator authenticity. It thereby identifies any unsolicited e-mails (spam), and blocked senders or destinations.

Figure 3 - Mail Gateway provides a secure connection mechanism for checked e-mail to flow between secure networks and low security and public domain networks. (Diagram: High Security Network, Mail Gateway, Mail Relay, Low Security Network, Mail Relay, Internet. Callouts: the Gateway detects words within an e-mail that are on a prohibited list (a list designed to prevent data leakage) and the e-mail is blocked; the Gateway detects malware within an e-mail from an external party and blocks the e-mail; a recognised user sends an e-mail to a user on the Low Security Network, and this user may also send e-mails to users on the High Security Network; a cyber attacker attempts to inject malware into the Secure Network by sending it as an attachment to an e-mail.)

In addition, Mail Gateways can be configured to capture e-mails that do not conform to set rules (either from within the secure network or entering into it). This can be used to alert the originator or, in some cases, an administrator or security personnel to a potential security breach.

Why?

The benefits to the customer from this Gateway include the assurance that all incoming and outgoing e-mail traffic has been scanned to ensure it conforms to policy, and that the security boundaries for all three high impact networks are maintained. The use of black lists, white lists and keyword searches will bar or quarantine e-mails that may have breached policy. A self-release function with an associated audit trail and report may be implemented for a set of defined infringement alerts.
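As an added illustration of the checks this section describes (example code, not Thales code and not how the Thales Mail Gateway is built), the following Python sketch runs constructed messages through a policy engine with a black list of senders and destinations, a signature based attachment check, a prohibited word list against leakage, a white list exempt spam heuristic, and an audited self-release. Every address, hash, word list and message is constructed for the example.

```python
# Added example, not Thales code: a minimal policy engine modelling the Mail Gateway
# checks described in this section. Every address, hash, word list and message below
# is constructed for the example; the spam heuristic is a deliberately simple stand-in.
import hashlib
import re
from collections import namedtuple
from dataclasses import dataclass, field

@dataclass
class Email:
    msg_id: str
    sender: str
    recipient: str
    subject: str
    body: str
    attachments: dict = field(default_factory=dict)  # file name -> bytes

Verdict = namedtuple("Verdict", "action reason")  # action: deliver, block or quarantine

class MailGateway:
    """Sits between the high security network and the mail relays on the low side."""

    def __init__(self, prohibited_words, blocked_senders, blocked_domains,
                 malware_sha256, allowed_senders, self_release_reasons):
        words = "|".join(re.escape(w) for w in prohibited_words)
        self.prohibited = re.compile(r"\b(" + words + r")\b", re.IGNORECASE)
        self.blocked_senders = {s.lower() for s in blocked_senders}
        self.blocked_domains = {d.lower() for d in blocked_domains}
        self.malware = set(malware_sha256)                   # SHA-256 of known bad files
        self.allowed = {s.lower() for s in allowed_senders}  # white list
        self.self_release = set(self_release_reasons)
        self.quarantine = {}  # msg_id -> (Email, reason)
        self.audit = []       # every decision and every release attempt

    def _record(self, msg, verdict, direction):
        self.audit.append((msg.msg_id, direction, verdict.action, verdict.reason))
        if verdict.action == "quarantine":
            self.quarantine[msg.msg_id] = (msg, verdict.reason)
        return verdict

    def inspect(self, msg, direction):
        """direction is 'outbound' (high -> low) or 'inbound' (low -> high)."""
        sender = msg.sender.lower()
        dest_domain = msg.recipient.lower().rsplit("@", 1)[-1]
        # Black lists of senders and destinations apply in both directions.
        if sender in self.blocked_senders or dest_domain in self.blocked_domains:
            return self._record(msg, Verdict("block", "black list"), direction)
        # Signature based attachment check: hash each file and look it up.
        for name, data in msg.attachments.items():
            if hashlib.sha256(data).hexdigest() in self.malware:
                return self._record(msg, Verdict("block", f"malware in {name}"), direction)
        if direction == "outbound":
            # Prohibited words guard against leakage; the originator may self-release after review.
            hit = self.prohibited.search(msg.subject + " " + msg.body)
            if hit:
                return self._record(msg, Verdict("quarantine", f"prohibited word '{hit.group(1)}'"), direction)
        elif sender not in self.allowed and self._looks_unsolicited(msg):
            # White listed senders skip the spam heuristic, never the malware check.
            return self._record(msg, Verdict("quarantine", "unsolicited"), direction)
        return self._record(msg, Verdict("deliver", "conforms to policy"), direction)

    @staticmethod
    def _looks_unsolicited(msg):
        text = (msg.subject + " " + msg.body).lower()
        return sum(t in text for t in ("winner", "click here", "act now")) >= 2

    def release(self, msg_id, user):
        """Self-release is limited to defined infringement classes and is always audited."""
        msg, reason = self.quarantine.get(msg_id, (None, ""))
        if msg is None or reason.split(" ", 1)[0] not in self.self_release:
            self.audit.append((msg_id, "release", "refused", user))
            return False
        del self.quarantine[msg_id]
        self.audit.append((msg_id, "release", "released", user))
        return True

def run_demo():
    """Run constructed messages through the gateway; returns msg_id -> action plus the gateway."""
    sample_malware = b"CONSTRUCTED-MALWARE-SAMPLE-NOT-REAL"  # stands in for a known bad file
    gw = MailGateway(prohibited_words=["project falcon", "restricted"],
                     blocked_senders=["spammer@badmail.example"], blocked_domains=["leak.example"],
                     malware_sha256=[hashlib.sha256(sample_malware).hexdigest()],
                     allowed_senders=["partner@low.example"], self_release_reasons=["prohibited"])
    cases = [
        (Email("m1", "alice@high.example", "bob@low.example", "Agenda", "Agenda attached."), "outbound"),
        (Email("m2", "alice@high.example", "bob@low.example", "Notes", "Notes on Project Falcon."), "outbound"),
        (Email("m3", "alice@high.example", "x@leak.example", "Hi", "Hello."), "outbound"),
        (Email("m4", "attacker@evil.example", "alice@high.example", "Invoice", "See attached.",
               {"invoice.exe": sample_malware}), "inbound"),
        (Email("m5", "spammer@badmail.example", "alice@high.example", "Offer", "Deal."), "inbound"),
        (Email("m6", "unknown@somewhere.example", "alice@high.example", "WINNER", "Click here now!"), "inbound"),
        (Email("m7", "partner@low.example", "alice@high.example", "Winner", "Click here for the list."), "inbound"),
    ]
    results = {msg.msg_id: gw.inspect(msg, direction).action for msg, direction in cases}
    results["m2_released"] = gw.release("m2", "alice")  # originator self-release of a word hit: allowed
    results["m6_released"] = gw.release("m6", "alice")  # spam is not self-releasable: refused
    return results, gw
```

The audit list is what a SOC would ingest: every verdict and every release attempt, refused or not, is recorded against the message id.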
Cross Domain Data Exchange

Where?

Increasingly, network managers are required to interconnect networks to provide a network of networks. In the UK, for example, Government policy mandates Government Departments, including the Ministry of Defence and the Emergency Services, to use Public Services Network (PSN) compliant architectures. The resulting pan-government connectivity enables competition between those providers that have met exacting requirements. Customers across Government can reduce costs, rather than fund multiple designs, and have come to depend on common industry standards. This network of networks has driven the need for Cross Domain Gateways and guards. Thales is a leading provider of secure connectivity in the UK as part of the PSN Connectivity and Services Frameworks.

In addition to the Mail and Web traffic above, other data may be required to pass between networks at different security levels. For example, users may need access to streamed CCTV footage across network boundaries. Others may need the ability to transfer unclassified documents between domains. A cross domain data exchange is therefore distinguished from other Gateways in that cross domain covers browse-down, secure audited file transfer and data streaming functions. For example:

User Transfers Files Across Domains: a user sends data (in the form of files) from their domain to another network within a different domain (different Impact Level).

User Streams Data (e.g. Media) Across Domains: a user streams secure media content from CCTV systems between networks of different domains (Impact Levels).

User Browses (Remote Desktop) Inter Domain: to support business functions, a user is required to browse file structures within a different domain (Impact Level).

What?

Figure 4 shows a Cross Domain Gateway supporting file data transfer functions by providing a secure path for data to flow between networks of different security levels, subject to policy and content checking.
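As an added example (not Thales code) of the policy and content checking described for the file transfer Cross Domain Gateway above, the following Python sketch decides whether constructed files may cross an IL4/IL3 boundary: it checks the permitted file type against the content's leading bytes, a malware signature, and the protective marking against the destination Impact Level, holding suspect files and raising a SOC alert. The mapping of markings other than RESTRICTED (IL3) and SECRET (IL5) to Impact Levels, the marking header convention, the files and the malware hash are assumptions constructed for this example.

```python
# Added example, not Thales code: a policy and content check modelling the file transfer
# Cross Domain Gateway of Figure 4. The marking header convention, the files, the malware
# hash and every marking-to-Impact-Level entry other than IL3/RESTRICTED and IL5/SECRET
# (which the Context section states) are assumptions constructed for this example.
import hashlib
import re
from dataclasses import dataclass

MARKING_TO_IL = {"UNCLASSIFIED": 0, "PROTECT": 2, "RESTRICTED": 3, "CONFIDENTIAL": 4, "SECRET": 5}
# Constructed convention: a text file may carry its marking on a header line.
HEADER = re.compile(r"^PROTECTIVE MARKING:\s*(\w+)", re.IGNORECASE | re.MULTILINE)


@dataclass
class TransferRequest:
    filename: str
    data: bytes
    declared_marking: str  # marking recorded against the file in the source data repository
    src_il: int
    dst_il: int


@dataclass
class Decision:
    action: str  # "transfer", "block" or "quarantine"
    reason: str


def effective_marking(declared, data):
    """Highest of the declared marking and any known marking found in a content header."""
    levels = [declared.upper()]
    levels += [m.upper() for m in HEADER.findall(data.decode("utf-8", errors="ignore"))
               if m.upper() in MARKING_TO_IL]
    return max(levels, key=lambda m: MARKING_TO_IL.get(m, 0))


class FileTransferGateway:
    def __init__(self, allowed_types, malware_sha256):
        self.allowed_types = allowed_types  # extension -> expected leading bytes (None = no check)
        self.malware = set(malware_sha256)
        self.quarantine = []
        self.soc_alerts = []
        self.audit = []

    def check(self, req):
        decision = self._evaluate(req)
        self.audit.append((req.filename, req.src_il, req.dst_il, decision.action, decision.reason))
        if decision.action == "quarantine":
            # Offending files are held and the SOC is alerted automatically.
            self.quarantine.append(req.filename)
            self.soc_alerts.append(f"{req.filename} (IL{req.src_il}->IL{req.dst_il}): {decision.reason}")
        return decision

    def _evaluate(self, req):
        ext = ("." + req.filename.rsplit(".", 1)[1].lower()) if "." in req.filename else ""
        if ext not in self.allowed_types:
            return Decision("block", f"file type '{ext}' not permitted by policy")
        expected = self.allowed_types[ext]
        if expected is not None and not req.data.startswith(expected):
            return Decision("quarantine", "content does not match declared type (suspect format)")
        if hashlib.sha256(req.data).hexdigest() in self.malware:
            return Decision("quarantine", "malware signature matched")
        marking = effective_marking(req.declared_marking, req.data)
        if MARKING_TO_IL[marking] > req.dst_il:
            if marking != req.declared_marking.upper():
                # Content marked higher than declared is a leakage indicator, not just a policy miss.
                return Decision("quarantine", f"content marked {marking} but declared {req.declared_marking}")
            return Decision("block", f"{marking} material may not pass to an IL{req.dst_il} network")
        return Decision("transfer", f"{marking} is within policy for IL{req.dst_il}")


def run_demo():
    """Constructed transfers through an IL4/IL3 gateway; returns filename -> action plus the gateway."""
    sample_malware = b"CONSTRUCTED-MALWARE-SAMPLE-NOT-REAL"  # stands in for a known bad file
    gw = FileTransferGateway({".txt": None, ".pdf": b"%PDF-"}, [hashlib.sha256(sample_malware).hexdigest()])
    requests = [
        TransferRequest("agenda.txt", b"PROTECTIVE MARKING: RESTRICTED\nAgenda for Monday.", "RESTRICTED", 4, 3),
        TransferRequest("plan.txt", b"PROTECTIVE MARKING: CONFIDENTIAL\nDeployment plan.", "RESTRICTED", 4, 3),
        TransferRequest("design.pdf", b"%PDF-1.4 design document", "CONFIDENTIAL", 4, 3),
        TransferRequest("tool.exe", b"MZ executable image", "UNCLASSIFIED", 4, 3),
        TransferRequest("report.pdf", b"PK\x03\x04 actually a zip archive", "UNCLASSIFIED", 4, 3),
        TransferRequest("notes.txt", sample_malware, "UNCLASSIFIED", 3, 4),
        TransferRequest("brief.txt", b"Unmarked briefing from the low side.", "RESTRICTED", 3, 4),
    ]
    return {r.filename: gw.check(r).action for r in requests}, gw
```

Note that the same RESTRICTED file is allowed upward (IL3 to IL4) but a CONFIDENTIAL one is refused downward, which is the asymmetry a cross domain policy exists to enforce.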
Figure 4 - Cross Domain Gateway providing a controlled and secure data exchange mechanism between networks of different security levels. (Diagram: High Security Network with Data Repository, Cross Domain Gateway, Low Security Network with Data Repository. Callouts: the Gateway detects that a file is protectively marked and prevents the data passing to the lower security network to stop leakage; the Gateway blocks the attempted file transfer as it does not conform to the policy restrictions allowed; the transfer of a file between the data repositories is carried out as it is within policy, and users can then gain access to the transferred files within the data repositories within their network domains.)

Why?

This Gateway Service enables the secure and reliable exchange of data and files between security domains. It therefore allows Government departments to communicate securely with each other. The policy driven Gateway will ensure that the appropriate scanning of files using deep packet inspection techniques will detect any malware or suspect formats, and quarantine the offending files, thus protecting the customer's network and the user's data. The SOC will be automatically alerted and the appropriate action taken to prevent further abuse or to facilitate the identification of the originator of any cyber attack.

Application Data Exchange and Messaging Gateways

Where?

Where applications are required to communicate across security domains to support business processes, more complex solutions may be required. Application Messaging Gateways (also known as Application Programming Interface or API Gateways) offer that functionality by providing a capability to enforce policy, translate messages, and authenticate applications, along with a secure path for the allowed data to propagate from one application to another.

What?

Figure 5 illustrates an API Gateway providing a secure bridge between applications on Networks A and B (Network A being high security). The API Gateway is capable of a number of functions: protecting the data that is being sent and checking that data for malicious content; authenticating any sender applications; and additional translation functions.
In the example here, Application B sends data that is not authorised for transmission to Application A on the secure network. The policies and rules set within the API Gateway prevent this data from propagating to the destination secure network. Other data that meets the policy and rule set applied at the API Gateway propagates through to Application A.

Figure 5 - API Gateway enabling application messages to pass between two networks of different security levels subject to defined policies and rules. (Diagram: Secure Network A hosting Secure Application A, API Gateway, Network B hosting Application B.)

Why?

The benefits to the customer from this Gateway are derived from the levels and types of security that may be required for any data exchanges across multiple, separate high Impact Level networks, namely the LAN (customer intranet), WAN 1 (internet), and WAN 2 (limited access from external public sources). API Gateways enable both the safe exchange of application messages between networks of different security levels, and the connection of applications that would not otherwise be able to communicate with each other. It does this by providing a translation mechanism that can deconstruct application messages and reconstruct them in a format compatible with the target application. This translation mechanism not only applies to application data, but also to any authentication/security tokens that are passed from one application to another. It consequently permits messaging services to be deployed more widely, with the resultant increases in operational efficiency. Enabling applications to securely interact and exchange data across different security domains will allow systems architects and application managers to benefit from the increasing number of groupware and automation application features that rely on this interaction.

An API provides the necessary hook in the software to allow another programmer to interface their new code or application. This provides the flexibility for the software to be developed by other parties without compromising the integrity (and IP) of the original code.

Secure Remote Access Service (RAS) Gateways

Where?

Remote access to networks enables internal or authenticated external users to continue working securely even when offsite. This may include access to applications, files, and internal web content. It may be applicable in the following situations:

User securely connects to customer network remotely via unsecure bandwidth connection: a customer user connects to their host network from a remote location to access applications, files, and web content.

External user securely connects to customer network remotely via unsecure bandwidth connection: an external user is authenticated and connected to the customer's host network from a remote location to access applications, files and web content as permitted by the customer's access policy.

What?

Thales has developed secure remote access services available at both IL3 and IL4 security levels for a variety of uses. Remote access solutions include hardware and software encryption mechanisms, key material distribution, service management, and the vital activity logging for audit and investigation purposes. Figure 6 shows how remote users can connect to the secure network from an off site location via the internet or a VPN connection. In this example a single user has been granted permission to connect to the network and has an experience consistent with being directly connected to that network within the customer site or normal place of work.

Figure 6 - RAS solution enabling users to connect via the internet to secure networks whilst protecting against unauthorised intrusions. (Diagram: Secure Network, Remote Access Gateway, Internet. Callouts: the Remote Access Gateway does not recognise the user (cannot authenticate the user) and denies the user access to the Secure Network; a cyber attacker attempts to gain access to the Secure Network using a connection to the Remote Access Gateway.)

Figure 6 also shows an attempt by an unauthorised user to connect to the customer's secure network. The Remote Access Gateway attempts to authenticate this user; the attacker fails to authenticate, and the Gateway denies access and reports the intrusion event.

Why?

This Gateway type allows the customer to enable, manage, and monitor remote access for both approved staff and any approved third parties. The benefits in operational efficiency and convenience are derived from reduced requirements for travel and shorter delays in accessing or updating information. A Remote Access Gateway will authenticate only those that have permission to access the network and control which services and information are accessed. This provides a safe and secure method of providing third parties with limited access to information and a channel to interact more closely with third party systems such as order processing, financial transactions and database updates.

Secure Gateway Deployment

There are multiple ways in which secure Gateways can be deployed, depending on the customer's needs and security requirements. Thales has the NOC and SOC capability and expertise to manage the customer's Gateway Services in the UK, or can support the customer in integrating, building and/or managing its own capability on their own site.
The following diagrams provide two examples of how SOC and NOC services can be securely connected to Gateway Services deployed within data centres (Figure 7) or at existing customer sites (Figure 8).

Figure 7 - Management of Gateways deployed in a central data centre. (Diagram: Data Centre, Customer Site, Security Operations Centre, Gateway, Customer Network (Secure), Bearer, Network Operations Centre.)

Figure 8 - Gateway Management with Gateways deployed within customer sites. (Diagram: Data Centre, Customer Site, Security Operations Centre, Gateway, Customer Network, Bearer, Network Operations Centre.)

Service based at remote data centre

Figure 7 shows Gateway Services hosted and managed at Thales Data Centres. The services are provided via a bearer to the customer networks using an appropriate secure overlay such as an encrypted link or secure protocol, for example IPSec or a PKI connection. This approach can also support multiple Gateways providing services across many SSB locations. This deployment architecture can take advantage of economies of scale and disaster recovery services that can be provided by Thales, and will co-locate the equipment close to the NOC and SOC operations.

Service deployed at customer site or Data Centre

Operational and security considerations may require equipment to be located within the customer's secure physical boundaries, such as their Data Centre or equipment rooms. Gateways deployed in this way would offer the customer IT administration and design authority control over its internal infrastructure configurations. The necessary NOC and SOC services can still be provided from the Thales Service Centre as shown in Figure 8, or alternatively Thales can design, build and integrate these capabilities into the customer environment. Training for the customer's staff to operate the services, along with through-life third line support and consultancy, is also a service offered by Thales.

Gateway Services Integration

This paper has so far reviewed typical examples of how Gateways may be deployed to become an integral part of the overall secure communications architecture. The next step is to examine how they are embedded into the existing architecture and provide Strength in Depth to the network's defences. An example of integration can be seen below in the case of Web and Email Gateway Services, where the necessary firewalls, IDS / IPS and anti-virus are implemented along with the interconnecting switching and load balancing equipment.
Web and Email Gateway Services

In this instance, packets of data are passed between the protocol handling and content checking compartments of the Gateways and validated using various checking algorithms. The Gateways are constructed to ensure no data transmission is possible between the low side and the high security side without passing through this process. Figure 9 shows the connection of a Web Gateway between a high security network (IL4) and a public domain network (IL0, i.e. the internet) with its supporting infrastructure, including the required DNS. A similar configuration can be used to connect IL4 to IL3 networks.
Figure 9 - Architecture diagram for Web Gateway that connects two networks at IL4 and IL0 to enable users to have internet access subject to defined policy and rules. (Diagram: IL4 Network (IL4-4-4) with DNS and server, switches, firewalls and IDS/IPS, Web Gateway with IL4 and IL0 interfaces, firewalls and IDS/IPS, switches, DNS server, Internet (IL0-0-0). Callouts: supporting IDS/IPS and firewall components, subject to security requirements, provide protection for the Web Gateway; the Gateway provides a secure connection of the IL4 and IL0 networks, enabling users within the IL0 network to have internet access.)

This configuration provides network protection against attack and data leakage while still enabling authorised users of the secure network (e.g. at IL4) to access the internet to support their day-to-day business activities. Web Gateways protect networks by providing safe, controlled and robust control, filtering and checking mechanisms for data travelling in both directions.

In some cases an amalgamated Gateway Service is a more effective approach. Figure 10 shows a Web Gateway operating within a multiple security level environment, providing a Gateway Service between a high security network (IL4) and two other networks operating at medium (IL3) and low (IL0) security levels. Where security and bandwidth constraints permit, Gateway Services can be deployed in this manner as a more cost-effective solution.

Figure 10 - Architecture diagram for Web Gateway that connects three networks at IL4, IL3 and IL0 to enable IL4 users to have internet access and access to the IL3 intranet, subject to defined policy rules. (Diagram: IL4 Network (IL4-4-4) with DNS and server, switches, firewalls and IDS/IPS, Web Gateway with IL4, IL3 and IL0 interfaces, firewalls and IDS/IPS, switches, DNS servers, IL3 Network (IL3-3-3) and Internet (IL0-0-0). Callouts: firewall and IDS/IPS components are used to provide extra protection, and load balancing can be provided to enable multiple Web Gateways to service a single connection to support additional bandwidth; a Web Gateway is configured to act as a Gateway between the IL4 network and the IL3/IL0 networks simultaneously, and separate policies can be instigated for the IL4 <-> IL0 and IL4 <-> IL3 connections.)
In all these architectures, where multiple Gateways are deployed, load balancers may be used to manage bandwidth and provide business continuity through higher levels of availability and resilience.

Cross Domain Gateway Services

In a sense, all Gateways can be considered as Cross Domain as they connect two separate networks. Email and Web are just special cases that often will meet the majority of the customer's gateway requirements. Here Thales defines Cross Domain Gateways as facilitating a unique or specialised data transfer requirement between two networks within different security domains, or with different defined security policies. Examples of Cross Domain Gateway solutions are:

File Transfer Gateway Services, which enable file transfers between networks of different impact levels.

Browse Down Cross Domain Gateways, which are typically data diode technologies allowing one-way data transfer only.

Cross Domain Application Messaging, which enforces application messaging policy across network boundaries. These Gateways can also provide translation services to translate application messages between networks if required.

Remote Desktop Client Browse Down, which provides a desktop client based approach to access networks of different classification levels utilising a single client and authentication service.

Data Streaming Gateways Browse Down, which enable streaming of data such as video data from CCTV cameras across network security boundaries.

All of these examples require integration with the existing environment. The sections below describe a number of the technical design techniques that complete the Gateway architecture and facilitate that integration.

File Transfer Gateway Services

The following outlines the top-level Cross Domain Gateway architecture to support file transfer between two networks of different classification. Figure 11 shows the connection of the File Transfer Cross Domain Gateway with the required supporting infrastructure.
Figure 11 - Architecture diagram for Cross Domain Gateway (File Transfer) providing data exchange capabilities between IL4 and IL3 networks subject to policies. (Figure annotation: supporting IDS/IPS and Firewall components, subject to security requirements, protect the Gateway, which provides a secure connection of IL4 and IL3 for the transfer of data by users subject to policies.)

The File Transfer Gateway provides a secure method of transfer between security domains but is essentially seen as an air gap by other network devices. The Gateway Service enables files to be transferred, subject to defined policies and permissions, using a graphical user interface that submits files for transfer via the checking engine. This provides a path for data (files) to be passed between security domains.

Browse Down Cross Domain Gateways

Browse Down Cross Domain Gateways such as Data Diodes provide single-direction traffic for data transfer between different security domains. Diodes can be managed solutions with scripting and content checking included. Figure 12 provides a schematic of a file transfer through a Data Diode.

Figure 12 - Cross Domain Gateway (Browse Down) enabling one-way data exchange between an IL4 and IL3 network subject to policies. (Figure annotation: a browse down Gateway enabling one-way traffic flow from the IL3 network to the IL4 network, so that users on the IL4 network can view IL3 network data held on a File Repository Server.)
Data Diodes can be used in tandem to provide controlled connections that are bi-directional. It is possible to configure dual Data Diode configurations connecting two networks of different security levels. Additional Diodes may be in place in the reverse direction purely to provide a level of flow control where needed to avoid data loss.

Application Messaging and Message Translation Gateway Services

It is possible to develop Application Messaging and Message Translation Gateways to incorporate application layer services. Typically:

- Application Messaging Checking Cross Domain.
- Application Messaging Translation (Security Tokens, etc.) Cross Domain.
- Application Message Policy Enforcement based on Defined Policies.

Integration of these sophisticated devices includes integration with the applications themselves. Thales can provide the necessary expertise either directly or through Thales application partner organisations.

Browse Down Gateway Services

These services enable users to access data at different security levels using a single client rather than multiple desktops. Beyond the obvious benefit of more efficient working practices, the customer can also derive the following:

- Secure Client Services that allow access to multiple desktops within different security domains from a single workstation.
- Browse Down clients within a desktop environment, enabling users to use multiple desktops from a single computer.

Data streaming is a specialised case of Cross Domain Gateway providing automatic streaming of data between networks, examples of which are as follows:

- File data streaming between locations (automatic and not subject to human-in-the-loop checking).
- Media data streaming, for example CCTV video and audio streaming across network boundaries.

Browse Down Gateway architectures and design are highly dependent upon the application security approaches and architectures deployed in the existing networks. Integration and realisation of the benefits available would rely upon a joint approach between Thales and the customer to develop the appropriate technical design, assurance, and operational processes.
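The two enforcement points described above, the File Transfer Gateway's policy-and-checking-engine path and the Browse Down diode pair whose reverse link exists only for flow control, modelled as an added example that is not Thales' code. Impact Levels are ordered as in the paper's glossary, a file released from a higher to a lower IL needs an explicit human approval, every file passes a checking engine, and the reverse diode accepts nothing but fixed one-byte flow-control tokens so no data can travel back. The allow-list, size limit, token set and all class and function names are assumptions made for the example.

```python
from dataclasses import dataclass

IL_RANK = {"IL0": 0, "IL3": 3, "IL4": 4}   # higher IL = more critical if leaked (glossary); constructed
ALLOWED_TYPES = {".pdf", ".txt", ".csv"}   # constructed checking-engine allow-list
MAX_BYTES = 10 * 1024 * 1024               # constructed size limit

@dataclass
class Transfer:
    src_il: str
    dst_il: str
    filename: str
    size: int
    approved_by: str = ""   # who approved a release to a lower IL, if anyone

def checking_engine(t: Transfer) -> str:
    # Content checks applied to every file whatever its direction; "" means clean.
    ext = t.filename[t.filename.rfind("."):].lower() if "." in t.filename else ""
    if ext not in ALLOWED_TYPES:
        return f"file type {ext or '(none)'} not in allow-list"
    if t.size > MAX_BYTES:
        return "exceeds size limit"
    return ""

def file_transfer_policy(t: Transfer) -> tuple[bool, str]:
    # File Transfer Gateway decision: (allowed, reason).
    problem = checking_engine(t)
    if problem:
        return False, problem
    if IL_RANK[t.src_il] > IL_RANK[t.dst_il] and not t.approved_by:
        return False, "release to lower IL needs approval"   # human in the loop
    return True, "permitted"

class BrowseDownDiode:
    # Data flows low_il -> high_il only; the reverse diode accepts a fixed set of
    # one-byte flow-control tokens (A=ack, P=pause, R=resume) and never data.
    FLOW_TOKENS = {b"A", b"P", b"R"}
    def __init__(self, low_il: str, high_il: str):
        self.low_il, self.high_il = low_il, high_il
        self.paused, self.delivered = False, []

    def forward(self, src_il: str, payload: bytes) -> bool:
        if src_il != self.low_il or self.paused:
            return False   # wrong direction, or the receiver asked us to pause
        self.delivered.append(payload)
        return True
    def reverse(self, token: bytes) -> bool:
        if token not in self.FLOW_TOKENS:
            return False   # anything other than a flow token is dropped
        self.paused = token == b"P"
        return True
```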
Conclusion

This white paper from Thales UK has shown how networks secured by Thales Gateway Services can protect the exchange of data across security domains for the customer. It has shown how Thales can provide secure Gateway Services across the requirement spectrum: Web, Mail, Cross Domain, Remote Access through to Monitoring & Management services.

Thales recognises Strength in Depth rather than a single level of protection as typically the lower risk route to countering the cyber threat to data and communication networks. Multiple defences and filters must be correctly integrated to achieve the highest levels of protection without introducing delays and over-complicated procedural measures.

Procuring the technology as a Managed Service is typically the best route to meeting required service levels underwritten through Service Level Agreements. There are multiple ways Gateways can be managed, either by Thales in its existing SOC capability, or supported by Thales on the customer's site. The key to the overall security of the network is extensive management functions, including Network Operations, combined with the protective monitoring provided by the Security Operations Centre. These functions can be deployed taking advantage of "As a Service" offerings. Alternatively, Thales can support the customer in developing their own NOC and SOC capabilities.

As a world leader in integrated security solutions, Thales can provide and implement secure networks. This will provide the customer with improved access to the information it requires whilst controlling and managing security risks. This white paper has only briefly examined the benefits, in terms of security and operational efficiency, that an integrated Thales Gateway architecture could deliver to the customer.

Thales UK therefore welcomes discussions with interested parties considering the implications and opportunities of secure networks. We are here to help you find a solution to your security requirements.

Connectivity is good. Secure connectivity is essential.
Appendix: Glossary

Gateway - A software and/or hardware network node device that acts as an access control point between two segregated network domains, which may or may not be of different classification.
Virus / Malware / Spyware - A form of malicious software designed to be installed / loaded on a user machine and executed without the user's knowledge. These terms are synonymous for the purposes of this product plan.
Inter Domain - An area of exchange between different network domains; these may operate at the same Impact Level or at different Impact Levels.
Impact Levels - A measure of the criticality of the data contained within a network if leaked into the public domain, e.g. IL3 networks contain data of lower criticality than IL4 networks.
Cross Domain Gateways - All Gateways provide a linkage between two distinct domains; however, Thales defines Cross Domain Gateways as Gateways that provide a specialised connection between domains for a specific data transfer purpose, e.g. CCTV video data streamed in real time, file streaming from one repository to another (automated), Citrix remote desktop clients.

Acronyms and Abbreviations

CDG - Cross Domain Gateway
FTP - File Transfer Protocol
IDS - Intrusion Detection Systems
IL - Impact Level
IPS - Intrusion Prevention Systems
NOC - Network Operations Centre
PSN - Public Services Network
SOC - Security Operations Centre
UK - United Kingdom
About Thales

Whenever critical decisions need to be made, Thales has a role to play. World-class technologies and the combined expertise of 65,000 employees in 56 locally based country operations make Thales a key player in assuring the security of citizens, infrastructure and nations in all the markets we serve: aerospace, space, ground transportation, security and defence.

Thales is a leading supplier of security technologies to secure your people, places and information. For more than 40 years, Thales has delivered state of the art physical and cyber security solutions to commercial, critical national infrastructure, government and military customers. In all, Thales delivers cyber security projects across 50 countries, with a global network of 1,500 information security specialists working with SME and research partners that provides it with deep expertise and the agility to deliver industry-leading solutions across the complete cyber spectrum.

Thales believes that Good Cyber is Good Business. Thales will help you refocus your security spend to defend your organisation and prevent significant loss of revenue and reputation. Thales will ensure your competitive advantage is maintained by being able to demonstrate resilient and secure use of cyberspace.

Why Thales?

Thales is a world leader in providing modular, integrated cyber security solutions to protect your people, places and information:

- Cyber incident response
- Audit, assessment and compliance
- Virtual enterprise and network simulation and testing
- System integration and assurance
- Training and skills

We are here to help - a Cyber Security partner you can trust:

- Global network of 1,500 information security specialists, building upon 40 years of experience
- Extensive domain knowledge of enterprise, defence, transport and energy sectors
- Trusted to secure 19 of the 20 largest banks and 80% of payment transactions worldwide

Contact Us

Thales UK Ltd, Mountbatten House, Basing View, Basingstoke RG21 4HJ, UK
Tel: +44 (0) 1256 376633
Email: cyber@uk.thalesgroup.com
Website: www.thalescyberassurance.com

© 2013 THALES UK LTD. This document and any data included are the property of Thales UK Ltd. No part of this document may be copied, reproduced, transmitted or utilised in any form or by any means without the prior written permission of Thales UK Limited having first been obtained. Thales has a policy of continuous development and improvement. Consequently the equipment may vary from the description and specification in this document. This document may not be considered as a contract specification. Graphics do not indicate use or endorsement of the featured equipment or services.