Introduction to cross domain security
A Cross Domain Solution (CDS) is a system comprising security-enforcing functions tailored to mitigate the specific security risks of accessing or transferring information between security domains. A CDS may be an integrated appliance or, more commonly, be composed of discrete technologies or sub-systems, with each sub-system consisting of hardware and/or software components.
This section describes the security controls applicable to a CDS and extends the security controls within the prior gateways section, which are also applicable. Furthermore, the Guidelines for Data Transfers are also applicable to a CDS. Finally, additional sections of these guidelines should be consulted depending on the specific type of CDS deployed.
Personnel involved in the planning, analysis, design, implementation or assessment of a CDS should refer to the Australian Cyber Security Centre (ACSC)’s Introduction to Cross Domain Solutions and Fundamentals of Cross Domain Solutions publications.
Types of Cross Domain Solution
These guidelines define two logical types of CDS: a Transfer CDS and an Access CDS. These logical definitions are more closely aligned with how a CDS is described and sold by vendors and system integrators. Vendors may also offer a combined Access and Transfer solution.
Regardless of logical configuration, the underlying mechanisms in each CDS will consist of a low to high data transfer path, a high to low data transfer path, or both. Data filtering and other security controls are then applied to mitigate threats applicable to the system’s operating context, including specific data paths and business cases.
A Transfer CDS facilitates the transfer of information, in one (unidirectional) or multiple (bi-directional) directions, between different security domains.
An Access CDS provides the user with access to multiple security domains from a single device. Conceptually, an Access CDS allows remote interaction with one or multiple systems in a different security domain, such as a ‘virtual desktop’, and does not allow users to move data between security domains.
Applying the security controls
In all cases the gateway or CDS assumes the highest sensitivity or classification of the connected security domains.
When to implement a Cross Domain Solution
There are significant security risks associated with connecting highly classified systems to the internet or to a lower classified system. An adversary having control of, or access to, a gateway or CDS poses a serious security risk.
Security Control: 0626; Revision: 4; Updated: Sep-18; Applicability: S, TS
When connecting a highly classified network to any other network from a different security domain, a CDS is implemented.
Consultation when implementing or modifying a Cross Domain Solution
CDS environments can be complex to deploy and manage securely; as such, the likelihood of a network compromise is increased. Secure CDS implementations ensure that the security policy of each security domain involved is upheld in a robust manner across all physical and logical layers of the connection between domains.
Security Control: 0597; Revision: 6; Updated: Sep-18; Applicability: S, TS
When designing and deploying a CDS, the ACSC is notified and consulted; and directions provided by the ACSC are complied with.
Security Control: 0627; Revision: 5; Updated: Sep-18; Applicability: S, TS
When introducing additional connectivity to a CDS, such as adding a new gateway to a common network, the ACSC is consulted on the impact to the security of the CDS; and directions provided by the ACSC are complied with.
Separation of data flows
A CDS connecting highly classified systems to other potentially internet-connected systems should implement robust security enforcing functions, including content filtering and isolated paths, to ensure data flows are appropriately controlled.
Security Control: 0635; Revision: 5; Updated: Dec-19; Applicability: S, TS
A CDS between a highly classified network and any other network implements isolated upward and downward network paths.
Security Control: 1521; Revision: 1; Updated: Dec-19; Applicability: S, TS
A CDS between a highly classified network and any other network implements protocol breaks at each layer of the OSI model.
Security Control: 1522; Revision: 1; Updated: Dec-19; Applicability: S, TS
A CDS between a highly classified network and any other network implements content filtering and separate independent security-enforcing components for upward and downward data flows.
In addition to the security controls listed in the event logging and auditing section of the Guidelines for System Monitoring, a CDS should have comprehensive logging capabilities to establish accountability for all actions performed by users. Effective logging practices can increase the likelihood that unauthorised behaviour will be detected.
Due to the criticality of data import and export functions provided by a CDS, organisations should regularly assess the performance of a CDS’s data transfer policies against the security policies the CDS has been deployed to enforce.
Security Control: 0670; Revision: 4; Updated: Sep-18; Applicability: S, TS
All security-relevant events generated by a CDS are logged and regularly analysed.
Security Control: 1523; Revision: 0; Updated: Sep-18; Applicability: S, TS
A representative sample of security events generated by a CDS, relating to the enforcement of data transfer policies, is taken at least every 3 months and assessed against the security policies that the CDS is responsible for enforcing between security domains.
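One way to carry out the periodic assessment described above, as an added example that is not part of the ACSC guidance: draw a reproducible sample from every data path and outcome, re-derive the decision the policy requires, and report events where the logged decision disagrees. The policy, field names and events are hypothetical and constructed for illustration.

```python
import random
from collections import defaultdict

# Hypothetical transfer policy for illustration; a real CDS policy is site-specific.
RANK = {"OFFICIAL": 0, "PROTECTED": 1, "SECRET": 2}
POLICY = {
    "low_to_high": {"types": {"pdf", "txt", "xml"}, "max_label": "SECRET"},
    "high_to_low": {"types": {"txt"}, "max_label": "OFFICIAL"},
}

# Constructed sample events (not real CDS log output).
EVENTS = [
    {"id": 1, "path": "low_to_high", "type": "pdf", "label": "OFFICIAL", "decision": "release"},
    {"id": 2, "path": "low_to_high", "type": "exe", "label": "OFFICIAL", "decision": "block"},
    {"id": 3, "path": "high_to_low", "type": "txt", "label": "OFFICIAL", "decision": "release"},
    {"id": 4, "path": "high_to_low", "type": "txt", "label": "SECRET", "decision": "release"},
    {"id": 5, "path": "high_to_low", "type": "pdf", "label": "OFFICIAL", "decision": "block"},
    {"id": 6, "path": "low_to_high", "type": "xml", "label": "OFFICIAL", "decision": "block"},
]

def expected_decision(event, policy=POLICY):
    """Re-derive what the policy requires, independently of the logged outcome."""
    rule = policy.get(event["path"])
    if rule is None:
        return "block", "unknown data path"  # fail closed
    if event["type"] not in rule["types"]:
        return "block", "file type not permitted on this path"
    if RANK.get(event["label"], len(RANK)) > RANK[rule["max_label"]]:
        return "block", "label exceeds path ceiling"  # unknown labels rank highest
    return "release", "permitted by policy"

def stratified_sample(events, per_stratum, seed):
    """Sample each (path, decision) stratum so both paths and both outcomes are covered."""
    strata = defaultdict(list)
    for e in events:
        strata[(e["path"], e["decision"])].append(e)
    rng = random.Random(seed)  # seeded so the review can be reproduced
    picked = []
    for key in sorted(strata):
        picked += rng.sample(strata[key], min(per_stratum, len(strata[key])))
    return picked

def assess(sample, policy=POLICY):
    """Return sampled events whose logged decision disagrees with the policy."""
    findings = []
    for e in sample:
        want, reason = expected_decision(e, policy)
        if want != e["decision"]:
            findings.append({"id": e["id"], "logged": e["decision"], "expected": want, "reason": reason})
    return sorted(findings, key=lambda f: f["id"])
```

Calling `assess(stratified_sample(EVENTS, per_stratum=2, seed=1523))` on the constructed events reports event 4 (released on the downward path above its label ceiling) and event 6 (blocked although the policy permits it).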
It is important that users know how to use a CDS securely. This can be achieved via training before access is granted, and reinforced by logon banners and awareness messages.
Security Control: 0610; Revision: 6; Updated: Apr-19; Applicability: O, P, S, TS
Users are trained on the secure use of a CDS before access to the CDS is granted.
Further information on topics covered in this section can be found in the following cyber security guidelines:
- Guidelines for Cyber Security Incidents
- Guidelines for Physical Security
- Guidelines for Evaluated Products
- Guidelines for ICT Equipment
- Guidelines for System Hardening
- Guidelines for System Management
- Guidelines for System Monitoring
- Guidelines for Networking
- Guidelines for Data Transfers.
Further information on the basics of a CDS can be found in the ACSC’s Introduction to Cross Domain Solutions publication at https://www.cyber.gov.au/acsc/view-all-content/publications/introduction-to-cross-domain-solutions.
Further information on the fundamentals of a CDS can be found in the ACSC’s Fundamentals of Cross Domain Solutions publication at https://www.cyber.gov.au/acsc/view-all-content/publications/fundamentals-of-cross-domain-solutions.