
A Cross Domain Solution (CDS) can be thought of as a firewall on steroids. Typically used between networks with different classification levels, a CDS provides a controlled interface at the network boundary. The CDS configuration determines what types of protocols and data can be exchanged between the networks. There are two broad categories of CDS: Transfer (files, streaming data) and Access (browsing, login). Data diodes are a subset of CDS that support only one-way traffic. CDSs come in many form factors, including enterprise, tactical, and cloud-based.
A significant difference between CDSs and general-purpose firewalls is the accreditation and authorization process. In the U.S., CDSs are evaluated against a set of requirements developed by the National Cross Domain Strategy & Management Office (NCDSMO). The requirements are updated annually to address emerging threats. Products are tested against them by an independent Government-sponsored lab, and must be updated periodically to remain in compliance. Compliant products are listed on the NCDSMO Baseline (which is classified). This process is known as Raise-the-Bar or RTB – our adversaries never stop, so systems have to continuously improve.
Why would you want a CDS?
If you have found this page, you are probably required to use a CDS because of the classification levels of the networks you are connecting. As cyber threats become increasingly complex, CDS technology is also finding commercial use for protecting the “crown jewels”. A CDS can be used effectively as long as there is a well-defined interface and boundary where the data can be controlled. For example, data diodes can often be used to protect the integrity of a Security Information and Event Management (SIEM) system – event information/logs are allowed in, but no interactive sessions are supported with the monitored network.
There are many reasons to AVOID using a CDS. They are expensive. Administering a CDS is challenging – installing, configuring, and monitoring require specialized skills and training. Unlike typical firewalls, CDSs are not flexible. They are designed to only allow specific data. Where they are needed, this is a good thing – flexibility is typically what trips up firewalls.
RTB Security is here for you
Understanding today’s complex network architectures and where various security mechanisms should be used is daunting. Understanding the RTB process and ever-evolving requirements is even worse. With decades of experience building, testing, certifying, deploying and maintaining network security solutions, we can provide assistance at every step in the journey.