
What are Cross Domain Solutions (CDS)?

A cross domain solution (CDS) is a system that allows users to safely transfer information between domains with differing security levels.

Data is the most valuable resource for many organisations. Traditional approaches to ringfencing sensitive networks are no longer sufficient in a world that demands bidirectional communication for work and cloud services. Connectivity, however, introduces new vulnerabilities. To address these challenges, organisations—especially those handling sensitive information, like government departments—differentiate between 'high' and 'low' trust domains based on data security classifications. 

For example, while a police force's database of witnesses and suspects resides in a high-trust domain, officers may also need access to lower-trust services such as email. A CDS creates secure end-to-end connectivity between IT systems with differing trust levels, blocking cyber-attacks and potential data loss. Unlike traditional firewalls, which focus on software-based network segregation, a CDS enforces security measures at the hardware level, offering protection against network protocol attacks, content-based attacks and unauthorised data export. This allows organisations to maintain robust data security while ensuring the necessary information flow across different trust domains.

What are the types of Cross Domain Solutions?

When considering cyber technology strategies, there are three types of CDS to consider:

1. Software CDS

A software CDS uses only software to transfer data between different security domains. The most common example is a firewall. Typically, software offers flexibility, as it can be easily updated, and is cost-effective, but it is itself vulnerable to cyber-attacks.

2. Hardware-only CDS

A hardware-only CDS uses physical hardware devices to transfer data between different security domains. These are more secure because they guarantee one-way data flow and are purpose-built, but they lack the flexibility of software-based solutions.

3. Hybrid CDS

A hybrid CDS combines both hardware and software, providing a flexible, scalable and secure solution. A hybrid CDS gives the increased security of the hardware while offering the flexibility of the software.

Types of Cross Domain Solutions

Why would I use Cross Domain Solutions?

Cross Domain Solutions are essential in environments where the risk of exposing sensitive or classified information is high and traditional security measures such as firewalls and intrusion detection systems (IDS) are not enough. Traditionally, CDS have been used primarily in central government departments such as the Ministry of Defence, law enforcement and intelligence agencies. However, their decreasing cost has made them accessible to a wider range of applications, including critical national infrastructure (e.g. rail networks, power plants, nuclear decommissioning sites, healthcare systems and financial services).

Managing cyber risks

How do hybrid Cross Domain Solutions work?

Typically, a CDS integrates hardware and software components for secure data transfer:

  • Hardware (e.g. a data diode) links the low-security network to the high-security network and allows data to flow in one direction only. This protects against network protocol attacks by breaking the protocol at the hardware level and reconstructing it securely. Data diodes often also inspect the structure of the data.
  • Software (e.g. a firewall) monitors and manages incoming and outgoing network traffic, acting as a protective barrier. Software on the low-security network prepares the data for transfer, while software on the high-security network verifies and secures the data before it is released.

Oakdoor® data diodes perform several critical functions

Oakdoor® Hardware Security Solutions provide uncompromising protection to data, safeguard sensitive information, and guard critical networks. With robust security features, seamless integration, and compatibility with existing infrastructure, Oakdoor® cyber security hardware provides a critical layer of protection against cyber threats – enabling organisations to remain compliant, mitigate risks, and safeguard their valuable assets.

  • Network protocol attack protection: When importing data, the diode forces a protocol break that terminates a transmission path, extracts the information from the data flow, and starts a new transmission path. It removes potentially malicious protocol content and wraps the information in known good protocol headers before transmitting it into the high domain.
  • Content-based attack protection: Uses hardware-enforced syntactic and semantic verification to confirm the content coming into the network is malware- and error-free.
  • Protection against the unauthorised export of information: Enforces a one-way data flow, ensuring only authorised data types enter and leave the high-trust domain.
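As an added illustration of the import path described above (protocol break, syntactic verification, re-wrapping in known-good headers, and strictly one-way flow), here is a toy Python model. It is example code written for this page, not Oakdoor's own implementation or firmware; the low-side wire format, the field allow-list in SCHEMA and the sample frames are all constructed assumptions, and a real diode enforces these steps in hardware rather than in a Python process.

```python
"""Toy model of a CDS import path: protocol break, syntactic verification,
and re-wrapping in a known-good header before release into the high domain."""
import json
import re
import struct

# Constructed, hypothetical low-side transport: a magic value, a sender-chosen
# header block terminated by a blank line, then a 4-byte big-endian length and
# a JSON body. Everything in the header block is untrusted and is discarded.
LOW_MAGIC = b"LOW1"
HIGH_MAGIC = b"CDS1"          # known-good header written on the high side
MAX_BODY = 1024               # hard upper bound on an accepted body

# Hypothetical allow-list for the single record type this diode will import:
# field name -> (required Python type, value check).
SCHEMA = {
    "sensor_id": (str, re.compile(r"[A-Z]{2}-[0-9]{4}").fullmatch),
    "reading": (float, lambda v: -100.0 <= v <= 100.0),
    "ts": (int, lambda v: 0 <= v < 2**32),
}


def protocol_break(frame: bytes) -> bytes:
    """Terminate the low-side transport and hand back only the body bytes.

    The header block is parsed just far enough to locate the body and is then
    dropped, so no sender-controlled header survives the break."""
    if not frame.startswith(LOW_MAGIC):
        raise ValueError("bad transport magic")
    sep = frame.find(b"\r\n\r\n", len(LOW_MAGIC))
    if sep < 0:
        raise ValueError("unterminated header block")
    start = sep + 4
    if len(frame) < start + 4:
        raise ValueError("truncated length field")
    (length,) = struct.unpack(">I", frame[start:start + 4])
    if length > MAX_BODY:
        raise ValueError("body exceeds MAX_BODY")
    body = frame[start + 4:start + 4 + length]
    if len(body) != length:
        raise ValueError("body shorter than declared length")
    if frame[start + 4 + length:]:
        raise ValueError("trailing bytes after body")
    return body


def verify_syntax(body: bytes) -> dict:
    """Syntactic verification: the body must be exactly one flat JSON object
    whose key set, value types and value ranges match SCHEMA."""
    record = json.loads(body.decode("ascii"))   # non-ASCII bytes are rejected
    if not isinstance(record, dict) or set(record) != set(SCHEMA):
        raise ValueError("unexpected key set")
    for key, (typ, ok) in SCHEMA.items():
        value = record[key]
        # bool is a subclass of int in Python, so exclude it explicitly
        if isinstance(value, bool) or not isinstance(value, typ) or not ok(value):
            raise ValueError(f"field {key} failed verification")
    return record


def rewrap(record: dict) -> bytes:
    """Re-serialise the verified record canonically under the known-good
    high-side header instead of forwarding the original bytes."""
    canonical = json.dumps(record, sort_keys=True, separators=(",", ":")).encode("ascii")
    return HIGH_MAGIC + struct.pack(">I", len(canonical)) + canonical


def import_frame(frame: bytes):
    """Full import path. Returns the high-side frame, or None when rejected.
    Nothing is ever returned toward the low side, modelling one-way flow."""
    try:
        return rewrap(verify_syntax(protocol_break(frame)))
    except ValueError:      # JSONDecodeError and UnicodeDecodeError are ValueErrors
        return None


def low_frame(headers: bytes, body: bytes) -> bytes:
    """Build a constructed low-side frame for the sample traffic below."""
    return LOW_MAGIC + headers + b"\r\n\r\n" + struct.pack(">I", len(body)) + body


# Constructed sample traffic (not captured from any real system)
GOOD = low_frame(b"X-Sender: plant-a\r\nX-Vendor-Opt: 1",
                 b'{"ts": 1700000000, "sensor_id": "PL-0042", "reading": 21.5}')
EXTRA_KEY = low_frame(b"X-Sender: plant-a",
                      b'{"ts": 1700000000, "sensor_id": "PL-0042", "reading": 21.5, "cmd": "x"}')
NESTED = low_frame(b"", b'{"ts": 1, "sensor_id": "PL-0042", "reading": {"v": 1}}')
OVERSIZE = low_frame(b"", b"{" + b" " * 2000 + b"}")

if __name__ == "__main__":
    for name, frame in [("good", GOOD), ("extra key", EXTRA_KEY),
                        ("nested", NESTED), ("oversize", OVERSIZE)]:
        print(name, "->", import_frame(frame))
```

Three properties of the page's description are visible in the output: the sender's header block never reaches the high side, the body is re-serialised from a verified record rather than forwarded as received, and a rejected frame produces nothing at all on either side, so a sender on the low side learns nothing from the diode's decision.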

How to design the most optimal Cross Domain Solution?

Considerations when choosing a Cross Domain Solution

To create the most effective Cross Domain Solution (CDS), it is crucial to integrate the hardware and software components seamlessly. A CDS bridging a low- and a high-security network can serve many users and carry large volumes of data, so the data rates and capabilities of its hardware and software elements must be balanced against each other.

For example, the Oakdoor 10 Gigabit data diode addresses the need for high data throughput in applications like video streaming, ensuring efficient and secure data flow while maintaining a seamless user experience.

When designing your CDS, consider compatibility between hardware and software so both components work together effectively and consider your data requirements to tailor your CDS to the specific needs of your application.

Advice on the latest techniques for protecting against cyber-attack is available from organisations such as the NCSC (UK) or the NCDSMO (USA). Their guidance starts at the architectural level, ensuring that data is protected at rest and in transit, and goes right down to the lowest levels of the protocol. This ensures that systems and data are protected against both network and content-based attacks.

Guidance for Cross Domain Solutions

Frequently Asked Questions

What are the benefits of using Cross Domain Solutions?

  • Enhanced security for sensitive data 
  • Protection against more sophisticated cyber attacks

Do Cross Domain Solutions have any disadvantages?

  • Higher cost than traditional software-based solutions
  • Requires specialised knowledge to implement effectively


Is a data diode a Cross Domain Solution?

A data diode is the hardware component within a CDS used for enforcing unidirectional data flow. The Oakdoor Import Diodes also implement syntactic-verification content inspection.


What is a high to low Cross Domain Solution?

A CDS that facilitates secure data transfer from a high-security domain to a lower-security domain. This is typically labelled as data export.


What is the difference between a Cross Domain Solution and a firewall?

A firewall focuses on network traffic management and is software-based, though it may use a number of integrated hardware accelerators for key functions. A CDS uses hardware content verification to protect the software stages that follow it, giving more robust security across different trust domains.
