Post on 30-May-2018

Copyright © 2015 Raytheon Company. All rights reserved.

Cross Domain Guards to Support All Missions

Jason Ostermann

Chief Engineer, Transfer Solutions

No export controlled data - IIS2015-536

Cross Domain and Need To Share

Cross Domain Solutions provide secure mechanisms to transmit data across security boundaries
– Between networks at different classifications, compartments, or under different authorities

Many missions are now dependent on using data from across a boundary and/or providing data across a boundary
– Stove-pipes are no longer effective

The need to share must be balanced against the need to protect
– What risk does the connection introduce to the environment?
– How is that risk captured and monitored?

11/11/2015 2

Cross Domain Trends


Dissolving Security Perimeter
Evolving Security Controls
Advancements in Data Driven Attacks
More Advanced Integrations
Increasing Connectivity
More Dangerous Threat Landscape
Evolving Requirements
Mobility and Cloud Computing
Increasing Data Mobility
Increasing Data Volume
Persistent Adversaries

Increasing Data Complexity

From Machine-to-Machine
– Fully automated, predictable interactions
To person-to-machine
– Typically complex unstructured data, on-demand processing
To person-to-person
– Immediate collaboration, complex data sharing

From well structured messages
– Simple formats posing little risk
To semi-structured files
– More opportunities for data hiding
To highly complex data
– Difficult to evaluate in an automated fashion


Breadth of Cross Domain Missions

Cross Domain Requirements Take Many Forms

Traditional guidance: use multiple solutions, each targeted at one requirement

Increasing Cross Domain Complexity

Ever increasing capabilities exert pressure on cross domain systems

Once upon a time, basic file transfers were sufficient
– Timelines were flexible, data was relatively basic

Modern systems require more advanced interfaces
– Enterprise integrations, real time messaging systems, strict latency requirements, standards based interfaces

Adapting enterprise systems to accommodate the CDS is no longer acceptable


Raytheon|Websense at a Glance


Locations
San Antonio, Garland, San Francisco, Salt Lake City, American Fork, Champaign, Dayton, Herndon, Annapolis Junction, Frederick, Boston, New York/New Jersey

Overview
Recent integration between Raytheon Cyber Products and Websense
400 employees focused on Government and advanced Commercial products
Headquarters: Austin, Texas and Herndon, Virginia
Broad portfolio of Commercial and Government security products

Enterprise Experience

Government Product Portfolio
Cross Domain Products
Government Market Focused
Trusted Thin Client®
Trusted Access Mobile
High Speed Guard™
Small Format Guard™
Trusted Gateway System™
Trusted Print Delivery™
Trusted Mail System™
WebShield
SimShield™

Commercial Product Portfolio
SureView® and TRITON® Products
Enterprise Market Focused
SureView® Analytics
SureView® Threat Protection
SureView® Insider Threat
SureView® Memory Integrity
TRITON APX
AP-WEB
AP-DATA
AP-EMAIL

SureView® Family of Products


Provides end-to-end visibility, context, and protection across enterprise

SureView Threat Protection: Detects zero-day attacks across web, email, and endpoints

SureView Insider Threat: Complete visibility into and context around end user activity and behavior

SureView Memory Integrity: Detect live malware on Linux

SureView Analytics: Rapid search, analysis, and visualization

Cross Domain Product Line


Access and Transfer Solutions

Trusted Thin Client® (ACCESS): Access to multiple networks at multiple levels from a single workstation

High Speed Guard™ (TRANSFER): Highly flexible automated machine-to-machine transfer system for structured data. “Back office”

Trusted Gateway System™ (TRANSFER): Manual inspection for sensitive high to low transfer of unstructured data. “Front office”.

Small Format Guard™ (TRANSFER): Tactical/embedded systems with little to no administration

WebShield (TRANSFER): Web browsing of lower trust networks from higher trust networks. “Browse down”

SimShield™ (TRANSFER): Live/Virtual/Constructive training and simulation low latency messaging.

Trusted Print Delivery™ (TRANSFER): Cross domain printing to consolidate and simplify print resources

Trusted Mail System™ (TRANSFER): Cross domain email for collaboration

High Speed Guard™

Secure transfer of real-time and bandwidth intensive information such as data feeds, live video streams, network monitoring and data ingest

Extensive support for highly complex automated transfer requirements of big data between multiple sensitive networks or clouds

Fully end-user maintainable

Sustains the industry’s fastest bi-directional transfer rates: 9Gb/s on a 2 CPU platform

Flexible data inspection engine for a wide variety of data formats and security requirements

Multiple application protocols, adaptable to custom interfaces for file transfer, messaging

Flexibility for real-world requirements

High Speed Guard Total Economic Impact Study (TEI)


Full report available @ raytheoncyber.com/resources

Small Format Guard™

Tactical, mobile missions (air, ground, sea) involving ongoing data collection (manned / unmanned)

Messaging, file transfer, video streaming in one system

Pre-configured mission profiles for rapid mission adaptation

Simplified operations and maintenance procedures

Custom hardware integration for mission-specific requirements

High Speed Guard™ reuse for A&A experience

Flexible data inspection engine

Enterprise-grade CDS for Tactical systems

Transfer Mechanisms


Flexible integration for how to move data

File Drop Boxes – Automated Secure Transfer
• Easy to integrate Secure Copy/SSH based transfers

Cross Domain SNMP – Scorpion
• Consolidated network management and operations for enterprise operations centers

Ultra High Data Rate UDP – Banshee
• Performance oriented capability for UDP messaging

Web Services, HTTP – Hunchback
• Flexible support for SOAP and REST over HTTP(S) and other HTTP services

Streaming Video – Hydra
• Live MPEG Transport Streams

High Performance File Transfer – JAS/DTP
• Unique protocol specifically to maximize system performance

Lightweight Adaptable Messaging – Gargoyle
• Support for custom TCP and UDP messaging protocols

Security Policies and Data Inspections

HSG/SFG focus on inspection policy rather than data types

Each deployment utilizes an inspection policy tailored to its requirements and risks

Data inspection policy language can evaluate almost any data type
– Capabilities within rule language and plugins determine level of effort to support

Operational systems inspect imagery (multiple formats), XML (multiple formats), DEM, imagery support files, inter-system messaging, GMTI, MPEG video, multiple proprietary formats
– Instantiations perform both low to high and high to low

Demonstrated capability for Cursor On Target, OTH-Gold, USMTF

Flexible inspections of what data to move

Rule Engine

Data inspections are executed by the rule engine

Same engine for all transfer methods
– Rules written in a plain-text command file
– Engine uses its own language with support for flow control, sequencing, native data types, comparisons, text evaluations and basic math statements
– Plugins available for enhanced data evaluations
– Provides detailed audit logging
– Training provided for the maintenance and update of rule sets
– Several deployments utilize over 50,000 logical lines of code

Rule language is similar to C
– Very easy learning curve for Unix system administrators

Highly adaptable to automate high to low policies

Flexible and extendable for emerging requirements

XML Support

XML parsing plugin provides native support for XML payloads
– Utilizes Xerces (C++) to provide a full complement of XML support

Rule engine supports partial-XML payloads
– i.e., XML header on large binary data files

Also supports extracting/parsing embedded XML
– i.e., dreaded CDATA escapes

Standard rule features support correlating disparate parts of the XML stream for complicated policies

Full support for XML namespaces

Operationally support excessively complicated XML schema sets
– Example: 200+ schemas required to define a service, with 40+ schemas required for each message

Raytheon|Websense can assist with evaluating and hardening XML schemas

Comprehensive support for all features of XML
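
A guard-style check for the embedded-XML case described on this slide, as an added Python example (it is not the HSG rule language and not Raytheon|Websense code). The tag allowlist, depth limit and sample messages are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Hypothetical policy: the only element names allowed across the boundary.
ALLOWED_TAGS = {"report", "track", "lat", "lon", "remarks", "detail"}
MAX_DEPTH = 2  # assumed limit on how deeply documents may be embedded

def inspect(xml_text, depth=0):
    """Return a list of policy violations; an empty list means the payload passes."""
    if depth > MAX_DEPTH:
        return [f"embedded XML nested deeper than {MAX_DEPTH}"]
    # Refuse DTDs outright so entity expansion never reaches the parser.
    if "<!DOCTYPE" in xml_text or "<!ENTITY" in xml_text:
        return [f"DTD or entity declaration (depth {depth})"]
    try:
        root = ET.fromstring(xml_text)
    except ET.ParseError:
        # Fail closed: text that carries markup but does not parse is rejected.
        return [f"unparseable markup (depth {depth})"]
    violations = []
    for elem in root.iter():
        if elem.tag not in ALLOWED_TAGS:
            violations.append(f"element <{elem.tag}> not allowed (depth {depth})")
        if elem.attrib:
            violations.append(f"attributes on <{elem.tag}> not allowed (depth {depth})")
        for text in (elem.text, elem.tail):
            # The parser returns CDATA sections and &lt; escapes as plain text,
            # so markup hidden that way shows up here as a literal "<".
            if text and "<" in text:
                violations.extend(inspect(text.strip(), depth + 1))
    return violations

# Constructed samples: same outer structure, different embedded content.
CLEAN = ("<report><track><lat>38.9</lat><lon>-77.4</lon></track>"
         "<remarks><![CDATA[<detail><lat>1.0</lat></detail>]]></remarks></report>")
HIDDEN = ("<report><remarks><![CDATA[<payload><lat>1.0</lat></payload>]]>"
          "</remarks></report>")
BOMB = '<!DOCTYPE r [<!ENTITY a "aaaa">]><report>&a;</report>'

if __name__ == "__main__":
    for name, doc in (("CLEAN", CLEAN), ("HIDDEN", HIDDEN), ("BOMB", BOMB)):
        print(name, inspect(doc) or "pass")
```

An inspection that validated only the outer document would pass HIDDEN, because the disallowed element exists only inside the CDATA section.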

HSG Consolidated Enterprise Administration

Physically separates graphical administration tasks from operational data flows
– Further reduces guard software size

Single admin supports ten or more guards, depending on log volume

Multiple guards administered by consolidated admin system
– Configuration Management
– Audit Log Reduction
– Real Time Alerting
– Backups
– Restoration
– Administrator Accounts

SFG Operations and Maintenance

Tactical deployments typically cannot support traditional CDS O&M requirements
– Distinct lack of specialized UNIX® administrators, monitoring

Simplified depot workstation applications perform day-to-day maintenance

SFG adopts the “mission profile” construct
– A mission profile is selected before the mission that defines data flows, policies and configurations
– Profile is loaded onto the SFG during platform initialization
– Audit data is extracted from SFG post-mission or in-mission as appropriate

Mission Profiles are evaluated as part of the A&A process
– Minimizes anti-tamper and handling restrictions

Designed for tactical environments

Audit Monitoring with ALERT

Audit Log Examination and Reduction Tool (ALERT), deployed since 2002

Provides a simple operator interface for reviewing significant events, plotting occurrences and reviewing raw logs

Enterprise-capable audit tool

Automated log parsing/reduction

Immediate notification via SNMP

Multi-platform
– Windows, Solaris, Red Hat Enterprise Linux

Assessment & Authorization (A&A)

Our experts ensure that the assessment and authorization of the system proceeds smoothly

A&A Professional Services

Professional Services Offerings

A&A Processes & Facilitation

• Guidance on best practices for each community and process

Tailored A&A Documents
• Deployment-specific documentation with reuse from common body of evidence

Assessment support
• Test plan/procedure development, dry run and formal execution

Authorization support
• Briefings to authorizing official(s), generation of Plan Of Action and Milestones (POAMs)

Trusted Agent
• Certifying Authority Services on behalf of Government customers

Testing Standards

NIST 800-37 (RMF) Based processes
• Selection and tailoring of NIST 800-53 controls and overlays
• Tailoring of System Security Plan (SSP) and related documentation
• Formal test event execution

Legacy Secret And Below Interoperability process
• Development of Cross Domain Appendix
• Support community briefings
• Deliver, train and support certification testing
• Support site test and evaluation including final reports

Community-specific processes
• Experience with wide variety of more unique processes utilized in specific scenarios

International authorization processes
• Facilitate information sharing between U.S. and partner nations

Summary

Performance – From high throughput dissemination to low latency messaging

– Large data transfers - up to 9Gb/s sustained throughput

– Small message transfers – operational @ 96,000 messages/sec

– < 10ms messaging latency

– Over 50 simultaneous HD video streams

– File transfers from 600 GB/day to 97TB/day

Interface – One solution for many requirements

– Web services, JMS messaging, streaming video, SNMP, custom protocols, file drop box, and file streaming protocols

Management – Comprehensive control and awareness

– Maintain operational relevancy without re-engineering

– Administer multiple enterprise units from a single point – dramatically reduced TCO

– Tailored to operate in a tactical environment


HSG and SFG provide unmatched flexibility

Questions?

Thank you for your time!

Jason Ostermann

Chief Engineer, Transfer Solutions


+1-972-205-5332

Jamie Hall

Director, International Sales


+1-703-615-7071
