Cases
The Fox DataDiode has been deployed in various cases to provide unique solutions which in the past were impossible to implement due to strict security or functionality requirements.
Lawful Interception
Service Providers intercept internet communications using wiretaps and hand this data over to Law Enforcement Agencies (LEA). ETSI has played a leading role in the standardisation of lawful interception since 1991. The ETSI LI standards specify, for instance, the Interception and Handover interfaces between the Service Providers and the LEA. A big challenge with these frameworks is to preserve network confidentiality while intercepted information is transported from the service provider into the LEA's isolated/classified network. An even bigger challenge is the interpretation and reconstruction of the intercepted data and transforming it into valuable (intelligence) information. Fox-IT has some of the answers for you: Fox DataDiode and FoxReplay Analyst.
Secure One-Way Connection
The goal of Law Enforcement Agencies (LEA) is to focus on the analysis of intercepted data and not to worry that analyzed information will leak back to public networks. Traditionally, data leakage from classified networks is prevented using Firewalls or Air Gaps. Although both solutions are well established, they are deficient in security: firewalls are based on software and rules and therefore can always be compromised, while Air Gaps require human intervention, which makes them never real-time and creates additional human-related security risks.
Secure Multi-Domain Desktop
Access to multiple differently classified domains has always been a cumbersome process. Due to security regulations, classified domains have to be physically segregated from each other. Users have to switch physically from one workplace to another, just to check their email or to upload a file. Fox DataDiode combined with a Keyboard, Video and Mouse (KVM) switch provides a flexible solution to data separation in the office.
Red/Black Segregation
Organizations currently handle confidential information on multiple separate computers, where classified (Red) information is stored on a Red computer and unclassified (Black) information is stored on a Black computer. In practice this means that the user has two computers, two monitors, two keyboards and two mice on his desktop. Also, due to the Red/Black segregation, transporting information from the Black to the Red computer has become a cumbersome process, since insecure transportation media have to be used.
KVM
KVM switches are used to access multiple computers through a single monitor, keyboard and mouse. This solution saves desktop space and gives the user a flexible way of switching between multiple computers and domains. Secure KVMs can be found in the Common Criteria Portal or the NATO Information Assurance Product Catalogue.
Secure Multi-Domain Desktop
One-way communication through the Fox DataDiode can be augmented with various applications which enhance the usability of a multi-domain desktop without degrading security:
- Drag and Drop file transfer
- Automated Mirroring
- Desktop Monitoring
- Email Forwarding
- Sharing Information
Sharing Secrets
Various organizations collect sensitive information and store it in (classified) internal networks. These organizations can benefit from each other by exchanging information efficiently without compromising the confidentiality of their entire internal networks. How can various organizations exchange classified information over the internet without leaking information?
Current Approach
Information about, e.g., suspicious individuals is collected and stored in (classified) internal networks which are physically segregated from other networks. To exchange information, media carriers such as USB sticks or CDs are used. The downside of this approach is the cumbersome process of exchanging information: it has to be done manually, it is not real-time and it introduces additional security risks.
Secure Approach
Connecting various organizations securely with each other over the Internet requires the use of Virtual Private Networks (VPN). The result is a secure tunnel which prevents adversaries from viewing communication between the organizations. To prevent unintended leakage of information from the classified network, a Data Diode is used. The advantage is that exchanged information is allowed to go into the classified network while ensuring that no information can leak out. For storage of shared information a mutually agreed network location is added, which is accessible by all organizations through the VPN.
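The applications listed under Secure Multi-Domain Desktop (Automated Mirroring, file transfer) and the Secure Approach above all rely on the same property: data crosses the diode in one direction only, so the receiver on the classified side can never acknowledge or request a retransmit. The simulation below, an added example that is not Fox-IT code and not the Fox DataDiode wire format (the framing, chunk size and redundancy scheme are constructed for illustration), shows what a one-way transfer protocol has to do instead: make every frame self-describing, send redundant copies, tolerate duplicates, and report gaps or an end-to-end hash mismatch on the high side.

```python
import hashlib
import struct

MAGIC = b"ONEW"                       # constructed framing tag for this example only
HDR = struct.Struct(">IIII")          # transfer id, seq, total, body length
HDR_LEN = len(MAGIC) + HDR.size + 32  # magic + header + sha256 of the whole payload

def encode_frames(transfer_id, payload, chunk_size=4):
    """Sender (low side): every frame is self-describing, since no ACK can ever come back."""
    total = max(1, (len(payload) + chunk_size - 1) // chunk_size)
    digest = hashlib.sha256(payload).digest()
    frames = []
    for seq in range(total):
        body = payload[seq * chunk_size:(seq + 1) * chunk_size]
        frames.append(MAGIC + HDR.pack(transfer_id, seq, total, len(body)) + digest + body)
    return frames

class DiodeReceiver:
    """Receiver (high side): tolerate duplicates, report gaps, verify the end-to-end hash."""
    def __init__(self):
        self.transfers = {}
    def accept(self, frame):
        if not frame.startswith(MAGIC) or len(frame) < HDR_LEN:
            return False  # malformed: drop it, there is no channel to complain on
        tid, seq, total, length = HDR.unpack(frame[len(MAGIC):len(MAGIC) + HDR.size])
        digest, body = frame[HDR_LEN - 32:HDR_LEN], frame[HDR_LEN:HDR_LEN + length]
        if len(body) != length or seq >= total:
            return False
        t = self.transfers.setdefault(tid, {"total": total, "digest": digest, "chunks": {}})
        if (t["total"], t["digest"]) != (total, digest):
            return False  # a conflicting transfer reusing the same id
        t["chunks"][seq] = body  # redundant copies simply overwrite
        return True
    def finish(self, tid):
        """Return (payload, problems); payload is None when chunks are missing or the hash fails."""
        t = self.transfers[tid]
        missing = [i for i in range(t["total"]) if i not in t["chunks"]]
        if missing:
            return None, missing
        data = b"".join(t["chunks"][i] for i in range(t["total"]))
        return (data, []) if hashlib.sha256(data).digest() == t["digest"] else (None, ["hash mismatch"])

def transfer(payload, tid=1, redundancy=2, drop=frozenset()):
    """Simulate one-way delivery: each frame is sent `redundancy` times; (seq, copy) pairs in `drop` are lost."""
    rx = DiodeReceiver()
    for copy in range(redundancy):
        for seq, frame in enumerate(encode_frames(tid, payload)):
            if (seq, copy) not in drop:
                rx.accept(frame)
    return rx.finish(tid)
```

Because nothing flows back, loss that exceeds the redundancy is only ever detected on the high side; in a real deployment that detection feeds monitoring on the classified network, not a retransmit request.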