
RTCS_TrustedGatewaySystem_datasheet

Jun 22, 2015


kris7598


Secure Multi-Directional Data Transfer

Trusted Gateway System™

• User-friendly web interface minimizes the need for training and support.

• Transfers files through data push or email.

• Included in the UCDMO Baseline.

• Quick Release feature simplifies file or text transfers and can be used as a secure chat mechanism when permitted by site security policy.

• Ability to create templates containing frequently used data allowing users to create jobs with a single click.

• Support for multi-channel, multi-directional transfers with one system.

• Simple workflow guides users through each transfer, enforcing Reliable (two-person) Human Review.

• Support for username/password and public key infrastructure (PKI) authentication mechanisms.

Cross Domain Transfer for Secure Information Sharing

The 9/11 Commission identified that information sharing between international, federal, state, local, tribal, and private sector entities is a recognized and legislated need in the fight against terrorism. The Intelligence Community continues its work to enable secure cross-agency collaboration. The term “need to know” has been replaced with “need to share” or “responsibility to provide.” Secure information exchange, collaboration, and data sharing are goals we must reach to protect national security, but they have not been easy to achieve.

To protect our citizens and national assets, government agencies are required to access critical data stored on separate networks managed and maintained by disparate agencies. Frequently, information stored on a high-side network needs to be transferred to a low-side network for use by another agency or organization. This sensitive data may be a single document, or large data sets with imagery, maps, multiple documents, and databases that must be moved quickly and securely to prevent viruses and network intrusions. Critical data must be transferred between and across networks to the right people at the right time, keeping it secure and protecting against the unintended release of sensitive information into the wrong hands.

By deploying a cross domain information transfer system to enforce role-based access, workflow tasks, and secure file management and controls, agencies and organizations can efficiently ensure the quick and secure sharing of information.

Trusted Gateway System

Trusted Gateway System™ (TGS) is an accredited Commercial-Off-The-Shelf (COTS) software solution that provides exceptional built-in manual review and automatic validations, such as virus scanning, dirty word search, and deep content inspection, enabling safe and simultaneous data movement between networks at different sensitivity levels. Because TGS can move data between multiple networks simultaneously, it is also known as a “multi-directional guard.”

TGS can be operated in a single server configuration that provides the physical connections to multiple classified networks, maintaining network separation and enforcing customer-configured transfer policies. The server, or guard, runs on Red Hat® Enterprise Linux® 64-bit systems with Security Enhanced Linux (SELinux) components providing stringent security controls (Figure 1).

Features and Benefits:


www.TrustedCS.com


TGS is identified on the Unified Cross Domain Management Office (UCDMO) Cross Domain Baseline list as an approved cross domain transfer solution. Because TGS is an operationally accredited system, the Certification and Accreditation (C&A) process is streamlined for individual installations.

Secure Transfer Workflows

TGS provides users various mechanisms, or workflows, to support the most efficient transfer processes. Three workflows utilize the graphical user interface (GUI): Reliable Human Review (RHR) (web-based); Self Release (web-based); and Quick Release (application-based). In addition, TGS can create digitally signed bundles, containing job files and other security information, which can be made available for manual release in support of existing workflow processes outside of TGS. Individual site security policy determines which workflows can be used.

Regardless of the workflows or combinations instituted, data movement can occur to and from an unlimited number of approved classified networks. File transfer occurs by data push or email distribution. Any-to-any classification level transfer and multiple file transfer requests are supported.

Reliable Human Review (RHR)

The two-person review and release process is typically used for all high-to-low classification transfers. In support of this process, the TGS web-based interface enforces the use of two standard roles, Producer and Releaser, for job creation and transfer (Figure 2). RHR requires that a person responsible for assembling and submitting jobs for transfer is assigned the Producer role, and that a person responsible for review and approval (release) of a job is assigned the Releaser role. Releasers must also open each file in the job and accept any dirty word search results before the job can be approved for release to the designated network(s). A standard workflow is depicted in Figure 3.

Figure 1: Typical Trusted Gateway System Architecture

Self Release

Self Release allows users to create a job and send it to approved destinations (after passing all validations) in one step without requiring the RHR process. Self Release users must be granted the Self Release role. Additional permission granularity can be achieved by limiting Self Release to specific destinations. For example, Jane may be authorized to approve her own file transfers when releasing to Network A; however, when moving files to Network B she must specify the appropriate Releaser.

Quick Release

Quick Release simplifies the transfer process for files or text (Figure 4). The Quick Release GUI resembles an instant messaging application and provides the ability to rapidly transfer data to configured levels from a Microsoft® Windows® desktop. Users type or copy and paste text and click a button, or drag and drop files to send the information through TGS to the selected destination. Files or text are delivered to users directly through extensible messaging and presence protocol (XMPP). TGS conducts all configured validations including virus scanning, dirty word searching, and content inspection before the information is permitted to pass. If any validation issues are found, the web-based application is launched for the user to review the file. The Quick Release option is disabled by default.

Automated Transfer

As with the manual workflows described earlier, the automated transfer process enforces all configured validations to include virus scanning, dirty word searching, and content inspection. Depending on the site configuration, a file that fails the automated transfer process is either deleted from the guard or archived.

TGS provides an automated bulk transfer mechanism that supports direct file transfers, using Secure Copy Protocol (SCP), from a configured network to the appropriate destination. For security reasons, only configured hosts can access the input directory through SCP. All other connection attempts are denied.

An optional service can be included on a Windows system (2000 or later) allowing users to maintain local input directories. This service monitors the local folder and automatically copies the file for processing. A right-click shortcut allows users to send files to defined destinations, which can be secure file transfer protocol (SFTP) servers, FTP servers, or email addresses at permitted classification levels.

File Transfer Security Controls

Regardless of how the transfer request is initiated, TGS manages the process to ensure approved file movement between secure networks and across classification levels following site security policies. By default, all files are required to pass two controls prior to movement, virus scanning and file typing. Dirty word search, content inspection, and manual file review can be configured to meet specific requirements.

Virus Scanning

TGS permits the virus scanning engine to be customized. A site can elect to exclude certain trusted file types from virus scanning to enhance performance.

File Type Verification

The different varieties of file type checking supported by TGS are extension matching, XML validation, Raytheon Trusted Computer Solutions (RTCS) signature algorithm, and third party algorithm, all of which are configurable. File verification signatures can be customized to accommodate unique file types, configured by both source and destination policies and XML files can be validated against site-specific schemas.

[Figure 1 diagram labels: SecureOffice Trusted Gateway System, Secure Multi-Directional Information Transfer; Workflow; Network A, Network B, Network C, Network D; Servers; Users]

Figure 2: Initial Job Creation Interface

800.230.1307

Figure 3: Reliable Human Review Workflow

Dirty Word Search

TGS checks files for sensitive or “dirty” words that should not be released to other networks. This control also allows the designation of “clean” words, which are common words that contain dirty words. For example, the word “secretary” contains the embedded word “secret” but it is considered a false positive and can be ignored. System administrators can create and customize a master list of dirty and clean words, as well as lists that are used with specific source and destination network pairs. Once these lists and transfer pair rules are configured, each file uploaded to TGS is searched against the list for matches.

If dirty words are found, the user is given the option to acknowledge and allow the word (Figure 5). The user’s acceptance of each dirty word is recorded and stored in an auditable database. All dirty words must be acknowledged before the transfer containing the flagged file can be submitted for release. All actions and overrides are stored.
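The dirty/clean word check and acknowledgement gate described above, sketched as an added example; it is not TGS code and does not come from the datasheet. The network names, word lists, and function names are hypothetical, and treating a clean word as a whole-word match only (so "undersecretary's" is still flagged) is an assumption chosen to fail closed.

```python
import re
from dataclasses import dataclass, field


@dataclass
class WordPolicy:
    dirty: set = field(default_factory=set)
    clean: set = field(default_factory=set)


@dataclass(frozen=True)
class Hit:
    dirty_word: str
    offset: int
    context: str  # whole whitespace-delimited token containing the hit


def merged_policy(master, pair_lists, source, dest):
    """Master list plus the list configured for this source/destination pair."""
    extra = pair_lists.get((source, dest), WordPolicy())
    return WordPolicy(master.dirty | extra.dirty, master.clean | extra.clean)


def find_dirty_words(text, policy):
    """Case-insensitive substring search for dirty words; a hit is dropped only
    when it lies entirely inside a whole-word occurrence of a clean word."""
    clean_spans = [m.span()
                   for w in policy.clean
                   for m in re.finditer(r"\b" + re.escape(w) + r"\b", text, re.I)]
    hits = []
    for w in policy.dirty:
        for m in re.finditer(re.escape(w), text, re.I):
            s, e = m.span()
            if any(cs <= s and e <= ce for cs, ce in clean_spans):
                continue  # e.g. "secret" inside "secretary"
            token = (re.search(r"\S*\Z", text[:s]).group()
                     + re.match(r"\S*", text[s:]).group())
            hits.append(Hit(w, s, token))
    return sorted(hits, key=lambda h: h.offset)


def release_gate(hits, acknowledged_offsets, user, audit_log):
    """Log each acknowledgement; submission is allowed only when none is pending."""
    pending = []
    for h in hits:
        if h.offset in acknowledged_offsets:
            audit_log.append({"user": user, "word": h.dirty_word,
                              "offset": h.offset, "context": h.context})
        else:
            pending.append(h)
    return (not pending), pending


# Constructed sample policy and document text (not from the datasheet).
MASTER = WordPolicy(dirty={"secret"}, clean={"secretary"})
PAIR_LISTS = {("NetA", "NetB"): WordPolicy(dirty={"bluefin"})}
SAMPLE = ("The secretary filed the SECRET annex.\n"
          "The top-secret tab and the undersecretary's BLUEFIN notes follow.")

if __name__ == "__main__":
    audit = []
    found = find_dirty_words(SAMPLE, merged_policy(MASTER, PAIR_LISTS, "NetA", "NetB"))
    for h in found:
        print(h)
    print(release_gate(found, {found[0].offset}, "producer1", audit))
```

The same file produces a different hit list for each source/destination pair, which is why the pair-specific list is merged before the search rather than applied afterwards.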

Content Inspection

When TGS is configured for content inspection, files such as Microsoft Office and portable document format (PDF) are scanned to identify and remove a wide range of hidden or embedded data and metadata. This option provides added prevention against inadvertent or malicious disclosure of sensitive or proprietary information when documents are released.

User Access Administration Controls

User access and authorization controls (username, password, Public Key Infrastructure (PKI) X.509 digital certificates, clearance level, and group management) are configured and managed within the server or tied into a pre-existing Microsoft Active Directory® server or Lightweight Directory Access Protocol (LDAP) directory server on the high-side network. Utilizing a pre-existing LDAP or Active Directory server eliminates the need to manage user accounts on the server, thus reducing the administrative overhead.

System administrators can create and manage end users directly from the server or through an easy to use web-based application. The web-based application is enabled only for specific users configured with “account administrator” privileges. Such users have the ability to perform basic account maintenance without a system administrator. TGS authorization policies are configured per transfer path, per user, or per group. Authorizations allow or restrict access to system resources, for example, allowing a user to produce a job but not release it or allowing a user to self release a job to a limited number of destinations.

Customizable Group Authorizations

System administrators can create groups of users with authorizations to specific destinations. A Producer group is authorized to submit transfers to one or more destinations. A Releaser group is authorized to release transfers to one or more destinations. Producer groups are assigned to one or more Releaser groups. When creating a job, a Producer can only select Releasers from an associated group. The local TGS database or remote LDAP server manages the group assignment.

Protecting Communication

TGS provides configuration information for application initialization and communication services. Each network interface on the server connects to a different security domain and is protected by physical separation externally and best-of-breed security technologies internally. All authorized login attempts are logged. The server silently rejects all communications from unauthorized systems. This greatly reduces security exposure because the systems and protocols are limited to only those needed for TGS to operate.

[Figure 3 diagram: workflow steps by role]

Producers:
• Access the web-based interface.
• Select pre-established job template containing Destinations and Releasers.
• Select files for transfer.

The Guard:
• Manages validations: virus scanning, file type checking, dirty word searching, and content inspection (as configured).
• Verifies all Producers, Releasers, and Destinations.
• Returns all results to the Producer.

Producers:
• Submit the transfer request if all validations pass.

Releasers:
• Review the Destinations.
• Review all attached files in their native format.
• Review and verify all validation results.
• Review the transfer request upon approval.

The Guard:
• Verifies that all steps and validations have been performed.
• Moves the files as specified in the request.
• Logs the transfer and all related validation results.

Figure 4: Quick Release Workflow

[Figure 4 diagram: workflow steps]
• User selects Destination.
• User drops files to send OR user types text to send.
• TGS Guard: the guard processes the text or files, then releases and archives AND sends the text or files to Quick Discover at the Destination.
• Quick Discover sends the text or files via the XMPP server to Quick Release and then deletes its copies.
• Quick Release displays the text OR prompts the user to save or discard files.


For further information contact:
Raytheon Trusted Computer Solutions
12950 Worldgate Drive, Suite 600
Herndon, VA 20170
866.230.1307
www.TrustedCS.com


Trusted Gateway System is a trademark of Raytheon Trusted Computer Solutions, Inc. All other trademarks and registered trademarks are the property of their respective owners.

Cleared for public release. Reference #2011-223. Copyright ©2011 Raytheon Trusted Computer Solutions Inc. All rights reserved. Printed in the U.S.A. WM 05/11 2500 200121.0511

The interface between the web-based application and the server is secured by encapsulating network traffic using Secure Socket Layer (SSL) with a configurable encryption algorithm. Outbound communications from the server to each network are secured through FTP over IPSec (SFTP is also supported).

Encrypted communication connections are maintained throughout the data transfer process with SCP over Secure Shell (SSH) for low-to-high transfers and SSL transmission security for high-to-low transfers.

Administration and Management

TGS administration and management is performed by a system administrator, with the appropriate permissions from the server or remotely through the Remote Access Console (RAC).

Auditing

TGS provides an Auditor role. With this role users can review jobs and create status reports from the TGS web interface based on specified criteria. For example, Auditors can generate reports detailing when the dirty word search has been overridden for all files transferred in the last week. Auditors can export reports in CSV, Excel®, and XML formats.

Additionally, the TGS server generates application logs and the operating system collects detailed audit records to track use and activity. This log and audit data can also be pushed to a centralized enterprise storage location.

Remote Access Console (RAC)

RAC is used to centrally manage and access Protection Level 4 (PL4)-capable servers over a secure connection. RAC provides scalable remote access that can be utilized from any authorized location on the network where the servers reside. RAC uses Keyboard, Video, Mouse (KVM)-over-IP capabilities that enable an authorized user “console” access as if he or she were seated at the attached device.

Certification and Accreditation (C&A)

TGS is engineered to satisfy cross domain security requirements for the Top Secret/SCI and Below Interoperability (TSABI) and Secret and Below Interoperability (SABI) C&A processes. RTCS cross domain products are installed and accredited in operational systems around the world.

Conclusion

With hundreds of government clients and more than a decade and a half of success, Raytheon Trusted Computer Solutions (RTCS) is an industry leader in cross domain solutions. The company’s products have a proven track record of proactively preventing government and commercial organizations from being compromised, while fostering the secure access and transfer of information. This allows the RTCS cross domain solutions to strike the right balance between information protection and information sharing — a vital component to national security. TGS is a secure transfer solution that solves the difficult problem of satisfying security needs while enhancing information sharing. TGS provides the ability to quickly and securely move data between and within classification levels. TGS is designed to satisfy the information assurance accrediting community requirements, eliminate potential leaks and risks, and provide users with an easy to use workflow application. All RTCS solutions have been designed to meet or exceed extensive and rigorous security C&A testing by the Defense Intelligence Agency (DIA) and the National Security Agency (NSA) for simultaneous connections to various networks at different security levels. RTCS offers an experienced professional services team to guide customers through the technical implementation and C&A processes.

[Figure 6 diagram labels: Member of; Allowed Releasers; Producer Groups; Releaser Groups. Users: Fred, Bob, Jonathan. Groups: DH Attachés, DI Analysts, DJ Watch Officers; DH Collection Managers, DI Editors, DJ Watch Officers.]

Figure 6: Group Authorizations

Figure 5: Dirty Word Search Results Review