Secure Multi-Directional Data Transfer
Trusted Gateway System™
Cross Domain Transfer for Secure Information Sharing
The 9/11 Commission identified that information sharing between international, federal, state, local, tribal, and private sector entities is a recognized and legislated need in the fight against terrorism. The Intelligence Community continues its work to enable secure cross-agency collaboration. The term “need to know” has been replaced with “need to share” or “responsibility to provide.” Secure information exchange, collaboration, and data sharing are goals we must reach to protect national security, but they have not been easy to achieve.
To protect our citizens and national assets, government agencies are required to access critical data stored on separate networks managed and maintained by disparate agencies. Frequently, information stored on a high-side network needs to be transferred to a low-side network for use by another agency or organization. This sensitive data may be a single document, or large data sets with imagery, maps, multiple documents, and databases that must be moved quickly and securely to prevent viruses and network intrusions. Critical data must be transferred between and across networks to the right people at the right time, keeping it secure and protecting against the unintended release of sensitive information into the wrong hands.
By deploying a cross domain information transfer system to enforce role-based access, workflow tasks, and secure file management and controls, agencies and organizations can efficiently ensure the quick and secure sharing of information.
Trusted Gateway System
Trusted Gateway System™ (TGS) is an accredited Commercial-Off-The-Shelf (COTS) software solution that provides exceptional built-in manual review and automatic validations, such as virus scanning, dirty word search, and deep content inspection, enabling safe and simultaneous data movement between networks at different sensitivity levels. Because TGS can move data between multiple networks simultaneously, it is also known as a “multi-directional guard.”
TGS can be operated in a single server configuration that provides the physical connections to multiple classified networks, maintaining network separation and enforcing customer-configured transfer policies. The server, or guard, runs on Red Hat® Enterprise Linux® 64-bit systems with Security Enhanced Linux (SELinux) components providing stringent security controls (Figure 1).
Features and Benefits:
• User-friendly web interface minimizes the need for training and support.
• Transfers files through data push or email.
• Included in the UCDMO Baseline.
• Quick Release feature simplifies file or text transfers and can be used as a secure chat mechanism when permitted by site security policy.
• Ability to create templates containing frequently used data, allowing users to create jobs with a single click.
• Support for multi-channel, multi-directional transfers with one system.
• Simple workflow guides users through each transfer, enforcing Reliable (two-person) Human Review.
• Support for username/password and public key infrastructure (PKI) authentication mechanisms.
www.TrustedCS.com
TGS is identified on the Unified Cross Domain Management Office (UCDMO) Cross Domain Baseline list as an approved cross domain transfer solution. Because TGS is an operationally accredited system, the Certification and Accreditation (C&A) process is streamlined for individual installations.
Secure Transfer Workflows
TGS provides users various mechanisms, or workflows, to support the most efficient transfer processes. Three workflows utilize the graphical user interface (GUI): Reliable Human Review (RHR) (web-based); Self Release (web-based); and Quick Release (application-based). In addition, TGS can create digitally signed bundles, containing job files and other security information, which can be made available for manual release in support of existing workflow processes outside of TGS. Individual site security policy determines which workflows can be used.
Regardless of the workflows or combinations instituted, data movement can occur to and from an unlimited number of approved classified networks. File transfer occurs by data push or email distribution. Any-to-any classification level transfer and multiple file transfer requests are supported.
Reliable Human Review (RHR)
The two-person review and release process is typically used for all high-to-low classification transfers. In support of this process, the TGS web-based interface enforces the use of two standard roles, Producer and Releaser, for job creation and transfer (Figure 2). RHR requires that a person responsible for assembling and submitting jobs for transfer is assigned the Producer role, and that a person responsible for review and approval (release) of a job is assigned the Releaser role. Releasers must also open each file in the job and accept any dirty word search results before the job can be approved for release to the designated network(s). A standard workflow is depicted in Figure 3.
Figure 1: Typical Trusted Gateway System Architecture
Self Release
Self Release allows users to create a job and send it to approved destinations (after passing all validations) in one step without requiring the RHR process. Self Release users must be granted the Self Release role. Additional permission granularity can be achieved by limiting Self Release to specific destinations. For example, Jane may be authorized to approve her own file transfers when releasing to Network A; however, when moving files to Network B she must specify the appropriate Releaser.
Quick Release
Quick Release simplifies the transfer process for files or text (Figure 4). The Quick Release GUI resembles an instant messaging application and provides the ability to rapidly transfer data to configured levels from a Microsoft® Windows® desktop. Users type or copy and paste text and click a button, or drag and drop files to send the information through TGS to the selected destination. Files or text are delivered to users directly through extensible messaging and presence protocol (XMPP). TGS conducts all configured validations including virus scanning, dirty word searching, and content inspection before the information is permitted to pass. If any validation issues are found, the web-based application is launched for the user to review the file. The Quick Release option is disabled by default.
Automated Transfer
As with the manual workflows described earlier, the automated transfer process enforces all configured validations to include virus scanning, dirty word searching, and content inspection. Depending on the site configuration, a file that fails the automated transfer process is either deleted from the guard or archived.
TGS provides an automated bulk transfer mechanism that supports direct file transfers, using Secure Copy Protocol (SCP), from a configured network to the appropriate destination. For security reasons, only configured hosts can access the input directory through SCP. All other connection attempts are denied.
An optional service can be included on a Windows system (2000 or later) allowing users to maintain local input directories. This service monitors the local folder and automatically copies the file for processing. A right-click shortcut allows users to send files to defined destinations, which can be secure file transfer protocol (SFTP) servers, FTP servers, or email addresses at permitted classification levels.
File Transfer Security Controls
Regardless of how the transfer request is initiated, TGS manages the process to ensure approved file movement between secure networks and across classification levels following site security policies. By default, all files are required to pass two controls prior to movement: virus scanning and file typing. Dirty word search, content inspection, and manual file review can be configured to meet specific requirements.
Virus Scanning
TGS permits the virus scanning engine to be customized. A site can elect to exclude certain trusted file types from virus scanning to enhance performance.
File Type Verification
The different varieties of file type checking supported by TGS are extension matching, XML validation, Raytheon Trusted Computer Solutions (RTCS) signature algorithm, and third party algorithm, all of which are configurable. File verification signatures can be customized to accommodate unique file types, configured by both source and destination policies, and XML files can be validated against site-specific schemas.
[Diagram labels: SecureOffice Trusted Gateway System, Secure Multi-Directional Information Transfer; Network A, Network B, Network C, Network D; Servers; Users; Workflow]
Figure 2: Initial Job Creation Interface
Figure 3: Reliable Human Review Workflow
800.230.1307
Dirty Word Search
TGS checks files for sensitive or “dirty” words that should not be released to other networks. This control also allows the designation of “clean” words, which are common words that contain dirty words. For example, the word “secretary” contains the embedded word “secret” but it is considered a false positive and can be ignored. System administrators can create and customize a master list of dirty and clean words, as well as lists that are used with specific source and destination network pairs. Once these lists and transfer pair rules are configured, each file uploaded to TGS is searched against the list for matches.
If dirty words are found, the user is given the option to acknowledge and allow the word (Figure 5). The user’s acceptance of each dirty word is recorded and stored in an auditable database. All dirty words must be acknowledged before the transfer containing the flagged file can be submitted for release. All actions and overrides are stored.
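The dirty/clean word logic described above, as an added example that is not TGS code and is not taken from the product: a scan that drops a dirty-word hit when it lies inside a clean word, layers a per-pair list over the master list, and blocks submission until every hit is acknowledged. The word lists, network names, case-insensitive substring matching and all function names are assumptions made for illustration.

```python
import re

# Constructed sample policy (assumed layout, not TGS's real list format).
MASTER = {"dirty": {"secret", "noforn"}, "clean": {"secretary", "secretariat"}}
# Additional lists keyed by (source, destination) network pair.
PAIR_LISTS = {("NetA", "NetB"): {"dirty": {"falcon"}, "clean": {"falconry"}}}


def effective_lists(src, dst):
    """Master list plus any list configured for this source/destination pair."""
    extra = PAIR_LISTS.get((src, dst), {})
    return (MASTER["dirty"] | extra.get("dirty", set()),
            MASTER["clean"] | extra.get("clean", set()))


def find_dirty_words(text, src, dst):
    """Return sorted (offset, dirty_word) hits not covered by a clean word."""
    dirty, clean = effective_lists(src, dst)
    lowered = text.lower()
    # Character spans occupied by clean words such as "secretary".
    clean_spans = [m.span() for w in clean
                   for m in re.finditer(re.escape(w), lowered)]
    hits = []
    for word in dirty:
        for m in re.finditer(re.escape(word), lowered):
            s, e = m.span()
            # Keep the hit unless it sits wholly inside a clean word.
            if not any(cs <= s and e <= ce for cs, ce in clean_spans):
                hits.append((s, word))
    return sorted(hits)


def acknowledge(user, hit, audit_log):
    """Record the user's acceptance of one hit so overrides stay auditable."""
    audit_log.append({"user": user, "offset": hit[0], "word": hit[1]})
    return hit


def can_submit(hits, acknowledged):
    """A job may be submitted only when every hit has been acknowledged."""
    return all(hit in acknowledged for hit in hits)


# Constructed sample file content.
SAMPLE = "The secretary filed the SECRET annex on Falcon and falconry permits."

if __name__ == "__main__":
    audit = []
    hits = find_dirty_words(SAMPLE, "NetA", "NetB")
    print(hits, can_submit(hits, set()))
    acked = {acknowledge("jane", h, audit) for h in hits}
    print(can_submit(hits, acked), audit)
```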
Content Inspection
When TGS is configured for content inspection, files such as Microsoft Office and portable document format (PDF) are scanned to identify and remove a wide range of hidden or embedded data and metadata. This option provides added prevention against inadvertent or malicious disclosure of sensitive or proprietary information when documents are released.
User Access Administration Controls
User access and authorization controls (username, password, Public Key Infrastructure (PKI) X.509 digital certificates, clearance level, and group management) are configured and managed within the server or tied into a pre-existing Microsoft Active Directory® server or Lightweight Directory Access Protocol (LDAP) directory server on the high-side network. Utilizing a pre-existing LDAP or Active Directory server eliminates the need to manage user accounts on the server, thus reducing the administrative overhead.
System administrators can create and manage end users directly from the server or through an easy to use web-based application. The web-based application is enabled only for specific users configured with “account administrator” privileges. Such users have the ability to perform basic account maintenance without a system administrator. TGS authorization policies are configured per transfer path, per user, or per group. Authorizations allow or restrict access to system resources. For example, an authorization can allow a user to produce a job but not release it, or allow a user to self release a job to a limited number of destinations.
Customizable Group Authorizations
System administrators can create groups of users with authorizations to specific destinations. A Producer group is authorized to submit transfers to one or more destinations. A Releaser group is authorized to release transfers to one or more destinations. Producer groups are assigned to one or more Releaser groups. When creating a job, a Producer can only select Releasers from an associated group. The local TGS database or remote LDAP server manages the group assignment.
Protecting Communication
TGS provides configuration information for application initialization and communication services. Each network interface on the server connects to a different security domain and is protected by physical separation externally and best-of-breed security technologies internally. All authorized login attempts are logged. The server silently rejects all communications from unauthorized systems. This greatly reduces security exposure because the systems and protocols are limited to only those needed for TGS to operate.
Reliable Human Review workflow steps (Figure 3):
Producers:
• Access the web-based interface.
• Select pre-established job template containing Destinations and Releasers.
• Select files for transfer.
The Guard:
• Manages validations: virus scanning, file type checking, dirty word searching, and content inspection (as configured).
• Verifies all Producers, Releasers, and Destinations.
• Returns all results to the Producer.
Producers:
• Submit the transfer request if all validations pass.
Releasers:
• Review the Destinations.
• Review all attached files in their native format.
• Review and verify all validation results.
• Review the transfer request upon approval.
The Guard:
• Verifies that all steps and validations have been performed.
• Moves the files as specified in the request.
• Logs the transfer and all related validation results.
Figure 4: Quick Release Workflow
• User selects Destination.
• User drops files to send OR types text to send.
• TGS Guard: the guard processes the text or files, then releases and archives, AND sends the text or files to Quick Discover at the Destination.
• Quick Discover sends the text or files via the XMPP server to Quick Release and then deletes its copies.
• Quick Release displays the text OR prompts the user to save or discard files.
For further information contact:
Raytheon Trusted Computer Solutions
12950 Worldgate Drive, Suite 600
Herndon, VA 20170
866.230.1307
www.TrustedCS.com
Trusted Gateway System is a trademark of Raytheon Trusted Computer Solutions, Inc. All other trademarks and registered trademarks are the property of their respective owners.
Cleared for public release. Reference #2011-223.
Copyright ©2011 Raytheon Trusted Computer Solutions Inc. All rights reserved.
Printed in the U.S.A. WM 05/11 2500 200121.0511
The interface between the web-based application and the server is secured by encapsulating network traffic using Secure Sockets Layer (SSL) with a configurable encryption algorithm. Outbound communications from the server to each network are secured through FTP over IPSec (SFTP is also supported).
Encrypted communication connections are maintained throughout the data transfer process with SCP over Secure Shell (SSH) for low-to-high transfers and SSL transmission security for high-to-low transfers.
Administration and Management
TGS administration and management is performed by a system administrator with the appropriate permissions, either from the server or remotely through the Remote Access Console (RAC).
Auditing
TGS provides an Auditor role. With this role users can review jobs and create status reports from the TGS web interface based on specified criteria. For example, Auditors can generate reports detailing when the dirty word search has been overridden for all files transferred in the last week. Auditors can export reports in CSV, Excel®, and XML formats.
Additionally, the TGS server generates application logs and the operating system collects detailed audit records to track use and activity. This log and audit data can also be pushed to a centralized enterprise storage location.
Remote Access Console (RAC)
RAC is used to centrally manage and access Protection Level 4 (PL4)-capable servers over a secure connection. RAC provides scalable remote access that can be utilized from any authorized location on the network where the servers reside. RAC uses Keyboard, Video, Mouse (KVM)-over-IP capabilities that give an authorized user “console” access as if he or she were seated at the attached device.
Certification and Accreditation (C&A)
TGS is engineered to satisfy cross domain security requirements for the Top Secret/SCI and Below Interoperability (TSABI) and Secret and Below Interoperability (SABI) C&A processes. RTCS cross domain products are installed and accredited in operational systems around the world.
Conclusion
With hundreds of government clients and more than a decade and a half of success, Raytheon Trusted Computer Solutions (RTCS) is an industry leader in cross domain solutions. The company’s products have a proven track record of proactively preventing government and commercial organizations from being compromised, while fostering the secure access and transfer of information. This allows the RTCS cross domain solutions to strike the right balance between information protection and information sharing, a vital component to national security. TGS is a secure transfer solution that solves the difficult problem of satisfying security needs while enhancing information sharing. TGS provides the ability to quickly and securely move data between and within classification levels. TGS is designed to satisfy the information assurance accrediting community requirements, eliminate potential leaks and risks, and provide users with an easy to use workflow application. All RTCS solutions have been designed to meet or exceed extensive and rigorous security C&A testing by the Defense Intelligence Agency (DIA) and the National Security Agency (NSA) for simultaneous connections to various networks at different security levels. RTCS offers an experienced professional services team to guide customers through the technical implementation and C&A processes.
Figure 5: Dirty Word Search Results Review
Figure 6: Group Authorizations
[Figure 6 diagram labels: Producer Groups; Releaser Groups; Member of; Allowed Releasers; users Fred, Bob, Jonathan; groups DH Attachés, DI Analysts, DJ Watch Officers, DH Collection Managers, DI Editors, DJ Watch Officers]