CSIAC

Cyber Security and Information Systems Information Analysis Center

Cross-domain Transfer: Information Support Server Environment (ISSE)

Published in Journal of Cyber Security and Information Systems
Volume: 4 Number: 1 - Focus on Air Force Research Laboratory’s Information Directorate

Authors: Alex Gwin and Richard Barrett
Posted: 03/08/2016

A. Cross-domain Transfer

The proper treatment of classified data has always been important throughout this nation’s history. Classification of data was present even in the early period of the American Revolution when the Continental Congress passed a resolution in September 1774 to keep its proceedings secret [1]. It wasn’t until March 1940, before World War II, when the formal classifications of secret, confidential, and restricted were established. Many executive orders since then have refined the treatment of classified information [2].

Over the past ten years, leaks (whether intentional or unintentional) have made major news headlines. Examples include the release of classified documents and emails by WikiLeaks since 2007 [3, 4] and the leakage of classified information by Edward Snowden in 2013 [5]. Data must be properly handled and protected in accordance with its classification level. It is widely regarded that the proper treatment of data commensurate with its classification level is more important now than ever. In this digital age, access to information is lightning fast, and proper security protocols must be established and followed to prevent future leaks.

To ensure proper safeguarding of classified data, isolated domains/networks are used, such as the Non-secure Internet Protocol Router Network (NIPRNet), the Secret Internet Protocol Router Network (SIPRNet), and the Joint Worldwide Intelligence Communications System (JWICS), as well as other domains specific to missions and coalition partners. The domains are separate and isolated to protect their information. However, isolated domains create the problem of information isolation—the inability to share information. Classified information is useless unless it can be visible to the people that make decisions based on its facts. To transfer this information effectively and securely, an electronic capability with built-in security protocols is needed between the domains—that is, a cross-domain transfer solution.

B. ISSE Overview

ISSE (Information Support Server Environment) is a system with a long history that has evolved to become a premier cross-domain solution (CDS). It is a cross-domain transfer solution developed, maintained, and installed by the Information Handling Branch of the Air Force Research Laboratory (AFRL) Information Directorate in Rome, New York. It is also on the Unified Cross Domain Services Management Office (UCDSMO) baseline list, and it is fully accredited according to CNSSI 1253, NIST SP 800-53, and ICD 503 requirements.

ISSE was originally released as the USAFE (United States Air Forces in Europe) Guard in 1988 by the Rome Air Development Center. USAFE Guard’s sole purpose was to disseminate threat update messages. It operated on a Harris Nighthawk computer with the CX/SM MLS operating system. The system was officially re-branded and certified as ISSE in 1995. This work was done ahead of key government actions, such as the establishment of the multi-level security (MLS) working group by the Defense Information Systems Agency (DISA) in 1997. In 2001, the terms Top Secret/Sensitive Compartmented Information (TS/SCI) and Below Interoperability (TSABI) and Secret and Below Interoperability (SABI) were coined in order to create categories of flow between domains with distinct security requirements.

ISSE provides the capability to transfer data bidirectionally between domains in either the TSABI case (commensurate with TS/SCI to/from Secret) or the SABI case (commensurate with Secret to/from Unclassified). In either TSABI or SABI, the domain with the highest level of security is called the Controlling Security Domain (CSD) and the other domains are called Non-controlling Security Domains (NCSDs). At the time of publication of this paper, over 140 structured and unstructured file types can be transferred, including Microsoft Office files, images, video, databases, and chat.


While transferring data is the main purpose of a CDS guard, security is equally (if not more) important. As seen in the publicized leak cases, the insecure transfer of data between domains can have adverse effects on national security. The security posture of ISSE is aggressive and well developed for preventing malicious activity. Additionally, ISSE enforces the security policies of the host unit. ISSE filtering criteria, which are established by the host unit, identify and flag issues when transferring files. When a file is caught by the filters, it is immediately pulled from the transfer queue and placed in a reviewer inbox. ISSE filters are highly configurable, based on the host unit’s requirements. In addition to keyword searches, ISSE parses, inspects, filters, and sanitizes. Each data path, i.e. thread, may be configured with different security policies. The thread filters check for viruses, malcode, file type, and digital signature. ISSE leverages commercial off-the-shelf software called Purifile© to inspect Microsoft Office file types, while the other filters are programmed by the ISSE software developers.

The ISSE architecture is fairly straightforward. The ISSE Secure Trusted Automated Routing (STAR) is the “guard” component at the domain boundaries that acts like a secure tunnel between security domains. Threads are established at the time of installation for data transfer in each direction. For instance, to conduct transfers between the CSD and NCSD bi-directionally, two threads are needed. The threads operate concurrently and independently from one another; that is, they operate in parallel and can be configured with different security policies.

The STAR connects to the ISSE Proxy Server (IPS) of each domain. The IPS is composed of multiple Protocol Translators (PTs) and the ISSE Web Server (IWS). The PT acts to protect the STAR, compose and send email, relay COTS email, execute file transfers, and exchange data with the clients, IWS and STAR. The IWS can be configured for Reliable Human Review (RHR) and single/dual review for enhanced security. Additionally, an Application Programming Interface (API) can be configured in the STAR for mission applications that bypass the IPS. Examples of mission applications include Multi-level Database Replication (MLDBR), Full Motion Video (FMV), and Large File Slicer, which will be elaborated upon below.

Two optional components for the ISSE system are the Parallel Audit Review and Analysis Toolkit (PARAT) and Security and Workflow Enforcement Services (SAWES). PARAT provides near-real-time audit collection and analysis. It collects, organizes, and presents the audits collected by ISSE to the administrator. It may be used to monitor file transfers and users’ activity, and to send alerts to the administrator. SAWES is an upstream review and orchestration engine which allows the user to self-review work, receive feedback from the automated filters, and make adjustments as needed.
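The filtering and thread model described in the two preceding paragraphs can be illustrated with a small simulation. The following is an added example written for this page, not ISSE code or anything from AFRL: it models one transfer thread per direction, each with its own policy, runs every queued file through a chain of filters (size limit, file-type detection by magic bytes, dirty-word search), and diverts any flagged file from the delivery queue into a reviewer inbox. The filter names, thresholds, policies, and sample files are constructed assumptions; a real guard would add virus, malcode and digital-signature checks and a full type-detection engine.

```python
"""Simulated cross-domain transfer threads with per-thread filter policies.

Added illustration, not ISSE code. Each TransferThread carries files in one
direction under its own ThreadPolicy; a file that trips any filter is pulled
from delivery into the reviewer inbox with the reason recorded.
"""
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional, Set, Tuple

# Magic-byte prefixes used to identify file types (assumption: a real guard
# would use a full type-detection library and compare against the declared type).
MAGIC = {
    b"\x89PNG\r\n\x1a\n": "png",
    b"%PDF-": "pdf",
    b"PK\x03\x04": "zip",  # also OOXML Office files
    b"MZ": "exe",
}


@dataclass
class TransferFile:
    name: str
    data: bytes


@dataclass
class ThreadPolicy:
    """Security policy for one data path (thread)."""
    allowed_types: Set[str]
    max_size: int
    dirty_words: List[bytes]


Filter = Callable[[TransferFile, ThreadPolicy], Optional[str]]


def size_filter(f: TransferFile, policy: ThreadPolicy) -> Optional[str]:
    if len(f.data) > policy.max_size:
        return f"size {len(f.data)} exceeds limit {policy.max_size}"
    return None


def detect_type(data: bytes) -> str:
    for prefix, kind in MAGIC.items():
        if data.startswith(prefix):
            return kind
    return "unknown"


def file_type_filter(f: TransferFile, policy: ThreadPolicy) -> Optional[str]:
    kind = detect_type(f.data)
    if kind not in policy.allowed_types:
        return f"file type '{kind}' not allowed on this thread"
    return None


def dirty_word_filter(f: TransferFile, policy: ThreadPolicy) -> Optional[str]:
    lowered = f.data.lower()
    hits = [w.decode() for w in policy.dirty_words if w.lower() in lowered]
    if hits:
        return "dirty words found: " + ", ".join(hits)
    return None


@dataclass
class TransferThread:
    name: str
    policy: ThreadPolicy
    filters: List[Filter]
    delivered: List[str] = field(default_factory=list)
    reviewer_inbox: List[Tuple[str, str]] = field(default_factory=list)

    def process(self, queue: List[TransferFile]) -> None:
        """Run every queued file through the filter chain; first hit wins."""
        for f in queue:
            reason = None
            for flt in self.filters:
                reason = flt(f, self.policy)
                if reason:
                    break
            if reason:
                self.reviewer_inbox.append((f.name, reason))  # pulled for review
            else:
                self.delivered.append(f.name)


def run_demo() -> Dict[str, TransferThread]:
    """Process one constructed queue on two independently configured threads."""
    queue = [
        TransferFile("photo.png", b"\x89PNG\r\n\x1a\n" + b"\x00" * 64),
        TransferFile("tool.exe", b"MZ" + b"\x90" * 64),
        TransferFile("report.pdf", b"%PDF-1.4 ... Project CONSTRUCTEDWORD ..."),
        TransferFile("big.pdf", b"%PDF-1.4" + b"\x00" * 2000),
    ]
    chain = [size_filter, file_type_filter, dirty_word_filter]
    # High-to-low direction: strict size limit and a dirty-word list.
    high_to_low = TransferThread("CSD_to_NCSD",
        ThreadPolicy({"png", "pdf"}, 1024, [b"CONSTRUCTEDWORD"]), chain)
    # Low-to-high direction: looser size limit, no dirty-word list.
    low_to_high = TransferThread("NCSD_to_CSD",
        ThreadPolicy({"png", "pdf", "zip"}, 4096, []), chain)
    for t in (high_to_low, low_to_high):
        t.process(queue)
    return {t.name: t for t in (high_to_low, low_to_high)}


if __name__ == "__main__":
    for name, t in run_demo().items():
        print(name, "delivered:", t.delivered, "review:", t.reviewer_inbox)
```

The point of running the same queue on both threads is that the two directions are configured independently: the same executable is stopped on both paths, but the size and dirty-word policies differ, so `big.pdf` and `report.pdf` are delivered on one thread and held for a reviewer on the other.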


The ISSE Program Management Office (PMO) oversees the entirety of the system acquisition. These activities include site survey, installation, training, and support from the Core Configuration Management (CCM) help desk. In order to acquire ISSE, customers in the Intelligence Community (IC) typically contact the DoDIIS Crossdomain Management Office (DCDMO). DCDMO and DISA will discuss requirements to arrive at the best CDS for the organization’s needs. Other U.S. government agencies may reference the UCDSMO baseline list or contact the ISSE PMO directly. When ISSE is selected as the best solution, the ISSE PMO conducts a site survey to determine the details of the site’s cross-domain requirements. Subsequently, the system is installed by the ISSE installers. On-site training is conducted for site administrators and trainers, and an out-brief is completed. At this point, the ISSE system is ready to use. Should any questions or concerns arise, agencies can call the 24/7 help desk. Most of the questions can be adjudicated immediately. If it is a more serious problem, the PMO engineers work with the site to resolve the problem. Additionally, training is offered at the PMO site in Rome, New York, several times per year. The annual support fee also covers one site visit per year.

There are several mission applications and capabilities that have been added to ISSE as user requirements have arisen. Three that will be discussed here are Multi-level Database Replication (MLDBR), Full Motion Video (FMV) adapters, and the Large File Slicer. MLDBR provides real-time, automated database replication between security domains for Oracle, DB2, MS SQL, and Sybase formats. MLDBR uses ISSE for cross-domain replication of database information; one MLDBR host can even interface with multiple ISSE systems. It leverages XML formatted messages to replicate databases between the CSD and NCSD(s). Database replication is a common user requirement leveraged by numerous organizations.

The FMV v1.0 capability was a special user request and was tested in the Unified Vision 2014 exercise [6]. At the exercise’s central location in Ørland Air Station, Norway, ISSE provided 12 channels for video transfer to participants in Norway and Germany. ISSE was connected to an unclassified network and a coalition partner network. FMV performed well in this real world exercise by exhibiting exceptional video quality and less than 0.5-second latency.

Finally, ISSE is programmed to accept files less than 2 GB in size. Should the need arise to transfer files larger than this limit, e.g. very high resolution photos, the Large File Slicer can be used. This application uses the ISSE API to communicate with the STAR. First fielded in January 2015 and demonstrated continually since then, it has human and machine interfaces that display the progress of the transfer. It operates by creating small ISSE packages from the larger file, giving a nearly unlimited transfer capability. It sends the packages in parallel through the STAR while checking for security and malware, and compiles the pieces into the original file on the receiving end.
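The slicing pattern described above can be shown in working code. The following is an added example, not the ISSE Large File Slicer or any AFRL code: a file that exceeds a per-file limit is cut into numbered packages that each fit under the limit, each package is inspected independently at the boundary, packages may arrive in any order (as they would when sent in parallel), and the receiver reassembles them and verifies a whole-file digest before releasing the file. The package size, the per-package check, and the sample data are constructed assumptions.

```python
"""Slice-and-reassemble illustration for transfers above a per-file size limit.

Added example, not the ISSE Large File Slicer. Packages carry a sequence
number, the package count, a per-package SHA-256 and the whole-file SHA-256,
so the receiver can detect missing, reordered or altered pieces.
"""
import hashlib
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Package:
    transfer_id: str
    index: int
    total: int
    payload: bytes
    payload_sha256: str
    file_sha256: str


def slice_file(transfer_id: str, data: bytes, package_size: int) -> List[Package]:
    """Cut data into packages of at most package_size bytes, each self-describing."""
    if package_size <= 0:
        raise ValueError("package_size must be positive")
    file_digest = hashlib.sha256(data).hexdigest()
    chunks = [data[i:i + package_size] for i in range(0, len(data), package_size)] or [b""]
    return [Package(transfer_id, i, len(chunks), c,
                    hashlib.sha256(c).hexdigest(), file_digest)
            for i, c in enumerate(chunks)]


def guard_inspect(pkg: Package, max_package_size: int) -> bool:
    """Per-package boundary check (assumption): size bound plus payload integrity.
    A real guard would also run its content filters on each package."""
    return (len(pkg.payload) <= max_package_size
            and hashlib.sha256(pkg.payload).hexdigest() == pkg.payload_sha256)


class Reassembler:
    """Collects packages per transfer and releases the file only when complete
    and the whole-file digest matches."""

    def __init__(self) -> None:
        self.received: Dict[str, Dict[int, Package]] = {}

    def accept(self, pkg: Package) -> None:
        self.received.setdefault(pkg.transfer_id, {})[pkg.index] = pkg

    def complete(self, transfer_id: str) -> Optional[bytes]:
        parts = self.received.get(transfer_id, {})
        if not parts:
            return None
        totals = {p.total for p in parts.values()}
        digests = {p.file_sha256 for p in parts.values()}
        if len(totals) != 1 or len(digests) != 1:
            return None  # inconsistent metadata across packages
        total = totals.pop()
        if set(parts) != set(range(total)):
            return None  # still missing pieces
        data = b"".join(parts[i].payload for i in range(total))
        if hashlib.sha256(data).hexdigest() != digests.pop():
            return None  # reassembled file does not match the announced digest
        return data


def run_demo() -> Dict[str, object]:
    """Slice a constructed 10 KiB file into 4 KiB packages, deliver them in
    reverse order through the guard, and reassemble on the far side."""
    original = bytes(range(256)) * 40  # constructed sample, 10240 bytes
    limit = 4096
    packages = slice_file("xfer-0001", original, limit)
    receiver = Reassembler()
    accepted = 0
    for pkg in reversed(packages):  # parallel sending: arrival order is arbitrary
        if guard_inspect(pkg, limit):
            receiver.accept(pkg)
            accepted += 1
    result = receiver.complete("xfer-0001")
    return {"packages": len(packages), "accepted": accepted,
            "matches": result == original}


if __name__ == "__main__":
    print(run_demo())
```

Two checks matter for a practitioner: the receiver must refuse to release a partially received transfer (the `complete` call returns `None` until every index is present), and it must verify the whole-file digest after concatenation, since per-package integrity alone does not prove the pieces belong together.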


References

[1] Maus, Cathy N. (July 1996). U.S. Department of Energy OpenNet. “Office of Classification: History of Classification and Declassification” [online]. https://www.osti.gov

[2] Peters, Gerhard and John T. Woolley (2015). The American Presidency Project. “Executive Order 8381 – Defining Certain Vital Military and Naval Installations and Equipment” [online]. http://www.presidency.ucsb.edu/ws/?pid=78426

[3] Joseph, Channing (Sep 2007). The New York Sun. “WikiLeaks Releases Secret Report on Military Equipment” [online]. http://www.nysun.com/foreign/wikileaks-releases-secret-report-on-military/62236

[4] Khatchadourian, Raffi (April 2010). The New Yorker. “The Use of Force” [online]. http://www.newyorker.com/news/news-desk/the-use-of-force

[5] Finn, Peter and Sari Horwitz (June 2013). The Washington Post. “U.S. charges Snowden with espionage” [online]. https://www.washingtonpost.com/world/national-security/us-charges-snowden-withespionage/2013/06/21/507497d8-dab1-11e2-a016-92547bf094cc_story.html

[6] North Atlantic Treaty Organization (May 2014). “More than just information gathering: Giving commanders the edge” [online]. http://www.nato.int/cps/en/natolive/news_110351.htm

[7] Oracle. “Financial Services: Overview” [online]. http://www.oracle.com/za/industries/financial-services/overview/index.html

RELEASE STATEMENT

Distribution A. Approved for Public Release: [88ABW-2015-4666] Distribution Unlimited.

Authors

Alex Gwin

Alex Gwin is currently the deputy program manager of ISSE at Air Force Research Laboratory - Information Directorate (AFRL/RI) in Rome, New York. He is currently a captain in the United States Air Force. He has previously served as an engineer and executive officer at Kirtland AFB in Albuquerque, New Mexico, and as a master’s student at Wright-Patterson AFB in Dayton, Ohio. Captain Gwin has a Master of Science in Electrical Engineering from the Air Force Institute of Technology and a Bachelor of Science from Texas Christian University.

Richard Barrett

Richard Barrett is currently the Systems Engineer for ISSE at Air Force Research Laboratory - Information Directorate (AFRL/RI) in Rome, New York. He has over 26 years of experience leading systems engineering and acquisition activities, plus four years leading U.S. Air Force ICBM operations. His systems engineering experience includes laser weapons, avionics, manufacturing equipment, fiber-optics, network communications, and cross-domain solutions. He is a retired officer from the Air Force Reserves. Mr. Barrett has a Master’s of Administrative Sciences (MBA-equivalent with Information Management Systems emphasis) from University of Montana, and a Bachelor of Science in Electrical Engineering (Quantum devices and Communication Systems emphasis) from Polytechnic University (now, New York University Polytechnic School of Engineering).
