Q&A: Securing Sensitive Networks

Connecting open and closed networks with security intact

Over the last 10 years, the Internet has redefined notions of the corporate network. In the past, networks were proprietary and tough to break. Now, with everyday Web browsing, e-mail, and well-known vulnerabilities, networks and connected systems are vulnerable to a wide range of internal and external threats.

As a result, many organizations create a completely separate network for very sensitive, or classified, material. Though the government was an early adopter of so-called network separation, more companies are turning to network separation to protect their information assets and contain leaks, whether inadvertent or not.

Security Strategies spoke with Terry Whelan, Vice President of Tenix Datagate Inc., a network separation hardware provider based in Arlington, Virginia, with military and intelligence service customers throughout North America, Europe, Asia Pacific, and Whelan's native Australia, where he was traveling.

What exactly is network separation?

Very generally, exactly as its name implies—there’s more than one network for people to use. In particular, it’s something the government, defense, and intelligence agencies have used for quite some time—divided their classified networks from their unclassified networks, and, in fact, on the classified side, they might have more than one—a secret network, top secret network.

Where else do you see network separation?

In organizations that have some sort of intellectual property to protect. So R&D, pharmaceuticals—they might have a whole series of small enclaves that are closed to protect specific areas of development. Then there’s medical, with requirements for privacy, such as HIPAA [the U.S. Health Insurance Portability and Accountability Act]. There are some very stringent privacy regulations here in Australia, as well as over in Europe, that require the separation of sensitive information, especially personal.

What’s the lure of a closed network?

You’re guaranteeing the integrity, confidently, and availability of what’s on your networks. You couldn’t guarantee that on open networks.

What’s the traditional tradeoff with network separation?

If you have two networks, then you have two network infrastructures. So you have the same management regime in place, maybe even the same network manager, but you have two systems logs, which increases management. Second off, those people who are working in a sensitive environment don’t have connectivity to their e-mail from the sensitive network. So as a result, that person is likely to have two workstations—one that will allow him to have connectivity to the corporate intranet to get access to his e-mail and so forth, and another to get access to the sensitive data he needs in his daily work.

What does your hardware do for the network separation picture?

These products connect two networks together, so that I can have a classified and an unclassified network, if you want, or a connection to the Internet and to the sensitive network, on one workstation. We’ve gotten rid of the expense of multiple equipment with network separation.

How do end users work in this kind of an environment?

I can push a button and switch to the sensitive network and maintain the confidentiality and sensitivity of that data, knowing that there will be no leakage from the sensitive to the non-sensitive network.

How does your hardware connect multiple networks?

There are two parts. There’s what we call a Data Diode that sits in your server room, which allows passage of data from your non-sensitive to your sensitive network. Then there’s a switch—Interactive Link is the military version; Veto is corporate. It’s a hardware device that sits next to your computer, and basically when you want to work in one area, you press button A, and when you want to work in another area you press button B.

How does the device restrict sensitive information flow?

What you can’t do is take information from the sensitive area and pass it down, so there can be no accidental or deliberate leakage of information.

Can you only be active in one environment at a time?

You can have your non-sensitive window and your sensitive window open at the same time, so you keep an eye on it while downloading information for a report or some kind of analysis. However only one of those windows can be active at the same time.

Which network does the hard drive touch?

It’s connected to your classified or your sensitive environment. On your sensitive side, most of the applications would be on your workstation hard drive. On the non-sensitive side, it would be a thin client.

So everything on the PC is assumed to on the sensitive side, unless it’s thin client?

Correct. There are a whole bunch [of customers who have] thin-client applications on both sides. So on the desktop there’s no memory or hard drive, for example, but there are a lot of different applications that can be utilized for this particular architecture.

Do networks on both side of the switch need to be the same?

No. We add a little software that allows you to take information from the non-sensitive area to the sensitive area—a little cut and paste, if you will. It provides a little bit of productivity and a little bit of connectivity to people who might not have had it before.

How does this approach compare, cost-wise, with two completely redundant networks?

What we were talking about before, network separation having this enormous equipment cost, we are reducing that—not eliminating it, because you still have another network, but you can have one manager and have all the logs passed on to the administrator, so you only have one set of logs the administrator is required to look at. The other advantage is that if a hacker happens to get through all of your other security products—your firewalls and whatnot—what he sees is a black hole. He sees a machine, but he doesn’t see anything behind it. The result is he’s going to move on and look at other computers. So what [the product] does is it protects the connection to your sensitive network.

How do you handle upgrades?

We’re required under a contract with a couple of groups that we have not only here in Australia but in the United Kingdom, to support these products until 2012. When companies and organizations change their computer equipment, they’re not required to change our box. You can change the applications that exist on either side of our system, you can change the hardware, even add gigabit Ethernet.

What other costs does a product such as yours add?

Management costs—your administrators look at two logs instead of one, to make sure that no one is trying to take sensitive area information to a non-sensitive area. But they’re mainly [network] infrastructure costs. That’s got to be balanced by what would be the cost to the company if they lost some or all of the information that they’re trying to protect.

For more information on Tenix Datagate, visit www.tenixdatagate.com.

About the Author

Mathew Schwartz is a Contributing Editor for Enterprise Systems and is its Security Strategies column, as well as being a long-time contributor to the company's print publications. Mr. Schwartz is also a security and technology freelance writer.