  • Overview

    UCDSMO Baseline - Validated Cross Domain Transfer System

    In today’s data-centric environment, critical information constantly flows between users, devices, data centers, and networks. It’s important that the right people have access to the right data where and when they need it.

    The MDeX System, a cross domain transfer system, securely manages the exchange of voice, video, and data across multi-level security domains and between internal organizations and external coalitions. This easy-to-use solution provides secure collection, distribution, dissemination, and delivery of sensitive information, enabling organizations to share data quickly without it falling into the wrong hands.

    The MDeX System supports multiple use cases including:

    • Cyber Security Situational Awareness 
    • Disaster Response
    • Supply Chain Security
    • Defense and Intelligence Coordination
    • Cloud Assurance
    • Big Data Analytics
  • How It Works

    Multi-Domain eXchange (MDeX) System

    • Collects diverse volumes, velocities, and varieties of sensor and source data
    • Delivers product information for alerts & tips, command & control, and organizational reporting
    • Distributes collected data for collaborative information product processing

    The MTS ingests all content from the source-domain SDI (in this flow, an XMPP client SDI) and applies both flow and content security policies to it. The MTS inspects session content for policy anomalies and quarantines the content if any policy constraint, such as anti-virus scanning or content inspection, is not met. For customer applications that apply message integrity checks or classification labels, the MTS can also apply content policies that inspect for anomalies in that additional content, for example a label that does not permit release to the destination domain.

    The SDI simultaneously supports multiple protocols (e.g., SMTP, XMPP, JMS, File) through a common SDI application, with at least one SDI in each source and destination domain. The MTS is insulated from interface changes and related issues because the SDI handles them: only the payload submitted by the source application is exchanged between the MTS and the SDI.

    SDI edge interfaces support multiple types of services.  The MTS has several network ports that provide access points to the same domain or multiple domains. 

  • Components
    Core Solution: MDeX Transfer System (MTS)

    Core assurance appliance of the MDeX System that makes policy decisions and enforces policy for all information flows.

    The MTS provides the content policy and executes content filters. It engages, as necessary, the XD Mail appliance for complex and multi-part documents. The MTS provides quarantine control of all messages and content that fail policy checks.

    Core Solution: Security Domain Intermediary (SDI)

    Edge interface application of the MDeX System (within each security domain).

    The SDI provides connectivity of mission and infrastructure applications to the MDeX System. Protocol clients include SMTP, XMPP, JMS, File DropBox/File Service, and Proxies over User Datagram Protocol (UDP) and Transmission Control Protocol (TCP). At least one SDI interface is required for each domain connected to an MTS, extending to the source or destination applications and systems.

    Core Solution: Remote Management Station (RMS)

    Public Key-enabled management appliance of the MDeX System.

    It provides mission and infrastructure operators with command and control, monitoring, and security/policy management access to all MTS instantiations. The RMS receives alerts from the MTS in the event of quarantined items.

  • Benefits

    High Availability
    The MDeX System can include backup MTS and RMS appliances for high availability to support continuity of operations of the enterprise. The MTS and RMS appliances are highly robust platforms with fault tolerant components designed to address high availability needs.

    For transfers, the MTSs can be implemented in a mesh architecture where multiple MTSs are bound to common SDIs. When primary and backup MTSs are both active, the failure of one MTS does not interrupt the data flow, which continues through the other.

    System Monitoring and Management Capabilities
    The MTS is controlled, managed, and monitored by the RMS. Operators use the RMS to issue commands to the MTS and to monitor the events (e.g., audit, performance, quarantine) that it receives from the MTS. Events are generated on the MTS for audit, system, application, and transaction activities and are periodically sent to the RMS. Alerts and notifications for critical events are generated and sent directly to the RMS, with follow-on notifications configured for the respective enterprise services. Additionally, each security domain may send chat-relevant events through notifications configured for those services. All events on the RMS can also be distributed to associated enterprise management service providers (e.g., security management, health and status management, and mission management) for overall enterprise situational awareness.

    Computer Network Defense
    The MDeX System provides computer network defense capabilities. MTS events are pushed to the RMS for analysis and audit reduction. The RMS includes Splunk, a third-party event management engine. Splunk visualizes machine data and provides a comprehensive tool set to monitor events for potential anomalies, threats, attacks, and unauthorized content or flows. Quarantine actions resulting from policy failures send alerts to the RMS for immediate action.

    The integrated MDeX-MTS-Splunk capability significantly strengthens the cyber defense and information assurance function by converting machine data into actionable intelligence.

    Plug and Play Architecture 
    The MDeX System’s modular design and simple Java programming support creates an environment where adding new domains, communities of interest, applications, and content filters requires significantly less custom development compared to most solutions. This gives the mission or organization the flexibility to change their requirements based on mission needs. SDIs supply the edge interface for connectivity between security domains and the MDeX System’s core security appliance, the MTS, allowing for ready integration of the MTS within existing mission and enterprise JMS, SMTP, XMPP, and standard file sharing applications. 

    Typical cross domain solutions are designed to address specific data types and transfers.  When a new data type or transfer organization is added it requires custom development efforts, and a complete certification and accreditation effort for approval to use. This process can take many months and costs a great deal of money. To address this challenge, the MDeX System uses a plug and play architecture and Application Programming Interfaces (APIs) for the customization and refinement of application protocol support and content filtering. These optimization capabilities enable users to add new protocols or content filters without changing the overall security support structure.

    Organizations can then isolate any additional certification and accreditation activities to just the new protocols or content filters, without re-certification of the MTS itself. As a result, missions and organizations can deploy MDeX System configurations with minimal certification impact and minimize accreditation timeframes.

    Scalability
    The entry-level MTS (MTS E-1) appliance offers a standard two domain configuration that can be upgraded through additional domain licenses. SafeNet AT offers a field upgrade option for government network operators that require additional capacity in a sub-system (Memory swap, Additional Network Ports). 

    The MTS E-2 appliance offers a standard six domain configuration that can be upgraded through additional domain licenses to a thirteen domain configuration.

  • Capabilities
    Feature / SafeNet AT MDeX System
    U.S. UCDSMO-baseline validated (TSABI)
    Create templates containing frequently used data to create jobs: √  Offers the ability to clone policies and then modify them as needed
    Support for multi-channel, multi-directional transfers with one system
    Support for username and password authentication mechanisms
    PKI authentication mechanisms
    Support for a mail system
    Validations: √  Basic validations readily available for virus scanning, file type verification, dirty word search, etc.; customers can also create their own more detailed obligation filtering or integrate third-party COTS obligations
    Enterprise manageability
    Server platform: Solaris
    Site security policy: √  To/from an unlimited number of approved networks
    Classification level transfer: √  All levels
    Supports multiple file transfer requests
    Available policies: √  Can support configuration for any and all policies
    Delivery protocol for text or files post-validation: JMS, File Client, UDP
    File transfer protocol: Custom scripts running on the SDI
    User interface
    Administration and management
    Auditing
    File types: All
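    The "How It Works" description and the Validations row above both describe the same mechanism: the MTS runs a set of content filters (virus scan, file type verification, dirty word search, classification label checks) over each payload and quarantines anything that fails any one of them. The following is an added example of such a filter chain written for this page; it is illustrative code, not the MDeX Obligation API or any SafeNet AT code, and the magic-byte table, dirty-word list, classification ordering and the function and field names are all assumptions. It generalizes slightly beyond the text by collecting every failure reason rather than stopping at the first, so a quarantine alert can carry the full reason set.

```python
"""Added example: a minimal content-policy filter chain with quarantine on
any failure.  Written for this page; not MDeX or SafeNet AT code.  All
names, signatures and word lists below are assumptions."""
from dataclasses import dataclass, field

# Constructed subset of magic-byte signatures, used to verify that a payload
# really is the type its declared extension claims (file type verification).
MAGIC = {
    "pdf": b"%PDF-",
    "png": b"\x89PNG\r\n\x1a\n",
    "zip": b"PK\x03\x04",
}

# Assumed ordering of classification levels.  The label check below applies a
# simple dominance rule: a payload may only be released to a destination
# domain whose level is at or above the payload's label.
LEVELS = {"UNCLASSIFIED": 0, "CONFIDENTIAL": 1, "SECRET": 2, "TOP SECRET": 3}

# Constructed dirty-word list; a deployment would load a site-specific one.
DIRTY_WORDS = ("noforn", "eyes only")


@dataclass
class Message:
    name: str          # declared filename from the source application
    payload: bytes     # raw payload handed over by the source-domain SDI
    label: str         # classification label applied by the source application
    dest_level: str    # classification level of the destination domain


@dataclass
class Verdict:
    released: bool
    failures: list = field(default_factory=list)


def check_file_type(msg: Message):
    """Fail if the extension is not allow-listed or the bytes do not match."""
    ext = msg.name.rsplit(".", 1)[-1].lower() if "." in msg.name else ""
    sig = MAGIC.get(ext)
    if sig is None:
        return f"file type: extension '.{ext}' not on allow list"
    if not msg.payload.startswith(sig):
        return f"file type: payload does not match declared .{ext}"
    return None


def check_dirty_words(msg: Message):
    """Case-insensitive search of the raw bytes for forbidden terms."""
    text = msg.payload.lower()
    hits = [w for w in DIRTY_WORDS if w.encode() in text]
    return f"dirty words: {hits}" if hits else None


def check_label(msg: Message):
    """Reject a label that dominates the destination domain's level."""
    if msg.label not in LEVELS or msg.dest_level not in LEVELS:
        return "label: unknown classification level"
    if LEVELS[msg.label] > LEVELS[msg.dest_level]:
        return f"label: {msg.label} may not flow to {msg.dest_level} domain"
    return None


# Ordered filter chain; every filter runs so the verdict lists all reasons.
FILTERS = (check_file_type, check_dirty_words, check_label)


def evaluate(msg: Message) -> Verdict:
    """Release only if every filter passes; otherwise quarantine with reasons."""
    failures = [f for f in (chk(msg) for chk in FILTERS) if f]
    return Verdict(released=not failures, failures=failures)


if __name__ == "__main__":
    # Constructed sample payloads: one clean, one spoofed type, one over-labelled.
    samples = [
        Message("status.pdf", b"%PDF-1.7 routine status", "UNCLASSIFIED", "SECRET"),
        Message("image.png", b"MZ\x90\x00 not really a png", "UNCLASSIFIED", "SECRET"),
        Message("brief.pdf", b"%PDF-1.7 NOFORN eyes only", "TOP SECRET", "SECRET"),
    ]
    for m in samples:
        v = evaluate(m)
        print(m.name, "RELEASED" if v.released else "QUARANTINED", v.failures)
```

    The second sample is the case a filter that trusts extensions would miss: the declared `.png` carries an executable's `MZ` header. The third fails two filters at once, and both reasons are reported, which is what an operator reviewing the quarantine at the RMS would want to see.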
  • Tech Specs

    MTS Appliance

    • SafeNet AT cross domain solution and information flow engine
    • SafeNet AT's MTS appliances are:
      • MTS E-2 (Enterprise 2U x86 with 13 1GbE ports)
      • MTS E-1 (Base 2U x86 with 5 1GbE ports)
      • MTS E-1 10G (Base 2U x86 with 4 10GbE and 1GbE ports)

    RMS Appliance

    • SafeNet AT cross domain service manager, available as a 1U x86 appliance or as a VM that runs on any virtualized platform, for more flexibility with less overhead and physical space. The RMS includes a Web GUI for cross domain service operator access.

    SDI Applications

    • SafeNet AT protocol clients and obligations

    Obligation API

    • Application Programming Interface (API) for porting existing content filters to, or integrating new content filters on, the MDeX System's MTS appliance

    SDI API

    • The SDI API allows for legacy or unique application protocols to interface with the MDeX System’s MTS appliance.