High Assurance Guard
   HOME

TheInfoList



Click Here for Items Related To - High Assurance Guard
OR:
High Assurance Guard on:   [Wikipedia]   [Google]   [Amazon]

{{Unreferenced stub, auto=yes, date=December 2009 A High Assurance Guard (HAG) is a Multilevel security computer device which is used to communicate between different Security Domains, such as
NIPRNet The Non-classified Internet Protocol (IP) Router Network (NIPRNet) is an IP network used to exchange unclassified information, including information subject to controls on distribution, among the private network's users. The NIPRNet also provide ...
to
SIPRNet The Secure Internet Protocol Router Network (SIPRNet) is "a system of interconnected computer networks used by the U.S. Department of Defense and the U.S. Department of State to transmit classified information (up to and including information cla ...
. A HAG is one example of a Controlled Interface between security levels. HAGs are approved through the
Common Criteria The Common Criteria for Information Technology Security Evaluation (referred to as Common Criteria or CC) is an international standard (ISO/IEC 15408) for computer security certification. It is currently in version 3.1 revision 5. Common Criteria ...
process.


Operation

A HAG runs multiple virtual machines or physical machines - one or more subsystems for the lower classification, one (or more) subsystems for the higher classification. The hardware runs a type of
Knowledge Management Knowledge management (KM) is the collection of methods relating to creating, sharing, using and managing the knowledge and information of an organization. It refers to a multidisciplinary approach to achieve organisational objectives by making ...
software that examines data coming out of the higher classification subsystem and rejects any data that is classified higher than the lower classification. In general, a HAG allows lower classified data that resides on a higher classified system to be moved to another lower classified system. For example, in the US, it would allow unclassified information residing on a Secret classified system to be moved to another Unclassified system. Through various rules and filters, the HAG ensures that data is of the lower classification and then allows the transfer. On the application layer, the HAG runs an "evaluated mandatory integrity policy" that provides sensitive files, data and applications protection from inadvertent disclosure. At the operating system level, the HAG must have a multilevel kernel that ensures sensitive information, processes, and devices stored and running on the system at different sensitivity levels cannot intermingle in violation of the system's mandatory security model. The systems are certified via the Common Criteria; depending on the classification, the system may require Common Criteria Evaluated Assurance Level (EAL) 3 or higher. For examples, in the US, an evaluation at the EAL 5 or EAL 5+ (EAL 5 Augmented) or higher is required to export from a Secret domain to an Unclassified domain. Some manufacturers may use "Trusted Computer System" or "Trusted Applications with High Assurance" as an equivalent term to HAG.


Importance, risks

The HAG is mostly used in email and DMS environments as certain organizations may only have unclassified network access, and they need to send a message to an organization that has only secret network access. The HAG provides them this ability.


See also

*
Data Diode A unidirectional network (also referred to as a unidirectional gateway or data diode) is a network appliance or device that allows data to travel in only one direction. Data diodes can be found most commonly in high security environments, such as ...
*
Guard (information security) In information security, a guard is a device or system for allowing computers on otherwise separate networks to communicate, subject to configured constraints. In many respects a guard is like a firewall and guards may have similar functionality to ...
*
Cross-domain solution A cross-domain solution (CDS) is an integrated information assurance system composed of specialized software, and sometimes hardware, that provides a controlled interface to manually or automatically enable and/or restrict the access or transfer of ...
Computer security