In my last blog post I looked at what Information Exchange Gateways (IEGs) were and why they were so popular at the moment. In this post I will look at how you go about putting together a solution to solve the problem.
One of the current projects that I’m working on meant that as I blogged last time I was on-site installing an IEG demonstrator for a client. Progress went well, but more on that another day. What I wanted to write about today was how we started to create a solution. In order to do that we need to go back to 2009 when Nexor first developed a reference architecture for an IEG.
This architecture has subsequently been widely adopted and referenced in the sector. It identifies the key components of a solution and defines their functionality. Importantly the architecture is both product and vendor independent.
The architecture presented here is one that will support the majority of the main scenarios defined by NATO (see my last blog post). Other scenarios require either a subset of this architecture or a data diode in addition to this architecture.
The diagram below shows an IEG protecting the “A” domain, which connects to an IEG in order to communicate with the “B” domain.
The IEG can be broken into four logical components:
- Node Protection
- Information Exchange
- Information Protection
- Information Management
The IEG works on the principle of the self-protecting node; it assumes that any domain to which it might connect may be hostile. In order to allow exchange of information with other domains, it therefore must provide some protection for the domain. There are two levels of protection to be provided, Node Protection and Information Protection.
Node Protection – this protects the infrastructure of the domain by providing services such as network filtering, intrusion detection and virus/malware detection.
Information Protection – this protects the data residing in the domain by providing services to check the “releasability” of information outside of the domain.
The ultimate purpose of the IEG is to enable Information Exchange with other domains. The information exchange is controlled in an IEG through the use of proxies to enable specific information flows only. The proxies also enable information flow between non-IP routable networks which is currently the typical classified network situation between NATO and Nations.
The IEG must be managed to ensure that it is acting correctly. A separate Information Management network allows various components to be monitored and managed in a secure way.
This is a very brief overview for summary purposes but I hope it gives you the first step on how we approach building an IEG – just like the one I was installing recently.
If you want more details on how each of these four components enables you to build an IEG then I suggest you download a copy of the Nexor IEG Reference Architecture white paper or get in touch with me.
Next time in this mini-series I’ll explain more about the steps in developing a solution around the reference architecture.