Forcepoint SimShield
Bi-Directional Fixed-Format Data Filtering and Disguise

Overview:

• Meet NSA Raise the Bar and NIST
  Included on the U.S. NCDSMO Baseline for SABI environments (since 2009) with native support for DIS, HLA, TENA, RTP and MPEG2-TS, and meets NSA Raise the Bar and NIST guidelines.
• Only authorized TENA guard available
  Evaluated by the High Performance Computing Modernization Program Office (HPCMPO) for connection to Defense Research & Engineering Network (DREN) and Secure Defense Research & Engineering Network (SDREN).
• Enable secure two-way communication
  SimShield enables fully automated, predictable, controlled, and audited two-way communication and sanitization of events across segmented, air-gapped security domains.

Enable Multilevel Training and Testing Missions

Connecting training—Live, Virtual, and Constructive (LVC)—and testing environments across security boundaries and in a real-world manner allows for more effective training activities and more efficient test events. The result is overall cost savings, a better trained warfighter, and more thoroughly and quickly tested equipment. Training cost savings are realized through the ability to train multiple groups at the same time, whether different national agencies or multinational forces; testing cost savings are realized through earlier detection and correction of issues and errors. For example, an unclassified rail gun can be tested with a ship’s classified communications system before the gun is mounted and deemed “classified,” reducing rework and improving implementation time.

Forcepoint SimShield

Forcepoint SimShield is an accredited commercialoff-the-shelf (COTS) fixed-format data guard with the capability to label, segregate, protect, and exchange data between systems executing at different sensitivity or classification levels. Forcepoint SimShield meets the data format, near real-time performance and low latency requirements for distributed simulation operations, live training exercises, and test events.

In the LVC training environment, SimShield provides secure interoperability across networks at multiple classification levels, enabling training assets that operate under different security classification levels to fully communicate and securely interact, creating the most realistic and beneficial training exercises possible.

In the Research, Development, Test & Evaluation (RDT&E) environment, Forcepoint SimShield allows tests on distributed components to be performed in near realtime and analyzed in a matter of hours. This drastically reduces testing cycle time, which provides significant financial benefits.

SimShield is listed on the US National Cross Domain Strategy Management Office (NCDSMO) Baseline list for Secret and Below Interoperability (SABI) environments and meets current NSA Raise The Bar guidelines for an approved cross domain transfer solution. Because SimShield is an operationally accredited system, the Assessment and Authorization (A&A) process is streamlined for individual installations. SimShield consists of two components: Policy Editor and Trusted Bridge.

Forcepoint Simshield Policy Editor & Trusted Bridge

The Policy Editor is a stand-alone system in which security classification and domain experts define and build classification filtering and sanitization rules that govern the network communications and data flows through the Trusted Bridge. The graphical user interface provides for human review and approval, in addition to automated system checkpoints, to ensure the rule set is built accuratelyand locked down before loading into the Trusted Bridge. Policy Editor also provides persistent storage for rules and associated reclassification justifications for system and security auditing.

The Trusted Bridge is the guard component of SimShield and provides the solution’s multilevel security and bi-directional filtering capabilities. The administrator installs and implements the approved Policy Editor rule set on the Trusted Bridge to check the data for type and content. The rule set enforces separate and distinct filter rules before passing, failing, or sanitizing (disguising) the data, flowing from high to low and from low to high.

Data Types and Protocols

Forcepoint SimShield natively supports many data types and protocols for the cross domain transfer of video, audio, and metadata streams concurrently with live and virtual training, simulation, and testing data. For all protocols and data types, Forcepoint SimShield provides deep format validation, integrity checking, content inspection, and content sanitization at its most granular level of decomposition (i.e., the content’s lowest independently addressable data structure).

Administration and Management

SimShield architecture divides policy administration tasks and critical data transfer tasks onto separate hardware platforms: Trusted Bridge (guard) and Policy Editor. This separation provides strict security protection on the guard and prohibits filter policy generation on the guard system. Filter policies and rules are defined and generated on the Policy Editor system. A two-person control policy is rigorously enforced when moving the filter policies and rules from the Policy Editor to the Trusted Bridge.

Logging and Auditing
SimShield provides automatic logging within the Trusted Bridge for user and system activities. When enabled, logging is redirected to a remote syslog server at (and only at) the high side, which allows for central logging and archiving. Additionally, a logwatcher utility sends administrators email alert notifications and/or displays the alerts on-screen in real time.

System Integrity
SimShield uses various mechanisms for file system integrity checking and local configuration monitoring. Integrity validation can occur at any interval as specified by customer policy, typically hourly for most critical cross domain solution files and daily for normal system files.

Data Type or Protocol	Description
TENA LROM	Test and Training Enabling Architecture Logical Range Object Model Used for live training and testing environments.
HLA FOM	High Level Architecture Federated Object Model Provides the ability to interconnect two or more HLA Federations operating at different security classification levels.
DIS	Distributed Interactive Simulation Typically used for virtual training and simulation exercises.
RTP	Real-Time Transport Protocol Used for video and audio streaming
MPEG2-TS	MPEG-2 Transport Stream Enables multiplexed video and audio streaming
MPEG-PES, MPEG-PSI	MPEG Packetized Elementary Stream & MPEG Program -Specific Information Stream Used in conjunction with MPEG2 for video and audio data transfer
MPEG-Video, MPEG-Audio	MPEG Video and Audio Elementary Streams Used for video and audio data transfer in basic format
KLV Metadata	Key-Length-Value Used for KLV data inspection and security mark check, which might be embedded in the MPEG2-TS stream

Assessment & authorization (A&A)

SimShield is engineered to satisfy cross domain security requirements for the Top Secret/SCI and Below Interoperability (TSABI) and Secret and Below Interoperability (SABI) A&A processes to include meeting NSA’s Raise The Bar guidelines. Forcepoint products are installed and accredited in operational systems around the world.

SimShield is the only SABI and High Performance Computing Modernization Program Office (HPCMPO) approved TENA guard. This permits SimShield to securely transfer data between the Defense Research and Engineering Network (DREN) and the Secret Defense Research and Engineering Network (SDREN).

Conclusion

Forcepoint’s cross domain solutions have a proven track record of proactively preventing organizations from compromise, while fostering the secure access and transfer of information. This allows agencies to strike the right balance between information protection and information sharing—a vital component to national security.