
M-Guard serves as an XML guard at a network boundary to monitor and control traffic flow. The solution functions as an application-level data diode and allows traffic to move in one direction only. M-Guard instances are deployed in pairs, each managing traffic in one of the two directions. The guard processes incoming XML messages by either permitting them to pass or blocking them; it never modifies message content.
It requires that messages are correctly formatted and enforces established protocols. M-Guard can be used by both Isode and external applications, with the following deployment options:
1. Cross-Domain Communication: Controlling information flow is critical where secure domains connect across a national or organisational boundary. M-Guard operates at the boundary to ensure appropriate controls.
2. Red/Black Separation: Secure systems are often divided into Red (internal/secure) and Black (external) segments. Data on the Red side is typically encrypted at the red/black interface using NSA-defined Type 1 encryption standards. There may be a necessity for management and control data to cross this boundary (crypto bypass). M-Guard effectively manages information flow in these scenarios.
In environments where basic firewall defences are not enough, M-Guard can provide additional checks, such as:
- Preventing the leakage of sensitive information (e.g., through security label validations and sender/recipient verification)
- Blocking covert channels
- Thwarting malware and cyberattacks
- Performing encoding, syntax, and schema validations
- Enforcing business rules
Application Integration
M-Guard operates between two applications (the producer and the consumer), with XML messages transferring from the producer to the consumer. Acting as an application-level data diode, M-Guard validates each message and permits only those that match the configured criteria to pass through. The two applications connect to M-Guard from separate networks.
M-Guard also offers optional transfer acknowledgements, so that delivery from producer to consumer is reliable; the acknowledgement carries no additional information back across the boundary. When the producer application opens a connection, M-Guard first connects to the consumer application before accepting the inbound connection.
Applications connect to M-Guard using GCXP, for which Isode provides a free C++ reference implementation. Important GCXP characteristics include:
- The capability to transfer a stream of XML messages.
- Mandatory use of TLS to protect the connection.
- Recommended two-way strong authentication for validating peer identities.
- M-Guard always verifies the IP address of connecting applications.
- Use of Concise Binary Object Representation (CBOR) for framing.
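The following is an added example, not Isode's GCXP implementation, showing the general shape that CBOR framing of an XML message stream takes: each message is carried as a definite-length CBOR byte string (major type 2, RFC 8949), and a strict reader refuses anything else. The frame-size limit, the decision to refuse indefinite-length and 8-byte-length headers, and the function names are assumptions for this illustration, not details of the GCXP wire format.

```python
# Added example (not Isode's code): length-prefixed framing of XML messages as
# CBOR byte strings. The exact GCXP wire format is an assumption here.
import struct
from typing import List

MAX_FRAME = 1 << 20  # assumed policy limit: refuse frames over 1 MiB


def encode_frame(payload: bytes) -> bytes:
    """Wrap one XML message as a definite-length CBOR byte string (major type 2)."""
    n = len(payload)
    if n < 24:
        head = bytes([0x40 | n])             # length fits in the initial byte
    elif n < 0x100:
        head = b"\x58" + struct.pack(">B", n)  # 1-byte length follows
    elif n < 0x10000:
        head = b"\x59" + struct.pack(">H", n)  # 2-byte length follows
    else:
        head = b"\x5a" + struct.pack(">I", n)  # 4-byte length follows
    return head + payload


def decode_frames(stream: bytes) -> List[bytes]:
    """Strictly split a byte stream into CBOR byte-string frames.

    Anything other than a definite-length byte string is rejected, as is a
    frame larger than MAX_FRAME or a frame whose length field or payload is
    truncated. Rejecting rather than guessing keeps framing unambiguous.
    """
    out: List[bytes] = []
    i = 0
    while i < len(stream):
        initial = stream[i]
        major, info = initial >> 5, initial & 0x1F
        if major != 2:
            raise ValueError(f"frame {len(out)}: not a byte string (major type {major})")
        i += 1
        if info < 24:
            n = info
        elif info in (24, 25, 26):
            width = {24: 1, 25: 2, 26: 4}[info]
            if i + width > len(stream):
                raise ValueError("truncated length field")
            n = int.from_bytes(stream[i:i + width], "big")
            i += width
        else:
            # 27 (8-byte length) and 31 (indefinite length) are refused on purpose
            raise ValueError(f"unsupported additional information {info}")
        if n > MAX_FRAME:
            raise ValueError(f"frame of {n} bytes exceeds limit")
        if i + n > len(stream):
            raise ValueError("truncated frame payload")
        out.append(stream[i:i + n])
        i += n
    return out


if __name__ == "__main__":
    # Constructed sample: two framed messages round-tripped through the decoder.
    msgs = [b"<m>1</m>", b"<m>" + b"x" * 300 + b"</m>"]
    stream = b"".join(encode_frame(m) for m in msgs)
    assert decode_frames(stream) == msgs
    print(f"{len(stream)} bytes on the wire, {len(msgs)} frames decoded")
```

The decoder deliberately has no "recover and continue" path: a guard that resynchronises on malformed framing would give the producer a way to smuggle bytes past the message-level checks.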
Application Profiles
Each M-Guard is configured with an Application Profile that facilitates protocol compliance for the application in use. This profile also normalises XML and Unicode content, enabling a consistent representation of the protocol to mitigate covert channel risks and encoding-related attacks. M-Guard supports the importation of application profiles, including a generic XML profile and a profile for ‘Demo Protocol’. The Demo Protocol shows various M-Guard features, including security label support consistent with XEP-0258 (Security Labels in XMPP) as well as NATO STANAG 4774/4778.
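As an added example (not Isode's application-profile code), the function below normalises one XML message so that representations differing only in whitespace, attribute order, comments or Unicode composition collapse to a single byte sequence; those are exactly the degrees of freedom a covert channel or an encoding trick would exploit. It uses the Python standard library's C14N 2.0 serialiser and NFC normalisation; the function names and the particular normalisation choices are assumptions.

```python
# Added example (not Isode's code): normalise XML and Unicode content so that
# only one representation of a message reaches the consumer.
import unicodedata
import xml.etree.ElementTree as ET


def normalise_message(raw: str) -> bytes:
    """Return a canonical byte representation of one XML message."""
    # 1. Unicode: NFC, so composed and decomposed forms of the same text agree.
    text = unicodedata.normalize("NFC", raw)
    # 2. XML: C14N 2.0 with comments dropped, insignificant whitespace
    #    stripped and attributes emitted in canonical order.
    canonical = ET.canonicalize(xml_data=text, strip_text=True)
    return canonical.encode("utf-8")


def is_canonical(raw: str) -> bool:
    """True when the producer already sent the canonical form.

    A guard can log non-canonical input: a message that carries variation the
    protocol does not need is worth noticing even when it is otherwise valid.
    """
    return normalise_message(raw) == raw.encode("utf-8")


if __name__ == "__main__":
    # Constructed samples: same message, different surface forms.
    a = '<msg to="b" from="a"><!-- note --><body>caf\u00e9</body></msg>'
    b = '<msg from="a" to="b">\n  <body>cafe\u0301</body>\n</msg>'
    print(normalise_message(a) == normalise_message(b))  # True
    print(normalise_message(a).decode("utf-8"))
```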
Rules & Rule Catalogs
M-Guard can set specific rules to check XML messages. An important benefit of using XML is that there is a large variety of standardised mechanisms for checking XML messages. M-Guard uses the following standards:
- XML Schema. Defines the schema of the XML protocol.
- XPath. A mechanism useful for specifying generic checks.
- Schematron. A flexible mechanism for specifying rules.
- RELAX NG. A modern XML schema language.
Typically, an application will have a set of Rule Catalogs. Rule Catalogs can be added into an M-Guard Project, and then rules from these Catalogs can be applied for each Guard. Applications using M-Guard should provide the right set of Rule Catalogs.
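The following added example (not Isode's rule engine) shows how a small Rule Catalog of the kinds listed above can be applied to one message: a schema-like whitelist of permitted elements, Schematron-style assertions expressed as XPath expressions that must select a node, and two business rules on the security label and the sender. It uses the Python standard library's limited XPath support. The 'message'/'header'/'label' element names, the classification vocabulary, the producer domain and the rules themselves are assumptions made for this illustration.

```python
# Added example (not Isode's code): a rule catalog applied to an XML message.
# Element names, label values and rules are assumed for illustration.
import xml.etree.ElementTree as ET
from typing import List, Tuple

# Schema-like structural check: the only elements the profile permits (assumed).
ALLOWED_TAGS = {"message", "header", "from", "to", "label", "body"}

# Business rule: labels the receiving domain may accept (assumed policy).
ALLOWED_CLASSIFICATIONS = {"UNCLASSIFIED", "RESTRICTED"}

# Business rule: the domain the producer's senders must belong to (assumed).
PRODUCER_DOMAIN = "@red.example"

# Schematron-style assertions: each XPath must select at least one node.
RULE_CATALOG: List[Tuple[str, str]] = [
    ("./header/from", "sender missing"),
    ("./header/to", "recipient missing"),
    ("./header/label", "security label missing"),
    ("./body", "body missing"),
]


def check_message(raw: bytes) -> List[str]:
    """Return the list of rule violations; an empty list means the message may pass."""
    findings: List[str] = []
    try:
        root = ET.fromstring(raw)
    except ET.ParseError as e:
        return [f"not well-formed XML: {e}"]
    if root.tag != "message":
        return [f"unexpected root element <{root.tag}>"]

    # Structural whitelist: anything outside the profile is a finding.
    for el in root.iter():
        if el.tag not in ALLOWED_TAGS:
            findings.append(f"element <{el.tag}> not permitted by profile")

    # Schematron-like assertions.
    for xpath, msg in RULE_CATALOG:
        if root.find(xpath) is None:
            findings.append(msg)

    # Label check: only releasable classifications cross the boundary.
    label = root.find("./header/label")
    if label is not None:
        cls = label.get("classification")
        if cls not in ALLOWED_CLASSIFICATIONS:
            findings.append(f"classification {cls!r} not releasable")

    # Sender check: the producer may only speak for its own domain.
    sender = root.findtext("./header/from", default="")
    if sender and not sender.endswith(PRODUCER_DOMAIN):
        findings.append(f"sender {sender!r} outside producer domain")
    return findings


if __name__ == "__main__":
    # Constructed sample message that satisfies every rule.
    good = (b'<message><header><from>alice@red.example</from>'
            b'<to>bob@black.example</to><label classification="RESTRICTED"/>'
            b'</header><body>hello</body></message>')
    print(check_message(good))                                   # []
    print(check_message(good.replace(b"RESTRICTED", b"SECRET")))  # one finding
```

The guard's decision is simply `not check_message(raw)`; keeping the findings as a list rather than a boolean gives the audit log the reason for each block without altering the message itself.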