
PSTgateways

Overview

True network separation

The PSTgateways architecture provides true network separation. Its key points are a two-host layout and the enforcement of a complete TCP/IP protocol break. Both appliances act as protocol endpoints and communicate with the nodes on their own domain using standard protocols.

Application level gateways

Data elements of the application layer (files, email messages, etc.) are extracted and automatically transferred to the other domain. Protocol headers of all stack layers are discarded, and new packets are created on the other network to send the extracted data.
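The following is an added illustration of the application-level protocol break just described, written for this page and not taken from Autek's products. It treats e-mail as the data element: the inbound endpoint parses the received message completely and keeps only an allow-list of header fields, the plain-text body and the attachment payloads; the outbound endpoint then builds a brand-new message from those elements alone, so no transport framing, MIME structure or unlisted header from the originating network crosses the boundary. The `CONFIGURED_PEERS` check models the "communication only with configured hosts" rule stated later on the page. The sample message, the peer name and the allowed header list are constructed values.

```python
"""
Added example (not Autek's code): an application-layer protocol break for
e-mail. Bytes come in on one domain, a transport-neutral DataElement is
extracted, and fresh bytes are generated for the other domain.
"""
import base64
import email
import email.policy
from dataclasses import dataclass, field
from email.message import EmailMessage

# Header fields the gateway is permitted to carry across (assumed policy).
ALLOWED_HEADERS = ("From", "To", "Subject", "Date")

# Hosts the outbound endpoint may deliver to (constructed example value).
CONFIGURED_PEERS = {"mail.low.example"}


@dataclass
class DataElement:
    """One message reduced to data: no raw headers, no raw MIME framing."""
    headers: dict
    body_text: str
    attachments: list = field(default_factory=list)  # (filename, bytes)


def extract(raw: bytes) -> DataElement:
    """Inbound endpoint: parse fully, keep only allow-listed fields and payloads."""
    msg = email.message_from_bytes(raw, policy=email.policy.default)
    headers = {h: str(msg[h]) for h in ALLOWED_HEADERS if msg[h] is not None}
    body = msg.get_body(preferencelist=("plain",))
    body_text = body.get_content() if body is not None else ""
    attachments = []
    for part in msg.iter_attachments():
        name = part.get_filename() or "unnamed"
        attachments.append((name, part.get_payload(decode=True) or b""))
    return DataElement(headers, body_text, attachments)


def rebuild(elem: DataElement) -> EmailMessage:
    """Outbound endpoint: construct a fresh message from the data element only."""
    out = EmailMessage(policy=email.policy.default)
    for name, value in elem.headers.items():
        out[name] = value
    out.set_content(elem.body_text)
    for filename, data in elem.attachments:
        out.add_attachment(data, maintype="application",
                           subtype="octet-stream", filename=filename)
    return out


def relay(raw: bytes, dest_host: str) -> bytes:
    """Protocol break end to end, delivering only toward a configured peer."""
    if dest_host not in CONFIGURED_PEERS:
        raise PermissionError(f"{dest_host} is not a configured peer")
    return rebuild(extract(raw)).as_bytes()


# Constructed sample: a multipart message carrying headers the gateway
# must not forward (Received, X-Mailer) and one attachment.
SAMPLE_RAW = (
    b"Received: from client.high.example by relay.high.example (constructed)\r\n"
    b"X-Mailer: SomeClient/1.0\r\n"
    b"From: alice@high.example\r\n"
    b"To: bob@low.example\r\n"
    b"Subject: Weekly report\r\n"
    b"MIME-Version: 1.0\r\n"
    b"Content-Type: multipart/mixed; boundary=\"XYZ\"\r\n"
    b"\r\n"
    b"--XYZ\r\n"
    b"Content-Type: text/plain; charset=\"utf-8\"\r\n"
    b"\r\n"
    b"Report attached.\r\n"
    b"--XYZ\r\n"
    b"Content-Type: application/octet-stream\r\n"
    b"Content-Disposition: attachment; filename=\"report.txt\"\r\n"
    b"Content-Transfer-Encoding: base64\r\n"
    b"\r\n"
    + base64.b64encode(b"all systems nominal") + b"\r\n"
    b"--XYZ--\r\n"
)

if __name__ == "__main__":
    print(relay(SAMPLE_RAW, "mail.low.example").decode())
```

Run as a script it prints the rebuilt message: the Received and X-Mailer lines are gone, the MIME boundary is freshly generated, and the attachment is re-encoded from its decoded bytes rather than copied through.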

Ease of deployment and use

PSTgateways devices are composed of two 19” appliances with all the necessary software installed (firmware).

Each appliance is deployed on one security domain and communicates with the other through a passive device. From the security point of view the solution is asymmetrical: it is administered exclusively from the HIGH security domain. Two additional software components are included, one for remote administration of the system (PSTadm) and another for transferred-data logging (PSTaud). These are installed on general-purpose computers.

Feature Overview

Topology

Two appliances, one on each security domain, which communicate through a passive device.

Deployment

Ready to use appliances. The system is configured remotely once PKI and network parameters are set on the HIGH domain appliance through a local interface.

Administration

The system is monitored remotely, with PSTadm, from the HIGH domain. Several gateways can be administered from the same console (PSTadm). One gateway can be simultaneously administered from several consoles.

Administration roles

Four remote administration roles are supported and enforced through PKI:
• Root Administrator
• Security Administrator
• Services Administrator
• Monitoring Administrator

Status and error notifications

Operation and security events can be sent to separate SYSLOG servers.

Transferred data logging

With PSTaud, installed on a computer on the HIGH domain, information from all transfers can be logged to a database or saved as XML files.

Automatic time synchronization

The system allows configuring time synchronization via NTP servers on the HIGH domain.

High availability (optional)

Complete hardware redundancy. Automatic switch to the secondary system in case of primary system failure.

Maximal bandwidth

130 Mbps (each direction).

Security

Topology

Dedicated and independent management network interface that allows separation of all management traffic from data traffic on the HIGH domain.

Application layer endpoint on both sides

Only data elements of the application layer are extracted and transferred to the other domain.

Boundary network protection

Minimal attack surface. Only used ports available. Communication only with configured hosts allowed.

Administrative communications

The system can only be administered by authorised administrators, enforced through PKI. All communications between the software components and the appliances are protected by TLS with remote peer authentication. All system access and operations performed by administrators are reported.

Transferred data logging

Information from all transfers can be logged for audit purposes.

Appliance software integrity

All software (OS included) executes from a RO partition, the integrity of which can be verified with the supplied tool.
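The page does not show Autek's verification tool, so what follows is a generic, added illustration of the integrity check a read-only software partition makes practical: a manifest of SHA-256 digests is taken from a known-good tree, and a later run reports any file that was modified, removed or added. The directory layout and file contents are constructed for the demo; a real deployment would keep the trusted manifest off the appliance or under a signature so that the check cannot be defeated by editing the manifest alongside the files.

```python
"""
Added example (not Autek's supplied tool): manifest-based integrity check
of a software tree, of the kind applicable to a read-only partition.
"""
import hashlib
import tempfile
from pathlib import Path


def _digest(path: Path) -> str:
    """SHA-256 of one file, streamed so large binaries do not load into memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root) -> dict:
    """Map of relative path -> sha256 hex digest for every regular file under root."""
    root = Path(root)
    return {p.relative_to(root).as_posix(): _digest(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def verify(root, manifest: dict) -> dict:
    """Compare the live tree with a trusted manifest.

    Returns {'modified': [...], 'missing': [...], 'added': [...]}; all three
    lists empty means the tree matches the manifest exactly.
    """
    live = build_manifest(root)
    return {
        "modified": sorted(p for p in manifest if p in live and live[p] != manifest[p]),
        "missing": sorted(p for p in manifest if p not in live),
        "added": sorted(p for p in live if p not in manifest),
    }


def demo() -> dict:
    """Constructed sample: a tiny software tree, its trusted manifest, then tampering."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        (root / "bin").mkdir()
        (root / "bin" / "gateway").write_bytes(b"\x7fELF constructed sample binary")
        (root / "etc").mkdir()
        (root / "etc" / "gateway.conf").write_text("peers = mail.low.example\n")
        trusted = build_manifest(root)
        clean = verify(root, trusted)
        # Simulated tampering: edit the config, delete the binary, add a stray file.
        (root / "etc" / "gateway.conf").write_text("peers = mail.low.example other.example\n")
        (root / "bin" / "gateway").unlink()
        (root / "bin" / "extra").write_bytes(b"unexpected")
        tampered = verify(root, trusted)
    return {"clean": clean, "tampered": tampered}


if __name__ == "__main__":
    print(demo())
```

The check is only as trustworthy as the manifest it compares against and the environment running it; on the appliance described above, the read-only partition is what keeps the verified state stable between checks.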

Solutions

COTS Products


  • PSTmail: E-mail exchange between two security domains.
  • PSTfile: Automatically transfers files between servers on different security domains.
  • PSTupd: UDP payload transfers.

Solutions for specific environments


  • PSTmip: MIP4 Command & Control Systems.
  • PSTcsd: JISR Information Exchange (MAJIIC).
  • PSTjreap: Tactical Data Link via JREAP-C.
  • PSTatx: ASTERIX Surveillance Information.

Customizations

The PSTgateways technology allows customisation to support any cross-domain scenario:

  • Customisation of data exchange control via Web Services.
  • Development of custom filters for any data flow service.
  • Extension to support new communication protocols.

Join the Autek team

A team that works with the objective of growing together doing what we like and facing the challenge of improving at every step.