M-Guard is an XML guard that is used at a network boundary to control traffic. An M-Guard instance is an application level data diode, with traffic flowing in one direction only. Commonly, M-Guard instances will be deployed in pairs, one controlling flow in each direction.


M-Guard takes inbound XML messages and either passes them through or blocks them. It does not perform any transformation; it expects correct messages and enforces correct behaviour.

M-Guard can be used by Isode and third-party applications. There are two primary deployment scenarios:

  1. Cross-Domain. When two secure domains communicate across a national of organizational boundary, it is often important to tightly control information flow across the boundary. M-Guard sits on the boundary to provide necessary controls and assurance.
  2. Red/Black separation. Secure systems are often split with a Red (internal/secure) and Black (external) side. Primary red-isde data is always encrypted at the red/black boundary, typically with a Type 1 (NSA definition) type cryptographic system. There is often a need for management and control information to flow across the red/black boundary (crypto bypass). M-Guard is an appropriate device to control information flow across a red/black boundary.

At boundaries where simple firewall protection is insufficient, M-Guard can provide checks including:

  • Prevent leak of sensitive data (e.g., by Security Label checks; sender/recipient checks)
  • Prevent Covert Channels
  • Prevent malware and attacks
  • Encoding/Syntax/Schema checks
  • Business Rule Checks

Further information is provided in the whitepaper [M-Guard: Isode's XML Guard].

Platforms

M-Guard is delivered as an appliance software package. It is intended for diskless hardware and is currently targeted for Intel Atom processor based applicances. The reference hardware is the Netgate SG-5100, Isode can work with partners to support other hardware platforms.

The appliance uses NanoBSD, which is a cut down FreeBSD. This has been chosen for its small footprint and excellent security characteristics. The appliance software provided by Isode includes NanoBSD; the Isode product is the only application running on the hardware.

M-Guard may also be deployed on Virtual Machines, two platforms are currently supported, and others may be added:

  1. Microsoft Hyper-V
  2. Oracle VirtualBox

An M-Guard appliance can also run one or more M-Guard instances. A common set up is to have one M-Guard appliance running a pair of M-Guard instances (one in each direction). M-Guard is stateless, so that multiple M-Guards may be set up to provide a redundant configuration.

Application Integration

An M-Guard instance will sit between a pair of applications (producer and consumer), with XML messages flowing from producer to consumer. M-Guard, acting as an application level data diode, will validate messages and only pass through those that match configured criteria. These applications will be connected to the M-Guard appliance on separate networks.

M-Guard provides (optional) acknowledgement of transfer to enable reliable transfer from producer to consumer. There is no extra information included with the acknowledgement, to avoid creation of a covert channel.

When the producer application initiates a connection to M-Guard, then M-Guard will connect to the consumer application before accepting the inbound connection.

The protocol used by applications that communicate with M-Guard is the Guard Content eXchange Protocol (GCXP). Isode has published the GXCP protocol in Appendix B of the M-Guard Administration Guide. Isode has also provided a freely available C++ reference implementation of GCXP. Characteristics of GCXP:

  • Transfers a stream of XML Messages.
  • TLS is always used to protect the connection.
  • Two way strong authentication is recommended to validate peers.
  • M-Guard will always validate IP address of connecting application.
  • Framing using RFC 7049 - Compact Binary Object Representation (CBOR).

Management

M-Guard Console is the management GUI for M-Guard, which will connect to M-Guard over a third (management) network. M-Guard Console is used to set up and configure the M-Guard appliance and M-Guard instances running on the appliance. It handles general operations and maintenance, such as system backup.

M-Guard Console uses "Projects" to describe and manage the configuration of multiple individual M-Guard instances.

The screenshot above shows use of M-Guard Console to configure a Guard instance on an M-Guard appliance. A key part of this configuration is setting up addressing to enable correct communication between M-Guard and the consuming and producing applications.

M-Guard activity can be monitored using Syslog, which will be done on the management network. Events are sent to record activity and errors. This can be sent to the Syslog management system of choice. The screenshot below shows M-Guard Syslog messages displayed by the visual Syslog tool.

Testing

There are test Producer and Consumer applications associated with M-Guard Console; these can be run to test one or other side of an operational configuration, or (as in the configuration shown above) both run at once to test and demonstrate an M-Guard instance.

The screenshots above show the test tools sending XML messgaes through an M-Guard instance, which is a useful way to test and demonstrate M-Guard capability. The Producer can be used to send any XML message and has a set of basic XML messages built in, plus a set of "Demo Protocol" messages, one of which is shown above. M-Guard can be configured with rules relating to Demo Protocol, enabling easy demonstration og M-Guard capability to accept and block XML.

Application Profiles & Rules

M-Guard can apply a set of rules to check XML messages. A key benefit of using XML is that there are a wide range of standardized mechanisms to check XML messages. M-Guard supports rules using the following standards:

  1. XML Schema. Schema of the XML protocol.
  2. Xpath. A mechanism useful for specifying generic checks.
  3. Schematron. A flexible mechanism for specifying rules.
  4. Relax NG. A modern XML specification mechanism.

For each application supported, there will be an Application Profile comprising a set of rules. Rule Catalogs can be loaded into an M-Guard Project, and then rules from these Catalogs can be enabled. Applications using M-Guard are expected to provide an appropriate set of Rule Catalogs.

M-Guard supplies two Rule Catalogs with M-Guard Console that are shown above in the M-Guard Console UI:

  1. Demo Protocol Rules. These can be used with the Test Producer and Test Consumer to demonstrate M-Guard capabilities. These rules show parameterization, where the M-Guard configuration includes parameters to constrain the rules.
  2. A set of Base Rules. These provide generic constraints, which will be generally used.

Target Applications

M-Guard can be used with a wide variety of applications, including 3rd party applications, that use GCXP to communicate over M-Guard. Isode also plans to provide a number of applications that can be used with M-Guard or another XML Guard.

The first class of product uses M-Guard for red/black separation, there are two planned products:

  1. Icon-5066, Isode's STANAG 5066 Server. M-Guard is used to support crypto bypass. Planned for Q1 2020.
  2. Red/Black, a new product which enables monitoring and control of black side devices (e.g., HF Radios and Antennae) with a Red Side Web UI. Planned for Q2 2020.

The second class of application is for cross-domain use, following the architecture shown below.

The model is that standard protocols are mapped onto two unidirectional XML message flows that are sent through the guard. The Edge servers are responsible for ensuring that the XML messages transferred comply to the application profile. M-Guard simply enforces this. Isode has two planned products:

  1. A new version of M-Link Edge, for XMPP, with M-Guard (GCXP) support is planned for Q3 2020.
  2. M-Switch Edge, for messaging services. This is particularly focused on military messaging using STANAG 4406, ACP127 and SMTP, but is also suitable for general purpose messaging. Planned for Q4 2020.

Accreditation

M-Guard is intended for environments where it will generally be required that the product used is accredited. M-Guard has been developed with processes and approaches to facilitate accreditation and this is planned.