How Does It Work?
What do Owl products do?
Owl products enable the secure, hardware-enforced, one-way-only transfer of data between network domains of different security levels and policies. Owl solutions ensure the isolation of both networks, while facilitating the delivery of mission-critical, and time-critical, information.
What is a data diode?
A data diode is an inter-network connection that permits information to travel in one direction only. It is most commonly deployed between two or more networks of different security classifications.
How do Owl products work?
Our core products are combinations of Owl-designed communication card hardware & drivers, and internally developed software applications. Communication cards are mounted in Send-only (Blue) and Receive-only (Red) server platforms, connected via fiber-optic or copper cabling. Owl software, specific to the kind(-s) of data to be transferred, is installed in both platforms. The Blue Owl application converts the data to Owl proprietary format, segments it to ATM cells, and sends it to the Red machine. The Red Owl application restores the information to its original format, for distribution to selected destinations.
What is Owl DualDiode Technology®?
The Owl DualDiode data diode design is a multi-layered approach for the transparent and secure transfer of user applications (files, TCP/IP traffic, streaming video, syslog messages, data historians, SCADA, etc.), across a wide range of computer operating systems. DualDiode solutions enable hardware-enforced, one-way information transfer between discrete network domains, to ensure communications capability and absolute assurance against data leakage -- at link speeds ranging from 2Mbps to 10Gbps. Custom-designed Send-only & Receive-only Communication Cards are matched with proxy/adapter Owl software applications to “condition” specific user data types to the Owl protocol break for transfer.
How does Owl secure information transfer operating systems?
Owl uses DISA Security Technical Implementation Guides (STIGs) and the processes of Certifiable Linux Integration Platform (CLIP) & Owl Security Enhanced Linux (OSELinux) to secure and constrain an OS to explicitly determined functionality and interaction with resident Owl software applications. This OS and application "hardening" may extend to the implementation of mandatory and/or role-based access controls, with customized menus explicitly defining what actions individual privileged users can take.
What does an Owl system do?
Owl systems pass data from one computer to another, and/or from one network to another, in one direction only. Data flows forward without impediment at high throughput rates. Data does not flow at all in the reverse direction. Data transfer may be low-to-high or high-to-low security. Some deployments may require both unidirectional paths, physically and logically separated but intrinsic to a higher application use.
Is the Owl system a firewall?
No. An Owl system does functions like a gateway, but with an important difference: data flows in one direction only, and paths are preconfigured. Because security is enforced in hardware, there is no possibility of security breach through software attack. Owl drivers have been developed internally and are not dependent on the TCP/IP communication stack of hosts on which they reside. An Owl data diode solution is a "non-routable" protocol break between the two networks it connects one-way. Owl systems cannot be "hacked."
What types of error-checking are used in Owl systems?
Data is verified at multiple levels. Error-checking is performed in hardware in accordance with ATM AAL5 protocol. At a higher level, advanced hash algorithms are used to validate integrity of IP packets assembled from ATM cells. Packet sequences are also verified. Finally, the packets are merged into higher level data structures that are also verified using advanced hash algorithms.
How fast will data flow through an Owl system?
Owl Communication Cards are designed to meet individual client capacity needs. Link speeds range from 1Mbps to 10Gbps.
For an example of throughput, link speed for Owl 2500 Communication Cards is 2.488 Gigabits/sec. When configured for clear-channel, an Owl 2500 pair transfers up to 270 Megabytes/sec of content. When configured as channelized, a 2500 pair will support up to 8 virtual connections over a single physical link, each connection configurable to meet individual application needs.
How does Owl manage log files?
Owl provides log file capability on Send-only and Receive-only servers. The level of detail of information that is stored in these log files is controlled by an argument in the startup scripts. All software applications support the Owl log file-management system, and the maintenance of historical information such as data archiving, aging, etc. Log files may be viewed locally or remotely by Owl Performance Management Service OPMS, on which real-time logs are replicated and displayed graphically via a Web interface. Alternately, Owl Log File Service (OLFS) delivers log information as a datagram stream to a third-party enterprise network manager, or as static files for admin analysis.
Can we run multiple Owl Applications on the same machine(s)?
Yes. Owl SNTS supports concurrent UDP, TCP, and file transfer; a single Communication Card set enables the hardware transfers. With channelized Owl 2500 cards, for specific user needs, multiple Owl applications may be run on individual machines, with one card set.
Certifications, Patents, & Accreditations
What Data Diode Patent does Owl exclusively License from Sandia?
Patent Number: 5,703,562 | December 30, 1997
Method For Transferring Data From An Unsecured Computer To A Secured Computer.
What other Patents has Owl been granted?
On March 9, 2010, Owl received Patent Number: 7,675,867 for One-Way Data Transfer with Built-In Data Verification Mechanism, and markets the technology as the Owl Secure Acknowledgment Engine (OSAE).
On May 10, 2011, Owl was granted Patent Number: 7,941,526 for Transmission of Syslog Messages over a One-Way Data Link, to transfer syslog messages over DualDiode Technology®.
On August 2, 2011, Owl was awarded Patent Number: 7,992,209 B1 for "Bilateral Communication using Multiple One-Way Links."
On November 29, 2011, Owl was granted Patent Number: 8,068,415 B2 for "Secure One-Way Data Transfer using Communication Interface Circuitry."
On March 20, 2012, Owl was awarded Patent Number: 8,139,581 B1 for "Concurrent Data Transfer involving two or more Transport Layer Protocols over a Single One-Way Data Link."
Are Owl products certified and accredited?
Certified -- Owl Communication cards are NIAP Common Criteria-certified:
Owl 2500 Communication Cards -- NIAP Common Criteria EAL-4
Owl 155 Communication Cards, versions 3 & 4 -- NIAP Common Criteria EAL-4
Owl 155 Communication Cards, versions 1 & 2 -- NIAP Common Criteria EAL-2
Owl 052 - under consideration for EAL certification
Safety Certified - TUV Rheinland Group
All Owl DualDiode Technology products may be included in cross-domain solutions that require accreditation in operational deployment. Owl products function in over 1200 accredited applications throughout the DoD, US Intelligence community and other government agencies. Owl Perimeter Defense solutions are deployed throughout Critical Infrastructure organizations.
As of March 2012, Owl has two entries on the UCDMO Baseline Inventory as an accredited Cross Domain Solutions – OCDS-FT01 (formerly Owl 4.0) for low-to-high file transfer at link speed 155Mbps with Solaris OS, and ECDS-FT01 for enterprise file transfer at link speed 2.5Gbps with Linux OS. A third candidate – OCDS-ST01 – will shortly join the first two. ST01 enables the secure transfer of Full Motion Video and COTS files.
I have been directed to review the UCDSMO Baseline Configurations against my requirements. How do Owl solutions fit into the currently listed Baseline solutions?
As of January 27, 2012, Owl OCDS-FT01 (formerly Owl 4.0) & the Owl ECDS-FT01 (formerly ECDS) are accredited Cross Domain Solutions for transfer on the UCDMO Cross Domain Baseline List. This designation describes solutions that are accredited, and have been successfully evaluated for re-use by other programs requiring these functionalities. This is in addition to many existing niche and individually accredited solutions for individual Agency, DOD or program uses.
Are Owl systems reliable?
Yes.. No Owl system has ever failed in the field.
Do we have to re-certify when we modify or create new software applications based on Owl systems?
No. Security in Owl systems is primarily enforced in hardware, and it is Owl hardware that is certified.
Can the Owl system improve the security of my network?
Yes. Owl systems are designed to prevent leakage of sensitive information from secure isolated networks. Data flows into the secure network, but cannot flow out through the same channel. Without the capability of bilateral communications, the secure network is rendered impervious to probing cyber attacks.
If Owl products send data one-way only, then how do I know my data arrived successfully?
The Owl suite of secure one-way data transfer systems does not provide any back-channel for data verification. Instead, Owl systems perform multiple levels of error-checking on both the Send and Receive machines as data is being sent. Owl systems have proven highly reliable, and are widely used by the most demanding IT customers in the US DoD, US Intelligence Community and major critical infrastructure customers. For clients requiring explicit confirmation of data receipt, the Owl Secure Acknowledgment Engine provides this capability, with no compromise to the original one-way transfer of information.
Can the Owl system support multiple users?
Yes. Owl systems are server-based; the combination of high throughput and seamless network integration accommodates multiple concurrent users. In Enterprise Services deployments, an Owl ECDS can support a wide range of service subscribers, each with its own set of security policies, across a single physical link.
For Process Control customers, an Owl Perimeter Defense solutions can support a range of different applications, with up to 32 individual connections, on a single physical chassis.
Can I move large files through the Owl system?
Yes. Multi-GigaByte and TeraByte-scale files have been reliably transferred through Owl systems. In such cases, Owl 2500 Communication Cards are preferred because of their high link speed (2.488 Gigabits per sec) and high content throughput rates (clear channel - 270+ MegaBytes/sec) automate transfers that had typically been sneaker-net/walk-net transactions. An estimated file size upper limit of 2 TeraBytes is imposed by limitations in host operating systems.
Will the Owl system transfer streaming video?
Yes. Owl solutions will pass streaming video in real-time. On the Send-only server, the optional Owl MUX/DEMUX Server application supports N instances of distinct UDP streams. On the Receive-only server, the MUX Server supports unicast, multicast, and broadcast distribution modes. The OCDS-ST01 Cross Domain Solution is specifically designed to support video and COTS files transfers.
How does Owl offer a TCP product in a one-way environment, if TCP typically requires handshaking?
With Owl TPTS, TCP client establishes a "handshake" with TCP server on the Send-only machine. TCP/IP address information is stripped from the incoming packets, with packet payload transferred to the Receive-only machine. The receiving machine establishes a TCP handshake with its intended recipient and completes the transfer. In Web Server language, the Owl application may be thought of as a one-way proxy. For maximum security, no IP routing information is passed across the one-way link.
Do any Owl products provide encryption?
Yes. Owl Remote File Transfer Service may impose encryption and authentication on files delivered as TCP/IP packets across networks, or from a source, across a DualDiode transfer, to a destination.
Other encrypt/decrypt services may be integrated into an Owl cross-domain solution, as with malware scanning and/or data filters. Our products provide a physical one-way link that allows users to safely send data and trust that absolutely no information - not even handshaking protocols - escapes from your private network via our products.
With what hardware and software are Owl systems compatible?
Owl systems are designed for compatibility with all network devices that support standard IP network communication protocols. Owl secure one-way data transfer systems are designed to function transparently on their host networks. Owl one-way data transfer hardware may be installed in any computer platform with standard PCI-x or PCI-e bus slots operating at 3.3 volts or 5 volts. Owl hardware and software has been extensively tested with a wide range of operating systems - Windows, Solaris, and LINUX. Check under the Products sub-menu for up-to-date Version Information.
Are Owl systems easy to install?
Owl OEM product kits feature color-coded components, streamlined installation procedures, and thorough documentation. Basic Owl systems are routinely installed by client personnel in less than an hour -- sometimes as quickly as 15 minutes.
What components are included in a Turnkey purchase option?
Today, in most cases customers purchase Owl products either as Communication Card sets with application-specific Owl software, or as fully developed Cross Domain Solutions (CDS) [or Perimeter Defense Solutions (PDS)]. Turnkeys include all the application-specific items, two rack-mount servers with the selected Owl communication cards and application software, tested and installed.
How much does an Owl system cost?
Owl systems vary in price based on Owl Communication Card selection, Owl software required for user-specific data types, CDS or PDS requirements, and optional lifecycle & configuration management. Contact us, via the Contact Form included on this website, or call Owl Sales toll-free 866.695.3387, for pricing details on your application.
Can Owl products be exported?
All Owl Communication Cards have an ECCN number of 5A991 with an AT1 restriction -- they can ship almost anywhere (exceptions, -- Cuba, Iran, Iraq is OK with some additional restrictions, Libya, N. Korea, Sudan and Syria).
Detailed information on ECCN ⟨ Export Control Classification Number ⟩ can be Found Here.
Owl Cross Domain Solutions, involving card sets, Owl software, specially modified servers and Oss, and content management suites are handled on a case-by-case basis.
Are you compliant with section 508 of the Rehabilitation Act?
Owl products are considered fully compliant with the applicable provisions of section 508 of the Rehabilitation Act. Owl products are designed to work seamlessly with accessibility enhancement features of their host platform operating systems, thus enabling Federal employees with disabilities to interact with Owl systems with the same effectiveness as Federal employees without disabilities.
Where are Owl cards manufactured?
Owl products are designed and manufactured In the USA.
All Owl products have a U.S. controlled supply chain.