Wikipedia

High Assurance Guard

A High Assurance Guard (HAG) is a Multilevel security computer device which is used to communicate between different Security Domains, such as NIPRNet to SIPRNet. A HAG is one example of a Controlled Interface between security levels. HAGs are approved through the Common Criteria process.

Operation

A HAG runs multiple virtual machines or physical machines - one or more subsystems for the lower classification, one (or more) subsystems for the higher classification. The hardware runs a type of Knowledge Management software that examines data coming out of the higher classification subsystem and rejects any data that is classified higher than the lower classification. In general, a HAG allows lower classified data that resides on a higher classified system to be moved to another lower classified system. For example, in the US, it would allow unclassified information residing on a Secret classified system to be moved to another Unclassified system. Through various rules and filters, the HAG ensures that data is of the lower classification and then allows the transfer.

On the application layer, the HAG runs an "evaluated mandatory integrity policy" that provides sensitive files, data and applications protection from inadvertent disclosure. At the operating system level, the HAG must have a multilevel kernel that ensures sensitive information, processes, and devices stored and running on the system at different sensitivity levels cannot intermingle in violation of the system's mandatory security model.

The systems are certified via the Common Criteria; depending on the classification, the system may require Common Criteria Evaluated Assurance Level (EAL) 3 or higher. For examples, in the US, an evaluation at the EAL 5 or EAL 5+ (EAL 5 Augmented) or higher is required to export from a Secret domain to an Unclassified domain.

Some manufacturers may use "Trusted Computer System" or "Trusted Applications with High Assurance" as an equivalent term to HAG.

Importance, risks

The HAG is mostly used in email and DMS environments as certain organizations may only have unclassified network access, and they need to send a message to an organization that has only secret network access. The HAG provides them this ability.

See also

  • Data Diode
  • Guard (information security)
  • Cross-domain solution
This article is copied from an article on Wikipedia® - the free encyclopedia created and edited by its online user community. The text was not checked or edited by anyone on our staff. Although the vast majority of Wikipedia® encyclopedia articles provide accurate and timely information, please do not assume the accuracy of any particular article. This article is distributed under the terms of GNU Free Documentation License.

Copyright © 2003-2025 Farlex, Inc Disclaimer
All content on this website, including dictionary, thesaurus, literature, geography, and other reference data is for informational purposes only. This information should not be considered complete, up to date, and is not intended to be used in place of a visit, consultation, or advice of a legal, medical, or any other professional.