I know of two government approved methods for data transfers for closed networks, one of which is pretty close. You basically have two servers connected to the same disk array, and they take turns mounting it to move files onto/off it. There is of course scanning and logging and such involved.
The other (unidirectional) method is a fibre pair connection that does not physically connect the TX with the RX in one direction, and there is some bumblefuckery that pushes the data through.
Of course classified data is only transferred from networks with lower classification to networks with higher classification, never the other way.
Raytheon Trusted Computer Solutions (RTCS), a wholly owned subsidiary of Raytheon Company (NYSE: RTN), today announced that its High Speed Guard (HSG) big data transfer solution has received Cross Domain System Authorization and Authority to Operate for Secret and Below Interoperability (SABI).
This allows government customers to connect to networks classified at secret and below, and enables them to start the SABI site test and evaluation toward full system accreditation.
Raytheon's HSG solution is a commercial-off-the-shelf product that enables the rapid transfer of all types of data across multiple networks at different classification levels. With the industry's fastest bi-directional transfer rates of any guard technology and proven sustained transfer rates of more than nine gigabits per second, HSG is ideally suited for large-scale deployments that require rapid, automated data transfer.
That is precisely how I would describe the Tenix and/or FOX-IT data pump implementations. It's amazing what people can manage to get away with even at EAL-7+.
Fun fact: many desktop printers can hit 3kbps in V40L QR codes (biggest + lowest ECC).
(Estimated at approx 10ppm by 20KiB per code.)
For the security conscious on a budget, printing QR codes to scan to a networked machine can be a way to get information off an otherwise air-gapped machine, with easy introspection and auditing. (This came up in the context of offline signing of Bitcoin transactions with a "warm" wallet -- digital, but airgapped from the "hot" wallets.)
The other (unidirectional) method is a fibre pair connection that does not physically connect the TX with the RX in one direction, and there is some bumblefuckery that pushes the data through.
Of course classified data is only transferred from networks with lower classification to networks with higher classification, never the other way.