
HP NetTop™: High Assurance Computing using SELinux and Virtual Machines

Tony Musgrave, Hewlett-Packard

SELinux Symposium, February 27, 2005 (selinuxsymposium.org/2005/presentations/session7/7-3-musgrave.pdf)

© 2004 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice. NetTop is a U.S. registered trademark of the NSA.


The Problem

• Providing access to multiple networks with different sensitivity levels while maintaining the desired degree of data isolation between them
• Customer requirements determine whether complete isolation or the controlled flow of data between networks is desired


Solutions Before HP NetTop™


Scenario: Separate PC, keyboard, and monitor for each environment create an “air gap” (figure: one PC on the Internet, one on the Intranet)


Scenario: Separate PCs using a KVM switch and a single keyboard and monitor for all environments (figure: Internet and Intranet PCs behind one KVM switch)


The HP NetTop™ Solution: “a network on your desktop”


What is NetTop™?

Software stack (from the diagram, bottom to top):
- x86 hardware
- SELinux (host OS)
- VMware (virtual machine monitor)
- Guest VMs: NT, Win2K, Linux, WinXP (each with its own guest OS)

• Each virtual machine has its own guest OS and its own virtual hardware.
• The VMM keeps the VMs separate, and controls access to local resources.
• The host OS provides the main interface to the local peripherals.

NetTop is a combination of Open Source and COTS software that allows multiple “virtual computers” to run on a single workstation while maintaining separation of data.


NetTop™ is a “software BIOS”

• No access to SELinux host OS, either locally or remotely
• Windows-like GUI is familiar to users
• No Linux experience necessary for users


NSA NetTop™ 1.8.50 Certification

• NSA/IAD Signed Certificate (August 2003): “domain separation between networks of Secret/Releasable up to and through Top Secret/SCI”
• Complies with NSTISSP 11 (NIAP/NSA testing requirements)
• Customers must still obtain local certification and accreditation (HP does not certify NetTop)


What is HP NetTop™?

• HP licensed NetTop from NSA in 2003
• HP develops, installs, and supports HP NetTop
• HP develops custom SELinux applications and policies to extend NetTop
• NSA reviews HP’s enhancements, including SELinux security policy


VMware Workstation

• Two loadable kernel modules, vmmon and vmnet
• Each VM’s processes, virtual disk files, configuration files, and log files are labeled in that VM’s own SELinux domain
• SELinux policy enforces separation of data between VMs
• NSA reviews VMware source code to ensure proper behavior


HP NetTop™ Desktop


VMware: copy-and-paste

• By default, VMware allows a person to select data in one VM and paste the data into another VM
• HP NetTop disables VMware’s copy-and-paste feature via a VMware configuration setting


Devices shared by Virtual Machines

• Floppy disk drive (only one VM at a time)
• CD-ROM drive (only one VM at a time)
• Sound card (only one VM at a time)
• Network interface card (various options)

SELinux policy prevents concurrent access by multiple VMs


Chooser

GUI utility which a person uses to assign removable media or the sound card to a virtual machine
• Must enter a password (if required by customer)
• Must physically remove disk from floppy or CD drive
• SELinux’s chcon is invoked to relabel the device file


Separate NICs for Each VM

Each VM is assigned to a dedicated NIC for connection to its network


One NIC for Multiple VMs

• Two or more VMs can be connected simultaneously to different networks of different sensitivity levels using a single physical NIC
• Requires use of a customer-provided VPN concentrator and a hidden VM to run the VPN software


HP NetTop™ Installation

• Customer-specific configuration file
• SELinux policy automatically created, compiled, and loaded
• Initially in Development mode, and SELinux policy is not enforced
• Later, HP NetTop is switched into Production mode, and SELinux policy is enforced
• HP’s Remote Admin option for many workstations


Development Mode Details

• SELinux kernel boots with “enforcing=0”
• User can launch an xterm window and access the SELinux host
• Used by HP for developing and testing SELinux host applications and security policy
• Not intended for normal production use


Production Mode Details

• Sys admin clicks on “Make Secure” to lock down the SELinux host (irreversible)
• SELinux kernel boots with “enforcing=1”
• User cannot launch an xterm window
• No access to the SELinux host, so policy cannot be changed
• Cannot switch back to Development mode
• Fewer RPMs installed on host than in Development mode


HP NetTop™ Policy Objectives

• Separation of VMs and their data
• Least privilege: allow only what is necessary, and no more


HP NetTop™ 1.2 Enhanced Security Features

• Monitor capacity of logging filesystem
  - warning when filesystem is 80% full (default threshold)
  - shutdown when filesystem is 90% full (default threshold)
• Perform cryptographic hash integrity check on critical files at startup
• Wipe out swap partition when HP NetTop is shut down
• Lock Chooser after repeated authentication failures
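The startup integrity check listed above, as an added example written for this page (not HP NetTop's own code): a manifest of SHA-256 hashes is recorded at install time and re-verified at boot, reporting files that are missing or altered. The file names are hypothetical; the slides do not say which files NetTop treats as critical.

```python
import hashlib
import hmac
import os
import tempfile

def sha256_of(path: str) -> str:
    """Hash a file in chunks so large critical files need not fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def build_manifest(paths) -> dict:
    """Record the known-good hash of each critical file (done once, at install time)."""
    return {p: sha256_of(p) for p in paths}

def verify_manifest(manifest: dict) -> list:
    """Startup check: return the critical files that are missing or whose hash changed."""
    failed = []
    for path, expected in manifest.items():
        if not os.path.isfile(path) or not hmac.compare_digest(sha256_of(path), expected):
            failed.append(path)
    return failed

def startup_check_demo() -> tuple:
    """Constructed scenario: a clean check, then one file altered and one removed."""
    d = tempfile.mkdtemp()
    # Hypothetical file names; the slides do not list which files are 'critical'.
    files = [os.path.join(d, n) for n in ("policy.conf", "vm1.vmx", "chooser")]
    for i, p in enumerate(files):
        with open(p, "wb") as f:
            f.write(b"sample contents %d\n" % i)
    manifest = build_manifest(files)
    clean = verify_manifest(manifest)          # expected: []
    with open(files[1], "ab") as f:            # alter one file in place
        f.write(b"# unexpected change\n")
    os.remove(files[2])                        # and delete another
    tampered = verify_manifest(manifest)
    return clean, [os.path.basename(p) for p in tampered]
```

The manifest itself has to live somewhere the SELinux policy keeps unwritable in Production mode; otherwise an altered file can simply be paired with an updated hash.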


HP NetTop™ Additional Security Features

• Disk is bound to MAC addresses of physical NICs
• Encrypted virtual machines (optional)


HP NetTop™ Additional Security Features (continued)

VMware’s virtual disk modes:
• By default, each VM’s disk is in persistent mode: all changes written by the guest OS are committed to the disk permanently
• Non-persistent mode: all changes written by the guest OS are lost when the VM is powered off or reset
• Undoable mode: when powering down a VM, VMware asks the user whether or not to commit all changes since the VM powered up


HP NetTop™ as a Foundation for Building Secure Applications


Applications based on HP NetTop™

• Controlled flow of validated data between 2 networks, cross-domain transfer, or one-way data pump
• Retrieval of log files from SELinux host for auditors
• Access to multiple networks using a single NIC and VPN
• Read-only filesystem sandbox


One-way Data Pump: Requirements

• Need to transfer data from Low VM to High VM
• Only valid data can be transferred
• Cannot use TCP networks for data transfer between Low and High VMs


One-way Data Pump: Solution


Retrieval of Log Files: Requirements

• Need to periodically retrieve log files from a SELinux host (HP NetTop), but the host has no network access or local login
• Need to restrict which log files can be retrieved
• Need to retrieve either the entire log file or only those records appended since the previous retrieval
• Need to keep the SELinux host (HP NetTop) running: cannot reboot from a CD (Knoppix) and bypass SELinux


Retrieval of Log Files: Solution

• Application in a VM sends a request to the SELinux host daemon: host filename and starting offset in bytes
• SELinux host daemon verifies that the name of the requested file is in a list of approved files before sending the data back to the VM application
• VM and SELinux host communicate using 2 channels: one for sending the request from VM to host, and another for sending the file’s contents back to VM from host
• Both channels are virtual serial ports in the VM, visible on the SELinux host as Unix domain sockets
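The exchange described above, as an added example written for this page rather than HP's daemon: the host side takes a `<filename> <offset>` request on one AF_UNIX channel, checks the name against an approved list, and returns the file from that offset on a second channel. The request format, reply format and approved-list contents are assumptions (the slides describe the checks but not the wire format); `socket.socketpair()` stands in for the two virtual serial ports so the exchange runs in one process.

```python
import os
import socket
import tempfile
APPROVED_LOGS = {"messages", "audit.log"}  # hypothetical list; the slides give no contents

def parse_request(line: bytes):
    """VM request format assumed here: b'<filename> <offset>\\n'; None if malformed."""
    parts = line.decode("ascii", "replace").split()
    if len(parts) != 2 or not parts[1].isdigit():
        return None
    return parts[0], int(parts[1])

def serve_log(log_dir: str, name: str, offset: int):
    """Bytes of an approved log from `offset` (0 = whole file), or None if refused."""
    path = os.path.join(log_dir, name)
    # The slide's check (name on the approved list) plus a basename check so a
    # request can never name a path outside log_dir.
    if name not in APPROVED_LOGS or os.path.basename(name) != name or not os.path.isfile(path):
        return None
    with open(path, "rb") as f:
        f.seek(offset)  # non-zero offset: only records appended since last retrieval
        return f.read()

def host_daemon_once(req_sock, data_sock, log_dir: str) -> bool:
    """Host side: read one request from the request channel, reply on the data channel."""
    req = parse_request(req_sock.recv(4096))
    data = serve_log(log_dir, *req) if req else None
    if data is None:
        data_sock.sendall(b"ERR refused\n")
        return False
    data_sock.sendall(b"OK %d\n" % len(data) + data)
    return True

def retrieve(log_dir: str, name: str, offset: int) -> bytes:
    """VM side of one exchange; socketpair() yields AF_UNIX sockets, as on the host."""
    vm_req, host_req = socket.socketpair()    # channel 1: request, VM -> host
    host_data, vm_data = socket.socketpair()  # channel 2: file contents, host -> VM
    vm_req.sendall(f"{name} {offset}\n".encode())
    host_daemon_once(host_req, host_data, log_dir)
    host_data.close()                         # EOF marks the end of the reply
    reply = b"".join(iter(lambda: vm_data.recv(4096), b""))
    vm_req.close(); host_req.close(); vm_data.close()
    return reply

def make_sample_log_dir() -> str:
    """Constructed sample: a log directory holding one approved file."""
    d = tempfile.mkdtemp()
    with open(os.path.join(d, "messages"), "wb") as f:
        f.write(b"line1\nline2\n")
    return d
```

Because the host refuses anything not on the list before touching the filesystem, the VM application learns only whether a name is approved, never whether an unapproved path exists.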


Visit www.hp.com/go/nettop for more information on HP NetTop™
