© 2004 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice.
NetTop is a U.S. registered trademark of the NSA.
HP NetTop™: High Assurance Computing using SELinux and Virtual Machines
Tony Musgrave, Hewlett-Packard
February 27, 2005
The Problem
• Providing access to multiple networks with different sensitivity levels while maintaining the desired degree of data isolation between them
• Customer requirements determine whether complete isolation or the controlled flow of data between networks is desired
Solutions Before HP NetTop™
Scenario: Separate PC, keyboard, and monitor for each environment create an “air gap”
[Figure: Internet / Intranet]
Scenario: Separate PCs using a KVM switch and a single keyboard and monitor for all environments
[Figure: Internet / Intranet]
The HP NetTop™ Solution: “a network on your desktop”
What is NetTop™?
[Figure: software stack, bottom to top]
  x86 Hardware
  SELinux (host OS)
  VMware (virtual machine monitor)
  Guest OSes, one per VM: NT, Win2K, Linux, WinXP
• Each virtual machine has its own guest OS and its own virtual hardware.
• The VMM keeps the VMs separate, and controls access to local resources.
• The host OS provides the main interface to the local peripherals.
NetTop is a combination of Open Source and COTS software that allows multiple “virtual computers” to run on a single workstation while maintaining separation of data.
NetTop™ is a “software BIOS”
• No access to SELinux host OS, either locally or remotely
• Windows-like GUI is familiar to users
• No Linux experience necessary for users
NSA NetTop™ 1.8.50 Certification
• NSA/IAD Signed Certificate (August 2003): “domain separation between networks of Secret/Releasable up to and through Top Secret/SCI”
• Complies with NSTISSP 11 (NIAP/NSA testing requirements)
• Customers must still obtain local certification and accreditation (HP does not certify NetTop)
What is HP NetTop™?
• HP licensed NetTop from NSA in 2003
• HP develops, installs, and supports HP NetTop
• HP develops custom SELinux applications and policies to extend NetTop
• NSA reviews HP’s enhancements, including SELinux security policy
VMware Workstation
• Two loadable kernel modules, vmmon and vmnet
• Each VM’s set of processes, virtual disk files, configuration files, and log files is labeled in VM-specific domains
• SELinux policy enforces separation of data between VMs
• NSA reviews VMware source code to ensure proper behavior
HP NetTop™ Desktop
VMware: copy-and-paste
• By default, VMware allows a person to select data in one VM and paste the data into another VM
• HP NetTop disables VMware’s copy-and-paste feature via a VMware configuration setting
Devices shared by Virtual Machines
• Floppy disk drive (only one VM at a time)
• CD-ROM drive (only one VM at a time)
• Sound card (only one VM at a time)
• Network interface card (various options)
SELinux policy prevents concurrent access by multiple VMs
Chooser
GUI utility which a person uses to assign removable media or sound card to a virtual machine
• Must enter a password (if required by customer)
• Must physically remove disk from floppy or CD drive
• SELinux’s chcon is invoked to relabel the device file
Separate NICs for Each VM
Each VM is assigned to a dedicated NIC for connection to its network
One NIC for Multiple VMs
• Two or more VMs can be connected simultaneously to different networks of different sensitivity levels using a single physical NIC
• Requires use of customer-provided VPN concentrator and a hidden VM to run VPN software
HP NetTop™ Installation
• Customer-specific configuration file
• SELinux policy automatically created, compiled, and loaded
• Initially in Development mode, and SELinux policy is not enforced
• Later, HP NetTop is switched into Production mode and SELinux policy is enforced
• HP’s Remote Admin option for many workstations
Development Mode Details
• SELinux kernel boots with “enforcing=0”
• User can launch an xterm window and access the SELinux host
• Used by HP for developing and testing SELinux host applications and security policy
• Not intended for normal production use
Production Mode Details
• Sys admin clicks on “Make Secure” to lock down the SELinux host (irreversible)
• SELinux kernel boots with “enforcing=1”
• User cannot launch an xterm window
• No access to the SELinux host, so policy cannot be changed
• Cannot switch back to Development mode
• Fewer RPMs installed on host than in Development mode
HP NetTop™ Policy Objectives
• Separation of VMs and Their Data
• Least Privilege: allow only what is necessary, and no more
HP NetTop™ 1.2 Enhanced Security Features
• Monitor capacity of logging filesystem
  - warning when filesystem is 80% full (default threshold)
  - shutdown when filesystem is 90% full (default threshold)
• Perform cryptographic hash integrity check on critical files at startup
• Wipe out swap partition when HP NetTop is shut down
• Lock Chooser after repeated authentication failures
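Two of the checks above, the startup hash integrity check of critical files and the logging-filesystem capacity thresholds, as an added example; this is not HP NetTop's code, and the manifest format, the file names and the statvfs-based fill measurement are assumptions of mine.

```python
import hashlib
import os
import tempfile

WARN_PCT = 80      # default warning threshold on the slide
SHUTDOWN_PCT = 90  # default shutdown threshold on the slide

def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def verify_manifest(manifest):
    """manifest maps path -> expected hex digest (assumed format). Returns the
    paths that fail; a missing critical file is a failure, not a skip."""
    failed = []
    for path, expected in manifest.items():
        try:
            if sha256_file(path) != expected:
                failed.append(path)
        except OSError:
            failed.append(path)
    return failed

def capacity_action(used_pct, warn=WARN_PCT, shutdown=SHUTDOWN_PCT):
    """Map a logging-filesystem fill level to the slide's two actions."""
    if used_pct >= shutdown:
        return "shutdown"
    if used_pct >= warn:
        return "warn"
    return "ok"

def log_fs_used_pct(mount_point):
    """Percent of blocks in use on the filesystem holding mount_point."""
    st = os.statvfs(mount_point)
    return 100.0 * (st.f_blocks - st.f_bfree) / st.f_blocks if st.f_blocks else 0.0

def integrity_demo():
    """Constructed tree: one intact file, one tampered after the manifest was
    taken, one listed but never written. Returns failing base names, sorted."""
    with tempfile.TemporaryDirectory() as d:
        paths = {n: os.path.join(d, n) for n in ("vmmon.ko", "vmnet.ko")}
        for p in paths.values():
            with open(p, "wb") as f:
                f.write(b"constructed module bytes")
        manifest = {p: sha256_file(p) for p in paths.values()}
        manifest[os.path.join(d, "policy.conf")] = "0" * 64  # never written
        with open(paths["vmnet.ko"], "ab") as f:
            f.write(b"tampered")
        return sorted(os.path.basename(p) for p in verify_manifest(manifest))
```

At startup the host would call verify_manifest over the real manifest and refuse to continue past the lockdown if the list is non-empty; capacity_action is what the monitor would call on each poll of log_fs_used_pct.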
HP NetTop™ Additional Security Features
• Disk is Bound to MAC Addresses of Physical NICs
• Encrypted Virtual Machines (optional)
HP NetTop™ Additional Security Features (continued)
VMware’s virtual disk modes
• By default, each VM’s disk is in persistent mode: all changes written by the guest OS are committed to the disk permanently
• Non-persistent mode: all changes written by the guest OS are lost when the VM is powered off or reset
• Undoable mode: when powering down a VM, VMware asks the user whether or not to commit all changes since the VM powered up
HP NetTop™ as a Foundation for Building Secure Applications
Applications based on HP NetTop™
• Controlled flow of validated data between 2 networks (cross-domain transfer or one-way data pump)
• Retrieval of log files from SELinux host for auditors
• Access to multiple networks using a single NIC and VPN
• Read-only filesystem sandbox
One-way Data Pump: Requirements
• Need to transfer data from Low VM to High VM
• Only valid data can be transferred
• Cannot use TCP networks for data transfer between Low and High VMs
One-way Data Pump: Solution
Retrieval of Log Files: Requirements
• Need to periodically retrieve log files from a SELinux host (HP NetTop) but the host has no network access or local login
• Need to restrict which log files can be retrieved
• Need to retrieve either entire log file or only those records appended since previous retrieval
• Need to keep SELinux host (HP NetTop) running – cannot reboot from a CD (Knoppix) and bypass SELinux
Retrieval of Log Files: Solution
• Application in a VM sends request to SELinux host daemon: host filename and starting offset in bytes
• SELinux host daemon verifies name of requested file is in a list of approved files before sending the data back to the VM application
• VM and SELinux host communicate using 2 channels: one for sending the request from VM to host, and another for sending the file’s contents back to VM from host
• Both channels are virtual serial ports in the VM, visible on SELinux host as Unix domain sockets
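Both sides of the log-retrieval exchange described above, as an added example that is not HP's code; the "<name> <offset>" request line, the status/length reply framing, the approved-file list and the socketpairs standing in for the two virtual serial ports are all assumptions of mine.

```python
import os
import socket
import tempfile

APPROVED = {"messages", "audit.log"}  # constructed allow-list of base names

def serve_request(log_dir, request, approved=APPROVED):
    """Host side: parse '<name> <offset>', enforce the allow-list and return
    (status, bytes). The OK status carries the offset for the next poll."""
    parts = request.strip().split()
    if len(parts) != 2 or not parts[1].isdigit():
        return "ERR malformed", b""
    name, offset = parts[0], int(parts[1])
    # Exact match on an approved base name; "../" forms never match.
    if name not in approved or os.path.basename(name) != name:
        return "ERR not approved", b""
    try:
        with open(os.path.join(log_dir, name), "rb") as f:
            f.seek(offset)
            data = f.read()
    except OSError:
        return "ERR unavailable", b""
    return "OK %d" % (offset + len(data)), data

def host_daemon(req_chan, data_chan, log_dir):
    """One request line in on req_chan; 'status\\nlength\\n' + bytes out."""
    status, data = serve_request(log_dir, req_chan.makefile("r").readline())
    data_chan.sendall(("%s\n%d\n" % (status, len(data))).encode() + data)

def vm_retrieve(log_dir, name, offset):
    """VM side over two socketpairs (stand-ins for the serial ports), run synchronously."""
    req_host, req_vm = socket.socketpair()
    data_host, data_vm = socket.socketpair()
    req_vm.sendall(("%s %d\n" % (name, offset)).encode())
    host_daemon(req_host, data_host, log_dir)  # small messages fit the buffers
    f = data_vm.makefile("rb")
    status = f.readline().decode().strip()
    data = f.read(int(f.readline().strip()))
    for s in (req_host, req_vm, data_host, data_vm):
        s.close()
    return status, data

def retrieval_demo():
    """Constructed log dir: full fetch, incremental fetch, two rejections."""
    with tempfile.TemporaryDirectory() as d:
        with open(os.path.join(d, "messages"), "wb") as f:
            f.write(b"line1\nline2\n")
        return [vm_retrieve(d, "messages", 0), vm_retrieve(d, "messages", 6),
                vm_retrieve(d, "secret", 0), vm_retrieve(d, "../messages", 0)]
```

The second fetch passes the offset returned by the first, which is how the "only records appended since previous retrieval" requirement is met without the host keeping per-client state.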
Visit www.hp.com/go/nettop for more information on HP NetTop™