Imagine this: you are an hour early for your morning flight, so you pull out your trusty iPad. While sipping a hot grande with your left hand, your right hand is harvesting your Farmville tomatoes. You might as well clean up your NMCI webmail before it hits its limit. Then you remember that you need to respond to a colleague on SIPRNET DCO about the new F22 fighter jet lessons-learned brief. You fire up VMware View, connect to the NSA-approved SIPRNET View Security Gateway, connect to your Win7 virtual machine and post a quick response. After quickly checking your email, you put away the iPad as the intercom calls for final boarding.
How close are we to making this a reality? In all honesty I thought this would never happen, until Friday (17AUG2012). Part of my daily routine is to catch up on the latest tech news and read through several tech blog sites I religiously follow. I happened to end up on Teradici’s release of the Tera2 chipset for their zero clients. I am not new to Teradici’s zero client, since I have designed and engineered our VDI infrastructure around this product at work. Therefore, I monitor their website closely for any press releases. As I read through the middle of the page, “suite B cyphers” caught my eye, and this is where the idea all started.
Suite B ciphers are NSA-approved ciphers that build on the strength of AES 128- and 256-bit ciphers to allow communication between two nodes to carry SECRET up to TOP SECRET information. Suite B was penned in 2005, but I am only now hearing about it. After digging a little more I realized that General Dynamics, Aruba wireless and others have devices that take advantage of the Suite B ciphers; some have already been through NIAP approval while others still await it.
In the past NSA only allowed “Suite A” (Type 1) ciphers to guard SECRET to TOP SECRET information. These ciphers and crypto equipment are very secure because the handling of NSA-approved devices and keys is carefully tracked by the NSA under a strict COMSEC monitoring program. The personnel handling this equipment go through a strict background check before they are entrusted with it. This is done so that the device, along with its key, does not fall into an adversary’s hands. This has proven so secure that we have been operating under this program ever since. Suite A is still the most widely adopted mechanism for securing information in the federal government.
The problem: this is an expensive process. The process is extensive, from the development of the device, through certification and approval, to the manufacturing and delivery of the device. By the time you get the device installed, configured and ready to use, the technology is already 3 or 4 years old. Check the references below for more information regarding the problem.

Let me state the problem through VDI’s lens. Currently, on a typical DoD user’s desk there are two separate workstations. One is an unclassified NIPRNET workstation, a Dell or HP box that runs on its own switches/servers/routers. The user also has a second workstation for Secret SIPRNET, also a Dell or HP box, which also runs on its own switches/servers/routers. These two systems never cross streams. In addition, if the user has a Top Secret desktop, that requires yet another separate setup. For simplicity let’s discuss SIPRNET for now and forget about the TOP SECRET network. Essentially, SIPRNET is one big VPN for the Department of Defense. Each SIPRNET node goes through an NSA-approved Type 1 encryptor, and it needs to talk to another NSA-approved Type 1 encryptor. One has to go through DISA for all the paperwork to get authorization for a SIPRNET connection. Without going into more detail, that is SIPRNET in a nutshell.
The Solution: I propose one PCoIP zero client on the user’s desk, taking advantage of NSA Suite B ciphers and utilizing VDI, specifically VMware View. The user will just need to connect to an NSA-approved SIPRNET View Security Gateway to access his/her Secret Win7 VM. The connection from the zero client – View Security Server – Win7 VM needs to undergo NIAP approval. The PCoIP protocol is already using FIPS-approved AES-128, so NIAP approval shouldn’t be that hard. There are lots of moving parts to make this happen.
- Diagrams 1 and 2 show the user starting from the zero client, using smart card PKI authentication and encrypting communication with Suite B ciphers.
- The encrypted traffic travels through the unclassified NIPRNET network. It passes through the ASA FW/IPS rules and terminates at the GREEN/RED View Security Server.
- Note that the View Security Server has one NIC facing the unclassified NIPRNET and a second NIC touching the classified SIPRNET.
- The View Security Server checks with its paired View Connection Server for PKI credential authorization and looks up the assigned desktop pool. The View Security Server and the Connection Server are separated by a second RED ASA to limit the ports and protocols of the Security Server to the bare essentials.
- Once the credentials check out, the View Security Server proxies the connection to the Win7 VM and sends the pixels to the zero client through the encrypted channel. The View Security Server and the Win7 VM are also separated by a RED ASA to limit the Security Server to TCP/UDP 4172.
Here are the moving parts:
The Client – This sits on the user’s desk. There are three types that I am going to describe.
- Zero Client – The zero client would be the easiest client to pass NIAP approval, since these clients do not have any hard drive that could accidentally store classified information. I will focus this solution on the zero client. With the latest Firmware 4 and support for the SIPR token for PKI authentication, this is the perfect client for the problem. Samsung and LG make an integrated monitor, and Clearcube is releasing a portable zero client in a laptop form factor with a CAC reader built into the unit. The Tera2, which will be officially announced for release this month at VMWORLD 2012, will support the NSA Suite B ciphers, but I do not know if it has gone through NIAP approval.
- Thin Client/iPad – In reality the iPad scenario from the introduction might take two to three more years to get certified than its zero client sibling. Software thin clients could be a problem, and they are difficult to control. First, the host machine needs to be secured against any malicious Trojan or keystroke-logging/pixel-capturing software. Second, the software client needs to go through a rigorous certification process to make sure that it does not store any classified information in memory or on the device. The iPad needs a token reader to be able to read the SIPRNET token for PKI authentication. Laptop thin clients on Windows XP/7/Mac/Linux using PKI authentication should be no problem.
- Read-only thin client – This one warrants a separate category and takes a little explaining. My colleague and I built a bootable-CD Linux client based on a stripped-down Lubuntu for repurposing perfectly good laptops (or desktops). Manufacturers like IGEL, WYSE, DEVONIT, HP and others use the same technique to accomplish the same thing. Our company’s use case comes from the transport of classified information. In the past we had to make sure that we shipped Windows XP laptops as UNCLASSIFIED. Once a laptop is plugged into SIPRNET it is classified from then on. We have to DoD-wipe the drive for shipment back after every event. Each event lasts a couple of weeks. Inherent to this bad model, the laptop will always fall behind on security patches, antivirus, etc. DoD has the HBSS suite, which is mandated for the Department of the Navy. The installer is classified, so I cannot install it on the laptop. HBSS is a McAfee ePO suite with AV/HIPS and a whole bunch of plugins. Once we Ghost the laptop with an outdated image (2 weeks is considered outdated) the cat-and-mouse cycle starts again. As you can see, the laptop/ghosting model is not the way to go. A read-only OS with the VMware View open client is the way to go. A portable zero client is even more ideal, but Clearcube’s product will not be on the market until early 2013.
USB redirection – USB redirection would need to be turned off to prohibit removable media. Luckily, this is easy to implement at the firewall level: USB redirection rides on TCP 32111, separate from PCoIP on 4172. Kudos to VMware and Teradici for separating them. Turning off USB redirection is a downside, but it is a small price to pay for higher security. This will affect isochronous webcams for DCO functionality. Audio can still be accomplished through the 1/8-inch mini jack.
VMware View Security Server – This would fall heavily on the shoulders of VMware. This View Security Server would need to be very secure because it will have one NIC on the unclassified side and a second NIC on the SIPRNET side. The current security server that is installed on Windows will not fly, due to the attack surface of the underlying OS. VMware will need to create a special hardware appliance that is purpose-built for this; a firmware-style upgrade model is preferred. It needs a built-in firewall and an IPS function to actively block common port scans and HTTP attacks. It does not need a full-blown IPS signature set, since only a few ports are open. The unclassified NIC needs to allow only TCP 443 and TCP/UDP 4172, nothing else. Any management of the device will have to be done on the SIPRNET side, or better yet on a third management NIC. This security server should probably have pixel-recording capability for auditing purposes, along with login/logoff timestamps, or that can be offloaded through other means. The protocol that rides on TCP/UDP 4172 already uses approved TLS DCM encryption and is FIPS approved. It just needs the extra NIAP certification to be approved for SECRET. The success of this vision rests on this View Security Server, because it is the gateway from the unclassified network to the classified SIPRNET VM. In the DoD world this is labeled a “Cross Domain Solution”.
SIPRNET token – PKI authentication is a must and should not be optional. Two-factor authentication is paramount for the overall security of the system. VMware View and the PCoIP zero client support PKI authentication.
Win7 VM – The VM will need to be DoD STIG compliant, including HBSS enforcement. This VM should be surrounded by a perimeter FW and IPS for additional security. I would treat these VMs as untrusted, separating them from the servers and also from the SIPRNET.
Web proxy – Web browsers must go through a web proxy for tracking and accountability.
Cisco ASA FW/IPS – This is by preference, but the device needs to be NIAP approved. The firewall function for the View Security Server can be offloaded to the ASA for performance. This can also speed up the Security Server certification, since its FW/IPS functionality would not need to be certified.
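To make the segmentation in the diagram steps, the USB redirection section and the Security Server section concrete, here is an added example (not from the original post) that models each enforcement point as an allow-list and checks candidate flows against it, then renders the list as Cisco ASA ACL entries. Zone names, hop names and the address 10.0.0.5 are constructed placeholders; the ports (TCP 443, TCP/UDP 4172, TCP 32111) are the ones the post names.

```python
from dataclasses import dataclass

PCOIP_PORT = 4172          # PCoIP display protocol, TCP and UDP
USB_REDIRECT_PORT = 32111  # View USB redirection, must not cross the gateway
HTTPS_PORT = 443           # client-to-Security-Server brokering/authentication


@dataclass(frozen=True)
class Flow:
    src: str    # source zone (zone names are constructed for this example)
    dst: str    # destination zone
    proto: str  # "tcp" or "udp"
    dport: int


def allow(src, dst, *ports, protos=("tcp", "udp")):
    """Expand a zone pair plus ports into the set of permitted flows."""
    return {Flow(src, dst, p, port) for port in ports for p in protos}


# One allow-list per enforcement point; anything not listed is dropped.
POLICY = {
    # GREEN ASA: NIPRNET clients -> Security Server's unclassified NIC
    "green_asa": allow("nipr", "secsrv", HTTPS_PORT, protos=("tcp",))
                 | allow("nipr", "secsrv", PCOIP_PORT),
    # RED ASA between the Security Server and the Win7 desktop VM: PCoIP only
    "red_asa_vm": allow("secsrv", "win7_vm", PCOIP_PORT),
}


def permitted(hop: str, flow: Flow) -> bool:
    """True if the enforcement point `hop` passes this flow."""
    return flow in POLICY.get(hop, set())


def session_path_ok() -> bool:
    """Check that every flow a PCoIP session needs passes its hop."""
    needed = [("green_asa", Flow("nipr", "secsrv", "tcp", HTTPS_PORT)),
              ("green_asa", Flow("nipr", "secsrv", "tcp", PCOIP_PORT)),
              ("green_asa", Flow("nipr", "secsrv", "udp", PCOIP_PORT)),
              ("red_asa_vm", Flow("secsrv", "win7_vm", "tcp", PCOIP_PORT)),
              ("red_asa_vm", Flow("secsrv", "win7_vm", "udp", PCOIP_PORT))]
    return all(permitted(hop, flow) for hop, flow in needed)


def asa_lines(hop: str, acl: str, dst_ip: str) -> list:
    """Render a hop's allow-list as Cisco ASA extended ACL entries (dst_ip is a placeholder)."""
    return sorted(f"access-list {acl} extended permit {f.proto} any host {dst_ip} eq {f.dport}"
                  for f in POLICY[hop])
```

Running `session_path_ok()` confirms the legitimate session gets through, while a USB redirection attempt on TCP 32111 from the NIPRNET side is rejected at the GREEN ASA without any extra rule.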
Use Case: There are lots of use cases for this technology; here are just a few.
- NMCI, ONENET and the entire DoD can use this to minimize the footprint on the user’s desk and in the switching fabric: one zero client to connect to the NIPRNET VMware View suite or the SIPRNET VMware View suite (and maybe a TOP SECRET VMware View suite).
- It can also be used as a hot disaster recovery site for the whole DoD. Call it SIPRNET in the cloud. It will need to be redundant, one suite for the west coast and another for the east coast.
- Another use case is for traveling government officials to be able to connect to local wireless/hotel/airport/4G networks and access their SIPRNET VDI.
- Also, troops in the battlefield would not need to carry sensitive Suite A (Type 1) encryption equipment to access classified information. No Data At Rest (DAR) encryption is needed, since the classified data stays safe at the data center, where it can be easily safeguarded.
Closing Remarks: I understand that you could probably engineer this to work by putting a Suite B device in front of each client device. However, what I envision is simplicity for the end user without compromising security. Giving every user a Suite B device adds to the total cost of ownership. Product providers like General Dynamics would kiss us if we required this added “tax”, since it would mean more business for them. Why do it if it is not necessary, when Teradici’s new Tera2 is already NSA Suite B compliant? We just need to make sure that it is NIAP approved from end to end.
The use case for this architecture is phenomenal. But this can only happen if NSA, VMware and Teradici decide to make it happen. The stars are all aligning; just a few minor tweaks and we are there. I can see this being accomplished in the next year, but no more than two years. This idea is only possible because of NSA’s support for Suite B ciphers. Without Suite B we would not be exploring this possibility.
Would VMware make the Security Server Appliance? Why not, they would be way ahead of Citrix or any competition. They would appeal more to government due to this feature alone. They would be “THE” choice above every other VDI solution.
Would Teradici help? Teradici has a vested interest in their own flagship product. You bet that they would do anything within their power to make this a success. Who knows, they might even build the Security Server Appliance themselves utilizing their PCoIP server offload card. Teradici can do this without VMware and/or VDI; Teradici’s hardware-to-hardware Tera2 solution is already using Suite B ciphers. But in reality, VDI would be the way to do it instead of a bunch of traditional desktops hosted in a datacenter.
Would NSA do it? Ultimately this question would be the show stopper. The only reason they would stop it from being implemented is that this would potentially put SIPRNET in the palm of everyone’s hand, including our adversaries’. However, if they control and limit the user base, for example allowing only selected politicians, special forces, or high-ranking government officials, then the risk becomes acceptable. In the end NSA has the ultimate authority to allow this to happen.
This would be a very exciting event to watch for the next couple of years and it would be interesting to see who will make the first move.