Virtualization Demystified Oregon State Police CJIS Statewide Training September 24, 2015 Stephen Exley, CISSP Senior Consultant/Technical Analyst FBI CJIS ISO Program
What is Virtualization? Defined by the CJIS Security Policy as: A methodology of dividing the resources of a computer (hardware and software) into multiple execution environments, by applying one or more concepts or technologies such as hardware and software partitioning, time sharing, partial or complete machine simulation or emulation allowing multiple operating systems, or images, to run concurrently on the same hardware.
What is Virtualization (cont.)? Hardware
A Simple Virtualized Environment
What can I use Virtualization for?
Virtualization in the CJIS Security Policy The CSP covers the concept of virtualization in the following areas: Section 5.10.3 Partitioning and Virtualization Section 5.10.3.2 Virtualization Appendix G Best Practices; G.1 Virtualization
Virtualization in the CJIS Security Policy (cont.)
There are four general requirements for virtual environments:
1. Isolate the host from the virtual machine. In other words, virtual machine users cannot access host files, firmware, etc.
2. Maintain audit logs for all virtual machines and hosts and store the logs outside the host's virtual environment.
3. Virtual machines (VMs) that are Internet facing (web servers, portal servers, etc.) shall be physically separate from VMs that process CJI internally or be separated by a virtual firewall.
4. Drivers that serve critical functions shall be stored within the specific VM they service. In other words, do not store these drivers within the hypervisor, or host operating system, for sharing. Each VM is to be treated as an independent system secured as independently as possible.
Virtualization in the CJIS Security Policy (cont.)
The following additional requirements must be applied in virtual environments where CJI is comingled with non-CJI:
1. Encrypt CJI when stored in a virtualized environment where CJI is comingled with non-CJI, or segregate and store unencrypted CJI within its own secure VM.
2. Encrypt network traffic within the virtual environment.
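An added example, not part of the original presentation or of the CJIS Security Policy: a Python check that applies general requirements 2 and 3 and the two comingled-environment requirements to a VM inventory. The inventory, the VM, host and log-server names, and the firewall-zone model are constructed assumptions; general requirements 1 and 4 are not modelled.

```python
from dataclasses import dataclass

@dataclass
class VM:
    name: str
    host: str                      # physical host the VM runs on
    cji: bool                      # stores or processes CJI
    non_cji: bool = False          # holds non-CJI data
    internet_facing: bool = False
    encrypted_at_rest: bool = False
    fw_zone: str = ""              # virtual firewall zone, "" = none (assumed model)
    log_target: str = ""           # where audit logs are shipped

def check(vms, traffic_encrypted):
    findings = []
    inside = {v.name for v in vms} | {v.host for v in vms}
    for v in vms:
        # General req 2: logs must live outside the host's virtual environment.
        if not v.log_target or v.log_target in inside:
            findings.append(f"{v.name}: audit logs not stored outside the virtual environment")
    for f in (v for v in vms if v.internet_facing):
        for c in (v for v in vms if v.cji and v is not f):
            # General req 3: physical separation, or a virtual firewall between them.
            firewalled = f.fw_zone and c.fw_zone and f.fw_zone != c.fw_zone
            if f.host == c.host and not firewalled:
                findings.append(f"{f.name}: Internet facing, not separated from CJI VM {c.name}")
    comingled = any(v.cji for v in vms) and any(v.non_cji or not v.cji for v in vms)
    if comingled:
        for v in vms:
            # Comingled req 1: encrypt CJI at rest, or keep it in its own VM.
            if v.cji and v.non_cji and not v.encrypted_at_rest:
                findings.append(f"{v.name}: unencrypted CJI shares a VM with non-CJI data")
        # Comingled req 2: encrypt traffic inside the virtual environment.
        if not traffic_encrypted:
            findings.append("network traffic within the virtual environment is not encrypted")
    return findings

# Constructed inventories; every name below is a placeholder.
GOOD = [
    VM("pd-records", "esx1", cji=True, fw_zone="cji", log_target="loghost.example"),
    VM("county-hr", "esx1", cji=False, non_cji=True, fw_zone="county", log_target="loghost.example"),
    VM("portal", "esx2", cji=False, non_cji=True, internet_facing=True, log_target="loghost.example"),
]
BAD = [
    VM("pd-mixed", "esx1", cji=True, non_cji=True, log_target="esx1"),
    VM("portal", "esx1", cji=False, non_cji=True, internet_facing=True),
]
if __name__ == "__main__":
    print(check(GOOD, True), check(BAD, False), sep="\n")
```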
Virtualization in the CJIS Security Policy (cont.)
The following are technical security industry best practices and should be implemented wherever feasible:
- Implement IDS and/or IPS monitoring within the virtual machine environment.
- Virtually or physically firewall each virtual machine from each other to ensure that only allowed protocols will transact.
- Segregate the administrative duties for the host.
Use Case #1 Logical Separation
A PD network was incorporated within a virtualized network as part of a county network consolidation effort. The virtual network consists of both CJI and non-CJI processing virtual machines (VMs). So, the VMs are segregated (CJI processing VMs from non-CJI VMs) and separated via virtual firewalls. This is a comingled environment, so the agency does encrypt network traffic within the virtual environment. The virtual network resides completely within a physically secure location (no remote connections) and CJI is stored within its own VM, so encryption is not a requirement for CJI at rest.
Logical Separation Example Logical Separation
Logical Separation Example (cont.) [Figure: virtual machines labeled "CJI" and "No CJI"]
Use Case #2 Physical & Logical Separation
- The state police (SP) recently transitioned to a virtualized network.
- The CJI and non-CJI are stored in separate VMs within a physically secure location, so there is no encryption requirement for CJI at rest.
- The SP manages the state switch and will allow remote connections to/from the virtual network via a web portal interface; the link is protected via encryption (FIPS 140-2 certified, 128-bit).
- The Internet-facing VM (web portal interface) is physically separated from non-Internet-facing VMs.
- This is a comingled environment, so the agency does encrypt network traffic within the virtual environment.
- This agency has also segregated VMs using virtual firewalls.
Physical & Logical Separation Example Logical and Physical Separation
Physical Separation in a Virtualized Environment Example of Physical Separation
Virtualized Environments FAQ #1
Question: In section 5.10.3.2 Virtualization, item number 2 in the first paragraph states: "Maintain audit logs for all virtual machines and hosts and store the logs outside the host's virtual environment." Does this mean that I have to pull the event and content logs from the virtual environment to save them?
Answer: Yes. There is a CSP requirement for retaining audit logs for 1 year (Section 5.4.6). Also, know that many virtual environments are ephemeral and are therefore set to delete/erase everything when taken down, whether intentionally or by malicious means. This includes log data within the virtual environment.
Virtualized Environments FAQ #2 Question: In section 5.10.3.2 Virtualization, item number 2 in the third paragraph states: "Virtually or physically firewall each virtual machine from each other (or physically firewall each virtual machine from each other with an application layer firewall) and ensure that only allowed protocols will transact." So, is this a requirement? Will this be audited? Answer: No. This is not an auditable requirement. It is simply industry best practice guidance. Appendix G.1 provides some additional best practice guidance to provide better security for your virtualized environment.
Questions?
ISO RESOURCES ISO Resources
ISO RESOURCES State CJIS Representatives
- State CJIS CSO/ISO should be the first stop for any questions or concerns
- Responsible for CJIS systems in their state/agency
- State CJIS requirements may differ from the CSP
- CSO/ISO should be kept in the loop with the CJIS issues in their state/agency
- Forwards requests for changes to the CJIS Security Policy to the CJIS ISO Program
ISO RESOURCES CJIS ISO Program
- Steward the CJIS Security Policy for the Advisory Policy Board
- Draft and present topic papers at the APB meetings
- Provide Policy support to state ISOs and CSOs
  - Policy Clarification
  - Solution technical analysis for compliance with the Policy
- Operate a public facing web site on FBI.gov: CJIS Security Policy Resource Center
- Provide training support to ISOs
- Provide policy clarification to vendors in coordination with ISOs
ISO RESOURCES The CJIS Security Policy!!!
ISO RESOURCES CSP Requirements Document
- Companion document to the CSP
- Lists every requirement, "shall" statement, and corresponding location and effective date
- Updated annually in conjunction with the CSP
ISO RESOURCES CSP Resource Center
Publicly available: http://www.fbi.gov/about-us/cjis/cjis-security-policy-resource-center/view
Features:
- Search and download the CSP
- Download the CSP Requirements Document
- 2014 ISO Symposium Presentations
- Use Cases (Advanced Authentication and others to follow)
- Cloud Computing Report & Cloud Report Control Catalog
- Mobile Appendix
- Submit a Question (question forwarded to CJIS ISO Program)
- Links of Importance
ISO RESOURCES CSP Resource Center
http://www.fbi.gov/about-us/cjis/cjis-security-policy-resource-center/view
Step #1 Select About Us
Step #2 Select Criminal Justice Information Services
Step #3 Select Security Policy Resource Center
iso@leo.gov
CJIS ISO CONTACT INFORMATION
- George White, CJIS ISO, (304) 625-5849, george.white@ic.fbi.gov
- Chris Weatherly, CJIS ISO Program Manager, (304) 625-3660, john.weatherly@ic.fbi.gov
- Jeff Campbell, CJIS Assistant ISO, (304) 625-4961, jeffrey.campbell@ic.fbi.gov
- Steve Exley, Senior Consultant/Technical Analyst, (304) 625-2670, stephen.exley@ic.fbi.gov
- iso@ic.fbi.gov
QUESTIONS?
Stephen Exley, CISSP, Senior Consultant/Technical Analyst, FBI CJIS ISO Program, (304) 625-2670, stephen.exley@ic.fbi.gov, iso@ic.fbi.gov