XEBHRA: A Virtualized Platform for Cross Domain Information Sharing



Similar documents
MiCART : Mixed Criticality Real-time Hypervisor

Frontiers in Cyber Security: Beyond the OS

Applying Multi-core and Virtualization to Industrial and Safety-Related Applications

ACSAC CWID 2007 Data Diode Case Study. toll free

How To Improve The Defense Communications System

OWL CROSS DOMAIN FORUM

Moving Target Reference Implementation

Topic 5a Operating System Fundamentals

Cyber Security at NSU

CPNI VIEWPOINT CYBER SECURITY ASSESSMENTS OF INDUSTRIAL CONTROL SYSTEMS

custom hosting for how you do business

White Paper Levels of Linux Operating System Security

Understanding & Improving Hypervisor Security

Embedded Virtualization & Cyber Security for Industrial Automation HyperSecured PC-based Control and Operation

Meeting the Cybersecurity Standards of ANSI/ISA with Data Diodes

A Microsoft U.S. Public Sector White Paper by Ken Page and Shelly Bird. January government

Chapter 2 Addendum (More on Virtualization)

WHITEPAPER. Addressing Them with Adaptive Network Security. Executive Summary... An Evolving Network Environment Adaptive Network Security...

Start building a trusted environment now... (before it s too late) IT Decision Makers

SANS Top 20 Critical Controls for Effective Cyber Defense

RE Think. IT & Business. Invent. IBM SmartCloud Security. Dr. Khaled Negm, SMIEEE, ACM Fellow IBM SW Global Competency Center Leader GCC

Desktop Virtualization Solutions Simplified Appliance

DoD IA Training Products, Tools Integration, and Operationalization

Wasting Money on the Tools? Automating the Most Critical Security Controls. Mason Brown Director, The SANS Institute

Consolidated security management for mainframe clouds

Sourcefire Solutions Overview Security for the Real World. SEE everything in your environment. LEARN by applying security intelligence to data

Proven LANDesk Solutions

SCADA Security Training

VIRTUALIZATION INTROSPECTION SYSTEM ON KVM-BASED CLOUD COMPUTING PLATFORMS. Advisor: Software Security Lab.

Data Center Manager (DCM)

Evaluating Intrusion Detection Systems without Attacking your Friends: The 1998 DARPA Intrusion Detection Evaluation

Network Mission Assurance

DeltaV System Cyber-Security

Triangle InfoSeCon. Alternative Approaches for Secure Operations in Cyberspace

CLOUD FORENSICS WITH F-RESPONSE

Cyber Exercises, Small and Large

Network Segmentation in Virtualized Environments B E S T P R A C T I C E S

Rapid Response, Total Support. Homeland Security Solutions that Keep America Safe

Everything You Wanted to Know about DISA STIGs but were Afraid to Ask

Oracle Fusion Project Portfolio Management CLOUD SERVICE. The New Standard for Project Portfolio Management

The Xen of Virtualization

BEST PRACTICES. DMZ Virtualization with VMware Infrastructure

THE COMPLETE VIEWER FOR MS PROJECT. Deployment White Paper

Veeam Task Manager for Hyper-V

White Paper. Time for Integrated vs. Bolted-on IT Security. Cyphort Platform Architecture: Modular, Open and Flexible

Simplified Private Cloud Management

Virtualization for Cloud Computing

Condor Supercomputer

Provide access control with innovative solutions from IBM.

CONTINUOUS DIAGNOSTICS BEGINS WITH REDSEAL

How To Protect Your Network From Intrusions From A Malicious Computer (Malware) With A Microsoft Network Security Platform)

MobiKEY. Virtual Desktop Infrastructure (VDI) Integration. September 2012

UNCLASSIFIED. R-1 Program Element (Number/Name) PE D8Z / Historically Black Colleges and Universities and Minority Institutions

The State of DoD Biometrics

EECatalog SPECIAL FEATURE

Protecting Data with a Unified Platform

Application White Listing and Privilege Management: Picking Up Where Antivirus Leaves Off

Using the Flask Security Architecture to Facilitate Risk Adaptable Access Controls

CIO and Cyber Security Overview Argonne National Laboratory. Michael A. Skwarek CIO Matthew A. Kwiatkowski CISO Oct. 12, 2011

Secure Content Automation Protocol (SCAP): How it is increasingly used to automate enterprise security management activities

GE Measurement & Control. Cyber Security for Industrial Controls

Developing a dynamic, real-time IT infrastructure with Red Hat integrated virtualization

A Biologically Inspired Approach to Network Vulnerability Identification

Addressing BYOD Challenges with ForeScout and Motorola Solutions

The Electronic Arms Race of Cyber Security 4.2 Lecture 7

IBM Security Intrusion Prevention Solutions

GeoLogics Points of Contact

Windows Server Virtualization An Overview

RackWare Solutions Disaster Recovery

Course Title: Virtualization Security, 1st Edition

Cisco Virtualization Experience Infrastructure: Secure the Virtual Desktop

Virtualization in Enterprise Environment. Krisztian Egi

Virtualization Security and Best Practices. Rob Randell, CISSP Senior Security Specialist SE

VMware Security Briefing. Rob Randell, CISSP Senior Security Specialist SE

Seven Things To Consider When Evaluating Privileged Account Security Solutions

can you effectively plan for the migration and management of systems and applications on Vblock Platforms?

Virtualization Technologies (ENCS 691K Chapter 3)

Table of Recommendations for End-User Monitoring Solutions

SOFTWARE-DEFINED NETWORKS

Q A F 0 3. ger A n A m client dell dell client manager 3.0 FAQ

Securing Industrial Control Systems Secure. Vigilant. Resilient. May 2015

An Overview of Information Security Frameworks. Presented to TIF September 25, 2013

SDN Security for VMware Data Center Environments

Cyber DTU. Lars Ramkilde Knudsen

Achieve Deeper Network Security

PFP Technology White Paper

Transcription:

2013 DHS S&T/DoD ASD (R&E) CYBER SECURITY SBIR WORKSHOP XEBHRA: A Virtualized Platform for Cross Domain Information Sharing Adventium Labs Charles N. Payne, Jr. July 23, 2013

Company Profile of your company Scientist-owned small business, founded 2002 Commercial and government contract research Technical Staff: Ph.D.: 50%, MS: 30%, BS: 20% Fields: Computer Science, Mathematics, Electrical Engineering, Psychology Career patents: 25 issued (3 AL), 33 pending (5 AL) Publications: 300+ 2012 DoD commercialization score: 95 (up from 90 in 2011) Cyber Security Trusted Systems Cyber Physical Systems Real-World Applications Automated Reasoning Systems Engineering Selected Transition Successes: SAFEbus for Boeing 777 and C5-AMP Integrated Modular Avionics Guidant LATITUDE wireless medical devices 3Com Embedded Firewall DTOS (Distributed Trusted Operating System) foundation of SE Linux DEOS Real-Time Operating System 8/5/2013 2013 DHS S&T/DoD ASD (R&E) CYBER SECURITY SBIR WORKSHOP 1

Customer Need DoD and IC missions share information across multiple information security domains, using a certified guard to approve the transfer between domains. Despite the push for enterprise cross domain services, some missions require a locally managed guard. Currently a guard must be deployed on a separate physical host. Successful transfer requires at least three physical computers, one for each domain and one for the guard. Resource constrained environments (e.g., submarine, airplane, tank) are burdened by the higher Size, Weight and Power (SWaP) incurred. Lower SWaP for cross domain transfer in resource constrained environments. 8/5/2013 2013 DHS S&T/DoD ASD (R&E) CYBER SECURITY SBIR WORKSHOP 2

Approach Co-locate the guard and cross domain applications as virtual machines (s) on the same physical hardware. Cross domain transfer occurs locally -- without going through the physical network. Leverage commercially available virtualization technologies that offer strong assurances of isolation. Use already certified guards to approve information transfers. Key innovation: Use virtual networks, operating in their own isolated s, to force information flow between domains through the guard. High App High Net Approved Transfer High Virtual Network Guard Low Virtual Network Privileged (Emulation) Hypervisor Hardware Low App Low Net The XEBRHA platform enforces information flow through the guard. 8/5/2013 2013 DHS S&T/DoD ASD (R&E) CYBER SECURITY SBIR WORKSHOP 3

Benefits XEBHRA is designed to be agnostic to the guard and cross domain application used. XEBHRA scales to support more domains and guards. The XEBHRA prototype exceeded expectations. Installed unmodified Radiant Mercury guard. Reduced SWaP 3-to-1 over physical host deployment. Achieved end-to-end transfers (using null guard) comparable to 1 Gbps Ethernet, with < 1% overhead. XEBHRA protects the guard from direct attack from the physical networks. The XEBHRA platform reduces SWaP by at least 3-to-1 and uses existing guards. 8/5/2013 2013 DHS S&T/DoD ASD (R&E) CYBER SECURITY SBIR WORKSHOP 4

Current Status Phase 2 SBIR completed in August 2011: Demonstrated prototype for an operationally relevant cross domain application associated with a Navy Program of Record (PoR); briefed Navy and SPAWAR personnel. Exhibited prototype at conference sponsored by the Unified Cross Domain Management Office (UCDMO). Migrated key portions to the Citrix XenClient XT hypervisor. XenClient XT is also the hypervisor for the TSABI certified AFRL SecureView workstation (SABI underway). Adventium has on-going collaboration with Citrix to build other information security appliances for XenClient XT. Selected for Navy RIF funding in 2012 but became a victim of budget cuts. Defined certification plan for XEBHRA. Briefings for other Navy and Air Force PoRs have generated positive responses. 8/5/2013 2013 DHS S&T/DoD ASD (R&E) CYBER SECURITY SBIR WORKSHOP 5

Next Steps Identify funding to complete port of XEBHRA to Citrix XenClient XT. Identify PoR to sponsor XEBHRA certification (possibly using Phase IIB). UCDMO recommended certifying XEBHRA as an alternate hardware platform for the guard. The initial certification is the biggest hurdle. 8/5/2013 2013 DHS S&T/DoD ASD (R&E) CYBER SECURITY SBIR WORKSHOP 6

Contact Information Technical: Charles N. Payne, Jr. charles.payne@adventiumlabs.com (612) 817-2525 Business Development: Dr. Lindsey Hillesheim lindsey.hillesheim@adventiumlabs.com (612) 481-0533 Acknowledgments: This work was funded by the Office of the Secretary of Defense (OSD)/Navy SBIR program under OSD07-I11. Program technical direction was provided by the Naval Research Laboratory. Disclaimer: The views and conclusions contained herein are those of the authors and should not be interpreted as representing the official policies, either expressed or implied, of the Naval Research Laboratory, the Office of the Secretary of Defense, or the U.S. Government. 8/5/2013 2013 DHS S&T/DoD ASD (R&E) CYBER SECURITY SBIR WORKSHOP 7

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information