blueprint IL3 CONNECTIVITY FROM SECURE END-USER DEVICES



Similar documents
white paper CLOUD SERVICES AND THE GOVERNMENT SECURITY CLASSIFICATIONS POLICY

How To Understand The Architecture Of An Ulteo Virtual Desktop Server Farm

Desktop Services (Production) Lot 2 - Platform as a Service. Version: 2.0, Issue Date: 05/02/2014. Classification: Open

Biznet GIO Cloud Connecting VM via Windows Remote Desktop

Service description RFL Virtual Data Centre

VMware vcloud Air. Enterprise IT Hybrid Data Center TECHNICAL MARKETING DOCUMENTATION

Unleash the IaaS Cloud About VMware vcloud Director and more VMUG.BE June 1 st 2012

How To Load balance traffic of Mail server hosted in the Internal network and redirect traffic over preferred Interface

Virtual Data Centre. User Guide

easy to adopt, easy to use, easy to leave service description API accessible Cloud Storage IaaS version 5.1

Technical White Paper

Dedicated Compute Cloud. Lot 1 - Infrastructure as a Service. Version: 1.0, Issue Date: 09/12/2014. Classification: Open

HP Service Manager Architecture and Security HP Software-as-a-Service

Thales Service Definition for PSN Secure Gateway Service for Cloud Services

AVI NETWORKS CLOUD APPLICATION DELIVERY PLATFORM FOR VMWARE VCLOUD AIR

How to Guide: StorageCraft Cloud Services VPN

BYOD Guidance: BlackBerry Secure Work Space

Deploy Remote Desktop Gateway on the AWS Cloud

Dell Cloud Services. Services

A Guide to New Features in Propalms OneGate 4.0

vcloud Suite Architecture Overview and Use Cases

Best Practices: Pass-Through w/bypass (Bridge Mode)

Course 20533: Implementing Microsoft Azure Infrastructure Solutions

Chapter 11 Cloud Application Development

VMware vcloud Air Networking Guide

Cisco Intercloud Fabric Security Features: Technical Overview

service description Document Management in the Cloud Software as a Service

Implementing Microsoft Azure Infrastructure Solutions

This article describes a detailed configuration example that demonstrates how to configure Cyberoam to provide the access of internal resources.

and Collaboration as a Service. Lot 3 - Software as a Service. Version: 2.0, Issue Date: 05/02/2014. Classification: Open

Accops HyWorks v2.5. Quick Start Guide. Last Update: 4/18/2016

FUJITSU Cloud IaaS Trusted Public S5 Connecting to a Virtual Machine (VM)

vcloud Director User's Guide

AT&T CLOUD SERVICES. AT&T Synaptic Compute as a Service SM : How to Get Started. Version 2.0 January 2012

Monitoring Hybrid Cloud Applications in VMware vcloud Air

Assignment # 1 (Cloud Computing Security)

Remote PC Guide Series - Volume 1

How to Grow and Transform your Security Program into the Cloud

REDCENTRIC INFRASTRUCTURE AS A SERVICE SERVICE DEFINITION

G-Cloud Service Definition. Canopy Unmanaged Enterprise Private Cloud (IL3 Capable) IaaS

Your Guide to VMware Lab Manager Replacement

Open Source Sales Force Automation (SFA) in the Cloud SaaS

Architecting and Building a Secure and Compliant Virtual Infrastructure and Private Cloud

CSC GOVCLOUD MULTI-TENANT IAAS

Testing New Applications In The DMZ Using VMware ESX. Ivan Dell Era Software Engineer IBM

White Paper Copyright 2011 Nomadix, Inc. All Rights Reserved. Thursday, January 05, 2012

Proof of Concept Guide

Goliath Performance Monitor Prerequisites v11.6

Lecture 02b Cloud Computing II

Virtualization & Cloud Computing (2W-VnCC)

service description , SharePoint and File Archive in the Cloud Software as a Service

WHITEPAPER. SECUREAUTH 2-FACTOR AS A SERVICE 2FaaS

CloudLink - The On-Ramp to the Cloud Security, Management and Performance Optimization for Multi-Tenant Private and Public Clouds

2013 ovh.com. All rights reserved

Self-Service Provisioning and the Private Cloud

DiamondStream Data Security Policy Summary

Introduction to Mobile Access Gateway Installation

AT&T Synaptic Compute as a Service SM

Installing and Configuring vcloud Connector

Vodafone Total Managed Mobility

F-SECURE MESSAGING SECURITY GATEWAY

Implementing Microsoft Azure Infrastructure Solutions 20533B; 5 Days, Instructor-led

RemoteApp Publishing on AWS

Documentum Document Management in the Cloud Service Definition

Backup to the Cloud Service Definition

Secure Web Service - Hybrid. Policy Server Setup. Release Manual Version 1.01

Arctur Enterprise+ Cloud Services

Course 20533B: Implementing Microsoft Azure Infrastructure Solutions

Using Public IP Settings

Copyright Pivotal Software Inc, of 351

XenDesktop 7.5 on Amazon Web Services (AWS) Design Guide

Bridging the gap between local IT and Cloud services, keeping you in control

Getting Started Guide: Deploying Puppet Enterprise in Microsoft Azure

Implementing PCoIP Proxy as a Security Server/Access Point Alternative

SA Citrix Virtual Desktop Infrastructure (VDI) Configuration Guide

SECURE ACCESS TO THE VIRTUAL DATA CENTER

Palo Alto Networks AAC Lab Creation Guidelines v1.0

Virtual Desktop Infrastructure in

Firewalls and VPNs. Principles of Information Security, 5th Edition 1

NIS s Cloud Server is an enterprise-grade cloud application infrastructure designed specifically for small and mediumsized

Apache CloudStack 4.x (incubating) Network Setup: excerpt from Installation Guide. Revised February 28, :32 pm Pacific

Disaster Recovery White Paper

M2M Series Routers. Port Forwarding / DMZ Setup

vshield Quick Start Guide vshield Manager 4.1 vshield Edge 1.0 vshield App 1.0 vshield Endpoint 1.0

VM-Series for VMware. PALO ALTO NETWORKS: VM-Series for VMware

What s New with VMware vcloud Director 5.1

Transcription:

blueprint IL3 CONNECTIVITY FROM SECURE END-USER DEVICES

INTRODUCTION Skyscape is one of very few cloud providers that has achieved Pan Government Accreditation (PGA) and PSN Accreditation for our IL3 Compute, Storage and Email cloud services. One of the key benefits of a PGA IL3 cloud service is the enhanced security it offers due to controls such as more restrictive network connections, additional vetting of end-user personnel and heavily locked down end-user devices, as described in CESG guidance. However, those additional controls also create a challenge as the locked down networks and devices used by many government customers and Skyscape partners (operating at IL3) can make it difficult to manage assured cloud services such as Skyscape's. A core component of the Skyscape Compute-as-a Service platform is VMware vcloud Director which enables customers to control their virtual data centre, virtual machines and virtual networks. This requires a number of programmes to be installed and run on any locked-down devices used to access our platform this in turn can sometimes cause problems depending on the specific use case. For example, in order to view remote consoles of Virtual Machines (VMs), a small Windows executable file for the VMware Remote Control (VMRC) needs to be installed on the locked-down devices, and also a browser plug-in installed and enabled. In addition, to upload or download VMs, a Java plugin needs to be installed and enabled in the client browser. It has been found that for some implementations of locked-down devices, software can be installed by an administrator, however sometime later a configuration management tool will automatically remove the software. One way of addressing the problems experienced when using locked-down devices to access our platform is to deploy and access your VMs through a Bastion Host. This Blueprint document details how Skyscape customers can configure a Bastion Host to facilitate access to our platform via Secure End User Devices. IN THIS BLUEPRINT Access via a Bastion Host 3 Security considerations 5 Connectivity from device to host 5 Using vapp Edge 6 2 Skyscape Cloud Services Limited

ACCESSING THE SKYSCAPE PLATFORM VIA A BASTION HOST As described in CESG guidance such as Architectural Pattern 2: Walled Garden Architecture, Bastion Hosts are used as an intermediate point of authentication and connection, perhaps in conjunction with a Remote Access VPN solution. This means that security is not compromised as there is always a managed, known clean Bastion Host between the secure IL3 application and potentially unmanaged or untrusted end-user device. It also provides a practical approach to not installing and maintaining software on end-user devices. Once deployed, on successful connection to a Bastion Host, users can access other services or devices within the assured environment, subject to further (different) authentication, and also subject to configuration of suitable routing/firewalling. In the example below, a simple three-tier web application is being deployed and will be consumed over a Government Secure Network such as GSI. Skyscape customers need to access the various components of the environment via locked-down devices, but are having difficulty installing the various components or plug-ins described previously. Figure 1. Data flows between secure end point and managed server Blueprint: IL3 connectivity from Secure End-User Devices 3

To enable secure connectivity, a Bastion Host has been configured on an Access or Admin virtual network within the Skyscape cloud. For this example, a Windows 2008 server is being used, with Remote Desktop Services (RDS) enabled. Users on the locked-down laptops can use the Microsoft Remote Desktop Connection applet (MSTSC) to access the Bastion Host and authenticate against that machine. Once successfully logged-on, RDP or Putty can be used to access other VMs, or devices within the Skyscape cloud, via the Bastion Host. In the example shown, Putty/SSH is used to access a Linux VM running Apache. Users will also be able to access the Skyscape Portal from the web browser on their Bastion Host. They will then be able to install and activate the VMRC and Java Plug-ins required for access on that VM for permanent use (for example, including any other software needed to administer their applications or development environment). 4 Skyscape Cloud Services Limited

SECURITY CONSIDERATIONS There are various options within the Skyscape cloud to further secure the scenario discussed above. Connectivity from a Secure End-User Device to a Bastion Host Clearly, RDP access will be required from the Secure End-User Device to the Bastion host. For many Government organisations, RDP (port 3389) is an allowed port through the LAN and perimeter firewalls but it is worth checking. Similarly, as a secure and trusted network, RDP should already be allowed across the GSI. At the Skyscape end of the connection, RDP is allowed through the Skyscape managed perimeter firewalls to the customer's virtual firewall (VMware vshield Edge Gateway). The customer will need to configure their virtual firewall to specifically allow this connection as the platform is pre-configured to deny all access unless otherwise permitted. In this example, a firewall rule is being created to allow RDP/3389 from any external address on the GSI to the Public GSI address the customer wants to allocate for this. Having defined the firewall rule, the DNAT needs to be defined to allow RDP traffic to NAT between the VMware vshield Edge Gateway and the Bastion Host. Blueprint: IL3 connectivity from Secure End-User Devices 5

Using a vapp Edge to further secure the Bastion server In order to further lock down access inbound and outbound to the Bastion server, a vapp Edge can be used with the Bastion server vapp. This is a scaleddown version of a VMware vshield Edge Gateway that provides firewall and NAT services between the Bastion VM and the Organisation network it sits on. As an example, the firewall on the vapp Edge could be used to only allow RDP inbound from the external network (i.e. GSI) if required. More importantly, it can be configured to only allow RDP or SSH outbound to certain machines in the cloud environment. Figure 2. Data flows between secure end point and managed server 6 Skyscape Cloud Services Limited

VMware vcloud Director will automatically set up a DNAT to map the organisation network IP address 192.168.10.10 in the diagram to the internal IP address of the Bastion Host (192.168.2.100). Similarly, to allow the Bastion Host to communicate with the Apache server, a firewall rule can be created. Blueprint: IL3 connectivity from Secure End-User Devices 7

Or, the customer could be slightly less strict and allow SSH traffic to the whole Web Tier subnet It s also necessary to configure the VMware vshield Edge Gateway to allow traffic between the Access network and the Web Tier network. On the VMware vshield Edge Gateway configure the services as follows: 8 Skyscape Cloud Services Limited

ABOUT SKYSCAPE Skyscape Cloud Services has developed a range of cloud services designed specifically for the UK public sector, to help increase efficiencies, reduce costs, significantly improve procurement times and increase transparency. Our services are easy to adopt, easy to use and easy to leave to ensure that our customers remain in complete control, with minimum risk, reassured by the fact Skyscape's services are Pan Government Accredited (PGA) up to IL3. Skyscape s full offering consists of IaaS, PaaS and SaaS products: IaaS seven offerings around Compute and Storage on demand SaaS 17 offerings around messaging and document management PaaS based upon Cloud Foundry All of Skyscape s UK sovereign cloud computing services are hosted across our two highly-resilient Tier 3 UK data centres in Farnborough and Corsham. Skyscape services are delivered with leading technologies from Skyscape Alliance Partners: QinetiQ, VMware, Cisco, EMC and Ark Data Centres. The Cloud Alliance also provides a collaborative resource which drives innovation and technical product development, helping to continually improve Skyscape s offering to meet the needs of the UK public sector. Skyscape is focused on providing cloud services in a more agile, secure and cost-effective manner. We strive to deliver solutions that harness technology as a way to facilitate the changes that are needed to streamline processes and reduce costs to support the UK public sector and, ultimately, UK citizens and taxpayers. MORE INFORMATION For further information about Skyscape Cloud Services and how we can help you, please send an email to info@skyscapecloud.com Blueprint: IL3 connectivity from Secure End-User Devices 9

Skyscape Cloud Services Limited A8 Cody Technology Park Ively Road Farnborough Hampshire GU14 0LX +44 (0)1252 303300 info@skyscapecloud.com www.skyscapecloud.com @skyscapecloud Reasonable efforts have been made to ensure the accuracy of the information contained in this document. No advice given or statements or recommendations made shall in any circumstances constitute or be deemed to constitute a warranty by Skyscape Cloud Services Limited as to the accuracy of such advice, statements or recommendations. Skyscape Cloud Services Limited shall not be liable for any loss, expense, damage or claim howsoever arising out of the advice given or not given or statements made or omitted to be made in connection with this document. No part of this document may be copied, reproduced, adapted or redistributed in any form or by any means without the express prior written consent of Skyscape Cloud Services Limited. Skyscape Cloud Services Limited 2014 All Rights Reserved. SC-GEN-106

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information