Technical Brief: Virtualization




Technology Overview

Tempered Networks automates connectivity and network security for distributed devices over trusted and untrusted network infrastructure. The Tempered Networks product line provides a centrally managed security appliance solution that meets the network integration challenges facing the modern industrial enterprise and aligns with industry best-practice cybersecurity standards and architectures.

The Tempered Networks solution leverages existing network infrastructure to efficiently enable industrial connectivity that is secure by default while being very easy to use. The solution is based on the International Society of Automation (ISA) TR100.15.01 architecture model for the creation and management of private overlay networks.

Tempered Networks Secure Communications

A Tempered Networks environment is comprised of a scalable orchestration engine (HIPswitch Conductor), industrial and data-center grade security appliances (HIPswitches) and a management console and user interface (SimpleConnect). HIPswitches connect to a WAN infrastructure using standard network services and interfaces to establish point-to-point and point-to-multipoint encrypted HIP VPN tunnels that implement private overlay networks, and apply additional network policy controls over device communications that traverse each HIPswitch.

The HIPswitch Conductor and the SimpleConnect user interface facilitate the orchestration and management of several independent private overlay networks. Each private overlay network can be delegated to different users, yet the governance of the entire solution is centralized and retained by the administrator. The Tempered Networks solution therefore provides the enterprise with Private Networks as a Service. Users interact with SimpleConnect through a web-based graphical user interface.

Each HIPswitch has a unique cryptographic identity in the form of an RSA 2048-bit key pair. A private overlay network consists of a whitelist of HIPswitch cryptographic identities. The list of identities is provided to the members of each private overlay network, and each HIPswitch authenticates and authorizes peer HIPswitches against this whitelist of allowed peers. This architecture provides a trust model that minimizes unauthorized communications.
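The whitelist trust model just described, together with the identity revocation this brief recommends for lost or stolen hosts, modelled as an added example that is not Tempered Networks code: identities are hypothetical SHA-256 fingerprints over constructed public-key bytes, and the Conductor, overlay and authorization logic are assumptions about the behaviour, not the product's API.

```python
"""Model of the whitelist trust model in this brief (added example, not
Tempered Networks code). A HIPswitch identity is a fingerprint of its
public key, a private overlay network is a whitelist of identities given
to its members, and a HIPswitch authorizes a peer only if the peer is on
its whitelist. Revoking an identity drops it from every overlay so no
peer trusts it until it is re-activated. Public keys below are
constructed byte strings standing in for real RSA-2048 keys."""
import hashlib


def identity(public_key: bytes) -> str:
    """Hypothetical identity encoding: hex SHA-256 over the public key bytes."""
    return hashlib.sha256(public_key).hexdigest()


class Conductor:
    """Central governance: owns every overlay whitelist and the revocation set."""

    def __init__(self):
        self.overlays = {}   # overlay name -> set of member identities
        self.revoked = set()

    def add_member(self, overlay, ident):
        """Enrol a HIPswitch in an overlay; refused while its identity is revoked."""
        if ident in self.revoked:
            raise ValueError("identity is revoked; re-activate it first")
        self.overlays.setdefault(overlay, set()).add(ident)

    def revoke(self, ident):
        """Lost, stolen or discarded host: break trust with every peer at once."""
        self.revoked.add(ident)
        for members in self.overlays.values():
            members.discard(ident)

    def reactivate(self, ident):
        """Host recovered: the identity may be enrolled in overlays again."""
        self.revoked.discard(ident)

    def whitelist_for(self, ident):
        """Peers a HIPswitch may talk to: the members of every overlay it is in."""
        peers = set()
        for members in self.overlays.values():
            if ident in members:
                peers |= members
        return peers - {ident}


def authorized(conductor, me, peer):
    """Peer-side check a HIPswitch makes before accepting a tunnel from a peer."""
    return peer in conductor.whitelist_for(me)
```

A HIPswitch that belongs to two delegated overlays receives the union of both whitelists, while a revoked identity receives an empty one and is refused re-enrolment until the administrator re-activates it.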

FIGURE 1: PRIVATE OVERLAY NETWORK IMPLEMENTATION USING THE TEMPERED NETWORKS SOLUTION

Virtualization with Tempered Networks

Tempered Networks creates hardened firmware images that target both physical and virtualization appliances. When deploying Tempered Networks virtual appliances, consider two types: enterprise and endpoint. Enterprise virtualization is a data-center or cloud environment with concentrated compute resources and a managed virtualization layer such as VMware ESXi, Microsoft Hyper-V, or Linux KVM/Xen. Endpoint virtualization refers to desktop application software that runs local virtual machines on individual endpoint hardware such as a personal laptop.

Tempered Networks virtual appliances use the underlying host hardware to perform their function and as such require compute resources from the host. Minimum hardware requirements for the virtual HIPswitch models can be found on the Tempered Networks datasheet. Bandwidth is determined by the compute resources available to the HIPswitch and can fluctuate as the underlying host resources fluctuate. Similarly, the virtual HIPswitches use the underlying host network connections to communicate with the shared network, so the network connection will have at best the same quality and level of service as the underlying host hardware.

Tempered Networks Virtualization Details

The Tempered Networks product line includes two virtual HIPswitch models: the HIPswitch-100v and the HIPswitch-300v.

The HIPswitch-100v is designed for endpoint virtualization hosts running Windows 7 and 8. It is packaged as a Microsoft installer executable and includes Oracle VirtualBox endpoint virtualization software. The HIPswitch-100v installer also creates Start, Stop, and Configure program menu entries in the Start Menu. The HIPswitch-100v can connect via Bridged or NAT network connections to the host for connections to the Shared Network.

The HIPswitch-300v is designed for deployment in enterprise virtualization environments. It is shipped in the standard Open Virtualization Archive (OVA) format and can be imported, or converted as necessary, into the virtualization environment. The HIPswitch-300v requires two network connections. The first connection is to the Shared Network, typically bridged to a virtual switch with a physical interface to the Shared Network. The second connection is the protected Equipment connection to the virtual server(s) that connect to remote protected devices. The Equipment connection is typically on an internal virtual switch that does NOT connect to the Shared Network.

FIGURE 2: TEMPERED NETWORKS VIRTUALIZATION OVERVIEW

The HIPswitch-100v uses a host-only network interface to connect to the local physical host (host-only is a type of virtual network interface that restricts communications to the physical host and the virtual appliance). The local physical host must be configured with an IP address on the host-only interface, and it is this IP address that is used to communicate with other remote protected devices within the Tempered Networks private network. The HIPswitch-100v Configure program allows the user to enter the IP address of the local physical device for the protected communications. This IP address is the same address that is configured in the SimpleConnect user interface as the local device for the HIPswitch-100v.

Important Note about Cloning Virtual HIPswitches

Each physical or virtual HIPswitch is individually provisioned by Tempered Networks with a unique cryptographic identity. Do not clone, copy, or re-install HIPswitches on a different computer without first ensuring that the previous instance has been deleted or destroyed. If more than one instance of a virtual HIPswitch is online at the same time, the HIPswitch Conductor and peer HIPswitches will be unable to differentiate between them.

Using Two-Factor Authentication with the HIPswitch-100v

Tempered Networks recommends enabling two-factor authentication on all HIPswitch-100v security appliances. Once two-factor authentication is configured for the HIPswitch-100v in the SimpleConnect user interface, the HIPswitch-100v presents a captive portal web page to the user for entering his/her SimpleConnect user login and password. Once the user successfully authenticates, the HIPswitch-100v enables the security policies defined for this HIPswitch. In this manner, two-factor authentication provides an additional level of assurance that protected communications are enabled only for authorized users.

FIGURE 3: TEMPERED NETWORKS VIRTUALIZATION WITH HIPSWITCH 100V

Revoking an Untrusted Virtual HIPswitch

If a virtual HIPswitch is installed on a physical host that is lost, stolen, or improperly disposed of, the cryptographic identity of the HIPswitch should be revoked. Revocation breaks the trust relationship of this HIPswitch with all other HIPswitches and the HIPswitch Conductor. If the physical host is later found or repaired, the HIPswitch can be re-activated in order to trust the HIPswitch identity again.

Security Considerations

Virtualization introduces a level of convenience in deployment but also introduces additional risks for consideration. The underlying physical host must be trusted: the virtual HIPswitch's cryptographic identity and its protected traffic are only as well protected as the host that runs it.

Tempered Networks Value Proposition

The Tempered Networks solution is an independent layer of security on top of an underlying network infrastructure that facilitates a defense in depth security architecture and provides real and demonstrated security hardening, resilience and awareness. Tempered Networks reduces the cost of securing critical infrastructure and communications by:

1. Creating flexible private networks for connectivity to distributed devices and equipment
2. Providing secure, managed policies for connectivity to devices within these private networks
3. Centralizing governance, auditing, monitoring, logging, change control and documentation of distributed equipment and their associated configurations
4. Introducing user authentication, authorization, and auditing for remote access
5. Enabling ad-hoc networks for managing assets through test, patch, upgrade, remediation and replacement phases
6. Supporting comprehensive deployment models for physical, virtual, data-center and cloud connectivity requirements
7. Facilitating highly constrained remote access

Next Steps and Call to Action

Best practices suggest that comprehensive risk management, tied to a defense in depth cybersecurity implementation, is the appropriate approach for securing ICS. Network segmentation is a foundational building block of a defense in depth, layered security implementation. Standards from ISA are focusing on network segmentation because it can be used to reduce the connectivity of ICS to the absolute minimum, and protect that connectivity over shared network infrastructures.

The Tempered Networks solution is an implementation of industry standards that not only decouples and secures the ICS communications from a shared network, but also decouples the management of the ICS systems from the management of the shared network. The delegated management approach makes it possible for an enterprise to deploy secure private networks as an internal service, while adding robust and flexible security to their critical systems.