November 7, 2006 at 6:56 am
Virtualization for Security
I read a novel some time back about the CIA. Well, not exactly about the CIA, but it was a spy novel and the CIA was in it. One thing in there that caught my eye, and probably the only thing since I can't remember which book it was, was the use of a secondary computer by one of the analysts.
In this situation, the analyst had a computer that was connected to the internal network, but not anything outside. Instead there was a second machine that could connect to the Internet and allow research, checking on things outside the internal network, etc. There wasn't an easy way to transfer information between the computers (other than typing it in), so it provided some aspect of security.
That same type of architecture may be the answer to IT control of users' browsing. Imagine if a virtual computer were installed on everyone's machine. With the high power we have and free Virtual PC, this might make sense. Have it automatically installed and connect on a different IP network than the regular machine. This virtual machine could have outside access for Hotmail, browsing, etc., while the internal machine would only allow access to corporate information.
I know there are some issues and the cut-and-paste problem could still exist. There also might be issues with trying to track browsing for regulatory and compliance purposes, but it would prevent some of the security issues.
Have a virus hit? Clean out and reset the virtual machine.
It would also help propagations by users who run as administrator. I know you're not supposed to do this, but sometimes it's not practical. You're doing a lot of administrative work and need to check something on TechNet. With cross-site scripting issues, even this might not be safe anymore.
Actually the more I think about it, this might be the solution out here at the ranch for letting the kids browse their music sites 🙂
Steve Jones
November 7, 2006 at 8:54 am
I've always felt that the only way to truly assure security is to have the network cable unplugged and the computer in a lockable room.
The trade-off, however, is no good. The value for the vast majority of users is in the network, not the CPU, hard-drive or locally installed software.
To that end, I like the dual-machine, dual network idea for highly secured environments. The Black Hat guys setting it up would have to cut the cords on the USB ports on one or the other of the machines, though...
My concern with the VPC option is that the physical machine is still connected to the outside network and at least theoretically hackable. Cross-site scripting wasn't even imagined a few years ago. Cross-VPC tunnelling may not be implemented yet, but after your editorial I'm imagining it now!
Thanks for another thought-provoking column - keep it up!
Carter
But boss, why must the urgent always take precedence over the important?
November 7, 2006 at 1:20 pm
Has anyone tried Vista yet? For the average, non-admin user, there is a single security token with average privileges. For anyone with admin privileges, you start out with an average security token with non-admin privileges. If you have to elevate to a program that needs admin privileges, you are prompted and the program operates in a second profile with a separate security token. The key is that you get prompted every time you elevate. So if you are just going along minding your own business surfing the web and you get prompted to elevate, DON'T DO IT.
If a user is savvy enough to shell out to a VPC for admin work, they'll be savvy enough to use the elevating prompt of Vista more effectively.
November 8, 2006 at 3:12 am
What's new?? This is basically what we have here and have had for years. We can browse the internet from our desks but not download or anything (and we're limited by SurfControl as to sites).
If anything needs downloading, e.g. patches, service packs etc., it has to be done on the standalone ADSL machine, then tested and virus checked before being put on CD to bring to the network, and only certain people can use CD drives as they, serial and USB ports are all disabled for the non-network admin users.
Email has to get through both the central MOD checks and the local MimeSweeper, and executable attachments are blocked, even zips from suppliers.
November 8, 2006 at 3:40 am
I have a colleague with exactly the setup you suggest for use at home. He browses in safety, because as soon as he kills the virtual session the "PC" just vanishes.
But as for the practice of keeping a computer in a locked room without external connections... ultimately it didn't work too well in Mission Impossible....!
November 8, 2006 at 7:30 am
Maybe not, but then again, who here holds such critical information??