DoDIIS NexGen Desktop Concept Architecture, Phase 2

A presentation at DoDIIS Industry Day in August 2010 in Washington, DC, USA by Shawn Wells

Slide 1

NexGen Desktop Concept Architecture
Shawn Wells, sdw@redhat.com
Intelligence Community Programs
443-534-0130

Slide 2

Conceptual Overview

GOAL: A lightweight Red Hat Enterprise Linux based device which has the ability to have multiple concurrent Citrix sessions, each one tied to a specific network (CIA Desktop, DoDIIS Desktop, etc.).

[Diagram labels: Alpha Network, Bravo Network, Charlie Network; MLS Network Guard & Red Hat Virtualization Server; Red Hat Enterprise Linux Workstation with Alpha Citrix Client, Bravo Citrix Client and Charlie Citrix Client]

Slide 3

System Demonstration & Screen Shots

Slide 4

Base Desktop View

Slide 5

Virtual Connection View: Single Desktop

Slide 6

Virtual Connection View: Multi Desktop

Slide 7

Red Hat Kiosk Security Features

Slide 8

Desktop System Security

Relevant U.S. Government Red Hat Enterprise Linux 5 security certifications
● EAL4+ Common Criteria Certification (LSPP, RBAC, CAPP) on IBM & HP hardware
● DCID 6/3 (used up to PL5)
● DISA STIG

Devices will run in “kiosk” mode
● No ability for users to retain information or configuration locally on the system (enforced via SELinux)
● Traffic shaping technology secures network traffic to appropriate desktop/Citrix instance
● No local users
● No local data files
● Inherent security, not bolt on

Slide 9

Desktop Firewall

[Diagram labels: VPN Tunnel Alpha, Alpha Network Interface; VPN Tunnel Bravo, Bravo Network Interface; MLS Guard & RHEV Server; Red Hat Enterprise Linux Kiosk]

● Red Hat Enterprise Linux has embedded firewall capability, which was used in our EAL4+ Common Criteria Certification.
● Helps ensure traffic shaping should a network router become compromised.
● Policy centrally managed via Red Hat Network Satellite.

Slide 10

Desktop Application “Zoning”

[Diagram labels: MLS Guard & Citrix Server; VPN Tunnel Alpha, Alpha Network Interface; VPN Tunnel Bravo, Bravo Network Interface; Red Hat Enterprise Linux Kiosk with Alpha Citrix Client and Bravo Citrix Client]

Utilizing a security technology named SELinux, which is co-developed with the NSA, the Red Hat Enterprise Linux Kiosk has the ability to “zone” applications and data.
● Each network interface will be labeled, such as “Alpha Network Interface”
● Each Citrix client will be labeled, such as “Alpha Citrix Client”
● Security policy will check the labels, only allowing matches to establish communication paths.

This is the same security policy used in the Red Hat Enterprise Linux Common Criteria Certification.

Slide 11

Short SELinux Overview

● Central management via Red Hat Satellite
● Built into system, not bolt on. No way to subvert access control mechanism.
● Collected centrally on Kiosk by default
● Ability to send audit data to 3rd party applications built in (HP OpenView, IBM, central DB, etc.)
● Used to audit for “covert channels” in DCID 6/3 systems

Slide 12

Red Hat Kiosk System & Software Management

Slide 13

Desktop System Management

Full management by Red Hat Satellite Server, a systems management platform designed to provide complete lifecycle management of the operating system and applications.
● Standardized Provisioning (“golden builds”)
● Centralized software management (security patches, hardware drivers, etc.)

Same management software for both servers and desktops; one standard management suite for both

[Diagram labels: Red Hat Provided Content, Custom Content; RHN Satellite Software (Software Distribution, Account Management, Channel Management, Monitoring, Provisioning); Managed Servers; Managed Desktops]

Slide 14

Desktop System Management: Update

● Automatically update systems with the latest security fixes
● Easily obtain security updates, patches, and new OS versions
● Remove undesired packages through the simple RHN web interface

[Diagram label: RHN Satellite Software (Software Distribution, Account Management, Channel Management, Monitoring, Provisioning)]

Slide 15

Desktop System Management: Manage

● Easily obtain security updates, patches, and new OS versions
● Manage groups of systems as easily as a single system
● Assign permissions to administrators for managing different groups or roles
● Remove undesired packages
● Schedule updates to occur during maintenance windows

[Diagram label: RHN Satellite Software (Software Distribution, Account Management, Channel Management, Monitoring, Provisioning)]

Slide 16

Desktop System Management: Provision

● Undo problematic changes with snapshots and rollback
● Provision existing or bare metal systems using predetermined profiles or system cloning
● Improve consistency by using RHN to manage and deploy configuration files

[Diagram label: RHN Satellite Software (Software Distribution, Account Management, Channel Management, Monitoring, Provisioning)]

Slide 17

Desktop System Management: Monitor

● Dozens of low-impact probes can be set for each system
● Group probes into suites for fast deployment
● Receive email or pager notices when a probe reaches a predefined warning or critical threshold

[Diagram label: RHN Satellite Software (Software Distribution, Account Management, Channel Management, Monitoring, Provisioning)]

Slide 18

Overview

Slide 19

Overview

Everything shown utilizes built-in features of Enterprise Linux.
● Built-in data & network labeling technology
● Built-in auditing systems
● Built-in firewalls

Red Hat Network (RHN) Satellite manages both existing Enterprise Linux servers and desktop & Kiosk devices. Giving System Administrators the ability to manage thousands of systems as easily as one, Satellite is an integral part of the solution.