Virtualization Demystified
Stephen Exley, CISSP
Senior Consultant/Technical Analyst, FBI CJIS ISO Program
Oregon State Police
CJIS Statewide Training
What is Virtualization?
• Defined by the CJIS Security Policy as:
A methodology of dividing the resources of a computer (hardware and
software) into multiple execution environments, by applying one or more
concepts or technologies such as hardware and software partitioning,
time‐sharing, partial or complete machine simulation or emulation
allowing multiple operating systems, or images, to run concurrently on
the same
What is Virtualization (cont.)?
Virtualization in the CJIS Security Policy
The CSP covers the concept of virtualization in the following areas:
Section 5.10.3 Partitioning and Virtualization
Section 5.10.3.2 Virtualization
Virtualization in the CJIS Security Policy (cont.)
There are four general requirements for virtual environments:
1. Isolate the host from the virtual machine. In other words, virtual
machine users cannot access host files, firmware, etc.
2. Maintain audit logs for all virtual machines and hosts and store the
logs outside the hosts’ virtual environment.
3. Virtual Machines that are Internet facing (web servers, portal servers,
etc.) shall be physically separate from Virtual Machines (VMs) that
process CJI internally or be separated by a virtual firewall.
4. Drivers that serve critical functions shall be stored within the specific
VM they service. In other words, do not store these drivers within the
hypervisor, or host operating system, for sharing. Each VM is to be
treated as an independent system – secured as independently as
Virtualization in the CJIS Security Policy (cont.)
The following additional requirements must be applied in virtual
environments where CJI is comingled with non‐CJI:
1. Encrypt CJI when stored in a virtualized environment where CJI is
comingled with non‐CJI or segregate and store unencrypted CJI
within its own secure VM.
Virtualization in the CJIS Security Policy (cont.)
The following are technical security industry best practices and should be
implemented wherever feasible:
• Implement IDS and/or IPS monitoring within the virtual machine
environment.
• Virtually or physically firewall each virtual machine from each other to
ensure that only allowed protocols will transact.
Use Case #1 – Logical Separation
Logical Separation Example
• A PD network was incorporated within a virtualized network as part of a
county network consolidation effort.
• The virtual network consists of both CJI and non‐CJI processing virtual
machines (VM).
• So, the VMs are segregated (CJI‐processing VMs from non‐CJI VMs) and
separated via virtual firewalls.
• This is a comingled environment, so the agency does encrypt network
traffic within the virtual environment.
• The virtual network resides completely within a physically secure
location (no remote connections) and CJI is stored within its own VM, so
encryption is not a requirement for CJI at rest.
Logical Separation Example (cont.)
[Diagram; labels: CJI, No CJI]
Physical & Logical Separation Example
• The state police (SP) recently transitioned to a virtualized network.
• The CJI and non‐CJI are stored in separate VMs within a physically secure
location – no encryption requirement for CJI at rest.
• The SP manages the state switch and will allow remote connections to/from
the virtual network via a web portal interface – link is protected via
encryption (FIPS 140‐2 certified, 128 bit)
• Internet facing VM (web portal interface) is physically separated from
non‐Internet facing VMs.
• This is a comingled environment, so the agency does encrypt network
traffic within the virtual environment. This agency has also segregated
VMs using virtual firewalls.
Physical Separation in a Virtualized Environment
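The two use cases above, checked against three of the rules this deck lists: audit logs stored outside the virtual environment, separation of Internet-facing VMs from CJI VMs, and encryption of comingled CJI. This is an added example, not part of the original presentation; the VM fields, VM and host names, the log collector name, and the use of "different host" as the test for physical separation are all assumptions.

```python
from dataclasses import dataclass

@dataclass
class VM:
    name: str
    host: str                     # physical host (assumed proxy for "physically separate")
    holds_cji: bool = False
    holds_non_cji: bool = False
    cji_encrypted: bool = False   # CJI encrypted at rest
    internet_facing: bool = False
    fw_zone: str = ""             # virtual firewall segment, "" = none
    log_target: str = ""          # where audit logs are stored

def check(vms):
    """Return sorted (vm, finding) pairs for the three rules modelled here."""
    inside = {v.name for v in vms} | {v.host for v in vms}
    findings = set()
    for v in vms:
        # General requirement 2: logs live outside the virtual environment.
        if not v.log_target or v.log_target in inside:
            findings.add((v.name, "logs not stored outside virtual environment"))
        # Comingled rule: encrypt CJI, or keep it in a VM of its own.
        if v.holds_cji and v.holds_non_cji and not v.cji_encrypted:
            findings.add((v.name, "unencrypted CJI comingled with non-CJI"))
        # General requirement 3: Internet-facing VM vs. each internal CJI VM.
        for c in vms if v.internet_facing else []:
            if c is v or not c.holds_cji or c.internet_facing:
                continue
            firewalled = bool(v.fw_zone and c.fw_zone and v.fw_zone != c.fw_zone)
            if v.host == c.host and not firewalled:
                findings.add((v.name, f"not separated from CJI VM {c.name}"))
    return sorted(findings)

LOGS = "log-collector.example"  # constructed external log store; inventories are constructed too
USE_CASE_1 = [
    VM("pd-cji", "county-host", holds_cji=True, fw_zone="cji", log_target=LOGS),
    VM("county-apps", "county-host", holds_non_cji=True, fw_zone="county", log_target=LOGS),
]
USE_CASE_2 = [
    VM("sp-cji", "sp-host-1", holds_cji=True, fw_zone="cji", log_target=LOGS),
    VM("sp-files", "sp-host-1", holds_non_cji=True, fw_zone="general", log_target=LOGS),
    VM("web-portal", "sp-host-2", internet_facing=True, fw_zone="dmz", log_target=LOGS),
]
MISCONFIGURED = [  # shared host, no firewall zone, local logs, mixed data
    VM("mixed", "host-a", holds_cji=True, holds_non_cji=True, log_target="host-a"),
    VM("portal", "host-a", internet_facing=True, log_target=LOGS),
]
if __name__ == "__main__":
    print([check(inv) for inv in (USE_CASE_1, USE_CASE_2, MISCONFIGURED)])
```

Host isolation (requirement 1) and driver placement (requirement 4) are not modelled here.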
Virtualized Environments FAQ #1
Question:
In section 5.10.3.2 Virtualization, item number 2 in the first paragraph
states:
“Maintain audit logs for all virtual machines and hosts and store the logs
outside the host’s virtual environment."
Does this mean that I have to pull the event and content logs from the
virtual environment to save them?
Answer:
Yes. There is a CSP requirement for retaining audit logs for 1 year (Section
5.4.6). Also, know that many virtual environments are ephemeral and
are therefore set to delete/erase everything when taken down, whether
intentionally or by malicious means – this includes log data within the
Virtualized Environments FAQ #2
Question:
In section 5.10.3.2 Virtualization, item number 2 in the third paragraph
states:
"Virtually or physically firewall each virtual machine from each other (or
physically firewall each virtual machine from each other with an
application layer firewall) and ensure that only allowed protocols will
transact."
So, is this a requirement? Will this be audited?
Answer:
No. This is not an auditable requirement. It is simply industry best practice
guidance. Appendix G.1 provides some additional best practice guidance to
Questions?
ISO RESOURCES
State CJIS Representatives
• State CJIS CSO/ISO should be the first stop for any questions or concerns
⁻ Responsible for CJIS systems in their state/agency
⁻ State CJIS requirements may differ from the CSP
⁻ CSO/ISO should be kept in‐the‐loop with the CJIS issues in their
state/agency
⁻ Forwards requests for changes to the CJIS Security Policy to the CJIS
CJIS ISO Program
• Steward the CJIS Security Policy for the Advisory Policy Board
⁻ Draft and present topic papers at the APB meetings
• Provide Policy support to state ISOs and CSOs
⁻ Policy Clarification
⁻ Solution technical analysis for compliance with the Policy
⁻ Operate a public facing web site on FBI.gov: CJIS Security Policy
Resource Center
• Provide training support to ISOs
CSP Requirements Document
• Companion document to the CSP
• Lists every requirement, “shall” statement, and corresponding location
and effective date
CSP Resource Center
• Publicly Available
http://www.fbi.gov/about-us/cjis/cjis-security-policy-resource-center/view
• Features:
⁻ Search and download the CSP
⁻ Download the CSP Requirements Document
⁻ 2014 ISO Symposium Presentations
⁻ Use Cases (Advanced Authentication and others to follow)
⁻ Cloud Computing Report & Cloud Report Control Catalog
⁻ Mobile Appendix
⁻ Submit a Question (question forwarded to CJIS ISO Program)
Step #1 Select “About Us”
Step #2 Select “Criminal Justice Information Services”
Step #3 Select “Security Policy Resource Center”
[email protected]