Sun Sep 14 19:46:08 PDT 2014

Zones: Zone to zone access: How is communication facilitated and controlled to areas outside a zone/subzone?


Options:


Option 1: Use temporary {{encrypted} remote access connections to / on-endpoint} {non-}state-retaining {terminal servers, microzones} {with controlled configurations, surveillance, recording, limited actions, {with push / pull / shared} storage} for remote {diagnosis, maintenance, supervised activities} for limited time frames.
Option 2: Provide access through NAT gateways.
Option 3: Provide access through proxy servers.
Option 4: Don't allow access to distant locations.

Basis:

Use temporary {{encrypted} remote access connections to / on-endpoint} {non-}state-retaining {terminal servers, microzones} {with controlled configurations, surveillance, recording, limited actions, {with push / pull / shared} storage} for remote {diagnosis, maintenance, supervised activities} for limited time frames.

On-endpoint microzones, or remote access connections to terminal servers or microzones, provide the means to limit the undesired side effects of outside-of-zone activities.

Temporary remote connections are typically controlled by {user access / port / line / device / VPN with VM} {disablement / disconnect / power down / shutdown} during non-use periods and {enablement / connection / power up / startup} only during use periods.

Cryptographic protection is commonly used along with normal access controls or microzone controls to prevent interception and/or alteration of control and data en route.

Encryption is required when so identified by other requirements, but typically whenever communicating outside of a zone and subzone through untrusted areas.

State retention extends the time frames and scope of possible side effects of use of the terminal server or microzone, in exchange for allowing retention of useful cross-session information, including things like updates.

Controlled configurations are typically desired when retaining state for medium or high surety, while surveillance, recording, and limited actions act to further restrict possible side effects, effectuate content controls, and/or attribute actions to actors for after-action issues.

To allow retention of desired content across sessions or to allow for its controlled movement into and out of different areas (i.e. zones), push (into the microzone), pull (out of the microzone) and shared file system areas (two-way implicit communication) are available. These are normally applied for supervised activities in zone-to-zone communications.

Supervised activities may take place in microzones under direct supervision of the operator of the VM in use for the microzone. Supervision in this context implies continuous presence and attention by the microzone operator, and represents a form of shared simultaneous use. As such, supervision requires proper user behavior by the supervisor.
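The combination of controls described above for Option 1 (a connection enabled only during a limited time frame, limited actions, recording that attributes each action to an actor, a push/pull storage area, and state that is discarded when a non-state-retaining microzone closes) can be expressed as a small policy gate. The following is an added illustration written for this page, not code from the original or from any product; the actor names, timestamps, action names and the Grant/MicrozoneSession classes are constructed assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Optional, Tuple

# Constructed model of a temporary, action-limited microzone session with
# recording. Names and policy are hypothetical, not taken from any product.

@dataclass
class Grant:
    actor: str                  # the only actor permitted to use the session
    start: datetime             # connection is enabled only inside [start, end)
    end: datetime
    allowed_actions: frozenset  # "limited actions"
    retain_state: bool = False  # non-state-retaining microzone by default

@dataclass
class Record:
    when: datetime
    actor: str
    action: str
    target: Optional[str]
    allowed: bool
    reason: str

class MicrozoneSession:
    def __init__(self, grant: Grant):
        self.grant = grant
        self.records: List[Record] = []      # surveillance/recording for attribution
        self.storage: Dict[str, bytes] = {}  # push/pull area inside the microzone

    def _decide(self, actor: str, action: str, now: datetime) -> Tuple[bool, str]:
        if actor != self.grant.actor:
            return False, "actor not named in grant"
        if not (self.grant.start <= now < self.grant.end):
            return False, "outside enabled window"
        if action not in self.grant.allowed_actions:
            return False, "action not permitted by grant"
        return True, "ok"

    def request(self, actor, action, now, target=None, payload=None):
        """Every attempt is recorded, allowed or not, so after-action review
        can attribute it to an actor. Returns None when the action is refused."""
        allowed, reason = self._decide(actor, action, now)
        self.records.append(Record(now, actor, action, target, allowed, reason))
        if not allowed:
            return None
        if action == "push":               # move content into the microzone
            self.storage[target] = payload
            return True
        if action == "pull":               # move content out of the microzone
            return self.storage.get(target)
        return True                        # any other permitted action proceeds

    def close(self, now: datetime) -> int:
        """Disable the connection at the end of the window. A non-state-retaining
        microzone discards its contents, bounding the scope of side effects."""
        discarded = 0
        if not self.grant.retain_state:
            discarded = len(self.storage)
            self.storage.clear()
        self.records.append(Record(now, "system", "close", None, True,
                                   f"discarded {discarded} item(s)"))
        return discarded

def run_session_demo() -> dict:
    """Constructed scenario: a two-hour diagnosis window granted to 'alice'."""
    t0 = datetime(2014, 9, 14, 20, 0)
    grant = Grant("alice", t0, t0 + timedelta(hours=2),
                  frozenset({"push", "pull", "diagnose"}))
    s = MicrozoneSession(grant)
    m = lambda n: t0 + timedelta(minutes=n)
    results = {
        "push_ok": s.request("alice", "push", m(5), target="dump.txt", payload=b"trace"),
        "pull_ok": s.request("alice", "pull", m(6), target="dump.txt"),
        "action_denied": s.request("alice", "reboot", m(7)),
        "actor_denied": s.request("bob", "pull", m(8), target="dump.txt"),
        "window_denied": s.request("alice", "pull", m(180), target="dump.txt"),
    }
    results["discarded_at_close"] = s.close(m(120))
    results["storage_after_close"] = dict(s.storage)
    results["denied_reasons"] = [r.reason for r in s.records if not r.allowed]
    return results

if __name__ == "__main__":
    for k, v in run_session_demo().items():
        print(k, "->", v)
```

Setting retain_state=True on the Grant keeps the push/pull area across sessions, which is the trade-off the text describes: cross-session information (updates, for example) survives, at the cost of a longer window in which side effects can persist.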

Provide access through NAT gateways.
Network Address Translation (NAT) gateways are used to allow outbound initiation of sessions but not return initiation of sessions. This prevents all direct attacks from outside the NAT area, but allows Trojan horses and other attacks based on returned content to proceed unhindered.

Provide access through proxy servers.
This is similar to NAT gateways except that content inspection may be applied in both directions to further control content, and it does not, on its own, limit return traffic on other channels (typically ports).
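The difference between Options 2 and 3 is easiest to see by running both gateway styles over the same packets: a stateful NAT forwards anything that matches an outbound session, inspected or not, while a proxy inspects content both ways but only sees traffic that is actually sent to it. The following simulation is an added example written for this page, not code from the original; the addresses, ports, the "EVIL" content marker and the class names are constructed assumptions.

```python
from dataclasses import dataclass
from typing import Dict, Tuple

# Constructed simulation of a stateful NAT gateway and an inspecting proxy.
# Addresses, ports and the "EVIL" marker are made-up sample data.

@dataclass(frozen=True)
class Packet:
    direction: str      # "out" = leaving the zone, "in" = arriving from outside
    src: str
    sport: int
    dst: str
    dport: int
    payload: bytes = b""

class NatGateway:
    """An outbound packet creates a translation entry; an inbound packet is
    forwarded only if it matches an existing entry. Payloads are never examined,
    so returned content (including a Trojan horse) passes unhindered."""
    def __init__(self, public_ip: str = "203.0.113.1", first_port: int = 40000):
        self.public_ip = public_ip
        self.next_port = first_port
        self.outbound: Dict[Tuple[str, int, str, int], int] = {}          # inside flow -> mapped port
        self.inbound: Dict[Tuple[int, str, int], Tuple[str, int]] = {}   # (mapped port, peer) -> inside

    def handle(self, p: Packet) -> str:
        if p.direction == "out":
            flow = (p.src, p.sport, p.dst, p.dport)
            if flow not in self.outbound:            # outbound initiation: create mapping
                mapped = self.next_port
                self.next_port += 1
                self.outbound[flow] = mapped
                self.inbound[(mapped, p.dst, p.dport)] = (p.src, p.sport)
            return "forward"
        if p.dst != self.public_ip or (p.dport, p.src, p.sport) not in self.inbound:
            return "drop: no outbound session"       # return initiation is refused
        return "forward"                             # returned content is not inspected

class InspectingProxy:
    """Sees only traffic addressed to the proxy itself, but inspects the content
    of everything it does see, in both directions. Traffic on other ports is
    not limited by the proxy on its own."""
    def __init__(self, proxy_ip: str, proxy_port: int, blocked_markers):
        self.proxy_ip, self.proxy_port = proxy_ip, proxy_port
        self.blocked = list(blocked_markers)

    def handle(self, p: Packet) -> str:
        seen = (p.direction == "out" and (p.dst, p.dport) == (self.proxy_ip, self.proxy_port)) \
            or (p.direction == "in" and p.dst == self.proxy_ip)
        if not seen:
            return "bypass: not seen by proxy"
        if any(marker in p.payload for marker in self.blocked):
            return "block: content"
        return "forward"

def run_gateway_demo() -> dict:
    """Constructed traffic: one client request, a clean reply, a reply carrying
    hostile content, and an unsolicited inbound connection attempt."""
    nat = NatGateway()
    proxy = InspectingProxy("10.0.0.2", 8080, [b"EVIL"])
    client_req = Packet("out", "10.0.0.5", 51000, "198.51.100.7", 80, b"GET /update")
    good_reply = Packet("in", "198.51.100.7", 80, "203.0.113.1", 40000, b"200 OK")
    bad_reply = Packet("in", "198.51.100.7", 80, "203.0.113.1", 40000, b"200 OK EVIL")
    unsolicited = Packet("in", "198.51.100.9", 4444, "203.0.113.1", 22, b"SSH-2.0")
    nat_verdicts = [nat.handle(p) for p in (client_req, good_reply, bad_reply, unsolicited)]

    via_proxy_req = Packet("out", "10.0.0.5", 51001, "10.0.0.2", 8080, b"GET /update")
    via_proxy_bad = Packet("in", "198.51.100.7", 80, "10.0.0.2", 52000, b"200 OK EVIL")
    other_port = Packet("in", "198.51.100.9", 4444, "10.0.0.5", 4444, b"EVIL")
    proxy_verdicts = [proxy.handle(p) for p in (via_proxy_req, via_proxy_bad, other_port)]
    return {"nat": nat_verdicts, "proxy": proxy_verdicts}

if __name__ == "__main__":
    print(run_gateway_demo())
```

The two verdict lists show the trade-off stated above: the NAT drops the unsolicited inbound attempt but forwards the hostile reply unchanged, while the proxy blocks that reply yet never sees the packet on the other port. In practice the two are combined, with the proxy handling content and a stateful filter or NAT limiting the channels that can bypass it.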

Don't allow access to distant locations.
For some situations, it is simply too risky to allow connections to external systems, so none are allowed.

Copyright(c) Fred Cohen, 1988-2012 - All Rights Reserved