Sat Nov 22 06:32:51 PST 2014

Zones: Zone to zone access: How is communication facilitated and controlled to areas outside a zone/subzone?


Options:


Option 1: Use temporary {{encrypted} remote access connections to / on-endpoint} {non-}state-retaining {terminal servers, microzones} {with controlled configurations, surveillance, recording, limited actions, {with push / pull / shared} storage} for remote {diagnosis, maintenance, supervised activities} for limited time frames.
Option 2: Provide access through NAT gateways.
Option 3: Provide access through proxy servers.
Option 4: Don't allow access to distant locations.

Decision:

We recommend as follows:

Consequence  Maturity     Approach
High         Managed+     IF outside-of-subzone communications are critical THEN Use temporary encrypted remote access connections to non-state-retaining {microzones / terminal servers} with configuration controls, surveillance, recording, limited actions, push / pull storage for remote supervised activities for limited time frames.
High         Defined-     Don't allow communication to areas outside a zone/subzone.
Medium       Managed+     Use temporary {{encrypted} remote access connections to / (on-endpoint)} [non-]state-retaining {terminal servers, microzones} with controlled configurations, surveillance, recording, [~limited actions], {push / pull / shared} storage for remote supervised activities for limited time frames.
Medium       Defined      Use temporary encrypted remote access connections to non-state-retaining microzones with surveillance, recording, {push / pull} storage for remote supervised activities for limited time frames.
Medium       Repeatable-  Don't allow communication to areas outside a zone/subzone.
Low          Defined+     IF operating within an organizationally controlled facility THEN Provide access through NAT gateways.
                          OTHERWISE Use temporary {[{encrypted} remote access connections to] / on-endpoint} {[terminal servers], microzones} with controlled configurations, with [push / pull] / [~shared storage] for remote supervised activities for limited time frames.
                          ALSO IF content controls are operated from within available proxy servers THEN Provide access through proxy servers.
Low          Repeatable-  IF operating within an organizationally controlled facility THEN Provide access through NAT gateways.
                          OTHERWISE Use temporary on-endpoint non-state-retaining microzones with controlled configurations, with shared storage for remote supervised activities for limited time frames.
                          ALSO IF content controls are operated from within available proxy servers THEN Provide access through proxy servers.
Facilitating communication outside of a zone/subzone

Basis:

Use temporary {{encrypted} remote access connections to / on-endpoint} {non-}state-retaining {terminal servers, microzones} {with controlled configurations, surveillance, recording, limited actions, {with push / pull / shared storage}} for remote {diagnosis, maintenance, supervised activities} for limited time frames.

On-endpoint microzones, or remote access connections to terminal servers or microzones, provide the means to limit the undesired side effects of outside-of-zone activities.

Temporary remote connections are typically controlled by {user access / port / line / device / VPN with VM} {disablement / disconnect / power down / shutdown} during non-use periods and {enablement / connection / power up / startup} only during use periods.

Cryptographic protection is commonly used along with normal access controls or microzone controls to prevent interception and/or alteration of control and data en-route.

Encryption is required when so identified by other requirements, and is typically used whenever communicating outside of a zone or subzone through untrusted areas.

State retention extends the time frames and scope of possible side effects of use of the terminal server or microzone, in exchange for allowing retention of useful cross-session information, including things like updates.

Controlled configurations are typically desired when retaining state for medium or high surety, while surveillance, recording, and limited actions act to further restrict possible side effects, effectuate content controls, and/or attribute actions to actors for after-action issues.

To allow retention of desired content across sessions or to allow for its controlled movement into and out of different areas (i.e. zones), push (into the microzone), pull (out of the microzone) and shared file system areas (two-way implicit communication) are available. These are normally applied for supervised activities in zone-to-zone communications.

Supervised activities may take place in microzones under direct supervision of the operator of the VM in use for the microzone. Supervision in this context implies continuous presence and attention by the microzone operator, and represents a form of shared simultaneous use. As such, supervision requires proper user behavior by the supervisor.
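The following is an added illustration (not code from the original page) of the "temporary non-state-retaining microzone" option described in the Basis above: one disposable session with a limited time frame, limited actions, push / pull / shared storage, recording of every action, and a supervision requirement. All class, method and variable names, the addresses and the file contents are hypothetical constructions for the example; the clock is injectable so the time-frame expiry can be exercised without waiting.

```python
# Added illustration of a temporary, non-state-retaining microzone session.
# Not the page's own code; every name here is hypothetical.
import time


class ManualClock:
    """Test clock: advance .t by hand so time-frame expiry is reproducible."""
    def __init__(self):
        self.t = 0.0

    def __call__(self):
        return self.t


class Microzone:
    """One remote session's disposable work area (for example a VM)."""

    def __init__(self, retain_state, ttl_seconds, allowed_actions,
                 shared=None, supervised=False, clock=time.monotonic):
        self.retain_state = retain_state            # False: wiped at close
        self.ttl_seconds = ttl_seconds              # limited time frame
        self.allowed_actions = frozenset(allowed_actions)  # limited actions
        self.shared = shared if shared is not None else {}  # two-way shared area
        self.supervised = supervised                # needs supervisor presence
        self.supervisor_present = False
        self.clock = clock
        self.opened_at = clock()
        self.files = {}                             # in-zone storage
        self.record = []                            # recording of every action
        self.closed = False

    def _check(self, actor, action):
        """Enforce time frame, limited actions and supervision; record the outcome."""
        if self.closed:
            raise PermissionError("session already closed")
        if self.clock() - self.opened_at > self.ttl_seconds:
            self.close()                            # time frame exhausted: tear down
            raise PermissionError("session time frame expired")
        if action not in self.allowed_actions:
            self.record.append((actor, action, "DENIED"))
            raise PermissionError(f"{action} not permitted in this microzone")
        if self.supervised and not self.supervisor_present:
            self.record.append((actor, action, "DENIED"))
            raise PermissionError("supervisor not present")
        self.record.append((actor, action, "OK"))

    def push(self, actor, name, data):
        """Push: move content from outside into the microzone."""
        self._check(actor, "push")
        self.files[name] = data

    def pull(self, actor, name):
        """Pull: move content out of the microzone."""
        self._check(actor, "pull")
        return self.files[name]

    def share(self, actor, name):
        """Shared storage: expose an in-zone file in the two-way shared area."""
        self._check(actor, "share")
        self.shared[name] = self.files[name]

    def run(self, actor, command):
        """Run a command inside the microzone (modelled as a recorded no-op)."""
        self._check(actor, "run")
        return f"ran {command!r}"

    def close(self):
        """End the session; discard in-zone state unless retention was chosen."""
        self.closed = True
        if not self.retain_state:
            self.files.clear()
        return list(self.record)


def demo(clock):
    """Walk a constructed supervised session through allowed and denied actions."""
    mz = Microzone(retain_state=False, ttl_seconds=600,
                   allowed_actions={"push", "pull"}, supervised=True, clock=clock)
    outcomes = []
    mz.supervisor_present = True
    mz.push("vendor", "patch.bin", b"\x00\x01")     # constructed content
    outcomes.append(mz.pull("vendor", "patch.bin"))
    try:
        mz.run("vendor", "echo hi")                 # "run" is not an allowed action
    except PermissionError as e:
        outcomes.append(str(e))
    mz.supervisor_present = False                   # supervisor walks away
    try:
        mz.pull("vendor", "patch.bin")
    except PermissionError as e:
        outcomes.append(str(e))
    return mz, outcomes


if __name__ == "__main__":
    zone, results = demo(ManualClock())
    print(results)
    print(zone.close())
```

The design point is that every control in the Basis paragraph (time frame, limited actions, supervision, recording, state disposal) sits in one choke point, `_check` plus `close`, so a session cannot outlive its window or act outside its allowed set without the recording showing it.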

Provide access through NAT gateways.
Network Address Translation (NAT) gateways are used to allow outbound initiation of sessions but not return initiation of sessions. This prevents all direct attacks from outside the NAT area, but allows Trojan horses and other attacks based on returned content to proceed unhindered.

Provide access through proxy servers.
This is similar to NAT gateways except that content inspection may be applied in both directions to further control content, and it does not, on its own, limit return traffic on other channels (typically other ports).
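The following is an added example (not part of the original page) contrasting the two gateway options just described on constructed packets: a NAT gateway that tracks outbound-initiated flows and lets matching return traffic through without looking at its payload, and a proxy that inspects payload in both directions but only on the port it proxies. Class names, addresses, ports and payload markers are hypothetical constructions for the example.

```python
# Added illustration of a NAT gateway versus a content-inspecting proxy.
# Not the page's own code; names, addresses and markers are hypothetical.
from collections import namedtuple

# A minimal packet: addresses are strings, ports are ints, payload is bytes.
Packet = namedtuple("Packet", "src sport dst dport payload")


class NatGateway:
    """Allows outbound initiation only. Inbound packets pass solely as return
    traffic of a flow an inside host started; payload is never inspected."""

    def __init__(self, inside_prefix):
        self.inside_prefix = inside_prefix
        self.flows = set()                      # (in_host, in_port, out_host, out_port)

    def forward(self, pkt):
        if pkt.src.startswith(self.inside_prefix):
            self.flows.add((pkt.src, pkt.sport, pkt.dst, pkt.dport))
            return True                         # outbound: allowed, flow recorded
        # inbound: only if it is the return half of a tracked outbound flow
        return (pkt.dst, pkt.dport, pkt.src, pkt.sport) in self.flows


class ContentProxy:
    """Inspects payload in both directions, but only on the proxied port.
    Traffic on any other port never reaches the proxy, so it gets no control."""

    def __init__(self, proxied_port, blocked_markers):
        self.proxied_port = proxied_port
        self.blocked_markers = list(blocked_markers)

    def forward(self, pkt):
        if self.proxied_port not in (pkt.sport, pkt.dport):
            return "NOT_INSPECTED"              # other channel: proxy is blind here
        if any(m in pkt.payload for m in self.blocked_markers):
            return "BLOCKED"                    # content control, either direction
        return "ALLOWED"


def simulate():
    """Run constructed packets through both devices and return the verdicts."""
    nat = NatGateway("10.0.0.")
    proxy = ContentProxy(80, [b"EVIL", b"SECRET"])
    inside, outside = "10.0.0.5", "203.0.113.9"             # constructed addresses
    request = Packet(inside, 40000, outside, 80, b"GET /update")
    reply = Packet(outside, 80, inside, 40000, b"200 OK EVIL")  # hostile returned content
    unsolicited = Packet(outside, 5555, inside, 22, b"SSH-2.0")  # outside-initiated
    leak = Packet(inside, 40001, outside, 80, b"POST SECRET")    # outbound content
    other_port = Packet(inside, 40002, outside, 4444, b"SECRET")  # not on proxied port
    return {
        "nat_outbound": nat.forward(request),
        "nat_return": nat.forward(reply),        # passes: NAT does not see payload
        "nat_unsolicited": nat.forward(unsolicited),
        "proxy_reply": proxy.forward(reply),
        "proxy_leak": proxy.forward(leak),
        "proxy_other_port": proxy.forward(other_port),
    }


if __name__ == "__main__":
    for name, verdict in simulate().items():
        print(f"{name:18} {verdict}")
```

The two verdicts worth comparing are `nat_return` (True, although the reply carries the hostile marker) and `proxy_other_port` (NOT_INSPECTED): the first is the NAT limitation the page names, the second is the proxy limitation, and it is why the decision table pairs the proxy with NAT rather than substituting one for the other.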

Don't allow access to distant locations.
For some situations, it is simply too risky to allow connections to external systems, so none are allowed.

Copyright(c) Fred Cohen, 1988-2012 - All Rights Reserved