Security Basics mailing list archives
RE: One computer two different networks
From: "evb" <swiver () cox net>
Date: Wed, 11 Oct 2006 11:18:34 -0700
The NSA had a problem very similar to the one posed in the initial email of this thread. Formerly, the NSA's attempt to solve the problem was done by having multiple computers at their desks. Deciding this was a wasteful and cumbersome attempt, they turned to vmware. I believe the NSA is now using a VMWare-developed product called NetTop. According to one story I read: "NetTop may solve a growing problem in many agencies: Government employees having multiple computers in their work areas, each for a different security environment. Multiple workstations for each employee clutter the desk and are unnecessarily costly; yet merging separate environments into one machine jeopardizes security, because there is no proven mechanism to prevent an application in a less secure area from tapping into the more secure one, Bugnion said. "To solve this problem, NetTop facilitates multiple sessions on a single computer, establishing virtual "vaults" for each session. Users can have separate virtual computers on one machine and even access them simultaneously, but NetTop controls what data, if any, can be moved from one session to another. Do a search for 'NSA' and 'VMWare' and you will find plenty. (I don't have any financial or other interest in posting this article.) Eric :-----Original Message----- :From: listbounce () securityfocus com :[mailto:listbounce () securityfocus com] On Behalf Of Hagen, Eric :Sent: Wednesday, October 11, 2006 8:41 AM :To: Santiago Barahona; security-basics () securityfocus com :Subject: RE: One computer two different networks : :My immediate thought is.... TWO computers. : :You have a private network with no Internet for the reason :that you do not want the data on that network or on those PCs :accessable to an attacker. : :If the PCs are on the Internet using a second network card in :each computer, they are just as vulnerable as any normal :computer, therefore, your network is just as vulnerable as any :normal network. : :If the Internet is routed directly over this network, you can :secure it via NAT and Firewalls, and this seems to me to be :your best bet, but there are always attack vectors that can be :used when a computer is on a public network. : :If your private network is truely "high-security", you cannot :connect anything on it to a public network. Period. For :example, the storage of TOP SECRET data according to DoD :cannot be stored on a comptuer that has any sort of access to :public networks. It has to be PHYSICALLY isolated from those networks. : :So exactly how "high-security" is your network and exactly how :much security can you compromise by adding Internet traffic to the mix? : :Eric : : :-----Original Message----- :From: listbounce () securityfocus com :[mailto:listbounce () securityfocus com]On Behalf Of Santiago Barahona :Sent: Tuesday, October 10, 2006 8:04 AM :To: security-basics () securityfocus com :Subject: One computer two different networks : : :Hi all, : :(First of all I want to apologise if I am misplacing this :question, if so I'd appreciate if anyone could point me to the :right direction) : :So here is the situation: : :We have about 250 computers that are isolated in a :high-security network, we want to give internet access to :those computer users without compromising the secured :network...of course our first thought is to buy 250 computers :so the users can switch between computers (one for the secure :network, one for internet)... but that might not be most :practical solution... : :So, I've been looking around and I've found a product called :DATAGATE, from Tenix which works as a "Data Diode"... looks :interesting... but I'd like to have a second opinion... : :Does anyone know about other products or techniques on how to :accomplish this?? : :thanks! : : :--------------------------------------------------------------- :------------ :This list is sponsored by: Norwich University : :EARN A MASTER OF SCIENCE IN INFORMATION ASSURANCE - ONLINE The :NSA has designated Norwich University a center of Academic :Excellence in Information Security. Our program offers :unparalleled Infosec management education and the case study :affords you unmatched consulting experience. :Using interactive e-Learning technology, you can earn this :esteemed degree, without disrupting your career or home life. : :http://www.msia.norwich.edu/secfocus :--------------------------------------------------------------- :------------ : : :--------------------------------------------------------------- :------------ :This list is sponsored by: Norwich University : :EARN A MASTER OF SCIENCE IN INFORMATION ASSURANCE - ONLINE The :NSA has designated Norwich University a center of Academic :Excellence in Information Security. Our program offers :unparalleled Infosec management education and the case study :affords you unmatched consulting experience. :Using interactive e-Learning technology, you can earn this :esteemed degree, without disrupting your career or home life. : :http://www.msia.norwich.edu/secfocus :--------------------------------------------------------------- :------------ : --------------------------------------------------------------------------- This list is sponsored by: Norwich University EARN A MASTER OF SCIENCE IN INFORMATION ASSURANCE - ONLINE The NSA has designated Norwich University a center of Academic Excellence in Information Security. Our program offers unparalleled Infosec management education and the case study affords you unmatched consulting experience. Using interactive e-Learning technology, you can earn this esteemed degree, without disrupting your career or home life. http://www.msia.norwich.edu/secfocus ---------------------------------------------------------------------------
Current thread:
- RE: One computer two different networks, (continued)
- RE: One computer two different networks Ray Sawyer (Oct 11)
- RE: One computer two different networks Corey Watts-Jones (Oct 11)
- Re: One computer two different networks Ed (Oct 11)
- RE: One computer two different networks Adnan Rafik (Oct 13)
- RE: One computer two different networks Beauford, Jason (Oct 10)
- Re: One computer two different networks chris (Oct 10)
- Re: One computer two different networks dtodosichuk (Oct 10)
- RE: One computer two different networks Chris Poulter (Oct 11)
- RE: One computer two different networks Hagen, Eric (Oct 11)
- RE: One computer two different networks mn19522 (Oct 11)
- RE: One computer two different networks evb (Oct 11)
- Re: Re: One computer two different networks davidthomastuck (Oct 11)
- Re: One computer two different networks Steve (Oct 11)
- RE: One computer two different networks Hagen, Eric (Oct 11)
- Re: One computer two different networks krymson (Oct 11)
- Re: Re: One computer two different networks davidthomastuck (Oct 13)
- Re: Re: One computer two different networks anonymous (Oct 13)
- RE: One computer two different networks Hagen, Eric (Oct 13)
- Re: One computer two different networks Ansgar -59cobalt- Wiechers (Oct 15)
- RE: One computer two different networks Laundrup, Jens (Oct 13)
- Re: RE: One computer two different networks nigel_barnes (Oct 15)
(Thread continues...)