Security Basics mailing list archives

RE: One computer two different networks


From: "evb" <swiver () cox net>
Date: Wed, 11 Oct 2006 11:18:34 -0700

The NSA had a problem very similar to the one posed in the initial email of
this thread.  Formerly, the NSA's attempt to solve the problem was done by
having multiple computers at their desks.  Deciding this was a wasteful and
cumbersome attempt, they turned to VMware.  I believe the NSA is now using a
VMware-developed product called NetTop.  According to one story I read:

"NetTop may solve a growing problem in many agencies: Government employees
having multiple computers in their work areas, each for a different security
environment. Multiple workstations for each employee clutter the desk and
are unnecessarily costly; yet merging separate environments into one machine
jeopardizes security, because there is no proven mechanism to prevent an
application in a less secure area from tapping into the more secure one,
Bugnion said.

"To solve this problem, NetTop facilitates multiple sessions on a single
computer, establishing virtual "vaults" for each session. Users can have
separate virtual computers on one machine and even access them
simultaneously, but NetTop controls what data, if any, can be moved from one
session to another."

Do a search for 'NSA' and 'VMWare' and you will find plenty.  (I don't have
any financial or other interest in posting this article.)


Eric 



:-----Original Message-----
:From: listbounce () securityfocus com 
:[mailto:listbounce () securityfocus com] On Behalf Of Hagen, Eric
:Sent: Wednesday, October 11, 2006 8:41 AM
:To: Santiago Barahona; security-basics () securityfocus com
:Subject: RE: One computer two different networks
:
:My immediate thought is.... TWO computers. 
:
:You have a private network with no Internet for the reason 
:that you do not want the data on that network or on those PCs 
:accessible to an attacker.
:
:If the PCs are on the Internet using a second network card in 
:each computer, they are just as vulnerable as any normal 
:computer, therefore, your network is just as vulnerable as any 
:normal network.
:
:If the Internet is routed directly over this network, you can 
:secure it via NAT and Firewalls, and this seems to me to be 
:your best bet, but there are always attack vectors that can be 
:used when a computer is on a public network.
:
:If your private network is truly "high-security", you cannot 
:connect anything on it to a public network.  Period.  For 
:example, according to DoD, TOP SECRET data cannot be stored on 
:a computer that has any sort of access to public networks.  It 
:has to be PHYSICALLY isolated from those networks.
:
:So exactly how "high-security" is your network and exactly how 
:much security can you compromise by adding Internet traffic to the mix?
:
:Eric
:
:
:-----Original Message-----
:From: listbounce () securityfocus com
:[mailto:listbounce () securityfocus com]On Behalf Of Santiago Barahona
:Sent: Tuesday, October 10, 2006 8:04 AM
:To: security-basics () securityfocus com
:Subject: One computer two different networks
:
:
:Hi all,
:
:(First of all I want to apologise if I am misplacing this 
:question, if so I'd appreciate if anyone could point me in the 
:right direction)
:
:So here is the situation:
:
:We have about 250 computers that are isolated in a 
:high-security network, we want to give internet access to 
:those computer users without compromising the secured 
:network...of course our first thought is to buy 250 computers 
:so the users can switch between computers (one for the secure 
:network, one for internet)... but that might not be most 
:practical solution...
:
:So, I've been looking around and I've found a product called 
:DATAGATE, from Tenix which works as a "Data Diode"... looks 
:interesting... but I'd like to have a second opinion...
:
:Does anyone know about other products or techniques on how to 
:accomplish this??
:
:thanks!
:
:
:---------------------------------------------------------------
:------------
:This list is sponsored by: Norwich University
:
:EARN A MASTER OF SCIENCE IN INFORMATION ASSURANCE - ONLINE The 
:NSA has designated Norwich University a center of Academic 
:Excellence in Information Security. Our program offers 
:unparalleled Infosec management education and the case study 
:affords you unmatched consulting experience. 
:Using interactive e-Learning technology, you can earn this 
:esteemed degree, without disrupting your career or home life.
:
:http://www.msia.norwich.edu/secfocus
:---------------------------------------------------------------
:------------
:

