Non-production “guests” communicate with DoD networks via the LAN.

From Enclave - Zone A Checklist

Part of Non-production guests communicate with DoD.

Associated with IA controls: ECSC-1

SV-15082r1_rule Non-production “guests” communicate with DoD networks via the LAN.

Vulnerability discussion

Virtual Machine clients provide a means for remote access into a separate enclave infrastructure using the same hardware the production client/OS resides on. As T&D environments are not always secure, this poses additional risk to the DoD desktop client or device if that device is utilizing such an architecture for remote access. Virtual machine technology permits multiple operating systems to reside on a single hardware platform, yet act as logically separate instances. In this environment, the guest operating system acts completely independent of the host operating system, however, in reality it is simulated in a contained software environment by the host system. The guest on a host system has the ability to be wholly contained and communicate independently of the host OS. Network traffic can be restricted on the guest OS and can be logically separated from any other guest or host OS on the platform.

Check content

Work with the network reviewer to determine if the is a VPN solution in place for virtual machine remote access solutions into a T&D environment. An OS reviewer may have to review the system to determine if the "guest" is configured to only communicate with zone perimeter devices via a tunnel (VPN) rather than using the LAN as a transport mechanism.

Fix text

The IAO will ensure non-production virtual machine “guests” only communicate with the zone perimeter access devices via a tunnel (VPN). There is no DoD network connectivity via the LAN.

Pro Tips

Powered by sagemincer