Virtual machine guest operating systems (OS) which are used to access a T&D zone communicate with the host OS or a production OS.

From Enclave - Zone B Checklist

Part of Virtual guest OS communicates with host OS.

Associated with IA controls: ECSC-1

SV-15080r1_rule Virtual machine guest operating systems (OS) which are used to access a T&D zone communicate with the host OS or a production OS.

Vulnerability discussion

Virtual Machine clients provide a means for remote access into a separate enclave infrastructure using the same hardware the production client/OS resides on. As T&D environments are not always secure, this poses additional risk to the DoD desktop client or device if that device is utilizing such an architecture for remote access. Virtual machine technology permits multiple operating systems to reside on a single hardware platform, yet act as logically separate instances. In this environment, the guest operating system acts completely independent of the host operating system, however, in reality it is simulated in a contained software environment by the host system. The guest on a host system has the ability to be wholly contained and communicate independently of the host OS. Network traffic can be restricted on the guest OS and can be logically separated from any other guest or host OS on the platform.

Check content

Interview the IAO to determine the configuration requirements for the remote access solution. If a virtual machine environment is employed for remote access, ensure that the IAO and SA are aware of the requirement that it is configured such that a "guest" OS cannot in any way communicate with the host OS.

Fix text

The IAO will ensure Virtual Machine “guest” operating systems, which are used to access a T&D zone, do not communicate with the host OS or any production OS.

Pro Tips

Powered by sagemincer