HAP Program Release 1 (HAPR1)

The HAPR1 computing platform demonstrates hardware-assisted virtualization and attestation. From an operational user perspective, HAPR1 is a multi-security-level workstation solution that provides simultaneous access to multiple networks of different security levels via virtual machines running on the same platform. The platform provides separation of security domains without any information flows (i.e., sharing) between domains. Both the workstation and the network security levels range from either Unclassified to Secret or Secret/Releasable to Top Secret/SCI.

HAPR1 Assurable Computing Platform Capabilities

Hardware-Assisted Virtualization Technology

Hardware-assisted virtualization has emerged as a compelling technology that improves on traditional software-based virtualization solutions. Hardware-assisted virtualization reduces the size, complexity, and processing time of its controlling software. This enables more streamlined virtualization software stacks and "near native" performance characteristics while providing stronger separation between the virtual machines. HAPR1 uses the hardware-assisted virtualization services provided by the microprocessor chipset to manage multiple virtual machine execution environments and to enforce separation between them. The virtual machines host single-level (guest) operating systems of different security levels.

Hardware-Assisted Attestation

The HAPR1 implementation uses hardware and software to perform integrity checking of the platform before allowing any access from the platform to network resources. HAPR1 is trusted to:
In HAPR1, the critical software [1] is measured and reported to validate the integrity of the platform. HAPR1 uses the Trusted Platform Module (TPM) for secure storage of the measurements. The TPM is a microcontroller located on the motherboard of a computing platform that is used to store "secrets" (e.g., measurements, digital certificates, cryptographic keys). It also offers cryptographic functions such as the generation of cryptographic keys, the ability to limit the use of keys (to either signing/verification or encryption/decryption), and a hardware random number generator. To support remote attestation, HAPR1 uses an open standard protocol for endpoint integrity called Trusted Network Connect (TNC). The TNC architecture enables network operators to enforce policies governing endpoint integrity at or after the time of network connection. The remote attestation process creates an unforgeable summary of the platform measurements to verify that the critical software has not been changed.

HAPR1 Operational Description

HAPR1 supports the execution of multiple guest operating systems running concurrently on a single physical machine. It allows these guest operating systems to be connected to networks with different security levels. To accomplish this, HAPR1 utilizes hardware-assisted Virtual Machine (VM) technology to provide logically separated and isolated virtual machine execution environments. Each VM hosted on the physical platform is able to connect to a single-level, system-high network. Individual VMs can run supported [2] guest operating systems without modification (i.e., right out of the box); each instance of the operating system (OS) runs as if it were the only OS on the computer. HAPR1 provides an environment where the guest operating systems are displayed in their own individual windows. To accomplish this, HAPR1 provides a window manager [3] and an execution environment for it to run in.
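A worked illustration of the measure, extend, quote and verify flow described in the attestation section above, added here and not part of the HAPR1 documentation or its implementation: the platform measures its critical software into a simulated TPM PCR, quotes the PCR against a nonce from the verifier, and a TNC-style policy decision point admits the endpoint only when the quoted PCR, the event log and the known-good reference agree. The component images, the reference digests and the shared attestation key are constructed assumptions (a real TPM signs quotes with an asymmetric attestation identity key).

```python
import hashlib
import hmac

# Constructed sample: the "critical software" HAPR1 measures (hypervisor and
# policy-enforcing components); the contents are placeholders, not real images.
CRITICAL_SOFTWARE = {
    "hypervisor": b"hapr1-hypervisor-image-v1",
    "separation_policy": b"domain-separation-policy-v1",
    "window_manager": b"window-manager-v1",
}
# Known-good reference digests held by the verifier (constructed from the same sample).
REFERENCE = {name: hashlib.sha1(image).digest() for name, image in CRITICAL_SOFTWARE.items()}
# Hypothetical attestation key shared with the verifier; stands in for the
# TPM's attestation identity key (a real TPM signs with an asymmetric key).
ATTESTATION_KEY = b"constructed-demo-attestation-key"

def measure(component):
    """Measurement = SHA-1 of the component (the TPM 1.2 PCR digest size, 20 bytes)."""
    return hashlib.sha1(component).digest()

def extend_pcr(pcr, digest):
    """TPM extend: PCR_new = SHA-1(PCR_old || digest); order-sensitive and irreversible."""
    return hashlib.sha1(pcr + digest).digest()

def boot_and_measure(software):
    """Platform side: measure each component in load order, extend the PCR, keep an event log."""
    pcr = bytes(20)  # PCRs start zeroed at power-on
    log = []
    for name, image in software.items():
        digest = measure(image)
        log.append((name, digest))
        pcr = extend_pcr(pcr, digest)
    return pcr, log

def quote(pcr, nonce):
    """Platform side: attest the PCR value bound to the verifier's fresh nonce (anti-replay)."""
    return hmac.new(ATTESTATION_KEY, nonce + pcr, hashlib.sha256).digest()

def verify_endpoint(pcr, log, signature, nonce, reference):
    """Verifier (TNC policy decision point): admit only if quote, log and reference agree."""
    if not hmac.compare_digest(signature, quote(pcr, nonce)):
        return False  # bad signature or wrong nonce (e.g. a replayed quote)
    replayed = bytes(20)
    for name, digest in log:
        if reference.get(name) != digest:
            return False  # unknown or modified critical software
        replayed = extend_pcr(replayed, digest)
    return hmac.compare_digest(replayed, pcr)  # the log must reproduce the quoted PCR
```

A modified component, a stale nonce, or a log that does not reproduce the quoted PCR each cause the verifier to deny network access, which is the policy decision TNC enforces at connection time.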
Figure 1 shows an example screenshot of an instance of HAPR1 running two virtual machines, each running Microsoft XP Professional as the guest operating system in its own virtual machine window.

Figure 1 - Screenshot Example of a HAPR1

HAPR1 General Security Properties

HAPR1 Security Protection Characteristics
HAPR1 Security Functionality
Requirements Not Met by HAPR1
Operational Environment

HAPR1 is intended for use in National Security Systems and is configured to allow access to multiple system-high networks of different security levels, ranging from either Unclassified to Secret/Releasable or Secret/Releasable to Top Secret/SCI, in a physically protected environment. In such environments, all users must have an associated clearance level that is the same as or higher than the highest level of data processed by the platform. The platform is authorized to run in one of the following configurations:
Figure 2 depicts two scenarios of HAPR1s accessing networks with different security levels.
Users

All users must be cleared at or above the highest level of data being processed on the platform. The platform is not intended for use in physical environments where all users are not cleared for the highest level of data processed by the system. HAPR1 users may:
Users may not modify the configuration settings of the platform.

Administrators

Administrators must be cleared at or above the highest level of data being processed on the HAPR1. Administrators must be properly trained to configure and maintain the HAPR1. Administrative users may:
Administration of the HAPR1 may only take place when the system is not in an operational mode, e.g., when all associated guest virtual machines are in an inactive/powered-off state.

Network Environment

The HAPR1 is intended to be connected to one or more single-level networks within a protected enclave. The HAPR1 can be connected to multiple networks via multiple Network Interface Cards (NICs), where a single-level NIC is required per security level, or via a single NIC when using NSA/IAD-approved network encryption components. In the latter case, the network traffic from a lower-security-level network can tunnel through the higher-security-level network (i.e., low-over-high VPN tunneling). Appropriate measures must be taken by each single-level network infrastructure to protect the data from unauthorized access by external IT systems that may be connected to the network.

Physical Environment

The HAPR1 does not provide any measure of physical self-protection and must be maintained within a physically protected enclave where such physical protection is commensurate with the value of the information processed by the HAPR1.

1. By "critical software," we mean software that enforces the platform security policy.

2. The guest OS version must match the hardware architecture version that is virtualized by the VM, no different from the case where that same OS is expected to run directly on a specific processor/chipset combination.

3. A window manager is software that controls the placement and appearance of application windows. It provides a graphical user interface that enables a user to interact with a number of application programs simultaneously. In the HAPR1, each virtual machine is expected to have its own independent window.

4. If availability requirements exist, the environment must provide the required mechanisms (e.g., mirrored/duplicated data).
Date Posted: Nov 14, 2008 | Last Modified: Nov 14, 2008 | Last Reviewed: Nov 14, 2008