Fox DataDiode
Frequently Asked Questions
A document for certified Fox-IT partners

Version 1.0
April 9th, 2015
Pages: 17
Author: Andre Post
Classification: CONFIDENTIAL

FOX CONFIDENTIAL
This document is classified as Fox confidential. Any information published in this document and its appendices is intended exclusively for the addressee(s) as listed on the document management distribution list. Only these addressee(s) and additional persons explicitly granted permission by any of these originally authorized addressee(s) may read this document. Any use by a party other than the addressee(s) is prohibited. The information contained in this document may be Fox confidential in nature and fall under a pledge of secrecy. If your name is not listed on the document management page or if you have not obtained the appropriate (written) authorization to read this document from an authorized addressee, you should close this document immediately and return it to its original owner. Misuse of this document or any of its information is prohibited and will be prosecuted to the maximum penalty possible. Fox-IT cannot be held responsible for any misconduct or malicious use of this document by a third party or damage caused by its contained information.

Fox-IT BV
Olof Palmestraat 6
2616 LM Delft
Postbus 638
2600 AP Delft
The Netherlands
Telephone: +31 (0)15 284 7999
Fax: +31 (0)15 284 7990
E-mail: [email protected]
Internet: www.fox-it.com

Copyright © 2015 Fox-IT BV
All rights reserved. No part of this document shall be reproduced, stored in a retrieval system or transmitted by any means without written permission from Fox-IT. Violations will be prosecuted by applicable law. The general service conditions of Fox-IT B.V. apply to this documentation.

Trademark
Fox-IT and the Fox-IT logo are trademarks of Fox-IT B.V. All other trademarks mentioned in this document are owned by the mentioned legacy body or organization.
FOX CONFIDENTIAL- 2

DOCUMENT MANAGEMENT

Version management
Project name: Fox DataDiode
Subject: Frequently Asked Questions
Date: April 9th, 2015
Version: 1.0
Author(s): Andre Post

This version replaces all previous versions of this document. Please destroy all previous copies!

Changes
Version  Date  By  Remarks

INTRODUCTION

This document is a compilation of frequently asked questions and their respective answers concerning the Fox DataDiode. The intended audience for this document is every Fox-IT approved commercial partner that is authorized by Fox-IT to sell the Fox DataDiode.

This document is ordered such that it begins with questions at a higher, conceptual level. The DataDiode system consists of hardware and software. The physical product side of the DataDiode is fundamental, and as such the DataDiode system hardware is explained before the various software aspects.

TABLE OF CONTENTS

1 Concepts
  1.1 What is a Fox DataDiode?
  1.2 What is a unidirectional network?
  1.3 How are the separated networks designated?
  1.4 How does the Fox DataDiode work?
  1.5 When is a Fox DataDiode needed?
  1.6 What is the standard hardware setup of a Fox DataDiode system?
  1.7 What is the function of the proxy servers?
  1.8 What is protocol break?
  1.9 How does a protocol break benefit the DataDiode?
  1.10 What are the primary use cases for the DataDiode?
    1.10.1 How does the DataDiode protect secrets?
    1.10.2 How does the DataDiode protect assets?
2 Hardware
  2.1 Fox DataDiode - Government edition
    2.1.1 What is the Fox DataDiode - Government edition?
    2.1.2 Which certifications does the Fox DataDiode - Government edition hold?
    2.1.3 What is CC EAL7+ certification?
    2.1.4 Why is CC EAL7+ certification significant?
    2.1.5 Which customers require the Fox DataDiode - Government edition?
  2.2 Fox DataDiode - Business edition
    2.2.1 What is the Fox DataDiode - Business edition?
    2.2.2 Which certifications does the Fox DataDiode - Business edition hold?
    2.2.3 Which customers would require the Fox DataDiode - Business edition?
  2.3 Proxy servers
    2.3.1 What is the purpose of the proxy servers?
    2.3.2 What are the hardware requirements?
    2.3.3 Dell R610
    2.3.4 Dell R320
3 Proxy server software
  3.1 The Fox DataDiode Appliance (version 1)
  3.2 The Linux core
    3.2.1 Which Linux versions are supported by the Linux core?
    3.2.2 What is the maximum throughput of the Linux core?
  3.3 The Windows core
    3.3.1 Are there any known limitations to the Windows core?
    3.3.2 Which Windows versions are supported?
    3.3.3 Are the required Windows licences included?
  3.4 The Fox DataDiode Appliance (version 2)
    3.4.1 What are the distinguishing features between the Fox DataDiode Appliance version 2 and version 1?
4 The Demo Kit
    4.1.1 What is included in the demo kit?
    4.1.2 Are there any restrictions or special conditions for using the Demo Kit?
    4.1.3 What is the delivery time of the Demo Kit?
    4.1.4 How to use the Demo Kit?
5 Replication software
    5.1.1 Can Windows updates (WSUS) be replicated?
    5.1.2 Can SCCM managed Windows machine updates (WSUS) be replicated?
    5.1.3 Can file transfer users authenticate using Active Directory?
    5.1.4 Can file transfer users authenticate using Kerberos?
    5.1.5 Is it possible to include replicators in the Appliance?
    5.1.6 Can Oracle Databases be replicated through the DataDiode?
6 General features
  6.1 Which network protocols can be sent through the DataDiode?
  6.2 What are the maximum data transfer speeds?
7 Miscellaneous topics
  7.1 Is the IEC-60870-5-104 protocol supported?

1 CONCEPTS

This section presents frequently asked questions regarding top-level concepts of the Fox DataDiode.

1.1 What is a Fox DataDiode?
The Fox DataDiode is computer hardware that enforces unidirectional flow of network traffic.

1.2 What is a unidirectional network?
A unidirectional network connection is a link between two networks for which it can be guaranteed that information only flows from the one network to the other, and that flow in the opposite direction is not possible.

1.3 How are the separated networks designated?
The source network is typically referred to as "upstream" and the destination network as "downstream", following the analogy of how water flows from upstream to downstream. In many government and military environments, however, the source network is referred to as "black" and the destination network as "red".

1.4 How does the Fox DataDiode work?
The Fox DataDiode works by enforcing the use of a single strand of a fiber optic connection, in conjunction with fiber optic processing electronics that are specifically designed for unidirectional signal flow. This lack of full duplex communication breaks bidirectional traffic such as TCP/IP. This is addressed by using proxy servers that transmit data across the diode in a connectionless way.

1.5 When is a Fox DataDiode needed?
By using a one-way connection, the Fox DataDiode helps you prevent data leakage of confidential or classified information, while still having access to the critical data sources you need for your daily work. Think of updates for your anti-virus products or Microsoft Windows, databases, web feeds, email, video streams and operational information for your Security Operations Centers. Once you start thinking about it you can come up with a lot more. The Fox DataDiode can also prevent unwanted access to your Industrial Control Systems (ICS), including SCADA systems and DCSs, while still allowing those ICSs to send out critical operational data, performance metering and other events and alarms.

1.6 What is the standard hardware setup of a Fox DataDiode system?
The next picture (figure 1) schematically shows the standard hardware setup of a Fox DataDiode system.

Located in the center, the Fox DataDiode optical diode hardware connects and isolates the upstream (sending) network from the downstream (receiving) network. On the left-hand side, the upstream proxy server sends data from the upstream network through the optical diode to the downstream proxy server. On the right-hand side, the downstream proxy server receives data from the optical diode for further handling in the downstream network.

Figure 1: Conceptual setup of a Fox DataDiode system.

1.7 What is the function of the proxy servers?
The proxy servers are the primary point of contact for the networks on both ends of the optical diode hardware. Looking outward to their respective networks, they are responsible for interfacing with designated systems and provide any forwarding services as pre-configured. Facing inward to the optical diode, they facilitate the protocol break and handle internal diode communications.

1.8 What is protocol break?
A protocol break consists of two components that reside between the sender and the receiver of a message. The first component is a "catcher", which, while adhering to the protocol, strips all traffic control data from the data it receives and retains only the payload data. The second component is a "thrower". The thrower does the opposite: it takes bare payload data and sends the payload on to another system by means of some chosen protocol. In order to do this successfully, the thrower performs all the complicated tasks that are necessary to adhere to the protocol specification, including the creation of traffic control data.

1.9 How does a protocol break benefit the DataDiode?
Attacks that are caused by one of the parties not adhering to a protocol can only be prevented by ensuring that, within the environment where attacks are unacceptable, both parties in the protocol are trusted.
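The catcher/thrower split of section 1.8 is easiest to see in code. The following Python program is an added example written for this page; it is not Fox-IT code and says nothing about how the DataDiode proxies are actually implemented. The inbound frame layout (magic, sequence number, length, flags, CRC32 trailer), the length-prefixed outbound framing and all function names are constructed for illustration only.

```python
"""Toy protocol break: a "catcher" parses an inbound framed protocol and keeps
only the payload; a "thrower" re-frames that payload for the downstream side.
The frame format and every name below are constructed for this example."""
import struct
import zlib

# Constructed inbound frame layout (hypothetical "upstream protocol"):
#   magic 2 bytes | seq 4 bytes | length 2 bytes | flags 1 byte | payload | crc32 4 bytes
MAGIC = b"FX"
HEADER = struct.Struct("!2sIHB")   # 9 bytes of traffic control data


def encode_upstream(seq: int, payload: bytes, flags: int = 0) -> bytes:
    """Build a well-formed upstream frame (used here only to construct sample input)."""
    body = HEADER.pack(MAGIC, seq, len(payload), flags) + payload
    return body + struct.pack("!I", zlib.crc32(body))


class FrameError(ValueError):
    """Raised by the catcher when a frame does not adhere to the protocol."""


def catcher(frame: bytes) -> bytes:
    """Validate the frame against the protocol and return only the payload bytes.
    Every control field (magic, length, flags, CRC) is checked and then discarded,
    so nothing the sender put in the header can reach the thrower."""
    if len(frame) < HEADER.size + 4:
        raise FrameError("truncated frame")
    magic, seq, length, flags = HEADER.unpack_from(frame)
    if magic != MAGIC:
        raise FrameError("bad magic")
    if len(frame) != HEADER.size + length + 4:
        raise FrameError("length field does not match frame size")
    body, crc = frame[:-4], struct.unpack("!I", frame[-4:])[0]
    if zlib.crc32(body) != crc:
        raise FrameError("checksum mismatch")
    return frame[HEADER.size:HEADER.size + length]


def thrower(payload: bytes) -> bytes:
    """Re-frame the payload for the downstream protocol (here: a 4-byte length prefix).
    The thrower generates all control data itself; the upstream header never survives."""
    return struct.pack("!I", len(payload)) + payload


def protocol_break(frames):
    """Run each inbound frame through catcher and thrower.
    Returns (frames forwarded downstream, reasons for frames rejected at the catcher)."""
    forwarded, rejected = [], []
    for frame in frames:
        try:
            forwarded.append(thrower(catcher(frame)))
        except FrameError as err:
            rejected.append(str(err))
    return forwarded, rejected


def demo():
    good = encode_upstream(1, b"sensor=42")
    # Constructed malformed frame: the length field claims 200 payload bytes, one is present.
    bad = HEADER.pack(MAGIC, 2, 200, 0) + b"x" + b"\0\0\0\0"
    return protocol_break([good, bad])


if __name__ == "__main__":
    forwarded, rejected = demo()
    print("forwarded:", forwarded)
    print("rejected:", rejected)
```

The point to take from the example is the one section 1.8 makes in prose: a sender that does not adhere to the protocol is stopped at the catcher, and the downstream side only ever receives control data that the trusted thrower produced. In a real deployment the two halves run on the two proxy servers, with the diode hardware between them.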
For unidirectional communication scenarios, this implies that the side sending the payload (upstream) should be trustworthy, at least from the perspective of the receiver (downstream). The only way to ensure this is by the use of a protocol break.

1.10 What are the primary use cases for the DataDiode?
There are two primary use cases for deploying the DataDiode:
1. Protect secrets (see "How does the DataDiode protect secrets?" for details)
2. Protect assets (see "How does the DataDiode protect assets?" for details)

1.10.1 How does the DataDiode protect secrets?
The next picture (figure 2) schematically depicts how an example setup may allow information to enter a secure network, but prevent information from leaving the secure network. This configuration is often found in government and other high-security operations.

Figure 2: Conceptual representation of the "protecting secrets" scenario.

1.10.2 How does the DataDiode protect assets?
The next picture (figure 3) schematically depicts how an example setup may allow information (normally monitoring data) to leave a network of valuable assets, but prevent potentially harmful data from reaching those same assets. This configuration is often found in critical industrial environments.

Figure 3: Conceptual representation of the "protecting assets" scenario.

2 HARDWARE

The Fox DataDiode fiber optic hardware is available in two editions: the Government edition and the Business edition. This chapter explains both editions as well as the extra proxy server hardware that connects to the fiber optic DataDiode.

2.1 Fox DataDiode - Government edition
Government organizations and agencies often require that hardware in a high security area holds specific certifications. Confidential information is usually stored on disconnected, isolated networks to prevent data leakage. Often this is mandated by rules and regulations.
The act of adding information to such a network typically involves offline transportation of data on removable media such as optical discs. This is not real-time, not 24×7, and cumbersome, so users dislike it. Moreover, it is error prone and insecure. The Fox DataDiode automates and accelerates the process of adding information to confidential networks without compromising security. It offers guaranteed one-way network connectivity so that you can securely and smoothly transfer information in real-time, 24×7. The Fox DataDiode is the highest certified product in the world in terms of security.

2.1.1 What is the Fox DataDiode - Government edition?
The hardware of the Fox DataDiode - Government edition is certified by NATO for use up to SECRET level and by Common Criteria up to EAL7+ level. In addition, the Fox DataDiode has been accredited by many national authorities such as the Dutch General Intelligence and Security Service (AIVD) and the German Bundesamt für Sicherheit in der Informationstechnik (BSI).

2.1.2 Which certifications does the Fox DataDiode - Government edition hold?
The Government edition holds the following certifications and approvals:
- Common Criteria EAL7+
- EU approval by Germany and The Netherlands up to State Secret networks
- UK Common Criteria SOGIS Mutual Recognition Agreement
- India and Norway Common Criteria EAL4+
- NATO Secret networks

2.1.3 What is CC EAL7+ certification?
Evaluation Assurance Levels (EALs) are numerical ratings describing the depth and rigor of an evaluation. Each EAL corresponds to a package of security assurance requirements which covers the complete development of a product with a given level of strictness. Common Criteria lists seven levels, with EAL 1 being the most basic and EAL 7 the most stringent. An Evaluation Assurance Level can be "augmented" with requirements from a higher assurance level. In the case of the Fox DataDiode, EAL 7+ stands for a complete evaluation based on all classes within the Common Criteria.

2.1.4 Why is CC EAL7+ certification significant?
CC EAL7+ is a significant certification because the Fox DataDiode was subjected to, and passed, the most rigorous tests available in IT security.

2.1.5 Which customers require the Fox DataDiode - Government edition?
As the name implies, government agencies and organizations often require IT infrastructure equipment that conforms to certain certifications. The Fox DataDiode - Government edition is often found in military organizations such as the air force, in agencies such as the ministry of information and the ministry of defense, and in international organizations such as NATO.

2.2 Fox DataDiode - Business edition
In addition to the Government edition, Fox-IT also provides the Fox DataDiode - Business edition, which is specifically developed for protecting industrial control systems. Modern multi-staged attacks hop from one network to the next by any means available, both over the network and via storage devices. Every connected system runs the risk of being compromised. At the same time, business needs demand increased integration with industrial automation. Industrial Control Systems are targeted by well-funded adversaries that want to cripple society. Often, attacks remain active and undetected for months or even years, as the Stuxnet attack clearly illustrates.

2.2.1 What is the Fox DataDiode - Business edition?
The Business edition is technically identical to the Government edition; however, it does not carry all the production certifications. This makes the Business edition extremely affordable for companies and organizations that have to operate on constrained budgets.

2.2.2 Which certifications does the Fox DataDiode - Business edition hold?
The Business edition does not have official certifications. However, the hardware on the inside is identical to the Government edition.

2.2.3 Which customers would require the Fox DataDiode - Business edition?
The Business edition is the obvious choice for businesses and organizations that do not need the rigorously certified Government edition. Usually, the Business edition is the product of choice for companies in the energy sector (oil and gas production, nuclear facilities, electricity distribution) and other critical infrastructure providers (e.g. water management systems, airports, viaducts).

2.3 Proxy servers
The proxy servers play a crucial role in the correct working of any Fox DataDiode system. This section provides details on the proxy servers.

2.3.1 What is the purpose of the proxy servers?
The proxy servers are the only devices connected to the optical diode box, making them the first devices in the upstream and downstream networks from the optical diode box's point of view. The proxy servers therefore provide the first point of contact with either network, and deliver the additional functionality and security features of the Fox DataDiode setup. Some of the most important features are:
- Provide an infrastructural interface to the upstream/downstream network
- Provide enhanced security by means of protocol break (see "What is protocol break?" for details)
- Manage the data flow through the optical diode
- Offer functional integration with other network components, such as file servers

2.3.2 What are the hardware requirements?
All Fox DataDiode software has been tested to work on either a Dell R610 server or a Dell R320 server.

2.3.3 Dell R610
The Dell R610 is the main operational hardware platform for the Appliance 1.x software. The Appliance 1.x is based on the OpenBSD operating system, which has driver support for the Dell R610. The other Fox DataDiode Core software products are naturally compatible with the Dell R610 as well.
The Dell R610 was introduced in 2009 and as such is no longer actively sold; current stock will be utilized as needed and will provide a supply of replacement units.

2.3.4 Dell R320
All of the Fox DataDiode Core software modules operate on the Dell R320 hardware platform, with the exception of the Appliance 1.x. The Dell R320 is versatile and can be configured flexibly to cover a wide range of deployment requirements. The technical specifications (table 1) of the Dell R320 are as follows:

Form factor               1U rack
Processors                Intel® Xeon® processor E5-2400 product family
                          Intel Xeon processor E5-1410
                          Intel Pentium® processor 1400 product family
Memory                    Up to 192GB (6 DIMM slots): 2GB/4GB/8GB/16GB/32GB DDR3 up to 1600MT/s
Maximum internal storage  Up to 16TB
Power supply              Redundant

Table 1: Technical specifications of the Dell R320 rack mount server.

3 PROXY SERVER SOFTWARE

The proxy servers on each side of the optical diode box provide an interface to the rest of the infrastructure in which the Fox DataDiode is operational.

3.1 The Fox DataDiode Appliance (version 1)
The Fox DataDiode Appliance is a complete implementation solution, without the need for any prerequisites. The Appliance consists of one Fox DataDiode hardware device and two proxy servers. Both Appliance servers come with the software pre-installed, enabling seamless integration into office environments and industrial networks. Support for many common file transfer protocols is built in as standard, as well as SMTP (email) forwarding. Additionally, the servers' health can be monitored over SNMP. The Appliance version 1 is based on OpenBSD; it does not support TCP forwarding, is limited to a maximum transfer speed of 100 Mbit/second, and does not provide data transfer redundancy. Version 1 will be considered end of life when version 2 is released (see "The Fox DataDiode Appliance (version 2)" for details).

3.2 The Linux core
The Linux Core proxy software provides a high reliability, high performance proxy forwarding solution for TCP, UDP and file transfers. Data transfer redundancy is implemented by sending all packets in duplicate. This means that over the 1 Gbit/second optical connection, a maximum net data transfer speed of 500 Mbit/second can be attained.

3.2.1 Which Linux versions are supported by the Linux core?
The Linux Core supports the following Linux operating system versions:
- Ubuntu 12.04
- Ubuntu 14.04
- RedHat 6
- RedHat 7
- Debian Wheezy

3.2.2 What is the maximum throughput of the Linux core?
The Linux core proxy software can utilize the maximum bandwidth of 1 Gbit/second. However, due to data duplication for forward error correction purposes, the effective throughput is 500 Mbit/second.

3.3 The Windows core
The Windows core proxy software is suited for deployment in a Microsoft Windows-based infrastructure. The proxy software offers a graphical user interface to configure the proxy servers, and as such is a logical option for any low-technology, low-learning-curve work environment.

3.3.1 Are there any known limitations to the Windows core?
The Windows core was developed specifically with ease of use and ease of maintenance in mind. These choices do have consequences: the maximum throughput is more limited than that of the Linux core, and the number of forwarded network streams is limited to 24.

3.3.2 Which Windows versions are supported?
The Windows core supports the following Windows versions:
- 2003
- 2008 (R2)
- 2012 (R2)

3.3.3 Are the required Windows licences included?
No, they have to be obtained separately.

3.4 The Fox DataDiode Appliance (version 2)
In concept similar to the Fox DataDiode Appliance version 1 (see "The Fox DataDiode Appliance (version 1)" for details), version 2 is a complete solution enhanced with the lessons learned from version 1.
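Sections 3.2 and 3.2.2 above state that the Linux core sends every packet twice and that this halves the net rate. The following Python simulation is an added example for this page, not Fox-IT code, and does not describe the Linux core's actual wire format: it shows why duplication is the natural redundancy scheme on a one-way link (the receiver can never ask for a retransmission), what the receiver can and cannot do when copies are lost, and where the 1 Gbit/second to 500 Mbit/second figure comes from. The datagram format, loss pattern and all names are constructed.

```python
"""One-way forwarding with redundancy by duplication. The sender emits every
sequenced datagram twice; the receiver deduplicates by sequence number and,
since nothing can flow back, can only detect (never repair) a gap.
All names, the datagram layout and the loss pattern are constructed."""
from dataclasses import dataclass, field


@dataclass
class Stats:
    sent: int = 0          # datagrams put on the wire, duplicates included
    delivered: int = 0     # distinct datagrams accepted downstream
    duplicates: int = 0    # redundant copies discarded by the receiver
    gaps: list = field(default_factory=list)  # sequence numbers never received


def send_duplicated(datagrams, copies=2):
    """Upstream side: emit each (seq, payload) datagram `copies` times back to back."""
    wire = []
    for seq, payload in datagrams:
        for _ in range(copies):
            wire.append((seq, payload))
    return wire


def lossy_link(wire, drop_indices):
    """The one-way link: packets at the given wire positions are lost.
    There is deliberately no return path, so loss is never signalled upstream."""
    return [pkt for i, pkt in enumerate(wire) if i not in drop_indices]


def receive_dedup(wire, expected_count):
    """Downstream side: accept each sequence number once, count discarded duplicates,
    and report which sequence numbers in 0..expected_count-1 never arrived."""
    seen = {}
    stats = Stats()
    for seq, payload in wire:
        if seq in seen:
            stats.duplicates += 1     # second copy of a datagram already delivered
        else:
            seen[seq] = payload
    stats.delivered = len(seen)
    stats.gaps = [s for s in range(expected_count) if s not in seen]
    return [seen[s] for s in sorted(seen)], stats


def effective_rate(link_mbit, copies):
    """Net payload rate when every datagram is sent `copies` times over a link of
    `link_mbit` Mbit/second: 1000 Mbit/s with two copies gives 500 Mbit/s."""
    return link_mbit / copies


def demo():
    data = [(s, f"record-{s}".encode()) for s in range(5)]
    wire = send_duplicated(data)
    # Constructed loss pattern on the wire (indices 0..9):
    #   index 2 is one copy of seq 1 -> the other copy survives, seq 1 is recovered
    #   indices 6 and 7 are both copies of seq 3 -> seq 3 is lost and shows up as a gap
    received = lossy_link(wire, drop_indices={2, 6, 7})
    payloads, stats = receive_dedup(received, expected_count=len(data))
    stats.sent = len(wire)
    return payloads, stats


if __name__ == "__main__":
    payloads, stats = demo()
    print(payloads)
    print(stats)
    print("effective rate:", effective_rate(1000, 2), "Mbit/s")
```

Duplication recovers from the loss of a single copy at the price of half the bandwidth; losing both copies of a datagram leaves a gap that the receiver can log and alert on, but not fill. That is the trade-off the figures in 3.2.2 and 6.2 reflect.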
3.4.1 What are the distinguishing features between the Fox DataDiode Appliance version 2 and version 1?
In terms of implementation choices, the Appliance version 2 is a completely different product from version 1. The key features that make version 2 stand out are:
- An integrated interactive web interface, giving a modern look and feel
- Improved new Linux core software with an increased effective throughput of 800 Mbit/second
- A modular build-up, paving the road for data handler plug-ins

4 THE DEMO KIT

Fox DataDiode business partners are encouraged to procure one or more Fox DataDiode demo kits. This enables them to become familiar with all the technical aspects of the Fox DataDiode and to test specific deployment setups as needed.

4.1.1 What is included in the demo kit?
The Demo Kit is a package that is built on the Appliance version of the DataDiode. This means that the set comes with 1 DataDiode, 2 proxy servers and all additional hardware and fiber cables. The set also comes with ALL Diode software, meaning that, aside from the Appliance setup, you can also set it up to demonstrate the Linux Core or Windows Core, and all replicators come with it.

4.1.2 Are there any restrictions or special conditions for using the Demo Kit?
The Demo Kit is a NOT FOR RESALE unit and cannot be used or placed at a customer or partner for long periods of time. Use of the Demo Kit is solely intended for demonstration and pre-agreed, time-limited POC (proof-of-concept) purposes.

4.1.3 What is the delivery time of the Demo Kit?
Delivery time of the Demo Kit is approx. 10 working days.

4.1.4 How to use the Demo Kit?
The Demo Kit comes together with a full day of instruction by one of our pre-sales engineers. Upon request we can also provide Fox DataDiode sales training for your team.
5 REPLICATION SOFTWARE

Quite often, the nature of the data that needs to be transferred through the Fox DataDiode goes beyond basic files or TCP or UDP streams and is bidirectional in nature. For some of these protocols and data types, Fox-IT has developed additional software that can handle replication of the most popular protocols available.

5.1.1 Can Windows updates (WSUS) be replicated?
Yes. We provide WSUS replication software for Windows Server 2003 and Windows Server 2008. Additionally, the WSUS replicator software is scheduled to support Windows Server 2012 no earlier than Q2 2015.

5.1.2 Can SCCM managed Windows machine updates (WSUS) be replicated?
A replicator software module for WSUS updates is available (see "Can Windows updates (WSUS) be replicated?" for details), effectively providing Windows updates through the DataDiode. Take note, however, that SCCM is highly bidirectional in nature, and therefore the need to replicate SCCM metadata through a DataDiode is questionable.

5.1.3 Can file transfer users authenticate using Active Directory?
File transfer user authentication using Active Directory is on the roadmap; development is not scheduled earlier than Q3 2015.

5.1.4 Can file transfer users authenticate using Kerberos?
See "Can file transfer users authenticate using Active Directory?".

5.1.5 Is it possible to include replicators in the Appliance?
No, not in the current version. We are currently working on a new version of the Appliance (version 2), which is scheduled for release at the beginning of Q2 2015. Version 2 is built from the ground up with flexibility and customization possibilities in mind. The feature to provide an interface that will easily integrate custom replicators/filters is on the roadmap.

There is a "Yes, depends..." for the current 1.x Appliance: any replicators that need to send data through the DataDiode Appliance would need to run outside the Appliance and have to be able to process data transmission on the basis of TCP/UDP forwarding or file-based transfers.

5.1.6 Can Oracle Databases be replicated through the DataDiode?
Yes, Oracle databases can be replicated through the Fox DataDiode. For Windows operating systems, Fox-IT provides Oracle database replication software that works with 3rd party tools. Dell provides Oracle database replication software, "Dell SharePlex Secure", for the Linux operating system that interoperates natively with Oracle databases.

6 GENERAL FEATURES

This section covers questions related to Fox DataDiode product features.

6.1 Which network protocols can be sent through the DataDiode?
All Fox DataDiode proxy products except the Fox DataDiode Appliance version 1 natively support forwarding of the TCP and UDP network protocols. The Fox DataDiode Appliance version 1 does not support TCP streams. The Appliance (both versions) additionally supports the following network protocols:
- SMB/CIFS (Windows file sharing)
- FTP
- FTPS
- SFTP
- SCP
- SMTP (email)

6.2 What are the maximum data transfer speeds?
Maximum data transfer speeds vary per proxy server platform. The following list summarizes these speeds and gives the effective data transfer rate (measured as end user data going over the wire).
- Fox DataDiode Appliance version 1: 100 Mbit/second
- Windows core: variable, tested to average 250 Mbit/second
- Linux core: 500 Mbit/second
- Fox DataDiode Appliance version 2: 800 Mbit/second

7 MISCELLANEOUS TOPICS

This section provides answers to frequently asked questions that do not fit in any of the other sections.

7.1 Is the IEC-60870-5-104 protocol supported?
As of Q1 2015, no. However, given sufficient requests, support for the IEC-60870-5-104 protocol can be added within a 3 month time frame.