Transforming Mission Support | GSF 2012 | Session 4-4
Transforming Mission Support Through MLS Secure Virtualization, Collaboration, and Mobility
David Amoriell, Cisco Systems
George Kamis, Raytheon TCS
© 2008 Cisco Systems, Inc. All rights reserved. Cisco Confidential
Driving an Ongoing Shift to BYOD and Mobility
Device Diversity Is Here to Stay
Paradigm Shift
• Gartner Predicts “…By 2013, mobile phones will overtake PCs as the most common Web access device worldwide…”
• 4+ Million iPhone 4S units sold during the first weekend.
• 17+ Million iPhones sold last quarter
• 11+ Million iPads sold last quarter
• 500k+ Applications built for Apple App Store
• 400k+ Applications built for Android
• 550+ New apps added daily
• 700k Android Phones activated daily.
• Gartner Predicts that by 2014, 92% of Internet packets will be video.
© 2011 Cisco and/or its affiliates. All rights reserved. Cisco Public
“Whether it is a squad going out on a humanitarian effort or an entire division in major combat operations, you will connect to the network and your data will be there.”
LTG Susan Lawrence, Army CIO / G6

“Our challenge today is ensuring our networks can securely support the information demands of our users – users who require access to information anywhere and anytime across the DoD Information Enterprise…”
Teri Takai, DoD CIO

“I want to be the Chief Yes Officer.”
Roger Baker, Veterans Affairs CIO

“To fundamentally change the way we do things in government, we need to seize on this mobile opportunity both in how we serve the public and in how government employees work.”
Steven VanRoekel, U.S. Chief Information Officer
Manipulation, Theft & Espionage, Disruption
Cyber threats impact the security and economic viability of nations and businesses alike

Target: Nasdaq OMX
Impact: “Flash Crash” of May 2010
Exploit: Directors Desk web-based application

Target: Security and defense contractors
Impact: Intellectual property theft, 2009-2010
Exploit: Multiple zero-day

Target: Iranian nuclear reactors
Impact: 2-5 year delay
Exploit: Siemens PLC software
Market Options Driving Transitioning to a Post-PC World
New choices being driven by Mobility, Agility and Customer Demand
(Figure: PC World versus Post-PC World)
THE NETWORK
GREEN, Energy Efficiency
IT PRODUCTIVITY, Service and Network Management
SECURITY, Accelerating Cyber-Threats
Multiple Devices
Bring Your Own Device (BYOD)
Virtual Desktop / Workspace
MLS Secure VXI (SVXI)
Trusted WiFi
• Authenticate user
• Fingerprint device
• Apply corporate config
• Enterprise apps
• Automatic policies
Trusted WiFi
Apply defined policy profiles based on: device type, user, location, application
Components: Identity Services Engine, Mobile Device Management, Aironet infrastructure, Prime management
Trusted WiFi
(Figure: per-application Yes/No decision for Electronic Medical Records, Mobile TelePresence and Instant Messenger)
Access: FULL
Untrusted WiFi
Access: Limited
Untrusted WiFi components: Hotspot 2.0, Aironet infrastructure, ScanSafe, IronPort, Identity Services Engine, AnyConnect, WebEx Mobile 8
3G/4G
(Figure: per-application Yes/No decision for Electronic Medical Records, Mobile TelePresence and Instant Messenger)
Access: Limited
3G/4G components: Identity Services Engine, AnyConnect, ASR
Trusted WiFi
(Figure: per-application Yes/No decision for Electronic Medical Records, Mobile TelePresence and Instant Messenger)
Access: FULL
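The preceding slides describe the access flow in words only: authenticate the user, fingerprint the device, apply corporate configuration, then grant FULL access on trusted WiFi and Limited access on untrusted WiFi or 3G/4G, with a per-application Yes/No. The following policy engine is an added example written for this page; it is not Cisco ISE code and does not describe how ISE implements the decision. The device registry, the mapping of each application to the access level it requires, and the rule that an unmanaged device never exceeds Limited are constructed assumptions, since the slides only show FULL versus Limited per network.

```python
"""Policy engine mirroring the BYOD flow on the slides (added example).

Assumptions not on the slides: the device registry, the per-application
access requirements, and the "unmanaged device is capped at LIMITED" rule.
"""
from dataclasses import dataclass
from enum import Enum, IntEnum
from typing import Dict, Optional


class Network(Enum):
    TRUSTED_WIFI = "trusted_wifi"
    UNTRUSTED_WIFI = "untrusted_wifi"
    CELLULAR = "3g_4g"


class Access(IntEnum):
    """Ordered so that a higher value dominates a lower one."""
    DENY = 0
    LIMITED = 1
    FULL = 2


@dataclass(frozen=True)
class Device:
    fingerprint: str      # assumed: hash of the profiling attributes ISE collects
    device_type: str      # "tablet", "phone", "laptop"
    mdm_managed: bool     # True once the corporate config has been applied


@dataclass(frozen=True)
class Request:
    user: Optional[str]   # None means authentication failed
    device: Device
    network: Network
    application: str


# Constructed registry of devices that have been fingerprinted/onboarded.
KNOWN_DEVICES: Dict[str, Device] = {
    "fp-tablet-0001": Device("fp-tablet-0001", "tablet", mdm_managed=True),
    "fp-phone-0002": Device("fp-phone-0002", "phone", mdm_managed=False),
}

# Assumed minimum access level each application needs.
APP_MIN_ACCESS: Dict[str, Access] = {
    "electronic_medical_records": Access.FULL,
    "mobile_telepresence": Access.FULL,
    "instant_messenger": Access.LIMITED,
}

# From the slide sequence: only trusted WiFi yields FULL access.
NETWORK_ACCESS: Dict[Network, Access] = {
    Network.TRUSTED_WIFI: Access.FULL,
    Network.UNTRUSTED_WIFI: Access.LIMITED,
    Network.CELLULAR: Access.LIMITED,
}


def session_access(req: Request) -> Access:
    """Authenticate user, check the device fingerprint, require the corporate
    config, then apply the per-network profile."""
    if req.user is None:
        return Access.DENY
    known = KNOWN_DEVICES.get(req.device.fingerprint)
    if known is None:
        return Access.DENY              # never fingerprinted: no access at all
    level = NETWORK_ACCESS[req.network]
    if not known.mdm_managed:
        level = min(level, Access.LIMITED)   # assumed cap for unmanaged devices
    return level


def app_allowed(req: Request) -> bool:
    """The slide's per-application Yes/No: allowed only if the session's
    access level dominates what the application requires. Unknown
    applications are denied by default."""
    need = APP_MIN_ACCESS.get(req.application)
    if need is None:
        return False
    return session_access(req) >= need
```

The ordering on `Access` is what makes the policy composable: the network profile and the device posture each produce a level, and the weaker of the two wins. Adding a location or time-of-day rule means computing one more level and taking the minimum again, rather than growing a table of special cases.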
MLS CIUS Tablet, Provides MLS SVXI with Mobility
Features:
• Extends VDI/VXE
• Integrated collaboration: voice, video & TelePresence
• Support mission apps: GEOINT, visualization, all-source
• MLS driven by RTCS
• Application integration
Impact:
• Tactical reachback
• Data to the edge
• Battlefield awareness
• Fused intelligence
• Real-time analysis
• Ad-hoc communication
• Un-tethered information
MLS Handheld: One Device, Many Networks, COTS, MLS User Apps on Android
Improved security, thin client, cloud hosted; infrastructure consolidation, reduced cost
Multiple Devices
Secure Mobility and BYOD
Virtual Desktop / Workspace
MLS Secure VXI (SVXI)
Two Approaches: “Native” and “Virtual”
The Network needs to be ready for both
(Figure: Native path components: ISE, CSM/ASDM, Partner MDM, MDM Manager, AnyConnect VPN with Cloud Web Security, IronPort Web, Directory, Exchange, NCS Prime, AnyConnect NAM, IronPort Email. Virtual path components: branch with WAAS and ISR, Virtualization-Aware Borderless Network with CDN, Compute UCS, MS Office, desktop virtualization software, Virtualized Data Center with WAAS, Nexus, Microsoft OS, ACE, hypervisor, Virtual Unified CM, Virtual Quad and Cisco Collaboration Applications; thin client ecosystem with Cisco clients, Cius Business Tablets, Virtualized Collaborative Workspace and Cisco Desktop Virtualization Endpoints over the Cisco WAN)
Cisco VXI: Virtualized End-to-End System
End-to-End Security, Management and Automation
(Figure: branch with WAAS and ISR; Virtualization-Aware Borderless Network with CDN; Virtualized Data Center with Compute UCS, WAAS, Nexus, ACE, Virtual Unified CM and Virtual Quad; thin client ecosystem with Cisco clients, Cius Business Tablets, Virtualized Collaborative Workspace and Cisco Virtualization Experience Clients; access switching with PoE)
Cisco Secure Virtualization Experience Infrastructure (SVXI)
(Figure: Collaboration, Borderless Networks, Data Center Virtualization and Secure Virtual Workspace converging on Cisco SVXI)
• Mission application support
• Multi-level security
• Rich media: voice, video, collaboration & mobility
• Integrated solution: enterprise resource management
Copyright © 2012 Raytheon Company. All rights reserved. Customer Success Is Our Mission is a registered trademark of Raytheon Company.
George Kamis, Chief Technology Officer
Transforming Mission Support through Multilevel Secure Virtualization, Collaboration, and Mobility
Raytheon Trusted Computer Solutions (RTCS)
• Part of Raytheon Intelligence & Information Systems (IIS) since November 2010
• Key focus area: building commercial cross domain products to meet the most stringent security requirements
  – Accessing and transferring data across security domains at a high level of assurance
• Cross domain solutions for DoD, IC, and Civilian Government include:
  – Trusted Thin Client, High Speed Guard, Trusted Gateway System, SimShield, and WebShield
• Established technical and business relationship with Cisco
  – Work natively in the field of VXI with Cisco thin client and server hardware
  – Leverage Cisco products for secure connectivity
  – Leverage mobile synergy to provide high assurance data access
Cross Domain Products in Operational Systems Around the World
RTCS Product Line
ACCESS, TRANSFER, BROWSE
• Trusted Thin Client®: secure access to multiple domains from a single connection point: thin client, PC virtual client, or remote access
• Trusted Gateway System™: secure multi-directional data transfer
• High Speed Guard: automated, high-performance data transfer supporting full motion audio/video
• WebShield: secure HTTP traffic throughout the enterprise, including browse and search capabilities via web proxy
Overview
ACCESS
• What is Trusted Thin Client?
  – How it is being used by DoD, Intel, and Civilian customers
  – The transformation from desktop to Trusted Thin Client access with VXI services
  – Multi-sensitivity access from a single terminal
• Evolution from a thin client computing model to meet current and future needs
  – Movement to remote computing access: teleworker; memory stick based computing for BYOD applications
  – Evolution to mobile and tablet platforms: secure access to multiple sensitivity levels
Current Information Access
(Figure: separate terminals per domain: Top Secret, Secret, Sensitive A, Sensitive B, Sensitive C, Sensitive D)
Consolidation Approach: Multilevel Access from a single Thin Client
(Figure: consolidated access with Trusted Thin Client; classification levels clearly displayed)
Trusted Thin Client High Assurance Multilevel Access (Intel/DoD Scenario)
Cost-Effective
• Inexpensive commodity hardware for both thin clients & servers
Enterprise-Ready
• Scalable with failover
• Consolidates the user environment
• Expandable network connections
Flexible
• Wide variety of client options: thin client, PC, virtual machine, memory stick, etc.
• Microsoft and UNIX system access via Terminal Services, Citrix ICA, VMware PCoIP, etc.
• Hardware independent: servers, blades, dedicated storage, etc.
Secure
• Based upon Security Enhanced (SE) Linux
• Meets DoD and IC security requirements for processing multiple classification levels
(Figure: users on traditional, multiple-monitor, remote access and virtual access clients connect through the Distribution Console to Top Secret, Secret and Sensitive data storage and servers; Cisco UCS servers, Cisco Virtualized Experience Infrastructure (VXI), Cisco VXC thin clients)
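The slides state the property (one terminal, several domains, each session's classification clearly displayed, no data moved between domains by the client) without showing the rule that enforces it. The following is an added example written for this page, not Raytheon's Trusted Thin Client code, and it makes no claim about how that product is built internally; it models the decision a distribution console has to make as Bell-LaPadula style label dominance ("no read up"). The level names, the compartment "ALPHA" and the domain names are constructed to match the Intel/DoD and Civilian scenarios on the slides.

```python
"""MLS dominance model for single-terminal, multi-domain access (added example).

Not RTCS code. Labels are (hierarchical level, set of compartments); a
clearance dominates a domain label when its level is at least as high and
its compartments are a superset. Level names and compartments are constructed.
"""
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Sequence


@dataclass(frozen=True)
class Label:
    level: str                                 # hierarchical classification
    compartments: FrozenSet[str] = frozenset()

    def dominates(self, other: "Label", order: Sequence[str]) -> bool:
        """True when self >= other in the lattice defined by `order`
        (lowest level first) and compartment inclusion."""
        return (order.index(self.level) >= order.index(other.level)
                and self.compartments >= other.compartments)


class DistributionConsole:
    """Decides which domain sessions a clearance may be connected to.

    Only ACCESS is mediated here. TRANSFER between domains is deliberately
    impossible through this component; that is the job of a guard product,
    as the slides' ACCESS / TRANSFER / BROWSE split suggests (assumption of
    the model, not a description of the product)."""

    def __init__(self, order: Sequence[str], domains: Dict[str, Label]):
        self.order = list(order)
        self.domains = dict(domains)           # domain name -> Label

    def accessible_domains(self, clearance: Label) -> List[str]:
        """No read up: a session is offered only for domains the clearance dominates."""
        return [name for name, lbl in self.domains.items()
                if clearance.dominates(lbl, self.order)]

    def may_open(self, clearance: Label, domain: str) -> bool:
        return domain in self.accessible_domains(clearance)

    def may_transfer(self, clearance: Label, src: str, dst: str) -> bool:
        """The client never moves data between two sessions, even downward
        or between equal labels; the only 'transfer' is within one session."""
        return src == dst and self.may_open(clearance, src)


def banner(domain: str, console: DistributionConsole) -> str:
    """The classification banner the slide says is 'clearly displayed'."""
    lbl = console.domains[domain]
    comps = " ".join(sorted(lbl.compartments))
    return lbl.level.upper() + (f" // {comps}" if comps else "")


# Constructed Intel/DoD scenario from the slide: Top Secret, Secret, Sensitive.
DOD_ORDER = ["Sensitive", "Secret", "Top Secret"]
DOD_DOMAINS: Dict[str, Label] = {
    "ts-enclave": Label("Top Secret", frozenset({"ALPHA"})),
    "secret-enclave": Label("Secret"),
    "sensitive-enclave": Label("Sensitive"),
}

# Constructed Civilian scenario from the next slide: Sensitive, Internal, Public.
CIV_ORDER = ["Public", "Internal", "Sensitive"]
CIV_DOMAINS: Dict[str, Label] = {
    "public": Label("Public"),
    "internal": Label("Internal"),
    "sensitive": Label("Sensitive"),
}
```

The same console serves both scenarios because the civilian hierarchy (Public < Internal < Sensitive) is just a lattice with no compartments. The compartment check matters in the Intel/DoD case: a Top Secret clearance without ALPHA is offered the Secret and Sensitive sessions but not the ALPHA enclave, which is the case a simple "level number comparison" gets wrong.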
Trusted Thin Client High Assurance Multilevel Access (Civilian Scenario)
(Same Cost-Effective, Enterprise-Ready, Flexible and Secure bullets as the Intel/DoD scenario.)
(Figure: users on traditional, multiple-monitor, remote access and virtual access clients connect through the Distribution Console to Sensitive, Internal and Public data storage and servers; Cisco UCS servers, Cisco Virtualized Experience Infrastructure (VXI), Cisco VXC thin clients)
Virtual Desktop Infrastructure Leveraging Cisco VXI
• Each user has a dedicated “virtual” complete operating system
• Broker directs users to VDI sessions
• Can utilize application streaming
• User environment is created from a read-only image
(Figure: server hardware running MS Hyper-V, Citrix XenServer, VMware ESX Server, etc. as a Virtualized Data Center with enterprise storage, serving Top Secret, Secret and other enclave data storage and servers; users on traditional, multiple-monitor, remote access and virtual access clients connect through the Distribution Console; Cisco Virtualized Experience Infrastructure (VXI))
SecureOffice Trusted Thin Client Architecture
(Figure: users on traditional, multiple-monitor, remote access and virtual access clients connect through the Distribution Console to Top Secret, Secret and Sensitive data storage and servers; Cisco Virtualized Experience Infrastructure (VXI))
Trusted Thin Client (TTC) Deployments … many more pending
Enterprise Deployments
• Intelligence Community
  – Large enterprise TTC deployment underway
  – Thousands deployed with many other agencies
• DoD
  – Air Force Central Command, COAC-X
  – Thousands deployed elsewhere with other DoD components
Civilian Deployments
  – DHS
  – DOJ
Unique Deployments
  – Aircraft, submarines, etc.
International Deployments
  – Australia NGD
  – UK
  – Canada
Evolution of Trusted Thin Client Capabilities
– Movement to remote computing access: Remote Access Implementation (TTC RAI)
  • Secure access from anywhere
  • Aimed at the teleworker / first responder / road warrior
– Evolution to mobile phone and tablet platforms (in development): secure mobile access to data
  • Support multiple sensitivity levels and a variety of mobile desktops
3/22/2012
Trusted Thin Client Remote Access Implementation (RAI)
• Driven by the need to securely access information remotely
  – Growing teleworker and first responder workforce
  – Supports BYOD model
• Portable, lightweight TTC client in a remote environment that offers the benefits of TTC
  – Secure cross domain access
  – Consolidation of multiple desktops on different networks into a single client
• Runs on a standard media device (e.g., USB flash drive, SD memory card)
• Launched by booting the host machine (e.g., laptop, netbook) from the media device
  – Local hard disk not enabled or accessed
• Works on most x86 machines regardless of OS
• No installation required on the host machine
TTC Remote Access Implementation
• Runs on most memory sticks
  – Encrypted bootable partition: hardened Linux host OS with many connectivity and security features; native TTC client runs within a hypervisor
  – Unencrypted partition (optional): looks like a normal memory stick
• Network connectivity
  – NIC, WiFi, Cellular (3G/4G)
• Cisco AnyConnect VPN client
TTC RAI Overview
Secure remote access from a USB stick
(Figure: remote access with a USB flash drive; the TTC RAI device reaches a secure DMZ over Cisco AnyConnect encryption, terminating on a Cisco ASA security appliance, then through the Distribution Console to Network A, Network B and Network C data storage and servers; users on traditional, multiple-monitor and virtual access clients)
Movement to Mobile Access
• Mobile platforms are now ubiquitous
  – Phones, tablets, hybrids
• Multiple devices are not the answer
  – Personal, business, etc.
• Emphasis on BYOD
  – Sensitive data should not be commingled with personal information
  – Personal devices now have access to protected network assets
  – No control of the end points (also applies to government and corporate provided devices): hard to protect once physical access is granted
• How to provide access to multiple sensitivity domains?
  – Trusted Thin Client (TTC) Mobile: based on the same security concepts as TTC
  – Multi-sensitivity access from a mobile platform
TTC Mobile Architecture: Secure Mobile Access
(Figure: mobile users reach a Cisco ASA security appliance over Cisco AnyConnect encryption, then through the Distribution Console to Network A, Network B and Network C data storage and servers; users on traditional, multiple-monitor and virtual access clients)
RTCS and Cisco Relationship
• Established and growing partnership
  – Synergy by offering multilevel or multi-sensitivity access with VXI access: thin clients and mobile platforms
  – Hardware options with certified Cisco VXC thin clients and Cisco UCS server hardware
• Moving to better voice and video support
  – Trusted Thin Client integration of Cisco Unified Communications
• Mobility
  – Benefiting from CIUS tablets and leveraging VXI infrastructure
  – Leveraging the Cummings Secure Sleeve for secure network connectivity
• Validated reference architecture for Secure MLS SVXI
Thank you.