Effectively Meeting Security Requirements through KVM Keyboard Video and Mouse Technology - PowerPoint PPT Presentation

Slides: 26
Provided by: LCLM7
1
Effectively Meeting Security Requirements through
KVM (Keyboard Video and Mouse) Technology
  • Weapons Engineering Computer Support Team
  • Los Alamos National Laboratory
  • Brian Martinez, Computing, Telecommunications,
    and Networking Division (CTN-3)

LA-UR-07-3606
2
Objective
  • This presentation provides an introduction into a
    KVM implementation at the Los Alamos National
    Laboratory.  It has been showcased multiple times
    to other agencies and Laboratories across the
    complex because of its security advantages.  The
    presentation focuses on the system architecture
    and some of the tools developed for
    implementation.

3
Agenda
  • Introduction to KVM Technology
  • Weapons Engineering Computer Support Team
  • Weapons Engineering Vault Configuration
  • Questions

4
KVM (Keyboard Video and Mouse)
  • Keyboard, Video and Mouse at a user's desktop.
  • Stands for the technologies which retain personal
    computing advantages, while centralizing
    administration and physical location.
  • More Secure, cheaper to manage
  • No desktop CREM
  • Central locations streamline physical support
  • Always on enables effective remote system
    management

5
Technologies
  • 5 different KVM technologies available and
    implemented
  • Currently one size does not fit all
  • High end Graphics VIS-4 Logical Solutions
  • Low end Graphics VIS-1 Logical Solutions
  • ClearCube Point to Point Solution
  • ClearCube IP Solution
  • Matrix Switch Solution

6
Weapons Systems Secure Computing Environment
SRD COMPUTING
Office Secure Lock Box
System W/HD (Access control Approved or
Equivalent)
Remote Access SECURE PTS/Encrypted Approved
Users KVM Work Area (No Writable Media, NO USB)
7
WECS Team Secure Computing Overview
  • 589 KVM Units Implemented in WECS Support area
  • Service provided to over 800 classified users
  • 100 of classified desktop/workstations on a
    Non-CREM solution.
  • Machine controllers are the only machines left
    with a disk.

8
KVM installation at TA16-933
Using 1 unit high computers, the black devices
in the lower portion, and multi-fiber KVM units,
the beige units in the top half of the
rack. This installation eliminated 65 hard
drives that were previously stored in safes when
not in use. Furthermore, it eliminates user
access to CREM reading and writing devices.
9
Weapons Engineering Vault
  • Standard Weapon Systems vault Configuration

10
ClearCube Rack Configuration (Front side)
  • Using ClearCube Blade Technology we are able to
    support 80 blades per rack.
  • This rack installation also has 3 UPS units and 4
    PDUs

11
ClearCube Rack Configuration (Back side)
  • ClearCube IP based Blade Solutions

12
Logical Solutions/Dell 1850 Rack Configuration
(front)
  • Dell 1u servers/Logical Solutions
  • 16 users per Rack

13
Logical Solutions/Dell 1850 Rack Configuration
(Back)
Approved PTS Wire Separation (Power separated
from Video)
14
No Mass Storage Devices
  • Technology used only enumerates human interface
    devices (HID) such as mouse and keyboard at the
    client's workstation.
  • Physical hardware disablement through Jumper
    setting on motherboard.
  • Software USB disablement and monitoring on all
    KVM machines.
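
One way the software monitoring bullet above could be implemented on a Linux host, as an added example that is not from the presentation or from LANL's tooling. It assumes the Linux sysfs USB layout; the function names and the sample data are constructed for illustration.

```python
"""HID-only USB policy check. Added example; assumes Linux sysfs layout."""
import sys
from pathlib import Path

# USB-IF base class codes. Policy from the slide: only HID may enumerate.
# Hubs are allowed here as an assumption, since root hubs always appear.
ALLOWED = {0x03: "HID", 0x09: "hub"}
LABELS = {0x08: "mass storage", 0x06: "still image", 0x07: "printer",
          0xFF: "vendor specific"}

def read_interfaces(root="/sys/bus/usb/devices"):
    """Map each USB interface (e.g. '1-2:1.0') to its bInterfaceClass."""
    found = {}
    for f in Path(root).glob("*/bInterfaceClass"):
        try:
            found[f.parent.name] = int(f.read_text().strip(), 16)
        except (OSError, ValueError):
            found[f.parent.name] = None  # unreadable counts as a violation
    return found

def violations(interfaces):
    """Return (interface, class, label) for everything outside the policy.

    Checked per interface, not per device, so a composite device that
    presents a keyboard plus a storage interface is still reported.
    """
    out = []
    for name, cls in sorted(interfaces.items()):
        if cls in ALLOWED:
            continue
        label = "unreadable" if cls is None else LABELS.get(cls, "other")
        out.append((name, cls, label))
    return out

# Constructed sample: root hub, keyboard, mouse, and a composite device
# whose second interface is mass storage.
SAMPLE = {"1-0:1.0": 0x09, "1-1:1.0": 0x03, "1-2:1.0": 0x03,
          "1-3:1.0": 0x03, "1-3:1.1": 0x08}

if __name__ == "__main__":
    bad = violations(read_interfaces())
    for name, cls, label in bad:
        print(f"VIOLATION {name}: class {cls} ({label})")
    sys.exit(1 if bad else 0)
```

A non-zero exit status makes the check usable from a scheduled job that alerts when anything other than HID or hub interfaces appears.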

15
1u Workstations
  • Dell 1750, 1850, 1950
  • Dual core, dual 3.00 GHz processor, 4-8 GB RAM,
    High end Video
  • 32 bit and 64 bit Operating System
  • HP DL140 G3
  • Dual core, dual 3.00 GHz processor,
    4-8 GB RAM, High end Video
  • 32 bit and 64 bit Operating System

16
Point to Point KVM
  • Logical Solutions
  • VIS-4- Digital Fiber Optic Transceiver, receiver
    System
  • 1600x1200 Resolution
  • Up to 1,000 meters
  • VIS-8- Digital Fiber Optic Transceiver, receiver
    System, Dual Link
  • 1920x1200 resolution
  • Dual LCDs available
  • Up to 1,000 meters

17
Blades
  • New -- Model R1300
  • Intel 945G chipset
  • Single Dual Core Pentium 4
  • Integrated Intel GMA 950 Graphics
  • Integrated Gigabit Ethernet port
  • Secondary 10/100 Ethernet port
  • 8 Blades fit into a single Cage
  • USB 2.0 port on front and out back
  • PCI Express Video Option NVS285 w/ 128 MB VRAM
  • New -- Model R2200
  • Intel E7525 chipset w/ 800 MHz FSB
  • Dual Intel Xeon Processors with HT
  • 1 MB and 2 MB L2 Cache
  • Dual Gigabit Ethernet ports
  • Dual SATA II Hard Drives with HW Raid 0, 1
  • 4 Blades fit into a single Cage
  • NVIDIA Quadro NVS 285 (128 MB VRAM) Graphics
    PCI Express

18
Blade Infrastructure Chassis Connection
Modules
112 PC Blades per 42U Rack
New -- R4300 Series
19
I/Port Model I8330
  • Host
  • Software that runs on existing and future ClearCube
    blades
  • Runs on Windows XP and Windows 2000
  • Unique video compression and USB extension
    technology
  • Doesn't depend on MS RDP, but still runs over
    routable Ethernet
  • Supports multiple users per blade via virtual
    machines
  • (no WinConnect support)
  • Client
  • Fully embedded System-on-Chip solution (like the
    C/Port)
  • No configurable items (no OS, no removable
    memory or flash)
  • Supports streaming video and audio (best
    performance in a 320x240 window)
  • Managed by ClearCube Sentral

20
I/Port I8330 Connections
  • Single VGA output (1280x1024, 16-bit max
    resolution)
  • 10/100 Ethernet
  • PS/2 Mouse and Keyboard
  • Audio Out and Audio In for microphone use
  • 4 transparently extended USB ports (bulk-mode and
    interrupt-mode USB devices including mass
    storage, scanners, etc.)

21
Software
  • Key New Features
  • Combines previous generation tools into a single
    integrated console (5th generation)
  • Enterprise Scalability: Powerful Views and
    Dashboard let admins slice and dice their
    environments
  • Remote Browser-based access and User Roaming
  • Support for virtual machines
  • Modular architecture supports plug-in software
    modules for added functionality (Switching Module
    and Dynamic Allocation Module)
  • English and Japanese Localization

22
WECS TEAM KVM Visitors
  • Livermore National Laboratory
  • Sandia National Laboratory
  • Department of Energy LA, Abq., DC
  • Pantex
  • Savannah River
  • Nevada Test Site
  • University of California
  • Congressional Members
  • Many Divisions in the Laboratory
  • Acting NNSA Administrator
  • Department of Energy Chief of Staff

23
KVM
  • KVM technology has proven to be a secure and cost
    effective solution to the ACREM issue
  • Technology continues to evolve
  • LANL continues to evaluate improvements and
    development in media-less technologies

24
WECS Classified Computing Future
  • Implement new ClearCube I-PORT Technology
  • Cost effective (much cheaper than current KVM)
  • High end computing available for CAD users
  • Easier Maintenance
  • Potential for entry costs under 1K per user
    for non-engineering workers (multi-user
    computers)

25
Contact Information
  • Brian Martinez
  • CTN-3 Los Alamos National Laboratory
  • Phone 505-667-3940
  • E-mail Brianm_at_lanl.gov