NSA hones secure desktop to run multiple OSes
After two years of development, the National Security Agency is hiring an auditor for its NetTop desktop technology, which isolates multiple levels of classified information on the same system.
'We're at an interesting point,' said Ed Bugnion, chief architect for VMware Inc. of Palo Alto, Calif., which developed the technology underlying NetTop. 'We're getting close to commercialization.'
NetTop integrates NSA's Security-Enhanced Linux operating system with VMware's Workstation 4, which sets up virtual machines to run multiple OSes simultaneously. By isolating the virtual machines from each other, NetTop can securely access classified and unclassified networks and run a variety of applications on the same hardware.
In announcing the program, NSA said NetTop could expand intelligence analysts' use of commercial software and eliminate the need for them to work at multiple machines.
NSA entered a two-year R&D agreement with VMware in January 2001 and has extended it for two more years. A second company, Platform Logic Inc. of Glenwood, Md., received a one-year contract to evaluate NetTop.
Security assessment
'We're going to assess some of the security aspects,' said Platform Logic president Homayoon Tajalli. The company, which develops intrusion-prevention software, has helped NSA and the Defense Information Systems Agency work on secure OSes. It will audit NetTop's functions and advise about software engineering.
VMware Workstation, which has been around since 1999, is in use at several intelligence agencies, Bugnion said. Because the OS and apps in each virtual machine are isolated from the underlying environment, snapshots can be captured for restoration in the event of an attack.
But security isn't the main reason for VMware Workstation. Most of its million-plus users are systems integrators, software developers and other power users, 'people who manipulate a variety of environments at the same time,' Bugnion said.
Workstation also is in use as an enterprise migration tool during OS upgrades. It can maintain legacy applications that have not been ported to the new OS.
'We believe that, going forward, security is going to be a more important part of our business,' Bugnion said.
Workstation originally had Linux as the host OS. 'Inside the virtual machines you can run the guest operating system of your choice,' Bugnion said.
Since then, VMware has added support for Microsoft Windows NT, 2000 and XP hosts. Workstation can run up to 16 guest OSes, although the average is four or five.
'It's a function of how much memory you have,' Bugnion said.
'Some of the NetTop requirements were incorporated on the Workstation release in April,' Bugnion said. The interface now gives visual cues for switching between virtual machines.
If and when NetTop becomes a product, the Workstation software will be incorporated into Security-Enhanced Linux rather than running on top of it. If NetTop wins NSA's blessing, Bugnion said, VMware would set up a separate division to sell the product.