Securely booting from strangest of places
FOSE vendors display a new crop of devices for booting from USB keys and portable hard drives
- By Joab Jackson
- Mar 12, 2009
Could FOSE 2009 be remembered as the year of the bootable portable drive? On the show floor, a number of vendors are displaying either USB drives, enclosed hard drives or other portable media from which an entire operating system and associated application can booted.
FOSE 2009 news index
Although aimed at different segments of government, in effect, all these products perform a similar task: They can turn any computer into a secured thin client -- namely, by bypassing the OS and the hard drive entirely and using only the processor and memory to run a guest OS.
BeCrypt (Booth 2231) offers a USB key with a complete operating environment as a way to run a secure session on an unmanaged PC. Insert the drive in a USB port and configure the laptop to boot from the USB, and the hard drive is bypassed altogether in favor of the software on the USB stick.
The USB drive, called the BeCrypt Trusted Client, contains a stripped-down version of Linux, along with any applications you want to run. This setup would allow a government worker to run a secure session from anywhere by using the basic secure OS along with downloadable applications provided by Citrix software or some other client. The material on the drive is encrypted with either 128 bit or 256 bit Advanced Encryption Standard (AES). This device costs $100, though there is a discount with purchase of multiple devices.
Along the same lines, but using a rugged portable hard drive and rugged casing, is the V2 ABS Rugged Backup System from CMS Products (Booth #2241). It encloses an 80-gigabyte Seagate EE25 Series ruggedized hard drive within a rubberized shock control sleeve. The drive itself has a shock rating of 300 Gs operating and 900 Gs when not in use, it can work in temperatures ranging from 20 degrees below zero to 75 degrees centigrade. It can range in altitude (m) from 5000m operating to 15,000 non-operating. Everything on the drive is encrypted with 256-bit AES file-level encryption.
What makes this drive bootable is that it comes with backup and recovery software called BounceBack. With this software, you can copy everything from the main drive of a desktop computer and perform incremental backups thereafter. When the hard drive fails, plug this portable drive in to the USB port and you can boot directly into the backup.
If you don't need rugged, you could just buy the BounceBack software and back everything up to your own USB key or portable hard drive. This approach may be particularly appealing for remote workers who aren't technically astute. Should the hard drive fail, the user can simply switch to the backup drive and continue working until tech support can replace the original drive. When the original drive is replaced, then everything can be copied back over.
For the security-conscious, MXI Security (booth 2223) does these offerings one better with a couple of bootable USB drives that use Common Access Card-level user authentication out of the box. The Access CAC is a USB drive with fingerprint reader, as well as the ability to hold CAC public key infrastructure credentials. The user can set up the device to allow access to its files only by a combination of a fingerprint biometric and a password. Or, if that drive is attached to a computer with a CAC reader on a Defense Department network, access can be granted through CAC authentication. Or, the CAC could be used with the biometric and the password for three-factor authentication.
Like the other portable drives, Access CAC can hold an OS that be booted from. MXI uses a VMWare container, so you can load your choice of OS onto the drive. The authentication is done in the pre-boot stage. And like the other portable drives here, the material is encrypted, so the content of the drive cannot be access by outside parties, should the drive be lost or stolen. Access CAC will be commercially available next month, with a basic price of $39 per drive. Drives can range in size from a single gigabyte to 32 gigabytes.
For the CAC access to work, Access CAC drive must be used on a computer with a smart-card reader and the middleware. MXI is also preparing a similar drive, to be called the Portable CAC Personal Identification Verification (PIV) system, which eliminates the need for CAC middleware on the client. A worker who wants to sign onto a Defense Department network from a public machine would just insert a USB drive, and attach a smart card reader into another USB port. The MXI software will act as go-between for the card reader and the network CAC identification service. Once verified, the drive's OS is booted up and the worker can use that guest computer in a secure fashion.
Booting from CD is another option, and increasingly, we are seeing a number of what is known as live CDs, or CDs that contain an entire OS that can be loaded into working memory without touching the hard drive at all.
Live CDs can be really useful for taking a new OS on a test-run. For instance, one of the biggest hurdles for newcomers trying the Linux desktop on their own computers is the worry that once the installation process has started, something will go wrong. Perhaps the graphics card or the wireless adapter won't work correctly in the new setup, and the poor individual who tried installing Linux now must go and reinstall Microsoft Windows.
To get a taste of desktop Linux, stop by the Northern Virginia Linux Users Group booth (#2536). They have free live CDs of the latest Fedora (Release 10) and Canonical's Ubuntu (8.10) Linux distributions for desktop computers. With one of these live CDs, you simply insert the disk and set the computer BIOS to boot from the optical disk player, and the entire Linux desktop environment comes up. If you find everything to your liking, you can then install the distribution on your hard drive.
Joab Jackson is the senior technology editor for Government Computer News.