
Datasheet
Cross Domain Security
Trusted Thin Client
Secure enterprise information access to multiple domains from a single device

Key Benefits
› Assessed and Authorized by authorities according to NIST guidelines in the US and Five-Eyes nations
› Supports DoD and IC VDI initiatives such as DoD Joint Information Environment (JIE): Mission Partner Environment (MPE)
› Commercial-Off-The-Shelf (COTS) solution
› Simultaneous access to multiple networks/clouds from a single endpoint
› Significant ROI through lower ownership costs (infrastructure, office space, power consumption and administration)
› Maximized security, usability and adaptability
› Flexible implementation options to meet the needs of your organization
› Streamlined administration through robust enterprise management capabilities
› Redisplay technology integration with industry standards such as Citrix
› Supports the use of Personal Identity Certificate (PIV), Common Access Card (CAC), SAC and SIPRtoken smartcards for identity management and access authorization to back end Microsoft Windows servers
› Supports Suite B cryptographic algorithms for all encrypted communications on the client network

forcepoint.com

Enabling secure access to sensitive data, applications, and networks

Government agencies know better than most how pervasive and costly (in lives, trust and money) cyberattacks and breaches can be. One basic method of defense is to ensure complete compartmentalization and data separation through physically separate network architectures. This security best practice is commonly referred to as "network segmentation."

While network segmentation does not ensure that hackers "stay out," it keeps them in one place should they breach the perimeter. Damage is therefore contained and only one domino can possibly "fall," not five, ten or 20,000. This is the essence of successful cyber risk management and resiliency.

As agencies have discovered, working in this secure-by-design environment has also led to high costs (hardware, power, and administration) and to usability and endpoint security burdens, because it requires one computer per network for each user.

This is no longer the case. Due to the increased adoption of virtualization to move desktop, application and data resources back into the datacenter, and to increased operating system security, physical separation can be maintained while permitting secure simultaneous access to allowed networks from a secure endpoint device.

Forcepoint Trusted Thin Client delivers the most robust combination of security, flexibility, usability and reduced total cost of ownership available to enable secure access to multiple sensitive networks.

Forcepoint Trusted Thin Client

Forcepoint Trusted Thin Client consists of two components: a Distribution Console and client software. The Distribution Console is the solution's server component and provides the physical connection to one or more single-level virtualized networks, maintaining separation between each.

The Distribution Console leverages the Common Criteria evaluated (EAL4+) Red Hat Enterprise Linux operating system with Security-Enhanced Linux (SELinux) to provide stringent security controls and maintain the necessary network/data separation. The client software communicates directly with the Distribution Console and provides secure, simultaneous access to permitted networks, applications and data. While providing connectivity to multiple security domains through common virtualization and desktop and application redisplay technologies (e.g., Citrix, Microsoft, VMware), each network has a separate physical network interface connection on the Distribution Console that is assigned the classification level of the domain.

[Figure: Forcepoint Trusted Thin Client Architecture. Network A, Network B and Network C, each with its own data storage servers, connect through the Distribution Console to Forcepoint Trusted Thin Client endpoints in a Virtual Access Implementation and a Remote Access Implementation.]

Security protections prevent data from being transferred between classification levels. The Distribution Console rejects all communications from unauthorized systems, reducing risk exposure to the enterprise.

Built for the enterprise

Designed and built to meet the needs of any enterprise deployment, Forcepoint Trusted Thin Client is the most secure yet flexible access solution available today, providing robust centralized management for multiple form factors, globally dispersed sites and thousands of users. Administrators are equipped with centralized administration and monitoring, scalability to easily add networks and clients, and the flexibility to enable access to users in offices, in-theater, and in the field from virtually any device.

Forcepoint's multi-network access technology, Trusted Thin Client, is currently in operation across a multitude of federal agencies including the DOD, DOJ, and IC, with over 160,000 access devices deployed around the globe. It has proven deployments of over 60 classification levels and the ability to easily add more classification levels and endpoints at any time. All IT resources, including endpoint updates, are easily managed through a central management console.

Restricted, high-risk installation environments

Environments that provide connection to high-risk networks, such as unclassified networks or the open Internet, are required to operate in a restricted manner. To enforce this requirement, Forcepoint Trusted Thin Client installation is modular based on your environment. Restricted, high-risk environments are installed with some features removed (Table 1).

FEATURE | SABI AVAILABILITY | TSABI AVAILABILITY
- USB Peripheral Redirection (thumb drive, optical reader/writer, printer, scanner)
- Video Playback through Multimedia Redirection (optimized) and Media Player application (*Video playback is available through Windows VDI sessions)
- HDX RealTime Optimization Pack for Lync - Skype for Business (*Skype for Business is available through Windows VDI sessions, non-optimized)
- Remote Distribution Console Administration via Private, Administration Network
Table 1: Features removed from SABI environments

Central administration, monitoring and auditing

The Distribution Console is the solution's administration and monitoring hub from which all Distribution Consoles, endpoints and users are administered through the Management Console application. It is recommended that all deployments utilize multiple Distribution Consoles to address server outages, scheduled maintenance and unexpected hardware failures.

Through the Management Console, administrators can administer any Distribution Console from any other Distribution Console in the enterprise, greatly reducing the need for on-site resources and the cost to transport administrators from site to site. Administrators configure clients to failover to redundant Distribution Consoles (on- or off-site) when necessary, allowing work to continue unabated.

The Distribution Console serves as a centralized audit repository for the client software to track use and activity. This audit data can be pushed to a centralized enterprise audit storage location.

User access controls (username, password, and clearance level) are validated by the Distribution Console through either hosted Lightweight Directory Access Protocol (LDAP), external high-side LDAP, or external high-side Microsoft Active Directory. Utilizing a pre-existing LDAP or Active Directory server eliminates the need to manage user accounts on the Distribution Console, further reducing administrative overhead.

Client user management

The Distribution Console provides all necessary configuration information for client initialization and communication services. This information contains relevant security data and allows the user to access the virtual environments. When a network at another security level or a new server is added to the Distribution Console, the information is automatically sent to each client, removing the need to locally manage or update individual clients.

Administrator role and account separation

Additional security controls are provided through granular administrator role and account separation. Each account is permitted only one role on the system, thus enforcing the requirement that multiple personnel provide checks and balances for privileged actions, system changes and system data access.

Support for multiple endpoint devices

In support of the variety of missions and users that make up an enterprise, the same client software can be implemented on different form factors: thin client hardware, PCs, laptop and hybrid devices, or a virtual machine resident on a host operating system. All recommended hardware is certified in-house by Forcepoint engineers.

All endpoint devices run a read-only, stateless, SELinux multi-level secure (MLS) operating system that meets the most stringent security requirements. Users interact with the security-enabled

Risk exposure is greatly reduced due to the read-only device, strict network and virtual desktop session separation, and the fact that Forcepoint Trusted Thin Client only provides a redisplay of data from the data center. Should malicious code make its way to a virtual desktop, these factors prevent it from moving from one network to another, greatly reducing the risk to the overall infrastructure.

With DC spanning you can connect to anywhere in the world, from anywhere in the world. For example, personnel located in Virginia can connect to a network in Korea. See Figure 2.