Post on 15-Apr-2017
Selling CSfC Solutions: How to Position Cisco Products for CSfC Solutions
U//PROPIN
July 2015
What is CSfC?
Cisco Confidential © 2013-2014 Cisco and/or its affiliates. All rights reserved.
Commercial Solutions for Classified (CSfC) is an NSA IAD program: https://www.nsa.gov/ia/programs/csfc_program/
It was established to provide guidance and assistance to US Government customers on the use and implementation of Suite B for the protection of classified information in transit.
NSA has established an approved components list: https://www.nsa.gov/ia/programs/csfc_program/component_list.shtml
NSA has created several Capability Packages (CP) that dictate the design and configuration of the solution. The three most relevant to this guide are:
Virtual Private Network CP (VPN CP)
Mobile Access CP (MA CP)
Campus WLAN CP (WLAN CP)
CSfC Terms & Components
CSfC Key Concepts
Black Network - The transport network that carries data that has been encrypted twice (Internet, Private, MPLS)
Outer VPN - The first layer of VPN encryption, established between the Outer VPN components over the black network
Gray Network - The transport network that carries data that has been encrypted once
Inner VPN - The second layer of VPN encryption, established between the Inner VPN components over the gray network
Red Network - The unencrypted data behind the Inner VPN components
CSfC Key Concepts
Next-Generation Encryption (NGE) - NGE offers future-proof cryptography. Suite B ciphers are included.
Network Firewall - When possible, a firewall solution should be placed between network boundaries to ensure only the appropriate devices can communicate. Note, per the VPN CP, if a gray firewall is deployed, the gray firewall and the inner VPN gateway product must meet the criteria for implementation independence (i.e. ISR/ASR vs. ASA)
PKI Infrastructure - An Elliptic Curve Digital Signature Algorithm (ECDSA) based Certificate Authority (CA) is required on both the red and gray networks (separate PKI chains)
CSfC Key Concepts: Single Vendor Solution Potential
Implementation Independence/Cryptographic Diversity - Outer & Inner VPN components must have cryptographic diversity and meet NSA criteria for implementation independence
Customers assume a dual-vendor solution must be deployed in order to meet the cryptographic diversity requirements
A single-vendor solution can be deployed and is approved for use as long as the vendor can prove cryptographic diversity between the products
Specific Cisco products have met the criteria for implementation independence and are approved for use. For example, IOS/XE devices are approved and can be deployed with ASAs in a CSfC solution.
General Concept of Operation
Government encryption devices are replaced with approved high-assurance commercial encryption
Two layers of encryption with cryptographic diversity are required (Outer & Inner Tunnel)
[Diagram: Current HAIPE Operations - HAIPE crypto on each side of the transport network; CSfC equivalent - Inner VPN and Outer VPN on each side of the transport network]
Multiple Site CSfC Concept
[Diagram from the VPN CP: https://www.nsa.gov/ia/_files/VPN_CP_3_1.pdf]
CSfC Concept of Multiple Classifications
[Diagram from the VPN CP: https://www.nsa.gov/ia/_files/VPN_CP_3_1.pdf]
CSfC Trusted Integrator List
The program office has created a trusted integrator list defining the approved CSfC integrators
Customers must work with the trusted integrators to implement a CSfC solution
Integrators must apply and coordinate with the program office directly to become certified and approved
The latest list of trusted integrators is located at:
https://www.nsa.gov/ia/programs/csfc_program/trusted_integrators_list.shtml
CSfC Architectures
VPN CP - WAN/Campus VPN Solution - Option 1 - ASA Outer VPN with IOS/XE Inner VPN
VPN CP - WAN/Campus VPN Solution - Option 2 - IOS/XE Outer VPN with ASA Inner VPN
VPN CP - WLAN as Black Transport - ASA/AnyConnect Outer VPN with 3rd Party Inner VPN
MA CP - Mobile Device VPN Solution - ASA/AnyConnect IPSec Outer VPN with Application Inner VPN
WLAN CP - Wireless VPN Solution - Wireless Encryption for Outer VPN with ASA/AnyConnect Inner VPN
VPN Capability Package (VPN CP v3.1)
CSfC Architectures - VPN CP Multiple Sites
[Diagram from the VPN CP: https://www.nsa.gov/ia/_files/VPN_CP_3_1.pdf]
VPN CP - Cisco WAN/Campus VPN Solution, Option 1 - ASA Outer VPN with IOS/XE Inner VPN
[Diagram: IOS/XE Router (Inner VPN) - ASA 5500-X (Outer VPN) - Black Transport - ASA 5500-X (Outer VPN) - IOS/XE Router (Inner VPN). Outer Tunnel: IPSec, Suite B/NGE. Inner Tunnel: IPSec/GRE, Suite B/NGE.]
VPN CP - Cisco WAN/Campus VPN Solution, Option 1 - Architectural Benefits & Challenges
Inner VPN (IOS/XE) routers provide advanced routing on the red network (EGP, IGP, Multicast, MPLS etc.)
Inner VPN (IOS/XE) routers provide tunneling & encapsulation/decapsulation capabilities on the red network (Multicast, GRE etc.)
Preferred solution for Multicast transport
Standard IOS/XE features, such as QoS, NetFlow and other solutions, can be deployed on the routers on the red network
Potential to place an ASA-X or FirePOWER (3D) solution as the gray packet firewall if multiple classifications will be tunneled over the base architecture. The ASA/FirePOWER firewall & inner VPN gateway (IOS/XE) are diverse
Scaling hardware to fit high-bandwidth requirements can be a challenge
VPN CP - Cisco WAN/Campus VPN Solution, Option 1 - Notes
Cisco has a manufacturer diversity letter allowing a single vendor for IOS/XE & ASA
Position the ASA 5500-X Next-Generation firewall with Premium license for the Suite B/NGE Outer VPN
Position UCS Compute for all compute services (PKI, AD etc.)
Position ACS for configuration change detection & logging requirements
Position FireSIGHT MC, FirePOWER IPS, AMP Private Cloud & Lancope on the red network
Potential for LiveAction on the gray/black network
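The Option 1 inner tunnel as it would be expressed on the IOS/XE router, added here as an illustration and not taken from the deck or from Cisco's CSfC documentation: IKEv2 restricted to NGE algorithms (AES-GCM-256, SHA-384 PRF, ECP-384 group), ECDSA certificate authentication against the red-network CA, and GRE over IPSec on a tunnel interface. Trustpoint, profile and interface names, addresses and the peer FQDN are assumed placeholders; the exact algorithm set a deployment must use is whatever the VPN CP and the component listing require.

```cisco
! Red-network PKI: ECDSA trustpoint (CA URL, names and subject are placeholders)
! Key pair generated beforehand with: crypto key generate ec keysize 384 label INNER-GW-EC384
crypto pki trustpoint RED-ECDSA-CA
 enrollment url http://red-ca.example.com:80
 subject-name CN=inner-gw1.example.com
 revocation-check crl
 eckeypair INNER-GW-EC384
!
! IKEv2 proposal/policy: AEAD cipher, so no separate integrity algorithm; SHA-384 PRF, ECP-384 DH
crypto ikev2 proposal NGE-PROPOSAL
 encryption aes-gcm-256
 prf sha384
 group 20
!
crypto ikev2 policy NGE-POLICY
 proposal NGE-PROPOSAL
!
! Certificate-only authentication in both directions, anchored to the red-network CA
crypto ikev2 profile INNER-VPN-PROFILE
 match identity remote fqdn domain example.com
 identity local fqdn inner-gw1.example.com
 authentication local ecdsa-sig
 authentication remote ecdsa-sig
 pki trustpoint RED-ECDSA-CA
!
! ESP with AES-GCM-256 and PFS on the same EC group
crypto ipsec transform-set NGE-TS esp-gcm 256
 mode tunnel
!
crypto ipsec profile INNER-IPSEC
 set transform-set NGE-TS
 set pfs group20
 set ikev2-profile INNER-VPN-PROFILE
!
! GRE tunnel to the remote inner gateway, protected by the IPSec profile above.
! The ASA Outer VPN sits between this router and the black transport and encrypts
! the already-encrypted traffic a second time.
interface Tunnel0
 description Inner VPN (red side) to site B
 ip address 10.255.0.1 255.255.255.252
 tunnel source GigabitEthernet0/0
 tunnel destination 192.0.2.2
 tunnel protection ipsec profile INNER-IPSEC
```

The multicast and routing features the slide lists (EGP/IGP, MPLS, QoS, NetFlow) are then applied to Tunnel0 and the red-side interfaces like any other IOS/XE router.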
VPN CP - WAN/Campus VPN Solution, Option 2 - IOS/XE Outer VPN with ASA Inner VPN
[Diagram: ASA 5500-X (Inner VPN) - IOS/XE Router (Outer VPN) - Black Transport - IOS/XE Router (Outer VPN) - ASA 5500-X (Inner VPN). Outer Tunnel: IPSec/GRE, Suite B/NGE. Inner Tunnel: IPSec, Suite B/NGE.]
VPN CP - Cisco Secure WAN/Campus VPN Solution, Option 2 - Architecture Benefits & Challenges
Outer VPN (IOS/XE) routers provide advanced routing functions (EGP, IGP, etc.) on the transport network
Outer VPN (IOS/XE) routers provide tunnel encapsulation/decapsulation functions (GRE, MPLS etc.) on the transport network
Standard IOS/XE features, such as QoS, NetFlow and other solutions, can be deployed on the routers on the transport network
Potential to position FirePOWER 3D IPS as the gray firewall, since the inner VPN gateway and firewall (ASA) are diverse (multi-classification requirement)
Scaling hardware to fit high-bandwidth requirements can be a challenge
VPN CP - Cisco Secure WAN/Campus VPN Solution, Option 2 - Notes
Cisco has a manufacturer diversity letter allowing a single vendor for IOS/XE/ASA
Position the ASA 5500-X Next-Generation firewall with Premium license for Suite B/NGE as the Inner VPN. With AnyConnect 4.0, use the Apex license. Note: standards-based IKEv2 clients do not require the Premium/Apex license
Position UCS Compute for all compute services
Position ACS for configuration change detection requirements
Position FireSIGHT MC, FirePOWER IPS, AMP Private Cloud & Lancope on the red network
Potential for LiveAction on the gray/black network
VPN CP - Remote Access VPN: WLAN as Black Transport
CSfC Architectures - VPN CP with End User Device (EUD)
[Diagram from the VPN CP, not reproduced in this transcript]
VPN CP - Cisco WLAN as Black Transport - AC/ASA Outer VPN with 3rd Party IPSec Inner VPN
[Diagram: Client/Hypervisor running the AnyConnect IPSec VPN (outer) and a 3rd-party IPSec VPN (inner) - Cisco Wireless WLC w/ APs - ASA 5500-X. Outer Tunnel: IPSec, Suite B/NGE. Inner Tunnel: IPSec, Suite B/NGE.]
VPN CP - WLAN as Black Transport - Architecture Benefits & Challenges
This solution positions the WLAN as a black transport and follows the VPN CP design, rather than the WLAN CP, which counts the client/AP encryption as an accountable outer VPN layer
Users can roam across networks (local, hotel, LTE etc.) and utilize the same certified VPN overlay solution
This approach reduces TCO by allowing the WLAN to be used as transport for multiple networks
The VPN CP is considered less cumbersome to install, operate and maintain than the WLAN CP
VPN CP - Cisco Wireless Solution, Wireless as Black Transport - Notes
Position the ASA 5500-X Next-Generation firewall with Premium license for the Suite B/NGE Outer VPN. With AC 4.0, use Apex licensing. Note: standards-based IKEv2 clients do not require the Premium/Apex license
Gray firewall (ASA) and inner VPN gateway are diverse (multi-classification requirement)
Position UCS Compute for all compute services
Position ACS for configuration change detection requirements
Position FireSIGHT MC, FirePOWER IPS, AMP Private Cloud & Lancope on the red network
Potential for LiveAction on the gray/black network
VPN Package End User Device (EUD) Requirements
The inner and outer VPN clients must come either from different vendors, or from the same vendor where the program office has determined implementation independence (manufacturer/cryptographic library diversity)
EUD vendor diversity requirements are the easiest way for other vendors to get their products into the architecture!
Customers often feel that, because of the EUD requirements, they must use another vendor's product (i.e. Aruba controller w/ VIA client). Combat this by positioning strongSwan. strongSwan is an open source VPN client
Educate the customer that open source products are not listed on the CSfC APL, but they can still be used in a CSfC architecture
Android, iOS & Microsoft native VPN clients are approved for use
Android & iOS WLAN clients are approved for use
Position/reference the SecureView architecture; SecureView is already an AFRL Program of Record
Mobile Access Capability Package (MA CP v1.0)
Mobile Access CP Key Concepts
The same black/gray/red, inner/outer VPN & PKI nomenclature is also referenced in the MA CP
TLS Server/Client - Application-specific TLS encryption components
SRTP - Secure Real-time Transport Protocol, deployed to encrypt voice and video
VPN EUD - End user device that uses the VPN client and VPN gateway components
TLS EUD - End user device that uses the TLS/SRTP client and TLS/SRTP gateway components
Outer/Gray/Inner Firewall - The MA CP introduces a firewall at the black/gray/red boundaries
CSfC Architectures - MA CP
[Diagram from the MA CP: https://www.nsa.gov/ia/_files/MA_CP_v1.0.pdf]
Mobile Access CP - Cisco Mobile VPN Solution - AC/ASA Outer VPN with TLS/SRTP Inner
[Diagram: AnyConnect IPSec VPN EUD (TLS/SRTP client) - Transport - Outer Firewall (ASA 5500-X) - Outer VPN gateway (ASA 5500-X or IOS/XE*) - Inner Firewall (ASA 5500-X) - TLS Server / SRTP endpoint. Outer Tunnel: IPSec, Suite B/NGE. Inner Tunnel: TLS/SRTP. TLS encryption for call-control & signaling, SRTP encryption for media.]
*Could be either ASA or IOS/XE
MA CP - Cisco Secure Mobile VPN Solution - Notes
This design follows the VPN overlay over black transport model
AnyConnect IPSec VPN with ASA or IOS/XE for the outer VPN; it is preferred to use the ASA for AnyConnect VPN termination
TLS/SRTP or IPSec VPN is established for the inner VPN
Gray firewall and inner VPN gateway are diverse
Position UCS Compute for all compute services
Position ACS for configuration change detection requirements
Position FireSIGHT MC, FirePOWER IPS, AMP Private Cloud & Lancope on the red network
Potential for LiveAction on the gray/black network
Campus WLAN Capability Package - WLAN CP (v1.1)
WLAN CP Key Concepts
The same black/gray/red, inner/outer VPN & PKI nomenclature is also referenced in the WLAN CP
Wireless System - Includes the access points and wireless controllers
Authentication Server - The server that performs device/client authentication (i.e. AD/RADIUS)
WLAN Client - Includes the WLAN supplicant used for WLAN authentication etc.
VPN Gateway/Client - Includes the inner VPN IPSec components
WIDS/wIPS - The wireless Intrusion Detection/Prevention Systems
CSfC Architectures - WLAN CP
[Diagram from the WLAN CP: https://www.nsa.gov/ia/_files/Campus_WLAN.pdf]
WLAN CP - Cisco Solution - Wireless Encryption Outer VPN, AC/ASA Inner VPN
[Diagram: Wireless Supplicant + AnyConnect IPSec VPN Client - Cisco AP (wIPS/IDS) - CAPWAP DTLS - 5500 WLC - ASA 5500-X; Prime Infrastructure, Mobility Services Engine (MSE), aWIPS. Outer Tunnel: WPA2-AES. Inner Tunnel: IPSec, Suite B/NGE.]
* Cisco has requested a single-vendor diversity letter for AireOS with ASA/AC
WLAN CP - Cisco Secure Wireless VPN Solution, Wireless Encryption - Notes
This approach allows the use of client/AP/controller-based encryption as an accountable outer VPN layer, rather than following the VPN CP model
WPA2-AES over-the-air encryption is enabled between client and access point, providing the outer VPN
CAPWAP DTLS AES encryption is enabled between the AP and controller for both the control and data plane
AnyConnect Suite B IPSec VPN with ASA provides the inner VPN
Standard wireless deployment on the gray network - Prime, MSE, wIPS etc.
WLAN CP - Cisco Secure Wireless VPN Solution, Wireless Encryption - Notes
Per current WLAN CP guidance, the wireless system and VPN gateway/client must have implementation independence. Cisco has requested a single-vendor letter supporting the use of AireOS and ASA/AC, similar to the IOS/XE/ASA VPN CP design
Per current WLAN CP guidance, the authentication server and VPN gateway/client must have implementation independence. Customers can deploy another vendor's authentication server (AD/RADIUS) in conjunction with ASA/AC
Per current WLAN CP guidance, the WLAN client and VPN gateway/client must have implementation independence. Customers can easily deploy another vendor's WLAN client with the AnyConnect VPN client
WLAN CP - Cisco Secure Wireless VPN Solution, Wireless Encryption - Notes
Per current WLAN CP guidance, the wireless system must be dedicated to a single network classification
Position UCS Compute for all compute services
Position ACS for configuration change detection requirements
Position FireSIGHT MC, FirePOWER IPS, AMP Private Cloud & Lancope on the red network
Potential for LiveAction on the gray/black network
Future wireless solutions will support AES-GCM for over-the-air encryption
Position Cisco Integrated wIDS to meet the Wireless IDS requirements
Consider the Windows NPS Authentication Server for the Suite B form of EAP-TLS (TLS 1.2)
Potential Future Solutions
MACsec - Cisco is pursuing approval to allow the use of MACsec as an accountable layer of encryption. Products include the ASR 1/9k and potentially the Catalyst products
Software-Based Solutions - The program office is still trying to determine the best way to certify the CSR1K, ASAv & ESR 5921 software-based solutions. Note, the ESR 5921 is listed as an approved VPN client on the CSfC list
Optical Encryption - Wire Speed Encryption (WSE) line card. Potential to get this certified as a layer of encryption. Customers can pursue certification with the CSfC program office directly
Today, CUCM 10.5.2 supports NGE & CUCM 11.0 supports ECDSA
Capability Package Challenges
Customers now have to implement and manage two separate PKI infrastructures
Today, the only approved CA vendor is Microsoft (the systems team is usually the O&M)
AAA Server - ISE does not support EC enrollment today
WLAN CP requirement that the WLAN authentication server and VPN gateway come from different vendors, and that the vendors are not a subsidiary of each other
From the VPN CP: "Devices shall use Enrollment over Secure Transport (EST) as detailed in IETF RFC 7030 for certificate management." Not widely supported today; ISE and other products are on the support roadmap
CSfC FAQs
Q: Can a CSfC solution be deployed to replace PDS?
A: Yes, and there is a strong business case for doing so. However, local policy justification and cost analysis would need to be completed; this is a feasible replacement solution.
Q: Can I use a CSfC solution on coalition networks?
A: Yes, and this is an ideal solution for networks where Foreign Nationals are involved and the customer may currently be utilizing CCI devices for protection of information in transit to foreign nationals. Examples would be networks such as CENTRIXS, CMN, BICES, or any other enclave-based networks where foreign nationals connect.
FAQs (Continued)
Q: Can I remove my Type-1/TACLANE/HAIPE device on both SIPR & JWICS?
A: It is possible, but there are several factors that determine whether this is appropriate. Do you have a DAA and IA team that agree this makes sense? US National (CNSSP-15) policy provides that protection of NSS shall utilize Suite B solutions for protection of information systems; however, your customer must understand that for networks such as SIPR and JWICS they are part of a broader information protection boundary that is owned by an external organization, meaning that they must seek permission and consult directly with the accrediting agency first before attempting to remove ANY current encryption.
Questions?
Cisco CSfC Team
csfc@cisco.com