Selling CSfC Solutions


Transcript of Selling CSfC Solutions

Page 1: Selling CSfC Solutions

Selling CSfC Solutions: How to Position Cisco Products for CSFC Solutions

U//PROPIN

July 2015

Page 2: Selling CSfC Solutions

What is CSFC?


Page 3: Selling CSfC Solutions

Cisco Confidential 3© 2013-2014 Cisco and/or its affiliates. All rights reserved.

Commercial Solutions for Classified (CSfC) - NSA IAD Program: https://www.nsa.gov/ia/programs/csfc_program/

Established to provide guidance and assistance to US Government customers on the use and implementation of Suite B for protection of classified information in transit

NSA has established an approved components list: https://www.nsa.gov/ia/programs/csfc_program/component_list.shtml

NSA has created several Capability Packages (CP) that dictate the design and configuration of the solution. The three most relevant to this guide are:

Virtual Private Network CP (VPN CP)

Mobile Access CP (MA CP)

Campus WLAN CP (WLAN CP)

What is CSfC?

Page 4: Selling CSfC Solutions

CSFC Terms & Components


Page 5: Selling CSfC Solutions


Black Network - The transport network that carries data that has been encrypted twice (Internet, Private, MPLS)

Outer VPN - The first layer of VPN encryption between Outer VPN components established over the black network

Gray Network - The transport network that carries data that has been encrypted once

Inner VPN - The second layer of VPN encryption established between the gray VPN components

Red Network - The unencrypted data behind the Inner VPN components

CSfC Key Concepts

Page 6: Selling CSfC Solutions


Next-Generation Encryption (NGE) - NGE offers future-proof cryptography. Suite B Ciphers are included.

Network Firewall - When possible, a firewall solution should be placed between network boundaries to ensure only the appropriate devices can communicate. Note, per the VPN CP, if a gray firewall is deployed, the gray firewall and inner VPN gateway product must meet the criteria for implementation independence (i.e. ISR/ASR vs. ASA)

PKI Infrastructure - An Elliptic Curve Digital Signature Algorithm (ECDSA) based Certificate Authority (CA) is required on both the red and gray networks (separate PKI chains)

CSfC Key Concepts

Page 7: Selling CSfC Solutions


Implementation Independence/Cryptographic Diversity - Outer & Inner VPN components must have cryptographic diversity and meet NSA criteria for implementation independence

Customers assume a dual-vendor solution must be deployed in order to meet the cryptographic diversity requirements

A single vendor solution can be deployed and is approved for use as long as the vendor can prove cryptographic diversity between the products

Specific Cisco products have met the criteria for implementation independence and are approved for use. For example, IOS/XE devices are approved and can be deployed with ASAs in a CSFC solution.

CSfC Key Concepts: Single Vendor Solution Potential
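The layering and diversity rules on the preceding slides (two encryption layers, outer/inner cryptographic diversity by different vendor or an implementation-independence letter, a gray firewall that is diverse from the inner VPN gateway, and separate ECDSA CA chains on red and gray) can be turned into a design check. This is an added example, not Cisco or NSA code; the component names, the `DIVERSITY_LETTERS` table and `option1_design()` are constructed for illustration.

```python
from dataclasses import dataclass, field
from typing import Dict, FrozenSet, List, Optional, Set, Tuple


@dataclass(frozen=True)
class Component:
    """One encryption or firewall component in the proposed design."""
    name: str
    vendor: str
    platform: str  # cryptographic implementation family, e.g. "IOS/XE" or "ASA"


# Same-vendor platform pairs covered by an implementation-independence
# (manufacturer diversity) letter. Constructed from the deck's statement that
# IOS/XE and ASA are approved together; extend with real letters as obtained.
DIVERSITY_LETTERS: Set[FrozenSet[str]] = {frozenset({"IOS/XE", "ASA"})}


def diverse(a: Component, b: Component,
            letters: Set[FrozenSet[str]] = DIVERSITY_LETTERS) -> bool:
    """Different vendors always count; the same vendor needs a letter for the pair."""
    if a.vendor != b.vendor:
        return True
    return frozenset({a.platform, b.platform}) in letters


@dataclass
class Design:
    layers: List[Component]                      # ordered outer -> inner
    gray_firewall: Optional[Component] = None
    cas: Dict[str, Tuple[str, str]] = field(default_factory=dict)  # network -> (CA name, sig alg)


def check_design(d: Design) -> List[str]:
    """Return the list of findings; an empty list means the design passes."""
    findings: List[str] = []
    if len(d.layers) != 2:
        findings.append(f"expected two encryption layers, found {len(d.layers)}")
    else:
        outer, inner = d.layers
        if not diverse(outer, inner):
            findings.append(f"outer {outer.name} and inner {inner.name} lack cryptographic diversity")
        if d.gray_firewall is not None and not diverse(d.gray_firewall, inner):
            findings.append(f"gray firewall {d.gray_firewall.name} not independent of inner VPN {inner.name}")
    for net in ("red", "gray"):
        if net not in d.cas:
            findings.append(f"no CA defined for the {net} network")
        elif d.cas[net][1].upper() != "ECDSA":
            findings.append(f"{net} CA uses {d.cas[net][1]}, ECDSA required")
    if "red" in d.cas and "gray" in d.cas and d.cas["red"][0] == d.cas["gray"][0]:
        findings.append("red and gray networks share one PKI chain; separate CAs required")
    return findings


def option1_design() -> Design:
    """The deck's Option 1: ASA outer VPN, IOS/XE inner VPN, ASA gray firewall (constructed names)."""
    return Design(
        layers=[Component("outer-asa", "Cisco", "ASA"),
                Component("inner-isr", "Cisco", "IOS/XE")],
        gray_firewall=Component("gray-fw", "Cisco", "ASA"),
        cas={"red": ("red-ca", "ECDSA"), "gray": ("gray-ca", "ECDSA")},
    )


if __name__ == "__main__":
    for line in check_design(option1_design()) or ["design passes"]:
        print(line)
```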

Page 8: Selling CSfC Solutions


General Concept of Operation

Government encryption devices are replaced with approved high assurance commercial encryption

Two layers of encryption with cryptography diversity are required (Outer & Inner Tunnel)

[Diagram: Current HAIPE Operations - HAIPE crypto at each end of the transport network, compared with the CSfC model of an Outer VPN and Inner VPN at each end of the transport network]

Page 9: Selling CSfC Solutions

Multiple Site CSFC Concept

https://www.nsa.gov/ia/_files/VPN_CP_3_1.pdf

Page 10: Selling CSfC Solutions

CSFC Concept of Multiple Classifications

https://www.nsa.gov/ia/_files/VPN_CP_3_1.pdf

Page 11: Selling CSfC Solutions

CSFC Trusted Integrator List


Page 12: Selling CSfC Solutions


The program office has created a trusted integrator list defining the approved CSFC integrators

Customers must work with the trusted integrators to implement a CSFC solution

Integrators must apply and coordinate with the program office directly to become certified and approved

The latest list of trusted integrators is located at:

https://www.nsa.gov/ia/programs/csfc_program/trusted_integrators_list.shtml

CSFC Trusted Integrator List

Page 13: Selling CSfC Solutions

CSFC Architectures


Page 14: Selling CSfC Solutions


VPN CP - WAN/Campus VPN Solution - Option 1 - ASA Outer VPN with IOS/XE Inner VPN

VPN CP - WAN/Campus VPN Solution - Option 2 - IOS/XE Outer VPN with ASA Inner VPN

VPN CP - WLAN as Black Transport - ASA/AnyConnect Outer VPN with 3rd Party Inner VPN

MA CP - Mobile Device VPN Solution - ASA/AnyConnect IPSec Outer VPN with Application Inner VPN

WLAN CP - Wireless VPN Solution - Wireless Encryption for Outer VPN with ASA/AnyConnect Inner VPN

CSfC Architectures

Page 15: Selling CSfC Solutions

VPN Capability Package (VPN CP v3.1)


Page 16: Selling CSfC Solutions

CSfC Architectures - VPN CP Multiple Sites

https://www.nsa.gov/ia/_files/VPN_CP_3_1.pdf

Page 17: Selling CSfC Solutions

VPN CP - Cisco WAN/Campus VPN Solution, Option 1 - ASA Outer VPN with IOS/XE Inner VPN

[Diagram: Outer Tunnel - IPsec, Suite B/NGE, between ASA 5500-X pairs across the Black Transport; Inner Tunnel - IPsec/GRE, Suite B/NGE, between IOS/XE Routers]

Page 18: Selling CSfC Solutions


Inner VPN (IOS/XE) routers provide advanced routing on the red network (EGP, IGP, Multicast, MPLS etc.)

Inner VPN (IOS/XE) routers provide tunneling & encapsulation/decapsulation capabilities on the red network (Multicast, GRE etc.)

Preferred solution for Multicast transport

Standard IOS/XE features, such as QoS, NetFlow and other solutions can be deployed on the routers on the red network

Potential to place an ASA-X or FirePOWER (3D) solution as the Gray packet firewall if multiple classifications will be tunneled over the base architecture. The ASA/FirePOWER firewall & inner VPN gateway (IOS/XE) are diverse

Scaling hardware to fit high-bandwidth requirements can be a challenge

VPN CP - Cisco WAN/Campus VPN Solution, Option 1 - Architectural Benefits & Challenges

Page 19: Selling CSfC Solutions

Cisco has a manufacturer diversity letter allowing a single vendor for IOS/XE & ASA

Position the ASA 5500-X Next-Generation firewall with Premium license for Suite B/NGE Outer VPN

Position UCS Compute for all compute services (PKI, AD etc.)

Position ACS for configuration change detection & logging requirements

Position FireSIGHT MC, FirePOWER IPS, AMP Private Cloud & Lancope on red network

Potential for LiveAction on gray/black network

VPN CP - Cisco WAN/Campus VPN Solution, Option 1 - Notes

Page 20: Selling CSfC Solutions

VPN CP - WAN/Campus VPN Solution, Option 2 - IOS/XE Outer VPN with ASA Inner VPN

[Diagram: Outer Tunnel - IPsec/GRE, Suite B/NGE, between IOS/XE Routers across the Black Transport; Inner Tunnel - IPsec, Suite B/NGE, between ASA 5500-X pairs]

Page 21: Selling CSfC Solutions


Outer VPN (IOS/XE) routers provide advanced routing functions (EGP, IGP, etc.) on the transport network

Outer VPN (IOS/XE) routers provide tunnel encapsulation/decapsulation functions (GRE, MPLS etc.) on the transport network

Standard IOS/XE features, such as QoS, NetFlow and other solutions can be deployed on the routers on the transport network

Potential to position FirePOWER 3D IPS as Gray firewall since inner VPN gateway and firewall (ASA) are diverse (Multi-classification requirement)

Scaling hardware to fit high-bandwidth requirements can be a challenge

VPN CP - Cisco Secure WAN/Campus VPN Solution, Option 2 - Architecture Benefits & Challenges

Page 22: Selling CSfC Solutions

Cisco has a manufacturer diversity letter allowing a single vendor for IOS/XE/ASA

Position the ASA 5500-X Next-Generation firewall with Premium license for Suite B/NGE as the Inner VPN. With AnyConnect 4.0, use the Apex license. Note: standards-based IKEv2 clients do not require a Premium/Apex license

Position UCS Compute for all compute services

Position ACS for configuration change detection requirements

Position FireSIGHT MC, FirePOWER IPS, AMP Private Cloud & Lancope on red network

Potential for LiveAction on gray/black network

VPN CP - Cisco Secure WAN/Campus VPN Solution, Option 2 - Notes

Page 23: Selling CSfC Solutions

VPN CP: Remote Access VPN

WLAN as Black Transport

Page 24: Selling CSfC Solutions


CSfC Architectures - VPN CP with End User Device (EUD)


Page 25: Selling CSfC Solutions


VPN CP - Cisco WLAN as Black Transport - AC/ASA Outer VPN with 3rd Party IPSec Inner VPN

[Diagram: Outer Tunnel - IPsec, Suite B/NGE, from the AnyConnect IPsec VPN client to the ASA 5500-X across Cisco Wireless (WLC with APs); Inner Tunnel - IPsec, Suite B/NGE, from a 3rd party IPsec VPN on the client/hypervisor to the inner VPN gateway]

Page 26: Selling CSfC Solutions


This solution positions the WLAN as a black transport and follows the VPN CP design vs. the WLAN CP that considers the client/AP encryption as an accountable outer VPN layer

Users can roam across networks (local, hotel, LTE etc.) and utilize the same certified VPN overlay solution

This approach reduces TCO by allowing the WLAN to be used as transport for multiple networks

VPN CP is considered less cumbersome to install, operate and maintain compared to the WLAN CP

VPN CP - WLAN as Black Transport Architecture Benefits & Challenges


Page 27: Selling CSfC Solutions

Position the ASA 5500-X Next-Generation firewall with Premium license for Suite B/NGE for Outer VPN. With AC 4.0, use Apex licensing. Note: standards-based IKEv2 clients do not require a Premium/Apex license

Gray firewall (ASA) and inner VPN gateway are diverse (Multi-classification requirement)

Position UCS Compute for all compute services

Position ACS for configuration change detection requirements

Position FireSIGHT MC, FirePOWER IPS, AMP Private Cloud & Lancope on red network

Potential for LiveAction on gray/black network

VPN CP - Cisco Wireless Solution, Wireless as Black Transport - Notes

Page 28: Selling CSfC Solutions


The inner and outer VPN clients must come from either: different vendors or the same vendor where the program office has determined implementation independence (manufacturer/cryptographic library diversity)

EUD vendor diversity requirements are the easiest way for other vendors to get their products in to the architecture!

Customers often feel that because of EUD requirements, they must use another vendor's product (i.e. Aruba controller w/ VIA client). Combat this by positioning strongSwan. strongSwan is an open source VPN client

Educate the customer that open source products are not listed on the CSfC APL but they can still be used in a CSfC Architecture

Android, iOS & Microsoft native VPN clients are approved for use

Android & iOS WLAN clients are approved for use

Position/reference SecureView Architecture – SecureView is already an AFRL Program of Record

VPN Package End User Device (EUD) Requirements

Page 29: Selling CSfC Solutions

Mobile Access Capability Package (MA CP v1.0)

Page 30: Selling CSfC Solutions


The same black/gray/red, inner/outer VPN & PKI nomenclature is also referenced in the MA CP

TLS Server/Client - Application specific TLS encryption components

SRTP - Secure Real-time Transport Protocol deployed to encrypt voice and video

VPN EUD - End user device that uses the VPN client and VPN gateway components

TLS EUD - End user device that uses the TLS/SRTP client and TLS/SRTP gateway components

Outer/Gray/Inner Firewall - The MA CP introduces a firewall to the black/gray/red boundaries

Mobile Access CP Key Concepts

Page 31: Selling CSfC Solutions

CSfC Architectures - MA CP

https://www.nsa.gov/ia/_files/MA_CP_v1.0.pdf

Page 32: Selling CSfC Solutions

Mobile Access CP - Cisco Mobile VPN Solution, AC/ASA Outer VPN with TLS/SRTP Inner

[Diagram: Outer Tunnel - IPsec, Suite B/NGE, from the AnyConnect IPsec VPN client across the transport to the outer VPN gateway (ASA 5500-X or IOS/XE; could be either); Outer Firewall and Inner Firewall on ASA 5500-X; Inner Tunnel - TLS/SRTP from the client to the TLS Server and SRTP endpoint. TLS encryption for call-control & signaling, SRTP encryption for media]

Page 33: Selling CSfC Solutions

This design follows the VPN overlay over black transport model

AnyConnect IPsec VPN with ASA or IOS/XE for outer VPN; it is preferred to use the ASA for AnyConnect VPN termination

TLS/SRTP or IPsec VPN is established for inner VPN

Gray firewall and inner VPN gateway are diverse

Position UCS Compute for all compute services

Position ACS for configuration change detection requirements

Position FireSIGHT MC, FirePOWER IPS, AMP Private Cloud & Lancope on red network

Potential for LiveAction on gray/black network

MA CP - Cisco Secure Mobile VPN Solution - Notes

Page 34: Selling CSfC Solutions

Campus WLAN Capability Package (WLAN CP v1.1)

Page 35: Selling CSfC Solutions


The same black/gray/red, inner/outer VPN & PKI nomenclature is also referenced in the WLAN CP

Wireless System - Includes the access-points and wireless controllers

Authentication Server - References the server that performs device/client authentication (i.e. AD/RADIUS)

WLAN Client - Includes the WLAN supplicant used for WLAN authentication etc.

VPN Gateway/Client - Includes the inner VPN IPSec components

WIDS/wIPS - References the wireless Intrusion Detection/Prevention Systems

WLAN CP Key Concepts

Page 36: Selling CSfC Solutions

CSfC Architectures - WLAN CP

https://www.nsa.gov/ia/_files/Campus_WLAN.pdf

Page 37: Selling CSfC Solutions

WLAN CP - Cisco Solution, Wireless Encryption Outer VPN - AC/ASA Inner VPN

[Diagram: Outer Tunnel - WPA2-AES from the Wireless Supplicant to the Cisco AP (wIPS/IDS), CAPWAP DTLS between AP and 5500 WLC; Inner Tunnel - IPsec, Suite B/NGE, from the AnyConnect IPsec VPN client to the ASA 5500-X; Prime Infrastructure and Mobility Services Engine (MSE) providing aWIPS]

* Cisco has requested a single-vendor diversity letter for AireOS with ASA/AC

Page 38: Selling CSfC Solutions


This approach allows the use of client/AP/controller based encryption as an accountable outer VPN layer vs. following the VPN CP model

WPA2-AES over-the-air encryption is enabled between client and access-point providing the outer VPN

CAPWAP DTLS AES encryption is enabled between the AP and controller for both control and data plane

AnyConnect Suite B IPsec VPN with ASA provides the inner VPN

Standard Wireless Deployment - Gray Prime, MSE, wIPS etc.

WLAN CP - Cisco Secure Wireless VPN Solution, Wireless Encryption - Notes

Page 39: Selling CSfC Solutions


Per current WLAN CP guidance, the wireless system and VPN gateway/client must have implementation independence. Cisco has requested a single-vendor letter supporting the use of AireOS and ASA/AC similar to the IOS/XE/ASA VPN CP design

Per current WLAN CP guidance, the authentication server and VPN gateway/client must have implementation independence. Customers can deploy another vendor's authentication server (AD/RADIUS) in conjunction with ASA/AC

Per current WLAN CP guidance, the WLAN client and VPN gateway/client must have implementation independence. Customers can easily deploy another vendor's WLAN client with the AnyConnect VPN client

WLAN CP - Cisco Secure Wireless VPN Solution, Wireless Encryption - Notes

Page 40: Selling CSfC Solutions


Per current WLAN CP guidance, the wireless system must be dedicated to a single network classification

Position UCS Compute for all compute services

Position ACS for configuration change detection requirements

Position FireSIGHT MC, FirePOWER IPS, AMP Private Cloud & Lancope on red network

Potential for LiveAction on gray/black network

Future wireless solutions will support AES-GCM for over-the-air encryption

Position Cisco Integrated wIDS to meet Wireless IDS requirements

Consider Windows NPS Authentication Server for Suite B form of EAP-TLS (TLS 1.2)

WLAN CP - Cisco Secure Wireless VPN Solution, Wireless Encryption - Notes

Page 41: Selling CSfC Solutions

Potential Future Solutions


Page 42: Selling CSfC Solutions


MACsec - Cisco is pursuing approval to allow the use of MACsec as an accountable layer of encryption. Products include ASR 1/9k and potentially the Catalyst products

Software Based Solutions - The program office is still trying to determine the best way to certify the CSR1K, ASAv & ESR 5921 software based solutions. Note, the ESR 5921 is listed as an approved VPN client on the CSFC list

Optical Encryption - Wire Speed Encryption (WSE) line card. Potential to get this certified as a layer of encryption. Customers can pursue certification with CSFC program office directly

Today, CUCM 10.5.2 supports NGE & CUCM 11.0 supports ECDSA

Potential Future Solutions

Page 43: Selling CSfC Solutions

Capability Package Challenges


Page 44: Selling CSfC Solutions


Customer now has to implement and manage two separate PKI infrastructures

Today, the only approved CA vendor is Microsoft (Systems team is usually the O&M)

AAA Server - ISE does not support EC enrollment today

WLAN authentication server and VPN gateway came from different vendors and that the vendors are not a subsidiary of each other

From VPN-CP: “Devices shall use Enrollment over Secure Transport (EST) as detailed in IETF RFC 7030 for certificate management.” Not widely supported today – ISE and other products are on the support roadmap

CP Challenges

Page 45: Selling CSfC Solutions

CSFC FAQs


Page 46: Selling CSfC Solutions

Q: Can a CSFC solution be deployed to replace PDS?

A: Yes, and there is a strong business case for doing so. However, local policy justification and cost analysis would need to be completed, but this is a feasible replacement solution.

Q: Can I use a CSFC solution on coalition networks?

A: Yes, and this is an ideal solution for networks where Foreign Nationals are involved and the customer may be currently utilizing CCI devices for protection of information in transit to foreign nationals. Examples would be networks such as CENTRIXS, CMN, BICES – any other enclave based networks where foreign nationals connect.

FAQs

Page 47: Selling CSfC Solutions

Q: Can I remove my type-1/TACLANE/HAIPE device on both SIPR & JWICS?

A: It is possible, but there are several factors that determine whether this is appropriate. Do you have a DAA and IA team that agree this makes sense? US National (CNSSP-15) policy provides that protection of NSS shall utilize Suite B solutions for protection of information systems; however, your customer must understand that for networks such as SIPR and JWICS they are part of a broader information protection boundary that is owned by an external organization – meaning that they must seek permission and consult directly with the accrediting agency first before attempting to remove ANY current encryption.

FAQs (Continued)

Page 48: Selling CSfC Solutions

Questions? Cisco CSFC [email protected]