Industry breakout government military forum_jon green_stuart schulte


Page 1: Industry breakout government military forum_jon green_stuart schulte

CONFIDENTIAL © Copyright 2013. Aruba Networks, Inc. All rights reserved 1 #airheadsconf #airheadsconf

Government Breakout Session Jon Green

March 2013

Page 2: Tunneled Internet Gateway Solution

Page 3: Problem Statement

•  Need for Internet-only access for government-owned devices WITHOUT meeting government security requirements
•  Example: Electronic Flight Bag (iPad)
•  Challenges:
  –  FIPS 140-2 validated over-the-air encryption
  –  Protection of locally stored information
  –  PIV/CAC authentication
  –  STIG compliance

Page 4: Solutions

•  Deploy a second, parallel network infrastructure

-or-

•  Use existing network, but maintain strong separation between classes of service

Page 5: Centralized, User Centric Security Architecture

[Architecture diagram. Labels: Applications / Services (Staff, Partner, SIPR, Command); AAA (RADIUS, LDAP, AD, PKI); controller functions: Role-Based Access Control, Flow / Application Classification, Role-based Firewalls, Centralized Crypto, Sessions; AP is Untrusted; Virtual AP 1 SSID: Centrix; Virtual AP 2 SSID: SIPR; Security Boundary: end-to-end crypto boundary, per-user virtual connection]

Page 6: Detailed Architecture

Page 7: Certifications Update

Page 8: FIPS 140-2 - ArubaOS

•  6.1.4.1-FIPS is the latest validated release
  –  Will be updated quarterly to address bug fixes
•  6.3-FIPS next
  –  Includes 72xx controller
  –  New consolidated release model
  –  Estimated completion by November/December

Page 9: FIPS 140-2 – Other Products

•  ClearPass Policy Manager
  –  Using OpenSSL-FIPS internally
  –  6.2 release should have knob to enable FIPS mode
•  Instant
  –  Software work underway to achieve FIPS compliance
  –  Expect to start validation work in April
•  VIA / OnGuard
  –  Already using a FIPS-validated crypto library, but Aruba doesn’t have access to the certificate
  –  Validation work has begun – expecting Box 1 in March
•  Switches
  –  Not currently planned, but subject to change

Page 10: Common Criteria

•  WLAN Access System Protection Profile
  –  Working with SAIC under the NIAP scheme
  –  Expecting kick-off meeting with NIAP in March/April
•  Network Device Protection Profile (NDPP)
  –  In process with CSC Australia under AISEP scheme
  –  ArubaOS 6.3 listed as in-evaluation
  –  Includes Firewall Extension Profile
•  VPN Gateway Extension Profile
  –  Extension to NDPP
  –  Will be performing evaluation with CSC Australia
•  VPN Client Protection Profile
  –  Still in planning process

Page 11: UC-APL

•  Listed on APLITS in November 2012
•  ArubaOS 6.1.4.0
•  Updating to 6.1.4.3 is in process

Page 12: Aruba Solutions for Classified

Page 13: Classified Wi-Fi Networks – Today’s Legacy Architecture

[Diagram labels: TYPE-1 Adapter; 802.11i / WPA2 Crypto Boundary; UNCLASS: Wireless AP, WLAN Controller, firewall; SECRET: HAIPE (High Assurance IP Encryptor); TYPE-1 Crypto Boundary]

•  Advantages:
  –  Strong security
  –  Well understood
  –  Covered by existing policy
•  Disadvantages:
  –  Very expensive
  –  Doesn’t support modern COTS devices
  –  Usability challenges with CCI

Page 14: Best of Both Worlds: Suite B

•  Suite B is a set of public cryptographic algorithms promulgated by the National Security Agency as part of its Cryptographic Modernization Program
•  Three goals:
  –  Information sharing with partners
  –  Enable rapid adoption of new technology
  –  Lower cost/complexity of CCI
•  In the US, authority to use Suite B granted by CNSSP-15
•  Suite B does NOT, by itself, permit commercial devices in classified networks

Page 15: How do we accredit COTS products?

“Commercial Solutions for Classified”: NSA program to enable commercial rather than government-designed products

Requirements:
  –  Suite B support
  –  FIPS 140-2 and Common Criteria validation
  –  Signed agreement with NSA

Other countries planning similar programs, but watching NSA first

Page 16: CSfC Guidance

Page 17: Suite B Components

| Cryptographic Algorithm or Protocol                          | Standard                | Minimum Requirements for SECRET | Minimum Requirements for TOP SECRET |
|--------------------------------------------------------------|-------------------------|---------------------------------|-------------------------------------|
| Symmetric Encryption: Advanced Encryption Standard (AES)     | FIPS 197                | 128 bit key                     | 256 bit key                         |
| Hashing: Secure Hash Algorithm (SHA)                         | FIPS 180-3              | SHA-256                         | SHA-384                             |
| Digital Signature: Elliptic Curve Digital Signature Algorithm (ECDSA) | FIPS 186-3, ANSI X9.62 | 256 bits over prime field | 384 bits over prime field           |
| Key Exchange: Elliptic Curve Diffie-Hellman (ECDH)           | SP 800-56A, ANSI X9.63  | 256 bits over prime field       | 384 bits over prime field           |
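The table fixes the curve, AES key size and hash for each classification level. The Go program below is an added example written for this page (not Aruba code and not an NSA reference implementation) that wires those rows into a single ECDH plus AES-GCM session, so the SECRET row yields P-256 / SHA-256 / AES-128-GCM and the TOP SECRET row yields P-384 / SHA-384 / AES-256-GCM. The one-step hash key derivation and the "suite-b-demo" label are simplifications assumed for illustration in place of the SP 800-56A KDF.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/ecdh"
	"crypto/rand"
	"crypto/sha256"
	"crypto/sha512"
	"hash"
)

// SuiteB is one row of the Suite B minimum-requirements table above.
type SuiteB struct {
	Level   string
	Curve   ecdh.Curve // ECDH (and ECDSA) curve over a prime field
	KeyBits int        // AES key size
	Hash    func() hash.Hash
}

var Secret = SuiteB{"SECRET", ecdh.P256(), 128, sha256.New}
var TopSecret = SuiteB{"TOP SECRET", ecdh.P384(), 256, sha512.New384}

// sessionAEAD hashes the ECDH shared secret down to an AES key of the level's
// size and wraps it in AES-GCM. One hash step stands in for the SP 800-56A KDF
// (simplification for illustration); the label is a constructed context string.
func sessionAEAD(s SuiteB, shared []byte) (cipher.AEAD, int) {
	h := s.Hash()
	h.Write(append(shared, []byte("suite-b-demo")...))
	key := h.Sum(nil)[:s.KeyBits/8] // 16 bytes for SECRET, 32 for TOP SECRET
	block, _ := aes.NewCipher(key)  // key length is fixed by the level, cannot fail
	aead, _ := cipher.NewGCM(block)
	return aead, len(key)
}

// SessionDemo runs ECDH between two parties at level s, seals msg on one side and
// opens it on the other. Returns the recovered plaintext and AES key length in bytes.
func SessionDemo(s SuiteB, msg []byte) ([]byte, int, error) {
	a, _ := s.Curve.GenerateKey(rand.Reader)
	b, _ := s.Curve.GenerateKey(rand.Reader)
	sharedA, _ := a.ECDH(b.PublicKey()) // both sides on one curve: cannot fail
	sharedB, _ := b.ECDH(a.PublicKey())
	sender, keyLen := sessionAEAD(s, sharedA)
	receiver, _ := sessionAEAD(s, sharedB)
	nonce := make([]byte, sender.NonceSize())
	rand.Read(nonce)
	ct := sender.Seal(nil, nonce, msg, []byte(s.Level)) // level bound in as AAD
	pt, err := receiver.Open(nil, nonce, ct, []byte(s.Level))
	return pt, keyLen, err
}
```

This models one crypto layer; the Rule of Two on the later slides stacks two such independent layers (for example bSec at L2 and IPsec at L3) with separate credentials.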

Page 18: Networks Supporting Suite B

•  Commercial or government 3G/4G services
•  Government-owned Wi-Fi networks (pictured here)
•  Suite B applied through app embedding or overlay
•  Rule of Two: independent authentication and crypto layers

[Diagram labels: COTS 3G/4G/WiFi Device + Suite B Security Stack; Private cloud voice and apps data center]

Page 19: Suite B Implementation Layers

•  Wi-Fi (Layer 2) – Supported by Aruba
  –  WPA2 is not Suite B compliant today... but not difficult to modify
  –  AES-GCM (128/256) + Key Derivation Function needed
  –  Modification to 802.11ac has been proposed by Aruba and Cisco
  –  Pre-standard implementations are available today
•  IPsec (Layer 3) – Supported by Aruba
  –  RFC 6379 “Suite B Cryptographic Suites for IPsec”
  –  Interoperability between multiple vendors well established
•  TLS (Layer 7)
  –  RFC 5430
  –  Bundled into applications

Page 20: Securing Commercial Mobile Devices

•  Determine where two encryption layers will be implemented – network layers versus application layer
•  Data-at-rest issues can be solved with cloud / virtual desktop
•  Credentials: X.509 device certificate; user certificate
•  Locally generated keying material

[Diagram labels: COTS 3G/4G/Wi-Fi Device + Suite B Security Stack; IP PBX; File Server; Database]

Page 21: Classified Architecture: NSA WLAN Capabilities Package

[Diagram; annotation: “What is the classification level of this segment?”]

Page 22: Wireless System Classification Level

•  Summary:*
  –  If Aruba – APs are outside the security boundary. No protection of APs required.
  –  If any other vendor – APs and AP-to-controller network must be protected at the same classification level as the data (tamper protection, PDS, inspection, etc.)

* Text taken from draft WLAN Capability Package and is believed to be official NSA policy

Page 23: Architecture: Suite B at L2/L3

[Diagram labels: NIPR; Aruba RAP; Aruba CAP; Aruba Controller; firewall; SECRET LAN; WLAN; Remote W/LAN; “internet”; Aruba bSec / VIA Client Suite B IPSEC; Aruba IPSEC Suite B VIA Client; Aruba IPSEC Suite B RAP; IPSEC Suite B links; Inner Suite B Session; Outer Suite B Session]

Page 24: New Architecture: Suite B at L3/L7

Source: http://www.nsa.gov/ia/programs/mobility_program/index.shtml

Page 25: Aruba VIA Clients with Suite B

•  Mobile device policy compliance
  –  Creates a FIPS+ validated end-to-end authenticated and encrypted session to controller
•  Multi-mode for multiple uses
  –  Local WLAN or Remote Access mode
  –  Unclassified (SBU) or Classified (Secret) modes
•  Supported devices
  –  Windows 7 (32/64), Windows XP
  –  Apple iOS
  –  Mac OSX
  –  Android 4.x
  –  Linux
•  Seamless mobility
  –  Firewall policies tied to user role
  –  Same policy as in campus, branch
•  Best-in-class security
  –  Suite B encryption for L2 (bSec), IPsec
  –  IPsec VPN with SSL fallback
  –  Validations in process

Page 26: Where do we find credentials?

•  Option 1: Smartcards
  –  Two-factor authentication with hardware protection of certificates
  –  But… existing government PKI based on RSA
  –  Card readers for mobile devices?
•  Option 2: Certificates on disk/flash (soft certs)
  –  Native certificate store capable of ECDSA?
  –  Protecting against export/copying
  –  Protecting against use if device is lost/stolen
  –  Initial credential provisioning

Page 27: Evolution in credential storage

Page 28: Aruba RAP with Suite B

•  Credentials on secure USB key or stored on RAP flash
  –  With USB credentials, IPsec tunnel dropped when key is removed
•  Wired connection (4 ports)
•  Forms one layer of “rule of two”
  –  Connects to Aruba mobility controller using Suite B IPsec
•  Provides CPU separation for two Suite B layers

Page 29: Future: Interoperable High-Assurance Networks

Page 30: Open Forum
