Industry Breakout: Government/Military Forum (Jon Green, Stuart Schulte)
CONFIDENTIAL © Copyright 2013. Aruba Networks, Inc. All rights reserved 1 #airheadsconf #airheadsconf
Government Breakout Session Jon Green
March 2013
Tunneled Internet Gateway Solution
Problem Statement
• Need for Internet-only access for government-owned devices WITHOUT meeting government security requirements
• Example: Electronic Flight Bag (iPad)
• Challenges:
– FIPS 140-2 validated over-the-air encryption
– Protection of locally stored information
– PIV/CAC authentication
– STIG compliance
Solutions
• Deploy a second, parallel network infrastructure
-or-
• Use existing network, but maintain strong separation between classes of service
Centralized, User Centric Security Architecture
[Diagram labels: Applications / Services (Staff, Partner, SIPR, Command); AAA (RADIUS, LDAP, AD, PKI); Role-Based Access Control; Flow / Application Classification; Role-based Firewalls; Centralized Crypto; Sessions; AP is Untrusted; Virtual AP 1 SSID: Centrix; Virtual AP 2 SSID: SIPR; Security Boundary; End-to-end crypto boundary; Per-user virtual connection]
Detailed Architecture
Certifications Update
FIPS 140-2 - ArubaOS
• 6.1.4.1-FIPS is latest validated release
– Will be updated quarterly to address bug fixes
• 6.3-FIPS next
– Includes 72xx controller
– New consolidated release model
– Estimated completion by November/December
FIPS 140-2 – Other Products
• ClearPass Policy Manager
– Using OpenSSL-FIPS internally
– 6.2 release should have knob to enable FIPS mode
• Instant
– Software work underway to achieve FIPS compliance
– Expect to start validation work in April
• VIA / OnGuard
– Already using a FIPS-validated crypto library, but Aruba doesn't have access to the certificate
– Validation work has begun; expecting Box 1 in March
• Switches
– Not currently planned, but subject to change
Common Criteria
• WLAN Access System Protection Profile
– Working with SAIC under the NIAP scheme
– Expecting kick-off meeting with NIAP in March/April
• Network Device Protection Profile (NDPP)
– In process with CSC Australia under AISEP scheme
– ArubaOS 6.3 listed as in-evaluation
– Includes Firewall Extension Profile
• VPN Gateway Extension Profile
– Extension to NDPP
– Will be performing evaluation with CSC Australia
• VPN Client Protection Profile
– Still in planning process
UC-APL
• Listed on APLITS in November 2012
• ArubaOS 6.1.4.0
• Updating to 6.1.4.3 is in-process
Aruba Solutions for Classified
Classified Wi-Fi Networks: Today's Legacy Architecture
[Diagram labels: TYPE-1 Adapter; 802.11i / WPA2 Crypto Boundary; UNCLASS; Wireless AP; WLAN Controller; firewall; SECRET; HAIPE (High Assurance IP Encryptor); TYPE-1 Crypto Boundary]
• Advantages:
– Strong security
– Well understood
– Covered by existing policy
• Disadvantages:
– Very expensive
– Doesn't support modern COTS devices
– Usability challenges with CCI
Best of Both Worlds: Suite B
• Suite B is a set of public cryptographic algorithms promulgated by the National Security Agency as part of its Cryptographic Modernization Program
• Three goals:
– Information sharing with partners
– Enable rapid adoption of new technology
– Lower cost/complexity of CCI
• In the US, authority to use Suite B granted by CNSSP-15
• Suite B does NOT, by itself, permit commercial devices in classified networks
How do we accredit COTS products?
"Commercial Solutions for Classified": NSA program to enable Commercial rather than Government-designed products
Requirements:
– Suite B support
– FIPS 140-2 and Common Criteria validation
– Signed agreement with NSA
Other countries planning similar programs, but watching NSA first
CSfC Guidance
Suite B Components

Cryptographic Algorithm or Protocol              Standard                 Minimum Requirements for SECRET   Minimum Requirements for TOP SECRET
Symmetric Encryption: Advanced Encryption        FIPS 197                 128 bit key                       256 bit key
  Standard (AES)
Hashing: Secure Hash Algorithm (SHA)             FIPS 180-3               SHA-256                           SHA-384
Digital Signature: Elliptic Curve Digital        FIPS 186-3, ANSI X9.62   256 bits over prime field         384 bits over prime field
  Signature Algorithm (ECDSA)
Key Exchange: Elliptic Curve Diffie-Hellman      SP 800-56A, ANSI X9.63   256 bits over prime field         384 bits over prime field
  (ECDH)
Networks Supporting Suite B
• Commercial or government 3G/4G Services
• Government-owned Wi-Fi Networks (pictured here)
• Suite B applied through App Embedding or Overlay
• Rule of Two: independent authentication and crypto layers
[Diagram labels: Private cloud voice and apps data center; COTS 3G/4G/WiFi Device + Suite B Security Stack]
Suite B Implementation Layers
• Wi-Fi (Layer 2)
– Supported by Aruba
– WPA2 is not Suite B compliant today... but not difficult to modify
– AES-GCM (128/256) + Key Derivation Function needed
– Modification to 802.11ac has been proposed by Aruba and Cisco
– Pre-standard implementations are available today
• IPsec (Layer 3)
– Supported by Aruba
– RFC 6379 "Suite B Cryptographic Suites for IPsec"
– Interoperability between multiple vendors well established
• TLS (Layer 7)
– RFC 5430
– Bundled into applications
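As an added example (not Aruba's, Cisco's or the NSA's code), the Python below applies the per-component minimums from the Suite B Components table to the named suites of the two layer protocols cited here, RFC 6379 for IPsec and RFC 5430 for TLS, and then applies the "Rule of Two" from the Networks Supporting Suite B slide: a two-layer stack is only as strong as its weaker layer. The suite-name tables, the single-curve simplification for TLS and the outer/inner pairing are this example's own assumptions.

```python
"""Suite B strength check for a two-layer (rule of two) session.

Added example. Each crypto layer is reduced to the three component strengths
the page's table uses: AES key bits, SHA digest bits, and the EC curve bits
shared by ECDSA and ECDH. The weakest component decides the layer's level.
"""
# Minimums per classification level, copied from the page's table:
# (AES key bits, SHA digest bits, EC curve bits for ECDSA and ECDH).
SUITE_B_MINIMUMS = {"SECRET": (128, 256, 256), "TOP SECRET": (256, 384, 384)}

# Component strengths implied by named suites. TLS names (OpenSSL style, per
# RFC 5430) carry only AES and SHA strengths because the curve is negotiated
# separately; RFC 6379 IPsec suites fix the curve as well. Suites outside
# Suite B (RSA authentication, CBC mode, SHA-1, GMAC-only) are deliberately
# absent, so they evaluate to "not Suite B" (None).
KNOWN_SUITES = {
    "ECDHE-ECDSA-AES128-GCM-SHA256": (128, 256),
    "ECDHE-ECDSA-AES256-GCM-SHA384": (256, 384),
    "Suite-B-GCM-128": (128, 256, 256),
    "Suite-B-GCM-256": (256, 384, 384),
}
# Suite B defines only these two curves; P-521 or RSA keys are outside Suite B.
CURVE_BITS = {"P-256": 256, "P-384": 384}


def layer_level(suite, curve=None):
    """Highest level whose minimums every component of one layer meets.

    `curve` is the P-curve used for both ECDHE and the ECDSA certificate (pass
    the weaker one if they differ); it is ignored for IPsec suites, which fix
    their own. Returns "TOP SECRET", "SECRET" or None.
    """
    strengths = KNOWN_SUITES.get(suite)
    if strengths is None:
        return None
    if len(strengths) == 2:  # TLS suite: append the negotiated curve strength
        if curve not in CURVE_BITS:
            return None
        strengths = strengths + (CURVE_BITS[curve],)
    aes, sha, ec = strengths
    for level in ("TOP SECRET", "SECRET"):
        min_aes, min_sha, min_ec = SUITE_B_MINIMUMS[level]
        if aes >= min_aes and sha >= min_sha and ec >= min_ec:
            return level
    return None


def rule_of_two_level(outer, inner):
    """Level a two-layer stack supports: both layers must independently meet it.

    Each argument is (suite, curve). One layer that is not Suite B at all
    disqualifies the whole stack; otherwise the weaker layer sets the level.
    """
    levels = [layer_level(*outer), layer_level(*inner)]
    if None in levels:
        return None
    return "TOP SECRET" if levels == ["TOP SECRET", "TOP SECRET"] else "SECRET"
```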
Securing Commercial Mobile Devices
• Determine where two encryption layers will be implemented: network layers versus application layer
• Data-at-rest issues can be solved with cloud / virtual desktop
• Credentials: X.509 Device certificate; User certificate
• Locally generated keying material
[Diagram labels: IP PBX; File Server; Database; COTS 3G/4G/Wi-Fi Device + Suite B Security Stack]
Classified Architecture: NSA WLAN Capabilities Package
What is the classification level of this segment?
Wireless System Classification Level
• Summary*:
– If Aruba: APs are outside the security boundary. No protection of APs required.
– If any other vendor: APs and AP-to-controller network must be protected at the same classification level as the data (tamper protection, PDS, inspection, etc.)
* Text taken from draft WLAN Capability Package and is believed to be official NSA policy
Architecture: Suite B at L2/L3
[Diagram labels: NIPR; Aruba RAP; Aruba CAP; Aruba Controller; firewall; SECRET LAN; IPSEC Suite B; Aruba bSec VIA Client Suite B IPSEC; Aruba IPSEC Suite B VIA Client; Inner Suite B Session; Outer Suite B Session; WLAN; Remote W/LAN; "internet"; Aruba IPSEC Suite B RAP; Aruba Controller]
New Architecture: Suite B at L3/L7
Source: http://www.nsa.gov/ia/programs/mobility_program/index.shtml
Aruba VIA Clients with Suite B
• Mobile device policy compliance
– Creates a FIPS+ validated end-to-end authenticated and encrypted session to controller
• Multi-mode for multiple uses
– Local WLAN or Remote Access Mode
– Unclassified (SBU) or Classified (Secret) modes
• Supported devices
– Windows 7 (32/64), Windows XP
– Apple iOS
– Mac OSX
– Android 4.x
– Linux
• Seamless Mobility
– Firewall policies tied to user role
– Same policy as in campus, branch
• Best in Class Security
– Suite B encryption for L2 (bSec), IPsec
– IPsec VPN with SSL fallback
– Validations in process
Where do we find credentials?
• Option 1: Smartcards
– Two-factor authentication with hardware protection of certificates
– But... existing government PKI based on RSA
– Card readers for mobile devices?
• Option 2: Certificates on disk/flash (soft certs)
– Native certificate store capable of ECDSA?
– Protecting against export/copying
– Protecting against use if device is lost/stolen
– Initial credential provisioning
Evolution in credential storage
Aruba RAP with Suite B
• Credentials on secure USB key or stored on RAP flash
– With USB credentials, IPsec tunnel dropped when key is removed
• Wired connection (4 ports)
• Forms one layer of "rule of two"
– Connects to Aruba mobility controller using Suite B IPsec
• Provides CPU separation for two Suite B layers
Future: Interoperable High-Assurance Networks
Open Forum