Industry breakout government military forum_jon green_stuart schulte

CONFIDENTIAL
© Copyright 2013. Aruba Networks, Inc.
All rights reserved 1 #airheadsconf#airheadsconf
Government Breakout Session
Jon Green
March 2013

CONFIDENTIAL
All rights reserved 2 #airheadsconf#airheadsconf2
Tunneled Internet Gateway Solution

CONFIDENTIAL
All rights reserved 3 #airheadsconf
•  Need for Internet-only access for government-
owned devices WITHOUT meeting government
security requirements
•  Example: Electronic Flight Bag (iPad)
•  Challenges:
–  FIPS 140-2 validated over-the-air encryption
–  Protection of locally stored information
–  PIV/CAC authentication
–  STIG compliance
Problem Statement
3

CONFIDENTIAL
•  Deploy a second, parallel network infrastructure
-or-
•  Use existing network, but maintain strong
separation between classes of service
Solutions

CONFIDENTIAL
Centralized, User Centric Security
Architecture
Applications
Services
Staff
Partner
SIPR
Command
AAA
RADIUS
LDAP
AD
PKI
Role-Based
Access Control
Flow / Application
Classification
Role-based Firewalls
Centralized
Crypto
Sessions
AP is
Untrusted
Virtual AP 1
SSID: Centrix
Virtual AP 2
SSID: SIPR
Security
Boundary
End-to-end crypto boundary
Per-user virtual connection

CONFIDENTIAL
Detailed Architecture

CONFIDENTIAL
Certifications Update

CONFIDENTIAL
•  6.1.4.1-FIPS is latest validated release
–  Will be updated quarterly to address bug fixes
•  6.3-FIPS next
–  Includes 72xx controller
–  New consolidated release model
–  Estimated completion by November/December
FIPS 140-2 - ArubaOS
8

CONFIDENTIAL
•  ClearPass Policy Manager
–  Using OpenSSL-FIPS internally
–  6.2 release should have knob to enable FIPS mode
•  Instant
–  Software work underway to achieve FIPS compliance
–  Expect to start validation work in April
•  VIA / OnGuard
–  Already using a FIPS-validated crypto library, but Aruba
doesn’t have access to the certificate 
–  Validation work has begun – expecting Box 1 in March
•  Switches
–  Not currently planned, but subject to change
FIPS 140-2 – Other Products

CONFIDENTIAL
•  WLAN Access System Protection Profile
–  Working with SAIC under the NIAP scheme
–  Expecting kick-off meeting with NIAP in March/April
•  Network Device Protection Profile (NDPP)
–  In process with CSC Australia under AISEP scheme
–  ArubaOS 6.3 listed as in-evaluation
–  Includes Firewall Extension Profile
•  VPN Gateway Extension Profile
–  Extension to NDPP
–  Will be performing evaluation with CSC Australia
•  VPN Client Protection Profile
–  Still in planning process
Common Criteria

CONFIDENTIAL
•  Listed on APLITS in November 2012
•  ArubaOS 6.1.4.0
•  Updating to 6.1.4.3 is in-process
UC-APL

CONFIDENTIAL
Aruba Solutions for Classified

CONFIDENTIAL
TYPE-1
Adapter
Classified Wi-Fi Networks
Today’s Legacy Architecture
802.11i / WPA2 Crypto Boundary
UNCLASS
Wireless AP
WLAN Controller
firewall
SECRET
HAIPE
(High Assurance IP Encryptor)
TYPE-1 Crypto Boundary
•  Advantages:
•  Strong security
•  Well understood
•  Covered by existing policy
•  Disadvantages:
•  Very expensive
•  Doesn’t support modern
COTS devices
•  Usability challenges with CCI

CONFIDENTIAL
•  Suite B is a set of public cryptographic
algorithms promulgated by the National
Security Agency as part of
its Cryptographic Modernization Program
•  Three goals:
–  Information sharing with partners
–  Enable rapid adoption of new technology
–  Lower cost/complexity of CCI
•  In the US, authority to use Suite B
granted by CNSSP-15
•  Suite B does NOT, by itself, permit
commercial devices in classified
networks
Best of Both Worlds: Suite B

CONFIDENTIAL
How do we accredit COTS products?
“Commercial Solutions for Classified”
NSA Program to enable Commercial
rather than Government-designed
products
Requirements:
–  Suite B support
–  FIPS 140-2 and Common Criteria validation
–  Signed agreement with NSA
Other countries planning similar
programs, but watching NSA first

CONFIDENTIAL
CSfC Guidance

CONFIDENTIAL
Suite B Components
Cryptographic
Algorithm or
Protocol
Standard
Minimum
Requirements for
SECRET
Minimum
Requirements for
TOP SECRET
Symmetric Encryption
Advanced
Encryption
Standard (AES)
FIPS 197 128 bit key 256 bit key
Hashing
Secure Hash
Algorithm (SHA)
FIPS 180-3 SHA-256 SHA-384
Digital Signature
Elliptic Curve
Digital Signature
Algorithm
(ECDSA)
FIPS 186-3
ANSI X9.62
256 bits over
prime field
384 bits over
prime field
Key Exchange
Elliptic Curve
Diffie-Hellman
(ECDH)
SP 800-56A
ANSI X9.63
256 bits over
prime field
384 bits over
prime field

CONFIDENTIAL
•  Commercial or government 3G/4G
Services
•  Government-owned Wi-Fi Networks
(pictured here)
•  Suite B applied through App Embedding
or Overlay
•  Rule of Two: independent authentication
and crypto layers
Networks Supporting Suite B
Private cloud voice
and apps data center
COTS 3G/4G/WiFi Device
+ Suite B Security Stack

CONFIDENTIAL
•  Wi-Fi (Layer 2) – Supported by Aruba
–  WPA2 is not Suite B compliant today... but not difficult to modify
–  AES-GCM (128/256) + Key Derivation Function needed
–  Modification to 802.11ac has been proposed by Aruba and Cisco
–  Pre-standard implementations are available today
•  IPsec (Layer 3) – Supported by Aruba
–  RFC 6379 “Suite B Cryptographic Suites for IPsec”
–  Interoperability between multiple vendors well established
•  TLS (Layer 7)
–  RFC 5430
–  Bundled into applications
Suite B Implementation Layers

CONFIDENTIAL
•  Determine where two encryption layers will be
implemented – network layers versus application layer
•  Data-at-rest issues can be solved with cloud / virtual
desktop
•  Credentials: X.509 Device certificate; User certificate
•  Locally generated keying material
Securing Commercial Mobile Devices
IP
PBX
File
Server
Database
COTS 3G/4G/Wi-Fi Device
+ Suite B Security Stack

CONFIDENTIAL
All rights reserved 21 #airheadsconf21
Classified Architecture:
NSA WLAN Capabilities Package
What is the
classification
level of this
segment?

CONFIDENTIAL
•  Summary:
–  If Aruba – APs are outside the security boundary. No
protection of APs required.
–  If any other vendor – APs and AP-to-controller network must
be protected at the same classification level as the data
(tamper protection, PDS, inspection, etc.)
Wireless System Classification Level
*
*
* Text taken from draft WLAN Capability Package and is believed to be official NSA policy

CONFIDENTIAL
Architecture: Suite B at L2/L3
NIPR
Aruba RAP
Aruba CAP
Aruba Controller
firewall
SECRET
LAN
IPSEC Suite B
Aruba bSec VIA Client
Suite B IPSEC
IPSEC Suite B
Aruba IPSEC Suite B VIA Client
IPSEC Suite B
Inner Suite B Session
Outer Suite B Session
WLAN
Remote W/LAN
“internet”
Aruba IPSEC Suite B RAP
Aruba
Controller

CONFIDENTIAL
New Architecture: Suite B at L3/L7
24
Source: http://www.nsa.gov/ia/programs/mobility_program/index.shtml

CONFIDENTIAL
Aruba VIA Clients with Suite B
  Mobile device policy compliance
•  Creates a FIPS+ validated end-to-end
authenticated and encrypted session to controller
  Multi-mode for multiple uses
•  Local WLAN or Remote Access Mode
•  Unclassified (SBU) or Classified (Secret) modes
  Supported devices
•  Windows 7 (32/64), Windows XP
•  Apple iOS
•  Mac OSX
•  Android 4.x
•  Linux
  Seamless Mobility
•  Firewall policies tied to user role
•  Same policy as in campus, branch
  Best in Class Security
•  Suite B encryption for L2 (bSec), IPSec
•  IPsec VPN with SSL fallback
•  Validations in process

CONFIDENTIAL
•  Option 1: Smartcards
–  Two-factor authentication with hardware
protection of certificates
–  But… existing government PKI based on RSA
–  Card readers for mobile devices?
•  Option 2: Certificates on disk/flash (soft certs)
–  Native certificate store capable of ECDSA?
–  Protecting against export/copying
–  Protecting against use if device is lost/stolen
–  Initial credential provisioning
Where do we find credentials?

CONFIDENTIAL
Evolution in credential storage

CONFIDENTIAL
•  Credentials on secure USB key or
stored on RAP flash
–  With USB credentials, IPsec tunnel dropped when
key is removed
•  Wired connection (4 ports)
•  Forms one layer of “rule of two”
–  Connects to Aruba mobility controller using Suite
B IPsec
•  Provides CPU separation for two Suite B
layers
Aruba RAP with Suite B

CONFIDENTIAL
Future: Interoperable High-
Assurance Networks

CONFIDENTIAL
Open Forum
30

CONFIDENTIAL

Industry breakout government military forum_jon green_stuart schulte

Recommended

Recommended

More Related Content

What's hot

What's hot (20)

Viewers also liked

Viewers also liked (20)

Similar to Industry breakout government military forum_jon green_stuart schulte

Similar to Industry breakout government military forum_jon green_stuart schulte (20)

More from Aruba, a Hewlett Packard Enterprise company

More from Aruba, a Hewlett Packard Enterprise company (20)

Recently uploaded

Recently uploaded (20)

Industry breakout government military forum_jon green_stuart schulte