FEDERAL SECURED WIRELESS BRIEF - CSFC

Transcription

1 FEDERAL SECURED WIRELESS BRIEF - CSFC Brian Baker Regional Security Lead - Army/SOF/NG World Wide Technology 16JUN2015 Copyright 2013 World Wide Technology, Inc. All rights reserved.

2 WHAT IS THE CSFC? Commercial Solutions for Classified (CSfC) Program by the NSA U.S. Government customers increasingly require immediate use of the market's most modern commercial hardware and software technologies within National Security Systems (NSS) in order to achieve mission objectives. Consequently, the National Security Agency/Central Security Service's (NSA/CSS) Information Assurance Directorate (IAD) is developing new ways to leverage emerging technologies to deliver more timely IA solutions for rapidly evolving customer requirements. NSA/CSS's Commercial Solutions for Classified (CSfC) Program has been established to enable commercial products to be used in layered solutions protecting classified NSS data. This will provide the ability to securely communicate based on commercial standards in a solution that can be fielded in months, not years. ( )

3 WHAT DOES THE CSFC OFFER? Capability Package NSA/CSS is developing sets of Capability Packages in order to provide customers with ready access to the information needed to satisfy their operational requirements. Capability Packages contain product-neutral information that will allow customers/integrators to successfully implement their own solutions. Using the information in the Capability Package, customers/integrators make product selections while following the guidelines/restrictions to create an architecture with specific commercial products configured in a particular manner. CSfC Capability Packages will provide sufficient guidance for accreditors to make informed decisions on whether solutions meet their mission and security requirements.

4 CURRENT CSFC CAPABILITY PACKAGES Campus WLAN Capability Package Virtual Private Network (VPN) Capability Package Mobility Capability Package Data-at-Rest (DAR) Capability Package

5 CAPABILITY PACKAGES - WHAT'S IN DEVELOPMENT NSA is currently updating and evolving its suite of Capability Packages. Upcoming releases include: Mobile Access CP v1.1 update to Mobile Access CP to include more user comments and requirements. Campus WLAN CP v2.0 evolution of Campus Wireless LAN CP; features a shared WPA2 layer. (Estimated date: Feb 2016) Data at Rest v3.0 CP hardware FDE technology; e.g., Self Encrypting Drives. (Estimated date: TBD 2016) Secure Multisite Connectivity CP extends VPN v3.1 to include MACsec use cases; enables secure high speed connectivity. (Estimated date: April 2016)

6 HOW? DAA (Designated Approving Authority) Approval Clearly Defined and Articulated Requirements Project Plan Supporting Documentation Fiduciary Duty (Due Diligence) Risk Mitigation NSA Support CSfC DISA Security Technical Implementation Guidelines (STIG s) Document Defined Waiver s

7 SUPPORTING DOD DOCUMENTATION DOD INSTRUCTION NUMBER WIPS/WIDS Army Wireless LAN Policy DoDD Encryption of unclassified data for transmission to and from wireless devices is required. Exceptions may be granted on a case-by-case basis as determined by the Designated Approving Authority (DAA) for the wireless connections under their control. At a minimum, data encryption must be implemented end-to-end over an assured channel and shall be validated under the Cryptographic Module Validation Program as meeting requirements per Federal Information Processing Standards (FIPS) Publication (PUB) 140-2, Overall Level 1 or Level 2, as dictated by the sensitivity of the data (reference (g)). DoDD Supplement x Requirement This document added additional guidance related IEEE wireless LAN technologies and security. In addition to detailing the data-in-transit security requirements when deploying IEEE networks, the document also stated that continuous 24/7 wireless intrusion detection was required for wired and wireless networks. AR 25-2 Information Assurance - PED s (Personal Electronic Device) standards Army CIO/G-6, SAIS-CB, Wireless Security Standards - Wireless Best Practices

8 How do we get there?

9 TRUSTED INTEGRATOR LIST Vetted by NSA as a Tusted Provider through an interview process Allows Customers to outsource the design, architecture and implementation of the CSfC network.

10 GETTING THERE Use the tools and resources available. CSfC Institutional Knowledge Commercial Knowledge Industry Knowledge Define the requirements Resource the Project, bring in the right players early (IA, Network Team, Service Desk Team, etc.) PLAN, PLAN, PLAN, Implement/Execute

11 What are the Guidelines?

12 CSfC Campus WLAN Capability Package v1.1 Dated 14DEC2012

13 AGNOSTIC NSA OVERVIEW

14 User Equipment Access Network Protected Network VPN Enterprise Firewall Wireless Controller VPN CA Enterprise 802.1x/WLAN Authentication WIPS/WIDS WLAN CA Management

15 USER EQUIPMENT (UE)

16 DMZ ARCHITECTURE

17 HIGH LEVEL MOBILE DEVICE- INFRASTRUCTURE CONNECTION The following summarizes the sequence of events that occur in order to establish network access from a wireless Mobile Device in the architecture: 1) The Mobile Device is powered on. The WLAN Client automatically associates with the Wireless System. 2) The Wireless System requires the WLAN Client to perform an IEEE 802.1X authentication before providing access. The WLAN Client and WLAN Authentication Server mutually authenticate using ITU-T X.509v3 machine certificates. The Wireless System acts as a pass through to WLAN Authentication Server during these communications. If either WLAN Authentication Server or the WLAN Client determines that the other party s certificate is not valid, communication will cease. 3) The WLAN Client and WLAN Authentication Server execute a key establishment protocol (EAP-TLS) to derive the PMK. 4) WLAN Authentication Server passes the PMK to the Wireless System using RADIUS inside an IPsec protected wired connection. Depending on the vendor, the Wireless System will either keep the PMK on the Wireless Controller or push the keys out to the appropriate AP as needed. 5) The WLAN Client and Wireless System perform a 4-way handshake to derive a session key from the PMK. From this point forward all communication between the Wireless Client and the Wireless System is protected with this session key. 6) The VPN Client and VPN Gateway mutually authenticate via ITU-T X.509v3 machine certificates. If either the VPN Client or the VPN Gateway determines that the other party s certificate is not valid, all communications will cease. 7) The VPN Client and VPN Gateway negotiate keys, algorithms, and parameters for the IPsec connection using IKE. From this point forward all communication between the VPN Client and VPN Gateway is protected with an IPsec tunnel. 8) At this point the Mobile Device is connected to the wired network, but does not have access to services. Unless the system owner wants to establish a user authentication method specifically for wireless users, the Mobile Device and the network perform a user authentication to gain service access using the authentication method already implemented on the wired network.

18 Interactions with Enterprise Services The two layers of encryption (WLAN and VPN) required by this Capability Package result in the creation of nested secure tunnels that carry Internet Protocol (IP) packets between the mobile device and the Enterprise Mobility Infrastructure. The VPN Gateway acts as the endpoint of the inner tunnel on the infrastructure side. Integration with the back-end enterprise network on the unencrypted side of the inner tunnel is outside the scope of this Capability Package, but this section identifies some best practices. Appropriate organizational policies and directives should be consulted for definitive information.

19 Authentication and Authorization: The WLAN and VPN Gateway only authenticate mobile device identity using machine certificates. It is recommended (and may be required) that the mobile device user be authenticated prior to granting access to backend application services. This verification should be centralized and occur as close to the network edge as possible. Guidance: The following references provide useful guidance for securing remote access to enterprise resources for the Department of Defense (DoD). This guidance for securing remote access should be applied within the context of the classified network for which a wireless connection is provided. Secure Remote Computing (SRC) Security Technical Implementation Guide (STIG), Defense Information Systems Agency (DISA) Network Infrastructure Technology Overview, DISA Remote Access Policy STIG, DISA Remote Access Server (RAS) STIG, DISA

20 Enterprise Services The Campus WLAN solution described in this Capability Package is application-agnostic in that it provides an end-to-end path for IP packets between the UE and the Enterprise Network without regard to what those IP packets contain. Enterprise services may or may not depend on the ability of the UE to provide local non-volatile storage for user data, configuration data, or state information (e.g., persistent cookies).

21 REQUIREMENTS

22 NSA UPDATES Date Item 16 June 2015 Updated the Components list 11 June 2015 Updated the Components list 08 June 2015 Updated the Components list; Updated the Archived Components list, Updated the VPN, Mobile Access, WLAN and DAR Registration Forms; Updated the VPN Compliance Checklist 27 May 2015 Updated the Components list 21 May 2015 Updated the Components list; Updated the Trusted Integrator list 21 May 2015 Updated the Components list; Updated the Trusted Integrator list 18 May 2015 Updated the Components list; Updated the VPN Compliance Checklist; Removed the Mobility Program page; 11 May 2015 Updated the Components list; Updated the Trusted Integrator list; Updated the Backround section 29 Apr 2015 Updated the DaR CP portion of the page; Updated the Mobile Access CP portion of the page 23 Apr 2015 Updated the Components list; Updated the DaR Compliance Checklist form; Updated the DAR Registration form; Added new Trusted Integrator; Added new component to the Comoponents list; Removed Non-technical and technical FAQs 02 Apr 2015 Updated the Components list; Updated the VPN Compliance Checklist form ; Added new Trusted Integrator 01 Apr 2015 Updated the CSfC homepage; Updated the Campus WLAN Registration Form; Added new Trusted Integrator

23 CSFC APPROVED PRODUCTS LIST What is the Process to get a Commercial Product CSfC-Listed? Vendors who wish to have their products eligible as CSfC components of a composed, layered IA solution must build their products in accordance with the applicable US Government approved Protection Profile(s) and submit their product using the Common Criteria Process. The vendor will enter into a Memorandum of Agreement (MoA) with NSA. The MoA specifies that the vendor s product must be NIAP certified, FIPS certified, and that the vendor agrees to fix vulnerabilities in a timely fashion. The MoA may also reference technology-specific selections for NIAP testing.

24 CSFC APPROVED PRODUCT LIST CSFC Component Vendor Model Version (or later) CNSSP-11 Compliance Apriva VPN Server Red Hat Enterprise 6.5 NIAP Validation Ongoing (at InfoGard) Aruba 600 Series Mobility Controllers Aruba OS NIAP Validation Ongoing (at CSC) Aruba 3000 Series Mobility Controllers Aruba OS NIAP Validation Ongoing (at CSC) Aruba 6000 Series Mobility Controllers Aruba OS NIAP Validation Ongoing (at CSC) Aruba 7005, 7010, 7024 and 7030 Mobility Controllers Aruba OS NIAP Validation Ongoing (at CSC) IPsec VPN Gateway Click for Selections Aruba 7200 Series Mobility Controllers Aruba OS NIAP Validation Ongoing (at CSC) Brocade Communications Systems Cisco MLXe Series Router 1905, 1921, 1941, 2901, 2911, and 2921 Integrated Services Routers 15.2(4)M6 IOS Cisco 2951, 3925, and 3945 Integrated Services Routers 15.2(4)M6 IOS Cisco 3925E and 3945E Integrated Services Routers 15.2(4)M6 IOS Cisco 1001-X, 1002-X, 1006 including ESP-100, and 1013 including ESP-100 or ESP-200 Aggregation Services Routers IOS XE Cisco 5940 and 5915 Embedded Services Routers IOS 15.2(4)GC Cisco 819, 819W, 819HGW, 819H-4G, 881, 881G, 881GW, 881W- GN-A-K9, 881GW-GN-A-K9, 891 and 891W Integrated 15.2(4)M7 Services Routers Cisco 4431-X, 4451-X Integrated Services Router IOS XE Cisco 4351, 4331, 4321 Integrated Services Routers IOS XE Cisco ASA 5500-X Midrange Appliances 5506-X Series, 5508-X Series, 5512-X, 5515-X, 5525-X, 5545-X; 5555-X; ASA x X Series High-end Appliances , , , ; ASA-SM for Catalyst 6500 with Sup2T In Contracting Phase NIAP Validation Completed (at Leidos) NIAP Validation Completed (at Leidos) NIAP Validation Completed (at Leidos) NIAP Validation Ongoing (at Booz Allen Hamilton) NIAP Validation Completed (at Leidos) NIAP Validation Completed (at Booz Allen Hamilton) NIAP Validation Completed (at Leidos) NIAP Validation Ongoing (at Leidos) In Contracting Phase ***Complete CSFC List can be found at:

25 COMPONENT SELECTION RESTRICTIONS

26 ALGORITHMS: Approved Interim Algorithms: Approved Suite B Algorithms:

27 LIFECYCLE REQUIRMENTS (CUSTOMER RESPONSIBILITIES) The following types of changes must be addressed during a component s/solution s lifecycle: Component Change: CSfC Components Lists and IA Alerts must be monitored for changes/updates. Guidance provided with the CSfC Components Lists and IA Alerts must be followed to continue to be in compliance with the Capability Package. Routine Capability Package Update: If a Capability Package is updated, all solutions based on that Capability Package must be validated against the latest Capability Package annually and have 6 months to come into compliance. Emergency Capability Package Update: If a Capability Package is deemed no longer to provide the level of security stated in the document, all solutions based on that Capability Package must be updated to the lasted version as soon as possible. NSA will provided an updated risk statement and possible mitigations (if available) to all registered users of the Capability Package with a required timeline for update.

28 REFERENCE ARCHITECTURES Feasible Solutions and Examples

29 NSA COMMERCIAL SOLUTION FOR CLASSIFIED VPN V2.0 SOLUTION (CISCO SINGLE VENDOR)

30 User Equipment Access Network Protected Network VPN Enterprise Firewall Wireless Controller VPN CA Enterprise 802.1x/WLAN Authentication WIPS/WIDS WLAN CA Management

31 Proposed Wireless Solution Android Device Windows Wireless Black Transport ios x AP 3702x AP 5508 WLC Black Identity Services Engine (ISE) AD/CA Prime Infrastructure Mobility Services Engine (MSE) ISRG2 ASR IOS FW Outer DMZ AD/CA Identity Services Engine (ISE) VPN/Firewall/Authentication Servers on Different Code Base ASA 55XX-X FW Enterprise AD/CA Identity Services Engine (ISE) Inner Tunnel Device WPA2 AES-128-CCMP 2 ASA 55XX-X Outer Tunnel AES-256-GCM Suite B IPSec Outer VPN AES-256-GCM or TLS Inner Application VPN 1 Wireless AES WPA2 & 802.1x 2 ISR/ASR IOS FW to Protect Wireless DMZ Services (AD,CA,ISE,MSE) 3 ASA SuiteB IPSec Outer 4 ASA FW Protects Inner Device 5 Inner Application VPN - TLS/SRTP/IPSec WLC & ISE can Authenticate to AD/LDAP to Allow Roaming Access AnyConnect VPN Launched from Any Location (Local, Hotel etc.)

32 Android Device Windows Wireless Black Transport ios 3602x AP 3702x AP 5508 WLC Black Identity Services Engine (ISE) AD/CA Prime Infrastructure Mobility Services Engine (MSE) ISRG2 ASR IOS FW Outer DMZ AD/CA Identity Services Engine (ISE) ASA 55XX-X Outer Tunnel ASA 55XX-X FW Enterprise AD/CA Identity Services Engine (ISE) Inner Tunnel Device Wireless is AC Capable WLC & ISE can Authenticate to AD/LDAP to Allow Roaming Access Cisco Prime Offers Centralized Management of Wired & Wireless Infrastructure to Include Location Tracking, Frequency Mgt, Rogue Detection etc. Single Client with Same AnyConnect VPN Launched from Any Location (Local, Hotel etc.) O&M of ASA is Familiar as Other ASA s are Deployed Today Existing PKI Infrastructure In Place Today to Support NGE (Suite B)

33 QUESTIONS NEXT STEPS