Commercial Solutions for Classified (CSfC): The Future of the US Federal Market Space

 

The goal for this blog is to showcase a real-life network design situation with its business and technical requirements and their respective weights, the design options meant to fulfill these requirements with their pros and cons, and a walk-through on how the final solution was chosen.

 

Background

Cyber security is a growing concern for everyone, and the U.S. Federal Government is spending big to modernize, consolidate, secure and save in its IT architectures to protect sensitive and classified data. Current White House budget plans show the U.S. Federal Government spending an estimated $86 billion on IT in 2016. One of the major IT initiatives within the Department of Defense (DoD) is the Joint Information Environment (JIE), a single, joint, secure, reliable and agile command, control, communications and computing enterprise information environment. It will provide email, Internet access, common software applications and cloud computing. The main objectives are to increase operational efficiency, enhance network security and save money by reducing infrastructure and staffing.

 

Requirements, Challenges and Constraints

With the current state of geopolitical events, being able to communicate effectively and efficiently on classified networks with coalition partners is a top priority. Current federal agencies’ classified networks, data, and their cyber security postures are riddled with challenges by way of various mandates, regulations and policies. Additionally, many non-commercial and non-proprietary designs use solutions that end up being cost prohibitive to implement and maintain long term. With technology rapidly changing, leveraging commercial vendor products to create a reliable, scalable and secure design that also provides the ability to operate on classified networks in a clandestine manner is highly desired. It is assumed that your current IT staff has the skill sets needed and the manpower required for continued operations given the design selected.

 

Conceptual Design Overview

The Commercial Solutions for Classified (CSfC) program has governing solution guidelines referred to as capability packages (CPs). The CPs can be used separately or combined to meet the designer’s requirements. In Figure 1 you see a very common hub and spoke setup. Site A is the headend and Site B is the spoke. You can see two layers of VPNs, an outer VPN and an inner VPN; both use Suite B cryptographic algorithms to protect the classified network(s). The reason for two layers of VPNs is to ensure that a weakness, failure or misconfiguration in one layer does not expose the classified network. In that regard, the outer and inner VPN technologies cannot be identical, e.g., the same product, OS or cryptographic library. Because the VPN setup uses X.509 certificates for authentication and authorization, a Certificate Revocation List (CRL) Distribution Point (CDP) can be made available to the VPN gateways so that the certificate presented by the spoke site is checked for revocation before the VPN is established.

Figure 1
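The certificate handling described above, as an added example that is not part of the original post and is not any vendor's gateway code: a headend validates the spoke's certificate chain to the enterprise CA, verifies that the CRL it fetched from the CDP is signed by that CA and still current, and only then checks the peer's serial against it. The PKI is generated in memory with Go's standard library as a stand-in; the CA name, the spoke gateway names, the serial numbers and the 24-hour CRL validity are constructed assumptions.

```go
// Added example (not from the original post): the certificate checks a CSfC VPN
// gateway performs on a peer before IKE completes. The PKI is a constructed stand-in.
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// DemoPKI: a P-384 (Suite B) CA, a good spoke cert, a revoked spoke cert, and the CA-signed CRL (all DER).
type DemoPKI struct {
	CA                           *x509.Certificate
	GoodSpoke, RevokedSpoke, CRL []byte
}

// BuildDemoPKI generates the fixture; it panics on failure because it is test material, not gateway logic.
func BuildDemoPKI(now time.Time) *DemoPKI {
	must := func(err error) { if err != nil { panic(err) } }
	caKey, err := ecdsa.GenerateKey(elliptic.P384(), rand.Reader)
	must(err)
	caTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Example CSfC Root CA"}, // hypothetical
		NotBefore: now.Add(-time.Hour), NotAfter: now.AddDate(10, 0, 0),
		IsCA: true, BasicConstraintsValid: true,
		KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageCRLSign, // the CA signs both certificates and CRLs
	}
	caDER, err := x509.CreateCertificate(rand.Reader, caTmpl, caTmpl, &caKey.PublicKey, caKey)
	must(err)
	ca, err := x509.ParseCertificate(caDER)
	must(err)
	// issue signs a spoke gateway certificate restricted to IPsec tunnel use.
	issue := func(serial int64, cn string) []byte {
		key, err := ecdsa.GenerateKey(elliptic.P384(), rand.Reader)
		must(err)
		der, err := x509.CreateCertificate(rand.Reader, &x509.Certificate{
			SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn},
			NotBefore: now.Add(-time.Hour), NotAfter: now.AddDate(1, 0, 0),
			KeyUsage:    x509.KeyUsageDigitalSignature,
			ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageIPSECTunnel},
		}, ca, &key.PublicKey, caKey)
		must(err)
		return der
	}
	// The CRL revokes serial 1002 and is valid for 24 hours (constructed values).
	crl, err := x509.CreateRevocationList(rand.Reader, &x509.RevocationList{
		Number: big.NewInt(7), ThisUpdate: now.Add(-time.Minute), NextUpdate: now.Add(24 * time.Hour),
		RevokedCertificates: []pkix.RevokedCertificate{{SerialNumber: big.NewInt(1002), RevocationTime: now.Add(-time.Minute)}},
	}, ca, caKey)
	must(err)
	return &DemoPKI{CA: ca, GoodSpoke: issue(1001, "spoke-b.outer-vpn.example"), // hypothetical names
		RevokedSpoke: issue(1002, "spoke-c.outer-vpn.example"), CRL: crl}
}

// AdmitPeer returns nil only if peerDER chains to ca, the CRL is signed by ca and
// still current, and the peer's serial is absent from it. Anything else is a denial.
func AdmitPeer(peerDER, crlDER []byte, ca *x509.Certificate, now time.Time) error {
	peer, err := x509.ParseCertificate(peerDER)
	if err != nil {
		return fmt.Errorf("parse peer: %v", err)
	}
	roots := x509.NewCertPool()
	roots.AddCert(ca)
	opts := x509.VerifyOptions{Roots: roots, CurrentTime: now, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageIPSECTunnel}}
	if _, err := peer.Verify(opts); err != nil {
		return fmt.Errorf("chain: %v", err)
	}
	crl, err := x509.ParseRevocationList(crlDER)
	if err != nil {
		return fmt.Errorf("parse CRL: %v", err)
	}
	if err := crl.CheckSignatureFrom(ca); err != nil { // a CRL not issued by our CA is worthless
		return fmt.Errorf("CRL signature: %v", err)
	}
	if now.After(crl.NextUpdate) { // a stale CRL proves nothing about revocation: fail closed
		return fmt.Errorf("CRL expired at %s; refusing peer", crl.NextUpdate.UTC().Format(time.RFC3339))
	}
	for _, rc := range crl.RevokedCertificates {
		if rc.SerialNumber.Cmp(peer.SerialNumber) == 0 {
			return fmt.Errorf("certificate serial %s is revoked", peer.SerialNumber)
		}
	}
	return nil
}

func main() {
	now := time.Now()
	pki := BuildDemoPKI(now)
	fmt.Println("good spoke, fresh CRL:   ", AdmitPeer(pki.GoodSpoke, pki.CRL, pki.CA, now))
	fmt.Println("revoked spoke, fresh CRL:", AdmitPeer(pki.RevokedSpoke, pki.CRL, pki.CA, now))
	fmt.Println("good spoke, stale CRL:   ", AdmitPeer(pki.GoodSpoke, pki.CRL, pki.CA, now.Add(48*time.Hour)))
}
```

The third case is the one worth dwelling on: if the CDP is unreachable and the gateway keeps working from an expired CRL, a revoked spoke certificate would still be admitted, so a current CRL is treated as a precondition rather than a nicety.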

 

VPN Design Selection

Now that we have gone over the business requirements, challenges, constraints, architectural vision (JIE) and the conceptual design of CSfC VPNs, we can start on the VPN design selection by looking at the pros and cons of each option. In Table 1 we will look at three possible options and compare them with one another. Because the design must work over commercial public transport offerings around the world, private network/WAN VPN design options were eliminated from consideration.

 

Design Option: Point-to-Point GRE VPN
  Pros:
    • Non proprietary
    • Supports multicast and dynamic routing protocols
    • Supports per tunnel QoS
    • Supports non-IP protocols
  Cons:
    • Administratively intensive
    • Low scalability

Design Option: DMVPN
  Pros:
    • Supports multicast and dynamic routing protocols
    • Medium scalability
    • Supports per tunnel QoS (Hub to Spoke only)
  Cons:
    • Vendor proprietary
    • Multicast replication done at hub
    • Added troubleshooting complexity

Design Option: Flex VPN
  Pros:
    • Non proprietary
    • Supports multicast and dynamic routing protocols
    • High scalability
    • Supports per SA QoS, Hub to Spoke and Spoke to Spoke
  Cons:
    • IKEv2 support only
    • Multicast replication done at hub (native multicast replication after encryption, if transport supports)
    • May require hardware upgrades

Table 1

 

Table 2 is a comparison chart that depicts how the design options map to the business requirements [BR] and technical requirements [TR] for our use case. It’s important to note that in most cases you will have explicit and implicit requirements; identifying them and including them in your design is key to success. The weight scale used is 5 = must meet, 3 = should meet and 1 = nice to have. An option scores the full weight for each requirement it meets and 0 for each it does not.

DMVPN is eliminated because it fails a “must meet” criterion, leaving only P2P GRE VPN and Flex VPN. The Flex VPN option scored better overall and beats out the P2P GRE VPN from a scalability standpoint. Now that we have identified our VPN selection, we need to create the proposed design.

 

Requirement                                                       Weight  Flex VPN  DMVPN  P2P GRE VPN
[BR] Can be used/shared with US Coalition partners                     5         5      5            5
[BR] Meets or exceeds federal mandates, regulations and policies       5         5      5            5
[BR] Non Proprietary                                                   5         5      0            5
[BR] Can operate in a clandestine manner                               3         3      3            3
[BR] Low cost to implement and/or maintain                             3         0      3            0
[TR] Reliable                                                          3         3      3            3
[TR] Scalable                                                          3         3      3            0
[TR] Secure                                                            5         5      5            5
[TR] Supports Multicast                                                1         1      1            1
[TR] Supports Voice and Video                                          3         3      3            3
[TR] Supports per tunnel/SA QoS                                        1         1      0            1
Total                                                                           34     31           31

Table 2
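The selection method behind Table 2, as an added example that is not part of the original post: each option scores the full weight of every requirement it meets, any option that misses a weight-5 (“must meet”) requirement is eliminated before totals are compared, and the survivors are ranked by total. The requirement names, weights and scores are the post's own; the data structures and the ranking code are illustrative and not from any tool the author used.

```go
// Added example (not from the original post): weighted requirement scoring
// with a "must meet" gate, fed with the Table 2 values from the post.
package main

import (
	"fmt"
	"sort"
)

// Requirement weights follow the post's scale: 5 = must meet, 3 = should meet, 1 = nice to have.
type Requirement struct {
	Name   string
	Weight int
}

// Option records which requirements a design meets. A met requirement scores
// its full weight; an unmet one scores 0.
type Option struct {
	Name  string
	Meets map[string]bool
}

type Result struct {
	Name       string
	Total      int
	FailedMust []string // weight-5 requirements not met; any entry eliminates the option
}

// Table2Requirements reproduces the rows of Table 2.
var Table2Requirements = []Requirement{
	{"[BR] Can be used/shared with US Coalition partners", 5},
	{"[BR] Meets or exceeds federal mandates, regulations and policies", 5},
	{"[BR] Non Proprietary", 5},
	{"[BR] Can operate in a clandestine manner", 3},
	{"[BR] Low cost to implement and/or maintain", 3},
	{"[TR] Reliable", 3},
	{"[TR] Scalable", 3},
	{"[TR] Secure", 5},
	{"[TR] Supports Multicast", 1},
	{"[TR] Supports Voice and Video", 3},
	{"[TR] Supports per tunnel/SA QoS", 1},
}

// Table2Options lists, per design, the requirements that scored 0 in Table 2.
var Table2Options = []Option{
	{"Flex VPN", allBut("[BR] Low cost to implement and/or maintain")},
	{"DMVPN", allBut("[BR] Non Proprietary", "[TR] Supports per tunnel/SA QoS")},
	{"P2P GRE VPN", allBut("[BR] Low cost to implement and/or maintain", "[TR] Scalable")},
}

// allBut marks every Table 2 requirement as met except the ones named.
func allBut(unmet ...string) map[string]bool {
	m := make(map[string]bool, len(Table2Requirements))
	for _, r := range Table2Requirements {
		m[r.Name] = true
	}
	for _, u := range unmet {
		m[u] = false
	}
	return m
}

// Evaluate scores each option and sorts survivors first by descending total;
// eliminated options follow, so a high total never hides a failed "must meet".
func Evaluate(reqs []Requirement, opts []Option) []Result {
	results := make([]Result, 0, len(opts))
	for _, o := range opts {
		r := Result{Name: o.Name}
		for _, q := range reqs {
			if o.Meets[q.Name] {
				r.Total += q.Weight
			} else if q.Weight == 5 {
				r.FailedMust = append(r.FailedMust, q.Name)
			}
		}
		results = append(results, r)
	}
	sort.SliceStable(results, func(i, j int) bool {
		ei, ej := len(results[i].FailedMust) > 0, len(results[j].FailedMust) > 0
		if ei != ej {
			return !ei // survivors rank above eliminated options
		}
		return results[i].Total > results[j].Total
	})
	return results
}

func main() {
	for _, r := range Evaluate(Table2Requirements, Table2Options) {
		status := "candidate"
		if len(r.FailedMust) > 0 {
			status = fmt.Sprintf("eliminated (failed must-meet: %v)", r.FailedMust)
		}
		fmt.Printf("%-12s total %2d  %s\n", r.Name, r.Total, status)
	}
}
```

Note that DMVPN and P2P GRE VPN tie at 31; the gate, not the total, is what separates them, which is why the post eliminates DMVPN before comparing scores.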

 

Final design

Once you have completed the proposed design, being able to show and articulate to stakeholders, managers and engineers how it will integrate within the desired architecture is key to gaining approval. To that point, just because you meet or exceed the business and technical requirements doesn’t guarantee your design will be selected. Generally, many other designs being pitched will meet or exceed the requirements as well. That is why understanding the business and its intricacies from a holistic view is what will set your design apart from the rest in the end. Below are the proposed design’s high-level talking points. Figure 2 shows the proposed design and how it integrates into the current architecture.

 

This design solution provides:

  • Easy integration with existing architectures
  • Standards based non-proprietary IPsec VPN implementations
  • A defense-in-depth security posture
  • Greater cost savings when expanded to support multiple classified networks
  • The ability to conduct clandestine operations using commercial vendor products and the Internet
  • The ability to integrate other use cases such as wireless, mobile devices and data-at-rest (DAR)

Figure 2

 

Cost Comparison

While the high-level talking points mention the cost savings, when you’re pitching your design proposal the financials section needs to show that it is cost effective long term, from both capital expenditure (CAPEX) and operational expenditure (OPEX) perspectives. Include the devices’ maintenance and support costs over time as well as direct savings, indirect savings, return on investment (ROI) and total cost of ownership (TCO).

 

The proposed design moves away from government-use-only, proprietary, non-commercial equipment, processes and training to commercially available equipment that uses standards based, non-proprietary VPN implementations. This allows OPEX savings to be realized by no longer needing special training for employees, whether they are on site staff or off site support escalation staff. Additionally, proprietary network management tools are eliminated and existing commercial tools are used for operations, administration and maintenance (OAM). From a CAPEX perspective, Type 1 encryption device costs are roughly 50% more than CSfC device costs, and growing. Assuming there are 100 branch offices with a 5-year lifecycle for the products, over twenty years the ROI for one classified network easily justifies the initial CAPEX required for the proposed CSfC VPN design.

 

When combining the above-mentioned savings with the business’ intent to add multiple classified networks in the near future, the ROI will continue to increase while the TCO will continue to decrease exponentially with growth.

 

Summary

The Flex VPN design was selected as it best met the requirements in this use case; however, it should be noted that the choice is not always this obvious. Additionally, it is very common that your management or your customer’s management (depending on the situation) will change their minds about the requirements and their priority throughout the process. The Cisco Certified Design Expert (CCDE) prepares you for complex situations that allow you to stand out in your company, with your customers and among your peers. The CCDE’s true value is that it is not technology or vendor specific, which sets it far above the other highly desired expert level certifications.

 

The topics discussed in this use case are real and currently implemented around the world. For those of you who work in U.S. Federal and would like to know more about CSfC please use my contact information below.

 

About the Author

 


 

Joe Galimi is a Sr. Solutions Architect for Northern Technologies Group’s US Federal team. He loves pushing innovation with his wild ideas and working on problems everyone else says cannot be done. In his free time he contributes to various architecture and design programs within the commercial and federal communities.

 

 

 
