The goal for this blog is to showcase a real-life network design situation with its business and technical requirements and their respective weights, the design options meant to fulfill these requirements with their pros and cons, and a walk-through on how the final solution was chosen.
Cyber security is a growing concern for everyone, and the U.S. Federal Government is spending heavily to modernize, consolidate and secure its IT architectures, and to save money, in order to protect sensitive and classified data. Current White House budget plans show the U.S. Federal Government spending an estimated $86 billion on IT in 2016. One of the major IT initiatives within the Department of Defense (DoD) is the Joint Information Environment (JIE): a single, joint, secure, reliable and agile command, control, communications and computing enterprise information environment. It will provide email, Internet access, common software applications and cloud computing. Its main objectives are to increase operational efficiency, enhance network security and save money by reducing infrastructure and staffing.
Requirements, Challenges and Constraints
With the current state of geopolitical events, being able to communicate effectively and efficiently on classified networks with coalition partners is a top priority. Federal agencies' classified networks, their data and their cyber security postures are constrained by a web of mandates, regulations and policies. Additionally, many non-commercial (government-only) designs rely on solutions that end up being cost prohibitive to implement and maintain over the long term. With technology changing rapidly, a design built from commercial vendor products that is reliable, scalable and secure, and that can also carry classified networks over commercial transport in a clandestine manner, is highly desirable. It is assumed that your current IT staff has the skill sets and the manpower required for continued operations of whichever design is selected.
Conceptual Design Overview
The Commercial Solutions for Classified (CSfC) program publishes governing solution guidelines referred to as capability packages (CPs). The CPs can be used separately or combined to meet the designer's requirements. Figure 1 shows a very common hub-and-spoke setup: Site A is the headend and Site B is the spoke. Two layers of VPN are visible, an outer VPN and an inner VPN, and both use Suite B cryptographic algorithms to protect the classified network(s). The reason for two layers is that a weakness, failure or misconfiguration in one layer must not expose the classified network. For that to hold, the outer and inner VPN technologies cannot be identical, e.g. the same product, OS or cryptographic library, because a shared defect would break both layers at once. Because the VPN setup uses X.509 certificates for authentication and authorization, a Certificate Revocation List (CRL) Distribution Point (CDP) can be made reachable from the VPN gateways so that the certificate presented by the spoke site is checked for revocation before the VPN is allowed to establish. The gateway should fail closed when the CRL cannot be retrieved; a revocation check that silently skips itself when the CDP is unreachable offers no protection against a compromised spoke certificate.
VPN Design Selection
Now that we have gone over the business requirements, challenges, constraints, architectural vision (JIE) and the conceptual design of CSfC VPNs, we can start on the VPN design selection by looking at the pros and cons of each option. In Table 1 we look at three possible options and compare them with one another. Because the design must work over commercial public transport offerings around the world, private network/WAN VPN design options were eliminated from consideration.
Table 1: pros and cons of the three candidate options, Flex VPN, DMVPN and Point-to-Point GRE VPN (the body of the table is not reproduced here).
Table 2 is a comparison chart that depicts how the design options map to the business requirements [BR] and technical requirements [TR] for our use case. It's important to note that in most cases you will have both explicit and implicit requirements; identifying them and including them in your design is key to success. The weight scale used is 5 = must meet, 3 = should meet and 1 = nice to have. A score of 0 means the option does not satisfy that requirement.
| Requirement | Weight | Design Solution Flex VPN | Design Solution DMVPN | Design Solution P2P GRE VPN |
|---|---|---|---|---|
| [BR] Can be used/shared with US Coalition partners | 5 | 5 | 5 | 5 |
| [BR] Meets or exceeds federal mandates, regulations and policies | 5 | 5 | 5 | 5 |
| [BR] Non Proprietary | 5 | 5 | 0 | 5 |
| [BR] Can operate in a clandestine manner | 3 | 3 | 3 | 3 |
| [BR] Low cost to implement and/or maintain | 3 | 0 | 3 | 0 |
| [TR] Supports Multicast | 1 | 1 | 1 | 1 |
| [TR] Supports Voice and Video | 3 | 3 | 3 | 3 |
| [TR] Supports per tunnel/SA QoS | 1 | 1 | 0 | 1 |
| Total | | 34 | 31 | 31 |

(The totals are those published with the original table. The rows reproduced here sum to 23, 20 and 23, and the visible weights only add up to 26, so the original table contained additional rows that are not reproduced here.)

DMVPN is eliminated because it fails a "must meet" criterion (it is proprietary, weight 5), leaving only P2P GRE VPN and Flex VPN. The Flex VPN option scores better overall and beats P2P GRE VPN on scalability: the hub clones one virtual-access interface per spoke from a single template, whereas P2P GRE requires a separately configured tunnel interface on the hub for every spoke. Now that we have identified our VPN selection, we need to create the proposed design.
Once you have completed the proposed design, being able to show and articulate to stakeholders, managers and engineers how it will integrate with the desired architecture is key to gaining approval. Meeting or exceeding the business and technical requirements does not guarantee your design will be selected; many of the competing designs being pitched will meet or exceed the requirements as well. Understanding the business and its intricacies from a holistic view is what will set your design apart in the end. Below are the proposed design's high-level talking points. Figure 2 shows the proposed design and how it integrates into the current architecture.
This design solution provides:
- Easy integration with existing architectures
- Standards-based, non-proprietary IPsec VPN implementations
- A defense-in-depth security posture
- Greater cost savings when expanded to support multiple classified networks
- The ability to conduct clandestine operations using commercial vendor products and the Internet
- The ability to integrate other use cases such as wireless, mobile devices and data-at-rest (DAR)
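As an added illustration, and not configuration from the original post or from the author's deployment, the following sketch shows what the outer layer of the selected Flex VPN hub-and-spoke design could look like on a Cisco IOS/IOS-XE router. It covers the three mechanisms from the conceptual design: Suite B IKEv2/IPsec algorithms, X.509 (ECDSA) certificate authentication in both directions, and a CRL check that fails closed before a spoke's tunnel is accepted. All object names, subject names, addresses and the choice of the 192-bit Suite B parameter set (AES-256-GCM, SHA-384, ECDH P-384) are assumptions made for the example. The inner layer is deliberately not shown: the design requires it to run on a different product with a different cryptographic library, so a second copy of this configuration on another IOS box would not satisfy it.

```cisco
! ---- Site A (headend): outer-layer Flex VPN hub (assumed names/addresses) ----
!
! EC key pair for the gateway's own certificate (assumed label OUTER-ECKEY)
crypto key generate ec keysize 384 label OUTER-ECKEY
!
! Trustpoint for the outer-layer CA. The CA's CRL must be fetchable from the
! gateway via the HTTP CDP carried in each spoke certificate.
! 'revocation-check crl' on its own fails CLOSED: if the CRL cannot be
! retrieved, IKE authentication fails and no tunnel is built.
crypto pki trustpoint CSFC-OUTER-CA
 enrollment terminal pem
 subject-name CN=siteA-outer.example.test,OU=outer-vpn-hubs
 eckeypair OUTER-ECKEY
 hash sha384
 revocation-check crl
 ! WEAK SETTING (do not use): 'revocation-check crl none' falls back to no
 ! check when the CDP is unreachable, so a spoke presenting a revoked
 ! certificate would still be allowed to establish the outer tunnel.
!
! Only certificates issued by the outer-layer CA for spoke gateways may
! bind to this profile (authorization, on top of certificate authentication).
crypto pki certificate map SPOKES 10
 issuer-name co ou = csfc outer ca
 subject-name co ou = outer-vpn-spokes
!
! IKEv2 Suite B, 192-bit security level: AES-256-GCM, SHA-384 PRF,
! ECDH P-384 (group 20). GCM is an AEAD, so no separate 'integrity' line.
crypto ikev2 proposal SUITEB-192
 encryption aes-gcm-256
 prf sha384
 group 20
!
crypto ikev2 policy SUITEB-192
 proposal SUITEB-192
!
! Certificates (ECDSA) in both directions; no pre-shared keys anywhere.
crypto ikev2 profile FLEX-HUB
 match certificate SPOKES
 identity local dn
 authentication remote ecdsa-sig
 authentication local ecdsa-sig
 pki trustpoint CSFC-OUTER-CA
 dpd 10 3 on-demand
 virtual-template 1
!
crypto ipsec transform-set SUITEB-ESP esp-gcm 256
 mode tunnel
!
crypto ipsec profile FLEX-IPSEC
 set transform-set SUITEB-ESP
 set pfs group20
 set ikev2-profile FLEX-HUB
!
! One virtual-access interface is cloned per spoke from this template; that
! is what gives Flex VPN its per-tunnel QoS and scale advantage over P2P GRE.
interface Virtual-Template1 type tunnel
 ip unnumbered Loopback0
 tunnel source GigabitEthernet0/0
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile FLEX-IPSEC
!
! ---- Site B (spoke): outer-layer tunnel toward the hub (assumed address) ----
! The spoke carries a mirrored trustpoint, proposal, policy and IKEv2
! profile (not repeated here) and a static tunnel to the headend.
interface Tunnel0
 ip unnumbered Loopback0
 tunnel source GigabitEthernet0/0
 tunnel mode ipsec ipv4
 tunnel destination 203.0.113.10
 tunnel protection ipsec profile FLEX-IPSEC
!
! Operational checks after bring-up:
!   show crypto pki crls            - a CRL for CSFC-OUTER-CA must be cached
!   show crypto ikev2 sa detailed   - confirms ECDSA auth and the Suite B set
!   show crypto ipsec sa            - confirms esp-gcm 256 on the child SA
```

Revoke a test spoke certificate on the CA, publish the new CRL, and confirm that the spoke's next IKE_AUTH is rejected; then block the CDP from the hub and confirm that new tunnels fail rather than come up, which demonstrates the fail-closed behaviour the design depends on.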
While the high-level talking points mention cost savings, the financials section of your design proposal needs to show that the design is cost effective over the long term from both a capital expenditure (CAPEX) and an operational expenditure (OPEX) perspective. Include the devices' maintenance and support costs over time as well as direct savings, indirect savings, return on investment (ROI) and total cost of ownership (TCO).
The proposed design moves away from government-use-only, proprietary, non-commercial equipment, processes and training to commercially available equipment that uses standards-based, non-proprietary VPN implementations. This yields OPEX savings because special training is no longer needed for employees, whether they are on-site staff or off-site support escalation staff. Proprietary network management tools are also eliminated, and existing commercial tools are used for operations, administration and maintenance (OAM). From a CAPEX perspective, Type 1 encryption devices cost roughly 50% more than CSfC devices, and the gap is growing. Assuming 100 branch offices and a 5-year product lifecycle, the ROI over twenty years (four refresh cycles) for a single classified network easily justifies the initial CAPEX required for the proposed CSfC VPN design.
When these savings are combined with the business' intent to add multiple classified networks in the near future, the ROI will continue to increase, and the TCO per classified network will continue to fall as networks are added, because the same commercial gateways, tools and staff skills are reused for each one.
The Flex VPN design was selected because it best met the requirements in this use case; it should be noted, however, that the choice is not usually this clear-cut. It is also very common for your management, or your customer's management (depending on the situation), to change their minds about the requirements and their priorities throughout the process. The Cisco Certified Design Expert (CCDE) prepares you for complex situations like these and lets you stand out in your company, with your customers and among your peers. The CCDE's true value is that it is not technology or vendor specific, which sets it apart from the other highly desired expert-level certifications.
The topics discussed in this use case are real and currently implemented around the world. For those of you who work in the U.S. Federal space and would like to know more about CSfC, please use my contact information below.
About the Author
Joe Galimi is a Sr. Solutions Architect for Northern Technologies Group’s US Federal team. He loves pushing innovation with his wild ideas and working on problems everyone else says cannot be done. In his free time he contributes to various architecture and design programs within the commercial and federal communities.
Here are a few additional ways for us to engage and keep the conversation going:
- Cisco Learning Network CCDE Study Group
- Connect on Twitter too
- CCDE study materials for the Written and Practical exams
- Related Unleashing CCDE blogs: A Network Designer's Thought Process Part 1 by Cary Chen, Network Function Virtualization in Enterprise by Stephen Lynn, All Smoke and Mirrors by Michael Kowal – Part 1, IWAN Part 1: PfRv3 Design Considerations by Dmytro Muzychko
- Related links: Joint Information Environment (JIE), Commercial Solutions for Classified, Suite B cryptography algorithm, Type 1 encryption device