Commercial Solutions for Classified (CSfC) is an NSA initiative that allows users more flexibility in how they handle classified data, while still maintaining high IT security standards. Rather than mandating the use of Type 1 government off-the-shelf (GOTS) equipment, CSfC enables users to construct alternative solutions by assembling a number of commercial off-the-shelf (COTS) products.
To receive NSA approval, CSfC solutions must comply with a stringent set of security requirements. For example, users who want to send and receive mobile data, including voice and video calls, must protect that data with two nested, independently keyed encryption layers: a double VPN tunnel.
But what does a dual, or double, VPN tunnel look like for CSfC solutions, and how can you build one yourself?
In this article, we’ll go over what you need to know about building an outer tunnel for VPNs under the CSfC protocol.
Type 1 GOTS equipment is NSA-certified and battle-tested. In many cases, however, building a GOTS hardware product from scratch is too slow and expensive to be practical, and the result carries a higher total cost of ownership and a far greater degree of management complexity.
The CSfC program was founded on the idea that commercial off-the-shelf products, layered correctly, can serve as an acceptable substitute for government-built equipment, saving the government time and money and offering greater technological flexibility.
Building your own double VPN tunnel via CSfC can help you get a working solution up and running faster, along with other benefits such as lower total cost of ownership.
As part of the CSfC program, NSA publishes several Capability Packages as a starting point for users to implement their own solution. The products, or components, used to build a CSfC solution must be selected from the CSfC Components List. To be listed, a component must have completed NIAP Common Criteria evaluation against the relevant Protection Profile(s) and, where applicable, FIPS 140 validation of its cryptographic module.
The CSfC Multi-Site Connectivity Capability Package describes how to protect classified data in transit between sites using multiple nested encrypted tunnels built from a specified set of encryption protocols.
Using two nested, independent encryption tunnels protects the confidentiality and integrity of data as it moves through an untrusted network. Each of the two tunnels protects the data flow using one of two independent encryption protocols:
The outer tunnel of a dual tunnel VPN refers to the components that terminate the outer layer of encryption.
The Mobile Access Capability Package (MACP) outlines how to protect data carried over a mobile communication system (e.g. cellular networks or Wi-Fi). The MACP guidelines are very specific about how to build a mobile access solution for exchanging classified information.
Implemented correctly, this solution should work both for untrusted networks and for networks consisting of multiple classification levels.
According to the MACP document: “The MA solution uses two nested, independent tunnels to protect the confidentiality and integrity of data (including voice and video) as it transits the untrusted network. The MA solution uses Internet Protocol Security (IPsec) as the outer tunnel and, depending on the solution design, IPsec or Transport Layer Security (TLS) as the inner layer of protection.”
Using a double VPN tunnel provides defense in depth for classified data traveling across mobile networks. If a flaw in, or compromise of, the outer tunnel exposes the traffic it carries, an attacker on the untrusted network still sees only the inner tunnel's ciphertext: the data remains protected by the inner tunnel's independent encryption.
The double layer of encryption helps to prevent data spillage, a security incident where classified information is exposed to an unauthorized system or individual. This means that CSfC VPN solutions can transport extremely sensitive information, all the way up to TS (Top Secret).
We first need to define some terms for the networks that comprise a CSfC mobile access solution:
The components of a CSfC mobile access solution, moving from the edge of the infrastructure to the inner VPN tunnel, are:
Building an outer tunnel for your CSfC site-to-site connectivity or mobile access solution thus requires two separate components: the outer firewall and the outer VPN gateway.
In addition, note that the cryptographic implementation (library) used by the outer tunnel components must be independent of the one used by the inner tunnel. This is what makes the double encryption layer meaningful as defense in depth: a single implementation flaw, whether in the cipher code, the key exchange or the certificate handling, cannot strip both layers at once.
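The following Python model is an added illustration and is not code from the page, the Capability Packages or any CSfC product. It shows the two properties described above: the outer gateway peels off only the outer layer and still forwards ciphertext toward the inner gateway, and the two layers use unrelated crypto code paths. The "tunnels" are toy stand-ins for IPsec ESP and TLS record protection (a keystream from a keyed hash in counter mode plus an HMAC tag, encrypt-then-MAC); they are built on different hash functions only to mimic the independence requirement, and the protocol and library names in `check_layer_independence` are assumed inputs, not a complete statement of the CSfC rules.

```python
"""Nested-tunnel model with two independent encryption layers.

Added illustration only; the cipher below is a toy, not IPsec or TLS.
"""
import hashlib
import hmac
import os


class Layer:
    """One encryption layer (tunnel) built on a single keyed hash `prf`."""

    def __init__(self, name: str, key: bytes, prf: str):
        self.name, self.key, self.prf = name, key, prf

    def _keystream(self, nonce: bytes, n: int) -> bytes:
        # Counter mode over HMAC(key, nonce || counter); a toy PRF keystream.
        out, ctr = b"", 0
        while len(out) < n:
            out += hmac.new(self.key, nonce + ctr.to_bytes(4, "big"), self.prf).digest()
            ctr += 1
        return out[:n]

    def seal(self, plaintext: bytes) -> bytes:
        # Encrypt-then-MAC: nonce || ciphertext || tag.
        nonce = os.urandom(12)
        ks = self._keystream(nonce, len(plaintext))
        ct = bytes(p ^ k for p, k in zip(plaintext, ks))
        tag = hmac.new(self.key, b"tag" + nonce + ct, self.prf).digest()
        return nonce + ct + tag

    def open(self, sealed: bytes) -> bytes:
        tag_len = hashlib.new(self.prf).digest_size
        nonce, ct, tag = sealed[:12], sealed[12:-tag_len], sealed[-tag_len:]
        expect = hmac.new(self.key, b"tag" + nonce + ct, self.prf).digest()
        if not hmac.compare_digest(tag, expect):
            raise ValueError(f"{self.name} tunnel: integrity check failed")
        ks = self._keystream(nonce, len(ct))
        return bytes(c ^ k for c, k in zip(ct, ks))


def send_dual_tunnel(payload: bytes, inner: Layer, outer: Layer) -> bytes:
    """EUD side: inner tunnel first, then the outer tunnel wraps the result."""
    return outer.seal(inner.seal(payload))


def outer_gateway_decapsulate(wire: bytes, outer: Layer) -> bytes:
    """Outer VPN gateway: strips only the outer layer. Its output is still
    inner-tunnel ciphertext, which is what the gray network carries."""
    return outer.open(wire)


def receive_dual_tunnel(wire: bytes, inner: Layer, outer: Layer) -> bytes:
    """Inner VPN gateway side: peel outer, then inner, to recover the data."""
    return inner.open(outer.open(wire))


def outer_compromise_reveals_payload(payload: bytes, inner: Layer, outer: Layer) -> bool:
    """Assume the outer key is known to the attacker: does peeling the outer
    layer expose the classified payload?"""
    return outer.open(send_dual_tunnel(payload, inner, outer)) == payload


def check_layer_independence(outer_proto: str, inner_proto: str,
                             outer_lib: str, inner_lib: str) -> list:
    """Return the constraints (from the MACP text quoted above) that a
    proposed outer/inner pairing violates; empty list means acceptable."""
    problems = []
    if outer_proto != "IPsec":
        problems.append("outer tunnel must be IPsec")
    if inner_proto not in ("IPsec", "TLS"):
        problems.append("inner tunnel must be IPsec or TLS")
    if outer_lib == inner_lib:
        problems.append("inner and outer tunnels must use different crypto libraries")
    return problems


if __name__ == "__main__":
    # Constructed sample keys and message; never reuse fixed keys in practice.
    inner = Layer("inner", os.urandom(32), "sha256")
    outer = Layer("outer", os.urandom(32), "sha512")
    msg = b"constructed classified sample message"
    wire = send_dual_tunnel(msg, inner, outer)
    print("outer gateway forwards plaintext?", outer_compromise_reveals_payload(msg, inner, outer))
    print("inner gateway recovers message?", receive_dual_tunnel(wire, inner, outer) == msg)
    print(check_layer_independence("TLS", "IPsec", "libA", "libA"))
```

Note that the outer gateway never needs, and must never hold, the inner key: its only job is to terminate the outer layer and hand the still-encrypted inner traffic to the inner gateway.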
Building your own CSfC solution involves careful consideration of many different requirements and issues, and the double VPN tunnel is no exception.
Before you start building an outer VPN tunnel, make sure to do your research and speak with potential vendors or CSfC integrators to find the product that’s right for your situation.
Are you looking for a robust, feature-rich, outer tunnel solution for your CSfC double VPN tunnel? Get in touch with the Archon team.
Archon’s GoSilent Cube is an enterprise-grade firewall and VPN product that has been NSA-certified for use as the outer tunnel component in CSfC mobile access solutions.