Leveraging secure commercial routing technology to protect data-in-motion

Story

August 04, 2020

Leveraging secure commercial routing technology to protect data-in-motion

By Mike Southworth, Curtiss-Wright

Protecting a military platform’s secret data-in-motion as it’s routed over an Ethernet-based IP network has become significantly easier, more affordable, and faster to deploy in recent years, thanks to U.S. National Security Agency (NSA) support of commercial encryption technologies.

Specifically, the NSA’s Information Assurance Directorate (IAD)’s Commercial Solutions for Classified (CSfC) program enables cost-effective commercial products to be used in layered solutions to protect National Security System (NSS) data classified as secret. This approach makes it far less burdensome to secure embedded network communications onboard an aircraft, vessel, or ground vehicle, since integrators can use a layered commercial solution based on public cryptography and secure protocol standards (as opposed to considering NSA Type 1 devices only).

In the last few years, the NSA replaced the Suite B algorithms – in use since 2005 for protecting classified and unclassified NSS – with new algorithms included in the Commercial National Security Algorithm Suite (CNSA Suite) as part of its plans for transitioning users to quantum-resistant algorithms.

CSfC requires the use of two encryption layers, which can be both hardware, both software, or a mix of the two. System integrators can select approved commercial components from the NSA Central Security Service (CSS) Components List (https://www.nsa.gov/resources/everyone/csfc/components-list/), which shows approved cybersecurity solutions, enabling system designers to speed their system development.

Originally, CSfC’s Manufacturer Diversity Requirements insisted system integrators select each of the two encryption layers from two separate vendors. That rule has been updated and now permits “single-manufacturer implementations of both layers,” under specified conditions when manufacturers can prove sufficient independence in the code base and cryptographic implementations of the products used to implement each layer.

To date, Cisco is the only supplier with data-in-motion products on the CSfC-approved components list that can be used to implement both the first and second layer of encryption to satisfy CSfC requirements. Pairing a secure Cisco router and Cisco firewall, each leveraging diverse code bases, can satisfy the requirement for two layers of security.

Cisco’s newest embedded router card, the ESR-6300, is currently undergoing rigorous testing and will obtain all appropriate certifications for military use cases later this year, including FIPS 140-2, Common Criteria and CSfC compliance. It provides support for next-generation encryption (NGE) and quantum computing resistant (QCR) algorithms such as AES-256, SHA-384, and SHA-512 CNSA encryption. Based on enterprise-grade Cisco IOS-XE software, it provides routing and switching security features for highly secure voice, video, and data communication. IOS-XE has been validated on other Cisco platforms for both Common Criteria and CSfC.

An example of a product that integrates Cisco’s ESR-6300 module and IOS-XE software is Curtiss-Wright’s rugged COTS Parvus DuraMAR 6300, a small-form-factor secure network router system housed in an chassis optimized for harsh military and civil vehicle/aircraft installations. (Figure 1.) Its miniature IP67-rated fanless enclosure features military-rated circular connectors and provides six GbE ports, including two routed (WAN) and four switched (LAN) interfaces, providing up to 10 times the routing/switching bandwidth and up to 20 times faster encrypted bandwidth than legacy Cisco ESR-5915-based routers. The unit also has new capabilities for Cisco IOx (IOS+Linux)- based edge computing services with optional SSD, USB, and serial interfaces to leverage onboard computing resources to analyze, secure, and share data from embedded Internet of Things (IoT) sensors.

[Figure 1 | Curtiss-Wright’s Parvus DuraMAR 6300 features Cisco’s ESR-6300 module and IOS-XE software to provide a small-form-factor secure network router system.]

In addition to network routers and firewalls, the CSfC list also includes MACSec devices, which provide strong Layer 2 cryptography for point-to-point authentication and encryption for Ethernet traffic between computers and switches on a local area network (LAN). IPsec [internet protocol security] is used to encrypt Layer 3 IP packets for WANs while MACSec encrypts Layer 2 Ethernet frames for LANs. MACSec support was added to the mainline Linux kernel (Kernel 4.6) in 2016, and its adoption is growing. Cisco’s ESS-3300 embedded services switch is a MACSec device that’s been validated for FIPS 140-2, Common Criteria, and CSfC.