FIPS 140-2 VPN National Architecture Solution for AWS East-West
By Jeremy Gibbons, Enterprise-Cloud Solutions Architect
Published on May 22, 2018
A common design element for an information system (IS) is to establish a VPN connection between a cloud environment and another external network, typically an on-premises corporate network. For modern security frameworks like NIST 800-53, this means satisfying FIPS 140-2 validated cryptographic module controls for the VPN connection in order to protect in-transit data, and to achieve or maintain an ATO or AOC.
-Diagram showing appliances configured in FIPS mode-
AWS provides a VPC VPN anchor called a Virtual Private Gateway (VGW). This gateway acts as the cloud VPN concentrator. However, VGW capabilities vary across regions. For example, GovCloud provides a FIPS 140-2 validated VGW anchor; however, in the East-West regions the VGW anchor is not FIPS validated.
To satisfy the security controls associated with the VPN connection in East or West regions, an organization can deploy a virtual cloud appliance. The appliance must support a FIPS validated cryptographic module and be configured to run in FIPS mode.
The following approach can help to select, validate, and enable the FIPS validated appliance modules. Selecting the right appliance for your architecture can help reduce the audit scope, time, cost, and business risks associated with not satisfying IA program high-value (no-go) controls.
Before adopting any architecture technologies or designs it is important to understand the impact they can have on an authorization system boundary, ATO, or AOC.
5-Step Appliance Selection Process
1. Select a potential appliance solution or vendor
2. Validate the appliance on the NIST Cryptographic Module Validation Program (CMVP) site
For example, Palo Alto PAN-OS 8.0.3 is Certificate No. 3144. Remember that certificates are validated and associated with specific software versions. This is important for the next step.
3. Confirm the appliance availability on the AWS Marketplace
Ensure the appliance offering on the AWS Marketplace aligns with the NIST certificate details. If not, contact the vendor for more options.
4. Select the version that aligns with the NIST certificate software versions
Alternatively, some vendors support Bring Your Own Licensing (BYOL) models that include appliance software version downgrade support and the ability to provide a known configuration baseline during the bootstrapping process.
5. Enable FIPS mode on the appliance
For example, enabling Palo Alto FIPS and Common Criteria (FIPS-CC) mode via the Maintenance Recovery Tool (MRT).
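Steps 2 through 4 come down to a go/no-go check: the Marketplace offering must name the same module and an exact software version that appears on the CMVP certificate. The following Python is an added example, not code from the article or from any vendor; Certificate No. 3144 and PAN-OS 8.0.3 are taken from the text, while the listing versions, the certificate status field and the record layout are constructed assumptions.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class CmvpCertificate:
    """One CMVP certificate record, as a practitioner would copy it from the NIST listing (assumed layout)."""
    number: int
    module: str
    versions: frozenset   # exact software versions named on the certificate
    status: str           # "Active" or "Historical" on the CMVP lists


def parse_version(v: str) -> tuple:
    """'8.0.3' -> (8, 0, 3). Comparison is exact: '8.0' must never match '8.0.3' by prefix."""
    return tuple(int(p) if p.isdigit() else p for p in v.strip().split("."))


def check_alignment(cert: CmvpCertificate, listing_module: str, listing_version: str) -> dict:
    """Decide whether a Marketplace listing aligns with the certificate (steps 2-4 of the process)."""
    reasons = []
    if listing_module.lower() != cert.module.lower():
        reasons.append(f"module mismatch: listing is {listing_module!r}, certificate names {cert.module!r}")
    certified = {parse_version(v) for v in cert.versions}
    if parse_version(listing_version) not in certified:
        reasons.append(f"version {listing_version} is not a certified version {sorted(cert.versions)}")
    if cert.status != "Active":
        # CMVP moves certificates to a Historical list; an assessor may not accept those for new systems.
        reasons.append(f"certificate #{cert.number} is on the {cert.status} list; re-check before relying on it")
    return {"go": not reasons, "reasons": reasons}


# Constructed sample data: only certificate 3144 / PAN-OS 8.0.3 come from the article.
CERT_3144 = CmvpCertificate(3144, "Palo Alto PAN-OS", frozenset({"8.0.3"}), "Active")
MARKETPLACE_LISTINGS = [
    ("Palo Alto PAN-OS", "8.0.3"),   # aligns with the certificate
    ("Palo Alto PAN-OS", "8.0.10"),  # constructed newer build, not on the certificate
    ("Palo Alto PAN-OS", "8.0"),     # truncated version string, must not match by prefix
]


def aligned_listings(cert: CmvpCertificate, listings) -> list:
    """Return only the (module, version) pairs that pass the alignment check."""
    return [l for l in listings if check_alignment(cert, *l)["go"]]


if __name__ == "__main__":
    for module, version in MARKETPLACE_LISTINGS:
        print(module, version, check_alignment(CERT_3144, module, version))
```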
By the end of step 5, the appliance is ready to be connected to the on-premises appliance, which should also be configured to run in FIPS mode. After establishing the VPN connection it’s important to understand that the system boundary has been extended from the cloud environment to include a portion of the external network.
To reduce the authorization system boundary, the best practice is to deploy a dual VPN DMZ solution to separate the broader cloud and corporate networks from one another. This technique also minimizes the likelihood of unintentionally including any out-of-scope corporate assets such as printers, phones, and other compute assets during a network inventory discovery scan. The final architecture below shows the system boundary and the two DMZs on either side of the VPN connection.
-Final Stage of FIPS VPN Connection with System Boundary-
The next step after selecting an appliance and enabling FIPS mode would be to wire the appliance up in the cloud environment. This process is beyond the scope of this high-level notional architecture and selection process. However, information for Palo Alto appliances and VPN tunnels can be found in the PAN-OS 8.0 documentation.
Jeremy Gibbons is a cybersecurity and compliance architect with 15+ years’ experience providing secure and compliant solutions for both Fortune 500 and Public Sector clients.