Virtual Private Networks (VPNs) used for the security of military communication are subject to far more stringent requirements than typical VPNs. There are also often a host of environmental factors and specific needs for your use case that should be weighed heavily when selecting the right military grade VPN for your communication solution.
Military grade VPN encryption requirements
Products that have achieved both NIAP and CSfC certifications will already have been certified to meet the encryption requirements of military grade VPNs, so you won’t have to do any additional research.
However, for informational purposes, the VPN protocols and VPN encryption requirements of all military grade VPNs include:
- CSNA: CNSA encryption is considered the military-grade or classified federal government standard. Components include Advanced Encryption Standard (AES) 256-bit end-to-end military grade encryption algorithm, the most secure solution in the marketplace. AES-256 is the first publicly accessible and open cipher approved by the NSA to protect information at a classified, top secret level.
- NIST algorithm verification: All military grade VPN products will have to go through a NIST verification of the encryption algorithms used to ensure they are up to standard.
Additional military grade VPN requirements
Following are some things to consider when selecting a VPN for military communications use cases.
All military grade VPNs will have to achieve NIAP certification before they can be used in any government system.
NIAP certification is a commercial cybersecurity product certification that is mandated by federal procurement requirements (CNSSP 11) for use in U.S. National Security Systems (NSS). Its primary purpose is to certify the security of commercial technology or products which will be used to handle sensitive data.
Once NIAP certification has been achieved, products will be listed on the NIAP Product Compliant List (PCL). You can learn more about the full process any VPN provider will have to go through in order to complete the NIAP certification process and gain entry to the NIAP PCL in this in-depth article.
NIAP certification alone is not enough for use in military grade communication systems.
The Commercial Solutions for Classified (CSfC) program was established to enable U.S. government agencies and their customers to take advantage of affordable and readily available commercial off-the shelf (COTS) IT solutions that meet the NSA’s stringent security guidelines for the transmission of classified data.
Getting CSfC approval is a rigorous process that ensures all products listed on the CSfC Approved Products List are fully qualified to protect up to top secret information.
You can search the CSfC components list in the VPN category to find all products that would be considered military grade VPN solutions.
Hardware vs software for military grade VPNs
We are often asked if hardware or software VPNs are a better fit for the security of military communication systems.
In this case, the answer is actually that you need both.
CSfC architecture requires the use of a dual VPN tunnel where each tunnel adheres to the VPN encryption standards above, ultimately supporting a double encrypted connection to transmit data.
It is possible to try and achieve this dual tunnel architecture with two software VPNs, but in practice, it is very difficult to stand up and maintain such an architecture.
Instead, what works best to create the dual tunnels is a dedicated outer secure VPN tunnel built with a hardware VPN, with the inner tunnel built on a software VPN service. This completely removes issues with interoperability, and in fact even alleviates the requirement for a retransmission device (a common requirement in Mobile Access Capability Package deployments).
Evaluating military grade VPNs
🔎 Related Articles: Hardware VPN Buyers Guide
Not all military grade VPNs are created equally, and there are a few additional things to consider when looking for the most effective solution for your needs.
Network connectivity options
You’ll have to consider the networks over which your chosen solution will need to transmit information.
Most military communication solutions need to be capable of adapting to changing circumstances, and may need to connect over satellite, cellular, Wi-Fi or other wired connections.
A VPN technology that obfuscates the endpoint devices (including their IP address) that are communicating, and works over various different connection mediums, will give you added versatility.
Executive communications kits, for instance, are commonplace within the Department of Defense (DoD) and consist of on-demand, secure command and control network communications meant to keep key leaders connected via voice, video, email and data from anywhere in the world.
Communications kits built for remote access generally support voice calls, built-in cellular and WiFi transport options, a USB port for laptop, mobile device, or additional devices and an integrated power supply. Some kits are designed and approved to send sensitive, unclassified information, whereas others may transport classified data, or both classified and unclassified data.
The most important requirements for any executive communications kits are:
- The ability to send and receive highly sensitive, classified communications via secure methods.
- Due to the size of comms kits, it is important that the solution for securing data transmission have a small form factor or SWaP (size, weight and power).
- The ability to communicate in highly mobile situations.
- Minimal set-up time, as these kits are often needed in immediate or emergency situations.
- The ability to send and receive communications in real-time.
- The ability to communicate securely, even over unsecure connections like a public internet connection.
Secure comms kits can contain built-in tech solutions such as:
- Satellite link
- Wifi hotspot
One solution that we developed for the DoD provided agency officials working in the field with secure, real-time communications access to their home base staff as well as to DoD colleagues operating in other parts of the world.
An executive communications kit, built from CSfC Approved components, creates a secure mobile workspace that is flexible enough to be set-up and taken down instantly. In addition, it is easy to scale this cost-effective solution to any number of remote decision makers or deployed teams.
Take a look, in more detail, at what some typical military communications kits we have helped build for clients have included to get an idea of what you might need.
Additionally, keep in mind that some communications kits can be retrofitted to work with much of your existing Type 1 equipment if you are looking to make a change during your next refresh cycle.
You will also have to think about existing or legacy infrastructure as you consider your military grade VPN options.
What software, hardware or network equipment will the VPN solution have to work within or support a connection for?
There is rarely an instance we’ve seen when building solutions for the military where you don’t have to make sure your VPN can work with some esoteric, legacy system.
Again, a hardware VPN helps you in this instance as it removes much of the interoperability concerns for you while providing the most secure connection.
With a hardware-based VPN, there is nothing to install, nothing that requires training, and nothing that requires maintaining updates on the devices operating over the VPN connection.
With the right hardware VPN, because no software is required on the end user devices, there is no concern about which versions of applications or operating systems are running on those devices.
By contrast, with a software-based solution, there are a whole host of those types of requirements to ensure the VPN can work correctly in the environment.
In addition, the network itself that the VPN needs to connect to may have numerous legacy systems within the environment.
A standards based VPN server-side software that is built to run as a virtual machine, meaning it is agnostic of your existing central network environment, operating systems or applications, provides the greatest flexibility.
Out-of-the-box security configuration
Many VPNs that are considered military-grade will require special licenses and a significant amount of effort and configuration to ensure they operate in the desired way.
There are a few reasons why you’ll want to identify and select a solution that is “military grade out of the box”:
- There will be less effort required to get your VPN up and running in the way you need it to.
- There is less risk of user error or misconfigurations that can cause your VPN to operate in a way that does not comply with the required certifications or encryption requirements.
On many VPNs, you’ll have at least 30 different settings you have to keep track of, or ensure are set correctly to get full protection.
Some VPN providers will find a way to simplify that list down to the minimum you need to do your job.
For instance, on our GoSilent VPN server management console, we’ve narrowed the number of settings you will need to tune down, and we’ve made it very easy to find and adjust those settings rather than burying them deep in the admin interface. The correct security and compliance settings for military use are also pre-configured out of the box.
You have plenty of resources you can use to find VPN solutions that are up to military standards, and you can easily peruse the CSfC component list and identify VPN solutions that are able to meet your security needs and deployment requirements.
The hard part is figuring out how to architect your final solution in a way that ensures it will still be CSfC approved. One of the areas where problems arise is when combining VPNs together and getting past interoperability requirements.
You can read our full CSfC Guide to learn more about building your solution for military communications.