gig 3.0 design factors - public intelligence · gig 3.0 •gig 2.0 promised an information...

This presentation and individual slides contain privileged information. Any unauthorized disclosure, distribution,

alteration or dissemination of the contents of this information for monetary gain is prohibited.

GIG 3.0 Design Factors

An Architecture Proposal for

Aligning NetOps to the Operational Chain of Command

This brief is classified:

UNCLASSIFIED

Mr. Randy CieslakCIO

U.S. Pacific Command

11 January 2011



Cyberspace Operational Requirements


UNCLASSIFIED

Brig Gen Brett Williams,

Director, C4 Systems Directorate

Mr. Randy CieslakChief Information Officer


12 November 2010

Geographic JOAs

Where is the CYBER JOA?

• REQUIREMENT: The JFC must C2 cyberspace operations in the

same way he executes C2 in the air, land and maritime domains.

• CONCERNS:

– JFCs lack the architecture, CONOPS, TTP, personnel, training,

tools, doctrine and policy for full spectrum cyber operations

– It’s all one big GIG, there is no Cyber JOA.‖

– The GIG was not built for operations.

– Sensors are not effectively focused on critical C2 services

– Type 1 encryption is not responsive to operational requirements

– Mission-Risk authority in cyberspace is currently held by CYBERCOM and the Services, not the JFC

5

Cyberspace is the only man made domain.

It can and must be shaped for the JFC to make

decisions, direct actions and accept risk in a way

that does not affect the rest of the GIG.

GIG 3.0

• GIG 2.0 promised an information advantage to the warfighter.

– It did not address the key issue of ―one big GIG‖

– It did not align the architecture to the chain of command.

• Components of GIG 3.0:

– Cyber JOA defined by an Operational Network Domain (OND)

– Enclaved architecture to enable defense in depth, information

sharing and agility

– Multi-enclave client for efficient information access

– Associated personnel, training, tools and TTP to C2 Cyberspace

Operations

6



DISN

DISA

Enterprise

Services

Theater

Application

Services

HUB

Common Clients, Single Enclave

HUB


Command

Client

Suite

Defense Enterprise

Operational Theater

Military

Service

Enterprise

Services

CYBERCOM/Services

Mission-Risk Authority

?

Current Architecture

Defense Enterprise

Operational Theater

CYBERCOM/Services


7

Characteristics of a Cyber JOA

• The Cyber JOA defines the friendly forces operational network

domain and is focused on the operate and defend mission.

• The Cyber JOA provides a platform for dynamic network defense

and facilitates CNA and CNE.

• The Cyber JOA is defined by the systems and networks critical for

Joint Force Command and Control

• The Cyber JOA is governed by existing doctrine and policy.

• The Cyber JOA allows the commander to:

– Sense the environment

– Make decisions

– Direct operations

– Assume risk

• The Cyber JOA requires CYBERCOM and the services to execute

their GIG wide responsibilities within the JOA.

8



DISN

DISA

Enterprise

Services

Theater

Application

Services

HUB


HUB


Command

Client

Suite

Defense Enterprise

Operational Theater

Joint Force Commander

is supported and has Mission-Risk authority

Military

Service

Enterprise

Services

CYBERCOM is supported and has


Defining the JFC’s ―Cyber JOA‖

Defense Enterprise

Operational Theater

Operational

Network

Domain

Dedicated Network

Domain Gateway

(DNDG)

Controlled Interface

9

Tenets of an Operational Network

• The network must be Commander Centric

– Commanders balance risk against mission in all domains except cyber

– An operational network addresses this issue by aligning NetOps to the Operational Chain of Command

– The GIG cannot be vulnerable to risk assumed by one commander

– The operational network must accommodate the scheme of maneuver

• Commanders must define the requirements for designing and building the Operational Network

• Commanders must have the authority and responsibility to operate and defend the operational network.

• Supported and supporting roles must be articulated

– Clear delineation between the responsibilities of the service components and the operational commander

– Clear definition of STRATCOM/CYBERCOM’s role to support the operational network while they Operate and Defend the GIG

10

Barriers to Operationalizing the Network

• It’s all one big GIG, there are no JOA boundaries in

cyberspace

• We are burdened by the costs and policy associated

with TYPE 1 encryption — works against flexibility,

adaptability and robustness needed to accommodate the

scheme of maneuver.

• Current culture and doctrine delegate OPCON of all

forces except Cyber forces to the Operational

Commander. Services and CYBERCOM retain network

authority and responsibility.

11

10 Propositions Regarding Cyberspace Operations(With acknowledgement to Phil Meilinger’s 10 Propositions Regarding Air Power)

1. The commander is responsible for cyberspace operations; he must C2 cyber just as he does the air, land and maritime domains.

2. C2 of cyberspace is the foundation for operational C2.

3. There are four lines of operation in cyber—operate, defend, attack and exploit, and defense is the dominant mission.

4. The commander must see and understand cyberspace to defend it and he cannot defend it all.

5. Cyberspace operations must be fully integrated with operations in the physical domains.

6. Our understanding of non-kinetic effects in cyber is immature.

7. Operational requirements drive cyber architecture, not the other way around.

8. Cyber is the only manmade domain--we built it, we can change it.

9. Operational impact is the relevant information, not number of megabytes exfiltrated.

10. Networks will always be critical and vulnerable--disconnecting is not an option, we must fight through the attack.

2 Nov 2010

Operationalizing the Network

• It’s all one big GIG, there are no JOA boundaries in cyberspace

• We are burdened by the costs and policy associated with TYPE 1 encryption — works against flexibility, adaptability and robustness needed to accommodate the scheme of maneuver.

• Current culture and doctrine delegate OPCON of all forces exceptCyber forces to the Operational Commander. Services and CYBERCOM retain network authority and responsibility.

Proposed solution:

Operational Network Domain (OND)

– Defines the ―Commander’s Cyberspace JOA‖

– Utilizes encryption techniques that give the Operational

Commander the capability to C2 Cyberspace

13



Fundamental Network Challenge

And

Proposed Solution

Agile Virtual Enclave (AVE)

Virtual Secure Enclave (VSE)


UNCLASSIFIED

Mr. Randy CieslakChief Information Officer


8 December 2010

Current Network Design—This needs to change

Sensitive Unclassified Networks

Secret NOFORN

Secret for Allies

SCI & SPECATs

?@#?!

User

KG

KGKG

KGKG

KGKG

KG

FWFW

CORE or

BACKPLANE

15

Virtual Secure Enclaves (VSE)

The foundation of the Operational Network Domain

• The Operational Network is built on IPsec-based VSE’s

• IPsec--Short for IP Security, a set of protocols to support secure

exchange of packets at the IP layer. IPsec has been deployed widely

to implement robust Virtual Private Networks (VPNs)

• IPsec provides a COTS/GOTS encryption capability that is certified

for up to SECRET data

• Advantages of IPsec over TYPE 1 encryption

– Reduces the Controlled Crypto ―overhead‖

– Allows visibility into network traffic to enable use of Network

Management Tools to execute QOS

– Simplifies adding and removing enclaves from the OND

– Potential to facilitate Computer Network Operations (CNO)

16

TYPE 1 without IPSec

HUB

HUB

HUB

Service

SIPRNETs

Coalition C2 Nets

IC NetworksIC Networks

IC Networks

Coalition C2 NetsCoalition C2 Nets

Coalition C2 Nets

HUB

HUB

HUB

HUB

HUB

HUB

Service

SIPRNETsHUB

Service

SIPRNETs

Each enclave is a separate network requiring it’s own

separate infrastructure

(It’s not this neat and orderly.)

17

Components of an IPSec Virtual Secure Enclave (VSE)

Network Enclave

Firewall Server Suite

Conventional

Client

Computer

Client

Services

VPN

Protected

Inter-Nodal

Network

(PIN) VPN

Counter-Denial

of Service (DOS)

Firewall

Service

Protection

Firewall

Protected

Inter-Nodal

Network

(PIN) VPN

Client

Services

VPN

Application

Service

Point (ASP)Customer

Service

Point (CSP)

Application Service Point (ASP) – Suite of servers dedicated to a single enclave to

provide application services. (e.g., Web, E-Mail, COP and the like)

Customer Service Point (CSP) – User interface to the enclave

Client Services VPN – Protects users’ data using NSA-certified IPSec encrytion.

(First layer of wrapping)

Protected Internodal Network (PIN) VPN – Protects the network from intra-enclave

threats such as malicious insiders, high-risk applications, or poor system hygiene.

ASP Firewalls – Protects the IPSec cypto from Denial-of-Service (DOS) attacks and

adds additional robustness required for cross-domain use of a common network

infrastructure by the application service.

Network Enclave – A protected network environment that contains a single

security domain (e.g., SECRET//REL USA)

IPSEC

VPN

Device

IPSEC

VPN

Device

Firewall

IPSEC

VPN

Device

IPSEC

VPN

Device

18

Components of an IPSec Virtual Secure Enclave (VSE)

Network Enclave

Firewall Server Suite

Conventional

Client

Computer

Client

Services

VPN

Protected

Inter-Nodal

Network

(PIN) VPN

Counter-Denial

of Service (DOS)

Firewall

Service

Protection

Firewall

Protected

Inter-Nodal

Network

(PIN) VPN

Client

Services

VPN

Application

Service

Point (ASP)Customer

Service

Point (CSP)

Application Service Point (ASP) – Suite of servers dedicated to a single enclave to

provide application services. (e.g., Web, E-Mail, COP and the like)

Customer Service Point (CSP) – User interface to the enclave

Client Services VPN – Protects users’ data using NSA-certified IPSec encrytion.

(First layer of wrapping)

Protected Internodal Network (PIN) VPN – Protects the network from intra-enclave

threats such as malicious insiders, high-risk applications, or poor system hygiene.

ASP Firewalls – Protects the IPSec cypto from Denial-of-Service (DOS) attacks and

adds additional robustness required for cross-domain use of a common network

infrastructure by the application service.

Network Enclave – A protected network environment that contains a single

security domain (e.g., SECRET//REL USA)

IPSEC

VPN

Device

IPSEC

VPN

Device

Firewall

IPSEC

VPN

Device

IPSEC

VPN

Device

NB 19

1. Establish a Perimeter for the OND

SIPR

SVC

unique

Coalitio

n C2 Net

HUB

HUB

Operational

Network

Domain20

2. Establish a Type 1 Perimeter for the Classified Enclaves

SIPR

SVC

unique

Coalitio

n C2 Net

Type 1 Perimeter

HUB

HUB

Operational

Network

Domain21

3. Establish an IPSec Tunnel for Enclave Client Services

SIPR

SVC

unique

Coalitio

n C2 Net

SIPRNET EnclaveHUBHUB

Client Services IPSec VPNHUB

Operational

Network

Domain22

SIPRNET Enclave

4. Establish an outer IPSec Tunnel for Network Protection

Called the Protected Inter-nodal Network (PIN)

SIPR

SVC

unique

Coalitio

n C2 Net

SIPRNET EnclaveHUB

PIN IPSec VPNHUB

Operational

Network

Domain

Enclave Operator Services IPSec VPN

23

5. Establish a controlled interface from the enterprise network

to the OND Enclave

SIPR

SVC

unique

Coalitio

n C2 Net

SIPRNET EnclaveHUB

DNGW

SIPR

HUB

Operational

Network

Domain24

6. Swing operational area services to the associated OND

enclave

SIPR

SVC

unique

SIPRNET EnclaveHUB

DNGW

SIPR

HUB

Coalitio

n C2 NetOperational

Network

Domain25

7. Repeat this process for internal operational networks

SIPR

SVC

unique

SIPRNET EnclaveHUB

DNGW

SIPR

HUB Coalition C2 Enclave

Operational

Network

Domain26

DNGW

IC

IC Enclave

8. Additional enclaves can be added as modules

SIPR

SVC

unique

HUB

DNGW

SIPR


Operational

Network

Domain

HUB

NIPR

SVC

unique

DNGW

NIPR

NIPRNET Enclave

HUB

IC

SIPRNET Enclave

27

Data CenterEnd User Site

Application

Service

Points

DEG

IC

IC Enclave

9. Configure and provide training to end-user-sites and Data

Centers accordingly

SIPR

SVC

unique

HUB

DEG

SIPR


Operational

Network

Domain

HUB

NIPR

SVC

unique

DEG

NIPR

NIPRNET Enclave

HUB

IC

SIPRNET Enclave

28


Application

Service

Points

DNGW

IC

IC Enclave

10. Take advantage of Multi-Enclave Clients from Agile Virtual

Enclave (AVE) Project

SIPR

SVC

unique

DNGW

SIPR

Coalition C2 Enclave

NIPR

SVC

unique

DNGW

NIPR

NIPRNET Enclave

IC

SIPRNET EnclaveHUB

Multi-

Enclave

Clients

Operational

Network

Domain29


DNGW

IC

IC Enclave

11. Take advantage of cross-domain gateways and guards to

move information between enclaves (e.g., Trusted Network

Environment (TNE))SIPR

SVC

unique

DNGW

SIPR


NIPR

SVC

unique

DNGW

NIPR

NIPRNET Enclave

IC

SIPRNET Enclave

AVE-Enabled

HUB

Multi-

Enclave

Clients

Operational

Network

Domain

To move

info across

domains

Cross

Domain

Gateway

30


DNGW

IC

IC Enclave

12. Monitor and Control the OND

SIPR

SVC

unique


NIPR

SVC

unique

IC

SIPRNET Enclave

AVE-Enabled

HUB

Multi-

Enclave

Clients

Operational

Network

Domain

Cross

Domain

Gateway

Control of:

Risks / Capabilities / Performance / Resources

Network Operations & Security Center

Dynamic Computer

Network Defense

RISK

LEVEL

UTILITYPRIORITYCAPACITY

Quality of Service

Common

Operational

Picture

DNGW

NIPR

NIPRNET Enclave

DNGW

SIPR

31

Network

Operations Center


DNGW

IC

IC Enclave

OND-related Areas of Responsibility

SIPR

SVC

unique

DNGW

SIPR


NIPR

SVC

unique

DNGW

NIPR

NIPRNET Enclave

IC

SIPRNET Enclave

AVE-Enabled

HUB

Multi-

Enclave

Clients

Operational

Network

Domain

Cross

Domain

Gateway

Supporting Service/Agency

Responsibility

Supported Operational Command

Responsibility32



Operational Network Domains (OND) and

Security Domain Enclaves

through the

Classified Military Network

(CMILNet)


UNCLASSIFIED



29 June 2010

33

Technical Challenges

• Challenge #1: Creation of Agile Virtual Enclaves (AVEs),

which are networked security domains that allow reuse of the

same network infrastructure from the client through the

network cloud.

• Challenge #2: Creation of Operational Network Domains

(ONDs) with sufficient strength of separation to support

different risk jurisdictions within each AVE.

– Virtual Secure Enclaves (VSEs) are the instantiation of

AVEs within the OND.

• Challenge #3: Creation of a ―black core capable‖ DISN

designed to create Agile Virtual Enclaves (AVEs) to enable

Virtual Secure Enclaves within Operational Network Domains

(ONDs)

– Must accommodate more than NIPRNET, SIPRNET, and

JWICS34

Solution Toolkit – Network Virtualization

• Performance-based Virtualization

– Multi-Protocol Layered Switching (MPLS)

– Generic Routing Encapsulation (GRE)

– Virtual Local Area Networks (VLAN)

• Security-based Virtualization a.k.a. Virtual

Private Networks (VPNs)

– High Assurance Internet Protocol Encryption

(HAIPE)

– Internet Protocol Security (IPSec)

– Transport Layer Security (TLS)

Use these

for ONDs

Use this for

AVEs and

VSEs

Solution must employ both types of

virtualization, together, to optimize capability,

security and performance.35

Technical Solutions

• Challenge #1: Creation of Agile Virtual Enclaves (AVEs), which are

networked security domains that allow reuse of the same network

infrastructure from the client through the network cloud

• Solution #1: Employ rigorously tested IPSec implemented in

accordance with NSA standards

• Challenge #2: Creation of Operational Network Domains (ONDs) with

sufficient strength of separation to support different risk jurisdictions within

each AVE.

• Solution #2: Employ Intrusion Protection System (IPS) – based

firewalls with access controls and service filters

• Challenge #3: Creation of a ―black core capable‖ DISN designed to create

Agile Virtual Enclaves (AVEs) to enable Virtual Secure Enclaves within

Operational Network Domains (ONDs).

• Solution #3: Employ a next-generation network strategy that

accommodates solutions 1 and 2 as a fourth enterprise network

domain using MPLS-based domain techniques and IPv6 improving

upon how SIPRNET and NIPRNET is done on the DISN

GIG 3.036

CMILNet - Black

CENTRIXS-SGP

Why We Need a Black Core CMILNet

Today’s Network – The Singapore Case

CMILNet Black Core

PH

HH

H

Packet

PH

Packet

Payload

efficiency

Low = Poor

Performance

High = Good

Performance

CENTRIXS-SGP

CENTRIXS-CMFPCENTRIXS-GCTFSIPRNETNIPRNET / Internet

CENTRIXS-GCTF

CENTRIXS-CMFP

NIPRNET

Internet

SIPRNET

P

H

HH

H

H P

HH

37

Global Enterprise OND Concept – Today’s State

DSN DRSN DVS-GJWICSNIPRNET SIPRNET

P

UPE CPE

DISN Backbone

UPE – Unclassified Premise Equipment

CPE – Classified Premise Equipment

P – Premise Equipment

38

Global Enterprise OND Concept – Today’s State

JWICSNIPRNET SIPRNET

P

UPE CPE

DISN Backbone




39

Global Enterprise OND Concept – Near Term?


P

UPE CPE

DISN Backbone

BPE




BPE – Black Premise Equipment

Extremely useful in the creation of CMILNet

Common Mission Network Transport

(CMNT) 40

Global Enterprise OND ConceptDISN Backbone


P

CU

Nav

yN

IPR

NE

T

Arm

yN

IPR

NE

T

Mari

ne C

orp

sN

IPR

NE

T

Air

Fo

rce

NIP

RN

ET

Ag

en

cy’s

NIP

RN

ET

Nav

yS

IPR

NE

T

Arm

yS

IPR

NE

T

Mari

ne C

orp

sS

IPR

NE

T

Air

Fo

rce

SIP

RN

ET

Ag

en

cy’s

SIP

RN

ET

DO

DIIS

NS

A N

et

NG

A N

et

Etc

B

CENTCOM

AMN

OND Dedicated Network

Gateway for the

CENTCOM Afghan

Mission Network

41

Global Enterprise OND ConceptDISN Backbone


P

CU

Nav

yN

IPR

NE

T

Arm

yN

IPR

NE

T

Mari

ne C

orp

sN

IPR

NE

T

Air

Fo

rce

NIP

RN

ET

Ag

en

cy’s

NIP

RN

ET

Nav

yS

IPR

NE

T

Arm

yS

IPR

NE

T

Mari

ne C

orp

sS

IPR

NE

T

Air

Fo

rce

SIP

RN

ET

Ag

en

cy’s

SIP

RN

ET

DO

DIIS

NS

A N

et

NG

A N

et

Etc

B

CENTCOM

AMN

OND

CMFC

GCTF

ISAF

MNFI

CCER

TNE

Agency

Air Force

Navy

Marines

Army

Agency

Air Force

Navy

Marines

Army

Internet Internet

Logical

Connections

Actual Connections

42

CENTCOM

AMN

OND

PACOM

Theater

OND

Global Enterprise OND Concept

DISN Backbone

JWICS

DO

DIIS

NS

A N

et

NG

A N

et

Etc

NIPRNET

Nav

yN

IPR

NE

T

Arm

yN

IPR

NE

T

Mari

ne C

orp

sN

IPR

NE

T

Air

Fo

rce

NIP

RN

ET

Ag

en

cy’s

NIP

RN

ET

SIPRNET

Nav

yS

IPR

NE

T

Arm

yS

IPR

NE

T

Mari

ne C

orp

sS

IPR

NE

T

Air

Fo

rce

SIP

RN

ET

Ag

en

cy’s

SIP

RN

ET

Agency

P

CUB

Air Force

Navy

Marines

Army

Agency

Air Force

Navy

Marines

Army

Agency

Air Force

Navy

Marines

Army

Agency

Air Force

Navy

Marines

Army

Internet InternetInternet

CCER

TNE

CCER

TNE

CMFC

GCTF

ISAF

MNFI

CMFP

GCTF

KOR

JPN

Logical

Connections

Actual Connections

EUCOM

Theater

OND

AgencyAgency

Air ForceAir Force

NavyNavy

MarinesMarines

ArmyArmy

AgencyAgency

Air ForceAir Force

NavyNavy

MarinesMarines

ArmyArmy

InternetInternet

CCER

TNE

NATONATO

GCTFGCTF

FRAFRA

ITAITA

AFRICOM

Theater

OND

Agency

Air Force

Navy

Marines

Army

Agency

Air Force

Navy

Marines

Army

Internet

CCER

TNE

NATO

GCTF

FVEY

SAF

AFRICOM

Theater

OND

AgencyAgency

Air ForceAir Force

NavyNavy

MarinesMarines

ArmyArmy

AgencyAgency

Air ForceAir Force

NavyNavy

MarinesMarines

ArmyArmy

InternetInternet

CCER

TNE

NATONATO

GCTFGCTF

FVEYFVEY

SAFSAF

NORTHCOM

Theater

OND

Agency

Air Force

Navy

Marines

Army

Agency

Air Force

Navy

Marines

Army

Internet

CCER

TNE

FEMA

GCTF

FVEY

CAN

NORTHCOM

Theater

OND

AgencyAgency

Air ForceAir Force

NavyNavy

MarinesMarines

ArmyArmy

AgencyAgency

Air ForceAir Force

NavyNavy

MarinesMarines

ArmyArmy

InternetInternet

CCER

TNE

FEMAFEMA

GCTFGCTF

FVEYFVEY

CANCAN

SOUTHCOM

Theater

OND

Agency

Air Force

Navy

Marines

Army

Agency

Air Force

Navy

Marines

Army

Internet

CCER

TNE

MLEC

GCTF

COL

MEX

SOUTHCOM

Theater

OND

AgencyAgency

Air ForceAir Force

NavyNavy

MarinesMarines

ArmyArmy

AgencyAgency

Air ForceAir Force

NavyNavy

MarinesMarines

ArmyArmy

InternetInternet

CCER

TNE

MLECMLEC

GCTFGCTF

COLCOL

MEXMEX

43

CENTCOM

AMN

OND

PACOM

Theater

OND


DISN Backbone

JWICS

DO

DIIS

NS

A N

et

NG

A N

et

Etc

NIPRNET

Nav

yN

IPR

NE

T

Arm

yN

IPR

NE

T

Mari

ne C

orp

sN

IPR

NE

T

Air

Fo

rce

NIP

RN

ET

Ag

en

cy’s

NIP

RN

ET

SIPRNET

Nav

yS

IPR

NE

T

Arm

yS

IPR

NE

T

Mari

ne C

orp

sS

IPR

NE

T

Air

Fo

rce

SIP

RN

ET

Ag

en

cy’s

SIP

RN

ET

Agency

P

CUB

Air Force

Navy

Marines

Army

Agency

Air Force

Navy

Marines

Army

Agency

Air Force

Navy

Marines

Army

Agency

Air Force

Navy

Marines

Army

Internet InternetInternet

CCE

R

TNE

CCE

R

TNE

CMFC

GCTF

ISAF

MNFI

CMFP

GCTF

KOR

JPN

Logical

Connections

Actual Connections

EUCOM

Theater

OND

AgencyAgency

Air ForceAir Force

NavyNavy

MarinesMarines

ArmyArmy

AgencyAgency

Air ForceAir Force

NavyNavy

MarinesMarines

ArmyArmy

InternetInternet

CCER

TNE

NATONATO

GCTFGCTF

FRAFRA

ITAITA

AFRICOM

Theater

OND

Agency

Air Force

Navy

Marines

Army

Agency

Air Force

Navy

Marines

Army

Internet

CCER

TNE

NATO

GCTF

FVEY

SAF

AFRICOM

Theater

OND

AgencyAgency

Air ForceAir Force

NavyNavy

MarinesMarines

ArmyArmy

AgencyAgency

Air ForceAir Force

NavyNavy

MarinesMarines

ArmyArmy

InternetInternet

CCER

TNE

NATONATO

GCTFGCTF

FVEYFVEY

SAFSAF

NORTHCOM

Theater

OND

Agency

Air Force

Navy

Marines

Army

Agency

Air Force

Navy

Marines

Army

Internet

CCER

TNE

FEMA

GCTF

FVEY

CAN

NORTHCOM

Theater

OND

AgencyAgency

Air ForceAir Force

NavyNavy

MarinesMarines

ArmyArmy

AgencyAgency

Air ForceAir Force

NavyNavy

MarinesMarines

ArmyArmy

InternetInternet

CCER

TNE

FEMAFEMA

GCTFGCTF

FVEYFVEY

CANCAN

SOUTHCOM

Theater

OND

Agency

Air Force

Navy

Marines

Army

Agency

Air Force

Navy

Marines

Army

Internet

CCER

TNE

MLEC

GCTF

COL

MEX

SOUTHCOM

Theater

OND

AgencyAgency

Air ForceAir Force

NavyNavy

MarinesMarines

ArmyArmy

AgencyAgency

Air ForceAir Force

NavyNavy

MarinesMarines

ArmyArmy

InternetInternet

CCER

TNE

MLECMLEC

GCTFGCTF

COLCOL

MEXMEX

MILNet

(GIG 3.0)

44


DISN Backbone

DO

DII

S

NS

A N

et

NG

A N

et

Etc

Nav

yN

IPR

NE

T

Arm

yN

IPR

NE

T

Mari

ne C

orp

sN

IPR

NE

T

Air

Fo

rce

NIP

RN

ET

Ag

en

cy’s

NIP

RN

ET

Nav

yS

IPR

NE

T

Arm

yS

IPR

NE

T

Mari

ne C

orp

sS

IPR

NE

T

Air

Fo

rce

SIP

RN

ET

Ag

en

cy’s

SIP

RN

ET

P

CU B

EU

CO

MO

ND

s

CE

NT

CO

M

ON

Ds

PA

CO

MO

ND

s

AF

RIC

OM

ON

Ds

NO

RT

HC

OM

ON

Ds

SO

UT

HC

OM

ON

Ds

GIG 3.0 / MILNETJWICSNIPRNET SIPRNET

45



PACOM

OND

SIPRNET

NIPRNET

CMFP

GCTF

ACGU

FVEY

Internet

CDCI

HADR

MOBILITY

HLD/LE

S-VSE

NORTHCOM

OND

SIPRNET

NIPRNET

CMFP

GCTF

ACGU

FVEY

Internet

CDCI

S-VSE

HADR

MOBILITY

HLD/LE

CENTCOM

OND

SIPRNET

NIPRNET

CNFC

GCTF

AMN

FVEY

Internet

CDCI

HADR

MOBILITY

HLD/LE

S-VSE

AFRICOM

OND

SIPRNET

NIPRNET

CMFA

GCTF

ACGU

FVEY

Internet

CDCI

HADR

MOBILITY

HLD/LE

S-VSE

EUCOM

OND

SIPRNET

NIPRNET

NATO

GCTF

ACGU

FVEY

Internet

CDCI

HADR

MOBILITY

HLD/LE

S-VSE

SOUTHCOM

OND

SIPRNET

NIPRNET

MLEC

GCTF

ACGU

FVEY

Internet

CDCI

S-VSE

HADR

MOBILITY

HLD/LE

SMILNet

.smil.mil

(SIPRNET)

CMILNet

.cmil.mil

(CENTRIXS)

Inter-Agency

Networks

.gov / .net

MILNet

.mil

(NIPRNET)IAP

Internet

OND VSEVSE

VSEVSEVSEs

Dedicated Network Domain Gateway (DNDG)

Dedicated Network Enclave Gateways (DNEG)

CDCI Cross Domain Controlled Interface

DISN Internet Access PointIAP

DISN Backbone

(Black Core)

S-VSEYellow Highlight:

Primary C2 Network (PCN)

S-VSE – Standby VSEAMN – Afghan Mission Network



US Forces

Korea

OND

SIPRNET

NIPRNET

UNCK

KOR

Internet

CDCI

PACOM

OND

SIPRNET

NIPRNET

CMFP

GCTF

ACGU

FVEY

Internet

CDCI

HADR

MOBILITY

HLD/LE

S-VSE

SMILNet

.smil.mil

(SIPRNET)

CMILNet

.cmil.mil

(CENTRIXS)

Inter-Agency

Networks

.gov / .net

MILNet

.mil

(NIPRNET)IAP

Internet

OND VSEVSE

VSEVSEVSEs





DISN Backbone

(Black Core)






US Forces

Korea

OND

SIPRNET

NIPRNET

UNCK

KOR

Internet

CDCI

SMILNet

.smil.mil

(SIPRNET)

CMILNet

.cmil.mil

(CENTRIXS)

Inter-Agency

Networks

.gov / .net

MILNet

.mil

(NIPRNET)IAP

Internet

OND VSEVSE

VSEVSEVSEs





DISN Backbone

(Black Core)






DISN Backbone

MILNet

.mil

(NIPRNET)

SMILNet

.smil.mil

(SIPRNET)

GBR

AUS

CAN

KOR

NZL

THA

PHI

SIPRNET

NIPRNET

UNCK

KOR

Internet

CDCI

CMILNet

.cmil.mil

(CENTRIXS)IAP

Internet

Dedicated Network Domain Gateway (DDG)

Dedicated Network Enclave Gateway (DEG)

Dedicated Network Gateways (DNG)



Co

alitio

n L

ink

s

Logical Connections

Actual Connections

Multilateral Enclaves

UNCK – United Nations Command Korea

Country Codes

AUS – Australia

BEL – Belgium

COL – Columbia

DNK – Denmark

FRA – France

GRC - Greece

GBR – United Kingdom of Great Britain

KOR – Republic of South Korea

NLD - Netherlands

NZL – New Zealand

NOR - Norway

PHI – Philippines

THA –Thailand

BEL

COL

DNK

FRA

GRC

NLD

NOR

U.S. Forces Korea

(USFK)

Operational Network

Domain (OND)

“Korea Mission

Network” (KMN)

Client Command

(e.g., Osan)

Client Command

(e.g., Taegu)

Client Command

(e.g., Yongsan)

Application

Service

Point

(ASP)

Multi-

Enclave

Client

(MEC)

KM

N B

ackb

on

e

KOR

Primary C2 Network



DISN Backbone

MILNet

.mil

(NIPRNET)

SMILNet

.smil.mil

(SIPRNET)

GBR

AUS

CAN

KOR

NZL

THA

PHI

SIPRNET

NIPRNET

UNCK

KOR

Internet

CDCI

CMILNet

.cmil.mil

(CENTRIXS)IAP

Internet

Dedicated Network Domain Gateway (DDG)

Dedicated Network Enclave Gateway (DEG)

Dedicated Network Gateways (DNG)



Co

alitio

n L

ink

s

Logical Connections

Actual Connections

Multilateral Enclaves

UNCK – United Nations Command Korea

Country Codes

AUS – Australia

BEL – Belgium

COL – Columbia

DNK – Denmark

FRA – France

GRC - Greece

GBR – United Kingdom of Great Britain

KOR – Republic of South Korea

NLD - Netherlands

NZL – New Zealand

NOR - Norway

PHI – Philippines

THA –Thailand

BEL

COL

DNK

FRA

GRC

NLD

NOR

U.S. Forces Korea

(USFK)

Operational Network

Domain (OND)

“Korea Mission

Network” (KMN)

Client Command

(e.g., Osan)

Client Command

(e.g., Taegu)

Client Command

(e.g., Yongsan)

Application

Service

Point

(ASP)

Multi-

Enclave

Client

(MEC)

KM

N B

ackb

on

e

KOR

Primary C2 Network

CDCI

Selected GIG 3.0 Components to Show On the Next

Slide – Geographic Topology for CENTRIXS-KOR

51

KOR

CDCI

CDCI

Client Command

(e.g., Osan)

KOR

CMILNet

.cmil.mil

(CENTRIXS)


alteration or dissemination of the contents of this information for monetary gain is prohibited.52

DISN Link Partner Link

DESP PNSP

ENI PNI

CNI ANI

DNEG

NDSN

GIG 3.0 Interface ComponentsInternal to a single security enclave

Cross-

Domain Link

CDCI

System Component View

ASP – Application Service Point

ANI – Application Network Interface

CNI – Client Network Interface

CDCI – Cross-Domain Controlled Interface

CDSP – Cross-Domain Service Point

CSP – Customer Service Point

DESP – Defense Enterprise Service Point

Acronyms

DNEG – Dedicated Network Enclave Gateway

DNN – Domain Network Node

ENI – Enterprise Network Interface

NDSN – Network Domain Service Node

NSP – Network Service Point

PNI – Partner Network Interface

PNSP – Partner Network Service Point

CDSP

DNN

ASPCSP

KOR

CDCI

CDCI

Client Command

(e.g., Osan)

KOR

CMILNet

.cmil.mil

(CENTRIXS)

System Design View

GIG 3.0 Interface, Enclave and Service Point Definitions

• ASP – Application Service Point

– Server suite and software that provides application programs

to the user.

– Examples: Microsoft Exchange Server, Apache Web Server

• ANI – Application Network Interface

– Network router or switch that connects the ASP to the network

• AVE – Agile Virtual Enclave

– IPSec-based Virtual Private Network (VPN) that provides

robust protection of an information sharing enclave across the

enterprise. Each CENTRIXS network can be implemented on

the same network infrastructure using AVEs.

• CNI – Client Network Interface

– VSE IPSec crypto and network router or switch that connects

the ASP to the Client VPN. Is the ASP interface for the MECs.

• CDCI – Cross-Domain Controlled Interface

– High assurance filter and guard that provides for a controlled

transfer of information between enclaves. (e.g., between

CENTRIXS-KOR and CENTRIXS-UNCK)

• CDSP – Cross-Domain Service Point

– Relative to one enclave (e.g., CENTRIXS-KOR), the service

point providing information from another domain (e.g.,

CENTRIXS-UNCK)

– Examples: Trusted Network Environment (TNE), Joint Cross

Domain Exchange System (JCDX).

• CSP – Customer Service Point

– Client point of presence to the network. Best serviced by a

single MEC. Today CSPs consist of multiple client computer,

each dedicated to a single networked enclave.

– In this context CSPs are serviced by MECs.

• DNDG – Dedicated Network Domain Gateway

– Generic reference to the set of DNEGs that form the perimeter

of an OND.

• DESP – Defense Enterprise Service Point

– ASP(s) that are in the DISN external to the OND.

– Examples: DISA DECC, Air Force NOSC.

53

• DNEG – Dedicated Network Enclave Gateway

– Controlled interfaces with firewalls (access control system, information

protection system) that separates selected network services and

activities between the external networks (e.g., DISN or coalition

partner) and the OND.

– Contains ENIs and PNIs.

• DNN – Domain Network Node

– Router / switch with control and monitoring that interconnects sites,

interfaces, network assets, clients, servers and network checkpoints

across the GIG 3.0 infrastructure..

• ENI – Enterprise Network Interface

– VSE IPSec crypto, firewall (access control system, information

protection system) and network router or switch that connects the

DESP to the OND VSE.

• NDSN – Network Domain Service Node

– Major node on the OND that includes the ANI, DN and/or CNI

providing information capability to the OND.

• NSP – Network Service Point

– Point of presence for monitoring, control, configuration and

maintenance of network devices.

• OND – Operational Network Domain

– Network infrastructure bounded by a parameter of DNDGs that contain

VSEs

• PNI – Partner Network Interface

– High assurance filter and guard that provides for a controlled transfer

of information between the USA’s partner network (e.g., CENTRIXS)

and the coalition partner’s ASP – called a PNSP.

• PNSP – Partner Network Service Point

– Server suite and/or network interface owned and operated by a

coalition partner designated to provide information services to the USA

enclave (e.g., CENTRIXS.)

• VSE – Virtual Secure Enclave

– Specific instantiation of an AVE within an OND or for situations when a

higher assurance protected network domain is needed within a less

trusted network.

– A VSE is a AVE aligned within an OND guarded by a controlled

interface (DNEG).




DESP PNSP

ENI PNI

CNI ANI

DNEG

NDSN


Cross-

Domain Link

CDCI









Acronyms








CDSP

DNN

ASPCSP

KOR

CDCI

CDCI

Client Command

(e.g., Osan)

KOR

CMILNet

.cmil.mil

(CENTRIXS)

System Design View

USFK Geo Depiction of the CENTRIXS-KOR VSE

55

USFK Geo Depiction of the Korea Theater Black

Core

56

Common Mission Network

Transport(CMNT)

Example Korea System Topology

57

Camp Casey Osan Camp Humphreys Kunsan

Yongsan Camp Walker Chinhae

REL KOR

REL KOR

REL KOR

REL KOR

REL UNCK

ROK

PNSP

ROK

PNSP

AUS

PNSPBEL

PNSP

CAN

PNSP

DISN Edge Transport Services (DETS)

―Black Core‖

REL KOR

Common Mission Network Transport (CMNT)

58



REL KOR

REL KOR

REL KOR

REL KOR

REL UNCK

ROK

PNSP

ROK

PNSP

AUS

PNSPBEL

PNSP

CAN

PNSP


―Black Core‖


―Black Core‖

DISN Edge Transport Services ―black core‖


GIG 3.0 CMILNet / SMILNet / MILNet ―brown core‖

59



REL KOR

REL KOR

REL KOR

REL KOR

REL UNCK

ROK

PNSP

ROK

PNSP

AUS

PNSPBEL

PNSP

CAN

PNSP


―Black Core‖

60



REL KOR

REL KOR

REL KOR

REL KOR

REL UNCK

ROK

PNSP

ROK

PNSP

AUS

PNSPBEL

PNSP

CAN

PNSP


―Black Core‖

REL KOR

REL KOR

REL KOR

REL KORROK

PNSP

REL KOR

ROK

PNSP

CENTRIXS-KOR

Camp Casey Osan Camp Humphreys


61



REL KOR

REL KOR

REL KOR

REL KOR

REL UNCK

ROK

PNSP

ROK

PNSP

AUS

PNSPBEL

PNSP

CAN

PNSP


―Black Core‖

ROK

PNSP

ROK

PNSP

CENTRIXS-UNCK

AUS

PNSPBEL

PNSP

CAN

PNSP

REL UNCK

Camp Casey Osan Camp Humphreys




ANI

DNN

62


DESP PNSP

ENI PNI

CNI ANI

DNEG

NDSN


Cross-

Domain Link

CDCI









Acronyms








PNIPNSP

DESP ENI

ASP

CNI CSP

DN

EG

ND

SN

CDSP

Block Diagram View

DNN

NSP

ASPCSP

CD

CI

For Governance

GIG 3.0 Network Layers

63

PA

CO

M

CE

NT

CO

M

NO

RT

HC

OM

SO

UT

HC

OM

EU

CO

M

AF

RIC

OM

TR

AN

SC

OM

ST

RA

TC

OM

SO

CO

M

JF

CO

M

PA

CO

M

CE

NT

CO

M

NO

RT

HC

OM

SO

UT

HC

OM

EU

CO

M

AF

RIC

OM

TR

AN

SC

OM

ST

RA

TC

OM

SO

CO

M

JF

CO

M

PA

CO

M

CE

NT

CO

M

NO

RT

HC

OM

SO

UT

HC

OM

EU

CO

M

AF

RIC

OM

TR

AN

SC

OM

ST

RA

TC

OM

SO

CO

M

JF

CO

M

PA

CO

M

CE

NT

CO

M

NO

RT

HC

OM

SO

UT

HC

OM

EU

CO

M

AF

RIC

OM

TR

AN

SC

OM

ST

RA

TC

OM

SO

CO

M

JF

CO

M

PA

CO

M

CE

NT

CO

M

NO

RT

HC

OM

SO

UT

HC

OM

EU

CO

M

AF

RIC

OM

TR

AN

SC

OM

ST

RA

TC

OM

SO

CO

M

JF

CO

M


“black core”

Global Cyberspace Telecommunications Transport

UNCLAS USA

―NIPRNet‖ AVE

SECRET//USA Only

―SIPRNet‖ AVESECRET//REL ACGU

AVE

.smil.mil .cmil.mil.mil

SECRET//REL ACGU

CMILNET

“classified brown core”

MILNET

“unclassified brown core”

Type 1 separation (e.g., HAIPE)

―Type 2‖ separation (e.g., IPSec)

―Type 3‖ separation (e.g., Firewall & TLS/SSL)

PACOM Internet

PACOM NIPRNET

PACOM SIPRNET

PACOM REL ACGU

PACOM REL ...PACOM OND

PACOM VSEs

PACOM MEC

AVE

AVE – Agile Virtual Enclave

DETS – DISN Edge Transport Service

HAIPE – High Assurance IP Encryption

.net / .org

UNCLAS

Internet

Enclave

IP – Internet Protocol

IPSec – IP Security

MEC – Multi Enclave Client

OND – Operational Network Domain

SSL – Secure Socket Layer

TLS – Transport Layer Security

VSE – Virtual Secure Enclave

1

1

2

2

3

3

4

4

5

5




GIG 3.0

VPN Enclave Control

&

User Client Cases


UNCLASSIFIED



25 Octover 2010

CMILNet VPN and Client Components for Enclave

Protection

• Transport VPN (Type 1 / HAIPE)

• Transit VPN

• Protected Internodal Network

• Client Service VPN

Virtual Private Networks (VPNs)

User Client Workstations (UCWS)

• Common Conventional

• Virtual Secure Enclave (VSE) Enabled

• Agile Trusted Multi Enclave (ATME)

R

Transit

IPSec VPN

Client

IPSec VPN

R

PIN

IPSec VPN

R

Transit

IPSec VPN

Client

IPSec VPN

R

PIN

IPSec VPN

CMILNet VPN and Client Services

R

Transport

HAIPE VPN

NIPRNE

T

SIPRNE

T

Service

Unique

Network

Transit

IPSec VPNTransit

IPSec VPN

Transit

IPSec VPN

HUB

R

HUB

Client Svc

IPSec VPN

R

PIN

IPSec VPN

R

Transit

IPSec VPN

Client Svc

IPSec VPN

R

PIN

IPSec VPNTransport

HAIPE VPNTransport

HAIPE VPN

Transport

HAIPE VPN

Transport

HAIPE VPN

PIN

IPSec VPN

Transport

HAIPE VPN

Common Conventional Clients VSE-Enabled Clients

(IPSec Enabled)

HUB

R

PIN

IPSec VPN

Transport

HAIPE VPN

ATME-Enabled Clients

(E.g., NetTop 2.2, HAP)

R

Operational

Network

Domain

R

Transit

IPSec VPN

Client

IPSec VPN

R

PIN

IPSec VPN

R

Transit

IPSec VPN

Client

IPSec VPN

R

PIN

IPSec VPN

CMILNet In Action: Transport Encryption

R

Transport

HAIPE VPN

NIPRNE

T

SIPRNE

T

Service

Unique

Network

Transit

IPSec VPNTransit

IPSec VPN

Transit

IPSec VPN

HUB

R

HUB

Client Svc

IPSec VPN

R

PIN

IPSec VPN

R

Transit

IPSec VPN

Client Svc

IPSec VPN

R

PIN

IPSec VPNTransport

HAIPE VPNTransport

HAIPE VPN

Transport

HAIPE VPN

Transport

HAIPE VPN

PIN

IPSec VPN

Transport

HAIPE VPN


(IPSec Enabled)

HUB

R

PIN

IPSec VPN

Transport

HAIPE VPN



R

Operational

Network

Domain

R

Transit

IPSec VPN

Client

IPSec VPN

R

PIN

IPSec VPN

R

Transit

IPSec VPN

Client

IPSec VPN

R

PIN

IPSec VPN

CMILNet In Action: Transit VPNs

R

Transport

HAIPE VPN

NIPRNE

T

SIPRNE

T

Service

Unique

Network

Transit

IPSec VPNTransit

IPSec VPN

Transit

IPSec VPN

HUB

R

HUB

Client Svc

IPSec VPN

R

PIN

IPSec VPN

R

Transit

IPSec VPN

Client Svc

IPSec VPN

R

PIN

IPSec VPNTransport

HAIPE VPNTransport

HAIPE VPN

Transport

HAIPE VPN

Transport

HAIPE VPN

PIN

IPSec VPN

Transport

HAIPE VPN


(IPSec Enabled)

HUB

R

PIN

IPSec VPN

Transport

HAIPE VPN



R

Operational

Network

Domain

These are ―backside‖

connections that

interconnect servers

and network gateways.

R

Transit

IPSec VPN

Client

IPSec VPN

R

PIN

IPSec VPN

R

Transit

IPSec VPN

Client

IPSec VPN

R

PIN

IPSec VPN

CMILNet In Action: Protected Inter-nodal

Networks (PIN) VPNs

R

Transport

HAIPE VPN

NIPRNE

T

SIPRNE

T

Service

Unique

Network

Transit

IPSec VPNTransit

IPSec VPN

Transit

IPSec VPN

HUB

R

HUB

Client Svc

IPSec VPN

R

PIN

IPSec VPN

R

Transit

IPSec VPN

Client Svc

IPSec VPN

R

PIN

IPSec VPNTransport

HAIPE VPNTransport

HAIPE VPN

Transport

HAIPE VPN

Transport

HAIPE VPN

PIN

IPSec VPN

Transport

HAIPE VPN


(IPSec Enabled)

HUB

R

PIN

IPSec VPN

Transport

HAIPE VPN



R

Operational

Network

Domain

PIN

IPSec VPN

PIN

IPSec VPNPIN

IPSec VPN

PIN

IPSec VPN

R

Transit

IPSec VPN

Client

IPSec VPN

R

PIN

IPSec VPN

R

Transit

IPSec VPN

Client

IPSec VPN

R

PIN

IPSec VPN

CMILNet In Action: Client Services VPNs

R

Transport

HAIPE VPN

NIPRNE

T

SIPRNE

T

Service

Unique

Network

Transit

IPSec VPNTransit

IPSec VPN

Transit

IPSec VPN

HUB

R

HUB

Client Svc

IPSec VPN

R

PIN

IPSec VPN

R

Transit

IPSec VPN

Client Svc

IPSec VPN

R

PIN

IPSec VPNTransport

HAIPE VPNTransport

HAIPE VPN

Transport

HAIPE VPN

Transport

HAIPE VPN

PIN

IPSec VPN

Transport

HAIPE VPN


(IPSec Enabled)

HUB

R

PIN

IPSec VPN

Transport

HAIPE VPN



R

Operational

Network

Domain

Client Svc

IPSec VPN

Client Svc

IPSec VPN

Network Operations CenterOND Network Operations

NIPRNE

T

SIPRNE

T

Service

Unique

Network

Transit

IPSec VPNTransit

IPSec VPN

Transit

IPSec VPN

HUB

R

HUB

Client Svc

IPSec VPN

R

PIN

IPSec VPN

Transport

HAIPE VPNTransport

HAIPE VPN

Transport

HAIPE VPN

Transport

HAIPE VPN

PIN

IPSec VPN

Transport

HAIPE VPN


(IPSec Enabled)

HUB

R

PIN

IPSec VPN

Transport

HAIPE VPN



Transport

HAIPE VPN

R

Transit

IPSec VPN

Client Svc

IPSec VPN

R

PIN

IPSec VPN

R Transport

HAIPE VPN

Application Service

Center

Dynamic Computer

Network Defense

RISK

LEVEL

Operational

Network

Domain


Quality of Service

Risk vs. Capability vs. Performance

vs. Resource

Decisions

MadeCommon

Operational

Picture


DNGW

IC

IC Enclave

Questions?

SIPR

SVC

unique


NIPR

SVC

unique

IC

SIPRNET Enclave

AVE-Enabled

HUB

Multi-

Enclave

Clients

Operational

Network

Domain

Cross

Domain

Gateway

Control of:



Dynamic Computer

Network Defense

RISK

LEVEL


Quality of Service

Common

Operational

Picture

DNGW

NIPR

NIPRNET Enclave

DNGW

SIPR

72

0.OND_Switchboard.ppt



Agile Virtual Enclaves (AVE) Version 1.2 / 1.3

―Multi Enclave Client‖

(MEC)


UNCLASSIFIED

Randy Cieslak

Chief Information Officer

Jim Fordice

Referentia, Inc.

29 June 2010

How We Build Networks in Cyberspace Today

Sensitive Unclassified Networks

Secret NOFORN

Secret for Allies

SCI & SPECATs

?@#?!

User

KG

KGKG

KGKG

KGKG

KG

FWFW

74


DNGW

IC

IC Enclave

Multi Enclave Clients

SIPR

SVC

unique


NIPR

SVC

unique

IC

SIPRNET Enclave

AVE-Enabled

HUB

Multi-

Enclave

Clients

Operational

Network

Domain

Cross

Domain

Gateway

Control of:



Dynamic Computer

Network Defense

RISK

LEVEL


Quality of Service

Common

Operational

Picture

DNGW

NIPR

NIPRNET Enclave

DNGW

SIPR

Multi Enclave

Clients

75

0.OND_Switchboard.ppt

MEC Candidates Assessed

• Multi-Level Thin Client (MLTC) 3.0

• DoDIIS Trusted Workstation (DTW) 4.0

• Network on a Desktop (NetTop)

• Secure Office Thin Client (SOTTC)

• Trusted Multi-Net (TMN)

• High Assurance Platform (HAP)

• Trusted Virtual Environment (TVE)

Solution CandidatePerformance

ScoreKey

Characteristic

10

17

2926

22

37

29

Dedicated Infrastructure

Modular / Single-Wire

Multi-Wire

Multi-Wire




• Dedicated infrastructure normally means single vendor and often

proprietary

• Multi-Wire means that each network enclave requires its own

physical network link

• Modular / Single Wire means standards-based. As long as COTS or

GOTS products meet the standard and are tested (UCDMO baseline)

they can be used. 76

MEC Candidate Selected

• Network on a Desktop (NetTop)

Solution Candidate

Performance

ScoreKey

Characteristics

29 Modular / Single-Wire

`

ACE Terminal Managed Switch VPN Concentrator Firewall Citrix Server

Network A

Network B

• MEC Terminal: NetTop 1.3.2 (Version 2.2 under NSA review)

• Managed Switch: Cisco Catalyst 2960

• VPN Concentrator: Cisco ASA 5510

• Firewall: McAfee Sidewinder 410F

• Terminal Services Server: Citrix

MEC

77



MEC User Terminal View – AVE 1.2

NIPR

NIPR

K

J

VSE

SIPR

K

V

S

E

J

SI

PR

CENTRIXS

Classified

Networks

CLASSIFIED

UNCLASSIFIED

Unclassified

Networks

INTER-

NET

Inter-

Net

AVE 1.2 is based on NetTop 1.3.2

78

MEC based on AVE 1.2 On The UCDMO Baseline

Cross Domain Baseline

V 3.4.0

18 June 2010

79



MEC User Terminal View – AVE 1.3

NIPR

NIPR

K

J

VSE

SIPR

K

V

S

E

J

SI

PR

CENTRIXS

Classified

Networks

CLASSIFIED

UNCLASSIFIED

Unclassified

Networks

INTER-

NET

Inter-

Net Agile Virtual Enclave (AVE)

• Includes a Second Wire for

Unclassified Enclaves

• Implemented at USPACOM HQ

AVE 1.3 is based on NetTop 2.2

80



AVE Certification & Accreditation

• AVE 1.2 (COMTHIRDFLT)

– DSAWG approved ATC

– Navy ODAA approved ATO

– Approved for UCDMO Baseline v3.4.0 update - June 2010

• AVE 1.3 (HQ USPACOM)

– Demo approved by DSAWG

– USPACOM DAA approved IATT

– NSA has completed AVE 1.3 CT&E

• Evaluating results of NSA testing– Next step is CDTAB/DSAWG to approve use of the technology

– Long term plan is to submit for UCDMO Baseline

81



Underlying Virtual Machines (AVE 1.3)

ACE Terminal

COI 1

VM

COI 2

VM

COI N

VM

VPN VPN VPN

NIC 1

Classified

Connection

COI 1

VM

COI 2

VM

COI N

VM

VPN VPN VPN

NIC 2

Unclassified

Connection

AVE MEC

82

Enclaves for the USPACOM MEC

Network Start Menu Name

USA USA ThickACGU ACGU Thin

JPN JPN Thin

JPN JPN Thick

KOR KOR Thin

SIPR SIPR Thick

GCTF GCTF Thin

VSE SIPR VSE Thin

APAN APAN

CMFP CMFP Thin

FVEY FVEY Thin

NIPR NIPR Thin

SGP SGP Thin

UNCK UNCK Thin

SECRET//REL KOR

SECRET//REL JPN

SECRET//REL UNCK

UNCLASSIFIED

SECRET

SECRET//REL GCTF

SECRET

Classification Marking

SECRET

SECRET//REL ACGU

SECRET//REL JPN

SECRET//REL CMFP

SECRET//REL FVEY

NIPRNET UNCLASSIFIED//FOUO

SECRET//REL SGP

14 Virtual Machines:

•2 UNCLAS, 12 SECRET

•4 Thick, 10 Thin83


DNGW

IC

IC Enclave

Multi-Enclave Clients

SIPR

SVC

unique


NIPR

SVC

unique

IC

SIPRNET Enclave

AVE-Enabled

HUB

Multi-

Enclave

Clients

Operational

Network

Domain

Cross

Domain

Gateway

Control of:



Dynamic Computer

Network Defense

RISK

LEVEL


Quality of Service

Common

Operational

Picture

DNGW

NIPR

NIPRNET Enclave

DNGW

SIPR

85

GIG 3.0

Design Approach

Randy Cieslak


Chief Information Officer

19 November 2010

Confluence of Concerns & Solutions (1 of 2)

• CONCERN 1

– We need to use the same infrastructure to create network enclaves to replace

the expensive and cumbersome CENTRIXS networks

• SOLUTION: Agile Coalition Environment

* Adaptive Cyber Environment (ACE)

• CONCERN 2

– We need to create defendable network enclaves to fight through cyber attacks

that have left our main networks vulnerable

• SOLUTION: Computer Aided Network Defense in Depth (CANDID)

• CONCERN 3

– We need to create network zones that will permit operational commanders to

manage their own risk to their own mission

• SOLUTION: Cyber Joint Operational Area (JOA) formed by Operational

Network Domains (OND)

• CONCERN 4

– We need tactics, techniques and procedures to surveil, control and operate this

new network environment

• SOLUTION: Joint Cyber Operations (JCO) Joint Test & Evaluation (JT&E)

Confluence of Concerns & Solutions (2 of 2)

• CONCERN 5

– We need a means to safely and securely move authorized information between

enclaves and a simple way to access enclaves not normally used

• SOLUTION: Combined Enterprise Regional Information Exchange System

(CENTRIXS) Cross Enclave Requirement (CCER)

• CONCERN 6

– We need to understand and display network and information system activities,

determine the associated mission risk and provide associated decision support

displays

• SOLUTION: Joint Warfighting Integrated Network Operations (NETOPS)

(JWIN) Joint Concept Technical Demonstration (JCTD)

• CONCERN 7

– We need to take advantage of current and planned network initiatives that

―almost‖ take advantage of modern network technology methods and steer

them to an effective, coherent, consistent overarching approach.

• SOLUTIONS:

– ASIA-PACIFIC Intelligence Network (APIN)

Integrating the Solutions: ―GIG 3.0‖

ACE:

Agile Coalition Environment

Adaptive Cyber Environment

CANDID JCTD:

Computer-Aided Networked

Defense-In-Depth

Cyber JOA:

Operational Network

Domains (OND) Global Information Grid

Version 3.0

―GIG 3.0‖

JCO JT&E:

Operational Network

Domains (OND)

CCER

CENTRIXS Cross Enclave

Requirement

JWIN

Joint Warfighting Integrated

Network Operations (NETOPS)

APIN

Asia-Pacific Intelligence

Network

Integrating the Solutions: ―GIG 3.0‖

ACE:

Agile Coalition Environment

Adaptive Cyber Environment

CANDID JCTD:

Computer-Aided Networked

Defense-In-Depth

Cyber JOA:

Operational Network

Domains (OND)

Global Information Grid

Version 3.0

―GIG 3.0‖

JCO JT&E:

Operational Network

Domains (OND)

CCER

CENTRIXS Cross Enclave

Requirement

JWIN

Joint Warfighting Integrated

Network Operations (NETOPS)

APIN

Asia-Pacific Intelligence

Network

Exercise Schedule

FY11

Q1 Q3Q2 Q4

TF11

FY12

Q1 Q3Q2 Q4

TF12VS11 VS12

Building GIG 3.0 – A Two-Phase ApproachPhases to be done concurrently

• Phase 1: Build a agile information infrastructure that:

– Compartmentalizes the network to enforce information

protection and control policies

– Compartmentalizes the network to separate risk-postures

between the enterprise and the commander’s mission area

– Leverages and reuses common infrastructure to support

compartmentalization

– Provides controlled interfaces into and between the

compartments

– Provides access controls and minimizes customer service

points

• Phase 2: Control, instrument and conceal the network to:

– Monitor and control the interfaces for optimal performance

– Detect sources of intrusion and react accordingly

– Determine and display the level of associated risk to the mission

– Posture network appearance to maintain information dominance

Phase 1:

Agile, Compartmented Information Infrastructure

Primary Design Driver – Agile Virtual Enclaves (AVE)Adopted from ACE

93

AVE

AVE

AVE

AVE

AVE

AVE

Associated Projects / Efforts

AVE

IPSec – Internet Protocol Security

IPv6 – Internet Protocol Version 6

IKE – Internet Key Exchange

Naming convention

IP Addressing

DCSP – Differential Code Service Point

DNS – Domain Naming Service


SIPRNET

CENTRIXS - ABC

CENTRIXS - XYZ

Internet

NIPRNET

Intranets

IPSec Provides Sufficient

Strength of Separation.

But classified networks

need a protected

environment.

This design feature technologically enforces

information classification, release, exposure and

disclosure policies.

Foundation for the AVEs:

Defense Information Systems Network (DISN)

Common Mission Network Transport (CMNT)Internet Protocol (IP) – Based Telecommunication Services

AVE

AVE

AVE

AVE

AVE

AVE

SIPRNET

CENTRIXS - ABC

CENTRIXS - XYZ

Internet

NIPRNET

Intranets


(CMNT)

“black core”


CMNT (black core) – Common Msn Net Trans.

MPLS – Multi-Protocol Layered Switching


IPv6

Naming convention

IP Addressing

DNS

DNN

Provides the wide area

network to deploy and

extend AVEs worldwide.

Employs a separate

MPLS from SIPRNET,

NIPRNET, JWICS

Because it forms the foundation or core of

the network and almost all traffic is

encrypted it is referred to as a “black core”

AVEs drive the design

requirements of the CMNT

Provides both QOS and VPNs.

Employing both rigid transport security (TRANSEC)

(―black traffic‖) with enclave security (―brown traffic‖)


(CMNT)

“black core”

• Exposed data is “red”

• Encrypted data is “black”

• Traffic that is de-encrypted at the black core is “red” to the black core, but still “black” to the customer service point.

• Hence – the Agile Virtual Enclaves are a combination of red and black, or “brown.”

AVE

AVE

AVE

AVE Environment “brown core”

AVE

AVE

AVE

UNCLASSIFIED

CLASSIFIED


AVE (brown core)




Naming convention

IP Addressing




VSE – Virtual Secure Enclaves

PINS – Protected Inter-nodal Network

ENIs - Enterprise Network Interface

PNIs - Partner Network Interface

ANIs – Application Network Interface

CNIs – Client Network Interface

CMNT (black core) – Common Msn Net Trans.



IPv6

Naming convention

IP Addressing

DNS

DNN

SIPRNET

CENTRIXS - ABC

CENTRIXS - XYZ

Internet

NIPRNET

Intranets

Implement Multi-Enclave Clients (MECs) to access the multiple

enclaves from a single Customer Service Point (CSP)


(CMNT)

“black core”

AVE

AVE

AVE


AVE

AVE

AVE

UNCLASSIFIED

CLASSIFIED

SIPRNET

CENTRIXS - ABC

CENTRIXS - XYZ

Internet

NIPRNET

Intranets


(MECs) Associated Projects / Efforts

AVE (brown core)




Naming convention

IP Addressing










CMNT (black core) – Common Msn Net Transport



IPv6

Naming convention

IP Addressing

DNS

DNN

MEC

NetTop – ―Network on a Desktop‖

For organizations and commands that must operate in multiple security

domains, MECs reduce workstation area, improve information access and

improve maintainability and security through virtualization.

Implement Operational Network Domains (ONDs)Intra-Enclave Controlled Interfaces To Contain Application and Configuration Risk within a

Commander’s Area of Responsibility


(CMNT)

“black core”

AVE

AVE

AVE


AVE

AVE

AVE

UNCLASSIFIED

CLASSIFIED


(MECs)

OND OND OND

CLASSIFIED

VSE

VSE

VSE

VSE

VSE

VSE

VSE

VSE

VSE

VSE

VSE

VSE

VSE

VSE

VSE

VSE

VSE

VSE


AVE (brown core)




Naming convention

IP Addressing













IPv6

Naming convention

IP Addressing

DNS

DNN

MEC

NetTop – “Network on a Desktop”

OND (Cyber JOA)

ENIs

PNIs

ANIs

CNIs

Enables “Cyber JOAs.” Solves the “risk assumed by one is a risk

assumed by all” dilemma. Allows commanders to take risk against

their own mission in their own operational area – as is true for all the

other domains.


AVE (brown core)




Naming convention

IP Addressing













IPv6

Naming convention

IP Addressing

DNS

DNN

MEC


OND (Cyber JOA)

ENIs

PNIs

ANIs

CNIs


CCER – CENTRIXS Cross Enclave Req’t

Implement Cross-Domain Controlled Interfaces (CDCI) to safely move

authorized information across security domains


(CMNT)

“black core”

AVE

AVE

AVE


AVE

AVE

AVE

UNCLASSIFIED

CLASSIFIED


(MECs)

OND OND OND

CLASSIFIED

VSE

VSE

VSE

VSE

VSE

VSE

VSE

VSE

VSE

VSE

VSE

VSE

VSE

VSE

VSE

VSE

VSE

VSE

Satisfies the CENTRIXS Cross Enclave Requirement

(CCER). Currently done by Trusted Network Environment

(TNE).

CDCI

CDCI

CDCI

GIG 3.0 Building Blocks – Phase 1 Summary

99

AVE

AVE

AVE


(CMNT)

“black core”


AVE


(MECs)

AVE

AVE

OND OND OND

UNCLASSIFIED

CLASSIFIED

CDCI

CDCI

VSE

VSE

VSE

VSE

VSE

VSE

VSE

VSE

VSE

VSE

VSE

VSE

VSE

VSE

VSE

VSE

VSE

VSE

CDCI


AVE (brown core)




Naming convention

IP Addressing













IPv6

Naming convention

IP Addressing

DNS

DNN

MEC


OND (Cyber JOA)

ENIs

PNIs

ANIs

CNIs


CCER – CENTRIXS Cross Enclave Req’t

Phase 2:

Control, Instrument and Conceal the Information

Infrastructure

Instrument the network with sensors at strategic points

101

AVE

AVE

AVE


(CMNT)

“black core”


AVE


(MECs)

AVE

AVE

OND OND OND

UNCLASSIFIED

CLASSIFIED

CDCI

CDCI

VSE

VSE

VSE

VSE

VSE

VSE

VSE

VSE

VSE

VSE

VSE

VSE

VSE

VSE

VSE

VSE

VSE

VSE

CDCI

((o)) ((o)) ((o)) ((o))

((o)) ((o)) ((o)) ((o))

((o)) ((o)) ((o)) ((o))

((o)) ((o)) ((o)) ((o))

((o)) ((o)) ((o)) ((o))

((o)) ((o)) ((o)) ((o))

((o))

((o))

((o))((o))

((o))((o))

((o))

((o))

Feed network

awareness system

and risk-based

decision support

systems

RISK

Provide network control and quality of service tools

102

AVE

AVE

AVE


(CMNT)

“black core”


AVE


(MECs)

AVE

AVE

OND OND OND

UNCLASSIFIED

CLASSIFIED

CDCI

CDCI

VSE

VSE

VSE

VSE

VSE

VSE

VSE

VSE

VSE

VSE

VSE

VSE

VSE

VSE

VSE

VSE

VSE

VSE

CDCI

((o)) ((o)) ((o)) ((o))

((o)) ((o)) ((o)) ((o))

((o)) ((o)) ((o)) ((o))

((o)) ((o)) ((o)) ((o))

((o)) ((o)) ((o)) ((o))

((o)) ((o)) ((o)) ((o))

((o))

((o))

((o))((o))

((o))((o))

((o))

((o))

Monitor and control

traffic precedence

based on both

Virtual Private

Networking and

Quality of Service

Develop concealment tools, techniques and procedures

103

AVE

AVE

AVE


(CMNT)

“black core”


AVE


(MECs)

AVE

AVE

OND OND OND

UNCLASSIFIED

CLASSIFIED

CDCI

CDCI

VSE

VSE

VSE

VSE

VSE

VSE

VSE

VSE

VSE

VSE

VSE

VSE

VSE

VSE

VSE

VSE

VSE

VSE

CDCI

System visibility

and access is

controlled

GIG 3.0 Building Blocks – Phase 2 Summary

AVE

AVE

AVE


(CMNT)

“black core”


AVE


(MECs)

AVE

AVE

OND OND OND

UNCLASSIFIED

CLASSIFIED

CDCI

CDCI

VSE

VSE

VSE

VSE

VSE

VSE

VSE

VSE

VSE

VSE

VSE

VSE

VSE

VSE

VSE

VSE

VSE

VSE

CDCI

((o)) ((o)) ((o)) ((o))

((o)) ((o)) ((o)) ((o))

((o)) ((o)) ((o)) ((o))

((o)) ((o)) ((o)) ((o))

((o)) ((o)) ((o)) ((o))

((o)) ((o)) ((o)) ((o))

((o))

((o))

((o))((o))

((o))((o))

((o))

((o))

Cyberspace

Control

Situation Awareness

Concealment

GIG 3.0

Design Approach

Questions / Discussion



GIG 3.0

Governance


UNCLASSIFIED



25 October 2010



RESERVEDCOALITION

ARESERVEDDISN

Operational

Network

Domain

Dedicated

Network

Domain

Gateway

Dedicated

Network

Enclave

Gateway

(DNEG)

Conventional Site Conventional Site Agile Virtual

Enclave (AVE)

Enabled Site

Agile Virtual

Enclave (AVE)

Enabled Site

Future Agile

Virtual Enclave

(AVE)

Capability

Network Operations Center




Enclave (AVE)

Enabled Site

Agile Virtual

Enclave (AVE)

Enabled Site

Future Agile

Virtual Enclave

(AVE)

Capability

108

Operational Network Domain

Network Operations Center




Enclave (AVE)

Enabled Site

Agile Virtual

Enclave (AVE)

Enabled Site

Future Agile

Virtual Enclave

(AVE)

Capability

109


Network

Operations

Center




Enclave (AVE)

Enabled Site

Agile Virtual

Enclave (AVE)

Enabled Site

Future Agile

Virtual Enclave

(AVE)

Capability

110


Network

Operations

Center

ENCLAVE A

ENCLAVE B

ENCLAVE C

CDS/MDS CONFIGURATIONS

CDS/MDS = Cross Domain System / Multi-Domain System



Net O

ps

Cen

ter

Co

mm

an

d A

Co

mm

an

d B

Co

mm

an

d C

Ne

t Op

s C

en

ter

Co

mm

an

d D

Co

mm

an

d E

Co

mm

an

d F

Net O

ps

Cen

ter

Co

mm

an

d G

Co

mm

an

d H

Co

mm

an

d I

111

EUCOM ONDDOD Enterprise CENTCOM OND PACOM OND

ENCLAVE A

ENCLAVE B

ENCLAVE C

CDS CONFIG

COMMON

INFRASTRUCTURE




CDS

CONFIG

Command

Risk

Authority

Command

Risk

Authority

Information

Domain Control

Authority

Information

Domain Control

Authority

Information

Domain Control

Authority

Information

Domain Control

Authority

Command

Risk

Authority

Virtual

Secure

Enclaves

(VSEs)

ENCLAVE

A

ENCLAVE

B

ENCLAVE

C

DN

EG

DN

EG

DN

EG

DN

EG

DN

EG

DN

EG

DN

EG

DN

EG

DN

EG

COMMON

INFRASTRUCTURE




CDS

CONFIG

OND

Risk

Authority

OND

Risk

Authority

Information

Domain Control

Authority

Information

Domain Control

Authority

Information

Domain Control

Authority

Information

Domain Control

Authority

OND

Risk

Authority

Virtual

Secure

Enclaves

(VSEs)

ENCLAVE

A

ENCLAVE

B

ENCLAVE

C

DN

EG

DN

EG

DN

EG

DN

EG

DN

EG

DN

EG

DN

EG

DN

EG

DN

EG

MOA

MOA

MOA

MOA MOA

MOA

MOA

ATOATO ATO

COMMON

INFRASTRUCTURE

gig 3.0 design factors - public intelligence · gig 3.0 •gig 2.0 promised an information...

Documents