introduction and objectives

IETV : INTEROPERABILITY EXPERIMENTATION, TESTING AND VALIDATION CAPABILITY

© NATO Consultation, Command and Control Agency, 2009. http://www.nc3a.nato.int For additional information contact : [email protected]

Introduction and Objectives

How will the IETV be used during SFCE 09?

The IETV will be used to validate a nationally-provided (CIS) system (LCC-HQ –NRF-13 (GBR) and LCC-HQ-NRF-14 (DNK) in support of NRF-13/14.

To resolve an outstanding IO issue implementing a deployable secure cross-domain gateway for MIP-DEM data function to allow automated information exchange between a national-secret system (provided by 1GNC) and the NATO secret system (JCOP), in compliance with applicable INFOSEC regulations.

To experiment a future interoperability enhancement, by testing Secure Voice Gateway between national-secret system (provided by 1GNC) and the NATO secret network.

To support the SFCE09 test plan with automation of testing functions, allowing multiple tests to be conducted in few minutes, without operator’s involvement and with automated integration with SFCE09 data base.

What is the IETV?The IETV (Interoperability Experimentation, Testing and Validation) is a tool in support of (CIS) systems certification,

interoperability enhancement and experimentation for multinational, NATO-led expeditionary operations.

Where is the IETV?The IETV has a deployable footprint, which provides basic on-site

(deployed) representative interfaces and gateways.Then, connects through any (NATO or not) WAN to the static part of the

IETV, which groups most NC3A test beds and laboratories.

What makes up the IETV?The IETV Capability is made-up of four essential components:

- Processes- Supporting Documentation- A (HW/SW) test bed- Know-how

Which CIS functions does the IETV cover?The IETV covers CIS interfaces (with the national systems),

transmission, bandwidth management, voice/video/VTC services, information exchange, network services, core IS services, functional services, information assurance and management.

What can it be used for?The IETV Capability can be used to:

- Validate nationally-provided CIS- Support the Commander with the certification of the Unit- Develop new applications and technologies- Experiment and test new CIS concepts and applications



The IETV Architecture

A generic architecture based on a functional analysis. Comprises all relevant CIS functions in the Deployable CIS for a NATO expeditionary mission. Allows maximum modularity and re-use of existing test beds and labs at NC3A.

The modular design allows deploying only those elements which are essential to provide local, identical interfaces and services. This is called the deployable footprint of the IETV.

The most complex systems stays at the static part of the IETV, in The Hague, along with the on-site expertise and know-how. This optimizes availability of the test bed and reduces the cost of deployment. National facilities can join the IETV as needed.

In 2009, an extended (includes some information systems) deployable footprint of the IETV can be seen at SFCE 09 Exercise

Network Services

Information Exchange Mechanisms (Examples)

Core Services

Information Assurance Services

Functional Services

Interfaces

Circuit-Switched (CS)

Foundation Services

Identity Mgmt

Specialized Data Services

Data Exchange and Interoperability

DirectoryE-mail Web

CollaborationFile Sharing CollaborationFile Sharing

FileE-mail Socket Database

IP LAN (NS) IntrusionDetection

Reference Systems

IP LAN (MS)

IP LAN (NU)

Information Exchange Services

Military Messaging

Authentication

Virus Protection

Import/Export ReplicationSerial FeedImport/Export

NATOGateway and Guard

NATOC2 Applications

National C2Applications

Packet-Switched (PS)

Time-Division Multiplexing (TDM)

BandwidthManagement

Function(BMF)

TRANSMISSION

NATOGateway and Guard

Voice/Fax/Telex/Video/VTC

SwitchConference

Unit

User terminal Equipment

Deployed NATO CISDeployed NATO-Nation CIS

Deployed Coalition-Nation CISLocal Authorities

NGO’s

CORE SERVICES

INFORMATION ASSURANCE

INFORMATIONEXCHANGE

INFORMATION ASSURANCE

INTE

RFA

CES

NETWORKSERVICES

VOICE/VIDEO

BANDWIDTHMANAGEMENT

TRANSMISSION

Nationally-provided systems to validate, test and experiment

EXPERIMENTS

Deployable Point of Presence (dPoP)

Interface with Nations Module (INM)

Micro information Systems Module ( µISM)

To static IETV coreinfrastructure

at NC3A (The Hague)



CIS Validation using the IETV

DESCRIPTION OFUNIT’S CIS

ANALYSIS

PREPARE SPECIFIC TEST PLAN

PREPARE SUPPORTING DOCUMENTS(HANDBOOKS, TEMPLATES, etc.)

TESTSUCCESS

?

Validated CIS

N

Y

TESTING

NATO TECHNICALCIS CRITERIA

<><>

CHANGES

IETV TEST BED

CHANGES &MITIGATIONS

Assessmentresults

Y

N

VERIFICATION ASSESSMENT

Architectures, know-how,

best practices

Verif

icat

ion

Unit-Level Assessment

OK?

The CIS Validation process (left) departs from a nationally assessed systems, and uses verification to determine compliance with NATO DCIS requirements.

Results from verification are subject to a verification assessment process (right), which aims to explain which are the interoperability issues, how to mitigate them, and consequences of not doing so.

VERI

FIC

ATIO

NVE

RIF

ICAT

ION

ASSE

SSM

ENT

Compliant (C)requirements

TECHNICALCRITERIA

“ANALYSIS”REQUIREMENTS

“INSPECTION”REQUIREMENTS

“TEST”REQUIREMENTS

UNIT’sDESIGN

<><><>SUFFICIENTINFO?

SUFFICIENTINFO?

“SIMPLE” TESTCASES<><><>

Available know-howAvailable venue/test

assets

“Covered”requirements

“Non-Covered”requirements

SPECIFIC TESTCASES

TESTINGTESTINGSUCCESS ?SUCCESS ?

SUCCESS ?SUCCESS ?

Partially-Verified and Not-Verified

requirements

PartiallyCompliant (PC)requirements

NonCompliant (NC)requirements

Not Applicable (NA)

requirements

Not Applicable (NA)

requirements

Y

N

Y

N

Y

N

(1) (2)

(2)

(1) (1) (1)

VERIFICATIONASSESSMENT

ENDEND

RISKASSESSMENT

MITIGATIONANALYSIS

REMARKS

MITIGATIONPROCEDURE

CHANGE REQUEST

ACTION ?ACTION ?

Y

CRITICAL ?CRITICAL ?

Y

N

N

Re-do Validation

CRITERIA

RemarksMitigation

CRITICAL ?CRITICAL ?

Y

N

Requiredchanges

VALIDATION OF RESULTS

(Based on Assessment of verification results)



The IETV in SFCE 09 (II: detailed view)



The IETV Automated Testing Tool (IATT)

What is the IATT?

The IETV Automated Testing Tool (IATT) provides the means to quickly verify a number of interoperability requirements in an automatic manner. This degree of automation allows conducting a large number of tests in a few minutes, and repeat those tests for different security domains and different units.

How does it work?Two IATT nodes (master and slave) are connected at the user sides of two networks interconnected through a Service Interoperability Point (SIOP). Each node represents a different user communities.

Automatic processes exercise multiple traffic types and services across the SIOP. Tests are done in accordance with outstanding interoperability criteria (NC3A TN-1174). Results are captured and reported back to the user.

Several CIS can be verified at the same time using only one master IATT node and several slave IATT nodes, one per CIS.

Which functionality is provided?The IATT automatically verifies CIS interoperability for the following services:

• Transmission and communications: connectivity, routing, protocol/port/service filtering, NTP, DNS, FTP, etc.

• core services, mail, web and secure web

How can nations use the IATT ?By using the IATT nations can quickly and inexpensively identify and resolve

configuration issues that might impair interoperability at the application level. In particular, the IATT looks at the interconnection of NATO and Nation with special emphasis on firewall/gateway configuration, services configuration, routing capabilities or network/application protocols, to name a few.



The IETV Automated Testing Tool (IATT)-II

IATT in SFCE-09The IATT automatically verifies CIS interoperability for the following services:

• Transmission and communications: connectivity, routing, protocol/port/service filtering, NTP, DNS, etc.

• core services, mail, web and secure web

IATT will integrate the results of the automated test in the exercise data base,

IATT will be deploy during all the exercise in LCC-HQ-NRF-13/14 helping to resolve interoperability issues.



NC3A Experimentation Program of Work

IEG-Light Extension “MIP-DEM”

What is the MIP-DEM IEG-Light Extension

The MIP-DEM IEG-Light Extension proxy functionality for the MIP-DEM protocol for interconnecting C2 application across security domains (NATO Secret <-> National Secret).

How does it work?JCOP Layer Manager (LM) implantation is used as service proxy. All MIP-DEM information exchange is terminated and forwarded by the MIP-DEM IEG-Light Extension in both directions.

The contracts between the C2 applications on the different security domains are always created via the MIP-DEM Proxy located in the IEG-Light.

Which functionality is provided?• Controlling the information flow between the security domains• Ensuring the integrity of the MIP-DEM protocol



IEG-Light

Voice-Gateway

What is the IVM?

The IEG-Light Voice Module (IVM) provides a secured voice gateway functionality between voice services of different security domains.

How does it work?The IVM prototype is realized with single board computers (SBC), running the EAL4+ evaluated Linux operating system and the Asterisk soft switch software.

All VoIP traffic from one security domain is terminated at the IVM. All incoming calls are converted to ISDN (G.711) and forwarded over an ISDN E1 trunk. The outgoing traffic is transcoded to any required codec (G.726, G.729, G.711 etc.). Supported protocols for interconnecting to the IVM are SIP, AIX2 (IP trunking) and H.323.

Actual IVM developments will allow to recognise the contents and type of the traffic (Voice, FAX, Modem) as well as detect hidden channels. Traffic is going to be controlled due to it’s contents.

Which functionality is provided?• Access Control for security domain access

– LDAP / PIN / Calling Party number• Limits the information exchange between security domains

to voice/fax/modem services• Codec and Protocol Conversion • Content Scanning, control if voice, fax or modem signals

are transported in the channels

Security Domain B

e.g. NATIONAL

Secret

Security Domain A

e.g. NATOSecret

ProtocolConversion

AccessControl

CodecConversion

Content Scanning

ISDNE1

IPSIP/IAX2

H.323

IPSIP/IAX2

H.323

NC3A Experimentation Program of WorkIEG-Light Extension “IEG-Light Voice Module”



What is the SVG?

The Secure Voice Gateway (SVG) is a tool designed to provide end-to-end secure voice services between networks using different voice and/or encryption technology (ISDN, POTS, VoIP, etc.).

How does it work?The SVG prototype is built from two (a secure and a non-secure) PABX, which are connected via appropriate crypto devices. Currently, the two PABXs are realized with single board computers (SBC), running the EAL4+ evaluated Linux operating system and the Asterisk soft switch software.

Traffic from User A is encrypted (using User A specific cryptos) and tunneled through the NATO network towards the SVG. In the SVG the traffic is decrypted, encrypted (using the User B1 specific cryptos), switched and forwarded to User B1. Alternatively users on the red IP network (User B2) can reach users on the PSTN network (User A and B2) and vice versa.

The SVG currently supports the following interfaces: ISDN PRI, ISDN BRI, analogue and Ethernet.

Which functionality is provided?• Secure voice services between participants using

different media and voice encryption devices.• Local and remote.• Multiple parallel voice services.• Open design for easy integration of additional crypto

devices.

SVGRed-SVG

Crypto B

Crypto A

Crypto n

Black-SVG

SwitchCrypto B

Switch

Crypto n

DB

DB

User A(Originator)

User B1

DB Database

User B2

Crypted circuit/packet switched voice traffic (Unclassified, NU)

Uncrypted circuit switched classified voice traffic (NS)

Circuit & PacketSwitched

Circuit & PacketSwitched

PacketSwitched

Uncrypted packet switched classified voice traffic (NS)

Supported Crypto Equipment:• NSIE BRI/PRI• SCIP Sectera crypto• NBSV-II (Integration phase)

NC3A Experimentation Program of WorkSecure Voice Gateway



NC3A Experimentation Program of WorkNC3A – 1GNC Voice Experiment

What is the NC3A – 1GNC Voice Experiment about?Interconnection of Secure Voice Services between 1GNC National Secret (IP based) and NATO Secret

(ISDN based). The security domains are separated by the IEG-Light with a IEG-Light Voice Module (IVM). The

transition between Secure ISDN and Voice over Secure IP is done by the Secure Voice Gateway (SVG) developed by NC3A.



The IEG-Light (I)What is the IEG-Light?

The Information Exchange Gateway (IEG) “Light” is a small, highly deployable and affordable module that provides secure gateway services between deployed NATO and a deployed national CIS of a NATO member nation.

How does it work?The IEG-Light component filters all traffic from the nation in its router. The firewall directs all granted traffic to the proxy servers in the IEG-Light DMZ. All unwanted traffic is dropped. The proxies can be accessed from the NATO side. All Traffic is audited by the IDS. Therefore, no direct communication between the NS network and the national network is possible. Traffic is audited by the IDS.The IVM prototype is realized with single board computers (SBC), running the EAL4+ evaluated Linux operating system and the Asterisk soft switch software.

Which functionality is provided?The IEG-Light packet switched (PS) component is a

secure interface between the NATO secret (NS) network and the national secret network. Services supported by the IEG-Light PS component are the core information services mail, web publishing and GAL synchronization.

For SFCE 09 new functionality provided inside the IEG-Light is FS support by the MIP-DEM extension and secure VoIP support by the IEG-Light Voice Module (IVM)

IEG InfrastructureNation (NAT-S) SideNATO (NS) Side

NICENICE

Firewall

Web

FilteringRouter

NICENICEData (IP)Data (IP)

Messaging

DirectoryServices

Optional IPEncryption

Optional IPEncryption

IDS IDS

IDS

InformationSharing

IEG Core

Functional ServicesXML GuardFunctional

ServicesSanitizing

FunctionalServices

Decompos.

IEG FS

Messaging

IEG-Light

DMZ

Managementworkstation

NATOSECRET

CISNAT-S

CIS

IEG-Light SpecializedModule

IEG-Light Main Module



The IEG-Light (II)

NON CIS

IES – Information Exchange Services

NPS – Network Protection Services

IPS – InformationProtection Services

MANAGEMENT

Power/UPS Enclosure Ancillary

Packet Switching

Transmission

Encryption/Decryption

Circuit Switching

IP Plan / Network Address Translation (NAT)

Numbering/Dialling

Network-level Traffic Filtering

Intrusion Detection

Content Checking

InformationAssurance

Policy-Enforcement

Public KeyInfrastructure

(future upgrade)

DATA SERVICES VTCVOICE

SERVICE “i”

Decomposition

Sanitizing

ReleaseControl

Publishing(Proxy)

SecureForwarding

ContentScanning

SS – SupportingServices

PassiveMonitoring

ActiveMonitoring

Control

Audit/Event Logging

User I/F

AlarmProcessing

ChangeManagement

MailWeb

IEG-LightUPS module

IEG-Lightmain module

IEG-Lightspecialized module #1

IEG-Lightspecialized module #n

LOCAL POWER

UPSPOWER

NATO-side DATA

UPSMANAGEMENT

KVM-input select

KVM-inputselect

DMZ

DMZ

CONSOLE(SCREEN/KBD)

LOCALCONSOLE

Remote Console

Access RouterManagement

Local UPSManagement

Nation-side DATA

IEG-Light

Traffic Monitoring

SoftwarePatch/Update

NATO WAN(NGCS)

NATO HQ/UnitNS

NU

NUMU NS

MS

Z

LOCAL ISP

National HQ/UnitNS

NAT-SRegional, staticIEG scenario B

NATOdPoPIEGC

Deployed C2 Unit NATO-ProvidedCIS

MU

IEG-Light(B)

NationalDefenceNetwork

(NDN)

SubordinateUnit(s)

NS

NAT-S orNon-NS

Z

GOs/NGOs

NGO (unclass) Other NATO HQs/Units

LOCAL ISP

Firewall

Mail Services

Intrusion DetectionSystem

ManagementConsole

Web Services

Information SharingServices

DirectoryServices

Other specializedServices

FunctionalServices

IDS ConfigurationIDS Event Collection

IDS Database

FW Configuration,

FW Engine

OperatingSystem

Drivers

HARDWARE

ContentScanning,

Release Control,Publishing

Content ScanningRelease Control

Relay

Release ControlSynchronization

Customer furnished

applications

Proxyapplications

for otherspecialized

services

MonitoringControlLogging

Alarm ProcessingChange Mgmt.

Concept of Operation of the IEG-Light IEG-Light Functional Architecture IEG-Light Hardware Architecture

IEG-Light Software Architecture IEG-Light (Remote) Management Interface IEG-Light Main (bottom) and Specialized(top) Modules

VOICE SERVICES

Access Control

Protocol Conversion

Codec Conversion

Content Scanning



Compliant (C)

Partially Compliant

(PC)

Not Compliant

(NC)

Not Tested (NT) Total

Low level MS-MS test results

Secure data 31 2 4 7 44Informal messaging system (e-mail) 10 1 2 2 15Directory Service 18 1 1 20Web-based services 12 2 0 14

Low-level tests 71 6 7 9 93 0.84 ||||||||||||||||||||| 0.90 ||||||||||||||||||||||

Inter-domain test results

MS to IETV MS (conf #1) 12 2 1 15 0.86 ||||||||||||||||||||| 0.91 ||||||||||||||||||||||NAT-S to IETV NS 14 2 5 6 27 0.62 ||||||||||||||| 0.78 |||||||||||||||||||MS to IETV NS (conf #1) 12 2 14 0.81 |||||||||||||||||||| 1.00 |||||||||||||||||||||||||NAT-S to IETV MS 8 1 3 1 13 0.61 ||||||||||||||| 0.92 |||||||||||||||||||||||MS to IETV MS (conf #2) 13 13 0.00 0.00NAT-S to static IETV NS 9 7 2 18 0.42 |||||||||| 0.89 ||||||||||||||||||||||MS to static IETV NS (conf #1) 8 1 2 11 0.70 ||||||||||||||||| 1.00 |||||||||||||||||||||||||MS to static IETV NS (conf #2) 9 9 0.00 0.00MCCIS 13 1 4 11 29 0.67 |||||||||||||||| 0.62 |||||||||||||||ICC 19 4 2 6 31 0.79 ||||||||||||||||||| 0.81 ||||||||||||||||||||

Service-Level tests 95 11 26 48 180

FS Tests 32 5 6 17 60Non-FS Tests 63 6 20 31 120

Summary of all tests 166 17 33 57 273 0.74 |||||||||||||||||| 0.79 |||||||||||||||||||

Interoperability (IO) Score

Reliability of IO measure

EXAMPLE CIS INTEROPERABILITY TEST CAMPAIGN RESULTS SUMMARY

Example of IETV CIS Verification Results



• Primary objectives: • Test and validate nationally provided CIS (LCC-HQ-NRF-13-GBR)• Test and validate nationally provided CIS (LCC-HQ-NRF-14-DNK)• Test interoperability between NATO C2/FS and National C2/FS• Test cross-domain data and voice exchange mechanism• Identification (resolution) of interoperability issues

• Other objectives:• Experiment the IETV Automated Testing Tool (IATT)• Experiment NATO gateways for national MIP-DEM traffic • Support national experiment with IETV (NRDC-SP-JCOP-XML)• Demonstrate NATO gateways for FS traffic• Demonstrate “zero-configuration” model for national CIS provision

Objectives of the 2009 SFCE IETV campaign

introduction and objectives

Documents