GIG 3.0 Design Factors - Public Intelligence

GIG 3.0 Design Factors

An Architecture Proposal for Aligning NetOps to the Operational Chain of Command

Mr. Randy Cieslak, CIO
U.S. Pacific Command
11 January 2011

This brief is classified: UNCLASSIFIED
This presentation and individual slides contain privileged information. Any unauthorized disclosure, distribution, alteration or dissemination of the contents of this information for monetary gain is prohibited.
Cyberspace Operational Requirements

Brig Gen Brett Williams, Director, C4 Systems Directorate
Mr. Randy Cieslak, Chief Information Officer
U.S. Pacific Command
12 November 2010


Geographic JOAs
Where is the CYBER JOA?

• REQUIREMENT: The JFC must C2 cyberspace operations in the same way he executes C2 in the air, land and maritime domains.

• CONCERNS:
   – JFCs lack the architecture, CONOPS, TTP, personnel, training, tools, doctrine and policy for full spectrum cyber operations
   – It’s all one big GIG, there is no Cyber JOA.
   – The GIG was not built for operations.
   – Sensors are not effectively focused on critical C2 services
   – Type 1 encryption is not responsive to operational requirements
   – Mission-Risk authority in cyberspace is currently held by CYBERCOM and the Services, not the JFC

Cyberspace is the only man made domain. It can and must be shaped for the JFC to make decisions, direct actions and accept risk in a way that does not affect the rest of the GIG.
GIG 3.0
• GIG 2.0 promised an information advantage to the warfighter.
   – It did not address the key issue of "one big GIG"
   – It did not align the architecture to the chain of command.

• Components of GIG 3.0:
   – Cyber JOA defined by an Operational Network Domain (OND)
   – Enclaved architecture to enable defense in depth, information sharing and agility
   – Multi-enclave client for efficient information access
   – Associated personnel, training, tools and TTP to C2 Cyberspace Operations
Current Architecture
[diagram: DISA Enterprise Services and Military Service Enterprise Services connected through the DISN, with CYBERCOM/Services holding Mission-Risk Authority; a "?" marks the undefined boundary between the Defense Enterprise and the Operational Theater; below it the Command Client Suite, HUB and Theater Application Services form "Common Clients, Single Enclave"]
Characteristics of a Cyber JOA

• The Cyber JOA defines the friendly forces operational network domain and is focused on the operate and defend mission.
• The Cyber JOA provides a platform for dynamic network defense and facilitates CNA and CNE.
• The Cyber JOA is defined by the systems and networks critical for Joint Force Command and Control.
• The Cyber JOA is governed by existing doctrine and policy.
• The Cyber JOA allows the commander to:
    – Sense the environment
    – Make decisions
    – Direct operations
    – Assume risk
• The Cyber JOA requires CYBERCOM and the services to execute their GIG wide responsibilities within the JOA.
Defining the JFC’s "Cyber JOA"
[diagram: as in Current Architecture, with a Dedicated Network Domain Gateway (DNDG) as the Controlled Interface between the DISN and an Operational Network Domain; on the enterprise side CYBERCOM is supported and has Mission-Risk Authority, inside the OND the Joint Force Commander is supported and has Mission-Risk authority]
Tenets of an Operational Network
• The network must be Commander Centric
   – Commanders balance risk against mission in all domains except cyber
   – An operational network addresses this issue by aligning NetOps to the Operational Chain of Command
   – The GIG cannot be vulnerable to risk assumed by one commander
   – The operational network must accommodate the scheme of maneuver

• Commanders must define the requirements for designing and building the Operational Network

• Commanders must have the authority and responsibility to operate and defend the operational network.

• Supported and supporting roles must be articulated
   – Clear delineation between the responsibilities of the service components and the operational commander
   – Clear definition of STRATCOM/CYBERCOM’s role to support the operational network while they Operate and Defend the GIG
Barriers to Operationalizing the Network

• It’s all one big GIG, there are no JOA boundaries in cyberspace

• We are burdened by the costs and policy associated with TYPE 1 encryption — works against flexibility, adaptability and robustness needed to accommodate the scheme of maneuver.

• Current culture and doctrine delegate OPCON of all forces except Cyber forces to the Operational Commander. Services and CYBERCOM retain network authority and responsibility.
2 Nov 2010

10 Propositions Regarding Cyberspace Operations
(With acknowledgement to Phil Meilinger’s 10 Propositions Regarding Air Power)
 1. The commander is responsible for cyberspace operations; he must C2 cyber just as he does the air, land and maritime domains.
 2. C2 of cyberspace is the foundation for operational C2.
 3. There are four lines of operation in cyber—operate, defend, attack and exploit, and defense is the dominant mission.
 4. The commander must see and understand cyberspace to defend it and he cannot defend it all.
 5. Cyberspace operations must be fully integrated with operations in the physical domains.
 6. Our understanding of non-kinetic effects in cyber is immature.
 7. Operational requirements drive cyber architecture, not the other way around.
 8. Cyber is the only manmade domain--we built it, we can change it.
 9. Operational impact is the relevant information, not number of megabytes exfiltrated.
10. Networks will always be critical and vulnerable--disconnecting is not an option, we must fight through the attack.
Operationalizing the Network
• It’s all one big GIG, there are no JOA boundaries in cyberspace
• We are burdened by the costs and policy associated with TYPE 1 encryption — works against flexibility, adaptability and robustness needed to accommodate the scheme of maneuver.
• Current culture and doctrine delegate OPCON of all forces except Cyber forces to the Operational Commander. Services and CYBERCOM retain network authority and responsibility.

Proposed solution: Operational Network Domain (OND)
    – Defines the "Commander’s Cyberspace JOA"
    – Utilizes encryption techniques that give the Operational Commander the capability to C2 Cyberspace
Fundamental Network Challenge and Proposed Solution

Agile Virtual Enclave (AVE)
Virtual Secure Enclave (VSE)

Mr. Randy Cieslak, Chief Information Officer
U.S. Pacific Command
8 December 2010



Current Network Design—This needs to change
[diagram: a user facing a single CORE or BACKPLANE through a stack of separate devices: FW pairs for the Sensitive Unclassified Networks and a separate KG crypto chain for each of Secret NOFORN, Secret for Allies and SCI & SPECATs; the user is captioned "?@#?!"]
Virtual Secure Enclaves (VSE)
The foundation of the Operational Network Domain
• The Operational Network is built on IPsec-based VSEs

• IPsec--Short for IP Security, a set of protocols to support secure exchange of packets at the IP layer. IPsec has been deployed widely to implement robust Virtual Private Networks (VPNs)

• IPsec provides a COTS/GOTS encryption capability that is certified for up to SECRET data

• Advantages of IPsec over TYPE 1 encryption
   – Reduces the Controlled Crypto "overhead"
   – Allows visibility into network traffic to enable use of Network Management Tools to execute QOS
   – Simplifies adding and removing enclaves from the OND
   – Potential to facilitate Computer Network Operations (CNO)
TYPE 1 without IPSec

Each enclave is a separate network requiring its own separate infrastructure

[diagram: a separate HUB for each of several Service SIPRNETs, Coalition C2 Nets and IC Networks, each carried on its own infrastructure]
(It’s not this neat and orderly.)
Components of an IPSec Virtual Secure Enclave (VSE)
[diagram, left to right: Conventional Client Computer at the Customer Service Point (CSP); Client Services VPN IPSEC VPN Device; Protected Inter-Nodal Network (PIN) VPN IPSEC VPN Device; the shared Network Enclave; PIN VPN IPSEC VPN Device; Client Services VPN IPSEC VPN Device; Counter-Denial of Service (DOS) Firewall and Service Protection Firewall in front of the Application Service Point (ASP) Server Suite]

Network Enclave – A protected network environment that contains a single security domain (e.g., SECRET//REL USA)
Application Service Point (ASP) – Suite of servers dedicated to a single enclave to provide application services (e.g., Web, E-Mail, COP and the like)
Customer Service Point (CSP) – User interface to the enclave
Client Services VPN – Protects users’ data using NSA-certified IPSec encryption. (First layer of wrapping)
Protected Internodal Network (PIN) VPN – Protects the network from intra-enclave threats such as malicious insiders, high-risk applications, or poor system hygiene.
ASP Firewalls – Protect the IPSec crypto from Denial-of-Service (DOS) attacks and add the additional robustness required for cross-domain use of a common network infrastructure by the application service.
1. Establish a Perimeter for the OND
[diagram: SIPR service-unique network, HUBs and a Coalition C2 Net enclosed by an Operational Network Domain boundary]
2. Establish a Type 1 Perimeter for the Classified Enclaves
[diagram: as step 1, with a Type 1 Perimeter drawn around the classified enclaves]
3. Establish an IPSec Tunnel for Enclave Client Services
[diagram: as step 2; a SIPRNET Enclave Client Services IPSec VPN runs between the HUBs inside the OND]
4. Establish an outer IPSec Tunnel for Network Protection
   Called the Protected Inter-nodal Network (PIN)
[diagram: as step 3; the SIPRNET Enclave Operator Services IPSec VPN is carried inside an outer PIN IPSec VPN]
5. Establish a controlled interface from the enterprise network to the OND Enclave
[diagram: as step 4; a DNGW SIPR gateway sits between the SIPR service-unique network and the SIPRNET Enclave inside the OND]
6. Swing operational area services to the associated OND enclave
[diagram: as step 5, with the operational area's SIPR services now served through the SIPRNET Enclave behind the DNGW SIPR]
7. Repeat this process for internal operational networks
[diagram: as step 6, with a Coalition C2 Enclave built alongside the SIPRNET Enclave inside the OND]
8. Additional enclaves can be added as modules
[diagram: NIPR, SIPR and IC service-unique networks each enter the OND through their own gateway (DNGW NIPR, DNGW SIPR, DNGW IC); NIPRNET, SIPRNET, Coalition C2 and IC Enclaves, each with its own HUB, sit inside the OND]
9. Configure and provide training to end-user-sites and Data Centers accordingly
[diagram: End User Site on the left with a HUB per enclave, Data Center on the right with Application Service Points; NIPR, SIPR and IC networks enter through DEG NIPR, DEG SIPR and DEG IC; NIPRNET, SIPRNET, Coalition C2 and IC Enclaves inside the OND]
10. Take advantage of Multi-Enclave Clients from Agile Virtual Enclave (AVE) Project
[diagram: as step 9, with Multi-Enclave Clients at the End User Site in place of the per-enclave HUBs]
11. Take advantage of cross-domain gateways and guards to move information between enclaves (e.g., Trusted Network Environment (TNE))
[diagram: as step 10 with an AVE-Enabled End User Site; a Cross Domain Gateway in the Data Center is used "to move info across domains"]
12. Monitor and Control the OND
[diagram: as step 11, plus a Network Operations & Security Center holding a Common Operational Picture (RISK LEVEL, UTILITY, PRIORITY, CAPACITY), Dynamic Computer Network Defense and Quality of Service; caption: "Control of: Risks / Capabilities / Performance / Resources"]
OND-related Areas of Responsibility
[diagram: as step 11, with a Network Operations Center at the DNGWs; legend: Supporting Service/Agency Responsibility; Supported Operational Command Responsibility (the Operational Network Domain)]
Operational Network Domains (OND) and Security Domain Enclaves through the Classified Military Network (CMILNet)

Mr. Randy Cieslak, CIO
U.S. Pacific Command
29 June 2010



Technical Challenges

• Challenge #1: Creation of Agile Virtual Enclaves (AVEs), which are networked security domains that allow reuse of the same network infrastructure from the client through the network cloud.

• Challenge #2: Creation of Operational Network Domains (ONDs) with sufficient strength of separation to support different risk jurisdictions within each AVE.
   – Virtual Secure Enclaves (VSEs) are the instantiation of AVEs within the OND.

• Challenge #3: Creation of a "black core capable" DISN designed to create Agile Virtual Enclaves (AVEs) to enable Virtual Secure Enclaves within Operational Network Domains (ONDs)
   – Must accommodate more than NIPRNET, SIPRNET, and JWICS
   Solution Toolkit – Network Virtualization

• Performance-based Virtualization (use these for ONDs)
   – Multiprotocol Label Switching (MPLS)
   – Generic Routing Encapsulation (GRE)
   – Virtual Local Area Networks (VLAN)

• Security-based Virtualization, a.k.a. Virtual Private Networks (VPNs)
  (use this for AVEs and VSEs)
   – High Assurance Internet Protocol Encryptor (HAIPE)
   – Internet Protocol Security (IPsec)
   – Transport Layer Security (TLS)

    The solution must employ both types of virtualization together:
    performance-based virtualization partitions the transport, and
    security-based virtualization protects the traffic inside each partition.
    Only the combination optimizes capability, security and performance.
    Technical Solutions
• Challenge #1: Creation of Agile Virtual Enclaves (AVEs), which are
  networked security domains that allow reuse of the same network
  infrastructure from the client through the network cloud.
• Solution #1: Employ rigorously tested IPsec implemented in
  accordance with NSA standards.
• Challenge #2: Creation of Operational Network Domains (ONDs) with
  sufficient strength of separation to support different risk jurisdictions within
  each AVE.
• Solution #2: Employ Intrusion Prevention System (IPS) based
  firewalls with access controls and service filters.
• Challenge #3: Creation of a "black core capable" DISN designed to create
  Agile Virtual Enclaves (AVEs) to enable Virtual Secure Enclaves within
  Operational Network Domains (ONDs).
• Solution #3: Employ a next-generation network strategy that
  accommodates Solutions 1 and 2 as a fourth enterprise network
  domain, using MPLS-based domain techniques and IPv6, and improving
  upon how SIPRNET and NIPRNET are carried on the DISN today.

                                   GIG 3.0
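Solutions 1 and 2 put the two identifiers in different places in the packet, and that placement decides what an OND-boundary firewall can actually filter. The following is an added example, not code from the brief or from PACOM: it assumes, for illustration only, that the OND is marked by an 802.1Q VLAN ID (standing in for an MPLS label or VRF), that the AVE is an IPsec ESP security association identified by its SPI, and that the boundary policy is an allow-list of (OND, SPI) pairs plus a service filter on TCP destination ports. The frames, SPIs, VLAN IDs and policy tables are all constructed for the example.

```python
"""Added example (not from the brief): where the OND and the AVE show up in a
packet, and what an OND-boundary firewall can and cannot filter on.

Assumptions made for illustration (not stated in the brief):
  - the OND is marked by an 802.1Q VLAN ID, standing in for an MPLS label/VRF;
  - the AVE is an IPsec ESP Security Association, identified by its SPI;
  - the OND firewall holds an allow-list of (OND, SPI) pairs and a service
    filter of permitted TCP destination ports for any plaintext traffic.
"""
import struct

ETHERTYPE_VLAN = 0x8100
ETHERTYPE_IPV4 = 0x0800
IPPROTO_TCP = 6
IPPROTO_ESP = 50
IP_OFFSET = 18                 # 14 B Ethernet header + 4 B 802.1Q tag

# Hypothetical OND boundary policy, constructed for the example:
# OND 100 may carry the AVE SAs with SPI 0x1001 and 0x1002, OND 200 only 0x2001.
ALLOWED_SPI = {100: {0x1001, 0x1002}, 200: {0x2001}}
# Service filter for plaintext traffic inside an OND (destination ports).
ALLOWED_TCP_PORTS = {22, 443}


def build_frame(vlan_id, payload, proto, dst_port=0, spi=0):
    """Construct an Ethernet/802.1Q/IPv4 frame carrying ESP or TCP."""
    if proto == IPPROTO_ESP:
        # ESP: SPI (4 B) + sequence number (4 B), then ciphertext.
        l4 = struct.pack("!II", spi, 1) + payload
    else:
        # Minimal 20 B TCP header: src port, dst port, seq, ack, data offset,
        # flags (SYN), window, checksum, urgent pointer.
        l4 = struct.pack("!HHIIBBHHH", 40000, dst_port, 0, 0, 5 << 4, 0x02,
                         65535, 0, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(l4), 0, 0, 64, proto, 0,
                     bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))
    tci = vlan_id & 0x0FFF     # PCP/DEI zero, VID in the low 12 bits
    eth = b"\x02" * 12 + struct.pack("!HHH", ETHERTYPE_VLAN, tci, ETHERTYPE_IPV4)
    return eth + ip + l4


def parse_frame(frame):
    """Return only the fields a boundary device can read without the AVE's keys."""
    (ethertype,) = struct.unpack_from("!H", frame, 12)
    if ethertype != ETHERTYPE_VLAN:
        raise ValueError("untagged frame: no OND marking")
    tci, inner_type = struct.unpack_from("!HH", frame, 14)
    if inner_type != ETHERTYPE_IPV4:
        raise ValueError("only IPv4 is modelled here")
    ihl = (frame[IP_OFFSET] & 0x0F) * 4
    proto = frame[IP_OFFSET + 9]
    l4 = IP_OFFSET + ihl
    info = {"ond": tci & 0x0FFF, "proto": proto, "spi": None, "dst_port": None}
    if proto == IPPROTO_ESP:
        (info["spi"],) = struct.unpack_from("!I", frame, l4)
        # Everything after the ESP header is ciphertext: no ports, no service
        # name, nothing for a service filter to act on at this boundary.
    elif proto == IPPROTO_TCP:
        _, info["dst_port"] = struct.unpack_from("!HH", frame, l4)
    return info


def ond_boundary_decision(frame):
    """Access control on (OND, SPI); service filter only where plaintext exists."""
    info = parse_frame(frame)
    ond, proto = info["ond"], info["proto"]
    if proto == IPPROTO_ESP:
        if info["spi"] in ALLOWED_SPI.get(ond, set()):
            return "permit", "AVE SA 0x%x is registered for OND %d" % (info["spi"], ond)
        return "deny", "SPI 0x%x is not registered for OND %d" % (info["spi"], ond)
    if proto == IPPROTO_TCP:
        if info["dst_port"] in ALLOWED_TCP_PORTS:
            return "permit", "service filter: tcp/%d allowed in OND %d" % (info["dst_port"], ond)
        return "deny", "service filter: tcp/%d not allowed in OND %d" % (info["dst_port"], ond)
    return "deny", "IP protocol %d is not permitted across the OND boundary" % proto


if __name__ == "__main__":
    samples = [
        build_frame(100, b"\x00" * 32, IPPROTO_ESP, spi=0x1001),   # permit
        build_frame(200, b"\x00" * 32, IPPROTO_ESP, spi=0x1001),   # deny: SA belongs to OND 100
        build_frame(100, b"", IPPROTO_TCP, dst_port=443),          # permit
        build_frame(100, b"", IPPROTO_TCP, dst_port=23),           # deny: service filter
    ]
    for frame in samples:
        print(ond_boundary_decision(frame))
```

The practical caveat the example makes visible: the OND firewall of Solution 2 can enforce access control on the outer headers and on which AVE (SPI) is allowed in which OND, but its service filters only bite on plaintext. Service-level filtering for traffic inside an AVE has to happen where the traffic is decrypted, inside the enclave, not at the OND boundary.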
   Why We Need a Black Core CMILNet

[Figure (slide 37): Today's Network, the Singapore case. A packet bound for
CENTRIXS-SGP is carried inside CENTRIXS-CMFP, which is carried inside
CENTRIXS-GCTF, inside SIPRNET, inside NIPRNET/Internet: four stacked headers
(H H H H) on one payload (P). Payload efficiency is low, so performance is poor.
CMILNet Black Core: CENTRIXS-SGP, CENTRIXS-GCTF, CENTRIXS-CMFP, SIPRNET,
NIPRNET and the Internet each ride directly on CMILNet-Black, so a packet
carries one black-core header (H) and its payload (P). Payload efficiency is
high, so performance is good.]
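The slide states the payload-efficiency argument qualitatively. The following is an added example, not from the brief, that puts numbers on it under stated assumptions: the original packet carries 40 bytes of its own IPv4 and TCP headers, and every security domain crossed adds one IPsec ESP tunnel modelled as a fixed 62-byte overhead (20 B outer IPv4, 8 B ESP header, 16 B IV, 2 B trailer, 16 B ICV, with block padding ignored). The per-tunnel figure and the 1500-byte link MTU are assumptions for illustration, not measurements from PACOM; the four-deep and one-deep header stacks are read off the slide's diagram.

```python
"""Added example (not from the brief): payload efficiency and usable MTU of the
stacked encapsulation in the "Singapore case" versus one black-core encapsulation.

Assumed overheads, chosen for illustration rather than taken from the brief:
  - the original packet carries 40 B of its own IPv4 + TCP headers;
  - every security domain crossed adds one IPsec ESP tunnel: 20 B outer IPv4,
    8 B ESP header, 16 B IV, 2 B pad-length/next-header trailer, 16 B ICV,
    i.e. 62 B per tunnel (ESP block padding is ignored to keep the arithmetic
    visible).
"""
import math

INNER_HEADERS = 40          # IPv4 (20) + TCP (20) of the original packet
TUNNEL_OVERHEAD = 62        # per nested ESP tunnel, see module docstring
LINK_MTU = 1500             # assumed Ethernet link MTU

# Header stacks from the brief's diagram: four nested domains today, one
# black-core encapsulation with CMILNet.
SINGAPORE_TODAY = ["NIPRNET/Internet", "SIPRNET", "CENTRIXS-GCTF", "CENTRIXS-CMFP"]
CMILNET_BLACK_CORE = ["CMILNet-Black"]


def wire_size(app_bytes, tunnels):
    """Bytes on the wire for one packet carrying app_bytes through the tunnels."""
    return app_bytes + INNER_HEADERS + TUNNEL_OVERHEAD * len(tunnels)


def payload_efficiency(app_bytes, tunnels):
    """Fraction of the wire packet that is application data (the 'P' in the brief)."""
    return app_bytes / wire_size(app_bytes, tunnels)


def usable_mtu(tunnels, link_mtu=LINK_MTU):
    """Largest app payload that fits in one link MTU without fragmenting.

    Each nested tunnel eats into the MTU the layer above it sees; a stack that
    is deeper than the link allows yields a negative number, i.e. nothing fits.
    """
    return link_mtu - INNER_HEADERS - TUNNEL_OVERHEAD * len(tunnels)


def transfer_cost(file_bytes, tunnels, link_mtu=LINK_MTU):
    """Packets and total bytes needed to move file_bytes at the link MTU."""
    per_packet = usable_mtu(tunnels, link_mtu)
    if per_packet <= 0:
        raise ValueError("tunnel stack deeper than the link MTU allows")
    packets = math.ceil(file_bytes / per_packet)
    overhead = packets * (INNER_HEADERS + TUNNEL_OVERHEAD * len(tunnels))
    return {
        "packets": packets,
        "wire_bytes": file_bytes + overhead,
        "efficiency": file_bytes / (file_bytes + overhead),
    }


def compare(file_bytes=1 << 20):
    """Side-by-side figures for the two designs on a 1 MiB transfer."""
    return {name: transfer_cost(file_bytes, stack)
            for name, stack in (("today", SINGAPORE_TODAY),
                                ("black core", CMILNET_BLACK_CORE))}


if __name__ == "__main__":
    for name, stack in (("today", SINGAPORE_TODAY), ("black core", CMILNET_BLACK_CORE)):
        print("%-10s headers=%d  efficiency@1000B=%.3f  usable MTU=%d  %s"
              % (name, len(stack), payload_efficiency(1000, stack),
                 usable_mtu(stack), transfer_cost(1 << 20, stack)))
```

Under these assumptions a 1000-byte payload is about 78 % of the wire packet today and about 91 % over the black core, and the usable MTU grows from 1212 to 1398 bytes. The MTU figure is the one that bites operationally: every nested tunnel is another layer whose path MTU must be discovered or else fragmented at, and fragmentation inside an encrypted tunnel is both a performance and a reliability problem.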
   Global Enterprise OND Concept – Today's State

[Figure (slide 38): the DISN Backbone connects Premise Equipment (P) at each site, split into Unclassified Premise Equipment (UPE) and Classified Premise Equipment (CPE), serving NIPRNET, SIPRNET, JWICS, DSN, DRSN and DVS-G.]
   Global Enterprise OND Concept – Today's State

[Figure (slide 39): the same view reduced to the IP networks. The DISN Backbone connects Premise Equipment (P), as Unclassified Premise Equipment (UPE) and Classified Premise Equipment (CPE), serving NIPRNET, SIPRNET and JWICS.]
   Global Enterprise OND Concept – Near Term?

[Figure (slide 40): as in today's state, the DISN Backbone connects Premise Equipment (P) as Unclassified Premise Equipment (UPE) and Classified Premise Equipment (CPE) for NIPRNET, SIPRNET and JWICS, with a third element added alongside them: Black Premise Equipment (BPE). Callout: extremely useful in the creation of CMILNet, the Common Mission Network Transport (CMNT).]
   Global Enterprise OND Concept

[Figure (slide 41): the DISN Backbone carries four enterprise domains. NIPRNET (U) aggregates the Army, Marine Corps, Navy, Air Force and Agency NIPRNETs; SIPRNET (C) aggregates the Army, Marine Corps, Navy, Air Force and Agency SIPRNETs; JWICS (P) carries DODIIS, NSA Net, NGA Net, etc.; and the CENTCOM AMN OND (B) is the gateway for the Mission Network, the CENTCOM Afghan Dedicated Network.]
   Global Enterprise OND Concept

[Figure (slide 42): the slide-41 picture redrawn to distinguish actual connections to the DISN Backbone (P) from logical connections. NIPRNET (U) and SIPRNET (C) each carry the Army, Navy, Marine Corps, Air Force and Agency networks; JWICS carries DODIIS, NSA Net and NGA Net; the CENTCOM AMN OND (B) carries the mission enclaves GCTF, ISAF, MNFI, CCER, TNE and CMFC, the Agency, Air Force, Navy, Marines and Army enclaves, and Internet access, etc.]
   Global Enterprise OND Concept

[Figure (slide 43): the slide-42 picture extended from one OND to one per combatant command. Beside the CENTCOM AMN OND sit PACOM, EUCOM, AFRICOM, NORTHCOM and SOUTHCOM Theater ONDs and a NATO Theater OND, each attached to the DISN Backbone (P) with its actual connections shown separately from its logical connections. Each theater OND carries its own set of coalition and mission enclaves (GCTF, CMFP, CCER, TNE, FVEY, ISAF, MNFI, MLEC, FEMA, SAF and bilateral enclaves such as KOR, JPN, FRA, ITA, CAN, COL and MEX) alongside Agency, Air Force, Navy, Marines and Army enclaves and Internet access.]
Global Enterprise OND Concept (slide 44)

[Figure: "Logical Connections" versus "Actual Connections (GIG 3.0)" over the DISN Backbone. Labels recovered from the diagram:
 - Service and agency enclaves on NIPRNET: Army, Marine Corps, Navy, Air Force, Agency's NIPRNET.
 - Service and agency enclaves on SIPRNET: Army, Marine Corps, Navy, Air Force, Agency's SIPRNET.
 - JWICS enclaves: DODIIS, NSA Net, NGA Net, Etc.
 - Theater ONDs: CENTCOM OND, PACOM OND, EUCOM OND, AFRICOM OND, NATO Theater OND, NORTHCOM Theater OND, SOUTHCOM Theater OND.
 - Coalition and mission networks attached to the theater ONDs: AMN, CMFC, CMFP, GCTF, ISAF, MNFI, KOR, JPN, FRA, ITA, CCER, TNE, FVEY, FEMA, MLEC, SAF, CAN, COL, MEX.
 - Per-OND enclaves: Navy, Marines, Army, Agency, Air Force, MILNet, Internet.
 - Marker letters U, P, C, B appear on the slide.]
Global Enterprise OND Concept (slide 45)

[Figure: GIG 3.0 / MILNET view of the same concept. Labels recovered from the diagram:
 - NIPRNET enclaves: Army, Marine Corps, Navy, Air Force, Agency's.
 - SIPRNET enclaves: Army, Marine Corps, Navy, Air Force, Agency's.
 - JWICS enclaves: DODIIS, NSA Net, NGA Net, Etc.
 - DISN Backbone.
 - Combatant command ONDs: CENTCOM ONDs, PACOM ONDs, EUCOM ONDs, AFRICOM ONDs, NORTHCOM ONDs, SOUTHCOM ONDs.
 - Marker letters U, P, C, B appear on the slide.]
DISN Backbone (Black Core): one Operational Network Domain (OND) per combatant command

[Figure reconstructed as a table. Each OND is a stack of VSEs, one per network, reached from the Black Core through Dedicated Network Domain Gateways (DNDG) and Dedicated Network Enclave Gateways (DNEG).]

Network (domain)                    EUCOM OND   CENTCOM OND   AFRICOM OND   PACOM OND   NORTHCOM OND   SOUTHCOM OND
SMILNet .smil.mil (SIPRNET)         SIPRNET     SIPRNET       SIPRNET       SIPRNET     SIPRNET        SIPRNET
                                    CDCI        CDCI          CDCI          CDCI        CDCI           CDCI
CMILNet .cmil.mil (CENTRIXS)        NATO        CNFC          CMFA          CMFP        CMFP           MLEC
                                    GCTF        GCTF          GCTF          GCTF        GCTF           GCTF
                                    ACGU        AMN           ACGU          ACGU        ACGU           ACGU
                                    FVEY        FVEY          FVEY          FVEY        FVEY           FVEY
                                    S-VSE       S-VSE         S-VSE         S-VSE       S-VSE          S-VSE
MILNet .mil (NIPRNET), via IAP      NIPRNET     NIPRNET       NIPRNET       NIPRNET     NIPRNET        NIPRNET
Inter-Agency Networks .gov / .net   HADR        HADR          HADR          HADR        HADR           HADR
                                    MOBILITY    MOBILITY      MOBILITY      MOBILITY    MOBILITY       MOBILITY
                                    HLD/LE      HLD/LE        HLD/LE        HLD/LE      HLD/LE         HLD/LE
Internet                            Internet    Internet      Internet      Internet    Internet       Internet

Legend:
  OND = set of VSEs (one VSE per network)
  CDCI - Cross Domain Controlled Interface
  DNDG - Dedicated Network Domain Gateway
  DNEG - Dedicated Network Enclave Gateways
  IAP - DISN Internet Access Point
  AMN - Afghan Mission Network
  S-VSE - Standby VSE
  Yellow highlight - Primary C2 Network (PCN)
DISN Backbone (Black Core): PACOM OND and US Forces Korea OND

[Figure reconstructed as a table; same layout and legend as the six-command OND figure above, showing only the PACOM / US Forces Korea column.]

Network (domain)                    PACOM OND / US Forces Korea OND
SMILNet .smil.mil (SIPRNET)         SIPRNET
                                    CDCI
CMILNet .cmil.mil (CENTRIXS)        CMFP
                                    GCTF
                                    UNCK
                                    ACGU
                                    KOR
                                    FVEY
                                    S-VSE
MILNet .mil (NIPRNET), via IAP      NIPRNET
Inter-Agency Networks .gov / .net   HADR
                                    MOBILITY
                                    HLD/LE
Internet                            Internet

Legend:
  OND = set of VSEs (one VSE per network)
  CDCI - Cross Domain Controlled Interface
  DNDG - Dedicated Network Domain Gateway
  DNEG - Dedicated Network Enclave Gateways
  IAP - DISN Internet Access Point
  AMN - Afghan Mission Network
  S-VSE - Standby VSE
  Yellow highlight - Primary C2 Network (PCN)
DISN Backbone (Black Core): US Forces Korea OND

[Figure reconstructed as a table; same layout and legend as the OND figures above, showing only the US Forces Korea OND. No Inter-Agency Networks enclave is shown for this OND.]

Network (domain)                    US Forces Korea OND
SMILNet .smil.mil (SIPRNET)         SIPRNET
                                    CDCI
CMILNet .cmil.mil (CENTRIXS)        UNCK
                                    KOR
MILNet .mil (NIPRNET), via IAP      NIPRNET
Inter-Agency Networks .gov / .net   (none shown)
Internet                            Internet

Legend:
  OND = set of VSEs (one VSE per network)
  CDCI - Cross Domain Controlled Interface
  DNDG - Dedicated Network Domain Gateway
  DNEG - Dedicated Network Enclave Gateways
  IAP - DISN Internet Access Point
  AMN - Afghan Mission Network
  S-VSE - Standby VSE
  Yellow highlight - Primary C2 Network (PCN)
                               Actual Connections         DISN Backbone


   MILNet                CMILNet             SMILNet                                                 U.S. Forces Korea                            AUS

    .mil                 .cmil.mil           .smil.mil                                                     (USFK)                                BEL
                                                                                                    Operational Network
 (NIPRNET)             (CENTRIXS)           (SIPRNET)
                                                                                                       Domain (OND)                              CAN
IAP
                                                                                SIPRNET                “Korea Mission
                                                                                                                                                  COL
                                                                                                       Network” (KMN)




                                                                                                                                                          Coalition Links
                                                                                                                                                  DNK

                                                                                                                                                  FRA

                                                                                 CDCI                                                             GRC

                 Logical Connections                                                                                                              GBR




                                                                 KMN Backbone
                                                                                                                                                  KOR

                                                                                 UNCK                                                             NLD

                                                                                                                                                  NOR

                                                                                                                                                   NZL

                                                                                                                                                   PHI
                                                                                 KOR                Client Command
                                                                                                       (e.g., Osan)
                                                                                                                                                   THA
                                                                                                                         Client Command
                                                                                                                           (e.g., Taegu)   Multilateral Enclaves
                                                                                                                                           UNCK – United Nations Command Korea

                                                                                NIPRNET                                                    Country Codes
                                                                                                                                           AUS – Australia
                                                                                                              Client Command               BEL – Belgium
                                                                                                                                           COL – Columbia
                                        Internet                                Internet                       (e.g., Yongsan)
                                                                                                                                           DNK – Denmark
                                                                                                                                           FRA – France
                                                                                                                                           GRC - Greece
              Dedicated Network Gateways (DNG)                                                                                             GBR – United Kingdom of Great Britain
                                                                                                                                           KOR – Republic of South Korea
                                                                                                                                           NLD - Netherlands
      CDCI    Cross Domain Controlled Interface                                                                                            NZL – New Zealand
               Dedicated Network Domain Gateway (DDG)                                                                                      NOR - Norway
                                                                          Application                Multi-                                PHI – Philippines
               Dedicated Network Enclave Gateway (DEG)                      Service                 Enclave               KOR              THA –Thailand
               DISN Internet Access Point                                    Point                   Client
        IAP
                           This presentation and individual slides            privileged
                                                                      contain(ASP)                      unauthorizedC2 Network distribution,
                                                                                           information. Any
                                                                                                     (MEC)   Primary disclosure,
                                    alteration or dissemination of the contents of this information for monetary gain is prohibited.
                               Actual Connections         DISN Backbone

Selected GIG 3.0 Components to Show On the Next Slide – Geographic Topology for CENTRIXS-KOR
[Figure: excerpt of the OND diagram. CMILNet .cmil.mil (CENTRIXS) connects through CDCIs to the KOR VSE, which serves a Client Command (e.g., Osan).]
51
GIG 3.0 Interface Components
Internal to a single security enclave
[Figure. System Design View (left): CMILNet .cmil.mil (CENTRIXS) connects through CDCIs to the KOR VSE and down to a Client Command (e.g., Osan). System Component View (right): the DESP reaches the enclave over a DISN Link into the ENI of the DNEG; the PNSP over a Partner Link into the PNI of the DNEG; the CDSP over a Cross-Domain Link through a CDCI. Inside the enclave, the DNN within the NDSN joins the CNI (toward the CSP) and the ANI (toward the ASP).]
Acronyms
ASP – Application Service Point
ANI – Application Network Interface
CNI – Client Network Interface
CDCI – Cross-Domain Controlled Interface
CDSP – Cross-Domain Service Point
CSP – Customer Service Point
DESP – Defense Enterprise Service Point
DNEG – Dedicated Network Enclave Gateway
DNN – Domain Network Node
ENI – Enterprise Network Interface
NDSN – Network Domain Service Node
NSP – Network Service Point
PNI – Partner Network Interface
PNSP – Partner Network Service Point
52
GIG 3.0 Interface, Enclave and Service Point Definitions
• ASP – Application Service Point
  – Server suite and software that provides application programs to the user.
  – Examples: Microsoft Exchange Server, Apache Web Server
• ANI – Application Network Interface
  – Network router or switch that connects the ASP to the network
• AVE – Agile Virtual Enclave
  – IPSec-based Virtual Private Network (VPN) that provides robust protection of an information sharing enclave across the enterprise. Each CENTRIXS network can be implemented on the same network infrastructure using AVEs.
• CNI – Client Network Interface
  – VSE IPSec crypto and network router or switch that connects the ASP to the Client VPN. It is the ASP interface for the MECs.
• CDCI – Cross-Domain Controlled Interface
  – High assurance filter and guard that provides for a controlled transfer of information between enclaves (e.g., between CENTRIXS-KOR and CENTRIXS-UNCK)
• CDSP – Cross-Domain Service Point
  – Relative to one enclave (e.g., CENTRIXS-KOR), the service point providing information from another domain (e.g., CENTRIXS-UNCK)
  – Examples: Trusted Network Environment (TNE), Joint Cross Domain Exchange System (JCDX).
• CSP – Customer Service Point
  – Client point of presence to the network. Best serviced by a single MEC. Today CSPs consist of multiple client computers, each dedicated to a single networked enclave.
  – In this context CSPs are serviced by MECs.
• DNDG – Dedicated Network Domain Gateway
  – Generic reference to the set of DNEGs that form the perimeter of an OND.
• DESP – Defense Enterprise Service Point
  – ASP(s) that are in the DISN external to the OND.
  – Examples: DISA DECC, Air Force NOSC.
• DNEG – Dedicated Network Enclave Gateway
  – Controlled interfaces with firewalls (access control system, information protection system) that separate selected network services and activities between the external networks (e.g., DISN or coalition partner) and the OND.
  – Contains ENIs and PNIs.
• DNN – Domain Network Node
  – Router / switch with control and monitoring that interconnects sites, interfaces, network assets, clients, servers and network checkpoints across the GIG 3.0 infrastructure.
• ENI – Enterprise Network Interface
  – VSE IPSec crypto, firewall (access control system, information protection system) and network router or switch that connects the DESP to the OND VSE.
• NDSN – Network Domain Service Node
  – Major node on the OND that includes the ANI, DNN and/or CNI providing information capability to the OND.
• NSP – Network Service Point
  – Point of presence for monitoring, control, configuration and maintenance of network devices.
• OND – Operational Network Domain
  – Network infrastructure bounded by a perimeter of DNDGs that contains VSEs.
• PNI – Partner Network Interface
  – High assurance filter and guard that provides for a controlled transfer of information between the USA's partner network (e.g., CENTRIXS) and the coalition partner's ASP – called a PNSP.
• PNSP – Partner Network Service Point
  – Server suite and/or network interface owned and operated by a coalition partner designated to provide information services to the USA enclave (e.g., CENTRIXS).
• VSE – Virtual Secure Enclave
  – Specific instantiation of an AVE within an OND or for situations when a higher assurance protected network domain is needed within a less trusted network.
  – A VSE is an AVE aligned within an OND guarded by a controlled interface (DNEG).
53
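The definitions above prescribe which interface must sit on each boundary of a VSE: a CDCI between two enclaves (e.g., CENTRIXS-KOR and CENTRIXS-UNCK), an ENI in the DNEG toward a DESP on the DISN, and a PNI in the DNEG toward a partner's PNSP. As an added example, not part of this brief or of any PACOM system, the following Python models one CENTRIXS-KOR enclave as a graph of the component kinds defined above and checks that every path from a client to a remote service point crosses its boundary at the prescribed guard. The node names, links, enclave classes and the rule table are assumptions made for illustration; a second topology adds a direct router link between the KOR and UNCK DNNs to show the check catching a CDCI bypass.

```python
"""Controlled-interface check over a small GIG 3.0 topology model.

Added example, not from the PACOM brief. The interface kinds (CDCI, ENI,
PNI, ...) follow the brief's definitions; node names, links and the
enclave classes are assumed for illustration.
"""
from collections import defaultdict
from dataclasses import dataclass

# Assumed enclave classes: U.S. VSEs inside the OND, the DISN enterprise
# side, and a coalition partner's own network.
ENCLAVE_CLASS = {
    "CENTRIXS-KOR": "us",
    "CENTRIXS-UNCK": "us",
    "DISN": "enterprise",
    "ROK": "partner",
}

# Boundary (set of enclave classes) -> interface kind that must be an
# endpoint of every link crossing it.
REQUIRED_GUARD = {
    frozenset({"us"}): "CDCI",               # VSE <-> VSE, e.g. KOR <-> UNCK
    frozenset({"us", "enterprise"}): "ENI",  # VSE <-> DESP on the DISN
    frozenset({"us", "partner"}): "PNI",     # VSE <-> partner PNSP
}


@dataclass(frozen=True)
class Node:
    name: str
    kind: str     # ASP, ANI, CNI, CSP, DNN, ENI, PNI, CDCI, CDSP, DESP, PNSP
    enclave: str  # key of ENCLAVE_CLASS


class Topology:
    def __init__(self):
        self.nodes = {}
        self.adj = defaultdict(set)

    def add(self, name, kind, enclave):
        self.nodes[name] = Node(name, kind, enclave)

    def link(self, a, b):
        self.adj[a].add(b)
        self.adj[b].add(a)

    def simple_paths(self, src, dst):
        """All loop-free paths from src to dst (DFS; the model is tiny)."""
        stack = [(src, [src])]
        while stack:
            cur, path = stack.pop()
            if cur == dst:
                yield path
                continue
            for nxt in sorted(self.adj[cur]):
                if nxt not in path:
                    stack.append((nxt, path + [nxt]))


def check_flow(topo, src, dst):
    """Return (path, reason) for each path whose boundary crossing is not
    anchored on the prescribed guard; an empty list means compliant."""
    violations = []
    for path in topo.simple_paths(src, dst):
        for a, b in zip(path, path[1:]):
            na, nb = topo.nodes[a], topo.nodes[b]
            if na.enclave == nb.enclave:
                continue
            key = frozenset({ENCLAVE_CLASS[na.enclave], ENCLAVE_CLASS[nb.enclave]})
            guard = REQUIRED_GUARD.get(key)
            if guard is None:
                violations.append((path, f"{a}->{b}: no controlled interface defined"))
                break
            if guard not in (na.kind, nb.kind):
                violations.append((path, f"{a}->{b}: crosses {na.enclave}/{nb.enclave} without a {guard}"))
                break
    return violations


def build_reference():
    """Assumed CENTRIXS-KOR enclave at Osan, laid out like the brief's
    System Component View: CSP/CNI and ASP/ANI joined by the DNN, with
    ENI and PNI in the DNEG and a CDSP/CDCI pair toward CENTRIXS-UNCK."""
    t = Topology()
    for name, kind in [("csp_osan", "CSP"), ("cni_osan", "CNI"), ("dnn_kor", "DNN"),
                       ("ani_kor", "ANI"), ("asp_kor", "ASP"), ("cdsp_kor", "CDSP"),
                       ("cdci_kor_unck", "CDCI"), ("eni_kor", "ENI"), ("pni_kor", "PNI")]:
        t.add(name, kind, "CENTRIXS-KOR")
    t.add("dnn_unck", "DNN", "CENTRIXS-UNCK")
    t.add("asp_unck", "ASP", "CENTRIXS-UNCK")
    t.add("desp", "DESP", "DISN")
    t.add("pnsp_rok", "PNSP", "ROK")
    for a, b in [("csp_osan", "cni_osan"), ("cni_osan", "dnn_kor"),
                 ("dnn_kor", "ani_kor"), ("ani_kor", "asp_kor"),
                 ("dnn_kor", "cdsp_kor"), ("cdsp_kor", "cdci_kor_unck"),
                 ("cdci_kor_unck", "dnn_unck"), ("dnn_unck", "asp_unck"),
                 ("dnn_kor", "eni_kor"), ("eni_kor", "desp"),
                 ("dnn_kor", "pni_kor"), ("pni_kor", "pnsp_rok")]:
        t.link(a, b)
    return t


def build_bypass():
    """Same enclave plus one misconfiguration: a router-to-router link
    joining the KOR and UNCK DNNs directly, skipping the CDCI."""
    t = build_reference()
    t.link("dnn_kor", "dnn_unck")
    return t


if __name__ == "__main__":
    for label, topo in [("reference", build_reference()), ("bypass", build_bypass())]:
        for src, dst in [("csp_osan", "asp_unck"), ("csp_osan", "desp"), ("csp_osan", "pnsp_rok")]:
            bad = check_flow(topo, src, dst)
            print(f"{label:9} {src} -> {dst}: {'OK' if not bad else bad[0][1]}")
```

The check is applied to each crossing link rather than to the path as a whole, so a guard that exists somewhere in the enclave but is not the endpoint of the crossing still counts as a violation; that matches the brief's placement of the ENI and PNI on the DNEG perimeter and the CDCI at the enclave-to-enclave seam. Running the block reports OK for the three reference flows and flags the direct dnn_kor->dnn_unck link in the bypass topology while leaving the DISN and partner flows compliant.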
USFK Geo Depiction of the CENTRIXS-KOR VSE
[Figure: map of the CENTRIXS-KOR VSE across USFK sites; no text recoverable.]
55
USFK Geo Depiction of the Korea Theater Black Core
[Figure: map of the Korea Theater black core, the Common Mission Network Transport (CMNT); no further text recoverable.]
56
Example Korea System Topology
[Figure: Camp Casey, Osan, Camp Humphreys, Kunsan, Yongsan, Camp Walker and Chinhae attached to the Common Mission Network Transport (CMNT), the DISN Edge Transport Services (DETS) "Black Core". REL KOR enclaves at the sites, one REL UNCK enclave, a ROK PNSP marked REL KOR, and AUS, BEL, CAN and ROK PNSPs.]
57
DISN Edge Transport Services "black core"
[Figure: the Korea topology of the previous slide with the DETS "Black Core" transport (CMNT) highlighted beneath the REL KOR and REL UNCK enclaves and the AUS, BEL, CAN and ROK PNSPs.]
58
GIG 3.0 CMILNet / SMILNet / MILNet "brown core"
[Figure: the same Korea topology with the CMILNet / SMILNet / MILNet "brown core" highlighted over the DETS "Black Core"; REL KOR and REL UNCK enclaves and the AUS, BEL, CAN and ROK PNSPs as before.]
59
CENTRIXS-KOR
[Figure: the same Korea topology with the CENTRIXS-KOR (REL KOR) enclaves at Camp Casey, Osan, Camp Humphreys, Kunsan, Yongsan, Camp Walker and Chinhae highlighted, together with the ROK PNSP marked REL KOR, all over the DETS "Black Core".]
60
CENTRIXS-UNCK
[Figure: the same Korea topology with the CENTRIXS-UNCK (REL UNCK) enclave and the AUS, BEL, CAN and ROK PNSPs highlighted over the DETS "Black Core".]
61
GIG 3.0 Interface Components
Internal to a single security enclave

[Diagram in two views. System Component View: DISN Link (DESP), Partner Link (PNSP) and Cross-Domain Link (CDSP) terminate at the DNEG, which carries the ENI, PNI and CDCI; behind it the DNN and NDSN connect to the ASP, ANI, CNI and CSP. Block Diagram View (labelled "For Governance"): the same elements arranged as PNSP/PNI, DNEG, CDCI, DESP/ENI, DNN/NSP, NDSN, ANI/ASP and CNI/CSP.]

Acronyms
ASP – Application Service Point
ANI – Application Network Interface
CNI – Client Network Interface
CDCI – Cross-Domain Controlled Interface
CDSP – Cross-Domain Service Point
CSP – Customer Service Point
DESP – Defense Enterprise Service Point
DNEG – Dedicated Network Enclave Gateway
DNN – Domain Network Node
ENI – Enterprise Network Interface
NDSN – Network Domain Service Node
NSP – Network Service Point
PNI – Partner Network Interface
PNSP – Partner Network Service Point
GIG 3.0 Network Layers

[Diagram: five PACOM network layers, each an Agile Virtual Enclave (AVE) stacked over common transport, shown alongside the same layering for the other combatant commands (TRANSCOM, STRATCOM, NORTHCOM, SOUTHCOM, CENTCOM, SOCOM, AFRICOM, JFCOM, EUCOM):
  1  PACOM Internet   – UNCLAS Internet Enclave (.net / .org)
  2  PACOM NIPRNET    – UNCLAS USA "NIPRNet" AVE
  3  PACOM SIPRNET    – SECRET//USA Only "SIPRNet" AVE
  4  PACOM REL ACGU   – SECRET//REL ACGU AVE
  5  PACOM REL ...    – SECRET//REL AC AVE
The unclassified enclaves ride MILNET .mil, the "unclassified brown core"; the SECRET enclaves ride CMILNET, the "classified brown core", with the .smil.mil and .cmil.mil domains shown under the SIPRNet and REL enclaves respectively. PACOM MEC, PACOM VSEs and PACOM OND are drawn against the layers. Separation between layers: Type 1 separation (e.g., HAIPE); "Type 2" separation (e.g., IPSec); "Type 3" separation (e.g., Firewall & TLS/SSL). All layers sit on DISN Edge Transport Services (DETS) / Common Mission Network Transport (CMNT), the "black core", over Global Cyberspace Telecommunications Transport.]

Acronyms
AVE – Agile Virtual Enclave
DETS – DISN Edge Transport Service
HAIPE – High Assurance IP Encryption
IP – Internet Protocol
IPSec – IP Security
MEC – Multi Enclave Client
OND – Operational Network Domain
SSL – Secure Socket Layer
TLS – Transport Layer Security
VSE – Virtual Secure Enclave
GIG 3.0
VPN Enclave Control & User Client Cases

Mr. Randy Cieslak
CIO
U.S. Pacific Command
25 October 2010

This brief is classified: UNCLASSIFIED
CMILNet VPN and Client Components for Enclave Protection

Virtual Private Networks (VPNs)
    • Transport VPN (Type 1 / HAIPE)
    • Transit VPN
    • Protected Internodal Network
    • Client Service VPN
User Client Workstations (UCWS)
    • Common Conventional
    • Virtual Secure Enclave (VSE) Enabled
    • Agile Trusted Multi Enclave (ATME)
CMILNet VPN and Client Services

[Diagram: NIPRNET, SIPRNET and a Service Unique Network each sit behind a Transit IPSec VPN carried over a Transport HAIPE VPN. Routers (R) and HUBs in the Operational Network Domain join Transport HAIPE VPNs, Transit IPSec VPNs, PIN IPSec VPNs and Client Svc / Client IPSec VPNs down to three client classes: Common Conventional Clients, VSE-Enabled Clients (IPSec Enabled) and ATME-Enabled Clients (e.g., NetTop 2.2, HAP).]
CMILNet In Action: Transport Encryption

[Same diagram as "CMILNet VPN and Client Services", presented for the Transport HAIPE VPN layer.]
CMILNet In Action: Transit VPNs

[Same diagram as "CMILNet VPN and Client Services", presented for the Transit IPSec VPN layer. Callout: These are "backside" connections that interconnect servers and network gateways.]
CMILNet In Action: Protected Inter-nodal Networks (PIN) VPNs

[Same diagram as "CMILNet VPN and Client Services", presented for the PIN IPSec VPN layer.]
CMILNet In Action: Client Services VPNs

[Diagram: NIPRNET, SIPRNET and a Service Unique Network each reach the Operational Network Domain through a Transit IPSec VPN carried over a Transport HAIPE VPN. Inside the domain, PIN IPSec VPNs link the routers (R) and HUBs, and Client Service IPSec VPNs terminate on the clients. Client types: Common Conventional Clients, VSE-Enabled Clients (IPSec Enabled), ATME-Enabled Clients (e.g., NetTop 2.2, HAP)]
OND Network Operations

[Diagram: the same CMILNet enclave topology (NIPRNET, SIPRNET and Service Unique Network over Transit IPSec VPN / Transport HAIPE VPN; PIN and Client Service IPSec VPNs; routers, HUBs; Common Conventional, VSE-Enabled and ATME-Enabled clients) with a Network Operations Center and an Application Service Center attached. The NOC holds the Common Operational Picture, where risk vs. capability vs. performance vs. resource decisions are made, and drives Dynamic Computer Network Defense and Quality of Service from four inputs: UTILITY, PRIORITY, CAPACITY, RISK LEVEL]
Questions?

[Backup diagram: Network Operations & Security Center. NIPR SVC-unique, SIPR SVC-unique and IC networks enter through per-network gateways (DNGW NIPR, DNGW SIPR, DNGW IC); the Common Operational Picture (UTILITY, PRIORITY, CAPACITY, RISK LEVEL) feeds Dynamic Computer Network Defense and Quality of Service. Enclaves: NIPRNET, SIPRNET, Coalition C2, IC. A Cross Domain Gateway and a Data Center sit on one side; Multi-Enclave Clients at an AVE-Enabled End User Site behind a HUB sit on the other. The Operational Network Domain gives control of risks / capabilities / performance / resources]
Agile Virtual Enclaves (AVE) Version 1.2 / 1.3
"Multi Enclave Client" (MEC)

Randy Cieslak, Chief Information Officer
Jim Fordice, Referentia, Inc.

29 June 2010

This brief is classified: UNCLASSIFIED
This presentation and individual slides contain privileged information. Any unauthorized disclosure, distribution, alteration or dissemination of the contents of this information for monetary gain is prohibited.
How We Build Networks in Cyberspace Today

[Diagram: one exasperated user ("?@#?!") facing a separate physical path per network: firewalls (FW) in front of the Sensitive Unclassified Networks, and a stack of KG link encryptors in front of each of Secret NOFORN, Secret for Allies, and SCI & SPECATs]
Multi Enclave Clients

[Diagram: the Network Operations & Security Center view (NIPR SVC-unique, SIPR SVC-unique and IC through DNGW NIPR / DNGW SIPR / DNGW IC; Common Operational Picture with UTILITY, PRIORITY, CAPACITY, RISK LEVEL; Dynamic Computer Network Defense; Quality of Service; NIPRNET, SIPRNET, Coalition C2 and IC enclaves; Cross Domain Gateway; Data Center), here emphasizing the Multi Enclave Clients at the AVE-Enabled End User Site behind a HUB, with the Operational Network Domain giving control of risks / capabilities / performance / resources]
MEC Candidates Assessed

  Solution Candidate                      Performance Score   Key Characteristic
  Multi-Level Thin Client (MLTC) 3.0             10           Dedicated Infrastructure
  DoDIIS Trusted Workstation (DTW) 4.0           17           Dedicated Infrastructure
  Network on a Desktop (NetTop)                  29           Modular / Single-Wire
  Secure Office Thin Client (SOTTC)              26           Dedicated Infrastructure
  Trusted Multi-Net (TMN)                        22           Dedicated Infrastructure
  High Assurance Platform (HAP)                  37           Multi-Wire
  Trusted Virtual Environment (TVE)              29           Multi-Wire

• Dedicated Infrastructure normally means single vendor and often proprietary.
• Multi-Wire means that each network enclave requires its own physical network link.
• Modular / Single-Wire means standards-based: as long as COTS or GOTS products meet the standard and are tested (UCDMO baseline), they can be used.
MEC Candidate Selected

  Solution Candidate               Performance Score   Key Characteristics
  Network on a Desktop (NetTop)           29           Modular / Single-Wire

[Diagram: MEC Terminal chain, ACE terminal → Managed Switch → VPN Concentrator → Firewall → Citrix Server, fanning out to Network A and Network B]

• MEC Terminal: NetTop 1.3.2 (Version 2.2 under NSA review)
• Managed Switch: Cisco Catalyst 2960
• VPN Concentrator: Cisco ASA 5510
• Firewall: McAfee Sidewinder 410F
• Terminal Services Server: Citrix
MEC User Terminal View – AVE 1.2

AVE 1.2 is based on NetTop 1.3.2

[Diagram: one terminal split into a CLASSIFIED side (windows K, J, VSE and SIPR, reaching the classified networks CENTRIXS (J, K), SIPR and VSE) and an UNCLASSIFIED side (NIPR and Internet windows, reaching the unclassified networks NIPR and the Internet)]
MEC based on AVE 1.2 On The UCDMO Baseline

Cross Domain Baseline V 3.4.0, 18 June 2010
MEC User Terminal View – AVE 1.3

AVE 1.3 is based on NetTop 2.2

[Diagram: the same terminal view as AVE 1.2 (classified side: CENTRIXS (J, K), SIPR, VSE; unclassified side: NIPR, Internet)]

Agile Virtual Enclave (AVE)
• Includes a second wire for unclassified enclaves
• Implemented at USPACOM HQ
    AVE Certification & Accreditation

• AVE 1.2 (COMTHIRDFLT)
   – DSAWG approved ATC
   – Navy ODAA approved ATO
   – Approved for UCDMO Baseline v3.4.0 update - June 2010

• AVE 1.3 (HQ USPACOM)
   – Demo approved by DSAWG
   – USPACOM DAA approved IATT
   – NSA has completed AVE 1.3 CT&E
       • Evaluating results of NSA testing
   – Next step is CDTAB/DSAWG to approve use of the technology
   – Long term plan is to submit for UCDMO Baseline




         This presentation and individual slides contain privileged information. Any unauthorized disclosure, distribution,
                  alteration or dissemination of the contents of this information for monetary gain is prohibited.            81
Underlying Virtual Machines (AVE 1.3)

[Diagram: an AVE MEC (ACE) terminal hosting one virtual machine per community of interest (COI 1, COI 2, … COI N), each VM behind its own VPN. The classified COI VMs share NIC 1 (Classified Connection); the unclassified COI VMs share NIC 2 (Unclassified Connection)]
Enclaves for the USPACOM MEC

  Network   Start Menu Name   Classification Marking
  USA       USA Thick         SECRET
  ACGU      ACGU Thin         SECRET//REL ACGU
  JPN       JPN Thin          SECRET//REL JPN
  JPN       JPN Thick         SECRET//REL JPN
  KOR       KOR Thin          SECRET//REL KOR
  SIPR      SIPR Thick        SECRET
  GCTF      GCTF Thin         SECRET//REL GCTF
  VSE       SIPR VSE Thin     SECRET
  APAN      APAN              UNCLASSIFIED
  CMFP      CMFP Thin         SECRET//REL CMFP
  FVEY      FVEY Thin         SECRET//REL FVEY
  NIPR      NIPR Thin         NIPRNET UNCLASSIFIED//FOUO
  SGP       SGP Thin          SECRET//REL SGP
  UNCK      UNCK Thin         SECRET//REL UNCK

14 Virtual Machines:
• 2 UNCLAS, 12 SECRET
• 4 Thick, 10 Thin
Multi-Enclave Clients

[Diagram: repeat of the Network Operations & Security Center / Multi Enclave Clients view shown earlier in this deck]
GIG 3.0 Design Approach

Randy Cieslak
U.S. Pacific Command
Chief Information Officer
19 November 2010
Confluence of Concerns & Solutions (1 of 2)
• CONCERN 1
    – We need to use the same infrastructure to create network enclaves to replace the expensive and cumbersome CENTRIXS networks
        • SOLUTION: Agile Coalition Environment / Adaptive Cyber Environment (ACE)
• CONCERN 2
    – We need to create defendable network enclaves to fight through cyber attacks that have left our main networks vulnerable
        • SOLUTION: Computer Aided Network Defense in Depth (CANDID)
• CONCERN 3
    – We need to create network zones that will permit operational commanders to manage their own risk to their own mission
        • SOLUTION: Cyber Joint Operational Area (JOA) formed by Operational Network Domains (OND)
• CONCERN 4
    – We need tactics, techniques and procedures to surveil, control and operate this new network environment
        • SOLUTION: Joint Cyber Operations (JCO) Joint Test & Evaluation (JT&E)

Confluence of Concerns & Solutions (2 of 2)
• CONCERN 5
    – We need a means to safely and securely move authorized information between enclaves and a simple way to access enclaves not normally used
        • SOLUTION: Combined Enterprise Regional Information Exchange System (CENTRIXS) Cross Enclave Requirement (CCER)
• CONCERN 6
    – We need to understand and display network and information system activities, determine the associated mission risk and provide associated decision support displays
        • SOLUTION: Joint Warfighting Integrated Network Operations (NETOPS) (JWIN) Joint Capability Technology Demonstration (JCTD)
• CONCERN 7
    – We need to take advantage of current and planned network initiatives that "almost" take advantage of modern network technology methods and steer them to an effective, coherent, consistent overarching approach.
        • SOLUTION: Asia-Pacific Intelligence Network (APIN)
Integrating the Solutions: "GIG 3.0"

[Diagram: the seven solutions feeding the Global Information Grid Version 3.0 ("GIG 3.0")]
• ACE: Agile Coalition Environment / Adaptive Cyber Environment
• CANDID JCTD: Computer-Aided Networked Defense-In-Depth
• Cyber JOA: Operational Network Domains (OND)
• JCO JT&E: Operational Network Domains (OND)
• CCER: CENTRIXS Cross Enclave Requirement
• JWIN: Joint Warfighting Integrated Network Operations (NETOPS)
• APIN: Asia-Pacific Intelligence Network

[Second version of the same diagram adds an Exercise Schedule laid out by quarter (Q1 to Q4) across FY11 and FY12: TF11 and VS11 during FY11, TF12 and VS12 during FY12]
    Building GIG 3.0 – A Two-Phase Approach
    Phases to be done concurrently
• Phase 1: Build an agile information infrastructure that:
   – Compartmentalizes the network to enforce information
     protection and control policies
   – Compartmentalizes the network to separate risk-postures
     between the enterprise and the commander’s mission area
   – Leverages and reuses common infrastructure to support
     compartmentalization
   – Provides controlled interfaces into and between the
     compartments
   – Provides access controls and minimizes customer service
     points
• Phase 2: Control, instrument and conceal the network to:
   – Monitor and control the interfaces for optimal performance
   – Detect sources of intrusion and react accordingly
   – Determine and display the level of associated risk to the mission
   – Posture network appearance to maintain information dominance
Phase 1: Agile, Compartmented Information Infrastructure

Primary Design Driver – Agile Virtual Enclaves (AVE), adopted from ACE

[Diagram: one AVE each for NIPRNET, Intranets, Internet, SIPRNET, CENTRIXS-ABC and CENTRIXS-XYZ, built on common infrastructure]

IPSec provides sufficient strength of separation, but classified networks need a protected environment.

Associated Projects / Efforts – AVE:
• IPSec – Internet Protocol Security
• IPv6 – Internet Protocol Version 6
• IKE – Internet Key Exchange
• Naming convention
• IP Addressing
• DSCP – Differentiated Services Code Point
• DNS – Domain Name System
• DNN – Domain Network Node

This design feature technologically enforces information classification, release, exposure and disclosure policies.
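What "IPSec provides sufficient strength of separation" means in practice is a security policy database that only ever releases a packet onto one enclave's security association and, on receipt, rejects anything that did not arrive on the SA its inner addresses require. The Python below is an added example written for this page, not part of the AVE design or of any IPsec implementation; the address plan (10.10/16 standing in for CENTRIXS-ABC, 10.20/16 for CENTRIXS-XYZ), the SA names and the `Packet` fields are assumptions, and the logic follows the RFC 4301 model of SPD lookup plus the inbound selector check rather than any product's configuration.

```python
"""Constructed example: enclave separation as IPsec SPD/SA checks (RFC 4301 model).

Addresses, SA names and the Packet shape are assumptions for illustration.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

PROTECT, BYPASS, DISCARD, ACCEPT = "protect", "bypass", "discard", "accept"


@dataclass(frozen=True)
class SpdEntry:
    local: str        # local selector (prefix)
    remote: str       # remote selector (prefix)
    action: str       # PROTECT, BYPASS or DISCARD
    sa: str = None    # SA name when action is PROTECT


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    sa: str = None    # SA the packet arrived on; None means it arrived in the clear


# Assumed address plan: one prefix per AVE. Each entry maps its own prefix to
# its own SA only; nothing bridges the ABC and XYZ enclaves.
SPD = [
    SpdEntry("10.10.0.0/16", "10.10.0.0/16", PROTECT, sa="ave-centrixs-abc"),
    SpdEntry("10.20.0.0/16", "10.20.0.0/16", PROTECT, sa="ave-centrixs-xyz"),
]

DEFAULT = SpdEntry("0.0.0.0/0", "0.0.0.0/0", DISCARD)   # no match: fail closed


def lookup(spd, local, remote):
    """First-match SPD lookup on (local, remote) selectors; no match is DISCARD."""
    loc, rem = ip_address(local), ip_address(remote)
    for entry in spd:
        if loc in ip_network(entry.local) and rem in ip_network(entry.remote):
            return entry
    return DEFAULT


def outbound(spd, pkt):
    """Decide what happens to a packet leaving a host: which SA, if any, carries it."""
    entry = lookup(spd, pkt.src, pkt.dst)
    return entry.action, entry.sa


def inbound(spd, pkt):
    """After decapsulation, require that the SA the packet arrived on is the one
    policy demands for its inner selectors (the RFC 4301 inbound check).

    This is what stops a packet injected on enclave XYZ's tunnel from being
    delivered as if it came from enclave ABC, and what stops cleartext spoofing
    of enclave addresses on the shared transport.
    """
    entry = lookup(spd, pkt.dst, pkt.src)   # inbound: local is the destination
    if entry.action == DISCARD:
        return DISCARD
    if entry.action == BYPASS:
        return ACCEPT if pkt.sa is None else DISCARD
    if pkt.sa is None:                      # protection required, arrived in the clear
        return DISCARD
    if pkt.sa != entry.sa:                  # arrived on another enclave's SA
        return DISCARD
    return ACCEPT
```

The separation rests on two things the code makes explicit: the default entry is DISCARD rather than BYPASS, and the inbound side checks the SA against the inner selectors rather than trusting that decryption succeeded. Drop either and two AVEs sharing one wire stop being separate enclaves.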
Foundation for the AVEs:
Defense Information Systems Network (DISN) Common Mission Network Transport (CMNT) Internet Protocol (IP)-Based Telecommunication Services

[Diagram: the NIPRNET, Intranets, Internet, SIPRNET, CENTRIXS-ABC and CENTRIXS-XYZ AVEs all riding on the Common Mission Network Transport (CMNT) "black core"]

• Provides the wide area network to deploy and extend AVEs worldwide.
• Employs an MPLS separate from SIPRNET, NIPRNET and JWICS.
• AVEs drive the design requirements of the CMNT.
• Provides both QoS and VPNs.
• Because it forms the foundation or core of the network and almost all traffic on it is encrypted, it is referred to as a "black core".

Associated Projects / Efforts – CMNT (black core):
• CMNT – Common Mission Network Transport
• MPLS – Multiprotocol Label Switching
• HAIPE – High Assurance Internet Protocol Encryptor
• IPv6
• Naming convention
• IP Addressing
• DNS
• DNN
Employing both rigid transport security (TRANSEC) (“black traffic”) and enclave security (“brown traffic”):
•   Exposed data is “red”
•   Encrypted data is “black”
•   Traffic that is decrypted at the black core is “red” to the black core, but still “black” to the customer service point.
•   Hence the Agile Virtual Enclaves are a combination of red and black, or “brown.”
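The red/black/brown colouring above follows from two independent encryption layers: the enclave layer (IPsec, keyed by the AVE) and the transport layer (HAIPE, keyed by the CMNT). The following added example models that layering so the colour of a packet can be computed at each hop from which layers are still on it. It is not code from the brief or from any DISN program; the cipher is an illustrative HMAC-SHA256 keystream standing in for IPsec and HAIPE, and the hop names, keys and sample message are constructed.

```python
"""Layered red/black/brown traffic model (added example, not from the brief)."""
import hashlib
import hmac
import os
from dataclasses import dataclass

ENCLAVE, TRANSPORT = "enclave", "transport"


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """HMAC-SHA256 in counter mode: an illustrative keystream, not IPsec or HAIPE."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def _xor(data: bytes, key: bytes, nonce: bytes) -> bytes:
    return bytes(a ^ b for a, b in zip(data, _keystream(key, nonce, len(data))))


@dataclass(frozen=True)
class Packet:
    body: bytes            # bytes on the wire after the layers below were applied
    layers: tuple = ()     # encryption layers still applied, innermost first
    nonces: tuple = ()     # nonce used by each layer, same order


def wrap(pkt: Packet, layer: str, key: bytes) -> Packet:
    """A gateway applies one encryption layer on the way out."""
    nonce = os.urandom(12)
    return Packet(_xor(pkt.body, key, nonce), pkt.layers + (layer,), pkt.nonces + (nonce,))


def unwrap(pkt: Packet, layer: str, key: bytes) -> Packet:
    """A gateway removes the outermost layer; it can only peel the layer it owns."""
    if not pkt.layers or pkt.layers[-1] != layer:
        outer = pkt.layers[-1] if pkt.layers else "none"
        raise ValueError(f"outermost layer is {outer}, not {layer}")
    return Packet(_xor(pkt.body, key, pkt.nonces[-1]), pkt.layers[:-1], pkt.nonces[:-1])


def color(pkt: Packet, observer: str) -> str:
    """Colour as one party sees it: 'black' if the layer that party relies on is
    present, 'red' if it is absent.  The black core relies on the transport (HAIPE)
    layer; the customer service point relies on the enclave (IPsec) layer."""
    layer = TRANSPORT if observer == "black_core" else ENCLAVE
    return "black" if layer in pkt.layers else "red"


def overall_color(pkt: Packet) -> str:
    """red = exposed, black = transport layer on, brown = enclave layer only."""
    if TRANSPORT in pkt.layers:
        return "black"
    return "brown" if ENCLAVE in pkt.layers else "red"


def trace(message: bytes, enclave_key: bytes, transport_key: bytes) -> list:
    """Walk one packet from CSP to CSP across an AVE gateway and the CMNT black core.

    Returns one (hop, colour to black core, colour to customer, overall) tuple per
    hop and checks that the far-end CSP recovers the original bytes.
    """
    hops = []
    pkt = Packet(message)

    def note(hop: str) -> None:
        hops.append((hop, color(pkt, "black_core"), color(pkt, "customer"), overall_color(pkt)))

    note("sending CSP")
    pkt = wrap(pkt, ENCLAVE, enclave_key)
    note("AVE IPsec gateway (outbound)")
    pkt = wrap(pkt, TRANSPORT, transport_key)
    note("HAIPE ingress / black core")
    pkt = unwrap(pkt, TRANSPORT, transport_key)
    note("HAIPE egress")
    pkt = unwrap(pkt, ENCLAVE, enclave_key)
    note("AVE IPsec gateway (inbound)")
    note("receiving CSP")
    if pkt.body != message:
        raise RuntimeError("far-end CSP did not recover the original bytes")
    return hops


if __name__ == "__main__":
    # Constructed sample keys and message.
    for hop in trace(b"constructed sample message", b"enclave-key", b"transport-key"):
        print("%-30s core:%-5s customer:%-5s overall:%s" % hop)
```

The hop after HAIPE egress is the one the brief singles out: the black core has removed its own layer (red from its point of view) while the enclave layer is still on (black to the customer), which is exactly the “brown” state. The `unwrap` check also shows why the layering matters operationally: a black-core element holding only the transport key cannot peel the enclave layer, so enclave separation does not depend on trusting the transport.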

AVE Environment “brown core”

[Diagram: UNCLASSIFIED AVEs (NIPRNET, Intranets, Internet) and CLASSIFIED AVEs (SIPRNET, CENTRIXS - ABC, CENTRIXS - XYZ) forming the “brown core”, all riding on the CMNT “black core”]

Associated Projects / Efforts (added on this slide)
  AVE (brown core)
    IPSec – Internet Protocol Security
    IPv6 – Internet Protocol Version 6
    IKE – Internet Key Exchange
    Naming convention
    IP Addressing
    DCSP – Differential Code Service Point
    DNS – Domain Naming Service
    DNN – Domain Network Node
    VSE – Virtual Secure Enclaves
    PINS – Protected Inter-nodal Network
    ENIs – Enterprise Network Interface
    PNIs – Partner Network Interface
    ANIs – Application Network Interface
    CNIs – Client Network Interface
Implement Multi-Enclave Clients (MECs) to access the multiple enclaves from a single Customer Service Point (CSP)

[Diagram: Multi-Enclave Clients (MECs) above the UNCLASSIFIED and CLASSIFIED AVEs of the “brown core”, riding on the CMNT “black core”]

Associated Projects / Efforts (added on this slide)
  MEC
    NetTop – “Network on a Desktop”
For organizations and commands that must operate in multiple security
domains, MECs reduce workstation area, improve information access and
improve maintainability and security through virtualization.
Implement Operational Network Domains (ONDs)
Intra-Enclave Controlled Interfaces To Contain Application and Configuration Risk within a Commander’s Area of Responsibility

[Diagram: each AVE of the “brown core” partitioned into Virtual Secure Enclaves (VSEs), grouped by column into ONDs; MECs above, CMNT “black core” below]

Associated Projects / Efforts (added on this slide)
  OND (Cyber JOA)
    ENIs
    PNIs
    ANIs
    CNIs

Enables “Cyber JOAs.” Solves the “risk assumed by one is a risk assumed by all” dilemma. Allows commanders to take risk against their own mission in their own operational area – as is true for all the other domains.
Implement Cross-Domain Controlled Interfaces (CDCI) to safely move authorized information across security domains

[Diagram: the OND/VSE grid with CDCIs placed between the UNCLASSIFIED and CLASSIFIED AVEs and between the classified AVEs]

Associated Projects / Efforts (added on this slide)
  CDCI – Cross-Domain Controlled Interface
    CCER – CENTRIXS Cross Enclave Req’t

Satisfies the CENTRIXS Cross Enclave Requirement (CCER). Currently done by Trusted Network Environment (TNE).
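The brief states twice what a cross-domain interface must enforce: the AVE design “technologically enforces information classification, release, exposure and disclosure policies”, and a CDCI must “safely move authorized information across security domains”. The following added example shows the minimum decision a CDCI has to make for each object: a label-integrity check, a classification dominance check, and a release check against the nations present on the destination. It is not code from the brief, TNE or any fielded cross-domain system; the enclave table, the partner sets (“A”, “B”, “C”, “X”, “Y”, “Z”) and the sample objects are constructed for illustration.

```python
"""CDCI transfer decision (added example, not from the brief or any CDS product)."""
from dataclasses import dataclass

# Classification ordering used by the dominance check.
LEVELS = {"UNCLASSIFIED": 0, "CONFIDENTIAL": 1, "SECRET": 2, "TOP SECRET": 3}


@dataclass(frozen=True)
class Enclave:
    name: str
    max_level: str       # highest classification the enclave is accredited to hold
    members: frozenset   # nations whose users are present on the enclave


@dataclass(frozen=True)
class Labeled:
    """An object as marked by its originator."""
    name: str
    classification: str
    rel_to: frozenset    # nations the originator has released the object to


# Constructed enclave table; partner sets are placeholders, not real coalitions.
ENCLAVES = {
    "NIPRNET": Enclave("NIPRNET", "UNCLASSIFIED", frozenset({"USA"})),
    "SIPRNET": Enclave("SIPRNET", "SECRET", frozenset({"USA"})),
    "CENTRIXS-ABC": Enclave("CENTRIXS-ABC", "SECRET", frozenset({"USA", "A", "B", "C"})),
    "CENTRIXS-XYZ": Enclave("CENTRIXS-XYZ", "SECRET", frozenset({"USA", "X", "Y", "Z"})),
}


def cdci_decide(obj: Labeled, src: Enclave, dst: Enclave) -> tuple:
    """Return (allowed, reason).  The transfer is allowed only if every rule holds."""
    # Label integrity: an object cannot carry a marking higher than its source enclave
    # is accredited for; such a marking means mislabelling or a spill upstream.
    if LEVELS[obj.classification] > LEVELS[src.max_level]:
        return False, f"{obj.name}: marked {obj.classification}, above {src.name} ({src.max_level})"
    # Classification: the destination must be accredited to hold the object's level
    # (no write-down to a lower enclave without a separate downgrade decision).
    if LEVELS[obj.classification] > LEVELS[dst.max_level]:
        return False, f"{obj.name}: {obj.classification} may not enter {dst.name} ({dst.max_level})"
    # Release / disclosure: every nation present on the destination must be on the
    # originator's release marking, otherwise the move discloses the object to them.
    undisclosable = dst.members - obj.rel_to
    if undisclosable:
        return False, f"{obj.name}: not released to {sorted(undisclosable)} on {dst.name}"
    return True, f"{obj.name}: {src.name} -> {dst.name} permitted"


def run_transfers(requests: list) -> list:
    """Evaluate (object, source, destination) requests and return audit records."""
    records = []
    for obj, src_name, dst_name in requests:
        allowed, reason = cdci_decide(obj, ENCLAVES[src_name], ENCLAVES[dst_name])
        records.append({"object": obj.name, "src": src_name, "dst": dst_name,
                        "decision": "ALLOW" if allowed else "DENY", "reason": reason})
    return records


# Constructed sample objects.
SITREP = Labeled("sitrep", "SECRET", frozenset({"USA", "A", "B", "C"}))
WEATHER = Labeled("weather", "UNCLASSIFIED", frozenset({"USA", "A", "B", "C", "X", "Y", "Z"}))
MISMARKED = Labeled("mismarked", "SECRET", frozenset({"USA"}))

SAMPLE_REQUESTS = [
    (SITREP, "SIPRNET", "CENTRIXS-ABC"),   # ALLOW: SECRET, released to A, B, C
    (SITREP, "SIPRNET", "CENTRIXS-XYZ"),   # DENY: X, Y, Z are not on the release marking
    (SITREP, "SIPRNET", "NIPRNET"),        # DENY: SECRET cannot enter an UNCLASSIFIED enclave
    (WEATHER, "NIPRNET", "CENTRIXS-XYZ"),  # ALLOW: unclassified, released to X, Y, Z
    (MISMARKED, "NIPRNET", "SIPRNET"),     # DENY: SECRET marking on an object from NIPRNET
]

if __name__ == "__main__":
    for rec in run_transfers(SAMPLE_REQUESTS):
        print(f"{rec['decision']:5} {rec['reason']}")
```

The release check is the one that distinguishes a CENTRIXS cross-enclave move from a plain classification check: two enclaves at the same level (CENTRIXS - ABC and CENTRIXS - XYZ) still cannot exchange an object unless its release marking covers every nation on the receiving side. The audit record per request is what the Phase 2 sensors and decision-support feed would consume from a real CDCI.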
GIG 3.0 Building Blocks – Phase 1 Summary

[Diagram: MECs over ONDs of VSEs within the UNCLASSIFIED and CLASSIFIED AVEs (“brown core”), joined by CDCIs, all riding on the CMNT “black core”]

Associated Projects / Efforts
  AVE (brown core)
    IPSec – Internet Protocol Security
    IPv6 – Internet Protocol Version 6
    IKE – Internet Key Exchange
    Naming convention
    IP Addressing
    DCSP – Differential Code Service Point
    DNS – Domain Naming Service
    DNN – Domain Network Node
    VSE – Virtual Secure Enclaves
    PINS – Protected Inter-nodal Network
    ENIs – Enterprise Network Interface
    PNIs – Partner Network Interface
    ANIs – Application Network Interface
    CNIs – Client Network Interface
  CMNT (black core) – Common Msn Net Transport
    MPLS – Multi-Protocol Layered Switching
    HAIPE – High Assurance IP Encryption
    IPv6
    Naming convention
    IP Addressing
    DNS
    DNN
  MEC
    NetTop – “Network on a Desktop”
  OND (Cyber JOA)
    ENIs
    PNIs
    ANIs
    CNIs
  CDCI – Cross-Domain Controlled Interface
    CCER – CENTRIXS Cross Enclave Req’t
Phase 2:
Control, Instrument and Conceal the Information Infrastructure
Instrument the network with sensors at strategic points

[Diagram: the Phase 1 architecture with sensors ((o)) placed at each VSE, at each AVE boundary and at each CDCI, feeding a RISK view]

Feed network awareness system and risk-based decision support systems.
Provide network control and quality of service tools

[Diagram: the instrumented Phase 1 architecture]

Monitor and control traffic precedence based on both Virtual Private Networking and Quality of Service.
Develop concealment tools, techniques and procedures

[Diagram: the Phase 1 architecture (MECs, ONDs of VSEs, CDCIs, “brown core” over “black core”)]

System visibility and access is controlled.
GIG 3.0 Building Blocks – Phase 2 Summary

[Diagram: the instrumented Phase 1 architecture, annotated with the three Phase 2 outcomes: Cyberspace Situation Awareness, Control, Concealment]
GIG 3.0 Design Approach

Questions / Discussion
GIG 3.0 Governance

Mr. Randy Cieslak
CIO

U.S. Pacific Command
25 October 2010

This brief is classified: UNCLASSIFIED
This presentation and individual slides contain privileged information. Any unauthorized disclosure, distribution, alteration or dissemination of the contents of this information for monetary gain is prohibited.
[Diagram: the DISN connecting a COALITION enclave and RESERVED enclaves (A) to a Network Operations Center; an Operational Network Domain reached through a Dedicated Network Domain Gateway and a Dedicated Network Enclave Gateway (DNEG); sites shown as two Conventional Sites, two Agile Virtual Enclave (AVE) Enabled Sites and a Future Agile Virtual Enclave (AVE) Capability]
[Diagram: a Network Operations Center above an Operational Network Domain that spans two Conventional Sites, two Agile Virtual Enclave (AVE) Enabled Sites and a Future Agile Virtual Enclave (AVE) Capability]
[Diagram: the Operational Network Domain with the Network Operations Center placed inside it, alongside the two Conventional Sites, two Agile Virtual Enclave (AVE) Enabled Sites and the Future Agile Virtual Enclave (AVE) Capability]
[Diagram: the same Operational Network Domain with ENCLAVE A, ENCLAVE B and ENCLAVE C running across all sites, and a row of CDS/MDS CONFIGURATIONS beneath them]

CDS/MDS = Cross Domain System / Multi-Domain System
[Diagram: columns for DOD Enterprise, EUCOM OND, CENTCOM OND and PACOM OND; each OND has its own Net Ops Center and three commands (Command A, B, C; Command D, E, F; Command G, H, I); rows for ENCLAVE A, ENCLAVE B, ENCLAVE C, CDS CONFIG and COMMON INFRASTRUCTURE crossing all columns]
[Diagram: the same DOD Enterprise / EUCOM OND / CENTCOM OND / PACOM OND columns; each OND has a Command Risk Authority; on the DOD Enterprise side ENCLAVE A, ENCLAVE B, ENCLAVE C and the CDS CONFIG row each have an Information Domain Control Authority; each OND attaches to each enclave through a DNEG, and the OND-side segments of the enclaves are Virtual Secure Enclaves (VSEs); COMMON INFRASTRUCTURE underneath]
[Diagram: as the previous slide, with each OND’s risk authority now labelled OND Risk Authority; an MOA between each enclave’s Information Domain Control Authority and the ONDs attached to it through the DNEGs, and an ATO for the CDS CONFIG in each OND; Virtual Secure Enclaves (VSEs) on the OND side, COMMON INFRASTRUCTURE underneath]

				