Mr. Walter L. Coley, Jr. JAG/CCM Chair
Transcript of Mr. Walter L. Coley, Jr. JAG/CCM Chair
![Page 1: Mr. Walter L. Coley, Jr. JAG/CCM Chair](https://reader036.fdocuments.us/reader036/viewer/2022062520/568159f0550346895dc738bb/html5/thumbnails/1.jpg)
Effects of restricting ports 20/21 on DoD Networks and Information Transfer Operations
Fall COPC 2007
Mr. Walter L. Coley, Jr., JAG/CCM Chair
![Page 2: Mr. Walter L. Coley, Jr. JAG/CCM Chair](https://reader036.fdocuments.us/reader036/viewer/2022062520/568159f0550346895dc738bb/html5/thumbnails/2.jpg)
Overview
Guidance
Effects
DoC Initiative
Navy Initiative
AFW Initiative
Options
Recommendation
![Page 3: Mr. Walter L. Coley, Jr. JAG/CCM Chair](https://reader036.fdocuments.us/reader036/viewer/2022062520/568159f0550346895dc738bb/html5/thumbnails/3.jpg)
Guidance
All standards are based on NIST guidance
DoC follows NIST
DoD modified to satisfy mission
Use of anonymous protocols is restricted
“Risk accepted by one is accepted by all”
Guidance concerns IPv4
IPv6 guidance is under review
![Page 4: Mr. Walter L. Coley, Jr. JAG/CCM Chair](https://reader036.fdocuments.us/reader036/viewer/2022062520/568159f0550346895dc738bb/html5/thumbnails/4.jpg)
DISA Guidance
FOUO
![Page 5: Mr. Walter L. Coley, Jr. JAG/CCM Chair](https://reader036.fdocuments.us/reader036/viewer/2022062520/568159f0550346895dc738bb/html5/thumbnails/5.jpg)
Guidance (cont.): What the Chart Colors Mean
Guidance from PPS Category Assignments list release 6.8.1 (Aug 2007)
Those PPS designated as Red will be severely restricted.
Those PPS designated as Yellow may be allowed through with specific negotiation and limitations on use.
Acceptance of those PPS designated as Green is generally automatic.
![Page 6: Mr. Walter L. Coley, Jr. JAG/CCM Chair](https://reader036.fdocuments.us/reader036/viewer/2022062520/568159f0550346895dc738bb/html5/thumbnails/6.jpg)
Effects
No more unrestricted data transfer
All traffic is segmented outside VPN
DoD can push and pull data
Non-DoD can only push or pull data within DATMS-U
No more store-and-forward systems
![Page 7: Mr. Walter L. Coley, Jr. JAG/CCM Chair](https://reader036.fdocuments.us/reader036/viewer/2022062520/568159f0550346895dc738bb/html5/thumbnails/7.jpg)
Acceptable Services
Short Term Goal – all sites (6 months)
FTP Ports 20/21 (Conditional)
Session from Enclave DMZ to DoD Network to Enclave DMZ
HTTP (Port 80 for non-DoD only)
HTTPS (TCP) Port 443
Long Term Goal
SFTP (SSH) Port 22 only
HTTPS (TCP) Port 443
HTTP (Port 80 for non-DoD only)
![Page 8: Mr. Walter L. Coley, Jr. JAG/CCM Chair](https://reader036.fdocuments.us/reader036/viewer/2022062520/568159f0550346895dc738bb/html5/thumbnails/8.jpg)
Acceptable Services (cont)
DDM-SSL (TCP) Port 448
FTPS (TCP) Ports 989 (data) / 990 (control) (Army)
Some other proprietary services
SFTP has most utility and economy
DoD can initiate FTP sessions
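The two Acceptable Services slides above keep FTP on ports 20/21 as a conditional exception for six months and then narrow the long-term set to SFTP on 22 and HTTPS on 443. As an added example, not code from the COPC deck or from any of the organisations it names, the Python below audits a plain-FTP control session and scores each connection it implies against those two phases. It shows why an "FTP on 20/21" exception never covers only those two ports: the data channel lands on a port negotiated inside the control channel (the h1,h2,h3,h4,p1,p2 tuple of PORT commands and 227 replies in RFC 959), and the USER/PASS credentials cross TCP/21 in the clear. The `C:`/`S:` transcript format, the sample session and the `ALLOWED_PORTS` tables are constructed here; the tables are an assumption about how the slide bullets map onto an allow/conditional/deny decision.

```python
"""
Added example (not from the COPC 2007 deck): audit a plain-FTP control
session and score its connections against the short-term and long-term
port policy described on the "Acceptable Services" slides.

Assumptions, all constructed for this example: the "C:"/"S:" session log
format, the sample session, and the ALLOWED_PORTS tables, which encode the
slide bullets (FTP 20/21 conditional for 6 months; SFTP 22 and HTTPS 443
afterwards; HTTP 80 for non-DoD only) as a plain lookup.
"""
import re

# Assumed mapping of the slide text onto verdicts: "conditional" stands for
# the Yellow category, "allow" for Green; any port absent here is denied.
ALLOWED_PORTS = {
    "short": {20: "conditional", 21: "conditional", 22: "allow", 443: "allow"},
    "long": {22: "allow", 443: "allow"},
}


def classify_flow(dst_port, phase, src_is_dod):
    """Return 'allow', 'conditional' or 'deny' for a TCP flow to dst_port."""
    if dst_port == 80:
        # "HTTP (Port 80 for non-DoD only)" appears under both goals.
        return "allow" if not src_is_dod else "deny"
    return ALLOWED_PORTS[phase].get(dst_port, "deny")


_HOSTPORT = re.compile(r"(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})")


def decode_hostport(text):
    """Decode the RFC 959 h1,h2,h3,h4,p1,p2 tuple carried by PORT commands
    and 227 (PASV) replies. The port is p1*256 + p2. Returns (ip, port)
    or None when no well-formed tuple is present."""
    m = _HOSTPORT.search(text)
    if not m:
        return None
    h1, h2, h3, h4, p1, p2 = (int(x) for x in m.groups())
    if max(h1, h2, h3, h4, p1, p2) > 255:
        return None
    return f"{h1}.{h2}.{h3}.{h4}", p1 * 256 + p2


def audit_ftp_session(log):
    """Walk a control-channel transcript and collect what a 20/21-only
    firewall exception does not account for: cleartext credentials and the
    data-channel endpoints negotiated inside the control channel."""
    report = {"user": None, "password": None, "anonymous": False, "data_endpoints": []}
    for line in log.splitlines():
        side, _, msg = line.partition(": ")
        if side == "C":
            verb, _, arg = msg.partition(" ")
            verb = verb.upper()
            if verb == "USER":
                report["user"] = arg
                report["anonymous"] = arg.lower() in ("anonymous", "ftp")
            elif verb == "PASS":
                report["password"] = arg  # travels in the clear on TCP/21
            elif verb == "PORT":
                ep = decode_hostport(arg)
                if ep:
                    report["data_endpoints"].append(("active", *ep))
        elif side == "S" and msg.startswith("227"):
            ep = decode_hostport(msg)
            if ep:
                report["data_endpoints"].append(("passive", *ep))
    return report


def score_session(log, phase, src_is_dod=True):
    """Classify the control channel (TCP/21) and every negotiated data channel."""
    report = audit_ftp_session(log)
    verdicts = {"control:21": classify_flow(21, phase, src_is_dod)}
    for mode, ip, port in report["data_endpoints"]:
        verdicts[f"{mode}:{ip}:{port}"] = classify_flow(port, phase, src_is_dod)
    return report, verdicts


# Constructed sample: an anonymous passive-mode pull followed by an
# active-mode push on the same control connection.
SAMPLE_FTP_SESSION = """\
S: 220 ftp.example.mil FTP server ready
C: USER anonymous
S: 331 Please specify the password.
C: PASS guest@example.mil
S: 230 Login successful.
C: PASV
S: 227 Entering Passive Mode (10,1,2,3,195,80)
C: RETR data/forecast.bin
S: 226 Transfer complete
C: PORT 10,9,8,7,4,1
S: 200 PORT command successful
C: STOR data/obs.bin
S: 226 Transfer complete
C: QUIT
"""

if __name__ == "__main__":
    for phase in ("short", "long"):
        rep, verdicts = score_session(SAMPLE_FTP_SESSION, phase)
        who = "anonymous" if rep["anonymous"] else rep["user"]
        print(phase, who, verdicts)
```

Under both phases the negotiated data ports (50000 for the passive pull, 1025 on the client for the active push) score as deny, so an exception written as "TCP/20 and TCP/21" only works if the boundary device also inspects the control channel and opens the negotiated port on the fly. That is the practical reason the deck settles on SFTP: authentication and data share one TCP/22 session, so the DMZ rule is a single port with no control-channel tracking, and the anonymous login the Guidance slide restricts has no cleartext password to harvest.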
![Page 9: Mr. Walter L. Coley, Jr. JAG/CCM Chair](https://reader036.fdocuments.us/reader036/viewer/2022062520/568159f0550346895dc738bb/html5/thumbnails/9.jpg)
Navy Initiative
FNMOC/NAVO are going through site accreditation
Required to secure communication ports and bring the operation in line with DISA/Navy guidance
Sites will use HTTPS and SFTP
![Page 10: Mr. Walter L. Coley, Jr. JAG/CCM Chair](https://reader036.fdocuments.us/reader036/viewer/2022062520/568159f0550346895dc738bb/html5/thumbnails/10.jpg)
DoC Initiative
NWS is moving away from FTP to HTTP(S)-based file transfer.
NWS will support SFTP
Need funding to support encryption
NESDIS uses public keys
NWSTG supports RSA two-factor authentication
![Page 11: Mr. Walter L. Coley, Jr. JAG/CCM Chair](https://reader036.fdocuments.us/reader036/viewer/2022062520/568159f0550346895dc738bb/html5/thumbnails/11.jpg)
Air Force Initiative
Air Force supports SFTP and HTTPS
Systems tuned to work with DMZ
Conversion to data ‘pull’ system
Operational load and timing issues under study
![Page 12: Mr. Walter L. Coley, Jr. JAG/CCM Chair](https://reader036.fdocuments.us/reader036/viewer/2022062520/568159f0550346895dc738bb/html5/thumbnails/12.jpg)
Options
Option 1
Move methodically to secure networks in next 6 months
Can complete HTTPS, but not SFTP without funding
No driver for this or funding supporting rapid transition
Option 2
Continue to incrementally improve infrastructure and document as we go
Can still complete HTTPS in 6 months, limited use of SFTP
Same effect as option 1 but slower and lower risk
Less potentially disruptive to operations
![Page 13: Mr. Walter L. Coley, Jr. JAG/CCM Chair](https://reader036.fdocuments.us/reader036/viewer/2022062520/568159f0550346895dc738bb/html5/thumbnails/13.jpg)
Recommendation
Option 2
Communication uses HTTPS and SFTP; FTP where essential
Convert all communications to work through DMZ where possible in next 6-12 months
Most work is done
All OPC locations continue to support ATO process
![Page 14: Mr. Walter L. Coley, Jr. JAG/CCM Chair](https://reader036.fdocuments.us/reader036/viewer/2022062520/568159f0550346895dc738bb/html5/thumbnails/14.jpg)
Questions?
![Page 15: Mr. Walter L. Coley, Jr. JAG/CCM Chair](https://reader036.fdocuments.us/reader036/viewer/2022062520/568159f0550346895dc738bb/html5/thumbnails/15.jpg)
Background Information
![Page 16: Mr. Walter L. Coley, Jr. JAG/CCM Chair](https://reader036.fdocuments.us/reader036/viewer/2022062520/568159f0550346895dc738bb/html5/thumbnails/16.jpg)
DISA Guidance
![Page 17: Mr. Walter L. Coley, Jr. JAG/CCM Chair](https://reader036.fdocuments.us/reader036/viewer/2022062520/568159f0550346895dc738bb/html5/thumbnails/17.jpg)
Ports Protocols & Services Category Assignment List (PPS CAL) Boundaries for FTP
Diagram: External Network, DoD DMZ, Enclave DMZ, DoD Network, Internal DoD Network, with numbered boundaries between them
DoD Network: NIPRNET, DATMS-U, DREN
Red – PPS CAL Denied/Restricted
Yellow – PPS CAL Conditional
15 – Red; 16 – Yellow
![Page 18: Mr. Walter L. Coley, Jr. JAG/CCM Chair](https://reader036.fdocuments.us/reader036/viewer/2022062520/568159f0550346895dc738bb/html5/thumbnails/18.jpg)
Ports Protocols & Services Category Assignment List (PPS CAL) Boundaries for SFTP
Diagram: External Network, DoD DMZ, Enclave DMZ, Enclave DoD Network, DoD Network, with numbered boundaries between them
DoD Network: NIPRNET, DATMS-U, DREN
Red – PPS CAL Denied/Restricted
Yellow – PPS CAL Conditional
15 – Green; 16 – Yellow
![Page 19: Mr. Walter L. Coley, Jr. JAG/CCM Chair](https://reader036.fdocuments.us/reader036/viewer/2022062520/568159f0550346895dc738bb/html5/thumbnails/19.jpg)
Ports Protocols & Services Category Assignment List (PPS CAL) Boundaries for HTTPS
Diagram: External Network, DoD DMZ, Enclave DMZ, DoD Network, Internal DoD Network, with numbered boundaries between them
DoD Network: NIPRNET, DATMS-U, DREN
Red – PPS CAL Denied/Restricted
Yellow – PPS CAL Conditional
15 – Green; 16 – Green
![Page 20: Mr. Walter L. Coley, Jr. JAG/CCM Chair](https://reader036.fdocuments.us/reader036/viewer/2022062520/568159f0550346895dc738bb/html5/thumbnails/20.jpg)
DMZ Communications
Diagram: AF DMZ, Navy DoD Network DMZ, External Network DMZ