This presentation and individual slides contain privileged information. Any unauthorized disclosure, distribution,
alteration or dissemination of the contents of this information for monetary gain is prohibited.
GIG 3.0 Design Factors
An Architecture Proposal for Aligning NetOps to the Operational Chain of Command
This brief is classified: UNCLASSIFIED
Mr. Randy Cieslak, CIO
U.S. Pacific Command
11 January 2011
Cyberspace Operational Requirements
This brief is classified: UNCLASSIFIED
Brig Gen Brett Williams, Director, C4 Systems Directorate
Mr. Randy Cieslak, Chief Information Officer
U.S. Pacific Command
12 November 2010
Geographic JOAs
Where is the CYBER JOA?
• REQUIREMENT: The JFC must C2 cyberspace operations in the same way he executes C2 in the air, land and maritime domains.
• CONCERNS:
– JFCs lack the architecture, CONOPS, TTP, personnel, training, tools, doctrine and policy for full spectrum cyber operations
– "It's all one big GIG, there is no Cyber JOA."
– The GIG was not built for operations.
– Sensors are not effectively focused on critical C2 services
– Type 1 encryption is not responsive to operational requirements
– Mission-Risk authority in cyberspace is currently held by CYBERCOM and the Services, not the JFC
Cyberspace is the only man-made domain. It can and must be shaped for the JFC to make decisions, direct actions and accept risk in a way that does not affect the rest of the GIG.
GIG 3.0
• GIG 2.0 promised an information advantage to the warfighter.
– It did not address the key issue of "one big GIG"
– It did not align the architecture to the chain of command.
• Components of GIG 3.0:
– Cyber JOA defined by an Operational Network Domain (OND)
– Enclaved architecture to enable defense in depth, information sharing and agility
– Multi-enclave client for efficient information access
– Associated personnel, training, tools and TTP to C2 Cyberspace Operations
Current Architecture
[Figure: the Defense Enterprise (DISN, DISA Enterprise Services, Military Service Enterprise Services) and the Operational Theater (Theater Application Services, hubs with common clients in a single enclave, Command Client Suite). Mission-Risk Authority sits with CYBERCOM/Services; the theater's own authority is marked "?".]
Characteristics of a Cyber JOA
• The Cyber JOA defines the friendly forces operational network domain and is focused on the operate and defend mission.
• The Cyber JOA provides a platform for dynamic network defense and facilitates CNA and CNE.
• The Cyber JOA is defined by the systems and networks critical for Joint Force Command and Control.
• The Cyber JOA is governed by existing doctrine and policy.
• The Cyber JOA allows the commander to:
– Sense the environment
– Make decisions
– Direct operations
– Assume risk
• The Cyber JOA requires CYBERCOM and the services to execute their GIG-wide responsibilities within the JOA.
Defining the JFC's "Cyber JOA"
[Figure: the Defense Enterprise / Operational Theater diagram with an Operational Network Domain drawn around the theater, bounded by a Dedicated Network Domain Gateway (DNDG) controlled interface. Inside the OND the Joint Force Commander is supported and has Mission-Risk authority; for the enterprise CYBERCOM is supported and has Mission-Risk Authority.]
Tenets of an Operational Network
• The network must be Commander Centric
– Commanders balance risk against mission in all domains except cyber
– An operational network addresses this issue by aligning NetOps to the Operational Chain of Command
– The GIG cannot be vulnerable to risk assumed by one commander
– The operational network must accommodate the scheme of maneuver
• Commanders must define the requirements for designing and building the Operational Network
• Commanders must have the authority and responsibility to operate and defend the operational network.
• Supported and supporting roles must be articulated
– Clear delineation between the responsibilities of the service components and the operational commander
– Clear definition of STRATCOM/CYBERCOM's role to support the operational network while they Operate and Defend the GIG
Barriers to Operationalizing the Network
• It's all one big GIG, there are no JOA boundaries in cyberspace
• We are burdened by the costs and policy associated with TYPE 1 encryption, which works against the flexibility, adaptability and robustness needed to accommodate the scheme of maneuver.
• Current culture and doctrine delegate OPCON of all forces except Cyber forces to the Operational Commander. Services and CYBERCOM retain network authority and responsibility.
10 Propositions Regarding Cyberspace Operations (with acknowledgement to Phil Meilinger's 10 Propositions Regarding Air Power)
1. The commander is responsible for cyberspace operations; he must C2 cyber just as he does the air, land and maritime domains.
2. C2 of cyberspace is the foundation for operational C2.
3. There are four lines of operation in cyber: operate, defend, attack and exploit, and defense is the dominant mission.
4. The commander must see and understand cyberspace to defend it, and he cannot defend it all.
5. Cyberspace operations must be fully integrated with operations in the physical domains.
6. Our understanding of non-kinetic effects in cyber is immature.
7. Operational requirements drive cyber architecture, not the other way around.
8. Cyber is the only man-made domain: we built it, we can change it.
9. Operational impact is the relevant information, not the number of megabytes exfiltrated.
10. Networks will always be critical and vulnerable; disconnecting is not an option, we must fight through the attack.
2 Nov 2010
Operationalizing the Network
• It's all one big GIG, there are no JOA boundaries in cyberspace
• We are burdened by the costs and policy associated with TYPE 1 encryption, which works against the flexibility, adaptability and robustness needed to accommodate the scheme of maneuver.
• Current culture and doctrine delegate OPCON of all forces except Cyber forces to the Operational Commander. Services and CYBERCOM retain network authority and responsibility.
Proposed solution: Operational Network Domain (OND)
– Defines the "Commander's Cyberspace JOA"
– Utilizes encryption techniques that give the Operational Commander the capability to C2 Cyberspace
Fundamental Network Challenge and Proposed Solution
Agile Virtual Enclave (AVE)
Virtual Secure Enclave (VSE)
This brief is classified: UNCLASSIFIED
Mr. Randy Cieslak, Chief Information Officer
U.S. Pacific Command
8 December 2010
Current Network Design—This needs to change
[Figure: a user facing separate Sensitive Unclassified Networks, Secret NOFORN, Secret for Allies and SCI & SPECATs networks, each reaching the core or backplane through its own KG crypto device and firewall.]
Virtual Secure Enclaves (VSE)
The foundation of the Operational Network Domain
• The Operational Network is built on IPsec-based VSEs
• IPsec (IP Security) is a set of protocols to support secure exchange of packets at the IP layer. IPsec has been deployed widely to implement robust Virtual Private Networks (VPNs)
• IPsec provides a COTS/GOTS encryption capability that is certified for up to SECRET data
• Advantages of IPsec over TYPE 1 encryption
– Reduces the Controlled Crypto "overhead"
– Allows visibility into network traffic to enable use of Network Management Tools to execute QOS
– Simplifies adding and removing enclaves from the OND
– Potential to facilitate Computer Network Operations (CNO)
TYPE 1 without IPSec
[Figure: Service SIPRNETs, Coalition C2 Nets and IC Networks, each with its own set of hubs.] Each enclave is a separate network requiring its own separate infrastructure. (It's not this neat and orderly.)
Components of an IPSec Virtual Secure Enclave (VSE)
[Figure: a Network Enclave with a firewall server suite. A conventional client computer enters through the Customer Service Point (CSP); its traffic is carried in the Client Services VPN, wrapped inside the Protected Inter-Nodal Network (PIN) VPN, across IPSEC VPN devices, and reaches the Application Service Point (ASP) behind a Counter-Denial of Service (DOS) Firewall and a Service Protection Firewall.]
Application Service Point (ASP) – Suite of servers dedicated to a single enclave to provide application services (e.g., Web, E-Mail, COP and the like).
Customer Service Point (CSP) – User interface to the enclave.
Client Services VPN – Protects users' data using NSA-certified IPSec encryption. (First layer of wrapping)
Protected Internodal Network (PIN) VPN – Protects the network from intra-enclave threats such as malicious insiders, high-risk applications, or poor system hygiene.
ASP Firewalls – Protect the IPSec crypto from Denial-of-Service (DOS) attacks and add the additional robustness required for cross-domain use of a common network infrastructure by the application service.
Network Enclave – A protected network environment that contains a single security domain (e.g., SECRET//REL USA).
1. Establish a Perimeter for the OND
[Figure: the SIPRNET, Service-unique and Coalition C2 networks and their hubs are enclosed by an Operational Network Domain boundary.]
2. Establish a Type 1 Perimeter for the Classified Enclaves
[Figure: a Type 1 perimeter is drawn around the classified networks inside the OND.]
3. Establish an IPSec Tunnel for Enclave Client Services
[Figure: a Client Services IPSec VPN joins the hubs of the SIPRNET Enclave inside the OND.]
4. Establish an outer IPSec Tunnel for Network Protection, called the Protected Inter-nodal Network (PIN)
[Figure: a PIN IPSec VPN wraps the SIPRNET Enclave; an Enclave Operator Services IPSec VPN is shown alongside it.]
5. Establish a controlled interface from the enterprise network to the OND Enclave
[Figure: a Dedicated Network Gateway (DNGW) connects enterprise SIPR to the SIPRNET Enclave.]
6. Swing operational area services to the associated OND enclave
[Figure: the Coalition C2 Net is swung into the OND beside the SIPRNET Enclave.]
7. Repeat this process for internal operational networks
[Figure: a Coalition C2 Enclave and an IC Enclave are added, each with its own DNGW.]
8. Additional enclaves can be added as modules
[Figure: a NIPRNET Enclave with its own DNGW joins the SIPRNET, Coalition C2 and IC Enclaves. Application Service Points sit in the Data Center; clients sit at the End User Site.]
9. Configure and provide training to end-user sites and Data Centers accordingly
[Figure: the same OND, with enclave gateways (DEG) at the Data Center and the End User Site.]
10. Take advantage of Multi-Enclave Clients from the Agile Virtual Enclave (AVE) Project
[Figure: Multi-Enclave Clients at the End User Site reach the SIPRNET, NIPRNET, Coalition C2 and IC Enclaves over an AVE-enabled hub.]
11. Take advantage of cross-domain gateways and guards to move information between enclaves (e.g., Trusted Network Environment (TNE))
[Figure: a Cross Domain Gateway is added to move information across domains.]
12. Monitor and Control the OND
[Figure: a Network Operations & Security Center exercises Control of Risks / Capabilities / Performance / Resources over the OND through Dynamic Computer Network Defense (Risk Level), Quality of Service (Utility, Priority, Capacity) and a Common Operational Picture.]
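As an added example (not code from the briefing or from PACOM), the following Python models an OND assembled by the twelve steps above, with the VSE components defined earlier (Client Services VPN inside the PIN VPN, enclave gateways, cross-domain gateway), and validates the rules those steps imply. The dataclass fields, the security-domain labels and the validation rules are assumptions made for the example; a practitioner would substitute the real inventory of enclaves and links.

```python
"""Structural model of an Operational Network Domain (OND) assembled the way
the twelve build-up steps describe, plus a validator for the rules they imply.
Added example, not PACOM or project code; the fields and the checks are
assumptions about what each step requires."""
from dataclasses import dataclass, field


@dataclass
class Enclave:
    name: str                      # e.g. "SIPRNET Enclave"
    security_domain: str           # e.g. "SECRET//REL USA" (constructed labels)
    classified: bool = True
    type1_perimeter: bool = False  # step 2: Type 1 boundary around classified enclaves
    client_vpn: bool = False       # step 3: inner IPsec tunnel (Client Services VPN)
    pin_vpn: bool = False          # step 4: outer IPsec tunnel (PIN)
    dngw: bool = False             # step 5: controlled interface to the enterprise network


@dataclass
class Link:
    src: str
    dst: str
    via_cross_domain_gateway: bool = False  # step 11: guard/gateway between domains


@dataclass
class OND:
    name: str
    enclaves: dict = field(default_factory=dict)
    links: list = field(default_factory=list)
    nosc_monitored: bool = False   # step 12: NOSC monitoring and control

    def add_enclave(self, enclave):
        self.enclaves[enclave.name] = enclave
        return self

    def add_link(self, link):
        self.links.append(link)
        return self


def validate_ond(ond):
    """Return a list of findings; an empty list means every rule holds."""
    findings = []
    for e in ond.enclaves.values():
        if e.classified and not e.type1_perimeter:
            findings.append(f"{e.name}: classified enclave has no Type 1 perimeter (step 2)")
        if not e.client_vpn:
            findings.append(f"{e.name}: no Client Services IPsec tunnel (step 3)")
        if not e.pin_vpn:
            findings.append(f"{e.name}: no PIN IPsec tunnel wrapping the enclave (step 4)")
        if not e.dngw:
            findings.append(f"{e.name}: no DNGW controlled interface to the enterprise (step 5)")
    for l in ond.links:
        a, b = ond.enclaves.get(l.src), ond.enclaves.get(l.dst)
        if a is None or b is None:
            findings.append(f"{l.src}->{l.dst}: link references an enclave outside the OND")
        elif a.security_domain != b.security_domain and not l.via_cross_domain_gateway:
            findings.append(f"{l.src}->{l.dst}: cross-domain link bypasses the cross-domain gateway (step 11)")
    if not ond.nosc_monitored:
        findings.append(f"{ond.name}: no NOSC monitoring and control (step 12)")
    return findings


def build_demo_ond():
    """A compliant OND with the four enclaves the slides use (constructed values)."""
    ond = OND("Theater OND", nosc_monitored=True)
    for name, domain, classified in [
        ("SIPRNET Enclave", "SECRET//REL USA", True),
        ("Coalition C2 Enclave", "SECRET//REL COALITION", True),
        ("IC Enclave", "TS//SCI", True),
        ("NIPRNET Enclave", "UNCLASSIFIED", False),
    ]:
        ond.add_enclave(Enclave(name, domain, classified,
                                type1_perimeter=classified,
                                client_vpn=True, pin_vpn=True, dngw=True))
    # Information between two domains moves only through the cross-domain gateway.
    ond.add_link(Link("SIPRNET Enclave", "Coalition C2 Enclave", via_cross_domain_gateway=True))
    return ond


def build_defective_ond():
    """Same OND with two deliberate mistakes, to show what the validator catches."""
    ond = build_demo_ond()
    ond.enclaves["NIPRNET Enclave"].pin_vpn = False        # step 4 skipped
    ond.add_link(Link("IC Enclave", "SIPRNET Enclave"))    # direct path, no guard (step 11)
    return ond


if __name__ == "__main__":
    for ond in (build_demo_ond(), build_defective_ond()):
        print(ond.name, validate_ond(ond) or "OK")
```

The validator deliberately treats the two IPsec layers as separate requirements: a missing PIN tunnel leaves the enclave exposed to the intra-enclave threats the PIN VPN definition names, even when the Client Services VPN is in place.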
OND-related Areas of Responsibility
[Figure: the completed OND (SIPRNET, NIPRNET, Coalition C2 and IC Enclaves with their DNGWs, the AVE-enabled hub, Multi-Enclave Clients and the Cross Domain Gateway) divided into the Supporting Service/Agency Responsibility and the Supported Operational Command Responsibility.]
Operational Network Domains (OND) and Security Domain Enclaves through the Classified Military Network (CMILNet)
This brief is classified: UNCLASSIFIED
Mr. Randy Cieslak, CIO
U.S. Pacific Command
29 June 2010
Technical Challenges
• Challenge #1: Creation of Agile Virtual Enclaves (AVEs), which are networked security domains that allow reuse of the same network infrastructure from the client through the network cloud.
• Challenge #2: Creation of Operational Network Domains (ONDs) with sufficient strength of separation to support different risk jurisdictions within each AVE.
– Virtual Secure Enclaves (VSEs) are the instantiation of AVEs within the OND.
• Challenge #3: Creation of a "black core capable" DISN designed to create Agile Virtual Enclaves (AVEs) to enable Virtual Secure Enclaves within Operational Network Domains (ONDs)
– Must accommodate more than NIPRNET, SIPRNET, and JWICS
Solution Toolkit – Network Virtualization
• Performance-based Virtualization (use these for ONDs)
– Multi-Protocol Label Switching (MPLS)
– Generic Routing Encapsulation (GRE)
– Virtual Local Area Networks (VLAN)
• Security-based Virtualization, a.k.a. Virtual Private Networks (VPNs)
– High Assurance Internet Protocol Encryption (HAIPE)
– Internet Protocol Security (IPSec) (use this for AVEs and VSEs)
– Transport Layer Security (TLS)
Solution must employ both types of virtualization, together, to optimize capability, security and performance.
Technical Solutions
• Challenge #1: Creation of Agile Virtual Enclaves (AVEs), which are networked security domains that allow reuse of the same network infrastructure from the client through the network cloud
• Solution #1: Employ rigorously tested IPSec implemented in accordance with NSA standards
• Challenge #2: Creation of Operational Network Domains (ONDs) with sufficient strength of separation to support different risk jurisdictions within each AVE.
• Solution #2: Employ Intrusion Protection System (IPS)-based firewalls with access controls and service filters
• Challenge #3: Creation of a "black core capable" DISN designed to create Agile Virtual Enclaves (AVEs) to enable Virtual Secure Enclaves within Operational Network Domains (ONDs).
• Solution #3: Employ a next-generation network strategy that accommodates solutions 1 and 2 as a fourth enterprise network domain using MPLS-based domain techniques and IPv6, improving upon how SIPRNET and NIPRNET are done on the DISN (GIG 3.0)
Why We Need a Black Core CMILNet
[Figure: Today's Network – The Singapore Case. A CENTRIXS-SGP packet that must transit CENTRIXS-CMFP, CENTRIXS-GCTF, SIPRNET and NIPRNET / Internet carries a stack of nested headers (PH, HH, H) around its payload; on the CMILNet Black Core the same packet carries a single header. Payload efficiency: Low = Poor Performance, High = Good Performance.]
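The Singapore case is a payload-efficiency argument: every additional encrypted network boundary wraps another header stack around the same payload. The Python below, an added example rather than anything from the briefing, computes that efficiency for layers named in the Solution Toolkit (VLAN, MPLS, GRE, IPsec ESP). The per-layer byte counts are representative values assumed for the comparison, and Type 1/HAIPE hops are modelled with the same ESP-style overhead as IPsec; the block generalizes to any encapsulation stack, not only the two drawn on the slide.

```python
"""Payload efficiency of stacked encapsulation: the quantity the Singapore case
contrasts with a black-core CMILNet. Added example; per-layer overheads are
representative figures assumed here, and Type 1 / HAIPE tunnels are modelled
with the same ESP-style overhead as IPsec."""

# Fixed-size layers in bytes (assumed representative values).
FIXED_OVERHEAD = {
    "vlan": 4,    # 802.1Q tag
    "mpls": 4,    # one MPLS label entry
    "gre": 4,     # GRE base header, no key/sequence fields
    "ipv4": 20,   # IPv4 header without options
    "ipv6": 40,
}


def esp_tunnel_overhead(inner_len, iv=8, icv=16, align=4):
    """IPsec ESP tunnel mode over IPv4 with an AEAD such as AES-GCM (assumed):
    outer IPv4 (20) + SPI/sequence (8) + IV + padding to a 4-byte boundary +
    pad-length/next-header (2) + ICV. The padding depends on the inner size."""
    pad = (-(inner_len + 2)) % align
    return 20 + 8 + iv + pad + 2 + icv


def wire_size(payload, stack):
    """Bytes on the wire after applying `stack` innermost-first."""
    size = payload
    for layer in stack:
        size += esp_tunnel_overhead(size) if layer == "esp" else FIXED_OVERHEAD[layer]
    return size


def efficiency(payload, stack):
    """Fraction of wire bytes that are payload."""
    return payload / wire_size(payload, stack)


# Stacks compared: "today" re-encrypts at each network boundary (tunnel in
# tunnel in tunnel, the PH/HH/H headers of the slide); the black core
# encrypts once and rides the core on an MPLS label.
STACKS = {
    "today: three nested tunnels": ["ipv4", "esp", "esp", "esp"],
    "black core: one tunnel + MPLS": ["ipv4", "esp", "mpls"],
}


def compare(payload_sizes=(64, 1000)):
    """Efficiency per stack for a small (C2 message) and a large payload."""
    return {name: {p: round(efficiency(p, s), 3) for p in payload_sizes}
            for name, s in STACKS.items()}


if __name__ == "__main__":
    for name, row in compare().items():
        print(f"{name:32s}", "  ".join(f"{p}B: {e:.1%}" for p, e in row.items()))
```

The small-payload row is the one that matters for command and control: short messages such as track updates lose most of their wire budget to nested headers, which is why the deck ties black-core transport to performance rather than only to cost.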
Global Enterprise OND Concept – Today's State
[Figure: the DISN Backbone carrying DSN, DRSN, DVS-G, JWICS, NIPRNET and SIPRNET, each terminated on its own premise equipment. UPE – Unclassified Premise Equipment; CPE – Classified Premise Equipment; P – Premise Equipment.]
Global Enterprise OND Concept – Near Term?
[Figure: the DISN Backbone carrying JWICS, NIPRNET and SIPRNET, with Black Premise Equipment added beside the existing premise equipment. UPE – Unclassified Premise Equipment; CPE – Classified Premise Equipment; P – Premise Equipment; BPE – Black Premise Equipment.] Extremely useful in the creation of CMILNet Common Mission Network Transport (CMNT).
Global Enterprise OND Concept
[Figure: the DISN Backbone carrying JWICS, NIPRNET (Navy, Army, Marine Corps, Air Force and Agency NIPRNETs), SIPRNET (Navy, Army, Marine Corps, Air Force and Agency SIPRNETs), DoDIIS, NSA Net, NGA Net, etc., with premise equipment P, C, U and B; an OND Dedicated Network Gateway for the CENTCOM Afghan Mission Network (AMN).]
Global Enterprise OND Concept
[Figure: the DISN Backbone (JWICS, NIPRNET and SIPRNET with their Navy, Army, Marine Corps, Air Force and Agency networks, DoDIIS, NSA Net, NGA Net, etc.) with the CENTCOM AMN OND shown in detail: CMFC, GCTF, ISAF and MNFI enclaves joined through CCER and TNE, Agency, Air Force, Navy, Marines and Army components, Internet access, and Logical Connections distinguished from Actual Connections.]
Global Enterprise OND Concept
[Figure: the DISN Backbone (JWICS, DoDIIS, NSA Net, NGA Net, etc.; NIPRNET and SIPRNET with their Navy, Army, Marine Corps, Air Force and Agency networks; premise equipment P, C, U, B) feeding one OND per Combatant Command, each with its Agency, Air Force, Navy, Marines and Army components, Internet access and CCER/TNE cross-domain services. Logical Connections are distinguished from Actual Connections. Enclaves per OND:]
• CENTCOM AMN OND: CMFC, GCTF, ISAF, MNFI
• PACOM Theater OND: CMFP, GCTF, KOR, JPN
• EUCOM Theater OND: NATO, GCTF, FRA, ITA
• AFRICOM Theater OND: NATO, GCTF, FVEY, SAF
• NORTHCOM Theater OND: FEMA, GCTF, FVEY, CAN
• SOUTHCOM Theater OND: MLEC, GCTF, COL, MEX
Global Enterprise OND Concept
[Figure: the DISN Backbone with DoDIIS, NSA Net, NGA Net, etc., the Navy, Army, Marine Corps, Air Force and Agency NIPRNETs and SIPRNETs, and premise equipment P, C, U, B; the EUCOM, CENTCOM, PACOM, AFRICOM, NORTHCOM and SOUTHCOM ONDs ride GIG 3.0 / MILNET alongside JWICS, NIPRNET and SIPRNET.]
[Figure: each Combatant Command OND drawn as a set of VSEs over the DISN Backbone (Black Core). Enclaves per OND:]
• PACOM OND: SIPRNET, NIPRNET, CMFP, GCTF, ACGU, FVEY, Internet, CDCI, HADR, MOBILITY, HLD/LE, S-VSE
• NORTHCOM OND: SIPRNET, NIPRNET, CMFP, GCTF, ACGU, FVEY, Internet, CDCI, S-VSE, HADR, MOBILITY, HLD/LE
• CENTCOM OND: SIPRNET, NIPRNET, CNFC, GCTF, AMN, FVEY, Internet, CDCI, HADR, MOBILITY, HLD/LE, S-VSE
• AFRICOM OND: SIPRNET, NIPRNET, CMFA, GCTF, ACGU, FVEY, Internet, CDCI, HADR, MOBILITY, HLD/LE, S-VSE
• EUCOM OND: SIPRNET, NIPRNET, NATO, GCTF, ACGU, FVEY, Internet, CDCI, HADR, MOBILITY, HLD/LE, S-VSE
• SOUTHCOM OND: SIPRNET, NIPRNET, MLEC, GCTF, ACGU, FVEY, Internet, CDCI, S-VSE, HADR, MOBILITY, HLD/LE
Transport networks: SMILNet .smil.mil (SIPRNET); CMILNet .cmil.mil (CENTRIXS); Inter-Agency Networks .gov / .net; MILNet .mil (NIPRNET); Internet via the DISN Internet Access Point (IAP)
Legend: OND; VSEs; Dedicated Network Domain Gateway (DNDG); Dedicated Network Enclave Gateways (DNEG); CDCI – Cross Domain Controlled Interface; IAP – DISN Internet Access Point; DISN Backbone (Black Core); Yellow Highlight: Primary C2 Network (PCN); S-VSE – Standby VSE; AMN – Afghan Mission Network
[Figure: the US Forces Korea OND (SIPRNET, NIPRNET, UNCK, KOR, Internet, CDCI) beside the PACOM OND (SIPRNET, NIPRNET, CMFP, GCTF, ACGU, FVEY, Internet, CDCI, HADR, MOBILITY, HLD/LE, S-VSE), both as VSEs over the DISN Backbone (Black Core), reached through SMILNet .smil.mil (SIPRNET), CMILNet .cmil.mil (CENTRIXS), Inter-Agency Networks .gov / .net, MILNet .mil (NIPRNET) and the Internet via the DISN Internet Access Point (IAP). Legend: Dedicated Network Domain Gateway (DNDG); Dedicated Network Enclave Gateways (DNEG); CDCI – Cross Domain Controlled Interface; Yellow Highlight: Primary C2 Network (PCN); S-VSE – Standby VSE; AMN – Afghan Mission Network.]
[Figure: the US Forces Korea OND alone (SIPRNET, NIPRNET, UNCK, KOR, Internet, CDCI) as VSEs over the DISN Backbone (Black Core), reached through SMILNet .smil.mil (SIPRNET), CMILNet .cmil.mil (CENTRIXS), Inter-Agency Networks .gov / .net, MILNet .mil (NIPRNET) and the Internet via the DISN Internet Access Point (IAP); legend as on the preceding OND slides (DNDG, DNEG, CDCI, Primary C2 Network, S-VSE, AMN).]
U.S. Forces Korea (USFK) Operational Network Domain (OND) – "Korea Mission Network" (KMN)
[Figure: Client Commands (e.g., Osan, Taegu, Yongsan) with Multi-Enclave Clients (MEC) and an Application Service Point (ASP) on the KMN Backbone; the KOR enclave is the Primary C2 Network. The USFK OND (SIPRNET, NIPRNET, UNCK, KOR, Internet, CDCI) rides the DISN Backbone through MILNet .mil (NIPRNET), SMILNet .smil.mil (SIPRNET), CMILNet .cmil.mil (CENTRIXS) and the Internet via the IAP. Coalition links reach the Multilateral Enclaves of GBR, AUS, CAN, KOR, NZL, THA, PHI, BEL, COL, DNK, FRA, GRC, NLD and NOR. Logical Connections are distinguished from Actual Connections.]
Legend: Dedicated Network Domain Gateway (DDG); Dedicated Network Enclave Gateway (DEG); Dedicated Network Gateways (DNG); IAP – DISN Internet Access Point; CDCI – Cross Domain Controlled Interface; UNCK – United Nations Command Korea
Country Codes
AUS – Australia
BEL – Belgium
COL – Colombia
DNK – Denmark
FRA – France
GRC – Greece
GBR – United Kingdom of Great Britain
KOR – Republic of South Korea
NLD – Netherlands
NZL – New Zealand
NOR – Norway
PHI – Philippines
THA – Thailand
Selected GIG 3.0 Components to Show On the Next Slide – Geographic Topology for CENTRIXS-KOR
[Figure: the KOR enclave at a Client Command (e.g., Osan), connected through CDCIs to CMILNet .cmil.mil (CENTRIXS).]
GIG 3.0 Interface Components
[Figure: System Component View and System Design View. Internal to a single security enclave: a DISN Link from the DESP through the ENI, a Partner Link from the PNSP through the PNI, the CNI and ANI within the DNEG and NDSN, the DNN, and the ASP and CSP; a Cross-Domain Link through the CDCI to a CDSP, shown for the KOR enclave at a Client Command (e.g., Osan) reaching CMILNet .cmil.mil (CENTRIXS).]
Acronyms
ASP – Application Service Point
ANI – Application Network Interface
CNI – Client Network Interface
CDCI – Cross-Domain Controlled Interface
CDSP – Cross-Domain Service Point
CSP – Customer Service Point
DESP – Defense Enterprise Service Point
DNEG – Dedicated Network Enclave Gateway
DNN – Domain Network Node
ENI – Enterprise Network Interface
NDSN – Network Domain Service Node
NSP – Network Service Point
PNI – Partner Network Interface
PNSP – Partner Network Service Point
GIG 3.0 Interface, Enclave and Service Point Definitions
• ASP – Application Service Point
– Server suite and software that provides application programs to the user.
– Examples: Microsoft Exchange Server, Apache Web Server
• ANI – Application Network Interface
– Network router or switch that connects the ASP to the network
• AVE – Agile Virtual Enclave
– IPSec-based Virtual Private Network (VPN) that provides robust protection of an information sharing enclave across the enterprise. Each CENTRIXS network can be implemented on the same network infrastructure using AVEs.
• CNI – Client Network Interface
– VSE IPSec crypto and network router or switch that connects the ASP to the Client VPN. It is the ASP interface for the MECs.
• CDCI – Cross-Domain Controlled Interface
– High assurance filter and guard that provides for a controlled transfer of information between enclaves (e.g., between CENTRIXS-KOR and CENTRIXS-UNCK)
• CDSP – Cross-Domain Service Point
– Relative to one enclave (e.g., CENTRIXS-KOR), the service point providing information from another domain (e.g., CENTRIXS-UNCK)
– Examples: Trusted Network Environment (TNE), Joint Cross Domain Exchange System (JCDX).
• CSP – Customer Service Point
– Client point of presence to the network. Best serviced by a single MEC. Today CSPs consist of multiple client computers, each dedicated to a single networked enclave.
– In this context CSPs are serviced by MECs.
• DNDG – Dedicated Network Domain Gateway
– Generic reference to the set of DNEGs that form the perimeter of an OND.
• DESP – Defense Enterprise Service Point
– ASP(s) that are in the DISN external to the OND.
– Examples: DISA DECC, Air Force NOSC.
• DNEG – Dedicated Network Enclave Gateway
– Controlled interfaces with firewalls (access control system, information
protection system) that separates selected network services and
activities between the external networks (e.g., DISN or coalition
partner) and the OND.
– Contains ENIs and PNIs.
• DNN – Domain Network Node
– Router / switch with control and monitoring that interconnects sites,
interfaces, network assets, clients, servers and network checkpoints
across the GIG 3.0 infrastructure..
• ENI – Enterprise Network Interface
– VSE IPSec crypto, firewall (access control system, information
protection system) and network router or switch that connects the
DESP to the OND VSE.
• NDSN – Network Domain Service Node
– Major node on the OND that includes the ANI, DN and/or CNI
providing information capability to the OND.
• NSP – Network Service Point
– Point of presence for monitoring, control, configuration and
maintenance of network devices.
• OND – Operational Network Domain
– Network infrastructure, containing VSEs, that is bounded by a perimeter
of DNDGs
• PNI – Partner Network Interface
– High assurance filter and guard that provides for a controlled transfer
of information between the USA’s partner network (e.g., CENTRIXS)
and the coalition partner’s ASP – called a PNSP.
• PNSP – Partner Network Service Point
– Server suite and/or network interface owned and operated by a
coalition partner designated to provide information services to the USA
enclave (e.g., CENTRIXS.)
• VSE – Virtual Secure Enclave
– Specific instantiation of an AVE within an OND or for situations when a
higher assurance protected network domain is needed within a less
trusted network.
– A VSE is an AVE aligned within an OND and guarded by a controlled
interface (DNEG).
[Figure: System Component View. GIG 3.0 interface components internal to a single security enclave: a DISN Link from a DESP through an ENI and a Partner Link from a PNSP through a PNI, both terminating at the DNEG; behind the DNEG, the NDSN with its CNI and ANI; a Cross-Domain Link through a CDCI. Acronyms: ASP – Application Service Point; ANI – Application Network Interface; CNI – Client Network Interface; CDCI – Cross-Domain Controlled Interface; CDSP – Cross-Domain Service Point; CSP – Customer Service Point; DESP – Defense Enterprise Service Point; DNEG – Dedicated Network Enclave Gateway; DNN – Domain Network Node; ENI – Enterprise Network Interface; NDSN – Network Domain Service Node; NSP – Network Service Point; PNI – Partner Network Interface; PNSP – Partner Network Service Point.]
[Figure: System Design View. USFK geographic depiction of the CENTRIXS-KOR VSE: a client command (e.g., Osan) with ASP and CSP on a DNN, the KOR CMILNet (.cmil.mil, CENTRIXS), a CDSP and two CDCIs.]
[Figure: USFK geographic depiction of the Korea Theater Black Core.]
[Figure sequence: Example Korea System Topology. Sites: Camp Casey, Osan, Camp Humphreys, Kunsan, Yongsan, Camp Walker, Chinhae. Enclaves: REL KOR and REL UNCK. Partner service points (PNSPs): ROK, AUS, BEL, CAN. Layers: DISN Edge Transport Services (DETS) "Black Core"; Common Mission Network Transport (CMNT); GIG 3.0 CMILNet / SMILNet / MILNet "brown core". The sequence then overlays the CENTRIXS-KOR VSE (the REL KOR sites with the ROK PNSPs) and the CENTRIXS-UNCK VSE (REL UNCK with the ROK, AUS, BEL and CAN PNSPs).]
[Figure: Block Diagram View of the GIG 3.0 interface components (same acronyms as the System Component View): DESP to ENI and PNSP to PNI at the DNEG; the NDSN with ASP, CNI and CSP, a DNN and an NSP; CDSP and CDCI for the cross-domain link.]
GIG 3.0 Network Layers (For Governance)
[Figure: layered view, repeated for each combatant command (PACOM, CENTCOM, NORTHCOM, SOUTHCOM, EUCOM, AFRICOM, TRANSCOM, STRATCOM, SOCOM, JFCOM). Transport: Global Cyberspace Telecommunications Transport; DISN Edge Transport Services (DETS) "black core"; Common Mission Network Transport (CMNT). Enterprise enclaves: UNCLAS USA "NIPRNet" AVE (.mil) on MILNET, the "unclassified brown core"; SECRET//USA Only "SIPRNet" AVE (.smil.mil) and SECRET//REL ACGU AVE (.cmil.mil) on CMILNET, the "classified brown core"; a .net / .org UNCLAS Internet Enclave. Command layer: PACOM OND, its VSEs (PACOM Internet, PACOM NIPRNET, PACOM SIPRNET, PACOM REL ACGU, PACOM REL ...) and the PACOM MEC. Separation mechanisms shown: Type 1 separation (e.g., HAIPE); "Type 2" separation (e.g., IPSec); "Type 3" separation (e.g., Firewall & TLS/SSL). Acronyms: AVE – Agile Virtual Enclave; DETS – DISN Edge Transport Service; HAIPE – High Assurance IP Encryption; IP – Internet Protocol; IPSec – IP Security; MEC – Multi Enclave Client; OND – Operational Network Domain; SSL – Secure Socket Layer; TLS – Transport Layer Security; VSE – Virtual Secure Enclave.]
GIG 3.0 VPN Enclave Control & User Client Cases
This brief is classified: UNCLASSIFIED
Mr. Randy Cieslak, CIO, U.S. Pacific Command
25 October 2010
CMILNet VPN and Client Components for Enclave Protection
Virtual Private Networks (VPNs):
• Transport VPN (Type 1 / HAIPE)
• Transit VPN
• Protected Internodal Network
• Client Service VPN
User Client Workstations (UCWS):
• Common Conventional
• Virtual Secure Enclave (VSE) Enabled
• Agile Trusted Multi Enclave (ATME)
[Figure: CMILNet VPN and Client Services. NIPRNET, SIPRNET and a Service Unique Network each connect through a router and a Transport HAIPE VPN into the Operational Network Domain. Inside the OND, routers and hubs are linked by Transit IPSec VPNs and PIN IPSec VPNs; Client Service IPSec VPNs reach Common Conventional Clients, VSE-Enabled Clients (IPSec enabled) and ATME-Enabled Clients (e.g., NetTop 2.2, HAP).]
[Figure: CMILNet In Action: Transport Encryption. The same CMILNet VPN and Client Services diagram with the Transport HAIPE VPNs highlighted.]
[Figure: CMILNet In Action: Transit VPNs. The same diagram with the Transit IPSec VPNs highlighted.]
These are "backside" connections that interconnect servers and network gateways.
[Figure: CMILNet In Action: Protected Inter-nodal Networks (PIN) VPNs. The same diagram with the PIN IPSec VPNs highlighted.]
[Figure: CMILNet In Action: Client Services VPNs. The same diagram with the Client Service IPSec VPNs highlighted.]
[Figure: OND Network Operations. A Network Operations Center oversees the Operational Network Domain, its VPNs (Transport HAIPE, Transit IPSec, PIN IPSec, Client Service IPSec) and an Application Service Center. Functions shown: Dynamic Computer Network Defense; Risk Level; Quality of Service (utility, priority, capacity); a Common Operational Picture; decisions made on risk vs. capability vs. performance vs. resource.]
Questions?
[Figure: end-state diagram. Data Center with IC, SIPRNET, Coalition C2 and NIPRNET enclaves, each with service-unique (SVC unique) services behind a DNGW (IC, SIPR, NIPR); an End User Site with an AVE-Enabled Hub serving Multi-Enclave Clients across the Operational Network Domain; a Cross Domain Gateway; a Network Operations & Security Center with control of risks / capabilities / performance / resources, Dynamic Computer Network Defense, Risk Level, Quality of Service (utility, priority, capacity) and a Common Operational Picture.]
Agile Virtual Enclaves (AVE) Version 1.2 / 1.3: "Multi Enclave Client" (MEC)
This brief is classified: UNCLASSIFIED
Randy Cieslak, Chief Information Officer
Jim Fordice, Referentia, Inc.
29 June 2010
How We Build Networks in Cyberspace Today
[Figure: Sensitive Unclassified Networks, Secret NOFORN, Secret for Allies and SCI & SPECATs each reach the user over a separate path with its own KG (crypto device) and FW (firewall); the user is left with "?@#?!".]
[Figure: Multi Enclave Clients. Data Center with IC, SIPRNET, Coalition C2 and NIPRNET enclaves, each with service-unique services behind a DNGW; an End User Site with an AVE-Enabled Hub serving Multi-Enclave Clients across the Operational Network Domain; a Cross Domain Gateway; a Network Operations & Security Center with control of risks / capabilities / performance / resources, Dynamic Computer Network Defense, Risk Level, Quality of Service (utility, priority, capacity) and a Common Operational Picture.]
MEC Candidates Assessed
• Multi-Level Thin Client (MLTC) 3.0
• DoDIIS Trusted Workstation (DTW) 4.0
• Network on a Desktop (NetTop)
• Secure Office Thin Client (SOTTC)
• Trusted Multi-Net (TMN)
• High Assurance Platform (HAP)
• Trusted Virtual Environment (TVE)
[Table: Solution Candidate / Performance Score / Key Characteristic; row alignment not recoverable. Performance scores: 10, 17, 29, 26, 22, 37, 29. Key characteristics: Dedicated Infrastructure, Modular / Single-Wire, Multi-Wire, Multi-Wire, Dedicated Infrastructure, Dedicated Infrastructure, Dedicated Infrastructure.]
• Dedicated infrastructure normally means single vendor and often
proprietary
• Multi-Wire means that each network enclave requires its own
physical network link
• Modular / Single Wire means standards-based. As long as COTS or
GOTS products meet the standard and are tested (UCDMO baseline)
they can be used.
MEC Candidate Selected
• Network on a Desktop (NetTop)
Solution Candidate: NetTop; Performance Score: 29; Key Characteristics: Modular / Single-Wire
[Figure: MEC chain from the ACE Terminal through a Managed Switch, VPN Concentrator, Firewall and Citrix Server to Network A and Network B.]
• MEC Terminal: NetTop 1.3.2 (Version 2.2 under NSA review)
• Managed Switch: Cisco Catalyst 2960
• VPN Concentrator: Cisco ASA 5510
• Firewall: McAfee Sidewinder 410F
• Terminal Services Server: Citrix
MEC User Terminal View – AVE 1.2
[Figure: terminal desktop with NIPR, SIPR and CENTRIXS (K, J, VSE) windows; classified networks (CLASSIFIED) and unclassified networks (UNCLASSIFIED, Internet) presented side by side.]
AVE 1.2 is based on NetTop 1.3.2
MEC based on AVE 1.2 On The UCDMO Baseline
Cross Domain Baseline V 3.4.0, 18 June 2010
MEC User Terminal View – AVE 1.3
[Figure: terminal desktop with NIPR, SIPR, CENTRIXS (K, J, VSE) and Internet windows; classified and unclassified networks presented side by side.]
Agile Virtual Enclave (AVE)
• Includes a Second Wire for Unclassified Enclaves
• Implemented at USPACOM HQ
AVE 1.3 is based on NetTop 2.2
AVE Certification & Accreditation
• AVE 1.2 (COMTHIRDFLT)
– DSAWG approved ATC
– Navy ODAA approved ATO
– Approved for UCDMO Baseline v3.4.0 update - June 2010
• AVE 1.3 (HQ USPACOM)
– Demo approved by DSAWG
– USPACOM DAA approved IATT
– NSA has completed AVE 1.3 CT&E
  • Evaluating results of NSA testing
– Next step is CDTAB/DSAWG to approve use of the technology
– Long term plan is to submit for UCDMO Baseline
Underlying Virtual Machines (AVE 1.3)
[Figure: AVE MEC on an ACE Terminal. NIC 1 (Classified Connection) carries COI 1 ... COI N VMs, each behind its own VPN; NIC 2 (Unclassified Connection) carries a second set of COI 1 ... COI N VMs, each behind its own VPN.]
Enclaves for the USPACOM MEC
Network | Start Menu Name | Classification Marking
USA | USA Thick | SECRET
ACGU | ACGU Thin | SECRET//REL ACGU
JPN | JPN Thin | SECRET//REL JPN
JPN | JPN Thick | SECRET//REL JPN
KOR | KOR Thin | SECRET//REL KOR
SIPR | SIPR Thick | SECRET
GCTF | GCTF Thin | SECRET//REL GCTF
VSE | SIPR VSE Thin | SECRET
APAN | APAN | UNCLASSIFIED
CMFP | CMFP Thin | SECRET//REL CMFP
FVEY | FVEY Thin | SECRET//REL FVEY
NIPR | NIPR Thin | NIPRNET UNCLASSIFIED//FOUO
SGP | SGP Thin | SECRET//REL SGP
UNCK | UNCK Thin | SECRET//REL UNCK
14 Virtual Machines:
• 2 UNCLAS, 12 SECRET
• 4 Thick, 10 Thin
[Figure: Multi-Enclave Clients. Data Center with IC, SIPRNET, Coalition C2 and NIPRNET enclaves, each with service-unique services behind a DNGW; an End User Site with an AVE-Enabled Hub serving Multi-Enclave Clients across the Operational Network Domain; a Cross Domain Gateway; a Network Operations & Security Center with control of risks / capabilities / performance / resources, Dynamic Computer Network Defense, Risk Level, Quality of Service (utility, priority, capacity) and a Common Operational Picture.]
GIG 3.0 Design Approach
Randy Cieslak, Chief Information Officer, U.S. Pacific Command
19 November 2010
Confluence of Concerns & Solutions (1 of 2)
• CONCERN 1
– We need to use the same infrastructure to create network enclaves to replace
the expensive and cumbersome CENTRIXS networks
• SOLUTION: Agile Coalition Environment / Adaptive Cyber Environment (ACE)
• CONCERN 2
– We need to create defendable network enclaves to fight through cyber attacks
that have left our main networks vulnerable
• SOLUTION: Computer Aided Network Defense in Depth (CANDID)
• CONCERN 3
– We need to create network zones that will permit operational commanders to
manage their own risk to their own mission
• SOLUTION: Cyber Joint Operational Area (JOA) formed by Operational
Network Domains (OND)
• CONCERN 4
– We need tactics, techniques and procedures to surveil, control and operate this
new network environment
• SOLUTION: Joint Cyber Operations (JCO) Joint Test & Evaluation (JT&E)
Confluence of Concerns & Solutions (2 of 2)
• CONCERN 5
– We need a means to safely and securely move authorized information between
enclaves and a simple way to access enclaves not normally used
• SOLUTION: Combined Enterprise Regional Information Exchange System
(CENTRIXS) Cross Enclave Requirement (CCER)
• CONCERN 6
– We need to understand and display network and information system activities,
determine the associated mission risk and provide associated decision support
displays
• SOLUTION: Joint Warfighting Integrated Network Operations (NETOPS)
(JWIN) Joint Concept Technical Demonstration (JCTD)
• CONCERN 7
– We need to take advantage of current and planned network initiatives that
"almost" take advantage of modern network technology methods and steer
them to an effective, coherent, consistent overarching approach.
• SOLUTIONS:
– ASIA-PACIFIC Intelligence Network (APIN)
Integrating the Solutions: "GIG 3.0"
[Figure: Global Information Grid Version 3.0 ("GIG 3.0") at the center, integrating ACE (Agile Coalition Environment / Adaptive Cyber Environment); CANDID JCTD (Computer-Aided Networked Defense-In-Depth); Cyber JOA (Operational Network Domains, OND); JCO JT&E (Operational Network Domains, OND); CCER (CENTRIXS Cross Enclave Requirement); JWIN (Joint Warfighting Integrated Network Operations, NETOPS); APIN (Asia-Pacific Intelligence Network).]
Exercise Schedule
[Figure: timeline across FY11 (Q1 to Q4) and FY12 (Q1 to Q4) marking TF11, VS11, TF12 and VS12.]
Building GIG 3.0 – A Two-Phase Approach (phases to be done concurrently)
• Phase 1: Build an agile information infrastructure that:
– Compartmentalizes the network to enforce information
protection and control policies
– Compartmentalizes the network to separate risk-postures
between the enterprise and the commander’s mission area
– Leverages and reuses common infrastructure to support
compartmentalization
– Provides controlled interfaces into and between the
compartments
– Provides access controls and minimizes customer service
points
• Phase 2: Control, instrument and conceal the network to:
– Monitor and control the interfaces for optimal performance
– Detect sources of intrusion and react accordingly
– Determine and display the level of associated risk to the mission
– Posture network appearance to maintain information dominance
Phase 1: Agile, Compartmented Information Infrastructure
Primary Design Driver – Agile Virtual Enclaves (AVE), adopted from ACE
[Figure: separate AVEs for SIPRNET, CENTRIXS - ABC, CENTRIXS - XYZ, Internet, NIPRNET and Intranets.]
Associated Projects / Efforts: AVE; IPSec – Internet Protocol Security; IPv6 – Internet Protocol Version 6; IKE – Internet Key Exchange; Naming convention; IP Addressing; DCSP – Differential Code Service Point; DNS – Domain Naming Service; DNN – Domain Network Node
IPSec provides sufficient strength of separation, but classified networks need a protected environment.
This design feature technologically enforces information classification, release, exposure and disclosure policies.
Foundation for the AVEs: Defense Information Systems Network (DISN) Common Mission Network Transport (CMNT), Internet Protocol (IP) - Based Telecommunication Services
[Figure: the AVEs (SIPRNET, CENTRIXS - ABC, CENTRIXS - XYZ, Internet, NIPRNET, Intranets) riding on the Common Mission Network Transport (CMNT) "black core".]
Associated Projects / Efforts: CMNT (black core) – Common Msn Net Trans.; MPLS – Multi-Protocol Layered Switching; HAIPE – High Assurance IP Encryption; IPv6; Naming convention; IP Addressing; DNS; DNN
Provides the wide area network to deploy and extend AVEs worldwide. Employs a separate MPLS from SIPRNET, NIPRNET, JWICS.
Because it forms the foundation or core of the network and almost all traffic is encrypted, it is referred to as a "black core".
AVEs drive the design requirements of the CMNT.
Provides both QOS and VPNs, employing rigid transport security (TRANSEC) ("black traffic") together with enclave security ("brown traffic").
Common Mission Network Transport (CMNT) "black core"
• Exposed data is "red"
• Encrypted data is "black"
• Traffic that is de-encrypted at the black core is "red" to the black core, but still "black" to the customer service point.
• Hence the Agile Virtual Enclaves are a combination of red and black, or "brown."
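The nested layering described above, as an added Python model that is not part of the original brief: an enclave layer (the brief's IPSec-style "Type 2" separation) is applied on the customer service point side and a transport layer (HAIPE-style Type 1 separation) at the black-core edge, and each hop reports the colour of what it holds. The ciphers are stand-in constructions from the standard library, not HAIPE or IPSec, and the hop names, keys and payload are constructed for the example.

```python
"""Red / black / brown traffic through nested enclave and transport encryption.

Added example, not part of the original brief.  Both VPN layers use a
stand-in authenticated cipher (SHA-256 keystream, encrypt-then-MAC) so the
script runs offline; real deployments use HAIPE for the transport layer and
IPSec for the enclave layer.
"""
import hashlib
import hmac
import os
import struct

# One label byte travels in the clear on each layer (like an ESP SPI) so a hop
# can tell which layer it is looking at.  0x00 marks exposed ("red") data.
RED, TRANSPORT, ENCLAVE = b"\x00", b"\x01", b"\x02"
NONCE_LEN, TAG_LEN = 16, 32


def _keystream(key, nonce, length):
    """SHA-256 HMAC in counter mode: a PRF keystream, not a production cipher."""
    out = bytearray()
    for counter in range((length + 31) // 32):
        out += hmac.new(key, nonce + struct.pack(">I", counter), hashlib.sha256).digest()
    return bytes(out[:length])


def seal(key, label, inner):
    """Wrap `inner` in one encryption layer: label || nonce || ciphertext || tag."""
    nonce = os.urandom(NONCE_LEN)
    ct = bytes(a ^ b for a, b in zip(inner, _keystream(key, nonce, len(inner))))
    body = label + nonce + ct
    return body + hmac.new(key, body, hashlib.sha256).digest()


def unseal(key, label, packet):
    """Remove one layer; reject a wrong label, a wrong key or a modified packet."""
    if len(packet) < 1 + NONCE_LEN + TAG_LEN:
        raise ValueError("packet too short")
    body, tag = packet[:-TAG_LEN], packet[-TAG_LEN:]
    expected = hmac.new(key, body, hashlib.sha256).digest()
    if body[:1] != label or not hmac.compare_digest(tag, expected):
        raise ValueError("layer %r: wrong label or authentication failure" % label)
    nonce, ct = body[1:1 + NONCE_LEN], body[1 + NONCE_LEN:]
    return bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct))))


def colour(packet):
    """Colour of the bytes as they lie on the wire, judged by the outer label:
    red = exposed; black = transport layer present; brown = only the enclave
    layer remains (red to the black core, still black to the CSP)."""
    return {RED: "red", TRANSPORT: "black", ENCLAVE: "brown"}.get(packet[:1], "unknown")


def traverse(payload, enclave_key, transport_key):
    """Walk a payload CSP -> enclave VPN -> HAIPE -> black core -> HAIPE -> ASP.
    Returns the (hop, colour) trace, the payload the ASP recovers, and whether
    a black-core operator holding only the transport key could read it."""
    trace = []
    pkt = RED + payload                           # exposed at the customer service point
    trace.append(("customer service point", colour(pkt)))
    pkt = seal(enclave_key, ENCLAVE, pkt)         # Type 2: enclave (IPSec-style) layer
    trace.append(("enclave VPN egress (brown core)", colour(pkt)))
    pkt = seal(transport_key, TRANSPORT, pkt)     # Type 1: transport (HAIPE-style) layer
    trace.append(("DETS black core", colour(pkt)))
    pkt = unseal(transport_key, TRANSPORT, pkt)   # far-edge HAIPE strips the transport layer
    trace.append(("black core edge after HAIPE", colour(pkt)))
    try:                                          # black core has only the transport key
        unseal(transport_key, ENCLAVE, pkt)
        black_core_reads_payload = True
    except ValueError:
        black_core_reads_payload = False
    pkt = unseal(enclave_key, ENCLAVE, pkt)       # the ASP owns the enclave key
    trace.append(("application service point", colour(pkt)))
    if pkt[:1] != RED:
        raise ValueError("innermost layer is not red data")
    return trace, pkt[1:], black_core_reads_payload


if __name__ == "__main__":
    # Constructed keys and payload for the demonstration.
    hops, out, leak = traverse(b"constructed C2 message", b"enclave-key", b"transport-key")
    for hop, col in hops:
        print("%-34s %s" % (hop, col))
    print("ASP recovered payload:", out, "| black core could read it:", leak)
```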
[Figure: AVE Environment "brown core". UNCLASSIFIED and CLASSIFIED AVEs (SIPRNET, CENTRIXS - ABC, CENTRIXS - XYZ, Internet, NIPRNET, Intranets) above the CMNT "black core".]
Associated Projects / Efforts: AVE (brown core): IPSec – Internet Protocol Security; IPv6 – Internet Protocol Version 6; IKE – Internet Key Exchange; Naming convention; IP Addressing; DCSP – Differential Code Service Point; DNS – Domain Naming Service; DNN – Domain Network Node; VSE – Virtual Secure Enclaves; PINS – Protected Inter-nodal Network; ENIs - Enterprise Network Interface; PNIs - Partner Network Interface; ANIs – Application Network Interface; CNIs – Client Network Interface. CMNT (black core) – Common Msn Net Trans.: MPLS – Multi-Protocol Layered Switching; HAIPE – High Assurance IP Encryption; IPv6; Naming convention; IP Addressing; DNS; DNN
Implement Multi-Enclave Clients (MECs) to access the multiple enclaves from a single Customer Service Point (CSP)
[Figure: Multi-Enclave Clients (MECs) on top of the AVE Environment "brown core" (UNCLASSIFIED and CLASSIFIED AVEs: SIPRNET, CENTRIXS - ABC, CENTRIXS - XYZ, Internet, NIPRNET, Intranets) over the CMNT "black core".]
Associated Projects / Efforts (cumulative): the AVE (brown core) and CMNT (black core) items of the preceding slides, plus MEC; NetTop – "Network on a Desktop"
For organizations and commands that must operate in multiple security domains, MECs reduce workstation area, improve information access and improve maintainability and security through virtualization.
Implement Operational Network Domains (ONDs): Intra-Enclave Controlled Interfaces To Contain Application and Configuration Risk within a Commander's Area of Responsibility
[Figure: three ONDs, each containing VSEs, layered above the Multi-Enclave Clients (MECs), the AVE Environment "brown core" (UNCLASSIFIED and CLASSIFIED AVEs) and the CMNT "black core".]
Associated Projects / Efforts (cumulative): the AVE (brown core) and CMNT (black core) items of the preceding slides; MEC; NetTop – "Network on a Desktop"; OND (Cyber JOA): ENIs, PNIs, ANIs, CNIs
Enables "Cyber JOAs." Solves the "risk assumed by one is a risk assumed by all" dilemma. Allows commanders to take risk against their own mission in their own operational area, as is true for all the other domains.
Implement Cross-Domain Controlled Interfaces (CDCI) to safely move authorized information across security domains
[Figure: CDCIs placed between the ONDs and their VSEs, above the MECs, the AVE Environment "brown core" (UNCLASSIFIED and CLASSIFIED AVEs) and the CMNT "black core".]
Associated Projects / Efforts (cumulative): the AVE (brown core) and CMNT (black core) items of the preceding slides; MEC; NetTop – "Network on a Desktop"; OND (Cyber JOA): ENIs, PNIs, ANIs, CNIs; CDCI – Cross-Domain Controlled Interface; CCER – CENTRIXS Cross Enclave Req't
Satisfies the CENTRIXS Cross Enclave Requirement (CCER). Currently done by Trusted Network Environment (TNE).
GIG 3.0 Building Blocks – Phase 1 Summary
[Figure: the complete Phase 1 stack: CMNT "black core"; AVE Environment "brown core" (UNCLASSIFIED and CLASSIFIED AVEs); Multi-Enclave Clients (MECs); three ONDs containing VSEs; CDCIs between them.]
Associated Projects / Efforts: AVE (brown core): IPSec – Internet Protocol Security; IPv6 – Internet Protocol Version 6; IKE – Internet Key Exchange; Naming convention; IP Addressing; DCSP – Differential Code Service Point; DNS – Domain Naming Service; DNN – Domain Network Node; VSE – Virtual Secure Enclaves; PINS – Protected Inter-nodal Network; ENIs - Enterprise Network Interface; PNIs - Partner Network Interface; ANIs – Application Network Interface; CNIs – Client Network Interface. CMNT (black core) – Common Msn Net Transport: MPLS – Multi-Protocol Layered Switching; HAIPE – High Assurance IP Encryption; IPv6; Naming convention; IP Addressing; DNS; DNN. MEC; NetTop – "Network on a Desktop". OND (Cyber JOA): ENIs, PNIs, ANIs, CNIs. CDCI – Cross-Domain Controlled Interface; CCER – CENTRIXS Cross Enclave Req't
Phase 2: Control, Instrument and Conceal the Information Infrastructure
Instrument the network with sensors at strategic points
[Figure: the Phase 1 stack (CMNT "black core", AVE Environment "brown core", MECs, ONDs with VSEs, CDCIs) with sensors placed throughout.]
Feed network awareness system and risk-based decision support systems (RISK).
Provide network control and quality of service tools
[Figure: the instrumented Phase 1 stack.]
Monitor and control traffic precedence based on both Virtual Private Networking and Quality of Service.
Develop concealment tools, techniques and procedures
[Figure: the Phase 1 stack.]
System visibility and access is controlled.
GIG 3.0 Building Blocks – Phase 2 Summary
[Figure: the instrumented Phase 1 stack (CMNT "black core", AVE Environment "brown core", MECs, ONDs with VSEs, CDCIs, sensors).]
Cyberspace: Control, Situation Awareness, Concealment
GIG 3.0
Design Approach
Questions / Discussion
GIG 3.0 Governance
This brief is classified: UNCLASSIFIED
Mr. Randy Cieslak, CIO, U.S. Pacific Command
25 October 2010
[Figure: an Operational Network Domain bounded by a Dedicated Network Domain Gateway built from Dedicated Network Enclave Gateways (DNEG), with reserved interfaces for the DISN and for Coalition A; inside, Conventional Sites, Agile Virtual Enclave (AVE) Enabled Sites and a Future Agile Virtual Enclave (AVE) Capability, overseen by a Network Operations Center.]
Conventional Site Conventional Site Agile Virtual
Enclave (AVE)
Enabled Site
Agile Virtual
Enclave (AVE)
Enabled Site
Future Agile
Virtual Enclave
(AVE)
Capability
108
Operational Network Domain
Network Operations Center
This presentation and individual slides contain privileged information. Any unauthorized disclosure, distribution,
alteration or dissemination of the contents of this information for monetary gain is prohibited.
Conventional Site Conventional Site Agile Virtual
Enclave (AVE)
Enabled Site
Agile Virtual
Enclave (AVE)
Enabled Site
Future Agile
Virtual Enclave
(AVE)
Capability
109
Operational Network Domain
Network
Operations
Center
This presentation and individual slides contain privileged information. Any unauthorized disclosure, distribution,
alteration or dissemination of the contents of this information for monetary gain is prohibited.
[Slide 110, diagram (build of the same Operational Network Domain figure): Conventional Site, Conventional Site, AVE Enabled Site, AVE Enabled Site, Future AVE Capability; Network Operations Center. Added in this build: ENCLAVE A, ENCLAVE B, ENCLAVE C and their CDS/MDS CONFIGURATIONS.]
CDS/MDS = Cross Domain System / Multi-Domain System
[Slide 111, diagram: three Net Ops Centers, each serving three commands (Command A, B, C; Command D, E, F; Command G, H, I), laid over the columns EUCOM OND, DOD Enterprise, CENTCOM OND, PACOM OND. Below them: ENCLAVE A, ENCLAVE B, ENCLAVE C with a CDS CONFIG, all riding on COMMON INFRASTRUCTURE.]
[Slide 112, diagram: columns EUCOM OND, DOD Enterprise, CENTCOM OND, PACOM OND with a CDS CONFIG. A Command Risk Authority is placed in each of the three ONDs; an Information Domain Control Authority is placed in each of the four columns. Virtual Secure Enclaves (VSEs) ENCLAVE A, ENCLAVE B and ENCLAVE C each connect to every OND through a DNEG (nine DNEGs in total), all riding on COMMON INFRASTRUCTURE.]
[Slide 113, diagram: same layout as slide 112 (columns EUCOM OND, DOD Enterprise, CENTCOM OND, PACOM OND; CDS CONFIG; Virtual Secure Enclaves (VSEs) ENCLAVE A, B, C; nine DNEGs; COMMON INFRASTRUCTURE), with the Command Risk Authority in each OND relabelled OND Risk Authority and an Information Domain Control Authority in each column. Added in this build: MOAs (seven shown) linking the authorities, and an ATO for each of the three ONDs.]