GIG 3.0 Design Factors - Public Intelligence
This presentation and individual slides contain privileged information. Any unauthorized disclosure, distribution,
alteration or dissemination of the contents of this information for monetary gain is prohibited.
GIG 3.0 Design Factors
An Architecture Proposal for
Aligning NetOps to the Operational Chain of Command
This brief is classified:
UNCLASSIFIED
Mr. Randy Cieslak, CIO
U.S. Pacific Command
11 January 2011
Cyberspace Operational Requirements
This brief is classified:
UNCLASSIFIED
Brig Gen Brett Williams,
Director, C4 Systems Directorate
Mr. Randy Cieslak, Chief Information Officer
U.S. Pacific Command
12 November 2010
Geographic JOAs
Where is the CYBER JOA?
• REQUIREMENT: The JFC must C2 cyberspace operations in the same way he executes C2 in the air, land and maritime domains.
• CONCERNS:
– JFCs lack the architecture, CONOPS, TTP, personnel, training, tools, doctrine and policy for full spectrum cyber operations.
– “It’s all one big GIG, there is no Cyber JOA.”
– The GIG was not built for operations.
– Sensors are not effectively focused on critical C2 services.
– Type 1 encryption is not responsive to operational requirements.
– Mission-Risk authority in cyberspace is currently held by CYBERCOM and the Services, not the JFC.
Cyberspace is the only man-made domain. It can and must be shaped for the JFC to make decisions, direct actions and accept risk in a way that does not affect the rest of the GIG.
GIG 3.0
• GIG 2.0 promised an information advantage to the warfighter.
– It did not address the key issue of “one big GIG”.
– It did not align the architecture to the chain of command.
• Components of GIG 3.0:
– Cyber JOA defined by an Operational Network Domain (OND)
– Enclaved architecture to enable defense in depth, information sharing and agility
– Multi-enclave client for efficient information access
– Associated personnel, training, tools and TTP to C2 Cyberspace Operations
Current Architecture
[Figure: Defense Enterprise (DISN; DISA Enterprise Services; Military Service Enterprise Services) feeding an Operational Theater (Theater Application Services; HUBs with Common Clients, Single Enclave; Command Client Suite). CYBERCOM/Services hold Mission-Risk Authority across the enterprise; the JFC’s authority in the theater is marked “?”.]
Characteristics of a Cyber JOA
• The Cyber JOA defines the friendly forces operational network domain and is focused on the operate and defend mission.
• The Cyber JOA provides a platform for dynamic network defense and facilitates CNA and CNE.
• The Cyber JOA is defined by the systems and networks critical for Joint Force Command and Control.
• The Cyber JOA is governed by existing doctrine and policy.
• The Cyber JOA allows the commander to:
– Sense the environment
– Make decisions
– Direct operations
– Assume risk
• The Cyber JOA requires CYBERCOM and the services to execute their GIG-wide responsibilities within the JOA.
Defining the JFC’s “Cyber JOA”
[Figure: the same Defense Enterprise / Operational Theater layout, with the theater bounded as an Operational Network Domain and joined to the enterprise through a Dedicated Network Domain Gateway (DNDG) controlled interface. Inside the OND the Joint Force Commander is supported and has Mission-Risk authority; outside it CYBERCOM is supported and has Mission-Risk Authority.]
Tenets of an Operational Network
• The network must be Commander Centric
– Commanders balance risk against mission in all domains except cyber
– An operational network addresses this issue by aligning NetOps to the Operational Chain of Command
– The GIG cannot be vulnerable to risk assumed by one commander
– The operational network must accommodate the scheme of maneuver
• Commanders must define the requirements for designing and building the Operational Network
• Commanders must have the authority and responsibility to operate and defend the operational network.
• Supported and supporting roles must be articulated
– Clear delineation between the responsibilities of the service components and the operational commander
– Clear definition of STRATCOM/CYBERCOM’s role to support the operational network while they Operate and Defend the GIG
Barriers to Operationalizing the Network
• It’s all one big GIG; there are no JOA boundaries in cyberspace.
• We are burdened by the costs and policy associated with TYPE 1 encryption — this works against the flexibility, adaptability and robustness needed to accommodate the scheme of maneuver.
• Current culture and doctrine delegate OPCON of all forces except Cyber forces to the Operational Commander. Services and CYBERCOM retain network authority and responsibility.
10 Propositions Regarding Cyberspace Operations (with acknowledgement to Phil Meilinger’s 10 Propositions Regarding Air Power)
1. The commander is responsible for cyberspace operations; he must C2 cyber just as he does the air, land and maritime domains.
2. C2 of cyberspace is the foundation for operational C2.
3. There are four lines of operation in cyber (operate, defend, attack and exploit), and defense is the dominant mission.
4. The commander must see and understand cyberspace to defend it, and he cannot defend it all.
5. Cyberspace operations must be fully integrated with operations in the physical domains.
6. Our understanding of non-kinetic effects in cyber is immature.
7. Operational requirements drive cyber architecture, not the other way around.
8. Cyber is the only man-made domain: we built it, we can change it.
9. Operational impact is the relevant information, not number of megabytes exfiltrated.
10. Networks will always be critical and vulnerable: disconnecting is not an option, we must fight through the attack.
2 Nov 2010
Operationalizing the Network
• It’s all one big GIG; there are no JOA boundaries in cyberspace.
• We are burdened by the costs and policy associated with TYPE 1 encryption — this works against the flexibility, adaptability and robustness needed to accommodate the scheme of maneuver.
• Current culture and doctrine delegate OPCON of all forces except Cyber forces to the Operational Commander. Services and CYBERCOM retain network authority and responsibility.
Proposed solution: Operational Network Domain (OND)
– Defines the “Commander’s Cyberspace JOA”
– Utilizes encryption techniques that give the Operational Commander the capability to C2 Cyberspace
Fundamental Network Challenge and Proposed Solution
Agile Virtual Enclave (AVE)
Virtual Secure Enclave (VSE)
This brief is classified:
UNCLASSIFIED
Mr. Randy Cieslak, Chief Information Officer
U.S. Pacific Command
8 December 2010
Current Network Design—This needs to change
[Figure: Sensitive Unclassified Networks, Secret NOFORN, Secret for Allies and SCI & SPECATs each reach the user through their own KG crypto devices and firewalls (FW) before meeting at a common CORE or BACKPLANE; the user is left with a tangle of devices (“?@#?!”).]
Virtual Secure Enclaves (VSE)
The foundation of the Operational Network Domain
• The Operational Network is built on IPsec-based VSEs.
• IPsec (short for IP Security) is a set of protocols to support secure exchange of packets at the IP layer. IPsec has been deployed widely to implement robust Virtual Private Networks (VPNs).
• IPsec provides a COTS/GOTS encryption capability that is certified for up to SECRET data.
• Advantages of IPsec over TYPE 1 encryption:
– Reduces the Controlled Crypto “overhead”
– Allows visibility into network traffic to enable use of Network Management Tools to execute QOS
– Simplifies adding and removing enclaves from the OND
– Potential to facilitate Computer Network Operations (CNO)
TYPE 1 without IPSec
[Figure: Service SIPRNETs, Coalition C2 Nets and IC Networks, each running through its own chain of HUBs.]
Each enclave is a separate network requiring its own separate infrastructure. (It’s not this neat and orderly.)
Components of an IPSec Virtual Secure Enclave (VSE)
[Figure: a Network Enclave with a Firewall Server Suite. Conventional client computers enter a Client Services VPN, which is carried inside a Protected Inter-Nodal Network (PIN) VPN; at the server end sit a Counter-Denial of Service (DOS) Firewall, a Service Protection Firewall, IPSEC VPN devices for both layers, the Customer Service Point (CSP) and the Application Service Point (ASP).]
Application Service Point (ASP) – Suite of servers dedicated to a single enclave to provide application services (e.g., Web, E-Mail, COP and the like).
Customer Service Point (CSP) – User interface to the enclave.
Client Services VPN – Protects users’ data using NSA-certified IPSec encryption. (First layer of wrapping.)
Protected Internodal Network (PIN) VPN – Protects the network from intra-enclave threats such as malicious insiders, high-risk applications, or poor system hygiene. (Outer layer of wrapping.)
ASP Firewalls – Protect the IPSec crypto from Denial-of-Service (DOS) attacks and add the robustness required for cross-domain use of a common network infrastructure by the application service.
Network Enclave – A protected network environment that contains a single security domain (e.g., SECRET//REL USA).
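As an added illustration (not code from the brief, PACOM or NSA), the Python model below walks a packet through the two wrapping layers defined above: the Client Services VPN is applied first, the PIN VPN outermost, and the ASP-side firewall admits only PIN traffic before any crypto runs. Keys, SPIs, the sequence numbers and the integrity-only treatment are assumptions; encryption is omitted because the standard library has no AES.

```python
"""Two-layer IPsec wrapping inside a Virtual Secure Enclave (VSE): constructed
model, not PACOM or NSA code.  Each layer is an ESP-like wrapper,
header(SPI, seq, domain) || inner bytes || tag, with a truncated HMAC-SHA256 as
the ICV; encryption is omitted (no AES in the stdlib), so read it as integrity-only ESP."""
import hashlib
import hmac
import struct
from dataclasses import dataclass, field

TAG_LEN = 16                  # truncated HMAC, in the role of ESP's integrity check value
HDR = struct.Struct(">IIH")   # SPI, sequence number, length of the domain label


class LayerError(Exception):
    """A layer rejected the packet; the packet is dropped."""


@dataclass
class SecurityAssociation:
    """One direction of one tunnel; keys are assumed set up out of band (IKE)."""
    name: str
    key: bytes
    spi: int
    domain: bytes                            # the single security domain of the enclave
    seen: set = field(default_factory=set)   # accepted sequence numbers (anti-replay)

    def wrap(self, seq, inner):
        body = HDR.pack(self.spi, seq, len(self.domain)) + self.domain + inner
        return body + hmac.new(self.key, body, hashlib.sha256).digest()[:TAG_LEN]

    def unwrap(self, packet):
        if len(packet) < HDR.size + TAG_LEN:
            raise LayerError(f"{self.name}: truncated packet")
        body, tag = packet[:-TAG_LEN], packet[-TAG_LEN:]
        good = hmac.new(self.key, body, hashlib.sha256).digest()[:TAG_LEN]
        if not hmac.compare_digest(tag, good):      # verify before parsing anything
            raise LayerError(f"{self.name}: integrity check failed")
        spi, seq, dlen = HDR.unpack(body[:HDR.size])
        domain = body[HDR.size:HDR.size + dlen]
        if spi != self.spi:
            raise LayerError(f"{self.name}: unknown SPI {spi:#x}")
        if domain != self.domain:                    # one enclave, one security domain
            raise LayerError(f"{self.name}: domain {domain!r} not carried here")
        if seq in self.seen:
            raise LayerError(f"{self.name}: replayed sequence number {seq}")
        self.seen.add(seq)
        return body[HDR.size + dlen:]


def make_enclave(domain=b"SECRET//REL USA"):   # constructed keys and SPIs
    return (SecurityAssociation("Client Services VPN", b"client-sa-key", 0x1001, domain),
            SecurityAssociation("PIN VPN", b"pin-sa-key", 0x2002, domain))


def client_send(payload, seq, client_sa, pin_sa):
    """Client crypto wraps first (layer 1); the PIN device adds the outer layer (layer 2)."""
    return pin_sa.wrap(seq, client_sa.wrap(seq, payload))


def asp_receive(packet, client_sa, pin_sa):
    """ASP side: counter-DoS firewall, then PIN crypto, then client crypto."""
    # The firewall admits only traffic for the PIN SA, judged on the cleartext
    # SPI, so stray or forged packets never reach the HMAC work behind it.
    outer_spi = struct.unpack(">I", packet[:4])[0] if len(packet) >= 4 else None
    if outer_spi != pin_sa.spi:
        raise LayerError(f"ASP firewall: dropped packet with SPI {outer_spi}")
    return client_sa.unwrap(pin_sa.unwrap(packet))


def exercise():
    """Run the cases the component definitions call out; returns label -> outcome."""
    client_sa, pin_sa = make_enclave()
    good = client_send(b"COP update", 1, client_sa, pin_sa)
    out = {"nested": asp_receive(good, client_sa, pin_sa)}
    rogue_pin = SecurityAssociation("PIN VPN", b"wrong-key", pin_sa.spi, pin_sa.domain)
    kor_client = SecurityAssociation("Client Services VPN", client_sa.key, client_sa.spi,
                                     b"SECRET//REL KOR")
    cases = {
        "client_only": client_sa.wrap(2, b"direct"),        # host bypassing the PIN device
        "replay": good,                                      # packet accepted once already
        "forged_pin": rogue_pin.wrap(3, client_sa.wrap(3, b"x")),   # key PIN devices lack
        "wrong_domain": pin_sa.wrap(4, kor_client.wrap(4, b"y")),   # other domain's label
    }
    for label, packet in cases.items():
        try:
            asp_receive(packet, client_sa, pin_sa)
            out[label] = "accepted"
        except LayerError as err:
            out[label] = str(err)
    return out
```

Only the fully nested packet is accepted; the other four cases show which component (firewall, PIN layer or client layer) stops each class of traffic the definitions mention.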
Building the Operational Network Domain, step by step (the original deck shows one diagram per step; only the diagram labels are kept here)
1. Establish a perimeter for the OND. [Figure: the enterprise SIPRNET, NIPRNET, service-unique and Coalition C2 networks reach site HUBs inside the Operational Network Domain.]
2. Establish a Type 1 perimeter for the classified enclaves. [Figure: a Type 1 Perimeter drawn around the HUBs.]
3. Establish an IPSec tunnel for enclave client services. [Figure: a Client Services IPSec VPN between each HUB and the SIPRNET Enclave.]
4. Establish an outer IPSec tunnel for network protection, called the Protected Inter-nodal Network (PIN). [Figure: a PIN IPSec VPN around the HUBs, plus a separate Enclave Operator Services IPSec VPN.]
5. Establish a controlled interface from the enterprise network to the OND enclave. [Figure: a Dedicated Network Gateway (DNGW) between enterprise SIPR and the SIPRNET Enclave.]
6. Swing operational area services to the associated OND enclave.
7. Repeat this process for internal operational networks. [Figure: a Coalition C2 Enclave and an IC Enclave, each behind its own DNGW.]
8. Additional enclaves can be added as modules. [Figure: a NIPRNET Enclave added behind its own DNGW.]
9. Configure and provide training to end-user sites and Data Centers accordingly. [Figure: Application Service Points at the Data Center, an End User Site, and enclave gateways labelled DEG.]
10. Take advantage of Multi-Enclave Clients from the Agile Virtual Enclave (AVE) Project. [Figure: Multi-Enclave Clients at the End User Site reaching every enclave through an AVE-enabled HUB.]
11. Take advantage of cross-domain gateways and guards to move information between enclaves (e.g., Trusted Network Environment (TNE)). [Figure: a Cross Domain Gateway on the AVE-enabled HUB to move info across domains.]
12. Monitor and control the OND. [Figure: a Network Operations & Security Center with control of risks, capabilities, performance and resources; Dynamic Computer Network Defense; Quality of Service by risk level, utility, priority and capacity; a Common Operational Picture.]
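Added example, not part of the brief: a small Python model of the separation rules the twelve steps set up, using hypothetical PACOM and USFK enclave names and links. It validates a topology (every DNDG joins an enterprise network to an enclave of the same domain, every CDCI actually crosses domains) and finds the controlled path, if any, between two points, which is the kind of check the step-12 operations center would want before trusting its picture of the OND.

```python
"""Separation model of an Operational Network Domain (OND) built from VSE enclaves:
constructed example, not PACOM's real topology.  Rules taken from the build steps:
an enclave carries one security domain; enterprise networks reach an OND enclave only
through a dedicated gateway (DNDG) of the same domain; information changes domain
only through a cross-domain controlled interface (CDCI)."""
from collections import deque
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Node:
    name: str
    domain: str        # e.g. "SECRET//REL USA", "SECRET//REL KOR", "UNCLASSIFIED"
    kind: str          # "enterprise" (DISN side) or "enclave" (a VSE inside an OND)
    ond: str = "DISN"  # owning OND for enclaves


@dataclass(frozen=True)
class Link:
    a: str
    b: str
    via: str           # "DNDG" (controlled interface) or "CDCI" (cross-domain guard)


@dataclass
class Topology:
    nodes: dict = field(default_factory=dict)
    links: list = field(default_factory=list)

    def add(self, *nodes):
        for node in nodes:
            self.nodes[node.name] = node

    def connect(self, a, b, via):
        self.links.append(Link(a, b, via))

    def validate(self):
        """Configuration findings a NOSC should clear before it monitors the OND."""
        findings = []
        for link in self.links:
            na, nb = self.nodes[link.a], self.nodes[link.b]
            if link.via == "DNDG":
                if na.domain != nb.domain:
                    findings.append(f"DNDG {link.a}<->{link.b} joins two domains; needs a CDCI")
                if {na.kind, nb.kind} != {"enterprise", "enclave"}:
                    findings.append(f"DNDG {link.a}<->{link.b} must join enterprise to enclave")
            elif link.via == "CDCI":
                if na.domain == nb.domain:
                    findings.append(f"CDCI {link.a}<->{link.b} joins one domain; use a DNDG")
            else:
                findings.append(f"link {link.a}<->{link.b} has no controlled interface")
        return findings

    def neighbours(self, name):
        for link in self.links:
            if link.a == name:
                yield link.b, link.via
            elif link.b == name:
                yield link.a, link.via

    def route(self, src, dst):
        """Breadth-first search over controlled interfaces only; None means denied."""
        prev = {src: None}
        queue = deque([src])
        while queue:
            cur = queue.popleft()
            if cur == dst:
                hops = []
                while prev[cur] is not None:
                    parent, via = prev[cur]
                    hops.append(f"{via}->{cur}")
                    cur = parent
                return [src] + hops[::-1]
            for nxt, via in self.neighbours(cur):
                if nxt not in prev:
                    prev[nxt] = (cur, via)
                    queue.append(nxt)
        return None


def build_example():
    """PACOM and USFK ONDs hanging off the DISN (hypothetical names and links)."""
    t = Topology()
    t.add(Node("SIPRNET", "SECRET//REL USA", "enterprise"),
          Node("NIPRNET", "UNCLASSIFIED", "enterprise"),
          Node("CENTRIXS-KOR", "SECRET//REL KOR", "enterprise"),
          Node("PACOM SIPR enclave", "SECRET//REL USA", "enclave", "PACOM"),
          Node("PACOM NIPR enclave", "UNCLASSIFIED", "enclave", "PACOM"),
          Node("USFK SIPR enclave", "SECRET//REL USA", "enclave", "USFK"),
          Node("USFK KOR enclave", "SECRET//REL KOR", "enclave", "USFK"))
    t.connect("SIPRNET", "PACOM SIPR enclave", "DNDG")
    t.connect("SIPRNET", "USFK SIPR enclave", "DNDG")
    t.connect("NIPRNET", "PACOM NIPR enclave", "DNDG")
    t.connect("CENTRIXS-KOR", "USFK KOR enclave", "DNDG")
    t.connect("USFK SIPR enclave", "USFK KOR enclave", "CDCI")  # guarded US<->KOR transfer
    return t
```

A route from the PACOM SIPR enclave to the USFK KOR enclave passes two DNDGs and the CDCI; a route from the PACOM NIPR enclave to any SECRET enclave is denied because no guard joins those domains.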
OND-related Areas of Responsibility
[Figure: the enterprise-side SIPR, NIPR, IC and service-unique networks and their DNGWs are the Supporting Service/Agency responsibility; the OND’s SIPRNET, NIPRNET, Coalition C2 and IC enclaves, the AVE-enabled HUB, the Multi-Enclave Clients and the Cross Domain Gateway are the Supported Operational Command responsibility.]
Operational Network Domains (OND) and Security Domain Enclaves through the Classified Military Network (CMILNet)
This brief is classified:
UNCLASSIFIED
Mr. Randy Cieslak, CIO
U.S. Pacific Command
29 June 2010
Technical Challenges
• Challenge #1: Creation of Agile Virtual Enclaves (AVEs), which are networked security domains that allow reuse of the same network infrastructure from the client through the network cloud.
• Challenge #2: Creation of Operational Network Domains (ONDs) with sufficient strength of separation to support different risk jurisdictions within each AVE.
– Virtual Secure Enclaves (VSEs) are the instantiation of AVEs within the OND.
• Challenge #3: Creation of a “black core capable” DISN designed to create Agile Virtual Enclaves (AVEs) to enable Virtual Secure Enclaves within Operational Network Domains (ONDs).
– Must accommodate more than NIPRNET, SIPRNET, and JWICS.
Solution Toolkit – Network Virtualization
• Performance-based Virtualization (use these for ONDs)
– Multi-Protocol Label Switching (MPLS)
– Generic Routing Encapsulation (GRE)
– Virtual Local Area Networks (VLAN)
• Security-based Virtualization, a.k.a. Virtual Private Networks (VPNs)
– High Assurance Internet Protocol Encryption (HAIPE)
– Internet Protocol Security (IPSec) (use this for AVEs and VSEs)
– Transport Layer Security (TLS)
Solution must employ both types of virtualization, together, to optimize capability, security and performance.
Technical Solutions
• Challenge #1: Creation of Agile Virtual Enclaves (AVEs), which are networked security domains that allow reuse of the same network infrastructure from the client through the network cloud.
• Solution #1: Employ rigorously tested IPSec implemented in accordance with NSA standards.
• Challenge #2: Creation of Operational Network Domains (ONDs) with sufficient strength of separation to support different risk jurisdictions within each AVE.
• Solution #2: Employ Intrusion Protection System (IPS)-based firewalls with access controls and service filters.
• Challenge #3: Creation of a “black core capable” DISN designed to create Agile Virtual Enclaves (AVEs) to enable Virtual Secure Enclaves within Operational Network Domains (ONDs).
• Solution #3: Employ a next-generation network strategy that accommodates solutions 1 and 2 as a fourth enterprise network domain (GIG 3.0), using MPLS-based domain techniques and IPv6, improving upon how SIPRNET and NIPRNET are done on the DISN.
Why We Need a Black Core CMILNet
[Figure: Today’s Network, the Singapore case: CENTRIXS-SGP, CENTRIXS-CMFP, CENTRIXS-GCTF, SIPRNET and NIPRNET / Internet are each carried as a packet with several nested headers (H) around a small payload (P), so payload efficiency is low and performance poor. CMILNet Black Core: one header per packet, payload efficiency high and performance good.]
Global Enterprise OND Concept – Today’s State
[Figure: DSN, DRSN, DVS-G, JWICS, NIPRNET and SIPRNET each terminate on their own premise equipment (P, UPE, CPE) in front of the DISN Backbone; a second view shows only JWICS, NIPRNET and SIPRNET.]
UPE – Unclassified Premise Equipment
CPE – Classified Premise Equipment
P – Premise Equipment
Global Enterprise OND Concept – Near Term?
[Figure: JWICS, NIPRNET and SIPRNET premise equipment joined by Black Premise Equipment (BPE) in front of the DISN Backbone.]
BPE – Black Premise Equipment
Extremely useful in the creation of CMILNet
Common Mission Network Transport (CMNT)
Global Enterprise OND Concept
[Figure: the DISN Backbone carries JWICS (DoDIIS, NSA Net, NGA Net, etc.), NIPRNET (Navy, Army, Marine Corps, Air Force and Agency NIPRNETs) and SIPRNET (Navy, Army, Marine Corps, Air Force and Agency SIPRNETs); premise equipment is marked P, C, U and B. An OND Dedicated Network Gateway serves the CENTCOM Afghan Mission Network (AMN).]
[Figure: the CENTCOM AMN OND holds CMFC, GCTF, ISAF and MNFI enclaves with CCER and TNE, serving Agency, Air Force, Navy, Marines and Army clients and the Internet; logical connections run enclave to enclave, actual connections run through the backbone.]
[Figure: theater ONDs added: PACOM (CMFP, GCTF, KOR, JPN), EUCOM (NATO, GCTF, FRA, ITA), AFRICOM (NATO, GCTF, FVEY, SAF), NORTHCOM (FEMA, GCTF, FVEY, CAN) and SOUTHCOM (MLEC, GCTF, COL, MEX), each with Agency, Air Force, Navy, Marines and Army clients, Internet access, CCER and TNE; the same view is then labelled MILNet (GIG 3.0).]
[Figure: end state: the DISN Backbone carrying GIG 3.0 / MILNET alongside JWICS, NIPRNET and SIPRNET, with the EUCOM, CENTCOM, PACOM, AFRICOM, NORTHCOM and SOUTHCOM ONDs hanging off the black premise equipment (B).]
[Figure: theater ONDs on the DISN Backbone (Black Core). PACOM OND: SIPRNET, NIPRNET, CMFP, GCTF, ACGU, FVEY, Internet, CDCI, HADR, MOBILITY, HLD/LE, S-VSE. NORTHCOM OND: SIPRNET, NIPRNET, CMFP, GCTF, ACGU, FVEY, Internet, CDCI, S-VSE, HADR, MOBILITY, HLD/LE. CENTCOM OND: SIPRNET, NIPRNET, CNFC, GCTF, AMN, FVEY, Internet, CDCI, HADR, MOBILITY, HLD/LE, S-VSE. AFRICOM OND: SIPRNET, NIPRNET, CMFA, GCTF, ACGU, FVEY, Internet, CDCI, HADR, MOBILITY, HLD/LE, S-VSE. EUCOM OND: SIPRNET, NIPRNET, NATO, GCTF, ACGU, FVEY, Internet, CDCI, HADR, MOBILITY, HLD/LE, S-VSE. SOUTHCOM OND: SIPRNET, NIPRNET, MLEC, GCTF, ACGU, FVEY, Internet, CDCI, S-VSE, HADR, MOBILITY, HLD/LE. Backbone networks: SMILNet .smil.mil (SIPRNET), CMILNet .cmil.mil (CENTRIXS), Inter-Agency Networks .gov / .net, MILNet .mil (NIPRNET), and the Internet through an IAP.]
Legend: OND; VSEs; Dedicated Network Domain Gateway (DNDG); Dedicated Network Enclave Gateways (DNEG); CDCI – Cross Domain Controlled Interface; IAP – DISN Internet Access Point; DISN Backbone (Black Core); yellow highlight – Primary C2 Network (PCN); S-VSE – Standby VSE; AMN – Afghan Mission Network.
[Figure: the US Forces Korea OND (SIPRNET, NIPRNET, UNCK, KOR, Internet, CDCI) beside the PACOM OND (SIPRNET, NIPRNET, CMFP, GCTF, ACGU, FVEY, Internet, CDCI, HADR, MOBILITY, HLD/LE, S-VSE) on the DISN Backbone (Black Core), with the same backbone networks and legend as the previous figure.]
[Figure: the US Forces Korea OND alone, with the same backbone networks and legend.]
[Figure: U.S. Forces Korea (USFK) Operational Network Domain (OND), the “Korea Mission Network” (KMN). Backbone: MILNet .mil (NIPRNET), SMILNet .smil.mil (SIPRNET), CMILNet .cmil.mil (CENTRIXS), and the Internet through an IAP. USFK enclaves: SIPRNET, NIPRNET, UNCK, KOR and Internet, joined by CDCIs. Multilateral enclaves and coalition links: GBR, AUS, CAN, KOR, NZL, THA, PHI, BEL, COL, DNK, FRA, GRC, NLD, NOR. Client Commands (e.g., Osan, Taegu, Yongsan) with Multi-Enclave Clients (MEC) reach Application Service Points (ASP) over the KMN Backbone; KOR is the Primary C2 Network. Logical and actual connections are drawn separately.]
Legend: Dedicated Network Domain Gateway (DDG); Dedicated Network Enclave Gateway (DEG); Dedicated Network Gateways (DNG); IAP – DISN Internet Access Point; CDCI – Cross Domain Controlled Interface.
UNCK – United Nations Command Korea
Country Codes: AUS – Australia; BEL – Belgium; COL – Colombia; DNK – Denmark; FRA – France; GRC – Greece; GBR – United Kingdom of Great Britain; KOR – Republic of South Korea; NLD – Netherlands; NZL – New Zealand; NOR – Norway; PHI – Philippines; THA – Thailand
Selected GIG 3.0 Components to Show On the Next Slide – Geographic Topology for CENTRIXS-KOR
[Figure: the KOR enclave, its CDCIs, a Client Command (e.g., Osan) and CMILNet .cmil.mil (CENTRIXS), extracted from the KMN view above.]
GIG 3.0 Interface Components
[Figure: System Component View, internal to a single security enclave: a DISN Link from the DESP through the ENI to the DNEG and NDSN, a Partner Link from the PNSP through the PNI, the CNI and ANI on the enclave side, and a Cross-Domain Link through a CDCI. System Design View: CDSP, DNN, ASP and CSP around the KOR enclave, with CDCIs, a Client Command (e.g., Osan) and CMILNet .cmil.mil (CENTRIXS).]
Acronyms
ASP – Application Service Point
ANI – Application Network Interface
CNI – Client Network Interface
CDCI – Cross-Domain Controlled Interface
CDSP – Cross-Domain Service Point
CSP – Customer Service Point
DESP – Defense Enterprise Service Point
DNEG – Dedicated Network Enclave Gateway
DNN – Domain Network Node
ENI – Enterprise Network Interface
NDSN – Network Domain Service Node
NSP – Network Service Point
PNI – Partner Network Interface
PNSP – Partner Network Service Point
GIG 3.0 Interface, Enclave and Service Point Definitions
• ASP – Application Service Point
– Server suite and software that provides application programs to the user.
– Examples: Microsoft Exchange Server, Apache Web Server
• ANI – Application Network Interface
– Network router or switch that connects the ASP to the network
• AVE – Agile Virtual Enclave
– IPSec-based Virtual Private Network (VPN) that provides robust protection of an information sharing enclave across the enterprise. Each CENTRIXS network can be implemented on the same network infrastructure using AVEs.
• CNI – Client Network Interface
– VSE IPSec crypto and network router or switch that connects the ASP to the Client VPN. Is the ASP interface for the MECs.
• CDCI – Cross-Domain Controlled Interface
– High assurance filter and guard that provides for a controlled transfer of information between enclaves (e.g., between CENTRIXS-KOR and CENTRIXS-UNCK).
• CDSP – Cross-Domain Service Point
– Relative to one enclave (e.g., CENTRIXS-KOR), the service point providing information from another domain (e.g.,