Effects of restricting ports 20/21 on DoD Networks and Information Transfer Operations
Fall COPC 2007
Mr. Walter L. Coley, Jr., JAG/CCM Chair
Feb 04, 2016
Overview
Guidance
Effects
DoC Initiative
Navy Initiative
AFW Initiative
Options
Recommendation
Guidance
All standards are based on NIST guidance
DoC follows NIST
DoD modified to satisfy mission
Use of anonymous protocols is restricted
“Risk Accepted by one is accepted by all”
Guidance concerns IPv4
IPv6 guidance is under review
DISA Guidance
Guidance (cont.): What the Chart Colors Mean
Guidance from PPS Category Assignments list release 6.8.1 (Aug 2007)
Those PPS designated as Red will be severely restricted.
Those PPS designated as Yellow may be allowed through with specific negotiation and limitations on use.
Acceptance of those PPS designated as Green is generally automatic.
Effects
No more unrestricted data transfer
All traffic is segmented outside VPN
DoD can push and pull data
Non-DoD can only push or pull data within DATMS-U
No more store and forward systems
Acceptable Services
Short Term Goal – all sites (6 months)
FTP Ports 20/21 (Conditional)
Session from Enclave DMZ to DoD Network to Enclave DMZ
HTTP (Port 80 for non-DoD only)
HTTPS (TCP) Port 443
Long Term Goal
SFTP (SSH) Port 22 only
HTTPS (TCP) Port 443
HTTP (Port 80 for non-DoD only)
Acceptable Services (cont)
DDM-SSL (TCP) Port 448
FTPS-DATA (TCP) Ports 989/990 (Army)
Some other proprietary services
SFTP has most utility and economy
DoD can initiate FTP sessions
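As an added example, not part of the presentation: a small Python audit that classifies constructed flow records against the acceptable-services list on the two slides above, under the short-term phase (FTP 20/21 still conditional between Enclave DMZ and DoD Network) and the long-term phase (SFTP port 22 only). The port-to-service mapping follows the slides; the flow-record format, the zone names (external, enclave_dmz, dod_network), the DoD/non-DoD initiator flag, and the decision to treat DDM-SSL 448 and FTPS 989/990 as conditional are assumptions made here for illustration.

```python
"""Flow-record audit against the acceptable-services list on the slides.

Added example, not from the presentation. The service-to-port mapping
follows the slides; the record format, zone names, the DoD/non-DoD flag
and the handling of "conditional" services are assumptions made here.
"""
from collections import Counter
from dataclasses import dataclass

SHORT_TERM = "short_term"   # first 6 months: FTP 20/21 still conditional
LONG_TERM = "long_term"     # SFTP 22 only for file transfer


@dataclass(frozen=True)
class Flow:
    src_zone: str     # assumed zone names: external, enclave_dmz, dod_network
    dst_zone: str
    proto: str        # "tcp" or "udp"
    dport: int
    src_is_dod: bool  # True when the initiating site is a DoD site (assumption)


def parse_flow(line: str) -> Flow:
    """Parse one constructed record: src_zone,dst_zone,proto,dport,dod|nondod."""
    src, dst, proto, dport, who = [f.strip() for f in line.split(",")]
    return Flow(src, dst, proto.lower(), int(dport), who.lower() == "dod")


def classify(flow: Flow, phase: str) -> str:
    """Return 'allowed', 'conditional' or 'denied' for one flow under a phase."""
    if flow.proto != "tcp":
        return "denied"                 # only TCP services appear on the list
    p = flow.dport
    if p == 443:                        # HTTPS: acceptable in both phases
        return "allowed"
    if p == 22:                         # SFTP (SSH): the long-term transfer service
        return "allowed"
    if p == 80:                         # HTTP: listed for non-DoD only
        return "denied" if flow.src_is_dod else "allowed"
    if p in (20, 21):                   # FTP: conditional in the short term only
        if phase != SHORT_TERM:
            return "denied"
        ok = {flow.src_zone, flow.dst_zone} == {"enclave_dmz", "dod_network"}
        return "conditional" if ok else "denied"
    if p in (448, 989, 990):            # DDM-SSL, FTPS-DATA (Army): assumed conditional
        return "conditional"
    return "denied"


def audit(lines, phase):
    """Classify every record; return verdict counts and the denied records."""
    counts = Counter()
    denied = []
    for line in lines:
        if not line.strip():
            continue
        verdict = classify(parse_flow(line), phase)
        counts[verdict] += 1
        if verdict == "denied":
            denied.append(line.strip())
    return dict(counts), denied


SAMPLE_FLOWS = [  # constructed records, not captured traffic
    "enclave_dmz,dod_network,tcp,21,dod",
    "external,enclave_dmz,tcp,21,nondod",
    "external,enclave_dmz,tcp,80,nondod",
    "dod_network,enclave_dmz,tcp,80,dod",
    "enclave_dmz,dod_network,tcp,22,dod",
    "external,enclave_dmz,tcp,443,nondod",
    "external,enclave_dmz,tcp,23,nondod",
    "enclave_dmz,dod_network,udp,69,dod",
]

if __name__ == "__main__":
    for phase in (SHORT_TERM, LONG_TERM):
        counts, denied = audit(SAMPLE_FLOWS, phase)
        print(phase, counts)
        for rec in denied:
            print("  denied:", rec)
```

Running the same records under both phases shows the effect the deck describes: the Enclave DMZ to DoD Network FTP session is conditional in the short term and denied once the long-term goal (SFTP only) is in force, while HTTPS and SFTP pass unchanged.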
Navy Initiative
FNMOC/NAVO are going through site accreditation
Required to secure communication ports and bring the operation in line with DISA/Navy guidance
Sites will use HTTPS and SFTP
DoC Initiative
NWS is moving away from FTP to HTTP(s)-based file transfer.
NWS will support SFTP
Need funding to support encryption
NESDIS uses Public Keys
NWSTG supports RSA 2 factor authentication
Air Force Initiative
Air Force supports SFTP and HTTPS
Systems tuned to work with DMZ
Conversion to data ‘pull’ system
Operational load and timing issues under study
Options
Option 1: Move methodically to secure networks in next 6 months
Can complete HTTPS, but not SFTP without funding
No driver for this or funding supporting rapid transition
Option 2: Continue to incrementally improve infrastructure and document as we go
Can still complete HTTPS in 6 months, limited use of SFTP
Same effect as Option 1 but slower and lower risk
Less potentially disruptive to operations
RECOMMENDATION
Option 2
Communication uses HTTPS and SFTP; FTP where essential
Convert all communications to work through DMZ where possible in next 6-12 months
Most work is done
All OPC locations continue to support ATO process
Questions?
Background Information
DISA Guidance
[Diagram: Ports Protocols & Services Category Assignment List (PPS CAL) Boundaries for FTP. Zones shown: External Network, Enclave DMZ, DoD DMZ, DoD Network, Internal DoD Network; boundary crossings numbered 1 to 16.]
DoD Network: NIPRNET, DATMS-U, DREN
Red – PPS CAL Denied/Restricted
Yellow – PPS CAL Conditional
15 – Red, 16 – Yellow
[Diagram: Ports Protocols & Services Category Assignment List (PPS CAL) Boundaries for SFTP. Zones shown: External Network, Enclave DMZ, DoD DMZ, DoD Network, Enclave DoD Network; boundary crossings numbered 1 to 16.]
DoD Network: NIPRNET, DATMS-U, DREN
Red – PPS CAL Denied/Restricted
Yellow – PPS CAL Conditional
15 – Green, 16 – Yellow
[Diagram: Ports Protocols & Services Category Assignment List (PPS CAL) Boundaries for HTTPS. Zones shown: External Network, Enclave DMZ, DoD DMZ, DoD Network, Internal DoD Network; boundary crossings numbered 1 to 16.]
DoD Network: NIPRNET, DATMS-U, DREN
Red – PPS CAL Denied/Restricted
Yellow – PPS CAL Conditional
15 – Green, 16 – Green
DMZ Communications
[Diagram: DMZ Communications. Zones shown: AF DMZ, Navy DoD Network DMZ, External Network DMZ.]