Ports and Protocols FAQ

Size: px

Start display at page:

Download "Ports and Protocols FAQ"

Robyn Townsend
6 years ago
Views:

1 CLASSIFICATION: UNCLASSIFIED Ports and Protocols FAQ 1. What is the timeline for closing ports and protocols? 2. What TCP/UDP ports are affected? 3. What about ports ,535? 4. Will outbound data requests be affected by the Ports and Protocols Program? 5. What about protocols? 6. If DoD is going to close a port, can I change the port the service or application uses to a port number that is open? 7. Who has access to the Ports and Protocols Registration System? 8. Who are the authorized organizational POC's? 9. What if a DoD Component POC doesn't have access to the SIPRNET? 10. How do I register my Ports and Protocols Utilization? 11. If another Component has an approved waiver for a port that I am also interested in, do I need to submit a waiver request? 12. What happens if, at 0200 hours, I discover that a port has been closed and I need it opened immediately? 13. What are the guidelines being used to determine that a port will be opened? 14. If a DoD Component requires a port to be opened, will it be opened only for that Component? 15. What will happen to the DoD Ports and Protocols Program if the DoD undertakes significant operational missions? 16. What about backdoors and non-niprnet DoD networks? 17. Where can I find additional information? 18. What happens after a Component POC submits a request? 19. What happens after the DSAWG makes a decision on a system? 20. What is the Appeal process? 21. Does the DoD PnP Program affect DoD-to-DoD network traffic? What is the timeline for closing ports and protocols? The inbound port blocking will commence approximately 13 April 2003, (60 days following the release of the implementation message by STRATCOM, which was released on 13 February 2003). (1 of 9)6/1/2005 6:57:26 AM

2 The JTF-GNO will start with ports on approximately 13 April The remainder of ports will be based on the success of the first block closures. It is intended to increase the number of ports closed into larger blocks in order to facilitate completing the process. Inbound transport layer protocol blocking will begin following the initial port blocking effort. What TCP/UDP ports are affected? Only inbound requests for ports in the range What about ports ,535? A few selective ports are blocked if they represent a clear and present danger to DoD networks. Blocking all of the high ports would cause the TCP/IP protocol suite to fail resulting in the NIPRNET failing to operate. Will outbound data requests be affected by the Ports and Protocols Program? The Ports and Protocols Program only deals with inbound requests at this time. Outbound requests are not addressed. What about Protocols? (2 of 9)6/1/2005 6:57:26 AM

3 DoD Components are required to register automated information systems (AIS), as well as their associated transport layer protocols (TCP, UDP, etc.) in the DoD Ports and Protocol Registration System. Transport layer protocols that are not registered will be denied at the Internet access points. At this time, due to technical limitations, we are not able to differentiate between TCP and UDP port numbers on the router access control lists. In the very near future, we will be able to differentiate protocols on every port at the Internet gateways, and therefore need to ensure the proper protocols are registered in the database. If DoD is going to close a port, can I change the port the service or application uses to a port number that is open? No! Reassigning an application or service port number from its normal well known port number to another port number is call port redirection. In accordance with the DoD NIPRNET Ports, Protocols, and Services (PPS) Security Technical Guidance, section 4.4; recognized data services should operate on their accepted well known (system) ports they should not be redirected. For a complete listing of well known port numbers and associated services, please visit Who has access to the Ports and Protocols Registration System? DoD Component-authorized POCs designated to the JTF-GNO will be issued a logon ID and Password. The Primary POC for each Component may add or remove secondary POCs as necessary. If you have any questions on Registration System access contact DISA at baseld@ncr. disa.mil. (3 of 9)6/1/2005 6:57:26 AM

4 Who are the authorized organizational POC's? The PnP Points of Contact are posted on the introduction page. What if a DoD Component POC doesn't have access to the SIPRNET? A Microsoft Excel spreadsheet was developed that mirrors the requirements for the Registration System. Component POCs will complete the spreadsheet with the information required for submitting a waiver request. The POC will this completed spreadsheet to baseld@ncr.disa. mil. This information will be entered into the DoD PNP Registration System. Queries on a PNP request status and copies of the spreadsheet may be obtained by contacting baseld@ncr.disa.mil (703) How do I register my Ports and Protocols utilization? 1) As the authorized Component POC, you will be provided with an ID and Password based upon the information provided to the JTF-GNO 2) You will receive an with your Login and Password information and procedures on the SIPRNET. 3) Enter the information into the Login screen on pnp.cert.smil.mil (if you do not have access to the SIPRNET, see above FAQ entry). 4) Enter ports and protocol requests information into the registration system. 5) Ensure your system is accredited IAW the DoD Information Technology Security Certification and Accreditation Process (DITSCAP) DODI ) Check back later to verify request status. If another Component has an approved request for a port or protocol that I (4 of 9)6/1/2005 6:57:26 AM

5 am also interested in, do I need to submit a request? Yes! Should the other Component remove the request, or the DSAWG later revoke the request, and no other port/protocol request are contained within the registration system, the JTF-GNO would order the port/protocol blocked. What happens if, at 0200 hours, I discover that a port/protocol is being blocked and I need it opened immediately? The component should go through normal process to debug the problem, usually working through the DISA GNOSC. If it is discovered that the problem is a closed port, the component or GNOSC will contact the JTF-GNO watch officer and inform the watch officer of the port. The JTF-GNO watch officer will order the port opened. The DISA GNOSC will direct the port opened. Be advised, it will take at least 2 hours to open a port. The JTF-GNO will direct either to open only that port, or rollback the entire router access control list (ACL). This decision will be based on the criticality of the service or application. A Component POC will have 30 days to submit a formal request using the process specified in this document. Should the Component fail to submit the request the port will be closed. Should the Component submit a request for a service/application that was denied by the CCB, the JTF- GNO will not open that port. What are the guidelines being used to determine that a port or protocol will be opened? IAW the DoD NIPRNET Ports, Protocols, and Services (PPS) Security Technical Guidance, section E5.2, to obtain approval, a DoD Information System-related port or protocol must: Demonstrate a need to exist. (5 of 9)6/1/2005 6:57:26 AM

6 Not conflict with other ports or protocols. Not increase security risks associates with specific ports and protocols Comply with DoD instructions and the prescribed approval process. Use approved ports and protocols in a manner approved by a designated authority (the DoD CCB). Comply with required testing and/or vulnerability assessment procedure for new DoD information systems prior to approval. A port/protocol will be opened only if the DSAWG determines that the port/protocol is being used by a DoD mission critical and properly registered Automated Information System (AIS). It is the responsibility of the Component Ports and Protocols POC to express the importance of the port/service/application in the DoD Accreditation System. Additionally, it is the responsibility of the components to ensure all port/protocol requests are associated with an accredited AIS. If a Component requires a port to be opened, will it be opened only for that Component? No. Once the DSAWG determines that a Port is being used by a legitimate mission critical application or service, the port will be open for all. What will happen to the DoD Ports and Protocols Program if the DoD undertakes significant operational missions? The Commander JTF-GNO (CJTF) will constantly reevaluate the PNP initiative based on DoD operational tempo (OPTEMPO). Should the CJTF decide that continued implementation of the PNP initiative might have detrimental effects on current operations it will order a strategic pause until operations slow. The JTF-GNO will contact all POCs if this action is necessary. (6 of 9)6/1/2005 6:57:26 AM

7 What about backdoors and non-niprnet DoD networks? The DoD Ports and Protocols Program pertains to all DoD Internet access points all points connected to the Internet. All routers connected to the Internet must be as secure as directed by the DoD Ports and Protocols program. Where can I find additional information? The information on this web page will be updated frequently. Additional information can be obtained on the SIPRNET at Finally, there is a DoD Ports and Protocol Workshop for DoD Component POCs on 28 March Contact the JTF-GNO POC for more information. What happens after a Component POC submits a request? The JTF-GNO will not direct a port/protocol blocked if a there is a pending request from any DoD Component for a system that utilizes that port or protocol. Requests are consolidated by the Technical Applications Group (TAG) and passed to the PNP Configuration Control Board (CCB). The CCB will process requests by automated information system (AIS), in IP ranges as specified by the JTF-GNO. Any system that utilizes a port in that IP range will be reviewed by the CCB. The CCB, utilizing the TAG, will contact the system owners as specified in the PNP Registration System (typically the program manager or designated approval authority). The CCB will verify that the system is accredited, has a valid operational necessity, and will review operational impact if denied. Finally, the CCB will provide a recommendation to the DSAWG to approve or disapprove the request. The DSAWG will then make a decision on approving or disapproving the port utilization by the system (7 of 9)6/1/2005 6:57:26 AM

8 in question. What happens after the DSAWG makes a decision on a system? The DSAWG will approve or disapprove the system, and in some cases validate the decision with the DISN Flag Panel. The DSAWG will forward the results to the CCB. The CCB will forward the decision by to the relevant Component POC and the JTF-GNO. Finally the CCB will update the status of the request in the PnP Registration System to "Approved" or "Disapproved". Each decision will be valid for a specified period of time, normally 12 months. One of two actions may occur: 1. If the DSAWG approves the request, the ports/protocols used by that request will remain open for the time specified by the DSAWG. Before the exception approval expires the Component POC must resubmit the request to ensure the ports/protocols remain opened. Such resubmissions will be processed following the same registration process. 2. If the DSAWG disapproves a request, a Component POC has 30 days from the date of the DSAWG decision to submit an appeal to the DISN Flag Panel (see below). After 30 days, should an appeal not be submitted and no outstanding requests exist that utilizes those ports, the JTF-GNO will order the DISA GNOSC and all components that maintain Internet gateways to deny the port(s)/protocol(s). Once an appeal is submitted, the JTF-GNO will not take action until the DISN Flag Panel adjudicates the appeal. What is the Appeal process? Should a Component wish to present an appeal to the DISN Flag Panel, they should contact the DSAWG Chair directly, and, if appropriate, inform their representative on the DSAWG. More information on the DSAWG can be found at Under most circumstances the Component POC will be required to present an appeal in person to the DISN Flag Panel. IAW the direction of the ASD-C3I, as the DoD CIO, the decision of the DISN Flag Panel is final. Additional details on the appeals process will be added soon. (8 of 9)6/1/2005 6:57:26 AM

9 Does the DoD PnP program affect DoD-to-DoD network traffic? No. The DoD PnP Program only affects the DoD Internet access points - all points connected to the Internet. All routers connected to the Internet must be as secure as directed by the DoD Ports and Protocols program. CLASSIFICATION: UNCLASSIFIED (9 of 9)6/1/2005 6:57:26 AM

Department of Defense INSTRUCTION

Department of Defense INSTRUCTION NUMBER 8551.1 August 13, 2004 ASD(NII)/DoD CIO SUBJECT: Ports, Protocols, and Services Management (PPSM) References: (a) DoD Directive 8500.1, "Information Assurance (IA),"