Agile Coalition Environment (ACE) Freedom within a Framework. Michele McGuire Space & Naval Warfare Systems Command Office of Chief Engineer (056)

Transcription

1 Agile Coalition Environment (ACE) Freedom within a Framework Michele McGuire Space & Naval Warfare Systems Command Office of Chief Engineer (056)

2 Points of Contact Sponsor: U.S. Pacific Command Mr. Randall Cieslak, CIO (808) Program Manager: SPAWAR, Office of Chief Engineer: Ms. Michele McGuire, O56 (858)

3 Overview Background Joint Warrior Interoperability Demonstration (JWID) ACE Overview ACE Architecture ACE Capabilities Summary & Questions 2

4 Background Technology evolved during 5 years of development & experimentation Network Centric Q-70 Tech Insertion Program w/ Naval Sea Systems Command Space and Naval Warfare (SPAWAR) System Center San Diego Lab USS Coronado Sea Based Battle Lab (SBBL) Fleet Battle Experiment India (FBE I) Joint Warrior Interoperability Demonstrations (JWID) in 2000, 2001, and Pacific Theater Initiative 2002 U.S. Pacific Command (PACOM) ACE Architecture Development Currently in Spiral Development/ Operational Experimentation Phase 3

5 Basic Architecture Overview VPN 4

6 Experimentation - JWID 03 Camp Smith, HI Pacific Command Headquarters Mail & COP Guards VPN Multi- National Task Force (MTF) CFMCC San Diego CFBL Network CFLCC Dahlgren 10 Eyes VPN Access 6 Eyes VPN Access 10 Eyes Network 6 Eyes Network United Kingdom Canada 6 Eyes Network w/ 10 Eye Tunneling End User Stations Australia New Zealand 10 Eyes Access VPN Device Stateless Dynamic VPN and improves and protects information networks Ultra Thinfrom attack Dual-Domain Access Client 6 Eyes Access Smartcard Single Display Strong I&A 5

7 JWID 2003 Benefits & Results Benefits: Eliminated need for Type 1 devices for data separation Stateless seats coupled to Enhanced Assurance Level (EAL) 4 certified Virtual Private Network (VPN) devices allow access to multiple domains Server-centric construct used to build centralized and manageable Communities of Interest (COIs) Centralized network management with dynamic re-configuration in near real-time Results: Successfully demonstrated data sharing between two domains across 7 sites Successfully provided Coalition Interoperability Successfully provided information sharing between Coalition partners ACE Successfully leverages demonstrated new information ability technology to rapidly to connect reconfigure troops COIs and their operations Successfully demonstrated user access control to the network 6

8 Agile Coalition Environment Technology successfully demonstrated during previous JWIDs Network Centric Computing (NCC) plus VPN s & Trusted Solaris (TSol) to consolidate networks & enhance flexibility for rapid reconfiguration Integrate High Assurance VPNs onto existing, ubiquitous networks Data domain separation Centralized, policy driven network access control tied to strong 2-factor Identification & Authentication (I&A) Appropriate data encryption for separation vs. confidentiality: Type 2 where appropriate and Type 1 where necessary 7

9 Consolidation & Simultaneous Visualization Single Display Visualization of many Desktops 8

10 ACE Architectural Direction Coalition WAN Centralized, policy driven network access controllers Positioned in U.S. spaces Type 1 devices eliminated for data separation U.S. PCs Fastlane Fastlane U.S. NOC Coalition Network Security Controller DVPN Traditional clients supported via tunneling Coalition Enclave Traditional PCs And Servers HA VPN for selective inclusion of users with need via GW connect U.S. Network Security Controller DHCP TSOL Session Gateway EAL4 Certified VPN/Firewall 10 EYES APP Servers ACE leverages new information technology Swappable to connect troops and their operations Disk Drives Trusted Session Se Low BW stateless clients coupled to HA VPN access control Trusted Gateway provides Access via secure VPN 9

11 Risk Reduction: Global WAN STEP 1 Vulnerability Risk GLOBAL WAN Risk Reduction SPECIFIC VPN/COI User Population 10

12 Data Separation on Network Type 2 3DES Tunnels 6 Eyes Type 1 Network 6 Eyes 10 Eyes 10 Eyes Concept introduced in Global Information Grid (GIG) Tested at Joint Interoperability Test Center & SPAWAR, SSC SD Accepted by Coalition Partners ACE leverages EAL4 VPN new subjected information to technology 6+ months to of connect internal troops and their operations NSA and testing improves and and evaluation protects information NSA approved networks for from attack JWID Proof-of-Concept 11

13 High Assurance VPN Objectives & Benefits Objectives: Integrate High Assurance (HA) VPNs onto existing, ubiquitous networks Data domain separation Centralized, policy driven network access control tied to strong 2-factor Identification & Authentication (I&A) Appropriate data encryption for separation vs. confidentiality - IAW CJCSM , DEFENSE-IN-DEPTH: INFORMATION ASSURANCE AND COMPUTER NETWORK DEFENSE Benefits: Secure VPNs provide risk reduction on global WAN Selective inclusion of finite number of nodes Medium robustness encryption for data domain separation within security level Optimizes use of Type 1 encryption for data confidentiality and separation of security levels Very tight network access control ACE Also leverages supports new secure information access technology from legacy to connect state seats troops and their operations Allows Concept and improves of Operations and protects (CONOPS) information to networks maximize from benefit attack of stateless clients for space, weight, power 12

14 Current ACE Status Warfighters, R&D & Acquisition conducting coordinated Spiral Development Lab, JWIDs, etc. PACOM SJFHQ Install & Follow-on Phases CENTRIXS, NMCI, PEO C4I etc. Theater Requirements Now Emerging Technology Development Non-operational Experimentation Operational Experimentation Operational Programs of Record (Globally) 13

15 ACE Standing Joint Forces HQ (SJFHQ) Architecture 3Com 3Com Legend Secure UTC in VPN mode SJFHQ SUTC X 7 DSC-PC X 2 4Eyes FAT GCTF FAT CENTRIXS JPN ROK FAT FAT NSC Security Enclaves -SIPRNET -CENTRIXS ROK -CENTRIXS JPN -4 Eyes DiamondLink in VPN mode DiamondVPN in VPN mode DiamondCentral (VPN Network Security Controller) SIPRNET NMCI Secret B1 NMCI Network NMCI Secret Hawaii NMCI NOC 4 Eyes GCTF CENTRIXS CENTRIXS -GCTF (Global Counter-Terrorism Force) NSC JPN SUTC Trusted Solaris Session Gateway ROK NIS+ Master Private Network 14

16 Secure Ultra Thin Client (SUTC) Integration of SunRay and secure VPN technology Smartcard maintains user profile for access to network & applications Model designed for low-bandwidth ops over WAN Lessons learned from JWID 2003 being incorporated Inexpensive, multiple purpose and secure seat for global coalition ops Simple to manage and operate 15

17 Client Seats Ultrathin: No CPU, no OS, no local storage, proprietary Thin: No local apps/storage, proprietary Fat: locally run apps, local storage entralized Decentralized Diskless Stateless Clients (DSC) Locally run apps, no local storage Non-proprietary Technology 16

18 Diskless Stateless Client (DSC-PC) Network load of OS on boot from single VPN domain No hard drive locally; uses network-attached storage device at servers Local OS for local processing such as audio collaboration Use Common Access Card (CAC) card for authentication and for PKI Certifications Provides access to one security enclave at a time Allows server-centric management and flexibility to host JAVA based applications such as GCCS- 4.x or IWS requiring lots of CPU and memory Hardware VPN Provides EAL4/FIPS certified from seat to server gateways Disk Images Win 98/DO S Linux GOTS Delta GCCS 4.x DSC Server DSC Clients 17

19 ACE Capabilities Provided to the Warfighter Provides improved means to share data, provide situational awareness & collaboration simultaneously Provides a single seat solution for Multiple COIs Multiple Operating Systems & Applications Provides ability to rapidly reconfigure network globally and in near-real time Dynamic Encryption & Data Labeling Strong I&A Network Centric Computing (NCC) Architecture 18

20 ACE Capabilities Provided to the Warfighter Reduced Total Ownership Costs (TOC) Ease of Scalability to Meet Operational Requirements Provides Right Information to the Right Person at the Right Place at the Right Time to Make the Right Decision 19

21 Current ACE Status Have received Secret and Below Information (SABI) Ticket # Cross Domain Appendix (CDA) has been reviewed and approved by NETWARCOM and PACOM System Security Authorization Agreement (SSAA) in Draft form Have started Pre-CT&E (Certification Test and Evaluation) Two groups at NSA have started to review overall architecture and individual component documentation 20

22 Summary ACE team will continue development & implementations based on: Warfighter Requirements Enhancing Coalition Warfare Capabilities Network Centric Warfare Concepts GIG Standards Cross-Theater/Organization/Agency Information Sharing Provide the right information, to the right person, at the right place, at the right time to make the right decision 21

23 ??? Questions??? 22