Friday, March 18, 2011

Why the GIG Warrants Top Priority

The debate about the future of DoD networks, and about how they can be delivered over the Global Information Grid (GIG), revolves around the question of whether the GIG can rely on Internet-based connectivity. The scope of the GIG is enormous: it encompasses over 10,000 routers and 10 million hosts, including wireless connections. It includes a wide range of nodes and link types as well as human-portable and battery-powered devices. The GIG provides capabilities from all operating locations (bases, posts, ships, camps, stations, facilities, mobile platforms, and deployed sites). The GIG also provides interfaces to coalition, allied, and non-DoD users and systems.

The overarching GIG policy makes clear that its objectives are all-inclusive: every application, anywhere. It does not accept the acquisition of IT capabilities as stand-alone systems. It rejects designs that are defined, engineered, and implemented one pair at a time, an approach that focuses on system or platform capabilities rather than on mission capabilities.

Instead, all DoD systems shall be based on a shared GIG, built on a common communications and computing architecture that provides a full range of information services for all security classifications and information handling needs. *

GIG data shall be shared and exchanged through common interoperable standards based on IPv6 as the common network protocol. It will allow all types of data to move seamlessly across the GIG's diverse transport layer, which includes landline, radio, and space-based elements. This means that every network link in DoD must be interoperable from a protocol standpoint. That is not the case at present: the range of protocols now running on existing DoD networks is not even known.

The GIG supports mission-critical operations. To protect traffic end to end it must use IPsec, which the IPv6 node requirements of the time made a mandatory component of the protocol suite (IPsec also runs over IPv4, so it is a protocol choice rather than a property of the IPv6 address format). Connectivity to the GIG depends not only on land circuits and wireless links but also on Radio Frequency (RF) and satellite connections. The GIG must be a trusted network that comprises units in the field (e.g. army companies or ships), which need to be seamlessly connected to the GIG even while they are mobile.

The GIG will operate in accordance with common metrics, measurements, and reporting criteria. ** Originally, the GIG was conceived as a federation; that is, ownership, control, or management of the GIG (people, processes, and hardware/software) was distributed throughout the DoD. *** That approach did not work, even though it was reaffirmed by the Instructions from the Chairman of the Joint Chiefs of Staff in December 2008. Instead, the implementation of the GIG concept is now in the hands of USCYBERCOM.

In planning the evolution to the long-term GIG objectives, does DoD really require a totally enclosed Intranet (such as NMCI) to assure its security in the interim? Is it possible to make traffic over the Internet sufficiently secure that the costly acquisition of a variety of dedicated circuits, such as for the NGEN transition, is not necessary? Does it make sense for the individual services to continue contracting for dedicated networks that serve only a limited set of applications?

Though dedicated transmission lines can speed up communications and reduce latency between major hubs, the cost of connecting all DoD locations must be planned as a part of the GIG and not on a stand-alone basis. The vulnerability of the Internet to security compromises (which includes corruption of LANs, WANs, and intermediate switches and routers) is well understood. DoD will therefore have to resort to specially configured Virtual Private Networks (VPNs) to protect its transmissions. This cannot be done one local network at a time; it must be engineered so that the protocols can be imposed universally.

DoD must develop and install DoD-specific VPN implementations, because a VPN is a method for using the existing Internet infrastructure to provide protected connectivity between any IP endpoints. This avoids the expense of dedicated networks that carry only DoD traffic and serve only individual contracts. The public Internet offers enormous redundancy, with highly distributed links that route around local circuit failures in a way that cannot be achieved economically by other means. The Internet is more resilient against failure than any Intranet that could be designed, except at an exorbitant cost. However, any reliance on the Internet must first be engineered for enhanced security that would be approved by NSA, and only then imposed as a uniform GIG solution.

A DoD version of VPN will encapsulate all transactions between any two points using NSA-approved cryptographic methods. Cryptography then keeps data in transit confidential from, and tamper-evident to, any internal or external party that does not hold the keys, so that a breach along the transmission path cannot read or silently alter a transaction before it reaches its final destination, where it is decrypted. What cryptography does not do is protect the endpoints themselves: a compromised host at either end of the tunnel sees the plaintext.

VPN solutions come in several classifications, implementations and uses, and for DoD they must also comply with additional requirements set by NIST and approved by NSA. Several standard protocols define how the "tunneling" of traffic takes place and where it can be inspected by DoD Network Control Centers; because tunneled traffic is encrypted, such inspection is possible only at the tunnel endpoints where it is decrypted, not at intermediate routers. DoD will have to add its own controls to support protection of the entire end-to-end transmission sequence. The tunnel's termination point, i.e. the customer edge, is where the legitimate recipient is finally authenticated, while still remaining subject to USCYBERCOM controls.

The most important requirement of a VPN is a cryptographic protocol that denies an interceptor any use of the traffic and that authenticates both sender and recipient, so that message integrity is preserved. IPsec (Internet Protocol Security) meets this requirement; it was originally developed alongside IPv6, where support for it was made mandatory, but it runs over IPv4 as well. Until IPsec is implemented (see http://pstrassmann.blogspot.com/2011/02/are-ipv4-addresses-exhausted.html), the Layer 2 Tunneling Protocol (L2TP) could be used as a substitute, though that is not recommended: L2TP by itself provides neither encryption nor integrity protection, which is why it is normally carried inside IPsec (L2TP/IPsec).
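The three properties the preceding paragraphs ask of a tunnel, confidentiality of the encapsulated packet, integrity with authentication of the peer that holds the key, and rejection of replayed frames, can be seen in a small Go program. This is an added example, not DoD, GIG or NSA-approved code: it models an ESP-like frame protected with AES-GCM, simplified and not wire-compatible with real ESP, and its SPI, key, salt and packet contents are constructed for illustration. It shows what a practitioner checks in any tunnel design: a bit flipped in transit is rejected, a resent frame is rejected by the anti-replay window, and a genuine frame that arrives after a forged copy of it is still accepted, because the window is advanced only after the authentication tag verifies.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"encoding/binary"
	"errors"
	"fmt"
)

// Constructed example, not DoD/GIG code: an ESP-like tunnel frame under AES-GCM,
// loosely modelled on RFC 4303/4106 but NOT wire-compatible with real ESP:
//   SPI (4) | sequence number (4) | IV (8) | ciphertext || 16-byte tag
// SPI and sequence number travel in the clear but are covered by the tag (as
// AAD), so the receiver can select the SA and reject replays before decrypting.

var (
	ErrTooShort = errors.New("frame too short")
	ErrBadSPI   = errors.New("unknown SPI")
	ErrReplay   = errors.New("replayed or stale sequence number")
	ErrAuth     = errors.New("integrity check failed")
)

// SA is one direction of a tunnel; in practice IKEv2 negotiates key and SPI.
type SA struct {
	spi     uint32
	aead    cipher.AEAD
	salt    [4]byte // per-SA salt; salt||IV forms the 12-byte GCM nonce
	nextSeq uint32  // sender: last sequence number used
	highest uint32  // receiver: highest sequence number accepted
	window  uint64  // receiver: bit n set = (highest-n) already accepted
}

func NewSA(spi uint32, key []byte, salt [4]byte) (*SA, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	return &SA{spi: spi, aead: aead, salt: salt}, nil
}

// Encapsulate protects one inner packet. Using the sequence number as IV keeps
// GCM nonces unique under a key, provided the SA is rekeyed before it wraps.
func (sa *SA) Encapsulate(inner []byte) []byte {
	sa.nextSeq++
	hdr := make([]byte, 16) // SPI | seq | IV
	binary.BigEndian.PutUint32(hdr[0:4], sa.spi)
	binary.BigEndian.PutUint32(hdr[4:8], sa.nextSeq)
	binary.BigEndian.PutUint64(hdr[8:16], uint64(sa.nextSeq))
	return sa.aead.Seal(hdr, append(sa.salt[:], hdr[8:16]...), inner, hdr[0:8])
}

// Decapsulate checks replay before decrypting (cheap rejection of floods) but
// advances the window only after the tag verifies, so a forged sequence number
// cannot poison it. The 64-entry sliding window follows RFC 4303 section 3.4.3.
func (sa *SA) Decapsulate(frame []byte) ([]byte, error) {
	if len(frame) < 16+sa.aead.Overhead() {
		return nil, ErrTooShort
	}
	if binary.BigEndian.Uint32(frame[0:4]) != sa.spi {
		return nil, ErrBadSPI
	}
	seq := binary.BigEndian.Uint32(frame[4:8])
	if seq == 0 || (seq <= sa.highest && (sa.highest-seq >= 64 || sa.window&(1<<(sa.highest-seq)) != 0)) {
		return nil, ErrReplay
	}
	inner, err := sa.aead.Open(nil, append(sa.salt[:], frame[8:16]...), frame[16:], frame[0:8])
	if err != nil {
		return nil, ErrAuth
	}
	if seq > sa.highest {
		if shift := seq - sa.highest; shift < 64 {
			sa.window <<= shift
		} else {
			sa.window = 0
		}
		sa.window, sa.highest = sa.window|1, seq
	} else {
		sa.window |= 1 << (sa.highest - seq)
	}
	return inner, nil
}

func main() {
	key := []byte("constructed-32-byte-demo-key-!!!") // constructed; real SAs get keys from IKEv2
	salt := [4]byte{1, 2, 3, 4}
	sender, _ := NewSA(0x1001, key, salt)
	receiver, _ := NewSA(0x1001, key, salt)
	f1 := sender.Encapsulate([]byte("inner packet 1 (constructed)"))
	f2 := sender.Encapsulate([]byte("inner packet 2 (constructed)"))
	inner, err1 := receiver.Decapsulate(f1)
	tampered := append([]byte(nil), f2...)
	tampered[len(tampered)-1] ^= 1 // one bit of the tag flipped in flight
	_, err2 := receiver.Decapsulate(tampered)
	_, err3 := receiver.Decapsulate(f1) // attacker resends f1
	_, err4 := receiver.Decapsulate(f2) // genuine f2, late but still fresh
	fmt.Printf("genuine f1: %q %v\ntampered f2: %v\nreplayed f1: %v\nlate genuine f2: %v\n",
		inner, err1, err2, err3, err4)
}
```

The order of checks in Decapsulate is the point worth copying: reject unknown SPIs and stale sequence numbers before any cryptography, but never let an unauthenticated frame move the replay window. Real ESP adds padding, a Next Header field, extended sequence numbers and rekeying through IKEv2, none of which this sketch attempts.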

SUMMARY
VPNs play a central role in the GIG, the combined network-of-networks being developed not only by DoD but also by other US government agencies to support the communication needs of the security, defense and intelligence communities. The GIG architecture can be viewed as having two main components: trusted edge networks and a large backbone core consisting of a combination of trusted and untrusted network segments. To achieve privacy and integrity of the data crossing the backbone, edge networks must use consistent VPN gateway protocols to encrypt traffic before it passes through thousands of routers and switches.

VPNs will reduce network costs because they avoid dependence on dedicated lines connecting offices to private Intranets during the transition from the current state to the point where the GIG ultimately provides all connections.

Meanwhile, DoD will require dedicated fiber optic connections primarily for back-up and fail-over traffic among data centers. DoD may also find it advantageous to acquire dedicated fiber optic links to servers "on the edge" as a way of reducing the number of "hops" that the public Internet imposes. Whether such connections are acquired for exclusive DoD use is a matter of economics as well as of security. In any case, such links will all have to be subjected to the discipline dictated by standard GIG protocols.

Meanwhile, DoD is struggling to assure even minimum acceptable network security. When asked, in Congressional testimony, how he would grade the U.S. military's ability to protect its networks, Gen. Keith Alexander, commander of U.S. Cyber Command, said he would give it a "C". For an essential combat capability nothing but an "A+" should be acceptable. ****

When one ranks all of the issues that affect the conduct of IT in DoD, there is no question that proceeding with the implementation of the GIG belongs at the top of any list of actions that warrant the greatest attention.

A personal note: DISA's role in DoD information management expanded with the implementation, in September 1992, of several Defense Management Report Decisions (DMRD), most notably DMRD 918. DMRD 918 created the Defense Information Infrastructure (DII), now more commonly understood as the GIG. Strassmann was one of the principal authors of DMRD 918.


* DoD Directive 8100.1, 11/21/2003
** DoD Instruction 8410.02, 12/19/2008
*** cio-nii.defense.gov/docs/GIGArchVision.pdf
**** http://defensesystems.com/articles/2011/03/17/cyber-command-head-rates-military-cyber-defense.aspx?admgarea=DS




For comments please e-mail paul@strassmann.com