Effects of restricting ports 20/21 on DoD Networks and Information Transfer Operations
Fall COPC 2007
Mr. Walter L. Coley, Jr., JAG/CCM Chair

Overview
• Guidance
• Effects
• DoC Initiative
• Navy Initiative
• AFW Initiative
• Options
• Recommendation
Guidance
• All standards are based on NIST guidance
• DoC follows NIST
• DoD modified to satisfy mission
• Use of anonymous protocols is restricted
• “Risk accepted by one is accepted by all”
• Guidance concerns IPv4
• IPv6 guidance is under review
DISA Guidance
[Chart not reproduced; slide marked FOUO]
Guidance (cont): What the Chart Colors Mean
• Guidance from PPS Category Assignments list release 6.8.1 (Aug 2007)
• Those PPS designated as Red will be severely restricted.
• Those PPS designated as Yellow may be allowed through with specific negotiation and limitations on use.
• Acceptance of those PPS designated as Green is generally automatic.
Effects
• No more unrestricted data transfer
• All traffic is segmented outside VPN
• DoD can push and pull data
• Non-DoD can only push or pull data within DATMS-U
• No more store-and-forward systems
Acceptable Services
• Short Term Goal – all sites (6 months)
  • FTP Ports 20/21 (Conditional)
    • Session from Enclave DMZ to DoD Network to Enclave DMZ
  • HTTP (Port 80 for non-DoD only)
  • HTTPS (TCP) Port 443
• Long Term Goal
  • SFTP (SSH) Port 22 only
  • HTTPS (TCP) Port 443
  • HTTP (Port 80 for non-DoD only)
Acceptable Services (cont)
• DDM-SSL (TCP) Port 448
• FTPS-DATA (TCP) Ports 989/990 (Army)
• Some proprietary others
• SFTP has most utility and economy
• DoD can initiate FTP sessions
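The two Acceptable Services slides amount to a port policy with a short-term and a long-term phase. The following audit script is an added example (not part of the briefing or any DISA tool): it parses constructed connection-log lines, assigns each flow Allow, Conditional or Deny under either phase, and reports what still needs migrating. The zone labels (external, enclave_dmz, dod_dmz, dod_network), the log line format, the reading of "Session from Enclave DMZ to DoD Network to Enclave DMZ" as both endpoints being enclave DMZs, the reading of "Port 80 for non-DoD only" as one endpoint being external, and the default-deny for unlisted ports are all assumptions made for the example.

```python
"""Audit constructed connection-log lines against the "Acceptable Services"
port policy described in the briefing (short-term and long-term goals).

Added example, not part of the original deck. Zone names, the log format,
the interpretation of the FTP and HTTP conditions, and default-deny for
unlisted ports are assumptions for illustration only.
"""
from dataclasses import dataclass
from enum import Enum
import re

class Verdict(Enum):
    ALLOW = "allow"               # the deck's Green: generally automatic
    CONDITIONAL = "conditional"   # the deck's Yellow: negotiated, limited use
    DENY = "deny"                 # the deck's Red: severely restricted

# Assumed zone labels matching the boundary diagrams in the deck.
DOD_ZONES = {"enclave_dmz", "dod_dmz", "dod_network"}
ALL_ZONES = DOD_ZONES | {"external"}

@dataclass(frozen=True)
class Flow:
    src_zone: str
    dst_zone: str
    proto: str
    dport: int

# Ports taken from the Acceptable Services slides.
FTP_PORTS = {20, 21}
SFTP_PORT = 22
HTTP_PORT = 80
HTTPS_PORT = 443
DDM_SSL_PORT = 448
FTPS_PORTS = {989, 990}

def evaluate(flow: Flow, phase: str) -> Verdict:
    """Return the verdict for one flow under the 'short' or 'long' term goal."""
    if phase not in ("short", "long"):
        raise ValueError(f"unknown phase {phase!r}")
    if flow.proto != "tcp":
        return Verdict.DENY  # every listed service is TCP (assumption: deny the rest)
    p = flow.dport
    if p == HTTPS_PORT or p == DDM_SSL_PORT or p in FTPS_PORTS:
        return Verdict.ALLOW
    if p == SFTP_PORT:
        # SFTP is the long-term target and is already supported by the
        # initiatives, so it is treated as acceptable in both phases.
        return Verdict.ALLOW
    if p == HTTP_PORT:
        # "Port 80 for non-DoD only": assumed to mean one endpoint is external.
        non_dod = "external" in (flow.src_zone, flow.dst_zone)
        return Verdict.ALLOW if non_dod else Verdict.DENY
    if p in FTP_PORTS:
        if phase == "long":
            return Verdict.DENY  # long-term goal: SFTP only, no FTP
        # Short term: conditional only for enclave DMZ to enclave DMZ sessions
        # that traverse the DoD network (assumed interpretation).
        dmz_to_dmz = flow.src_zone == "enclave_dmz" and flow.dst_zone == "enclave_dmz"
        return Verdict.CONDITIONAL if dmz_to_dmz else Verdict.DENY
    return Verdict.DENY  # assumption: anything not on the slides is denied

# Constructed log format (not a real product's format).
LOG_RE = re.compile(
    r"src=(?P<src>\w+)\s+dst=(?P<dst>\w+)\s+proto=(?P<proto>\w+)\s+dport=(?P<dport>\d+)"
)

def parse_line(line: str) -> Flow:
    """Parse one constructed log line into a Flow, rejecting unknown zones."""
    m = LOG_RE.search(line)
    if not m:
        raise ValueError(f"unparseable log line: {line!r}")
    src, dst = m["src"], m["dst"]
    if src not in ALL_ZONES or dst not in ALL_ZONES:
        raise ValueError(f"unknown zone in: {line!r}")
    return Flow(src, dst, m["proto"].lower(), int(m["dport"]))

def audit(lines, phase: str):
    """Group log lines by verdict so an operator sees what still needs migrating."""
    report = {v: [] for v in Verdict}
    for line in lines:
        report[evaluate(parse_line(line), phase)].append(line)
    return report

SAMPLE_LOG = [  # constructed sample lines, not captured traffic
    "src=enclave_dmz dst=enclave_dmz proto=tcp dport=21",   # FTP between DMZs
    "src=external    dst=dod_network proto=tcp dport=21",   # FTP from outside
    "src=external    dst=enclave_dmz proto=tcp dport=443",  # HTTPS
    "src=dod_network dst=dod_network proto=tcp dport=80",   # HTTP inside DoD
    "src=external    dst=enclave_dmz proto=tcp dport=80",   # HTTP from non-DoD
    "src=dod_network dst=enclave_dmz proto=tcp dport=22",   # SFTP
    "src=external    dst=enclave_dmz proto=tcp dport=990",  # FTPS-DATA (Army)
    "src=external    dst=dod_network proto=tcp dport=23",   # telnet, not listed
]

if __name__ == "__main__":
    for phase in ("short", "long"):
        print(f"--- {phase}-term policy ---")
        for verdict, lines in audit(SAMPLE_LOG, phase).items():
            for line in lines:
                print(f"{verdict.value:12} {line}")
```

Running the script over the sample lines shows the transition the deck describes: under the short-term policy the DMZ-to-DMZ FTP session is merely conditional, while under the long-term policy it joins the denied set and only SFTP, HTTPS, FTPS and non-DoD HTTP remain acceptable.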
Navy Initiative
• FNMOC/NAVO are going through site accreditation
• Required to secure communication ports and bring the operation in line with DISA/Navy guidance
• Sites will use HTTPS and SFTP
DoC Initiative
• NWS is moving away from FTP to HTTP(S)-based file transfer
• NWS will support SFTP
• Need funding to support encryption
• NESDIS uses public keys
• NWSTG supports RSA two-factor authentication
Air Force Initiative
• Air Force supports SFTP and HTTPS
• Systems tuned to work with DMZ
• Conversion to data ‘pull’ system
• Operational load and timing issues under study
Options
• Option 1
  • Move methodically to secure networks in next 6 months
  • Can complete HTTPS, but not SFTP without funding
  • No driver for this or funding supporting rapid transition
• Option 2
  • Continue to incrementally improve infrastructure and document as we go
  • Can still complete HTTPS in 6 months, limited use of SFTP
  • Same effect as Option 1 but slower and lower risk
  • Less potentially disruptive to operations
Recommendation
• Option 2
  • Communication uses HTTPS and SFTP
  • FTP where essential
  • Convert all communications to work through DMZ where possible in next 6-12 months
  • Most work is done
  • All OPC locations continue to support ATO process
Ports, Protocols & Services Category Assignment List (PPS CAL) Boundaries for FTP, SFTP and HTTPS
[Three boundary diagrams not reproduced. Each shows the External Network, Enclave DMZ, DoD DMZ and DoD Network (NIPRNET, DATMS-U, DREN) with numbered boundary crossings 1–16; only the color assignments for boundaries 15 and 16 survive in the text.]

Protocol   Boundary 15   Boundary 16
FTP        Red           Yellow
SFTP       Green         Yellow
HTTPS      Green         Green

Legend: Red – PPS CAL Denied/Restricted; Yellow – PPS CAL Conditional
DMZ Communications
[Diagram not reproduced; it shows the AF DMZ, Navy DMZ, DoD Network DMZ and External Network DMZ]