140 likes | 255 Views
What is the IETV? The IETV ( Interoperability Experimentation, Testing and Validation ) is a tool in support of (CIS) systems certification, interoperability enhancement and experimentation for multinational, NATO-led expeditionary operations. Which CIS functions does the IETV cover?
E N D
What is the IETV? • The IETV (Interoperability Experimentation, Testing and Validation) is a tool in support of (CIS) systems certification, interoperability enhancement and experimentation for multinational, NATO-led expeditionary operations. Which CIS functions does the IETV cover? The IETV covers CIS interfaces (with the national systems), transmission, bandwidth management, voice/video/VTC services, information exchange, network services, core IS services, functional services, information assurance and management. • What makes up the IETV? • The IETV Capability is made-up of four essential components: • - Processes • - Supporting Documentation • - A (HW/SW) test bed • - Know-how How will the IETV be used during SFCE 09? The IETV will be used to validate a nationally-provided (CIS) system (LCC-HQ –NRF-13 (GBR) and LCC-HQ-NRF-14 (DNK) in support of NRF-13/14. To resolve an outstanding IO issue implementing a deployable secure cross-domain gateway for MIP-DEM data function to allow automated information exchange between a national-secret system (provided by 1GNC) and the NATO secret system (JCOP), in compliance with applicable INFOSEC regulations. To experiment a future interoperability enhancement, by testing Secure Voice Gateway between national-secret system (provided by 1GNC) and the NATO secret network. To support the SFCE09 test plan with automation of testing functions, allowing multiple tests to be conducted in few minutes, without operator’s involvement and with automated integration with SFCE09 data base. Where is the IETV? The IETV has a deployable footprint, which provides basic on-site (deployed) representative interfaces and gateways. Then, connects through any (NATO or not) WAN to the static part of the IETV, which groups most NC3A test beds and laboratories. Introduction and Objectives • What can it be used for? • The IETV Capability can be used to: • - Validate nationally-provided CIS • - Support the Commander with the certification of the Unit • - Develop new applications and technologies • - Experiment and test new CIS concepts and applications
Deployable Point of Presence ( dPoP ) Nationally - provided A generic architecture based on a functional analysis. Comprises all relevant CIS functions in the Deployable CIS for a NATO expeditionary mission. Allows maximum modularity and re-use of existing test beds and labs at NC3A. systems to validate, NETWORK test and experiment SERVICES Interface with Nations Module (INM) VOICE/VIDEO INTERFACES BANDWIDTH INFORMATION MANAGEMENT EXCHANGE TRANSMISSION INFORMATION ASSURANCE To static IETV core infrastructure at NC3A (The Hague) CORE SERVICES EXPERIMENTS INFORMATION ASSURANCE Micro information Systems Module ( µ ISM) The IETV Architecture The modular design allows deploying only those elements which are essential to provide local, identical interfaces and services. This is called the deployable footprint of the IETV. The most complex systems stays at the static part of the IETV, in The Hague, along with the on-site expertise and know-how. This optimizes availability of the test bed and reduces the cost of deployment. National facilities can join the IETV as needed. In 2009, an extended (includes some information systems) deployable footprint of the IETV can be seen at SFCE 09 Exercise
The CIS Validation process (left) departs from a nationally assessed systems, and uses verification to determine compliance with NATO DCIS requirements. Results from verification are subject to a verification assessment process (right), which aims to explain which are the interoperability issues, how to mitigate them, and consequences of not doing so. CIS Validation using the IETV
What is the IATT? The IETV Automated Testing Tool (IATT) provides the means to quickly verify a number of interoperability requirements in an automatic manner. This degree of automation allows conducting a large number of tests in a few minutes, and repeat those tests for different security domains and different units. How can nations use the IATT ? By using the IATT nations can quickly and inexpensively identify and resolve configuration issues that might impair interoperability at the application level. In particular, the IATT looks at the interconnection of NATO and Nation with special emphasis on firewall/gateway configuration, services configuration, routing capabilities or network/application protocols, to name a few. How does it work? Two IATT nodes (master and slave) are connected at the user sides of two networks interconnected through a Service Interoperability Point (SIOP). Each node represents a different user communities. Automatic processes exercise multiple traffic types and services across the SIOP. Tests are done in accordance with outstanding interoperability criteria (NC3A TN-1174). Results are captured and reported back to the user. Several CIS can be verified at the same time using only one master IATT node and several slave IATT nodes, one per CIS. • Which functionality is provided? • The IATT automatically verifies CIS interoperability for the following services: • Transmission and communications: connectivity, routing, protocol/port/service filtering, NTP, DNS, FTP, etc. • core services, mail, web and secure web The IETV Automated Testing Tool (IATT)
The IETV Automated Testing Tool (IATT)-II • IATT in SFCE-09 • The IATT automatically verifies CIS interoperability for the following services: • Transmission and communications: connectivity, routing, protocol/port/service filtering, NTP, DNS, etc. • core services, mail, web and secure web • IATT will integrate the results of the automated test in the exercise data base, • IATT will be deploy during all the exercise in LCC-HQ-NRF-13/14 helping to resolve interoperability issues.
NC3A Experimentation Program of Work IEG-Light Extension “MIP-DEM” What is the MIP-DEM IEG-Light Extension The MIP-DEM IEG-Light Extension proxy functionality for the MIP-DEM protocol for interconnecting C2 application across security domains (NATO Secret <-> National Secret). • Which functionality is provided? • Controlling the information flow between the security domains • Ensuring the integrity of the MIP-DEM protocol How does it work? JCOP Layer Manager (LM) implantation is used as service proxy. All MIP-DEM information exchange is terminated and forwarded by the MIP-DEM IEG-Light Extension in both directions. The contracts between the C2 applications on the different security domains are always created via the MIP-DEM Proxy located in the IEG-Light.
NC3A Experimentation Program of Work IEG-Light Extension “IEG-Light Voice Module” What is the IVM? The IEG-Light Voice Module (IVM) provides a secured voice gateway functionality between voice services of different security domains. • Which functionality is provided? • Access Control for security domain access • LDAP / PIN / Calling Party number • Limits the information exchange between security domains to voice/fax/modem services • Codec and Protocol Conversion • Content Scanning, control if voice, fax or modem signals are transported in the channels IEG-Light Voice- Gateway ISDN E1 IP SIP/IAX2 H.323 IP SIP/IAX2 H.323 How does it work? The IVM prototype is realized with single board computers (SBC), running the EAL4+ evaluated Linux operating system and the Asterisk soft switch software. All VoIP traffic from one security domain is terminated at the IVM. All incoming calls are converted to ISDN (G.711) and forwarded over an ISDN E1 trunk. The outgoing traffic is transcoded to any required codec (G.726, G.729, G.711 etc.). Supported protocols for interconnecting to the IVM are SIP, AIX2 (IP trunking) and H.323. Actual IVM developments will allow to recognise the contents and type of the traffic (Voice, FAX, Modem) as well as detect hidden channels. Traffic is going to be controlled due to it’s contents. Access Control Codec Conversion Security Domain A e.g. NATO Secret Security Domain B e.g. NATIONAL Secret Content Scanning Protocol Conversion
NC3A Experimentation Program of Work Secure Voice Gateway What is the SVG? The Secure Voice Gateway (SVG) is a tool designed to provide end-to-end secure voice services between networks using different voice and/or encryption technology (ISDN, POTS, VoIP, etc.). • Which functionality is provided? • Secure voice services between participants using different media and voice encryption devices. • Local and remote. • Multiple parallel voice services. • Open design for easy integration of additional crypto devices. How does it work? The SVG prototype is built from two (a secure and a non-secure) PABX, which are connected via appropriate crypto devices. Currently, the two PABXs are realized with single board computers (SBC), running the EAL4+ evaluated Linux operating system and the Asterisk soft switch software. Traffic from User A is encrypted (using User A specific cryptos) and tunneled through the NATO network towards the SVG. In the SVG the traffic is decrypted, encrypted (using the User B1 specific cryptos), switched and forwarded to User B1. Alternatively users on the red IP network (User B2) can reach users on the PSTN network (User A and B2) and vice versa. The SVG currently supports the following interfaces: ISDN PRI, ISDN BRI, analogue and Ethernet.
NC3A Experimentation Program of Work NC3A – 1GNC Voice Experiment What is the NC3A – 1GNC Voice Experiment about? Interconnection of Secure Voice Services between 1GNC National Secret (IP based) and NATO Secret (ISDN based). The security domains are separated by the IEG-Light with a IEG-Light Voice Module (IVM). The transition between Secure ISDN and Voice over Secure IP is done by the Secure Voice Gateway (SVG) developed by NC3A.
How does it work? The IEG-Light component filters all traffic from the nation in its router. The firewall directs all granted traffic to the proxy servers in the IEG-Light DMZ. All unwanted traffic is dropped. The proxies can be accessed from the NATO side. All Traffic is audited by the IDS. Therefore, no direct communication between the NS network and the national network is possible. Traffic is audited by the IDS. The IVM prototype is realized with single board computers (SBC), running the EAL4+ evaluated Linux operating system and the Asterisk soft switch software. Which functionality is provided? The IEG-Light packet switched (PS) component is a secure interface between the NATO secret (NS) network and the national secret network. Services supported by the IEG-Light PS component are the core information services mail, web publishing and GAL synchronization. For SFCE 09 new functionality provided inside the IEG-Light is FS support by the MIP-DEM extension and secure VoIP support by the IEG-Light Voice Module (IVM) The IEG-Light (I) What is the IEG-Light? The Information Exchange Gateway (IEG) “Light” is a small, highly deployable and affordable module that provides secure gateway services between deployed NATO and a deployed national CIS of a NATO member nation. IEG-Light Main Module IEG-Light Specialized Module
The IEG-Light (II) VOICE SERVICES Access Control Protocol Conversion Codec Conversion Content Scanning Concept of Operation of the IEG-Light IEG-Light Functional Architecture IEG-Light Hardware Architecture IEG-Light Software Architecture IEG-Light (Remote) Management Interface IEG-Light Main (bottom) and Specialized (top) Modules
Example of IETV CIS Verification Results Sample Data
Objectives of the 2009 SFCE IETV campaign • Primary objectives: • Test and validate nationally provided CIS (LCC-HQ-NRF-13-GBR) • Test and validate nationally provided CIS (LCC-HQ-NRF-14-DNK) • Test interoperability between NATO C2/FS and National C2/FS • Test cross-domain data and voice exchange mechanism • Identification (resolution) of interoperability issues • Other objectives: • Experiment the IETV Automated Testing Tool (IATT) • Experiment NATO gateways for national MIP-DEM traffic • Support national experiment with IETV (NRDC-SP-JCOP-XML) • Demonstrate NATO gateways for FS traffic • Demonstrate “zero-configuration” model for national CIS provision