Topic 22 Network Operations Center


1 Topic 22 Network Operations Center
Fleet Network Operations Centers (FLTNOCs)

A. Introduction
Understanding IP connectivity and services provided to the Strike Group is critical to the modern warfighter. The purpose of this topic is to introduce the student to the architecture, hardware, services, and support provided by the Fleet Network Operations Centers (FLTNOCs).

B. Enabling Objectives
DESCRIBE the basic architecture for a Fleet Network Operations Center (FLTNOC).
DISCUSS services provided by the FLTNOC.
IDENTIFY the reference for and EXPLAIN INCHOP / OUTCHOP procedures.

C. Topic Outline
FLTNOC architecture
FLTNOC core equipment
FLTNOC ADNS Inc II architecture
FLTNOC services
FLTNOC firewall system
FLTNOC web services
FLTNOC support concept
INCHOP / OUTCHOP Procedures
High Speed Global Ring (HSGR)

D. References
1. NTP-4, Naval Communications, 18 January 2008

2 Figure 21.1 - The FLTNOC Architecture.
Fleet Network Operations Centers (FLTNOCs) The FLTNOCs provide Internet Protocol (IP) connectivity and services to the Fleet (both underway and pier side) and act as regional gateways to the Defense Information Systems Network (DISN) in their respective Areas of Responsibility (AOR). This is accomplished through the use of a flexible network architecture that can meet the unique needs of the different regional forces. The nomenclature for the FLTNOC is AN/FSQ-206. There are four sites designated as FLTNOCs: European Central Region Network Operations Center (ECRNOC) at NCTS Naples, Italy; Indian Ocean Region Network Operations Center (IORNOC) at NCTS Bahrain; Pacific Region Network Operations Center (PRNOC) at NCTAMS PAC; and Unified Atlantic Region Network Operations Center (UARNOC) at NCTAMS LANT. There is also a PRNOC detachment located in Yokosuka, Japan for 7th Fleet support. The four FLTNOCs are geographically dispersed around the world to service deployed users, provide the entry points for Navy Tactical Satellite Systems, and also operate and maintain one of the DSCS terminals. Each FLTNOC is typically responsible for providing services to Fleet users located in its corresponding AOR. The current FLTNOC network architecture operates as the individual interface point for Navy units within the AOR to provide access to the DISN. Connectivity to the FLTNOC while underway is primarily done through ADNS, which uses available satellite communications systems to enable ship-to-shore data connectivity. While pier side, the Base Level Information Infrastructure (BLII) is used to connect the ship’s networks to the FLTNOC.

3 Figure 21.2 - FLTNOC Core Equipment.
Figure 21.2 provides a list of baseline equipment for the FLTNOC per enclave and is to be used in conjunction with Figure 21.1, which provides a simplified graphical depiction of the FLTNOC architecture. For the sake of brevity, server subsystems are indicated as Service Suites and do not display the actual number of servers. For example, each FLTNOC has at least four DNS/Mail servers in the unclassified enclave, but they are displayed as a single Mail/DNS Suite. Other suites that make up the FLTNOC architecture are the Firewall, Virtual Private Network (VPN), Intrusion Detection, Virus Scan, and Web Cache suites. The Premise Router is the interface from the FLTNOC to the DISN and is considered an untrusted interface. The Fleet Router is the interface to the afloat networks and is considered a trusted network. To enhance network security, FLTNOCs use a feature called Split Horizon Domain Name Service (DNS), which returns different answers to a DNS query depending on whether the request originated inside or outside the Navy enclave. Only when a ship’s DNS zone is active internally (inside the FLTNOC enclave), and only for queries initiated from inside the enclave, will the DNS/Mail Suite answer with the IP address associated with that ship. To minimize configuration changes when ships transit from one AOR to another, the FLTNOCs use IP addresses called Virtual IPs (VIP), which are duplicated between each FLTNOC. VIPs are used within each enclave for DNS forwarding, web cache, Simple Mail Transfer Protocol (SMTP) relay, and Network Time Protocol (NTP). Once the afloat network is configured with the correct FLTNOC IP addresses, a unit should be able to enter or exit an AOR seamlessly.
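The split-horizon behaviour described above, written out as a small resolver model. This is an added illustration, not code from the course or from any FLTNOC system; the enclave prefix, the unit zone "uss-example.navy.mil", its records and the MTA name "mta.uarnoc.example" are all constructed placeholders. The point it makes is that the same query gets a different answer by source address, and that an enclave client only sees the ship's own addresses while the zone is active.

```python
import ipaddress
from dataclasses import dataclass, field

# Constructed values, not taken from the page: the address space the DNS/Mail suite
# treats as "inside the enclave", and the public name of the store-and-forward MTA.
ENCLAVE_NET = ipaddress.ip_network("10.0.0.0/8")     # hypothetical enclave range
MTA_PUBLIC_NAME = "mta.uarnoc.example"                # hypothetical NOC mail transfer agent


@dataclass
class Zone:
    """One afloat unit's DNS zone, with an internal and an external view of its records."""
    name: str
    internal: dict   # answered only from inside the enclave while the zone is active
    external: dict   # advertised to the outside world (MX pointing at the NOC MTA)
    active: bool = False   # set by the theater FLTNOC at INCHOP, cleared at OUTCHOP


@dataclass
class SplitHorizonResolver:
    zones: dict = field(default_factory=dict)

    def add_zone(self, zone):
        self.zones[zone.name.lower()] = zone

    def set_active(self, zone_name, active):
        self.zones[zone_name.lower()].active = active

    def _find_zone(self, qname):
        # Longest-suffix match: "mail.uss-example.navy.mil" belongs to "uss-example.navy.mil".
        labels = qname.lower().rstrip(".").split(".")
        for i in range(len(labels)):
            candidate = ".".join(labels[i:])
            if candidate in self.zones:
                owner = ".".join(labels[:i]) or "@"
                return self.zones[candidate], owner
        return None, None

    def query(self, qname, qtype, source_ip):
        """Return the record data for (qname, qtype), or None for NXDOMAIN / no data."""
        zone, owner = self._find_zone(qname)
        if zone is None:
            return None
        inside = ipaddress.ip_address(source_ip) in ENCLAVE_NET
        # The ship's own addresses are served only to enclave clients and only while the
        # zone is active; everyone else, and an offline ship, gets the external view.
        view = zone.internal if inside and zone.active else zone.external
        return view.get((qtype.upper(), owner))


def build_demo():
    """Constructed sample zone for a hypothetical unit (not a real Navy host)."""
    resolver = SplitHorizonResolver()
    resolver.add_zone(Zone(
        name="uss-example.navy.mil",
        internal={("MX", "@"): "mail.uss-example.navy.mil",
                  ("A", "mail"): "10.20.1.5"},
        external={("MX", "@"): MTA_PUBLIC_NAME},
        active=True,
    ))
    return resolver


if __name__ == "__main__":
    r = build_demo()
    print("inside, active :", r.query("mail.uss-example.navy.mil", "A", "10.20.0.9"))
    print("outside        :", r.query("uss-example.navy.mil", "MX", "198.51.100.7"))
    r.set_active("uss-example.navy.mil", False)
    print("inside, offline:", r.query("uss-example.navy.mil", "MX", "10.20.0.9"))
```

Because an inactive zone falls back to the external view even for enclave clients, mail for an offline ship is steered to the NOC MTA, which is what allows the store-and-forward service on the following slides to work without any change on the sending side.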

4 Figure 21.3 - ADNS Increment II FLTNOC architecture.
[Figure 21.3 (diagram): ADNS Increment II FLTNOC architecture, showing the ADNS, teleport, DSCS, EHF, CWSP, INMARSAT and JCA router groups, the KG-175/KG-194/KIV-7/KIV-19 encryptors, the PSAX and TNX ATM switches, the TACLANE and NES tunnel routers, the Fleet SIPR/NIPR routers and Packeteers, and connections to the HSGR, DISN and the NMCI pier router.]
FLTNOC Core Equipment (cont)
With the exception of the GENSER SECRET enclave, all IP based data to or from a command is encrypted using a KG-235 or a KG-175 (TACLANE). Of note, the Network Encryption System (NES) had been used for this purpose prior to the TACLANE. Figure 21.3 provides an overview of an ADNS Increment II FLTNOC architecture, depicting the signal flow through ADNS or the Automated Digital Multiplexing System (ADMS), with connectivity to the High-Speed Global Ring (HSGR), DISN, and NMCI.

5 Email “Store and Forward”
[Figure (diagram): Store and Forward. Mail path from an external sender through the Premise Router, Outer Router and Foundry Outer Switch, the Fleet Firewall, the Foundry Inner Switch and Inner Router, the DNS/Mail servers and the Unclas Fleet Router, then across ADNS and the RF cloud to the ship.]
Store and Forward
As the Navy’s agent for the navy.mil domain, the UARNOC advertises all units’ Mail Exchange (MX) records to their root (parent) name servers. These MX records point mail from the outside world to the Mail Transfer Agent (MTA) located within the UARNOC. The Premise Router forwards the mail to the Fleet Firewall. Within the Fleet Firewall are the store and forward MTAs. The Firewall MTAs deliver mail destined for a ship to one of the DNS/Mail Servers located at the FLTNOC. The FLTNOC DNS/Mail hosts maintain an internal list of active network participants. If the recipient’s domain is listed as “active”, the DNS/Mail host routes the e-mail to the ship via the Fleet Router. If the recipient’s domain is “offline”, the e-mail is stored for retrieval at a later time by the respective mail server. The FLTNOC is required to store the mail for as long as 14 days to cover shipboard tactical or casualty outages. If additional time is required, this can be coordinated directly with the servicing FLTNOC. It should also be noted that attachments are limited to 10Mb in the unclass and secret enclaves by policy, but this limit can change with the tactical situation and increased network bandwidth needs. At the ship, e-mail is received via the applicable RF or shore path and processed for delivery by the ADNS router. The ADNS router routes the data to the appropriate enclave router for delivery to the Exchange mail server.
Remember: The UNCLAS and SCI networks use an INE for their connectivity; GENSER is a straight shot.
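A working model of the store-and-forward rules above (active list, hold for offline domains, 14-day retention, attachment limit), added here as an illustration; it is not code from the course or from any FLTNOC mail host. The domain "uss-example.navy.mil", the sender addresses and the timestamps are constructed, and the page's "10Mb" limit is read here as 10 MiB, which is an assumption.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone

RETENTION = timedelta(days=14)            # hold period for offline units stated on the page
ATTACHMENT_LIMIT = 10 * 1024 * 1024       # the page's "10Mb" policy limit, read as 10 MiB (assumption)


@dataclass
class Message:
    sender: str
    recipient: str
    attachment_bytes: int
    received_at: datetime

    @property
    def domain(self):
        return self.recipient.rsplit("@", 1)[1].lower()


@dataclass
class StoreAndForwardMTA:
    """Minimal model of the FLTNOC DNS/Mail host's store-and-forward behaviour."""
    active_domains: set = field(default_factory=set)   # internal list of active network participants
    held: dict = field(default_factory=dict)           # offline domain -> messages waiting for the ship
    delivered: list = field(default_factory=list)      # handed to the Fleet Router toward the ship
    rejected: list = field(default_factory=list)       # over the attachment policy limit
    expired: list = field(default_factory=list)        # aged out of the hold queue

    def accept(self, msg):
        """Entry point for mail arriving from the Firewall MTAs."""
        if msg.attachment_bytes > ATTACHMENT_LIMIT:
            self.rejected.append(msg)
            return "rejected"
        if msg.domain in self.active_domains:
            self.delivered.append(msg)
            return "delivered"
        self.held.setdefault(msg.domain, []).append(msg)
        return "queued"

    def mark_active(self, domain, now):
        """Zone goes active (INCHOP or link restored): flush held mail still within retention."""
        self.active_domains.add(domain)
        flushed = 0
        for msg in self.held.pop(domain, []):
            if now - msg.received_at <= RETENTION:
                self.delivered.append(msg)
                flushed += 1
            else:
                self.expired.append(msg)
        return flushed

    def mark_offline(self, domain):
        self.active_domains.discard(domain)

    def purge(self, now):
        """Periodic sweep dropping held mail older than the retention period."""
        purged = 0
        for domain in list(self.held):
            keep = []
            for msg in self.held[domain]:
                if now - msg.received_at > RETENTION:
                    self.expired.append(msg)
                    purged += 1
                else:
                    keep.append(msg)
            if keep:
                self.held[domain] = keep
            else:
                del self.held[domain]
        return purged


def run_scenario():
    """Constructed scenario: a hypothetical ship offline for 15 days, then back on the network."""
    t0 = datetime(2024, 1, 1, tzinfo=timezone.utc)
    mta = StoreAndForwardMTA()
    ship = "uss-example.navy.mil"   # constructed domain, not a real unit
    results = [
        mta.accept(Message("a@example.mil", f"ops@{ship}", 1_000, t0)),
        mta.accept(Message("b@example.mil", f"ops@{ship}", 2_000, t0 + timedelta(days=10))),
        mta.accept(Message("c@example.mil", f"ops@{ship}", 20 * 1024 * 1024, t0)),
    ]
    flushed = mta.mark_active(ship, t0 + timedelta(days=15))
    results.append(mta.accept(Message("d@example.mil", f"ops@{ship}", 0, t0 + timedelta(days=15))))
    return results, flushed, len(mta.expired), len(mta.delivered)


if __name__ == "__main__":
    print(run_scenario())
```

In the scenario the first message is 15 days old when the ship comes back and is dropped by the retention rule, the second is flushed, the oversized one was refused on arrival, and mail arriving after the zone is active goes straight through to the Fleet Router.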

6 Fleet Firewall
[Figure (diagram): Fleet Firewall. Parallel SECRET and UNCLAS enclaves, each with Premise, Outer, Inner and Fleet Cisco routers, the firewall server farm (Firewalls A to C in the SECRET enclave, A to D in the UNCLAS enclave), and the DNSMAIL, VPN, WEBCACHE and CAS hosts reached through a Virtual IP, connected to SIPRNET and NIPRNET respectively.]
Fleet Firewall
The security posture for each FLTNOC is independently administered, but centrally governed by the Chief of Naval Operations (CNO) / NETWARCOM Unclassified Trusted Network Protect (UTN Protect) firewall policy. Use and enforcement of this policy is mandated by CNO and NETWARCOM security policies. The FLTNOCs are also tasked with implementing IP block lists and DNS black hole lists as promulgated by the Navy Cyber Defense Operations Center (NCDOC). The Fleet Firewall provides a secure environment for networks. All traffic that passes through the FLTNOC (with the exception of VPN traffic) passes through the Fleet Firewall. The firewall serves as an application gateway, providing packet-level filtering through enterprise-wide policies. The Fleet Firewall, and its associated filtering, applies to all inbound and outbound network traffic. The Fleet Firewall is composed of the Outer Router, the Outer Foundry ServerIron load balancing switch, the Firewall server farm, the Inner Foundry ServerIron load balancing switch and the Inner Router. Also included in this functional area are the NetRanger Intrusion Detection System (IDS) and Symantec Virus Scanning software.

7 Web Services
[Figure (diagram): Web Services. A client HTTP request travels from the ship’s Web Proxy across the RF cloud and ADNS to the FLTNOC Web Cache, then through the Fleet Firewall, the Premise Router and the VSCAN servers to NIPRNET.]
Web Services
An HTTP request originates at the client workstation. The Web Proxy aboard the ship receives the HTTP request and returns the requested page to the user if it is present in the local web cache. If not, the request is forwarded to the Web Cache Server (Proxy) at the FLTNOC via the normal network path off the ship through ADNS. If the Web Cache Server at the FLTNOC has the requested page in cache, it is returned to the requesting IP address. If it does not, the Web Cache Server forwards the request via the FLTNOC’s DNS/Mail hosts. The DNS/Mail hosts resolve the requested address and route the request to the appropriate DISN destination, or to the hosting entity behind the Fleet Firewall, for delivery back to the requesting client browser. Even though proxies have packet filtering capability, they are not used for this purpose. The web proxies exist solely to increase the speed of delivery of HTTP requests to the user and to conserve bandwidth.

8 Figure 21.7 - FLTNOC Support Levels.
Levels of Service:
Tier One – Watch Section
Tier Two – Systems Administrators
Tier Three – FSET
Tier Four – ISEA
FLTNOC Support Concept
The FLTNOCs use a multi-layered support concept. Each support tier is discussed in further detail below.
Tier One – Provided 24/7 by the active duty Watch section. This support includes troubleshooting ship-to-shore and intra-NOC communications and is the primary resource for FLTNOC operations. Daily configuration changes and maintenance of the system are also performed at this tier.
Tier Two – System Administrators are responsible for providing the highest state of operational readiness and availability of the FLTNOC to the Fleet.
Tier Three – Provided by Fleet Systems Engineering Team (FSET) engineers, who provide specialized system technical support, engineering assistance, and on-site training and troubleshooting support for all NCTAMS/NCTS personnel.
Tier Four – SPAWARSYSTCEN Charleston acts as the primary engineering activity for FLTNOC development and provides In-Service Engineering Activity (ISEA) support for FSETs, NCTAMS, NCTS, and other Fleet services. The ISEA also provides logistics support for equipment replacement, testing, and training, as well as hardware and software upgrades.

9 Figure 21.8 - INCHOP / OUTCHOP process.
[Figure 21.8 (diagram): the four FLTNOC sites, NCTS Naples / ECRNOC, NCTAMS LANT / UARNOC, NCTS Bahrain / IORNOC and NCTAMS PAC / PRNOC.]
INCHOP / OUTCHOP Process
To obtain IP services from a FLTNOC the following criteria must be met:
1. A valid Interim Authority to Operate (IATO) or Authority to Operate (ATO) obtained from the NETWARCOM Designated Approving Authority (DAA).
2. An IP services request message submitted in accordance with Global Communications Information Bulletin (GCIB) 3A.
3. If service will be provided via a satellite communications link, a valid Satellite Access Authorization (SAA) for the intended satellite path.
The current system allows fleet units to transit between AORs without making configuration changes to their ISNS equipment. This is facilitated by default configurations in the ADNS and the ISNS that use the FLTNOC VIP address scheme. With the exception of physical path connectivity, the gaining FLTNOC drives the change of Operational Control (CHOP) process. Once the satellite communications link has been terminated at the gaining Technical Control Facility (TCF), the theater FLTNOC will enable the Fleet unit’s DNS zone on the internal DNS/Mail Servers. All zone changes through the entire INCHOP / OUTCHOP process are accomplished by using either the NOC management web interface or the DNS/Mail servers’ command line. The Fleet unit’s IP addresses are then added to the “trusted networks” table in the Firewall. The fleet unit’s home theater FLTNOC, which is authoritative for its DNS zone resolution, will be notified by the gaining FLTNOC to direct the unit’s external mail to the gaining FLTNOC for delivery.
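The INCHOP steps above, together with the Fleet Firewall’s trusted-networks table and NCDOC block lists from slide 6, written as one runnable model. This is an added example, not code from the course, from UTN Protect, or from any NOC management interface. The NOC names are used only as labels; the unit zone "uss-example.navy.mil", its prefix 10.20.0.0/16, the blocked prefix 203.0.113.0/24 and the sinkholed domain "bad.example" are constructed, and the OUTCHOP function simply reverses the INCHOP steps, which the page implies rather than spells out.

```python
import ipaddress
from dataclasses import dataclass, field


@dataclass
class FleetFirewallPolicy:
    """Trusted-networks table plus the NCDOC-style block lists the page mentions."""
    trusted_networks: set = field(default_factory=set)   # afloat prefixes admitted through the Fleet Router
    ip_block_list: set = field(default_factory=set)      # blocked prefixes (constructed, not real NCDOC data)
    dns_black_hole: set = field(default_factory=set)     # sinkholed domains (constructed)

    def add_trusted(self, cidr):
        self.trusted_networks.add(ipaddress.ip_network(cidr))

    def remove_trusted(self, cidr):
        self.trusted_networks.discard(ipaddress.ip_network(cidr))

    @staticmethod
    def _in_any(ip, networks):
        addr = ipaddress.ip_address(ip)
        return any(addr in net for net in networks)

    def evaluate(self, src, dst, qname=None):
        """Decide one flow: block lists win, then only traffic to or from a trusted afloat prefix passes."""
        if self._in_any(src, self.ip_block_list) or self._in_any(dst, self.ip_block_list):
            return "deny: ip block list"
        if qname is not None:
            labels = qname.lower().rstrip(".").split(".")
            if any(".".join(labels[i:]) in self.dns_black_hole for i in range(len(labels))):
                return "deny: dns black hole"
        if self._in_any(src, self.trusted_networks) or self._in_any(dst, self.trusted_networks):
            return "permit"
        return "deny: not a trusted network"


@dataclass
class FLTNOC:
    name: str
    firewall: FleetFirewallPolicy = field(default_factory=FleetFirewallPolicy)
    active_zones: set = field(default_factory=set)      # zones enabled on the internal DNS/Mail servers
    mail_redirects: dict = field(default_factory=dict)  # zone -> NOC currently delivering its external mail


@dataclass
class FleetUnit:
    zone: str
    prefix: str
    home_noc: FLTNOC
    has_ato: bool            # IATO/ATO from the NETWARCOM DAA
    gcib_request_sent: bool  # IP services request per GCIB 3A
    has_saa: bool            # Satellite Access Authorization for the intended path
    via_satcom: bool = True


def missing_prerequisites(unit):
    missing = []
    if not unit.has_ato:
        missing.append("IATO/ATO")
    if not unit.gcib_request_sent:
        missing.append("GCIB 3A request")
    if unit.via_satcom and not unit.has_saa:
        missing.append("SAA")
    return missing


def inchop(unit, gaining, link_terminated_at_tcf):
    """The gaining FLTNOC drives the CHOP once the link is terminated at its TCF."""
    missing = missing_prerequisites(unit)
    if missing:
        raise ValueError("cannot INCHOP, missing: " + ", ".join(missing))
    if not link_terminated_at_tcf:
        raise ValueError("satellite link not yet terminated at the gaining TCF")
    gaining.active_zones.add(unit.zone)                     # enable the zone on internal DNS/Mail
    gaining.firewall.add_trusted(unit.prefix)               # add the unit to the trusted networks table
    unit.home_noc.mail_redirects[unit.zone] = gaining.name  # home NOC now sends external mail to gaining NOC
    return gaining


def outchop(unit, losing):
    """Reverse the INCHOP steps at the losing FLTNOC (assumed; the page does not list them)."""
    losing.active_zones.discard(unit.zone)
    losing.firewall.remove_trusted(unit.prefix)
    unit.home_noc.mail_redirects.pop(unit.zone, None)
    return losing


def build_scenario():
    """Constructed scenario: a hypothetical unit leaving its home NOC for a gaining NOC."""
    home = FLTNOC("UARNOC")
    gaining = FLTNOC("ECRNOC")
    gaining.firewall.ip_block_list.add(ipaddress.ip_network("203.0.113.0/24"))  # constructed (TEST-NET-3)
    gaining.firewall.dns_black_hole.add("bad.example")                           # constructed
    unit = FleetUnit("uss-example.navy.mil", "10.20.0.0/16", home,
                     has_ato=True, gcib_request_sent=True, has_saa=True)
    return unit, home, gaining
```

Running inchop flips three things at once: the zone becomes active, the unit’s prefix is trusted by the firewall, and the home NOC records where the unit’s external mail should now go; a unit without an SAA on a satellite path is refused before any of that happens.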

10 Figure 21.9 - High Speed Global Ring (HSGR).
The AN/USQ-169B (V) 1 High Speed Global Ring (HSGR) provides increased capacity and connectivity in the transport communications links between the major naval ashore commands. The HSGR transforms the legacy ADMS shore connectivity architecture into an integrated network of transport services that provides the warfighter with a dynamic, reliable, flexible, and restorable transport service capability. The HSGR enables implementation of new and improved capabilities, including FLTNOC-to-FLTNOC connectivity and JSIPS-N Concentrator Architecture (JCA) connectivity. The primary purpose of the HSGR is to provide an increased transport link between NCTAMS PAC, NCTS San Diego, NCTAMS LANT, NCTS Naples and NCTS Bahrain. The HSGR network uses Asynchronous Transfer Mode (ATM), which provides transport services for high speed classified and unclassified IP networks as well as existing legacy services to major shore sites. All IP traffic between IT-21 configured commands will remain on Navy controlled networks utilizing the HSGR. The HSGR uses Marconi TNX-1100 and Lucent PSAX 2300 ATM switches interconnected via DISN ATM services or commercial leased lines to interconnect the sites. The ATM backbone enables reconfigurable class and Quality of Service (QoS) parameters for data transport supporting tactical users. ATM is a dedicated connection switching technology that organizes digital data into fixed-size cells and transmits them over a physical medium using digital signal technology. Individually, a cell is processed asynchronously relative to other cells and is queued before being multiplexed and sent over the transmission path.

11 High Speed Global Ring (cont)
[Figure (table): HSGR Capacity.]
ATM transmission rates operate at either the OC-3 (155 Mbps) or OC-12 (622 Mbps) rates, though speeds on ATM networks can reach up to OC-192 (10 Gbps). Operationally, the HSGR architecture supports the following warfighter requirements:
Increased bandwidth
ADNS Increment II/III load distribution
Enhanced restoral capabilities
Interface with other DoD resources
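To make the “fixed-size cells” and line-rate figures above concrete, the following added example frames a data unit with an AAL5 trailer, cuts it into 53-byte ATM cells with a 5-byte header, reassembles it with header and payload checks, and computes serialization time at the OC rates the slide lists. It is not code from the course or from the Marconi or Lucent switches; the VPI/VCI values are constructed, and zlib’s CRC-32 is used as a stand-in for the AAL5 trailer CRC, which is an assumption (the page does not cover CRC details).

```python
import struct
import zlib

CELL_SIZE = 53          # 5-byte header + 48-byte payload
HEADER_SIZE = 5
PAYLOAD_SIZE = 48
TRAILER_SIZE = 8        # AAL5 CPCS trailer: UU(1) CPI(1) length(2) CRC-32(4)
LINE_RATES_BPS = {"OC-3": 155_000_000, "OC-12": 622_000_000, "OC-192": 10_000_000_000}  # nominal, as listed


def hec(header4):
    """Header error control: CRC-8 (x^8 + x^2 + x + 1) over the first four header bytes, XOR 0x55."""
    crc = 0
    for byte in header4:
        crc ^= byte
        for _ in range(8):
            crc = ((crc << 1) ^ 0x07) & 0xFF if crc & 0x80 else (crc << 1) & 0xFF
    return crc ^ 0x55


def aal5_frame(payload):
    """Pad so payload + trailer fills whole 48-byte cells, then append the trailer."""
    pad = (-(len(payload) + TRAILER_SIZE)) % PAYLOAD_SIZE
    body = payload + b"\x00" * pad + struct.pack("!BBH", 0, 0, len(payload))
    # Assumption: zlib's CRC-32 stands in for the AAL5 CRC.
    return body + struct.pack("!I", zlib.crc32(body) & 0xFFFFFFFF)


def segment(frame, vpi, vci):
    """Split an AAL5 frame into 53-byte cells; the SDU-type bit in PT marks the last cell."""
    if len(frame) % PAYLOAD_SIZE:
        raise ValueError("frame is not a whole number of cell payloads")
    cells = []
    count = len(frame) // PAYLOAD_SIZE
    for i in range(count):
        sdu_type = 1 if i == count - 1 else 0
        # UNI header word: GFC(4) | VPI(8) | VCI(16) | PT(3) | CLP(1); PT = 0b00s, s = SDU type
        word = (vpi << 20) | (vci << 4) | (sdu_type << 1)
        head = struct.pack("!I", word)
        cells.append(head + bytes([hec(head)]) + frame[i * PAYLOAD_SIZE:(i + 1) * PAYLOAD_SIZE])
    return cells


def reassemble(cells):
    """Rebuild the payload from the cells of one VC, checking HEC, completeness, CRC and length."""
    buf = b""
    for cell in cells:
        if len(cell) != CELL_SIZE or hec(cell[:4]) != cell[4]:
            raise ValueError("header error")
        buf += cell[HEADER_SIZE:]
        word = struct.unpack("!I", cell[:4])[0]
        if (word >> 1) & 1:      # SDU type 1: end of AAL5 frame
            break
    else:
        raise ValueError("incomplete frame")
    crc = struct.unpack("!I", buf[-4:])[0]
    if zlib.crc32(buf[:-4]) & 0xFFFFFFFF != crc:
        raise ValueError("CRC mismatch")
    length = struct.unpack("!H", buf[-6:-4])[0]
    return buf[:length]


def transit_seconds(cells, rate_name):
    """Serialization time of the cells at a nominal line rate (SONET overhead not modelled)."""
    return len(cells) * CELL_SIZE * 8 / LINE_RATES_BPS[rate_name]


if __name__ == "__main__":
    frame = aal5_frame(b"x" * 100)                 # constructed 100-byte payload
    cells = segment(frame, vpi=0, vci=32)          # constructed VPI/VCI
    print(len(cells), "cells,", reassemble(cells) == b"x" * 100)
    print("OC-3 serialization time: %.3f us" % (transit_seconds(cells, "OC-3") * 1e6))
```

A 100-byte payload needs 108 bytes with its trailer, which pads up to 144 bytes and three cells; the overhead of the 5-byte header on every cell is part of why the rates quoted on the slide are line rates, not usable IP throughput.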
