IETV: INTEROPERABILITY EXPERIMENTATION, TESTING AND VALIDATION CAPABILITY © NATO Consultation, Command and Control Agency, 2009.


Introduction and Objectives

How will the IETV be used during SFCE 09?
- To validate the nationally-provided CIS systems LCC-HQ-NRF-13 (GBR) and LCC-HQ-NRF-14 (DNK) in support of NRF-13/14.
- To resolve an outstanding interoperability issue by implementing a deployable secure cross-domain gateway for the MIP-DEM data function, allowing automated information exchange between a national-secret system (provided by 1GNC) and the NATO Secret system (JCOP), in compliance with applicable INFOSEC regulations.
- To experiment with a future interoperability enhancement by testing a Secure Voice Gateway between the national-secret system (provided by 1GNC) and the NATO Secret network.
- To support the SFCE 09 test plan with automated testing functions, allowing multiple tests to be conducted in a few minutes, without operator involvement and with automated integration into the SFCE 09 database.

What is the IETV?
The IETV (Interoperability Experimentation, Testing and Validation) capability is a tool in support of CIS system certification, interoperability enhancement and experimentation for multinational, NATO-led expeditionary operations.

Where is the IETV?
The IETV has a deployable footprint that provides basic on-site (deployed) representative interfaces and gateways. The deployed part connects through any WAN (NATO or otherwise) to the static part of the IETV, which groups most NC3A test beds and laboratories.

What makes up the IETV?
The IETV capability is made up of four essential components:
- Processes
- Supporting documentation
- A (HW/SW) test bed
- Know-how

Which CIS functions does the IETV cover?
The IETV covers CIS interfaces (with the national systems), transmission, bandwidth management, voice/video/VTC services, information exchange, network services, core IS services, functional services, information assurance and management.
What can it be used for?
The IETV capability can be used to:
- Validate nationally-provided CIS
- Support the Commander with the certification of the unit
- Develop new applications and technologies
- Experiment with and test new CIS concepts and applications

The IETV Architecture

A generic architecture based on a functional analysis. It comprises all relevant CIS functions of the Deployable CIS for a NATO expeditionary mission and allows maximum modularity and re-use of existing test beds and labs at NC3A. The modular design allows deploying only those elements that are essential to provide local, identical interfaces and services; this is called the deployable footprint of the IETV. The most complex systems stay in the static part of the IETV, in The Hague, along with the on-site expertise and know-how. This optimizes availability of the test bed and reduces the cost of deployment. National facilities can join the IETV as needed. In 2009, an extended deployable footprint of the IETV (including some information systems) can be seen at the SFCE 09 exercise.

[Figure: IETV architecture. Functional blocks: core services, information assurance, information exchange, interfaces, network services, voice/video, bandwidth management, transmission, experiments. Deployable footprint: Deployable Point of Presence (dPoP), Interface with Nations Module (INM), Micro Information Systems Module (µISM), linked to the static IETV core infrastructure at NC3A (The Hague). Also shown: the nationally-provided systems to validate, test and experiment.]

CIS Validation using the IETV

The CIS validation process (left) starts from a nationally assessed system and uses verification to determine compliance with NATO DCIS requirements. Results from verification are subject to a verification assessment process (right), which aims to explain which interoperability issues exist, how to mitigate them, and the consequences of not doing so.

The IETV in SFCE 09 (II: detailed view)

The IETV Automated Testing Tool (IATT)

What is the IATT?
The IETV Automated Testing Tool (IATT) provides the means to quickly verify a number of interoperability requirements in an automatic manner. This degree of automation allows conducting a large number of tests in a few minutes and repeating those tests for different security domains and different units.

How does it work?
Two IATT nodes (master and slave) are connected at the user sides of two networks interconnected through a Service Interoperability Point (SIOP). Each node represents a different user community. Automatic processes exercise multiple traffic types and services across the SIOP. Tests are done in accordance with the outstanding interoperability criteria (NC3A TN-1174). Results are captured and reported back to the user. Several CIS can be verified at the same time using only one master IATT node and several slave IATT nodes, one per CIS.

Which functionality is provided?
The IATT automatically verifies CIS interoperability for the following services:
- Transmission and communications: connectivity, routing, protocol/port/service filtering, NTP, DNS, FTP, etc.
- Core services: mail, web and secure web

How can nations use the IATT?
By using the IATT, nations can quickly and inexpensively identify and resolve configuration issues that might impair interoperability at the application level. In particular, the IATT looks at the interconnection of NATO and the nation with special emphasis on firewall/gateway configuration, services configuration, routing capabilities and network/application protocols, to name a few.

The IETV Automated Testing Tool (IATT) - II

IATT in SFCE 09
The IATT automatically verifies CIS interoperability for the following services:
- Transmission and communications: connectivity, routing, protocol/port/service filtering, NTP, DNS, etc.
- Core services: mail, web and secure web

The IATT will integrate the results of the automated tests into the exercise database. The IATT will be deployed throughout the exercise in LCC-HQ-NRF-13/14, helping to resolve interoperability issues.

NC3A Experimentation Program of Work: IEG-Light Extension "MIP-DEM"

What is the MIP-DEM IEG-Light Extension?
The MIP-DEM IEG-Light Extension provides proxy functionality for the MIP-DEM protocol, interconnecting C2 applications across security domains (NATO Secret / National Secret).

How does it work?
The JCOP Layer Manager (LM) implementation is used as the service proxy. All MIP-DEM information exchange is terminated and forwarded by the MIP-DEM IEG-Light Extension in both directions. The contracts between the C2 applications in the different security domains are always created via the MIP-DEM proxy located in the IEG-Light.

Which functionality is provided?
- Controlling the information flow between the security domains
- Ensuring the integrity of the MIP-DEM protocol

NC3A Experimentation Program of Work: IEG-Light Extension "IEG-Light Voice Module"

IEG-Light Voice Gateway

What is the IVM?
The IEG-Light Voice Module (IVM) provides a secured voice gateway function between the voice services of different security domains.

How does it work?
The IVM prototype is realized with single board computers (SBC) running the EAL4+ evaluated Linux operating system and the Asterisk soft switch software. All VoIP traffic from one security domain is terminated at the IVM. All incoming calls are converted to ISDN (G.711) and forwarded over an ISDN E1 trunk. The outgoing traffic is transcoded to any required codec (G.726, G.729, G.711, etc.). Supported protocols for interconnecting to the IVM are SIP, IAX2 (IP trunking) and H.323. Current IVM developments will allow recognising the contents and type of the traffic (voice, fax, modem) as well as detecting hidden channels; traffic is then to be controlled according to its contents.

Which functionality is provided?
- Access control for security domain access: LDAP / PIN / calling party number
- Limits the information exchange between security domains to voice/fax/modem services
- Codec and protocol conversion
- Content scanning: controls whether voice, fax or modem signals are transported in the channels

[Figure: Security Domain A (e.g. NATO Secret) and Security Domain B (e.g. National Secret), each connected over IP (SIP/IAX2, H.323) to the IVM, which performs protocol conversion, access control, codec conversion and content scanning; the two halves are joined over ISDN E1.]
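The content-scanning function described above (deciding whether a channel carries voice, fax or modem signals) is the kind of check that can be shown in code. The example below is added here and is not NC3A's IVM code: it classifies 20 ms frames of 8 kHz (G.711-rate) audio with the Goertzel algorithm, looking for the 1100 Hz fax calling tone (CNG) and the 2100 Hz answer tone used by fax machines and data modems, and then aggregates frame labels into a per-call decision. The frame size, the energy-ratio threshold, the minimum run lengths and the synthetic test signals are assumptions for illustration, not values taken from the IVM.

```python
# Added example, not NC3A's IVM code. It shows the kind of content scanning the
# IVM slide describes: deciding per 20 ms frame whether a channel carries the
# fax calling tone (CNG, 1100 Hz), the 2100 Hz answer tone used by fax and data
# modems, or voice-like audio, using the Goertzel algorithm at an 8 kHz
# (G.711) sample rate. Frame size, thresholds, run lengths and the synthetic
# test signals are assumptions for illustration.
import math
import random
from typing import Dict, List

SAMPLE_RATE = 8000
FRAME = 160  # 20 ms at 8 kHz, the common G.711/RTP packetization
# Target tones. 1100 and 2100 Hz fall on integer DFT bins for N=160, so the
# Goertzel estimate has no leakage for a steady tone.
TONES = {"fax_cng": 1100.0, "ans_2100": 2100.0}


def goertzel_power(samples: List[float], freq_hz: float,
                   rate: int = SAMPLE_RATE) -> float:
    """Squared DFT magnitude at the bin nearest freq_hz (Goertzel recurrence)."""
    n = len(samples)
    k = int(0.5 + n * freq_hz / rate)
    coeff = 2.0 * math.cos(2.0 * math.pi * k / n)
    s_prev = s_prev2 = 0.0
    for x in samples:
        s = x + coeff * s_prev - s_prev2
        s_prev2, s_prev = s_prev, s
    return s_prev2 * s_prev2 + s_prev * s_prev - coeff * s_prev * s_prev2


def classify_frame(samples: List[float], threshold: float = 0.6) -> str:
    """Label one frame: 'silence', a tone name from TONES, or 'voice_or_other'.
    A bin-aligned pure tone gives a normalised ratio of 1.0; voice spreads its
    energy over many bins and scores near 0 at the target bins."""
    total = sum(x * x for x in samples)
    if total < 1e-6:
        return "silence"
    n = len(samples)
    best, best_ratio = "voice_or_other", 0.0
    for name, freq in TONES.items():
        ratio = goertzel_power(samples, freq) / (total * n / 2.0)
        if ratio >= threshold and ratio > best_ratio:
            best, best_ratio = name, ratio
    return best


def classify_call(frames: List[List[float]]) -> str:
    """Aggregate frame labels: CNG is sent in bursts of about 0.5 s, ANS is a
    continuous tone of several seconds, so require sustained runs (assumed
    minimum lengths) before declaring fax or modem traffic on the channel."""
    labels = [classify_frame(f) for f in frames]
    longest: Dict[str, int] = {}
    run_label, run_len = None, 0
    for lab in labels + [None]:          # sentinel flushes the final run
        if lab == run_label:
            run_len += 1
            continue
        if run_label is not None:
            longest[run_label] = max(longest.get(run_label, 0), run_len)
        run_label, run_len = lab, 1
    if longest.get("fax_cng", 0) >= 20:      # >= 0.4 s of 1100 Hz
        return "fax"
    if longest.get("ans_2100", 0) >= 50:     # >= 1.0 s of 2100 Hz
        return "modem_or_fax_answer"
    return "voice"


# Constructed signals for a stand-alone run (no audio files needed).
def tone(freq_hz: float, n_frames: int, amp: float = 0.5) -> List[List[float]]:
    return [[amp * math.sin(2.0 * math.pi * freq_hz * i / SAMPLE_RATE)
             for i in range(f * FRAME, (f + 1) * FRAME)] for f in range(n_frames)]


def voice_like(n_frames: int, seed: int = 1) -> List[List[float]]:
    """Crude voiced-speech stand-in: 150 Hz fundamental plus harmonics and noise."""
    rng = random.Random(seed)
    return [[sum(0.3 / h * math.sin(2.0 * math.pi * 150.0 * h * i / SAMPLE_RATE)
                 for h in (1, 2, 3, 4)) + 0.05 * rng.uniform(-1.0, 1.0)
             for i in range(f * FRAME, (f + 1) * FRAME)] for f in range(n_frames)]


if __name__ == "__main__":
    for name, frames in (("fax call setup", tone(1100.0, 25) + voice_like(50)),
                         ("modem answer", tone(2100.0, 60)),
                         ("plain voice", voice_like(100))):
        print(f"{name:15} -> {classify_call(frames)}")
```

Two design points follow from the slide's own functionality list. First, tone detection of this kind belongs on the G.711 leg, before any transcoding to a low-bitrate codec such as G.729, which is not designed to carry modem signals faithfully. Second, a tone detector only identifies the standard fax and modem signalling; data hidden inside voice-band audio (the "hidden channels" the slide lists as a separate development goal) needs a different analysis and is not covered by this check.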

NC3A Experimentation Program of Work: Secure Voice Gateway

What is the SVG?
The Secure Voice Gateway (SVG) is a tool designed to provide end-to-end secure voice services between networks using different voice and/or encryption technology (ISDN, POTS, VoIP, etc.).

How does it work?
The SVG prototype is built from two PABXs (a secure and a non-secure one), connected via appropriate crypto devices. Currently the two PABXs are realized with single board computers (SBC) running the EAL4+ evaluated Linux operating system and the Asterisk soft switch software. Traffic from User A is encrypted (using User A specific cryptos) and tunnelled through the NATO network towards the SVG. In the SVG the traffic is decrypted, re-encrypted (using the User B1 specific cryptos), switched and forwarded to User B1. Alternatively, users on the red IP network (User B2) can reach users on the PSTN network (User A and B2) and vice versa. The SVG currently supports the following interfaces: ISDN PRI, ISDN BRI, analogue and Ethernet.

Which functionality is provided?
- Secure voice services between participants using different media and voice encryption devices
- Local and remote
- Multiple parallel voice services
- Open design for easy integration of additional crypto devices

NC3A Experimentation Program of Work: NC3A - 1GNC Voice Experiment

What is the NC3A - 1GNC Voice Experiment about?
Interconnection of secure voice services between 1GNC National Secret (IP based) and NATO Secret (ISDN based). The security domains are separated by the IEG-Light with an IEG-Light Voice Module (IVM). The transition between secure ISDN and voice over secure IP is done by the Secure Voice Gateway (SVG) developed by NC3A.

The IEG-Light (I)

What is the IEG-Light?
The Information Exchange Gateway (IEG) "Light" is a small, highly deployable and affordable module that provides secure gateway services between a deployed NATO CIS and a deployed national CIS of a NATO member nation.

How does it work?
The IEG-Light component filters all traffic from the nation in its router. The firewall directs all granted traffic to the proxy servers in the IEG-Light DMZ; all unwanted traffic is dropped. The proxies can be accessed from the NATO side. Therefore, no direct communication between the NS network and the national network is possible. All traffic is audited by the IDS.

Which functionality is provided?
The IEG-Light packet switched (PS) component is a secure interface between the NATO Secret (NS) network and the national secret network. Services supported by the IEG-Light PS component are the core information services: mail, web publishing and GAL synchronization. For SFCE 09, new functionality provided inside the IEG-Light is FS support by the MIP-DEM extension and secure VoIP support by the IEG-Light Voice Module (IVM).

[Figure: IEG-Light Specialized Module and IEG-Light Main Module.]
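The IATT description (services exercised across a SIOP, results compared against interoperability criteria, with emphasis on firewall/gateway filtering) and the IEG-Light description above (only proxied services reachable, no direct path between the NS and national networks) are two sides of one check: does what the gateway actually lets through match what the policy says it should? The example below is added here and is not NC3A's IATT or IEG-Light code. It models one automated pass: a list of service checks is run from the national side through a pluggable probe and each result is compared with the expected policy, so that an allowed service that does not answer is reported as an interoperability issue and a denied service that does answer is reported as a security issue (a path bypassing the proxies). All addresses, ports, service names, the policy table and the simulated observation are assumptions for illustration.

```python
# Added example, not NC3A's IATT or IEG-Light code. It models one IATT pass:
# a list of service checks run from the national side of a SIOP, each compared
# with what the IEG-Light policy says should be reachable. Host addresses, port
# numbers, service names and the policy itself are assumptions for illustration.
import socket
from dataclasses import dataclass
from typing import Callable, Dict, List

# A probe answers "did host:port accept a connection?"; the real probe below
# uses TCP connect, the simulated one replays a constructed observation.
Probe = Callable[[str, int], bool]


@dataclass(frozen=True)
class ServiceCheck:
    name: str            # label used in the report, e.g. "smtp-proxy"
    host: str            # target on the far side of the SIOP (assumed address)
    port: int
    expected_open: bool  # what the agreed cross-domain policy says


@dataclass(frozen=True)
class Finding:
    check: ServiceCheck
    observed_open: bool

    @property
    def verdict(self) -> str:
        if self.observed_open == self.check.expected_open:
            return "PASS"
        if self.check.expected_open:
            # Policy allows the service but gateway/firewall/routing blocks it:
            # the interoperability defect the IATT is meant to surface.
            return "INTEROP_ISSUE"
        # Policy denies the service but it answers: a path bypasses the proxies,
        # which breaks the "no direct communication" property of the IEG-Light.
        return "SECURITY_ISSUE"


def run_checks(checks: List[ServiceCheck], probe: Probe) -> List[Finding]:
    """Exercise every check once through the given probe."""
    return [Finding(c, probe(c.host, c.port)) for c in checks]


def summarize(findings: List[Finding]) -> Dict[str, int]:
    counts = {"PASS": 0, "INTEROP_ISSUE": 0, "SECURITY_ISSUE": 0}
    for f in findings:
        counts[f.verdict] += 1
    return counts


def report(findings: List[Finding]) -> str:
    lines = [f"{f.verdict:15} {f.check.name:12} {f.check.host}:{f.check.port} "
             f"expected={'open' if f.check.expected_open else 'closed'} "
             f"observed={'open' if f.observed_open else 'closed'}"
             for f in findings]
    return "\n".join(lines)


def tcp_probe(host: str, port: int, timeout: float = 2.0) -> bool:
    """Probe for use on a real test network: plain TCP connect.
    UDP services (DNS, NTP) need a protocol-aware probe instead."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


# Constructed policy (assumed addresses): only the DMZ proxies and the
# infrastructure services may answer from the national side; anything that
# would reach the NS network directly must be dropped by the IEG-Light router.
IEG_LIGHT_POLICY = [
    ServiceCheck("smtp-proxy", "10.0.1.10", 25, True),
    ServiceCheck("http-proxy", "10.0.1.11", 80, True),
    ServiceCheck("https-proxy", "10.0.1.11", 443, True),
    ServiceCheck("dns", "10.0.1.12", 53, True),
    ServiceCheck("ntp", "10.0.1.12", 123, True),
    ServiceCheck("direct-smb", "10.0.2.20", 445, False),
    ServiceCheck("direct-rdp", "10.0.2.20", 3389, False),
    ServiceCheck("direct-ftp", "10.0.2.21", 21, False),
]

# Constructed observation of a misconfigured gateway: the secure-web proxy is
# down (an interoperability issue) and RDP leaks straight into the NS side.
SIMULATED_REACHABILITY = {
    ("10.0.1.10", 25): True, ("10.0.1.11", 80): True, ("10.0.1.11", 443): False,
    ("10.0.1.12", 53): True, ("10.0.1.12", 123): True,
    ("10.0.2.20", 445): False, ("10.0.2.20", 3389): True, ("10.0.2.21", 21): False,
}


def simulated_probe(host: str, port: int) -> bool:
    return SIMULATED_REACHABILITY.get((host, port), False)


if __name__ == "__main__":
    results = run_checks(IEG_LIGHT_POLICY, simulated_probe)
    print(report(results))
    print(summarize(results))
```

On a real test network the same `run_checks` call is made with `tcp_probe` (or a protocol-aware probe for UDP services) from a node on the national side; the slave/master split the IATT slide describes would put the probe on one node and the policy comparison and reporting on the other. The point of keeping the two verdict classes apart is that they go to different owners: an INTEROP_ISSUE is a configuration item for the nation or the gateway team, whereas a SECURITY_ISSUE means the gateway is not enforcing the separation it is accredited for and must be fixed before the interconnection is used.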

The IEG-Light (II)

[Figures: Concept of Operation of the IEG-Light; IEG-Light Functional Architecture; IEG-Light Hardware Architecture; IEG-Light Software Architecture; IEG-Light (Remote) Management Interface; IEG-Light Main (bottom) and Specialized (top) Modules. Voice services block: access control, protocol conversion, codec conversion, content scanning.]

Example of IETV CIS Verification Results

Objectives of the 2009 SFCE IETV campaign

Primary objectives:
- Test and validate nationally provided CIS (LCC-HQ-NRF-13-GBR)
- Test and validate nationally provided CIS (LCC-HQ-NRF-14-DNK)
- Test interoperability between NATO C2/FS and national C2/FS
- Test cross-domain data and voice exchange mechanisms
- Identification (resolution) of interoperability issues

Other objectives:
- Experiment with the IETV Automated Testing Tool (IATT)
- Experiment with NATO gateways for national MIP-DEM traffic
- Support a national experiment with the IETV (NRDC-SP-JCOP-XML)
- Demonstrate NATO gateways for FS traffic
- Demonstrate the "zero-configuration" model for national CIS provision