Topic 22 Network Operations Center


Fleet Network Operations Centers (FLTNOCs)

A. Introduction

Understanding IP connectivity and services provided to the Strike Group is critical to the modern warfighter. The purpose of this topic is to introduce the student to the architecture, hardware, services, and support provided by the Fleet Network Operations Centers (FLTNOCs).

B. Enabling Objectives

22.1 DESCRIBE the basic architecture for a Fleet Network Operations Center (FLTNOC).
22.2 DISCUSS services provided by the FLTNOC.
22.3 IDENTIFY the reference for and EXPLAIN INCHOP / OUTCHOP procedures.

C. Topic Outline

FLTNOC architecture
FLTNOC core equipment
FLTNOC ADNS Inc II architecture
FLTNOC email services
FLTNOC firewall system
FLTNOC web services
FLTNOC support concept
INCHOP / OUTCHOP Procedures
High Speed Global Ring (HSGR)

D. References

1. NTP-4, Naval Communications, 18 January 2008

Figure 21.1 - The FLTNOC Architecture.

Fleet Network Operations Centers (FLTNOCs)

The FLTNOCs provide Internet Protocol (IP) connectivity and services to the Fleet (both underway and pier side) and act as regional gateways to the Defense Information Systems Network (DISN) in their respective Areas of Responsibility (AOR). This is accomplished through the use of a flexible network architecture that can meet the unique needs of the different regional forces. The nomenclature for the FLTNOC is AN/FSQ-206.

There are four sites designated as FLTNOCs:

European Central Region Network Operations Center (ECRNOC), NCTS Naples, Italy
Indian Ocean Region Network Operations Center (IORNOC), NCTS Bahrain
Pacific Region Network Operations Center (PRNOC), NCTAMS PAC
Unified Atlantic Region Network Operations Center (UARNOC), NCTAMS LANT

There is also a PRNOC detachment located in Yokosuka, Japan for 7th Fleet support. The four FLTNOCs are geographically dispersed around the world to service deployed users, provide the entry points for Navy Tactical Satellite Systems, and also operate and maintain one of the DSCS terminals. Each FLTNOC is typically responsible for providing services to Fleet users located in its corresponding AOR. The current FLTNOC network architecture operates as the individual interface point for Navy units within the AOR to provide access to the DISN.

Connectivity to the FLTNOC while underway is primarily done through ADNS, which uses available satellite communications systems to enable ship-to-shore data connectivity. While pier side, the Base Level Information Infrastructure (BLII) is used to connect the ship's networks to the FLTNOC.

Figure 21.2 - FLTNOC Core Equipment.

FLTNOC Core Equipment

Figure 21.2 provides a list of baseline equipment for the FLTNOC per enclave and is to be used in conjunction with Figure 21.1, which provides a simplified graphical depiction of the FLTNOC architecture. For the sake of brevity, server subsystems are indicated as Service Suites and do not display the correct number of servers. For example, each FLTNOC has at least four DNS/Mail servers in the unclassified enclave, but they are displayed as a single Mail/DNS Suite. Other suites that make up the FLTNOC architecture are the Firewall, Virtual Private Network (VPN), Intrusion Detection, Virus Scan, and Web Cache suites.

The Premise Router is the interface from the FLTNOC to the DISN and is considered an untrusted interface. The Fleet Router is the interface to the afloat networks and is considered a trusted network.

To enhance network security, FLTNOCs use a feature called Split Horizon Domain Name Service (DNS). This is used to provide different DNS query answers to requests initiated inside or outside the Navy enclave. If the DNS zone is active internally (inside the FLTNOC enclave), the DNS/Mail Suite answers a query initiated from inside the enclave with the IP address associated with the ship.

To minimize configuration changes when ships transit from one AOR to another, the FLTNOCs use IP addresses called Virtual IPs (VIPs), which are duplicated between each FLTNOC. VIPs are used within each enclave for DNS forwarding, web cache, Simple Mail Transfer Protocol (SMTP) relay, and Network Time Protocol (NTP). Once the afloat network is configured with the correct FLTNOC IP addresses, a unit should be able to enter or exit an AOR seamlessly.

Figure 21.3 - ADNS Increment II FLTNOC architecture.

FLTNOC Core Equipment (cont)

With the exception of the GENSER SECRET enclave, all IP based data to or from a command is encrypted using a KG-235 or a KG-175 (TACLANE). Of note, the Network Encryption System (NES) had been used for this purpose prior to the TACLANE. Figure 21.3 provides an overview of an ADNS Increment II FLTNOC architecture, depicting the signal flow through ADNS or the Automated Digital Multiplexing System (ADMS), with connectivity to the High-Speed Global Ring (HSGR), DISN, and NMCI.

Figure 21.4 - Email Store and Forward (example flow: mail from spouse@aol.com to sailor@ship.navy.mil; DNS resolves to the UARNOC).

Email Store and Forward

As the Navy's agent for the navy.mil domain, the UARNOC advertises all units' Mail Exchange (MX) records to their root (parent) name servers. These MX records point mail from the outside world to the Mail Transfer Agent (MTA) located within the UARNOC. The Premise Router forwards the mail to the Fleet Firewall. Within the Fleet Firewall are the store and forward MTAs. The Firewall MTAs deliver mail destined for a ship to one of the DNS/Mail Servers located at the FLTNOC.

The FLTNOC DNS/Mail hosts maintain an internal list of active network participants. If the recipient's domain is listed as "active", the DNS/Mail host routes the email to the ship via the Fleet Router. If the recipient's domain is "offline", the email is stored for retrieval at a later time by the respective mail server. The FLTNOC is required to store the mail for as long as 14 days due to shipboard tactical or casualty issues. If additional time is required, this can be coordinated directly with the servicing FLTNOC. It should also be noted that email attachments are limited to 10Mb in the unclass and secret enclaves by policy, but this limit can change due to the tactical situation and increased network bandwidth needs.

At the ship, email is received via the applicable RF or shore path and processed for delivery by the ADNS router. The ADNS router routes the data to the appropriate enclave router for delivery to the Exchange mail server.
Note: The UNCLAS and SCI networks use an INE for their connectivity; GENSER is a straight shot.

Figure 21.5 - Fleet Firewall.

Fleet Firewall

The security posture for each FLTNOC is independently administered, but centrally governed by the Chief of Naval Operations (CNO) / NETWARCOM Unclassified Trusted Network Protect (UTN Protect) firewall policy. Use and enforcement of this policy is mandated by CNO and NETWARCOM security policies. The FLTNOCs are also tasked with implementing IP block lists and DNS black hole lists as promulgated by the Navy Cyber Defense Operations Center (NCDOC).

The Fleet Firewall provides a secure environment for networks. All traffic that passes through the FLTNOC (with the exception of VPN traffic) passes through the Fleet Firewall. The firewall serves as an application gateway, providing packet-level filtering through enterprise-wide policies. The Fleet Firewall, and its associated filtering, applies to all inbound and outbound network traffic.

The Fleet Firewall is composed of the Outer Router, the Outer Foundry ServerIron load balancing switch, the Firewall server farm, the Inner Foundry ServerIron load balancing switch, and the Inner Router. Also included in this functional area are the Netranger Intrusion Detection System (IDS) and Symantec Virus Scanning software.

Figure 21.6 - Web Services.

Web Services

An HTTP request originates at the client workstation. The Web Proxy aboard the ship receives the HTTP request and returns the requested page to the user if it is present in the local web cache. If not, the request is forwarded to the Web Cache Server (Proxy) at the FLTNOC via the normal network path off the ship via ADNS. If the Web Cache Server at the FLTNOC has the requested page in cache, it is returned to the requesting IP address. If it does not, the Web Cache Server forwards the request via the FLTNOC's DNS/Mail hosts. The DNS/Mail hosts resolve the requested address and route the request to the appropriate DISN or to the hosting entity behind the Fleet Firewall for delivery back to the requesting client browser.

Even though proxies have packet filtering capability, they are not used for this purpose. The web proxies exist solely to increase the speed of delivery of HTTP requests to the user and to conserve bandwidth.

Figure 21.7 - FLTNOC Support Levels.

Levels of Service:
Tier One – Watch Section
Tier Two – Systems Administrators
Tier Three – FSET
Tier Four – ISEA

FLTNOC Support Concept

The FLTNOCs use a multi-layered support concept. Each support tier is discussed in further detail below.

Tier One – Provided 24/7 by the active duty Watch section. This support includes troubleshooting ship-to-shore and intra-NOC communications and acts as the primary resource for FLTNOC operations. Daily configuration changes and maintenance of the system are also performed.

Tier Two – System Administrators are responsible for providing the highest state of operational readiness and availability of the FLTNOC to the Fleet.

Tier Three – Provided by Fleet Systems Engineering Team (FSET) engineers, who provide specialized system technical support, engineering assistance, and on-site training and troubleshooting support for all NCTAMS/NCTS personnel.

Tier Four – SPAWARSYSTCEN Charleston acts as the primary engineering activity for FLTNOC development and provides In-Service Engineering Activity (ISEA) support for FSETs, NCTAMS, NCTS, and other Fleet services. The ISEA also provides logistics support for equipment replacement, testing, and training, as well as hardware and software upgrades.

Figure 21.8 - INCHOP / OUTCHOP process (NCTS NAPLES / ECRNOC, NCTAMSLANT / UARNOC, NCTS BAHRAIN / IORNOC, NCTAMSPAC / PRNOC).

INCHOP / OUTCHOP Process

To obtain IP services from a FLTNOC the following criteria must be met:

1. Must have a valid Interim Authority to Operate (IATO) or Authority to Operate (ATO) obtained from the NETWARCOM Designated Approving Authority (DAA).
2. Submit an IP services request message in accordance with Global Communications Information Bulletin (GCIB) 3A.
3. If service will be provided via a satellite communications link, a valid Satellite Access Authorization (SAA) for the intended satellite path is required.

The current system allows fleet units to transit between AORs without making configuration changes to their ISNS equipment. This is facilitated by default configurations in the ADNS and the ISNS that use the FLTNOC's VIP address scheme.

With the exception of physical path connectivity, the gaining FLTNOC drives the change of Operational Control (CHOP) process. Once the satellite communications link has been terminated at the gaining Technical Control Facility (TCF), the theater FLTNOC will enable the Fleet unit's DNS zone on the internal DNS/Mail Servers. All zone changes through the entire INCHOP / OUTCHOP process are accomplished by using either the NOC management web interface or the DNS/Mail servers' command line. The Fleet unit's IP addresses are then added to the "trusted networks" table in the Firewall. The Fleet unit's home theater FLTNOC, which is authoritative for its DNS zone resolution, will be notified by the gaining FLTNOC to direct the unit's external mail to the gaining FLTNOC for delivery.
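As an added example (not part of the course material or any FLTNOC system), the following Python model ties together three behaviours described above: the split-horizon DNS answers from the Core Equipment section, the store-and-forward mail handling with its 14-day retention and attachment limit, and the INCHOP hand-off in which the gaining FLTNOC enables the unit's zone and trusts its addresses while the home FLTNOC redirects the unit's external mail. The NOC names are used only as labels; every address, network prefix, zone and timestamp is a constructed sample.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

RETENTION = timedelta(days=14)      # offline mail is held for as long as 14 days
ATTACH_LIMIT = 10 * 1024 * 1024     # 10 MB attachment limit by policy


def days_after(n):
    # constructed reference clock for the samples: n days after 1 Jan 2024
    return datetime(2024, 1, 1) + timedelta(days=n)


@dataclass
class Message:
    rcpt: str                       # user@<unit zone>
    attach_bytes: int
    received: datetime


@dataclass
class Fltnoc:
    name: str
    enclave: str                    # constructed: the NOC's internal enclave prefix
    mta_ip: str                     # constructed: Fleet Firewall MTA the public MX points at
    active_zones: dict = field(default_factory=dict)  # zone -> ship IP while enabled
    trusted: list = field(default_factory=list)       # firewall "trusted networks" table
    queue: dict = field(default_factory=dict)         # zone -> mail stored for offline units
    forward: dict = field(default_factory=dict)       # zone -> gaining Fltnoc after OUTCHOP

    def resolve(self, qname, qtype, src_ip):
        """Split horizon: the outside only sees the MX; a unit's A record is answered
        only for queries from inside the enclave and only while its zone is active."""
        if qtype == "MX":
            return self.mta_ip
        if qtype == "A" and ip_address(src_ip) in ip_network(self.enclave):
            return self.active_zones.get(qname)
        return None

    def route_mail(self, msg, now):
        """DNS/Mail host decision for a message handed over by the Firewall MTA."""
        zone = msg.rcpt.split("@", 1)[1]
        if msg.attach_bytes > ATTACH_LIMIT:
            return "rejected: attachment over policy limit"
        if zone in self.forward:            # home NOC redirects to the gaining NOC
            nxt = self.forward[zone]
            return "forwarded to " + nxt.name + ": " + nxt.route_mail(msg, now)
        if zone in self.active_zones:
            return "delivered via Fleet Router to " + self.active_zones[zone]
        self.queue.setdefault(zone, []).append(msg)
        return "stored at " + self.name

    def expire(self, now):
        """Discard stored mail older than the retention period; returns the count dropped."""
        dropped = 0
        for zone, msgs in self.queue.items():
            keep = [m for m in msgs if now - m.received <= RETENTION]
            dropped += len(msgs) - len(keep)
            self.queue[zone] = keep
        return dropped

    def is_trusted(self, src_ip):
        return any(ip_address(src_ip) in net for net in self.trusted)


def inchop(zone, ship_ip, unit_net, home, gaining):
    """Gaining NOC drives the CHOP: the NOC serving the unit until now releases it, the
    gaining NOC enables the zone and trusts the unit, and the home NOC redirects mail."""
    losing = home.forward.pop(zone, home)
    losing.active_zones.pop(zone, None)
    losing.trusted = [n for n in losing.trusted if n != ip_network(unit_net)]
    stored = losing.queue.pop(zone, [])
    gaining.active_zones[zone] = ship_ip
    gaining.trusted.append(ip_network(unit_net))
    if gaining is not home:
        home.forward[zone] = gaining
    return [gaining.route_mail(m, m.received) for m in stored]
```

Mail held while a unit is offline is released through the gaining NOC at INCHOP, and a unit returning to its home NOC clears the redirect.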

Figure 21.9 - High Speed Global Ring (HSGR).

High Speed Global Ring (HSGR)

The AN/USQ-169B (V) 1 High Speed Global Ring (HSGR) provides increased capacity and connectivity in the transport communications links between the major naval ashore commands. The HSGR transforms the legacy ADMS shore connectivity architecture into an integrated network of transport services that provides the warfighter with a dynamic, reliable, flexible, and restorable transport service capability. The HSGR enables implementation of new and improved capabilities, including FLTNOC-to-FLTNOC connectivity and JSIPS-N Concentrator Architecture (JCA) connectivity. The primary purpose of the HSGR is to provide an increased transport link between NCTAMS PAC, NCTS San Diego, NCTAMS LANT, NCTS Naples and NCTS Bahrain.

The HSGR network uses Asynchronous Transfer Mode (ATM), which provides transport services for high speed classified and unclassified IP networks as well as existing legacy services to major shore sites. All IP traffic between IT-21 configured commands will remain on Navy controlled networks utilizing the HSGR. The HSGR uses Marconi TNX-1100 and Lucent PSAX 2300 ATM switches interconnected via DISN ATM services or commercial leased lines to interconnect the sites. The ATM backbone enables reconfigurable class and Quality of Service (QoS) parameters for data transport supporting tactical users.

ATM is a dedicated connection switching technology that organizes digital data into fixed-size cells and transmits them over a physical medium using digital signal technology. Individually, a cell is processed asynchronously relative to other cells and is queued before being multiplexed and sent over the transmission path. ATM transmission rates operate at either the OC-3 (155 Mbps) or OC-12 (622 Mbps) rates, though speeds on ATM networks can reach up to OC-192 (10 Gbps).

Figure 21.10 - HSGR Capacity.

High Speed Global Ring (cont)

Operationally, the HSGR architecture supports the following warfighter requirements:

Increased bandwidth
ADNS Increment II/III load distribution
Enhanced restoral capabilities
Interface with other DoD resources
