Secret Internet Protocol Router Network

(SIPRNET) Network Security Plan

8 May 1998

Prepared by: SIPRNET PROGRAM MANAGEMENT OFFICE (D3113)


DISN NETWORKS, DISN TRANSMISSION SERVICES

Issued by: DISA DEPUTY DIRECTOR FOR OPERATIONS (D3)


Table of Contents

Table of Contents...................................................................................ii

1.0 Introduction..............................................................................1
1.1 System Identification....................................................................1
1.2 Purpose........................................................................................3
1.3 Scope............................................................................................1
1.4 Document Organization................................................................2

2.0 SIPRNET Overview...................................................................2

3.0 Network Management.............................................................3


3.1 Network Management Centers (NMCs)........................................3
3.2 Network Management and Control...............................................3
3.3 GOSC Network Management Center............................................4
3.4 ROSC Network Management Center (NMC)..................................4
3.5 Local Control Center (LCC)...........................................................5
3.6 DISA-Europe Regional Operations and Security Center................5
3.7 DISA-Pacific Regional Operations and Security Center.................5

4.0 Individual Roles and Responsibilities...................................5


4.1 DISN Designated Approving Authorities......................................5
4.2 DISN Information Systems Security Officer (ISSO).......................6
4.3 Network Security Officer..............................................................7
4.4 ROSC NMC Security Manager.......................................................7
4.5 ROSC NMC System Administrators...............................................8
4.6 DISN Security Accreditation Working Group...............................10
4.7 DISN Connection Security Responsibilities.................................10
4.7.1 DISN Subscribers.....................................................................10
4.7.2 Subscriber Designated Approving Authorities.........................11
4.7.3 Service/Agency........................................................................11
4.7.4 DISA DISN CSR ......................................................................11
4.7.5 DISA Certification Authority.....................................................11
4.7.6 DISN Security Accreditation Working Group............................11
4.7.7 DISA DAA.................................................................................11
4.7.8 Joint Staff.................................................................................11

5.0 SIPRNET Security...................................................................12


5.1 Security Requirements...............................................................12
5.2 Network Security Services..........................................................12
5.2.1 Availability...............................................................................12
5.2.2 Confidentiality.........................................................................12
5.2.3 Access Control.........................................................................13
5.2.4 Authentication.........................................................................13
5.2.5 Integrity...................................................................................13
5.2.6 Security Management.............................................................13
5.2.7 Non-Repudiation......................................................................13
5.3 SIPRNET Architectural Overview.................................................13
5.3.1 WAN Infrastructure..................................................................14
5.3.2 Subscriber Infrastructure.........................................................14
5.3.2.1 SIPRNET-to-Subscriber Boundary.........................................14
5.3.2.2 Subscriber Community.........................................................16
5.3.3 Router Network Transmission.................................................16
5.3.4 SIPRNET Components..............................................................17
5.3.4.2 SIPRNET Routers...................................................................17
5.3.4.3 Backbone Routers................................................................17
5.3.4.4 ITSDN Routers......................................................................18
5.3.4.5 Circuits.................................................................................18

6.0 Network Security Management...........................................18


6.1 SIPRNET Support Center.............................................................19
6.2 Communication Server (CS).......................................................21
6.3 XTACACS Server Hosts...............................................................22
6.4 Domain Name Service (DNS) Server..........................................23

7.0 Router Layer Security...........................................................23


7.1 Principle of Least Privilege.........................................................23
7.2 Types of Access Service.............................................................23
7.2.1 Access Services Used by Network Management Centers........23
7.2.1.1 TELNET Access.....................................................................24
7.2.1.2 Simple Network Management Protocol (SNMP) Access........24
7.2.1.3 Trivial File Transfer Protocol (TFTP) Access..........................24
7.2.2 Access Services Used by Subscribers......................................24
7.2.2.1 Transmission Control Protocol/Internet Protocol (TCP/IP).....25
7.2.2.2 Serial Line Internet Protocol (SLIP).......................................25
7.2.2.3 Compressed SLIP (CSLIP)......................................................25
7.2.2.4 Point-to-Point Protocol (PPP).................................................25
7.2.2.5 Compressed PPP (CPPP).......................................................25
7.3 Access Control............................................................................26
7.3.1 Management Center Access to Routers..................................26
7.3.1.1 Direct Access to a Router.....................................................26
7.3.1.2 Remote Access via a Network Management System (NMS)......27
7.3.2 Subscriber Access via Communication Servers.......................27
7.3.2.1 Dial-In Access.......................................................................27
7.3.2.2 Privileged Access..................................................................28
7.3.3 Access Control Lists (ACLs).....................................................28
7.3.3.1 At the Network Management Centers..................................28
7.3.3.2 At the Communications Server.............................................29
7.4 Authentication of Interactive Terminal Sessions........................29
7.4.1 Identification and Authentication............................................29
7.4.1.1 At the Network Management Centers..................................30
7.4.1.2 At the Communication Servers.............................................31
7.4.2 Protection of Passwords..........................................................31
7.4.2.1 At the Network Management Centers.................................31
7.4.2.2 At the Communication Servers............................................31
7.4.3 Control of Sessions..................................................................31
7.4.3.1 At the Network Management Centers..................................31
7.4.3.2 At the Communication Servers.............................................32
7.4.4 Inactive Time Out....................................................................32
7.4.4.1 At the Network Management Centers..................................32
7.4.4.2 At the Communication Servers............................................33
7.5 Authentication of Routers...........................................................33
7.5.1 SNMP Authentication...............................................................33
7.5.2 TFTP Authentication................................................................33
7.6 Privileges and Authorizations for Routers...................................33
7.7 Accountability.............................................................................34
7.7.1 Router Audit Events.................................................................34
7.7.2 Router NMS Audit Events........................................................35
7.7.3 Communication Server Audit Events.......................................35

8.0 Other Administrative Network Security Controls.............35


8.1 Password Management..............................................................35
8.2 Network Security Testing...........................................................36
8.3 Network Audits...........................................................................36
8.4 Network Monitoring....................................................................37
8.5 Monitoring of Network Activities.................................................37
8.6 Tracking Abusers........................................................................38
8.7 Reporting Security Faults and Violations....................................39
8.8 Tools for Investigating Network Incidents..................................39
8.9 Recurring Reports.......................................................................39
8.10 Incident Reports.......................................................................39
8.11 Requested Reports...................................................................40
8.12 Site Visits and Security Reviews...............................................40

9.0 Encryption Controls and Key Management.......................40


9.1 Link Encryption...........................................................................40
9.2 Dial-up Encryption......................................................................40
9.3 KG-84.........................................................................................41
9.4 KG-194.......................................................................................41
9.5 KIV-7...........................................................................................41

10.0 Connection Security............................................................41

11.0 Additional Security Features.............................................43


11.1 Wang C2 Guard........................................................................43
11.2 Firewalls...................................................................................45
11.3 KMD5........................................................................................45
11.4 Fortezza....................................................................................45

12.0 Information Security...........................................................45


12.1 Accountability for Output Products...........................................46
12.2 Security Marking......................................................................47
12.3 Network Components...............................................................47
12.4 Printed Paper Output................................................................47
12.5 Microfilm and Microfiche..........................................................47
12.6 CRT Display..............................................................................48
12.7 Magnetic Storage Marking........................................................48
12.8 Clearing, Declassification, and Destruction of Media...............48
12.9 Magnetic Storage Media Clearing.............................................49
12.10 Semiconductor Memory.........................................................50
12.10.1 Volatile Semiconductor Memory..........................................50
12.10.2 Nonvolatile Semiconductor Memory....................................50
12.11 Test and Diagnostic Equipment..............................................50

13.0 SIPRNET Administrative Security......................................50


13.1 Personnel Security....................................................................51
13.2 Required Clearance Levels.......................................................51
13.3 Foreign Nationals.....................................................................52
13.4 Contractors...............................................................................52
13.5 Personnel Problems..................................................................53
13.6 Dismissed and Departed Personnel..........................................53
13.7 Termination Briefings...............................................................53

14.0 Physical Security.................................................................54


14.1 Entry Control............................................................................54
14.2 Required Physical Security Controls.........................................55
14.3 Structural Considerations.........................................................55
14.4 Protection of IS Resources from Fire and Water.......................56
14.5 Electric Power...........................................................................56
14.6 NMC Housekeeping..................................................................56
14.7 Protection of Magnetic Media...................................................56
14.8 User Registration Controls........................................................56

15.0 Configuration Management...............................................57


15.1 Configuration Management Databases....................................57
15.2 Configuration Management Requirements...............................58
15.3 Detailed Configuration Information..........................................58
15.4 Routers.....................................................................................58
15.5 Network Management Systems................................................59
15.6 Encryption Devices...................................................................59
15.7 Communication Servers...........................................................59

16.0 Contingency Planning.........................................................60

16.1 Contingency Plan Elements......................................................60
16.1.1 Emergency Response Plan....................................................61
16.1.2 Backup Operation Plan..........................................................61
16.1.3 Restoration Action Plan.........................................................61
16.1.4 Test and Maintenance Plan...................................................61
16.2 Required Procedures................................................................62

17.0 Security Training.................................................................63


17.1 Security Training Program........................................................63
17.2 Initial Briefings.........................................................................64
17.3 Refresher Briefings...................................................................64
17.4 Specific Assignment Security Training.....................................64
17.5 Foreign Travel Briefings...........................................................65

List of References.............................................................................66

Glossary..............................................................................................69

Appendix A. Standard Operating Procedures..............................75

SIPRNET Network Security Plan

1.0 Introduction

1.1 System Identification

The Defense Information System Network (DISN) is a major Department of Defense (DOD)
program for the purpose of providing long-haul information transfer mechanisms to DOD
users worldwide. As shown in Figure 1, DISN has Internet Protocol (IP) router networks
operating under differing security levels. The Secret Internet Protocol Router Network
(SIPRNET) was the first to become operational.

Figure 1. DISN IP Router Architecture (layers shown, top to bottom: TS/SCI Layer; SIPRNET, Secret Layer; NIPRNET, Sensitive But UNCLASSIFIED Layer)

1.2 Purpose

The purpose of this document, the Secret Internet Protocol Router Network (SIPRNET)
Network Security Plan, is to serve as a handbook for the SIPRNET security personnel and
System Administrators in implementing the DISN security policy (DISA, 1993) and
architecture (DISA, 1992). It identifies the SIPRNET networking components and other
SIPRNET resources that need to be protected. It also describes procedures that must be
followed and specific actions that should be taken by SIPRNET security personnel and
System Administrators at SIPRNET Regional Operational and Security Centers (ROSCs) to
accomplish DISN security objectives.

1.3 Scope

The plan presents a high-level description of the security procedures for the SIPRNET. It
should be viewed as an evolutionary document, which will be continually updated to reflect
changes in the SIPRNET architecture and its security requirements due to incorporation of
new technologies. Only the current SIPRNET architecture has been considered in the plan.
The plan presents a high-level description of the security procedures for the SIPRNET.

1.4 Document Organization

The document consists of 16 sections, including this introductory section, and one
appendix. The sections addressing specific SIPRNET security concerns are, in general,
designed to be stand-alone sections, although some of these sections are cross-referenced in
the document.

2.0 SIPRNET Overview

SIPRNET is a system-high network serving single-level subscriber systems that operate at
the classified Secret level. It is composed primarily of routers for transporting data at high
speeds. The fundamental requirement for the SIPRNET is to provide a transmission medium
to interconnect all subscriber systems, regardless of whether they are hosts, local distribution
systems, or routers supporting a multitude of local systems. The SIPRNET architecture was
designed to meet these overall goals:

• Provide a baseline that can be used for future growth and change.
• Allow for a large growth in subscriber networking requirements, both in quantity of
subscriber systems and in end-to-end throughput.
• Allow for the deployment of new standard routing protocols, as they become available.
• Be capable of taking advantage of new technologies as they become commercially
available.
• Be capable of providing GOSIP service.

SIPRNET is managed within the DISN network management structure. The DISN Global
Operational and Security Center (GOSC) provides DISA management oversight to
SIPRNET. The day-to-day management of SIPRNET is executed through the ROSCs.
There are three permanent ROSCs. The primary ROSC is in the Pentagon where it provides
network support, administration, operations, and status monitoring of DISA assets and
services for the Continental United States and senior management services to the other
ROSCs. The two other permanent ROSCs are located respectively within the Headquarters
(HQ) DISA Europe and DISA Pacific. The DISA Europe and DISA Pacific ROSCs provide
network support, administration, operations, and status monitoring of DISA assets and
services for their assigned geographic areas of responsibility. When required, a fourth DISA
ROSC has been constituted in South West Asia to support the requirements of HQ Central
Command (CENTCOM).

Integral to the operations of the ROSCs is the SIPRNET Support Center (SSC), which
provides 24-hours-a-day, 7-days-a-week value-added support services to SIPRNET. The SSC
is located in Vienna, Virginia.

3.0 Network Management

The SIPRNET network management concept has been developed to deal with information
networking from end to end. Under this concept, DISA is responsible for providing and
managing end-to-end information transfer services. The concept provides for a single
interface to the subscriber for the full range of SIPRNET services. To accomplish this, one
level of network management support has been established through the ROSC. The
SIPRNET Support Center in Vienna, VA, provides secondary support services, while the
GOSC at DISA HQ provides DISA management oversight.

3.1 Network Management Centers (NMCs)

The SIPRNET has three permanent ROSC NMCs:

• Main Continental US (CONUS) ROSC NMC at the Pentagon

• DISA Europe (EUR) ROSC NMC at Stuttgart, Germany

This facility is responsible for the network management workload in the European Theater of
operations.

• DISA Pacific (PAC) ROSC NMC at Wheeler Army Air Field (AAF), Hawaii

This facility is responsible for the network management workload in the Pacific Theater of
operations.

As previously stated, a fourth ROSC in South West Asia can support HQ Central Command
(CENTCOM) when required.

3.2 Network Management and Control

Under the DISN concept, DISA is responsible for providing and managing end-to-end
information transfer services. Many organizational entities make up and administer the end-
to-end transfer services as shown in Figure 2. These entities include the GOSC, the ROSC,
the DISN long-haul communications structure, the LCC S/As' network managers, and others.

In order for subscribers' problems to be solved and end-to-end service maintained, all of
these groups interact at the international, national, regional, and local levels. The types of
problems expected on the SIPRNET are similar to those found in the pre-DISN environment.
For example, a subscriber may not have the ability to make a connection that requires
SIPRNET services. An incorrect network component configuration, a break in transmission
lines, or a corrupted IP routing table may cause this. Another type of problem might be
deterioration in quality of service (e.g., intermittent disconnection because of timing out
problems to a remote host). This problem might appear to an end subscriber as slow network
response and could be caused by degraded transmission lines, which subsequently disrupt IP
routing. These problems can occur anywhere along the path from end subscriber across the
DISN to another end subscriber. In order to effectively support the end-to-end information
service responsibilities, it is necessary to establish very specific, formal relationships
between all of the multiple managers of the SIPRNET. SIPRNET operators and
administrators at the ROSCs are not responsible for subscribers' local systems, but need to be
aware of subscriber networks as a potential source of problems. Information will need to be
exchanged between network managers from the different S/As.

Figure 2. Network Management Structure

3.3 GOSC Network Management Center

The GOSC, as the top-level system, performs the executive management oversight and
monitoring of the DISN. The GOSC includes the NMSs, organizations, personnel, and
resources for providing the overall operational direction and management control over all
elements of DISN. The GOSC monitors the status of the entire, worldwide DISN structure,
including the SIPRNET WAN. The GOSC works through the ROSCs to accomplish this
mission. The GOSC consults on and resolves issues that the SIPRNET ROSCs cannot solve
locally. The GOSC works with the National Command Authority (NCA) and the DISA
management structure and conveys all policy and management decisions to the ROSCs.

3.4 ROSC Network Management Center (NMC)

Regional Operations and Security Center NMCs are responsible for the day-to-day operation
of the SIPRNET, executing operational direction and control of the network on a 24-hours-a-
day, 7-days-a-week basis. The ROSC NMCs include organizations, personnel, and resources
performing the day-to-day management over the DISN. ROSC NMCs receive operational
direction from the GOSC NMC and provide status information reports to the GOSC.

The ROSCs provide centralized administration, provisioning, customer service, operation,
maintenance, monitoring and control of the SIPRNET assets and services. The ROSCs will
make every effort to resolve regional problems and issues before escalating requests for
support to the GOSC.

3.5 Local Control Center (LCC)

The Local Control Centers (LCCs) support local subscribers' communications infrastructures.
DISA establishes guidance and standards for the establishment and management of
telecommunication activities and the local telecommunication infrastructure.

The Services and Agencies (S/As) operate the LCCs. Where established, the management of
base/post/camp/station telecommunication infrastructures is performed by the LCCs. On an
as-requested basis by the S/A, individual LCC functions may be integrated into the ROSCs
with read-only access to the real-time DISN management database. LCCs need access to the
SIPRNET WAN performance management data retained at the ROSCs to effectively provide
support services to their constituencies.

3.6 DISA-Europe Regional Operations and Security Center

The DISA-Europe ROSC NMC is responsible for monitoring and controlling the backbone
routers, the Communication Servers, and the Modems/STU-III Secure Data Devices
geographically located within the European Theater. The DISA-Europe ROSC has been
activated at Stuttgart, Germany (connected to IPR 182, Vaihingen).

3.7 DISA-Pacific Regional Operations and Security Center

The DISA-Pacific ROSC NMC is responsible for monitoring and controlling the backbone
routers, the Communication Servers, and the Modems/STU-III Secure Data Devices
geographically located within the Pacific Theater. The DISA-Pacific ROSC is at Wheeler
AAF, Hawaii.

4.0 Individual Roles and Responsibilities

4.1 DISN Designated Approving Authorities

DISN supports and employs security services, protection mechanisms and procedures
identified in the DISN Security Architecture (DISA, 1992) that are based upon and reaffirm
the accreditation process specified in DOD directive 5200.28 (DOD, 1988). According to
this directive, DISA is the Designated Approving Authority (DAA) responsible for
implementing the security architecture and other programs across DISN that handle clear-text
(unencrypted/RED) General Service (GENSER) traffic. In other words, the DISA DAA is
responsible only for the UBS and Secret router networks. DISA, as DAA, is responsible for
executing Memoranda of Agreement (MOAs) with the DAAs of the subscribers' Automated
Information Systems (AISs) that attach to the DISN. According to DOD directive 5200.28,
the DIA is the DAA responsible for implementing security programs on the TS/SCI router
network. In addition, NSA is responsible for validating requirements for, and managing and
accrediting all NSA and/or Central Security Service (CSS) cryptographic systems.

Each of the DAAs, (DISA, DIA, NSA, and the JS) performs the following functions as
described in the DISA Security Requirements for Automated Information Systems (DISA,
1991):

• Reviews and approves security safeguards of components that comprise DISN network
layers and issues accreditation statements for each component under the DAA's
jurisdiction based on the acceptability of the security safeguards for the component.

• Ensures that all safeguards required, as stated in the accreditation document for each
component, are implemented and maintained.

• Develops policies and operating procedures to ensure the implementation of DOD
Directive 7920.1 (DOD, 1988) and to ensure the effective application of component
life-cycle management principles.

• Identifies security deficiencies and, where the deficiencies are serious enough to preclude
accreditation, takes action (e.g., allocates additional resources) to achieve an acceptable
security level.

• Ensures that an Information System Security Officer is named for the DISN, and that he
or she receives applicable training to carry out the duties of this function. It is
recommended that the Information Systems Security Officer (ISSO) not report to an
operational element of the DISN over which the security requirements of this function
must be enforced.

• Requires that a security education and training program be in place for the DISN.

• Ensures that data ownership is established for each DISN component, to include
accountability, access rights, and special requirements.

4.2 DISN Information Systems Security Officer (ISSO)

The DISN ISSO, appointed by the DISA DAA, acts as the main point of contact for DISN
security. This position carries the following responsibilities:

• Develop, implement, promulgate, and maintain an effective DISN Security Management
Program.

 Conduct periodic reviews of the implemented DISN security management program and
procedures to ensure their compliance with DISN security policy and security
architecture.

 Select security events to be audited and remotely collected.

 Ensure that DISN security is included in all Contingency Plans.

 Review network modification plans to ensure that the security of DISN is not adversely
affected.

 Represent DISA in the DISN Security Accreditation Working Group

 Advise the DISN DAAs on the use of specific security mechanisms within the DISN.

 Maintain accreditation documentation for all DISN layers (and network layers within a
layer) and their components.

 Report all security violations to the relevant DAA. Maintain a record of all incidents
related to network security and report serious and unresolved incidents to the DAA.
Report any incident involving the possible loss or compromise of classified information
to the DAA.

 Identify resources required to implement an adequate DISN security awareness and


training program and prepare necessary budget input.

 Apply for billet positions for personnel requiring TS/SCI clearances to work in the DISN
GOSC and ROSC NMCs, as required.

 Administer (develop and deliver) security awareness and training programs.

 Ensure that a security manager is appointed for each ROSC NMC.

 Act as the focal point and advisor to ROSC security managers.

 Identify DISN node site coordinators and conduct annual DISN security management
workshops.

 Prepare and conduct briefings, attend conferences, and perform site visits, as required, to
ensure that the security requirements of DISN are met.

 Maintain a log of verified software releases and changes for various DISN sites.


4.3 Network Security Officer

The primary responsibility of the Network Security Officer (NSO) is to direct and coordinate
investigations into network security incidents that could lead to compromise of classified or
UBS information. The NSO will perform an initial evaluation of security problems. If
necessary, the NSO will temporarily deny access to the affected portion of the network and
report security problems to the appropriate authorities. The NSO will work closely with
Federal law enforcement agencies, military services, or Federal agencies in investigating
security incidents. The NSO will keep DISN ISSO apprised of the status of all DISN
security incidents being investigated, directed, or coordinated by the NSO.

4.4 ROSC NMC Security Manager

Each SIPRNET ROSC NMC Security Manager acts on behalf of the DISN ISSO to
implement the SIPRNET Security Management Plan and acts as a point of contact for all
network security matters within each respective theater (OCONUS, EUR, PAC). This
position reports to the DISN ISSO and carries the following responsibilities:

 Implements network security procedures as directed by the DISN ISSO.

 Prepares, distributes, and maintains plans, instructions, guidance, and the Standard
Operating Procedures (SOPs) concerning the security of DISN and the NMC operations.

 Is responsible for physical security of the NMC.

 Is responsible for declassification of all NMC hardware and firmware components.

 Ensures that all DISN COTS software is properly screened for malicious software being
installed on DISN components.

 Monitors the execution of SOPs to ensure compliance with DISN security policy and
procedures.

 Establishes a system for establishing, issuing, protecting, and changing passwords for the
various NMS's in the NMC and the various DISN components, such as routers and
multiplexers.

 Develops and implements procedures to access DISN components, including controls for
network passwords.

 Appoints personnel for the system administration (system configuration,
installation/maintenance of software and hardware) of the security of DISN NMC and
DISN backbone components.

 Develops and implements procedures to manage cryptography, which includes issuing,
distributing, renewing, and tracking of encryption keys.


 Manages and administers STU III/SACS devices used to access ports through dial-up
links.

 Selects network events that need to be audited and performs periodic audit reviews.

 Prepares the network continuity of operation plan and monitors systems recovery
processes to ensure that network security features are properly restored.

 Performs initial evaluation of network security incidents, makes recommendations to the
DISN NSO, and provides all pertinent information surrounding network security incidents
to assist the DISN NSO in evaluating the severity and ramifications of the network
security incident.

 Reports security incidents to ASSIST immediately upon discovery and ensures that the
NSO and ISSO are also informed of the incident.

 Adjudicates NMC personnel problems and refers cases of misconduct to the Central
Adjudication Facility for further evaluation and investigation of the misconduct.

 Prepares and oversees the preparation of the accreditation documentation for DISN
components.

 Ensures that the NMC personnel and other users receive network security training related
to network access and operations.

 Maintains hardware, software, and documentation configuration management databases.

 Administers the registration, modification and change of passwords for ROSC System
Administrators.

 Examines ROSC audit logs.

 Verifies security clearances and access authorizations for personnel having access to the
NMCs and periodically reviews their TS/SCI holdings to determine continued access
requirements.

 Submits a report on the number of established TS billets each year to the Deputy Under
Secretary of Defense for Policy as part of the annual clearance report.

4.5 ROSC NMC System Administrators

Each ROSC System Administrator is responsible for the following functions to ensure
smooth functioning of DISN components:

 Installs and maintains system and application software for DISN components.


 Configures DISN components.

 Performs system backups as necessary.

 Troubleshoots DISN component problems.

 Uses current management software for monitoring the SIPRNET routers.

4.6 DISN Security Accreditation Working Group

The DISN Security Accreditation Working Group (DSAWG) that operates by the authority
of Chairman of the Joint Chiefs of Staff instruction (CJCSI) 6211.02, Defense Information
System Network and Connected Systems, dated 23 June 1993 (CJCSI, 1993) provides,
interprets, and approves DISN security policy; guides architecture development; and
recommends accreditation decisions to the four DISN DAAs listed above.

The DSAWG provides a forum for the DOD services and agencies in coordinating their
information system and network security requirements. The DSAWG addresses issues of
system security Certification and Accreditation (C&A), including programmatic as well as
technical elements. The DSAWG can reach consensus on the acceptability of the risks and
pursue solutions.

A Lead Security Officer from the DISA Center for Information Systems Security (CISS)
chairs the DSAWG. The core group is composed of representatives of the four DISN DAAs.
The group consists of one representative of each Service, a DISN Program Manager
representative, a DISN Operations Security Manager representative, and an Information
Security (INFOSEC) engineer for each DISN subsystem. Points of contact, representing all
other organizations that use DISN services, may attend DSAWG meetings to discuss items
that uniquely affect their organizations.

The DSAWG is responsible for the accreditation of the DISN backbone, which is managed
by the GOSC and ROSC NMCs.

4.7 DISN Connection Security Responsibilities

4.7.1 DISN Subscribers

The Subscriber must validate with the appropriate Service/Agency the requirement to
connect to DISN. The Joint Staff will validate requirements for foreign connections,
Contractor connections, and connections by non-DoD entities. After the requirement to
connect is validated, the Subscriber is responsible for beginning an accreditation update with
the local DAA and for contacting the Service/Agency and DISN Customer Service
Representative (CSR) to begin the connection security process. If the connection request is
forwarded by the DISN CSR to the DISN Security Accreditation Working Group (DSAWG)


for recommendation, the Subscriber will be responsible for briefing the DSAWG, as
necessary.

4.7.2 Subscriber Designated Approving Authorities

The local Designated Approving Authority (DAA) is responsible for accrediting, or issuing
an Interim Authority To Operate (IATO) for the Local Subscriber Environment (LSE) to
include the proposed DISN connection. The accreditation or IATO memorandum must be
provided to the DISA DISN CSR.

4.7.3 Service/Agency

The appropriate Service/Agency will ensure the completeness of connection approval
packages prior to forwarding them to the DISA DISN CSR.

4.7.4 DISA DISN CSR

The DISN CSR will acknowledge the initial Subscriber contact within 5 working days.
Based on the complexity of the request, the DISN CSR will forward the details of the
connection security component to the DSAWG for analysis. The DISN CSR will coordinate
interim connection approval with the DISA Certification Authority and final connection
approval with the DSAWG and the DISA DAA.

4.7.5 DISA Certification Authority

The DISA Certification Authority will provide interim connection approvals to the DISN
CSR and will coordinate with the DISA DAA.

4.7.6 DISN Security Accreditation Working Group

The DSAWG will provide recommendations for approval or disapproval of the proposed
connection security component. The DSAWG will also advise the Subscriber on any
potential security issues.

4.7.7 DISA DAA

The DISA DAA will render the final connection approval decision.

4.7.8 Joint Staff

The Joint Staff will validate requirements for foreign connections, Contractor connections,
and connections by non-DoD entities.


5.0 SIPRNET Security

5.1 Security Requirements

The SIPRNET is used for passing datagrams at the Secret classification level.

The following security requirements apply to the SIPRNET:

• All exposed backbone router Internet Router Trunks (IRTs) in the WAN must be
protected with KG-type technology.

• All exposed access subscriber connections to the SIPRNET WAN must be
protected with KG-type technology.

• All CONUS and OCONUS network components will be physically protected to at least
the Secret level, the level of traffic that they handle.

• All CONUS and OCONUS information systems (IS's) that connect to the WAN will be
physically and, if necessary, cryptographically, protected to at least the Secret level.

• To insure against the possibility of unprotected “backdoor” connections through a
subscriber-connected network into the SIPRNET, all subscribers must meet formal
certification and accreditation of their own systems.

5.2 Network Security Services

The SIPRNET must fulfill a number of security goals as itemized below.

5.2.1 Availability

The SIPRNET must ensure uninterrupted user access to authorized functions and
information. The purpose is to provide assured delivery or connectivity at the required speed
of service. Mechanisms and procedures to detect or prevent degradation of processing
capabilities will be provided.

5.2.2 Confidentiality

SIPRNET design will ensure that means to prevent the unauthorized disclosure/dissemination
of information are incorporated. Access to information is granted only to authorized users
with a "need-to-know" and a clearance level equal to or higher than the information's
assigned classification. The SIPRNET is responsible for protecting the information
transported to the Secret level.


5.2.3 Access Control

SIPRNET design will ensure that means to enforce restrictions based on a user's clearance
level and privileges ("need-to-know") are incorporated. This information will be provided to
the network access control and network management systems and updated, as required, by
the DISN Program Security Manager.

5.2.4 Authentication

SIPRNET design will ensure that means to identify and authenticate the identity of users are
incorporated into any elements that grant network usage and, or, network control privileges.

5.2.5 Integrity

SIPRNET design will prevent the unauthorized modification or destruction of data
transmitted by the system. It is generally recognized that it is the end-user system's
responsibility to detect and recover information that may have been damaged or altered by
the communication process through the transport service.

DISN must ensure that controls are in place to prevent unauthorized configuration
modification.

5.2.6 Security Management

The SIPRNET must support the program security manager in performing security
administration functions such as audit, key management, traffic flow security and
configuration management in support of the security mechanisms. Adequate program
management, including system security engineering and configuration management, is
required to ensure that the SIPRNET will meet its security goals.

5.2.7 Non-Repudiation

The SIPRNET does not provide for non-repudiation (that is, protect against attempts by the
sender to falsely deny originating the information, also called proof of origin).

5.3 SIPRNET Architectural Overview

The target architecture can be generally viewed as a two-level hierarchy. At the top of the
hierarchy is the SIPRNET wide-area router backbone that provides for the long-haul
interconnection of subscriber systems. The second level is made up of subscriber systems
that include LANs, routers, and hosts.


5.3.1 WAN Infrastructure

The SIPRNET WAN infrastructure itself consists of two layers (illustrated in Figure 3). The
first is the DISN transmission layer and the second is the IP router layer. The IP routers
provide the common data transport service at aggregate rates from 512 Kbps to mostly T1
rates (1.544 Mbps). At locations where there are two hub routers, the co-located hubs are
connected via Ethernet trunks. The SIPRNET backbone routers are interconnected by DISN
transmission service and by dedicated leased circuits, as appropriate, for each backbone
router to backbone router serial link. The routers provide a relatively high-speed datagram
switched service supporting the DOD standard IP protocol. Long-haul service is provided
primarily via an intelligent multiplexer of the DISN transmission system. Each SIPRNET
backbone router contains a mixture of serial and Ethernet port cards, depending on the
communications requirements being satisfied at that backbone location.

All SIPRNET backbone routers will operate as a single administrative domain and with a
common internal routing protocol. The backbone routers will form both the high-speed core
of the WAN and the regionalized access points for subscriber connections. Backbone router
to backbone router connectivity will be determined based on the availability of existing
bandwidth and traffic/cost considerations. The specific port configuration and quantity of
backbone routers at a geographical location will depend on the quantity and volume of the
subscriber requirements within that area.

5.3.2 Subscriber Infrastructure

Subscriber connections are primarily serial links between the subscriber's premise router and
the backbone router. The subscriber's routing domain is exterior from the SIPRNET
backbone routing domain. Some subscribers, co-located with a backbone router, connect via
10 Mbps Ethernet ports. While subscribers connecting to the SIPRNET via serial links use
backbone network addresses on their access circuit, subscribers connecting via an Ethernet
port may use either backbone network addresses or a subscriber network address.

5.3.2.1 SIPRNET-to-Subscriber Boundary

The boundary between the SIPRNET backbone and the individual subscriber environments
varies according to the type of the subscriber connection. In general, DISA is responsible for
the backbone IP routers, the ITSDN Cisco routers, the backbone circuits, access circuits
(serial and Ethernet connections), and the backbone and access encryption devices (KGs and
some Communication Servers). Additionally, DISA provides the IP address representing the
subscriber’s serial connection to the SIPRNET backbone router. Note that subscribers can
use their own address if they have an Ethernet connection. DISA's responsibility ends at the
encryption device and access circuit connecting the subscriber’s host, LAN or premise router
to the SIPRNET. Figure 3 describes the existing SIPRNET to subscriber boundary.


Figure 3. SIPRNET-to-Subscriber Boundary


5.3.2.2 Subscriber Community

The SIPRNET Subscriber community can be divided into four basic groups:

 Dedicated Subscribers

Dedicated Subscribers are users on computers (mainframe hosts, PCs, terminals) that are
directly connected to the SIPRNET backbone routers via serial or Ethernet lines.

 Dial-Up Subscribers

Dial-Up Subscribers include remote users who do not have the need for dedicated
connections and travelers on TDY. These users dial in to the network via AT&T STU-III
phones.

 Tactical Subscribers

Tactical Subscribers access the SIPRNET via the Integrated Tactical Strategic Data Network
(ITSDN). Tactical forces are allowed access to the SIPRNET (and other tactical networks)
via the Defense Satellite Communications System (DSCS) through a Standard Tactical Entry
Point (STEP).

 External Network Subscribers

External Network Subscribers are users on networks such as the AFNET and NIPRNET who
require access to the SIPRNET. At this time connections between Unclassified and Secret
users are approved for Unclassified E-mail only. A Secure Network Server (SNS) that
incorporates a Standard Mail Guard (SMG) application is available.

5.3.3 Router Network Transmission

The fundamental requirement for the SIPRNET is to have a transmission infrastructure that
will provide for a complete interconnection of all subscriber systems regardless of whether
they are hosts, local distribution systems, or routers supporting a multitude of local systems.

The SIPRNET backbone routers are interconnected via virtual point-to-point circuits, called
Inter-Router Trunks (IRTs). Different types of transmission systems and media can be used
to provide these IRTS. The IRTs can be leased circuits, time division multiplexer systems,
switched transmission systems, and so forth. Initially, the data transmitted on the SIPRNET
router IRTs will consist of aggregated 512 Kbps and full-time T1 subscriber traffic as well
as internal SIPRNET control traffic. As the volume of traffic grows, full-time T3 rate
channels may be required.

The transmission systems need to be compatible with the SIPRNET router interfaces and
provide for complete data protocol transparency with a minimum number of transmission
switch hop delays and undetected bit errors. The transmission systems will have the
flexibility to provide additional bandwidth within a reasonable amount of time. Through the
use of dynamic bandwidth multiplexing technology, the transmission system will also
attempt to provide unused bandwidth from other services (data, voice, or video) for transport
of the SIPRNET datagrams.

5.3.4 SIPRNET Components

The SIPRNET WAN consists of the following primary components:

 A set of high-speed SIPRNET backbone routers
 A set of Cisco 7206 routers
 DISN multiplexed long-haul circuits (Inter Router Trunks) and DISN access circuits
 Channel Service Unit/Data Service Units (CSUs/DSUs)
 Five Network Management Centers (NMCs)
 Network Management Systems (NMS's)
 A SIPRNET Support Center (SSC)
 A set of Communication Servers
 Link encryption devices primarily composed of KG-194, KG-94, and KIV-7 devices
 XTACACS Server Hosts
 Domain Name Service (DNS) Servers

5.3.4.2 SIPRNET Routers

The SIPRNET consists of backbone routers, specialized ITSDN routers, and the access
circuits to customer premise routers.

5.3.4.3 Backbone Routers

The routers used for the SIPRNET backbone are predominantly Cisco 7506s and 7513s with
some Cisco RSP 7000s. The router chassis used is capable of supporting between 23 and 40
interface connections. The following types of physical interfaces are available:

 HSSI Serial Interface (2-52 Mbps serial connector)
 G.703 DTE Interface (BNC connectors)
 Ethernet AUI Interface (15-pin connector)
 Ethernet 10BaseT Interface (RJ45 connectors)
 Token Ring Interface (DB-9 PC type)
 Class A, FDDI Dual Attached Station (dual or single connection)

The Cisco router supports synchronous serial circuits at various speeds from 9.6 Kbps to 52
Mbps. Although the Cisco routers support the three major LAN media, Ethernet, Token
Ring, and the Fiber Distributed Data Interface (FDDI), only the Ethernet media is currently
used. Flash memory will be used to download software and configuration modifications over
the network.


Note that premise routers are not SIPRNET backbone routers and are not maintained by
DISA. The premise routers function as the entry point to the WANs and LANs of
organizations and groups requiring access to the SIPRNET, such as CIO, GCCS, and
AFC2N, and are owned and operated by these subscriber organizations. The premise routers
are of various types (including Bay Networks and Cisco routers) and are connected to the
backbone SIPRNET routers via serial or Ethernet lines. The premise routers are used for
routing traffic from dedicated subscribers on their own networks on and off the SIPRNET.

5.3.4.4 ITSDN Routers

Specialized routers, primarily Cisco, from the Integrated Tactical-Strategic Data Network
(ITSDN) program are being used to provide reach back capabilities for deployed tactical
war-fighters. The tactical forces will be able to access strategic systems via the Defense
Satellite Communications System (DSCS) at several different strategic entry points, called
Standard Tactical Entry Points (STEPs). At each entry point, the ITSDN has installed two
Cisco routers: one router connects the tactical subscriber to strategic networks via the
SIPRNET and the other router connects the tactical subscriber to strategic networks via the
NIPRNET.

The tactical subscriber connections will be serial connections provided by satellite
communications equipment at the STEP sites. The ITSDN gateway routers will support the
standard Transmission Control Protocol/Internet Protocol (TCP/IP) suite for the serial
connections to the gateway routers. Subscribers will operate with HDLC or PPP. The BGP4
routing protocol is the protocol of choice.

5.3.4.5 Circuits

The SIPRNET uses two types of circuits: IRTs and access circuits. The SIPRNET backbone
routers are interconnected via DISN long-haul circuits referred to as Internet Router Trunks
(IRTs). The IRTs are multiplexed via the Integrated Digital Network Exchange (IDNX)
family of smart multiplexers at fractional T1 (512 Kbps) and T1 (1.544 Mbps) rates. Future
expansion may result in upgrading these long-haul circuits to the T3 data rate of 45 Mbps.
In addition, the SIPRNET provides the DISN access circuits (serial or Ethernet links) to
connect subscribers to one or more SIPRNET backbone routers.

6.0 Network Security Management

Network management at each of the NMCs is based on the Simple Network Management
Protocol (SNMP). Subscriber routers should support this protocol. Hosts are not directly
connected to the SIPRNET. Such hosts are nevertheless required to have the capability to issue
and respond to a “ping," Internet Control Message Protocol (ICMP) Echo Request and
Response.

Management of 'message' application gateways and directory services components will be
based on the Defense Messaging Service (DMS) network management scheme. DMS
products will be employed for management of non-router components that support GOSIP
communications and provide messaging services.

HP Openview provides a central control point for monitoring and control of the SIPRNET
router layer. The router management facility may use terminal sessions (Telnet) or
communications between manager-agent processes (SNMP) for the management of routers.

For managing the Communication Servers, the Network Management System relies on
software that is implemented as embedded management functions (SNMP agent). These
agents collect, filter, store and report configuration, fault, performance, security, and
accounting data relative to the functions of each Communication Server. SNMP is also used
to access and set configuration and run time parameters for the Communication Servers.

There is no SNMP support for the AT&T Model 1910 STU-III Secure Data Device.
Therefore, remote controlled operations (setup/configuration/status/diagnostic) will be
performed via dial in. Initially, the STU-IIIs will be configured at a staging site via their
RS232 connector.

DISA uses the Integrated Network Management System (INMS) to consolidate the DISN
network management functions into a conceptual hierarchical structure and allow the DISN
to be managed in a centralized fashion from the GOSC. Since the INMS will not be an
evaluated multilevel-secure system, each INMS will control network layers of only one
security level.

6.1 SIPRNET Support Center

The SIPRNET Support Center (SSC), located at Vienna, Virginia, provides value-added
support services for the SIPRNET similar to the services the NIC provides to the NIPRNET.
The subscriber needs to contact the SSC only and the SSC will coordinate the registration
process with all other agencies. The SSC provides these services:

 Coordination with the NIC for IP Network Numbers and Autonomous System (AS)
Numbers

The SSC will coordinate with the NIC to get IP network numbers and Autonomous System
(AS) numbers for the SIPRNET. The DOD NIC will continue to assign IP network numbers
and AS numbers as well as keep the point of contact (POC) listings for these assignments.
The NIC will also continue to register host names. Registration of E-mail subscribers will be
with the Services and Agencies and not the DOD NIC.

 Registration of Subscribers for Dial-In Access via the Communication Servers.

Dial-in data service provides access to the NIPRNET or SIPRNET via a Secure Telephone
Unit III (STU-III) utilizing the Secure Access Control System (SACS) or through terminals
with direct connects to the Communications Server (CS). Dial-up connection is made
through a public or government telephone line, and the use of Serial Line Internet Protocol
(SLIP), Compressed SLIP (CSLIP), Point-to-Point Protocol (PPP) and Compressed PPP
(CPPP) protocols located on the local host, CS, and remote host.

At the time of an established connection the Communications Server assigns an IP address to
the host and learns the host name that is in use, as long as the name does not conflict with CS
commands. Additionally, the CS assigns logical names to each connection. This logical
name is typically the same as the host name, unless that name is already in use. If the name
is already in use then the CS assigns a null name to the connection.

Initializing a connection to the CS depends on the type of connection between the
terminal and the CS. Remote host access is possible by utilizing such protocols as telnet or
Kermit.

The dial-in host must be capable of adopting that IP address on a call by call basis. The
subscriber must first connect to the CS via a dial-up line by dialing the number of the CS
location.

In both NIPRNET and SIPRNET, the subscriber is given access to the network by
successfully completing an authentication procedure controlled by the CS. The subscriber
must input a User ID and access code / password, which is provided by the Network
Information Center (NIC) or SIPRNET Support Center (SSC) help desks. Both the NIC and
SSC have an established registration procedure that the user is to follow for processing. The
NIC or SSC enters the user's CS userid and password into the database associated with that
CS.

Once the user types in his / her username and password, in uppercase, the system verifies the
login with the CS database information. The dial-in system includes the extended terminal
access control access control system (XTACACS). The XTACACS security system is
implemented on the CS to authenticate each user through username and password
verification. If an incorrect username or password is entered, the system will respond with
an access denied response. If the user believes that there is a problem, the NIC or SSC should be
contacted for assistance. A successful login will provide the user with the herald and
command line prompt. After the user's ID and password have been verified, he / she is
allowed to establish a connection through the network to any remote host to which he / she
has been authorized access. NOTE: A remote host can enforce its own access control
procedure, requiring the user to type in a proper password.

The SIPRNET Support Center provides keys with User IDs and Department, Agency,
Organization (DAO) Access Codes for users needing dial-in access to the SIPRNET via the
Communication Servers. The DAO code is provided on a special key for SIPRNET dial-in
service. The SSC mails these keys to the users via unclassified U.S. mail.

The DAO Access Code is unclassified and does not provide authentication and access control
but input to an audit process. The User ID and DAO Access Code are entered into the
SIPRNET XTACACS Servers and are used to identify the user as a SIPRNET user when the
user dials in.


 XTACACS Services

The SSC registers XTACACS users and mails XTACACS cards, with User IDs and
passwords, to users via registered mail. The XTACACS User IDs and passwords provide
authentication and access control of subscribers using the Communication Servers to access
the SIPRNET.

In addition to registering XTACACS users, the SSC maintains the primary XTACACS
server located at the SSC, the five other XTACACS servers on the SIPRNET, and the
STU-IIIs that protect the XTACACS Servers.

 Registration for Domain Name Service and Maintenance of DNS Server.

The SSC provides a centrally managed Domain Name Service (DNS) at the root level for the
SIPRNET and maintains the SIPRNET DNS server at the SSC.

 Maintenance of SIPRNET Help Desk

The SSC will establish and maintain a Help Desk to provide network and user information
services and troubleshoot problems with the DNS, the Communication Servers, and the
XTACACS servers.

 Security Press Release Services

SSC broadcasts security-related bulletins to the SIPRNET.

6.2 Communication Server (CS)

The Cisco Communication Server is the device that provides dial-in access for many
SIPRNET subscribers. Terminals are connected to the SIPRNET backbone routers through
the Communication Server. This device is capable of providing asynchronous terminal
service and TCP/IP-based services, such as Telnet, Serial Line Internet Protocol (SLIP),
Compressed SLIP (CSLIP), Point-to-Point Protocol (PPP), and Compressed PPP (CPPP)
protocols. The Telnet service provides a capability for remote login to hosts on this or other
networks that support a Telnet server running over TCP/IP. This is primarily used for remote
login to hosts for editing text files, checking E-Mail, or running text-oriented applications.
The SLIP and PPP services provide a user with the ability to dial up a port and behave as a
host on the network.

There are two types of access to the Dial-in Service on the SIPRNET: 1-800 service and local
service at selected OCONUS locations. A user is given access to the network by successfully
completing an authentication procedure controlled by the CS. The procedure requires the
user to input a user identification (userid) and password that has been provided by the
SIPRNET Support Center (SSC) help desk, under the direction of Defense Information
Systems Agency (DISA)/WESTHEM WE3353. The SSC has an established registration


procedure, defined in the DISN Dial-In Data Services Registration Procedures, 11 May 1995,
that the user is to follow for processing. The registration procedure requires that a Local
Access Authority (LAA) submit the request for a user to obtain access to the CS. The
request is through the completion of the registration template. Note: To delete or modify a
users account the appropriate template must be completed. After completion of the
registration templates and approval for access, the SSC enters the user’s CS userid and
password into the database (WHOis) associated with that CS. If a user requires access to a
remote host, this remote host can enforce its own access control procedure, requiring the user
to type in a separate userid and password, provided by the controlling organization of that
host.

Users that require the use of the Secure Telephone Unit III (STU-III) will be issued a STU-III
KSD (Seed Key), also known as a Crypto Ignition Key (CIK), with a unique SIPRNET
Department/Agency/Organization (DAO) code. This key will be required to access the
Communication Server’s STU-III Secure Access Control System (SACS). Under normal
circumstances, all STU-III key material must be updated annually based on the expiration
date indicated on the KSDs. To activate the SACS on each STU-III, the site manager is
required to set the security parameters as indicated in the SIPRNET Communications Server
STU-III Operations and Maintenance Guidebook, June 28, 1995, DISA.

The Communication Server has two separate timers to detect idle sessions, a user EXEC
mode (e.g. command-line) timer and a terminal line session timer. The user EXEC mode
timer starts after a successful CS login and each time the user becomes idle while in the user
EXEC mode. If the terminal remains idle for 5 minutes while in the user EXEC mode, the
terminal connection will be dropped. The terminal line session timer starts after a remote
connection is established from the Communication Server to a remote host and each time the
terminal becomes idle afterwards. The above mentioned user EXEC mode timer is off at this
point. If the terminal line session remains idle for 30 minutes the terminal connection to the
Communication

6.3 XTACACS Server Hosts

There are six XTACACS servers on the SIPRNET to provide an authenticated audit trail for
subscribers using the Communication Servers for access to the network. The six servers
have been divided into three geographical regions: CONUS, Europe, and Pacific. Two
XTACACS servers will be installed in each region. The primary server is maintained at the
SSC. The servers will be connected to a SIPRNET backbone router via an Ethernet
connection. In some cases, the server will be installed on the same LAN being used by the
theater Network Management Centers (NMCs). The XTACACS servers have STU-IIIs
attached to their serial ports to permit secure communication between the primary server at
the SSC and the other five XTACACS servers on the network. The STU-IIIs shield the User
ID and password of the XTACACS servers from hackers who may be observing the network.
The STU-IIIs can also be used as an alternative access to the SIPRNET XTACACS server
databases. Network access via Telnet will be the primary means for communicating with the
XTACACS Servers.

6.4 Domain Name Service (DNS) Server

The Domain Name Service (DNS) provides a mechanism for mapping host names to IP
addresses. The SSC will maintain a centrally managed DNS at the root level on a DNS
server (at Vienna, Virginia) for SIPRNET users.

Each major subscriber will be expected to provide their own Level II DNS to interact with
the SIPRNET root server in accordance with applicable DOD standards and naming
conventions. Additionally, individual subscriber hosts will need to support TCP/IP to use the
services of the DNS. LAN users of DNS will be required to support the Address Resolution
Protocol (ARP).

7.0 Router Layer Security

The security mechanisms incorporated in various components of the router layer are
responsible for its secure operation; it is important that the router layer components be
configured properly. This section discusses how each component of the router layer will be
configured.

7.1 Principle of Least Privilege

Privileges and authorizations granted to System Administrators, Network Controllers,
Security Officers, and subscribers are based on the principle of least privilege and vary
according to the type of service used to access each router and Communication Server.
Each router and Communication Server will be configured to limit each Security Officer,
System Administrator, and subscriber access to what is required to accomplish assigned
tasks. Access beyond those normally required will be granted by the ISSO to accomplish a
specific task and will be issued on a case-by-case basis. It will be granted only for the
duration of the task.

7.2 Types of Access Service

7.2.1 Access Services Used by Network Management Centers

The GOSC and ROSC will require interactive terminal access to the backbone routers in
order to do monitoring, configuration and maintenance. The interactive terminal services
provided include Telnet access, Simple Network Management Protocol (SNMP) access, and
Trivial File Transfer Protocol (TFTP) access.

7.2.1.1 TELNET Access

Routers support two privilege levels associated with interactive access through the console
ports or Telnet logical ports. The lower privilege level allows execution of commands that
have read capability. These commands can be used to check and monitor the status of a
router but do not allow any configuration changes. The more privileged level allows
monitoring as well as control functions. The SIPRNET Network Security Plan considers three
roles associated with the routers in the router layer:
• GOSC NMC router Security Officers are assigned the lower privilege status
level.
• ROSC router controller/analysts are assigned the higher privilege status level
but are instructed not to use the commands that allow assigning operators,
changing passwords, configuring audit mechanisms, and reviewing audit logs.
• ROSC Security Managers are assigned the higher privilege status level and
are allowed access to all resources on the router layer. The main function of
this role is to register System Administrators, change passwords periodically,
configure audit mechanisms, and review security-relevant audit logs.

7.2.1.2 Simple Network Management Protocol (SNMP) Access

Each community identified by a community string can be allowed to access an SNMP agent
on a router to perform Read-Only (RO) or Read-and-Write (RW) functions. All GOSC
personnel who are authorized to access routers through the SNMP will be given RO access
privileges only.

7.2.1.3 Trivial File Transfer Protocol (TFTP) Access

Routers will not allow any access through the TFTP service unless the TFTP traffic is in
response to a TFTP read request issued by the router. No other access control or privilege is
supported under TFTP.

7.2.2 Access Services Used by Subscribers

Subscribers will acquire access to the SIPRNET via the Cisco Communication Servers. The
Communication Servers allow users at asynchronous terminals to access remote hosts
through the SIPRNET.
To maintain the connection between a terminal and a host, the Communication Servers use
the TCP/IP family of protocols, including TCP/IP, SLIP, CSLIP, PPP and CPPP.

7.2.2.1 Transmission Control Protocol/Internet Protocol (TCP/IP)

TCP/IP is the underlying protocol used to communicate with remote hosts. TCP is
responsible for ensuring that data sent between the terminal and the host arrive in order and
intact. The Telnet service uses TCP/IP and is normally used for remote login to hosts for
editing text files, using electronic mail, and running text-oriented applications.

7.2.2.2 Serial Line Internet Protocol (SLIP)

SLIP provides a dial-up host capability for dial-in asynchronous serial lines with line speeds
between 1,200 and 19,200 bps. SLIP is a packet framing protocol for defining a sequence of
characters to frame IP packets being sent over standard asynchronous serial lines. It provides
no addressing, packet type identification, error detection/correction or compression
mechanisms.
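
The SLIP framing described above, as an added example that is not code from the plan or from any SIPRNET component: the END/ESC byte-stuffing rules and the values 0xC0, 0xDB, 0xDC and 0xDD come from RFC 1055, which the plan does not cite, and the sample IP packet bytes are constructed. The `corruption_undetected` check demonstrates the paragraph's point that SLIP carries no error detection: a flipped bit in the payload decodes cleanly and passes through to the IP layer unnoticed, which is why integrity has to come from the link encryption or the layers above.

```python
"""SLIP framing per RFC 1055 (END/ESC byte stuffing).

Added example, not part of the SIPRNET plan. The four constants are the
RFC 1055 values; all packet bytes used with these functions are constructed.
"""

END = 0xC0      # marks the end of a frame
ESC = 0xDB      # introduces an escaped byte
ESC_END = 0xDC  # ESC ESC_END stands for a literal 0xC0 in the payload
ESC_ESC = 0xDD  # ESC ESC_ESC stands for a literal 0xDB in the payload


def slip_encode(packet: bytes) -> bytes:
    """Frame one IP packet: leading END (flushes line noise), stuffed body, trailing END."""
    out = bytearray([END])
    for b in packet:
        if b == END:
            out += bytes([ESC, ESC_END])
        elif b == ESC:
            out += bytes([ESC, ESC_ESC])
        else:
            out.append(b)
    out.append(END)
    return bytes(out)


def slip_decode(stream: bytes) -> list:
    """Split a received byte stream into packets; empty frames (back-to-back END) are dropped."""
    packets = []
    cur = bytearray()
    escaped = False
    for b in stream:
        if escaped:
            # RFC 1055: ESC followed by anything other than ESC_END/ESC_ESC is passed through
            if b == ESC_END:
                cur.append(END)
            elif b == ESC_ESC:
                cur.append(ESC)
            else:
                cur.append(b)
            escaped = False
        elif b == ESC:
            escaped = True
        elif b == END:
            if cur:
                packets.append(bytes(cur))
                cur = bytearray()
        else:
            cur.append(b)
    return packets


def roundtrip_ok(packet: bytes) -> bool:
    """A packet survives encode/decode unchanged."""
    return slip_decode(slip_encode(packet)) == [packet]


def corruption_undetected(packet: bytes, pos: int) -> bool:
    """Flip one bit at a non-special byte of the framed stream.

    SLIP has no checksum, so the decoder still yields exactly one packet and it
    silently differs from what was sent.
    """
    framed = bytearray(slip_encode(packet))
    framed[pos] ^= 0x01
    decoded = slip_decode(bytes(framed))
    return len(decoded) == 1 and decoded[0] != packet


if __name__ == "__main__":
    # Constructed sample: the start of an IPv4 header plus the two special bytes.
    sample = bytes([0x45, 0x00, 0x00, 0x1C, 0xC0, 0xDB, 0x01, 0x02])
    print(slip_encode(sample).hex())
    print("roundtrip ok:", roundtrip_ok(sample))
    print("bit flip undetected:", corruption_undetected(sample, 1))
```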

7.2.2.3 Compressed SLIP (CSLIP)

Because SLIP has more overhead, performance may suffer at the lower speeds of 1200 and
2400 bps. CSLIP can be implemented to make optimal use of the line bandwidth. It uses the
Van Jacobson TCP/IP header compression scheme specified in RFC 1144.

7.2.2.4 Point-to-Point Protocol (PPP)

PPP is another method of encapsulating IP datagrams and other network layer protocol
information over point-to-point lines. It specifies a method of encapsulating datagrams over
serial links, a Link Control Protocol (LCP) for establishing, configuring, and testing data link
connections, and a family of Network Control Protocols (NCPs) for establishing different
network layer protocols.

7.2.2.5 Compressed PPP (CPPP)

CPPP defines a Network Control Protocol for establishing and configuring IP over PPP and a
method to negotiate and use Van Jacobson TCP/IP header compression with PPP.

7.3 Access Control

This section discusses configuration of access control mechanisms that are used to restrict the
actions performed by various individuals after they are authenticated to a router, a Network
Management System (NMS), or a Communication Server.

Actions allowed by an individual on a router, router NMS components (routers and
workstations) and Communication Servers must be controlled by the Discretionary Access
Control (DAC) mechanisms that are available on these devices. DAC mechanisms will be
configured to restrict System Administrators and Security Managers to the minimum
capabilities that are required by them to perform their assigned duties.

The router NMS’s use the UNIX operating system which has a DAC capability. UNIX DAC
will be configured to allow the following accesses:
• The ROSC NMC System Administrators will be able to configure the router
NMS's and access the Network Configuration Window that allows control
and monitoring of the SIPRNET.
• The ROSC NMC Security Manager will be able to register operators, change
and modify passwords, configure audit mechanisms, and review audit logs.

The Cisco Communication Servers provide terminal subscriber access to the SIPRNET.
Subscribers will be able to perform such activities as send and receive electronic mail, edit
text files and run text-oriented applications.

7.3.1 Management Center Access to Routers

This section discusses ROSC Security Manager and System Administrator access to the
routers.

7.3.1.1 Direct Access to a Router

Each router in the SIPRNET can be accessed through an RS-232 system console port or
through the router layer. The system console port allows access locally. Eventually, access
control will be provided by the Fortezza Crypto Card, which contains the Digital Signature
Standard and Secure Hash algorithms.
A setup program will be executed the first time that a router is powered up to allow a System
Administrator to configure the router. Subsequent execution of the setup program will
require explicit invocation of the program through the command language of the router.

7.3.1.2 Remote Access via a Network Management System (NMS)

Since the audit messages generated on the routers are not adequate to identify the individuals
that perform security-relevant operations, all System Administrators and Security Managers
will be required to access the SIPRNET routers through an NMS by first logging in the NMS
and then establishing a connection to routers in the SIPRNET backbone.
After the initial configuration and installation of a router, remote access is possible through
the use of Telnet, Simple Network Management Protocol (SNMP), and Trivial File Transfer
Protocol (TFTP) and this access will be restricted to GOSC and ROSC NMCs.
TFTP will be used to configure routers from an NMS serving as the TFTP network server.
This server responds to TFTP read request messages issued by a router by sending the router
a copy of the router's corresponding operating system and configuration files. These
configuration files will be generated on the NMS for downloading to routers.

7.3.2 Subscriber Access via Communication Servers

Subscriber access to the SIPRNET via the Cisco Communication Servers will use the STU-IIIs
for access control and rely on the Extended Terminal Access Controller Access Control
System (XTACACS) to provide the audit and authentication capabilities for the
Communication Servers. There are three types of access to the Communication Servers:
• Dedicated Access
• Dial-In Access
• Privileged Access

7.3.2.1 Dial-In Access

Terminals can also dial in to the SIPRNET through a STU-III phone. A dial-in connection
means that the user must dial up the Communication Server via a telephone number to
establish the connection.

7.3.2.2 Privileged Access

Privileged access is reserved for System Administrators at the ROSCs. Only ROSCs are
allowed to access the Communication Servers via Telnet connections. The Telnet connection
is used as an alternative access in the case the XTACACS server is down. In addition,
ROSCs will be able to access Communication Server flash memory and privileged EXEC
mode. EXEC mode allows users to connect to remote systems, change terminal settings,
perform basic tests, and list system information.

7.3.3 Access Control Lists (ACLs)

Access control lists will be used to prevent unauthorized network accesses through the router
network.

7.3.3.1 At the Network Management Centers

At the NMCs, the configuration files for the SIPRNET backbone routers will be configured
with traffic filters to allow only certain types of accesses to the SIPRNET router network.
Traffic filters will restrict traffic by protocol. The following protocols will be allowed:
• Telnet access from GOSC and ROSCs, and to trusted hosts only.
• SNMP (Simple Network Management Protocol), including SNMP trap,
accesses from Global Control, Regional Control, and Local Control NMC
Centers to monitor and obtain status information on routers within the DISN
router layer. SNMP access to the router is restricted via the community string
and host list configuration.
• TFTP (Trivial File Transfer Protocol) responses from ROSCs.
• ICMP (Internet Control Message Protocol) pings from GOSC and ROSCs.
In addition, the following restrictions will be configured:
• Any access not specifically allowed will be denied (e.g., Telnet to router from
any host other than an NMC host).
• Login access to the routers will be allowed only from hosts with NMC
addresses, trusted hosts, and other backbone routers.
• In-bound NMC traffic will be filtered to allow only certain protocols and
"well known" ports on a host-specific, network-specific, or subnet-range
basis.
• Filters for Premise routers will be configured. Backbone Router Interfaces to
Premise Routers will be defined as passive interfaces so that the backbone
internal protocol is not shared with the Premise Routers.
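
The filter rules listed above, modelled as a default-deny decision function. This is an added example and not a SIPRNET router configuration; every address range (GOSC, ROSC, LCC, trusted hosts, backbone routers) is a constructed RFC 1918 placeholder, and the hypothetical `RouterFilter` class is there only to show the one stateful rule, that TFTP traffic is accepted solely as a reply to a read request the router itself issued (sections 7.2.1.3 and 7.5.2). Host-specific entries are /32 networks and subnet-range entries are wider prefixes, matching the "host-specific, network-specific, or subnet-range" wording.

```python
"""Default-deny management-plane filter modelled on section 7.3.3.1.

Added example, not a SIPRNET configuration. All addresses are constructed
placeholders; the TFTP bookkeeping is an illustrative model, not Cisco behaviour.
"""
import ipaddress
from dataclasses import dataclass, field

# Constructed management address lists: /32 = host-specific, wider = subnet-range.
GOSC = [ipaddress.ip_network("10.0.1.10/32")]
ROSC = [ipaddress.ip_network("10.0.2.0/28")]
LCC = [ipaddress.ip_network("10.0.3.30/32")]
TRUSTED_HOSTS = [ipaddress.ip_network("10.0.9.9/32")]
BACKBONE_ROUTERS = [ipaddress.ip_network("10.0.100.0/24")]
NMC_ALL = GOSC + ROSC + LCC

TELNET, SNMP, SNMP_TRAP = 23, 161, 162
ICMP_ECHO_REQUEST = 8


@dataclass
class Packet:
    src: str
    proto: str           # "tcp", "udp" or "icmp"
    dport: int = 0
    sport: int = 0
    icmp_type: int = -1


def in_any(addr: str, nets) -> bool:
    """True when addr falls inside any listed host or subnet entry."""
    ip = ipaddress.ip_address(addr)
    return any(ip in n for n in nets)


@dataclass
class RouterFilter:
    # Local ports of TFTP read requests this router has issued and not yet finished.
    pending_tftp_ports: set = field(default_factory=set)

    def issue_tftp_read(self, local_port: int) -> None:
        self.pending_tftp_ports.add(local_port)

    def complete_tftp_read(self, local_port: int) -> None:
        self.pending_tftp_ports.discard(local_port)

    def decide(self, p: Packet) -> tuple:
        """Return (verdict, rule). Anything not explicitly permitted is denied."""
        if p.proto == "tcp" and p.dport == TELNET:
            # Login only from NMC addresses, trusted hosts and other backbone routers.
            if in_any(p.src, GOSC + ROSC + TRUSTED_HOSTS + BACKBONE_ROUTERS):
                return "permit", "telnet-from-nmc-trusted-or-backbone"
        elif p.proto == "udp" and p.dport in (SNMP, SNMP_TRAP):
            # Global, Regional and Local Control NMCs may poll status (read-only).
            if in_any(p.src, NMC_ALL):
                return "permit", "snmp-from-nmc"
        elif p.proto == "udp" and p.dport in self.pending_tftp_ports:
            # TFTP data is accepted only as a reply to our own read request, from a ROSC.
            if in_any(p.src, ROSC):
                return "permit", "tftp-reply-from-rosc"
        elif p.proto == "icmp" and p.icmp_type == ICMP_ECHO_REQUEST:
            if in_any(p.src, GOSC + ROSC):
                return "permit", "icmp-echo-from-nmc"
        return "deny", "implicit-deny"


if __name__ == "__main__":
    f = RouterFilter()
    f.issue_tftp_read(2048)
    for pkt in (Packet("10.0.1.10", "tcp", dport=23),
                Packet("10.0.3.30", "tcp", dport=23),
                Packet("10.0.2.5", "udp", dport=2048, sport=69),
                Packet("192.168.7.7", "icmp", icmp_type=8)):
        print(pkt.src, pkt.proto, f.decide(pkt))
```

Note that the LCC entry is permitted for SNMP polling but not for Telnet, and that the trusted host may log in but is not a valid TFTP source, which is how the plan's separate Telnet, SNMP and TFTP rules interact once written down as one ordered filter.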

For UNIX NMC hosts connected to the SIPRNET, the following UNIX port access controls
will be configured:
• Non-essential ports will be disabled.
• NMC Host to NMC host access lists will be maintained for allowed host ports
(FTP, Telnet).

7.3.3.2 At the Communication Server

Only users listed in the STU-III Secure Access Control System (SACS) database will be
allowed to access the SIPRNET Communication Servers. There is a SACS Access Control
List that identifies all the distant STU-IIIs that are permitted to establish a secure call with
the local STU-III. The ACL will authorize access via the STU-III Department, Agency,
Organization Code (DAO-Code).
DISA will collocate unmanned STU-III Access Control Systems at specified locations to
accept the encrypted call. The Services and Agencies dial-up users will be required to obtain
their own STU-III device for remote terminal location.
To obtain authorization, users must acquire their STU-III unique DAO codes through the
SIPRNET Support Center (SSC). The SSC programs the DAO code into the network's SAC
terminals associated with the user's geographical area. After receiving requests from users,
the Secure Access Control System (SACS) compares the ID code received with its internal
listing. If the user is authorized, SACS will go secure, connect to the user's STU-III device
and grant access to the server.

7.4 Authentication of Interactive Terminal Sessions

This section addresses the authentication requirements associated with NMC accesses to
routers and subscriber accesses to the Communication Servers.

7.4.1 Identification and Authentication

User identification and authentication will be accomplished by the use of User IDs and
passwords.

7.4.1.1 At the Network Management Centers

Routers and NMS’s will be configured to require a proper User ID and password to authorize
an access to router services when a System Administrator or Security Manager uses Telnet or
console ports to establish an interactive session. An NMC Security Manager and alternate
will be appointed to ensure that proper procedures for User IDs and passwords are properly
applied.

Each password will consist of a minimum of seven alphanumeric characters, the first of
which is alphabetic.

The following procedures will be in place for the assignment and auditing of User IDs:
1. Each individual user authorized access to a network element (e.g.,
System Administrator or Security Manager) will be assigned a User ID.
The user identification will consist of a minimum of eight alphanumeric
characters, the first of which will be an alphabetic character. All
maintenance personnel having on-site and/or remote access to SIPRNET
backbone elements will have individual User IDs.
2. Group User IDs may be approved when the use of individual User IDs
impedes operational efficiency. The use of Group User IDs will be
approved by the DISN Information System Security Officer (and will be
assigned by the NMC Security Manager). Use of Group User IDs is
limited to NMCs only. If a Group User ID process is adopted, a group
team chief will be designated in writing.
3. In order to fulfill the DOD Directive 5200.28 requirement for individual
accountability, Group User ID team chiefs will maintain a log of group
member access. The log will contain the date and time a DISN element
is accessed, a terminal ID, and an individual’s name/initials. When
group users change places at a terminal, the date and time will be noted
in the log. Logs will be retained for a period of six months.
4. The group team chief is responsible for ensuring that proper security
practices are followed. He or she is responsible for information security
associated with the Group User ID and will provide a group access list to
the NMC Security Manager, as appropriate.
- Group logins will be enabled on the NMC SUNs.
- Each shift will login at each terminal at the beginning of a
shift and logout from each terminal at the end of a shift.

7.4.1.2 At the Communication Servers

On the Communication Servers, authentication will be provided by the STU-IIIs on each
access phone line via the STU-III Secure Access Control System (SACS) database and the
Extended Terminal Access Controller Access Control System (XTACACS) capability.
Initially, authentication will be provided by using a fixed User ID and password provided by
XTACACS. XTACACS restricts User IDs/passwords only to those users whose DAO codes
are contained in the STU-III Secure Access Control System (SACS) database. Eventually,
when the Cisco Communication Servers are upgraded to handle the technology,
authentication and access control will be provided by the Fortezza Crypto Card, which
contains the Digital Signature Standard and Secure Hash algorithms. This card will provide
one-time password capability and enable users to sign messages and encrypt them. This
process will require the user's PC to also accommodate the Fortezza card and the processing
required will preclude the use of "dumb terminals."

7.4.2 Protection of Passwords

7.4.2.1 At the Network Management Centers

All routers and NMS’s will protect System Administrator or Security Manager
passwords. To increase access security, when possible, passwords will be encrypted on
both routers and NMS’s and stored encrypted in a database at the NMC.
• Cisco routers are configured to maintain router access passwords in encrypted
format (for Cisco 7000s and AGS+'s with version 9.17 or later).
Note that as a network function, link encryption protects NMC transmission of router
passwords.

7.4.2.2 At the Communication Servers

Passwords on the XTACACS Server will be protected with STU-IIIs. Each XTACACS
Server will be equipped with a Model 1910 STU-III. This action will protect the User ID and
password of the SUN from being observed and limit access to those that are on the SACS
Access Control List.

7.4.3 Control of Sessions

7.4.3.1 At the Network Management Centers

It should be ensured that several procedures are followed when a System Administrator or a
Security Manager establishes a session with a SIPRNET router or a router NMS:

• Automatic logins should not be allowed.
• Terminals should not be left unattended unless they are located in a secure
area.
• Unattended terminals should be required to shift to a password protected
screen saver to prevent personnel with access but without the need to know
from being able to see and manipulate the terminal.
• The last login time and date should be displayed on the screen after a
successful login.
• A message warning against the unauthorized use of resources should be
displayed after a successful login. The actual text of the message will be
provided by the ISSO.

7.4.3.2 At the Communication Servers

It should be ensured that several procedures are followed when a user establishes a session
with a SIPRNET Communication Server:
• Automatic logins should not be allowed.
• Terminals should not be left unattended unless they are located in a secure
area.
• Unattended terminals should be required to shift to a password protected
screen saver to prevent personnel with access but without the need to know
from being able to see and manipulate the terminal.
• The last login time and date should be displayed on the screen after a
successful login.
• A message warning against the unauthorized use of resources should be
displayed after a successful login. The actual text of the message will be
provided by the ISSO.

7.4.4 Inactive Time Out

7.4.4.1 At the Network Management Centers

All routers and their NMS’s will automatically log out a System Administrator or a Security
Manager, terminate all his/her sessions, and clear the associated terminal screen after 15
minutes of inactivity.

7.4.4.2 At the Communication Servers

While in User EXEC mode, the terminal connection will be dropped after 5 minutes of
inactivity. While in a terminal line session, the connection will be dropped after 15 minutes
of inactivity.

7.5 Authentication of Routers

7.5.1 SNMP Authentication

The SNMP protocol has the option of using an octet string referred to as the community
string for SNMP applications (managers and agents) to identify themselves to each other.
DISN routers will use a community string as a means of authenticating themselves to each
other. Distinct community strings will be assigned to GOSC and ROSC NMCs, and selected
communities within LCC NMCs that need access to routers in order to check their status. No
write or modification operation will be allowed through the use of SNMP.

7.5.2 TFTP Authentication

The TFTP protocol does not support the capability to allow a TFTP application to authenticate
its peers. TFTP read requests issued by routers will only be sent to a designated NMS serving
as the TFTP server at the Level II NMC. A router will not accept TFTP packets unless they
are in response to a read request issued by the router.

7.6 Privileges and Authorizations for Routers

Privileges and authorizations granted to System Administrators and Security Officers vary
based on the type of service used to access each router.
Terminal Access. Routers support two privilege levels associated with interactive access
through the console ports or TELNET logical ports. The lower privilege level allows
execution of commands that have read capability. These commands can be used to check
and monitor the status of a router but do not allow any configuration changes. The more
privileged level allows monitoring as well as control functions. The DISN Security
Management Plan considers three roles associated with the routers in the router layer:
• GOSC NMC router Security Officers are assigned the lower privilege status
level.
• ROSC NMC router System Administrators are assigned the higher privilege
status level but are instructed not to use the commands that allow assigning
operators, changing passwords, configuring audit mechanisms, and reviewing
audit logs.
• ROSC NMC Security Officers are assigned the higher privilege status level
and are allowed access to all resources on the router layer. The main function
of this role is to register System Administrators, change passwords
periodically, configure audit mechanisms, and review security-relevant audit
logs.

SNMP Access. Each community identified by a community string can be allowed to
access an SNMP agent on a router to perform Read-Only (RO) or Read-and-Write (RW)
functions. All GOSC, ROSC, and selected LCC personnel who are authorized to access
routers through the SNMP will only be given RO access privileges.
TFTP Access. Routers will not allow any access through the TFTP service unless the
TFTP traffic is in response to a TFTP read request issued by the router. No other access
control or privilege is supported under the TFTP.

7.7 Accountability

Routers and their supportive equipment will be required to support an audit trail mechanism
that records all security-relevant events that have occurred on each of them. The audit trail
software and the audit log maintained on all DISN routers, NMS’s, and encryption devices
will be protected by the DAC security mechanisms that are available on each component.
The audit trail log will be written to files that will be accessible, configurable, and under the
control of the security manager or a designated alternate authority. Only the Security
Manager or his designated Security Officer will be allowed to examine and review the audit
logs.
The audit log should be reviewed periodically to detect and minimize inadvertent
modification or destruction of data and to detect and prevent malicious modification or
destruction of data.

7.7.1 Router Audit Events

Routers have limited capability in generating audit records for different types of events.
Audit messages can be generated for the following events.
• Reception of SNMP messages with incorrect community string.
• Execution of special procedures to discover System Administrator or Security
Officer passwords.

7.7.2 Router NMS Audit Events

As a minimum, the following events will be audited on the EMS Platform:
• Successful and failed logins
• Creation, opening, and closing of files
• Actions taken by the System Administrators and Security Managers to change the
configuration of a router network layer, the actions that correspond to invocation of
Telnet application
• Generation of printed outputs
• Failed operations due to security violations
• Audit event enabling and disabling

For each event that is audited, the following information will be recorded in the audit log:
• Date and time of audit
• The unique identifier of the System Administrator or Security Manager that caused the
event to occur
• Success or failure of the event
• Identifier for the terminal used by a System Administrator or Security Manager to login
• Name of the file that was accessed and the type of access
• Description of changes made by the System Administrator to system security databases

7.7.3 Communication Server Audit Events

The Communication Servers will use their XTACACS capability to audit the login and
logoff process. Each fielded Communication Server will interact with its primary designated
XTACACS Server to log the events of the access control process. These events include such
items as login, logoff, and reboot notification.
The Communication Server will collect and store audit trails of security related events and
notify the DISN Network Management System of possible security violations. The DISN
Network Management System performs analysis and resolution of security problems and
shuts down access on ports where access control or privilege violations have occurred.

8.0 Other Administrative Network Security Controls

8.1 Password Management

Passwords will be generated, issued, installed, and controlled. They will be randomly
generated by password generating software and will be protected on each component. They
will only be available to System Administrators and Security Managers at the GOSC and

ROSC NMCs. A password is issued only after the ROSC NMC Security Manager has
determined that an individual has authorization to access the DISN component.

Since passwords can be captured and used by intruders, all passwords for GOSC and ROSC
System Administrators will be restricted for use for a period of time not to exceed 90 days to
protect against such weaknesses. These passwords will be generated externally by the
Security Manager and will be distributed in sealed envelopes. The Security Manager will use
a stand-alone system to generate these passwords. At the end of each period, new passwords
will be generated and distributed. After new passwords are distributed, System
Administrators will be required to retire the previous passwords and use the new passwords.

All System Administrators will be required to memorize their passwords and will not write
them on any medium. They should understand that they are responsible to protect their
passwords minimally to the security level of the system to which they are granted access.
They should report any changes in their status and suspected security violations.

One way to gain access to another individual's password is to cause a memory dump that
may output and show passwords in clear-text. Memory dumps must be physically protected
from unauthorized users.

It will be ensured that no weak passwords are generated and used by System Administrators.
A password may be considered as a weak password if it is traceable, matches a dictionary
word, or does not meet the guidelines enumerated in section 8.4.1.1, and the DOD Password
Guideline (DOD, 1985).

All DISN components must have the capability to inhibit displaying or printing of the
passwords. The Security Manager must ensure that the inhibit capability has been properly
configured on all DISN components.
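
The User ID and password controls from section 7.4.1.1 (seven alphanumeric characters with an alphabetic first character for passwords, eight for User IDs) together with the section 8.1 requirements (random generation, rejection of weak passwords, a lifetime not exceeding 90 days, no display of the password itself), collected into one added example. This is not SIPRNET software: the word list is a constructed stand-in for a dictionary, "traceable" is interpreted here as a password derived from the User ID (an assumption, since the plan does not define the term), and the salted PBKDF2 record is an illustrative way of meeting "stored encrypted" rather than the mechanism the plan specifies. The issue date used in the demonstration is the plan's own date.

```python
"""Password and User ID policy checks drawn from sections 7.4.1.1 and 8.1.

Added example, not SIPRNET software. DICTIONARY is a constructed word list,
the 'traceable' rule is an assumption, and PBKDF2 storage is illustrative.
"""
import hashlib
import os
import secrets
import string
from datetime import date, timedelta

PASSWORD_MIN_LEN = 7        # section 7.4.1.1
USERID_MIN_LEN = 8          # section 7.4.1.1, item 1
MAX_PASSWORD_AGE_DAYS = 90  # section 8.1
ALPHANUM = string.ascii_letters + string.digits

# Constructed stand-in for a dictionary word list (assumption).
DICTIONARY = {"password", "secret", "welcome", "letmein", "router", "sipr"}


def valid_userid(userid: str) -> bool:
    """At least eight ASCII alphanumeric characters, the first alphabetic."""
    return (len(userid) >= USERID_MIN_LEN and userid.isascii() and userid.isalnum()
            and userid[0].isalpha())


def password_weaknesses(password: str, userid: str = "") -> list:
    """Return the reasons a candidate password is weak; an empty list means acceptable."""
    reasons = []
    if len(password) < PASSWORD_MIN_LEN or not (password.isascii() and password.isalnum()):
        reasons.append("format: fewer than 7 ASCII alphanumeric characters")
    elif not password[0].isalpha():
        reasons.append("format: first character not alphabetic")
    lowered = password.lower()
    # A dictionary word with digits tacked on the end is still a dictionary word.
    if lowered in DICTIONARY or lowered.rstrip(string.digits) in DICTIONARY:
        reasons.append("matches a dictionary word")
    # Assumption: 'traceable' means derivable from the User ID.
    if userid and (userid.lower() in lowered or lowered in userid.lower()):
        reasons.append("traceable to the User ID")
    return reasons


def generate_password(length: int = 10) -> str:
    """Random alphanumeric password, alphabetic first character, at least one digit.

    Candidates are regenerated until they pass the weakness checks, so the
    generator itself never hands out a weak password (section 8.1).
    """
    while True:
        first = secrets.choice(string.ascii_letters)
        rest = "".join(secrets.choice(ALPHANUM) for _ in range(length - 1))
        candidate = first + rest
        if any(c.isdigit() for c in candidate) and not password_weaknesses(candidate):
            return candidate


def make_record(userid: str, password: str, issued: date) -> dict:
    """Keep a salted hash and the issue date, never the password itself."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
    return {"userid": userid, "salt": salt, "hash": digest, "issued": issued}


def verify(record: dict, password: str, today: date) -> tuple:
    """Reject a password older than 90 days even when it matches, forcing rotation."""
    if today - record["issued"] > timedelta(days=MAX_PASSWORD_AGE_DAYS):
        return False, "expired: exceeds 90-day limit"
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), record["salt"], 100_000)
    if not secrets.compare_digest(digest, record["hash"]):
        return False, "mismatch"
    return True, "ok"


if __name__ == "__main__":
    uid = "jsmith01"                       # constructed User ID
    pw = generate_password()
    rec = make_record(uid, pw, date(1998, 5, 8))
    print("userid valid:", valid_userid(uid))
    print("Welcome1 weaknesses:", password_weaknesses("Welcome1", uid))
    print("verify within period:", verify(rec, pw, date(1998, 6, 1)))
    print("verify after period:", verify(rec, pw, date(1998, 9, 1)))
```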

8.2 Network Security Testing

Periodic security testing will be required to ensure that the security mechanisms within each
component work as expected and each component has been configured properly. For each
component, testing will be performed to ensure the following mechanisms work properly:

• Authentication, to include Identification and Authentication (I&A) for interactive
accesses and process-to-process authentication

• Internal DAC mechanisms enforcing the least privilege concept

• Inactivity time out

• Port locking after three unsuccessful login attempts

• Audit generation

In addition, penetration testing will be performed to search for flaws that may allow
circumventing Identification and Authentication or internal security mechanisms that enforce
the security policy of each component or an entire network layer.

All discovered flaws will be corrected and the components affected will be re-tested to
demonstrate that the flaws have been eliminated and new flaws have not been introduced.

Test documentation and procedures will be developed to perform the stated tests. The
documentation will consist of a test plan stating the mechanisms that are being tested, test
procedures describing the procedures employed to perform the tests, and a description of test
results of the functional testing of the security mechanisms.

8.3 Network Audits

All audit records indicating security-relevant actions on all network components will be sent
to the ROSC NMC for review and archiving. The audit records will be sent from each
component to its associated NMS on a daily basis.

The audit logs will be maintained to provide a history of the use of the network to permit
regular security reviews of system activities. Audit log files will be archived for a period of
at least three years. Additionally, audit logs will be reviewed periodically as determined by
the ISSO for suspicious actions by intruders. Audit logs will also be used to ensure that each
DISN component or system preserves the information entrusted to it.

8.4 Network Monitoring

Using audit analysis tools is an important activity of the Security Manager. The Security
Manager must have the means to electronically scan, filter, summarize and correlate
potentially large amounts of data that are stored in the audit logs. The audit generation,
collection and analysis tools must be trusted not to alter, delete, or damage the audit
information. They should enable the Security Manager to arrive at correct conclusions
regarding security-relevant events that occur within each component and in the entire
network layer.

The Security Manager will ensure that audit trails are reviewed periodically.

8.5 Monitoring of Network Activities

To ensure that the secure services of the SIPRNET are available to subscribers at all times,
all SIPRNET components will be remotely monitored from the ROSC NMCs to ensure the
following:

• The components are operating properly.
• Any attempt by intruders to subject the network to an attack is detected.

Monitoring will include the activities required to detect unauthorized attempts to perform
the following actions:

• Unauthorized access to routers
• Unauthorized access to Communication Servers
• Unauthorized access to multiplexers
• Unauthorized access to NMSs

The above can be accomplished through the use of audit logs, accounting management, user
databases, and comparison of directories and files and their attributes against the
information in the configuration databases.

8.6 Tracking Abusers

Perpetrators and abusers must be tracked down using the audit logs and other network
analysis tools available on each of the network layers. Perpetrators may access a network
component through a dial-up link, or through physical access to a component or to an NMS.
In any event, the audit logs on one of the network components or NMSs can be used to
establish the presence of intruders, track them down, and determine the means used to
access the network. The audit logs will also help in determining the extent of the damage
that an intruder may have caused.

Examination of the following information in the audit logs will help track down intruders:

• Multiple simultaneous logins using the same User ID. This may reveal the identity of a System Administrator who is sharing his/her User ID with others. Find out whether these logins have been initiated from multiple locations.
• Excessive connection times, to ensure they are not the result of intrusion.
• Failed logins.
• Failed attempts due to security violations on a component.
• Newly created files or directories.
• Modification of files or directories.
• Actions performed by administrators, to ensure the actions carried out are proper.
• Other information in the audit logs about security violations.

The Security Manager will perform the above actions.


8.7 Reporting Security Faults and Violations

After a security violation has been determined, an incident report must be generated to
inform the ISSO. The evidence pointing to the violation must be preserved in case
prosecution is required.

8.8 Tools for Investigating Network Incidents

Several types of reports will be generated to help in discovering violations; they are
described in the following subsections.

8.9 Recurring Reports

These are reports generated on a regular basis. The ISSO will determine the frequency of
the reports. The reports will include the following items:

• Number of logins on each component (router, multiplexer, NMS, others) by each function or facility (console port, Telnet, others).
• Number of logins by each individual, the facilities from which logins were initiated, and the duration of sessions.
• A histogram of session duration on each component.
• Individual System Administrator or Security Manager activity report stating the actions performed by an individual on each network component.

8.10 Incident Reports

Incident reports are triggered by events that require immediate attention. The following
reports are sent to the DISN ISSO periodically as determined by the ISSO:

• Multiple-logins-on-a-component report: generated automatically when more than three simultaneous logins occur on a single component.
• Multiple-use-of-an-ID report: generated when a single User ID is used to log into a component from more than one location.
• Excess-login-duration report: generated when a System Administrator's or Security Manager's accumulated connect time on a component exceeds a threshold value determined by the ISSO.
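The indicators of section 8.6 and the three incident reports of section 8.10 can be computed directly from the audit records. The following Python is an added example, not code from the plan or from any DISN management system; its one-line-per-event record format, the component names, the user IDs and the four-hour duration threshold are constructed for the example, and real router or NMS audit records will differ.

```python
"""Audit-log review rules for sections 8.6 and 8.10 (added example, not DISN code).
Record format (constructed): "<timestamp> <component> <event> <user-id> <facility>".
"""
from collections import defaultdict
from datetime import datetime
from itertools import combinations

# Constructed sample audit records.
SAMPLE_LOG = """\
1998-05-08T08:00:00 rtr-01 LOGIN      sysadm1 console
1998-05-08T08:05:00 rtr-01 LOGIN      sysadm2 telnet-nmc-a
1998-05-08T08:06:00 rtr-01 LOGIN      sysadm1 telnet-nmc-b
1998-05-08T08:07:00 rtr-01 LOGIN      secmgr1 telnet-nmc-a
1998-05-08T08:10:00 rtr-01 LOGOUT     sysadm1 telnet-nmc-b
1998-05-08T08:30:00 rtr-01 LOGOUT     sysadm2 telnet-nmc-a
1998-05-08T08:40:00 rtr-01 LOGOUT     secmgr1 telnet-nmc-a
1998-05-08T09:00:00 mux-07 LOGIN_FAIL sysadm3 dialup
1998-05-08T09:00:20 mux-07 LOGIN_FAIL sysadm3 dialup
1998-05-08T09:00:40 mux-07 LOGIN_FAIL sysadm3 dialup
1998-05-08T09:01:00 mux-07 LOGIN_FAIL sysadm3 dialup
1998-05-08T13:00:00 rtr-01 LOGOUT     sysadm1 console
"""


def parse_log(text):
    """Parse records into (time, component, event, user, facility) tuples."""
    events = []
    for line in text.splitlines():
        if line.strip():
            ts, component, event, user, facility = line.split()
            events.append((datetime.fromisoformat(ts), component, event, user, facility))
    return events


def build_sessions(events):
    """Pair LOGIN/LOGOUT records into sessions (component, user, facility, start, end).
    A login with no matching logout is treated as still open at the last record's time."""
    last_seen = max(e[0] for e in events)
    open_sessions, sessions = {}, []
    for ts, component, event, user, facility in events:
        key = (component, user, facility)
        if event == "LOGIN":
            open_sessions[key] = ts
        elif event == "LOGOUT" and key in open_sessions:
            sessions.append((component, user, facility, open_sessions.pop(key), ts))
    for (component, user, facility), start in open_sessions.items():
        sessions.append((component, user, facility, start, last_seen))
    return sessions


def multiple_logins_on_component(sessions, limit=3):
    """8.10: components where more than `limit` logins were active at the same moment."""
    edges = defaultdict(list)
    for component, _user, _fac, start, end in sessions:
        edges[component] += [(start, 1), (end, -1)]
    peaks = {}
    for component, ev in edges.items():
        active = peak = 0
        for _ts, delta in sorted(ev):      # at equal times a logout (-1) sorts before a login
            active += delta
            peak = max(peak, active)
        if peak > limit:
            peaks[component] = peak
    return peaks


def multiple_use_of_id(sessions):
    """8.10 / 8.6: one User ID logged into a component from two facilities at once."""
    by_id = defaultdict(list)
    for component, user, facility, start, end in sessions:
        by_id[(component, user)].append((facility, start, end))
    flagged = set()
    for key, sess in by_id.items():
        for (fac_a, s_a, e_a), (fac_b, s_b, e_b) in combinations(sess, 2):
            if fac_a != fac_b and s_a < e_b and s_b < e_a:   # different place, overlapping time
                flagged.add(key)
    return flagged


def excess_login_duration(sessions, threshold_minutes):
    """8.10: accumulated connect time per User ID on a component above the ISSO threshold."""
    totals = defaultdict(float)
    for component, user, _fac, start, end in sessions:
        totals[(component, user)] += (end - start).total_seconds() / 60
    return {k: m for k, m in totals.items() if m > threshold_minutes}


def failed_login_lockouts(events, limit=3):
    """8.2 / 8.6: User IDs whose failed logins on a component reached the port-lock limit."""
    counts = defaultdict(int)
    for _ts, component, event, user, _fac in events:
        if event == "LOGIN_FAIL":
            counts[(component, user)] += 1
    return {k: n for k, n in counts.items() if n >= limit}


def review(log_text, duration_threshold_minutes=240):
    """Run all four checks over one log and return the findings by report name."""
    events = parse_log(log_text)
    sessions = build_sessions(events)
    return {
        "multiple_logins": multiple_logins_on_component(sessions),
        "multiple_use_of_id": multiple_use_of_id(sessions),
        "excess_duration": excess_login_duration(sessions, duration_threshold_minutes),
        "lockouts": failed_login_lockouts(events),
    }


if __name__ == "__main__":
    for report, finding in review(SAMPLE_LOG).items():
        print(report, finding)
```

In the constructed log, sysadm1 is on rtr-01 from the console and from a second NMC at the same time, which both raises the component to four concurrent logins and triggers the multiple-use-of-an-ID report; the console session alone runs five hours, so the accumulated time also exceeds the 240-minute threshold. Sessions without a logout are counted up to the end of the log rather than dropped, so an intruder who never logs out still appears in the duration totals.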


8.11 Requested Reports

Requested reports are singular reports that are used for investigating specific events, and they
are generated only when they are requested. An example of such usage is a report
investigating the activities of a specific individual.

8.12 Site Visits and Security Reviews

The ISSO will visit each site periodically, as required, to review the implementation of the
procedures and guidelines enumerated in this security management plan. These reviews will
cover various security and administrative functions to ensure there are no deviations from the
procedures stated in this document.

9.0 Encryption Controls and Key Management

9.1 Link Encryption

The SIPRNET uses link encryption devices to protect router-to-router, multiplexer-to-
multiplexer, and subscriber dedicated access links. The devices are key generators (KG-84s,
KG-194s, and KIV-7s) and provide cryptographic separation between IP routers.

All circuits not contained within a protected space or protected wire distribution system are
encrypted using Type I encryption. KG-84 devices are used for 64 kbps circuits (and
below); KG-194 or KIV-7 devices are used for circuits up to the T1 rate. Links connecting
terminals directly will be protected with KG-84s, while dial-up links for terminals will be
protected by Secure Telephone Unit III/Secure Access Control System (STU-III/SACS)
devices. SIPRNET routers and SIPRNET monitoring centers will be protected to the Secret
level. KG-84s are scheduled for replacement.

The link encryption equipment on communications links will be rekeyed periodically as
indicated in the Key Management Support Plan included in Appendix C. Each link will be
individually keyed, with a manual key exchange at both ends of the line. None of the link
encryption equipment requires real-time communications with other or supporting
equipment to perform its operation.

9.2 Dial-up Encryption

The SIPRNET will use the AT&T STU-III Model 1910 to provide dedicated wireline
encryption of the dial-in link. The throughput on the dial-in ports will be at most 112 kbps;
the dial-in link on the STU-III devices will reach a maximum speed of 38.4 kbps.

The Secure Telephone Unit III/Secure Access Control System (STU-III/SACS) provides
strong authentication and confidentiality for dial-up by controlling access to computer
equipment. Each dial-up user is provided a key with a DAO code that identifies the user as
an authorized SIPRNET user. This key is good only for SIPRNET use. A list of authorized
DAO codes is entered into the Access Control List (ACL) of the STU-III; this list identifies
all the distant STU-IIIs that are permitted to establish a secure call with it. Incoming calls
are screened by comparing the caller's ID against the DAO codes stored on the device, and
unauthorized callers are not allowed to access the target system. In addition, the device
generates an audit trail of all attempts to access the system, whether successful or not.

9.3 KG-84

The KG-84A is a general purpose encryption device that has four selectable traffic key slots,
improved remote rekeying, and mandatory EIA RS-449 control signals. It processes data at
rates from 50 to 9,600 baud (asynchronous) and up to 32 kbps using its internal clock, and at
rates up to 64 kbps using an external clock for synchronization. It is capable of operating in
full duplex, half duplex, or simplex modes.

9.4 KG-194

The KG-194 is a full duplex key generator that encrypts digital traffic. It operates with
MIL-STD-188-114, RS-422, and RS-449 standard synchronous interfaces. Encryption and
decryption take place at speeds from 9.6 kbps to 13 Mbps.

9.5 KIV-7

KIV-7 products protect the communication of sensitive or classified information transmitted
via satellite or ground networks. Primarily, KIV-7 devices secure communications between
local area, video teleconferencing, and other voice and data networks. The KIV-7 is suited to
securing data communication up to T1 data rates.

10.0 Connection Security

A connection to DISN from a local subscriber environment (LSE) represents a significant
security event and always requires an updated local accreditation. However, DISA
recognizes that its potential customer base is much broader than the Department of Defense
and that these accreditation packages may be prepared in conformance with valid guidance
other than DoD Directive 5200.28. As such, the DISN connection security approval process
focuses on the connection security component and a common set of minimum security
requirements applicable to all local subscriber environments. If the local subscriber
environment consists of more than one system, then information on each system in the local
subscriber environment is required, as applicable. This information must be submitted in the
form of a System Security Package (SSP). SSPs must be updated at least once every three
years and also prior to any major system change which might adversely affect the accredited
security posture of the LSE.

The approval process for Subscriber connections to the DISN service delivery points (SDPs)
is depicted in Figure 4. Examples of DISN SDPs include bandwidth managers, digital
switches, ATM switches, circuit switches, video teleconferencing (VTC) hubs and
reservation systems, standardized tactical entry points (STEPs), and value-added service
delivery points such as dial-in service (including Private Automated Branch Exchanges
(PABX)) and gateways.

a. Step 1. The requirement to connect to DISN must be validated through the
appropriate Service/Agency. If the Subscriber is requesting a "foreign connection," a
Contractor connection, or connection by a non-DoD entity, the Subscriber must first validate
the requirement to connect with the Joint Staff.

b. Step 2. The Subscriber initiates a local accreditation update, including the
proposed DISN connection, with the appropriate local DAA.

[Figure 4 is a flowchart and is not reproduced here. Its boxes are the DISN Subscriber
((1) validates connection requirement, (2) starts local accreditation update, (3a) makes
initial DISA contact, (4a) completes local accreditation update, (4b) submits System
Security Package), the DISN CSR ((3b) advises Subscriber and forwards draft MOA;
coordination (3c, 3d, 4)), the DSAWG (connection security component approval
recommendation), VAAP, the DISA Certification Authority ((3e) interim connection
determination; final connection approval recommendation), the DISA DAA (coordination
(3d, 4c); (5) final connection approval), and (6) connection activation.]

Figure 4. DISN Connection Security Approval Process

c. Step 3. While the local certification and accreditation activities are progressing,
the Subscriber makes initial contact with the DISA DISN CSR. The DISN CSR will advise
the Subscriber on the overall process and on the required documentation and will forward a
draft Memorandum of Agreement (MOA) to the Subscriber. The DISN CSR will coordinate
with the DISA Certification Authority, who will render the interim connection determination
(an interim approval to connect will be valid for no more than 90 days). The DISN CSR and
the DISA Certification Authority, as required, will also coordinate with the DSAWG, for the
review of draft connection security requests, for advising Subscribers, and for approval
recommendations on connection security components. The DISA Certification Authority
interim recommendation will be forwarded to the DISN CSR and the DISA DAA. If the
recommendation is disapproval, specific guidance will be given to the Subscriber. The
connection process will resume when the concerns have been addressed.

d. Step 4. The Subscriber must receive from their local DAA either a final
accreditation or an interim approval to operate (IATO) for the LSE, which includes the
proposed DISN connection. After receiving a final accreditation or an IATO and interim
approval from the DISA Certification Authority, the Subscriber then submits a formal DISN
connection request package to the DISN CSR in the form of a System Security Package
(SSP). If the request is other than routine, the DISN CSR will forward the connection
security component details to the DSAWG and solicit a recommendation. If the DSAWG
returns a disapproval recommendation, it will be accompanied by specific guidance for the
Subscriber which will be forwarded to the Subscriber by the DISN CSR. The connection
process will resume when the concerns have been addressed. The DISN CSR will also
coordinate with and seek a final approval recommendation from the DISA Certification
Authority. The DISA Certification Authority decision will be based on a review of the SSP
and on the results of Vulnerability Assessment and Analysis Program (VAAP) testing.
Approval recommendations will be forwarded by the DISA Certification Authority to the
DISA DAA for final approval.

e. Step 5. The administrative decision by the DISA DAA may be final approval,
disapproval, or continuation of the interim approval to connect (IATC). If approved, a
Subscriber who only has an IATO from their local DAA will only receive an IATC from the
DISA DAA. A disapproval or an IATC from the DISA DAA will include specific
recommendations and guidance for the Subscriber on obtaining approval. An approval will
include a completed MOA with the Subscriber covering such areas as maintenance of
security posture, acknowledgment of periodic monitoring, DISA notification of relevant
security changes, and periodic reaccreditation. An IATC granted by the DISA DAA will be
valid for no more than 90 days. If the IATO granted by the local DAA expires, the IATC
will expire simultaneously, and Subscriber service will be terminated. Connection to DISN
requires both a local accreditation or IATO and approval from DISA.

11.0 Additional Security Features

11.1 Wang C2 Guard

The C2 Guard is a B3-level security device that provides a means to move product files
electronically between networks operating at different security levels. It applies a program-
specific set of rules to determine whether a file can be moved between security
environments.


Most of the files handled by BC2A have no header information or other explicit meta-data
from which the C2 Guard could determine the classification level of the file. The “BC2A
header” was developed in order to provide a means of identifying classification information
to the C2 Guard.

For a file to be passed by the C2 Guard from the SIPRNET to NATO or to the NIPRNET, the
contents of the BC2A header must indicate that the file is releasable and the file-header
combination must be digitally signed in an appropriate manner.

The C2 Guard monitors a specified directory on a US SECRET side server for files to be
processed. When it finds a file in the directory it ingests the file via FTP. Once the file is
inside the C2 Guard, it first examines the digital signature for validity and then examines the
contents of the “BC2A header” to determine whether this file has been properly marked as
releasable to NATO. If the file passes all of the tests the C2 Guard FTPs it to a specified
directory on a NATO side server.

If the file fails any of the criteria, it remains on the C2 Guard and is added to a reject list that
is displayed to the operator. The operator has the choice of releasing the file manually or
deleting it from the C2 Guard. The Guard configuration is shown in Figure 5.

Figure 5. Wang C2 Guard
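The ingest, verify and release loop described above, as an added example that is not the Wang C2 Guard's code: the BC2A header layout, the field names (CLASSIFICATION, RELEASABLE-TO), the delimiters, and the use of an HMAC-SHA256 keyed check with a shared key in place of the Guard's digital signature are assumptions of this example, and the three input files are constructed.

```python
"""Release decision of a guard that checks a signed BC2A-style header (section 11.1).
Added illustration, not the Wang C2 Guard's code; header layout, field names and the
HMAC stand-in for the digital signature are this example's assumptions."""
import hashlib
import hmac

HEADER_END = b"\n--END-BC2A-HEADER--\n"            # assumed header/payload delimiter
SIG_MARK = b"\n--SIG--"                              # assumed signature trailer marker
SIGNING_KEY = b"constructed-release-authority-key"   # constructed; stands in for the signer's key


def build_signed_file(fields, payload, key=SIGNING_KEY):
    """Produce header + payload + signature trailer, the form the guard ingests.
    The signature covers the header and the payload together."""
    header = b"".join(f"{k}: {v}\n".encode() for k, v in fields.items())
    body = header + HEADER_END + payload
    sig = hmac.new(key, body, hashlib.sha256).hexdigest().encode()
    return body + SIG_MARK + sig + b"\n"


def parse_signed_file(blob):
    """Split a blob into (fields, payload, signature, signed_bytes); raise if malformed."""
    body, sep, trailer = blob.rpartition(SIG_MARK)
    if not sep:
        raise ValueError("missing signature trailer")
    header_bytes, sep, payload = body.partition(HEADER_END)
    if not sep:
        raise ValueError("missing BC2A header")
    fields = {}
    for line in header_bytes.decode("ascii", "replace").splitlines():
        name, _, value = line.partition(":")
        fields[name.strip().upper()] = value.strip()
    return fields, payload, trailer.strip(), body


def guard_decision(blob, destination, key=SIGNING_KEY):
    """Return ("PASS", detail) or ("REJECT", reason). The signature is checked before
    any header content is trusted, so an edited header never reaches the release test."""
    try:
        fields, payload, sig, signed = parse_signed_file(blob)
    except ValueError as exc:
        return "REJECT", str(exc)
    expected = hmac.new(key, signed, hashlib.sha256).hexdigest().encode()
    if not hmac.compare_digest(sig, expected):
        return "REJECT", "signature invalid"
    if "CLASSIFICATION" not in fields:
        return "REJECT", "header lacks classification marking"
    releasable = {d.strip() for d in fields.get("RELEASABLE-TO", "").split(",") if d.strip()}
    if destination not in releasable:
        return "REJECT", f"not marked releasable to {destination}"
    classification = fields["CLASSIFICATION"]
    return "PASS", f"{classification} {len(payload)} bytes"


def process_batch(files, destination, key=SIGNING_KEY):
    """Mimic the guard's sweep of its pickup directory: files that pass are forwarded to
    the far side; the rest stay on the guard and go on the reject list for the operator."""
    forwarded, reject_list = [], []
    for name, blob in files.items():
        verdict, detail = guard_decision(blob, destination, key)
        (forwarded if verdict == "PASS" else reject_list).append((name, detail))
    return forwarded, reject_list


# Constructed inputs: one signed and marked releasable, one signed but US-only, and one
# whose header was edited after signing so that the signature no longer matches.
SAMPLE_FILES = {
    "sitrep-1.txt": build_signed_file(
        {"CLASSIFICATION": "SECRET", "RELEASABLE-TO": "NATO"}, b"constructed report text"),
    "sitrep-2.txt": build_signed_file(
        {"CLASSIFICATION": "SECRET", "RELEASABLE-TO": "US-ONLY"}, b"constructed report text"),
    "sitrep-3.txt": build_signed_file(
        {"CLASSIFICATION": "SECRET", "RELEASABLE-TO": "US-ONLY"}, b"constructed report text"
    ).replace(b"RELEASABLE-TO: US-ONLY", b"RELEASABLE-TO: US-ONLY, NATO"),
}

if __name__ == "__main__":
    forwarded, rejects = process_batch(SAMPLE_FILES, "NATO")
    print("forwarded:", forwarded)
    print("reject list:", rejects)
```

Because the signature covers header and payload together, the third file (header edited after signing to add NATO) fails the signature check before its releasability marking is ever consulted, which is the order the text gives for the Guard; a guard that read the header first would be making its release decision on data the sender could alter. The rejected files stay in the returned reject list rather than being deleted, leaving the manual release or delete choice to the operator as the section describes.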


11.2 Firewalls

The firewall used in SIPRNET is the Cisco Systems Private Internet Exchange (PIX), which
provides full firewall protection and conceals the architecture of the internal network from
the outside world. It is a packet-filtering firewall positioned between the SIPRNET
infrastructure and the authentication server, and between the infrastructure and the remote
personnel who reach it: the "on-call expert" (who may be located anywhere) and the network
management operator. The firewall is configured to meet the required functions of the local
SIPRNET infrastructure.

IP Packet Filters: Through the use of filter rules applied to traffic entering and leaving the
network, the information center is protected yet remains accessible to users. The most
important feature of the IP packet filters is that they screen on destination address, source
address, and port. Packets addressed to the infrastructure itself that the rules do not
explicitly permit are discarded.
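Screening on source, destination and port, as an added example rather than the PIX configuration used on SIPRNET: the addresses are IETF documentation ranges, and the rule layout, the service ports (authentication on TCP port 49, operator Telnet on port 23) and the assignment of hosts to roles are assumptions of the example. It also shows a point the section does not spell out, that in a stateless filter rule order and an explicit rule for the reply direction decide whether the permitted traffic actually passes.

```python
"""Stateless packet filtering on source, destination and port (section 11.2).
Added example, not PIX configuration or code from the plan; addresses, ports and
roles are constructed."""
from ipaddress import ip_address, ip_network

# Constructed network roles (IETF documentation address ranges).
INFRA = ip_network("192.0.2.0/24")            # SIPRNET infrastructure: routers, NMS
AUTH_SERVER = ip_network("198.51.100.10/32")  # authentication server
OPERATORS = ip_network("203.0.113.0/24")      # network management operator, on-call expert
ANY = ip_network("0.0.0.0/0")

# Rule: (action, src_net, dst_net, proto, sport, dport); None matches anything.
# Evaluated top-down, first match wins. Each direction needs its own rule.
RULES = [
    ("permit", INFRA, AUTH_SERVER, "tcp", None, 49),  # authentication queries
    ("permit", AUTH_SERVER, INFRA, "tcp", 49, None),  # and their replies
    ("permit", OPERATORS, INFRA, "tcp", None, 23),    # operator Telnet to infrastructure
    ("permit", INFRA, OPERATORS, "tcp", 23, None),    # and its replies
    ("deny", ANY, INFRA, None, None, None),           # anything else bound for the infrastructure
]

# The same rules with the catch-all deny moved to the top: a mis-ordered filter that
# also drops the authentication replies it was meant to let through.
MISORDERED_RULES = [RULES[-1]] + RULES[:-1]


def evaluate(rules, src, dst, proto, sport, dport):
    """Return "permit" or "deny" for one packet; anything unmatched is denied by default."""
    src, dst = ip_address(src), ip_address(dst)
    for action, s_net, d_net, r_proto, r_sport, r_dport in rules:
        if (src in s_net and dst in d_net
                and r_proto in (None, proto)
                and r_sport in (None, sport)
                and r_dport in (None, dport)):
            return action
    return "deny"


def screen(rules, packets):
    """Apply the filter to a list of packets and return a verdict per packet."""
    return [evaluate(rules, *p) for p in packets]


# Constructed traffic sample: (src, dst, proto, sport, dport)
SAMPLE_PACKETS = [
    ("192.0.2.1", "198.51.100.10", "tcp", 40001, 49),  # router queries the auth server
    ("198.51.100.10", "192.0.2.1", "tcp", 49, 40001),  # the reply
    ("203.0.113.5", "192.0.2.1", "tcp", 51000, 23),    # operator Telnet
    ("203.0.113.5", "192.0.2.1", "udp", 51001, 161),   # operator SNMP: no rule, dropped
    ("198.51.100.99", "192.0.2.1", "tcp", 49, 40002),  # "auth reply" from the wrong host
    ("203.0.113.5", "203.0.113.9", "tcp", 1, 2),       # covered by no rule at all
]

if __name__ == "__main__":
    for packet, verdict in zip(SAMPLE_PACKETS, screen(RULES, SAMPLE_PACKETS)):
        print(verdict, packet)
```

The fifth packet carries the authentication server's source port but comes from another host; because the rule matches on source address as well as port, it falls through to the catch-all deny. With the mis-ordered rule set the router's query still leaves (its destination is the authentication server, not the infrastructure) but the reply is dropped, so authentication silently fails while the filter appears to be "working".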

11.3 KMD5

Typical of router key protection devices, the KMD5 can provide partial rather than total
connection turnover, and will provide more as required.

11.4 Fortezza

An approved method of providing a secure remote dial-in capability for the NMC operator is
through the use of a Fortezza device together with a TACACS+ authentication server. The
Fortezza Crypto Card is a small, portable, Personal Computer Memory Card International
Association (PCMCIA) compliant device that provides value-added Type I encryption
security services to protect electronic information.

Fortezza security services include:

• Data integrity: verification that the data has not been modified
• Authentication: i.e., your personal signature
• Non-repudiation: e.g., sender/receiver in a financial transaction
• Confidentiality: i.e., encrypted text

12.0 Information Security

DODD 5200.28 requires that classified and UBS output be marked to accurately reflect the
sensitivity of the information. The requirements for security classification and the
applicable markings for classified information are discussed in DOD 5200.1-R (DOD, 1986).


Markings may be generated automatically or may be done manually. If automated markings
are used, the DISN component generating them must support a Mandatory Access Control
(MAC) policy and meet a minimum evaluation rating of B1 according to DOD 5200.28-STD
(NCSC, 1985). Since MAC policy is not enforced by routers, Communication Servers, or
multiplexers, no label information is maintained in any of these DISN components. For this
reason, all DISN components, their output devices, and their outputs will be protected at the
security level of the information handled by the component and its associated network layer.
Outputs will be protected as such until they are declassified by being manually reviewed by
an authorized person to ensure that their security level can be lowered.

All media and containers will be marked and protected in accordance with their security level
and the most restrictive category of information handled by the associated network layer until
the media are declassified (e.g., degaussed or erased) using DOD-approved methodology
described in the DOD AIS security manual, DOD 5200.28-M (DOD, 1989), or until the
information is declassified or downgraded in accordance to DOD 5200. 1 -R (DOD, 1986).

To avoid confusion in the operation of different network layers, each network component
should be clearly marked with an appropriate symbol to indicate the security level at which
the component is operating.

The marking assigned to each component may be stamped, printed, written, painted, or
affixed by means of a tag, sticker, or decal as considered appropriate.

12.1 Accountability for Output Products

Formal accountability for DISN output products at different security levels, in accordance
with DOD 5200.1-R (DOD, 1986), is required when an item leaves the boundaries or
confines of an NMC or terminal area. This accountability applies only to items containing
classified information.

This accountability applies to all output products including printed listings, microfilm,
microfiche, CRT displays, and removable storage media used on hardware and firmware
attached to DISN network layers.

Organizations will require that Security Officers and System Administrators fill out and sign
proper forms when they require outputs to be transported beyond the confines of a center. A
log identifying the output product by unique identifier, date, and intended recipient will be
used for this purpose; the log should be retained for at least one year. Security Managers and
System Administrators will protect output products as if they were classified at the security
level of the network layer until they have been reviewed and the actual classification
confirmed.


12.2 Security Marking

DISN output products will be marked with the proper classification for the data present on
them. Normally, UBS material will not be marked or stamped "UNCLASSIFIED" unless it
is essential to convey to a recipient of such material that it has been examined to determine
its classification.

12.3 Network Components

All multiplexers and supporting equipment (NMSs, CSU/DSUs, KG devices, Communication
Servers, LAN components) operate at the Secret security level and will require marking.

Routers can operate at any one of the four security levels. The security level associated with
each router will be clearly labeled as UBS, Secret, TS, or TS/SCI to display the security level
at which it is operating; UBS components may be unlabeled unless there is a possibility of
confusion.

Communication channels and I/O channels connecting to I/O devices that carry red
(unencrypted) data will also operate at a single level and will be marked with an appropriate
label displaying their security level; all ports through which encrypted (black) information
passes will have a security level of UBS and will be labeled accordingly. All cables carrying
unencrypted information will be marked according to the security level of the information
passing through them.

12.4 Printed Paper Output

Printed output may be generated based on information from any of the network layers
operating at the UBS, Secret, TS, or TS/SCI security level. The printed output from any of
the layers will be appropriately marked to reflect the actual classification of the information.
The classification of the output will be the same as the classification of the network from
which it originates. Since none of the components have Multilevel Secure (MLS)
capabilities, they will not be able to generate a trusted marking through automated means.
Therefore, a manual approach will be used to ensure that classification markings are shown
at the top and bottom of each page that is being printed. Unless technically or operationally
infeasible, the first page of the printout will be marked with the classification and date of
generation of the printout. Each page of a multi-page printout will be sequentially numbered.

The user is responsible for ensuring the continuity of page numbering after receiving the
product.

12.5 Microfilm and Microfiche

All outputs in the form of microfilm and microfiche and their containers will be marked to
ensure that a viewer or recipient will recognize the security level of the information
associated with that media. In addition to the security level, the markings should include the
date of creation and a unique identifier. Information identifying the product originator, as
well as any downgrading and declassification instructions or exemptions, will be displayed
either in the first image or printed on the special container or envelope provided for storage.
Each image will have a security classification marking that is clearly visible at the top and
bottom when the image is magnified.

12.6 CRT Display

Each CRT display connected to a network layer will be assigned the same security level as
the network layer. Since most operating systems or applications do not provide classification
marking on the display, CRT displays will be physically marked by placing a sticker or other
physical label on the CRT to display its security level. In the future when MLS devices are
deployed in the DISN, the MLS software will clearly display the security level associated
with each window.

12.7 Magnetic Storage Media Marking

All removable storage media will be externally marked according to the classification of the
information they contain; this classification is the same as the classification of the network
layer on which the information was generated. In addition, the marking will include a
permanently assigned identification or control number to aid in inventory control. If the
media is a non-removable disk drive, the cabinet housing the media will be noticeably
marked with the classification of the information contained on the media.

This marking will be written in a color code. The colors associated with the different
classifications are:

• Yellow for UBS
• Red for Secret
• TBD for TS/SCI

12.8 Clearing, Declassification, and Destruction of Media

The information generated on any output medium is classified at the classification of the
network on which the information is generated. The information on any of the output media
will be destroyed when there is no further need for the information.

The currently available technology will determine what is and is not considered effective
clearing, declassification or destruction procedures for media.


12.9 Magnetic Storage Media Clearing

Magnetic media will be cleared according to the guidelines set forth in DOD 5200.28-M.
Information may be purged from a magnetic medium by overwriting, degaussing, or
destruction of the medium. Overwriting applies to magnetic disks. For an overwrite
procedure to work correctly, the equipment will be checked immediately before the
beginning of the overwrite to ensure that no malfunction occurs that would prevent the
classified information from being effectively overwritten. In addition, DOD 5200.28-M
(DOD, 1989) recommends, as an integral part of the storage subsystem when available, that
an AC/DC erase be applied to all data tracks before the tracks are overwritten and the
overwrite verified. Thereafter, all storage locations will be overwritten a minimum of three
times: once with binary "1", once with binary "0", and once with a single character that may
be an alphanumeric or a special character.
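The three-pass overwrite with verification described above, applied to a single file rather than to a disk's tracks, as an added example (not a procedure from DOD 5200.28-M or the plan): the pass patterns, the chunk size and the use of a temporary file holding constructed content are this example's own choices.

```python
"""Three-pass overwrite with read-back verification (section 12.9), applied to a file.
Added example; not a DOD 5200.28-M procedure or code from the plan. Patterns, chunk
size and the temporary file are this example's choices."""
import os
import tempfile

# Binary ones, binary zeros, then a single character, in the order the section gives.
OVERWRITE_PATTERNS = (0xFF, 0x00, ord("x"))


def overwrite_and_verify(path, patterns=OVERWRITE_PATTERNS, chunk=1 << 16):
    """Overwrite every byte of the file once per pattern. After each pass the data is
    flushed to the device and read back; a mismatch raises before the next pass starts,
    so a write failure is detected rather than assumed absent. Returns passes verified."""
    size = os.path.getsize(path)
    verified = 0
    with open(path, "r+b") as f:
        for pattern in patterns:
            block = bytes([pattern]) * chunk
            f.seek(0)
            remaining = size
            while remaining:
                n = min(chunk, remaining)
                f.write(block[:n])
                remaining -= n
            f.flush()
            os.fsync(f.fileno())          # push the pass through OS buffers to the device
            f.seek(0)
            remaining = size
            while remaining:
                n = min(chunk, remaining)
                if f.read(n) != block[:n]:
                    raise RuntimeError(f"pass {verified + 1} did not verify")
                remaining -= n
            verified += 1
    return verified


def demo():
    """Create a temporary file of constructed 'classified' text, sanitise it, and report
    (passes verified, whether the file is now all pattern bytes, whether any original
    text survives)."""
    fd, path = tempfile.mkstemp()
    os.close(fd)
    original = b"CONSTRUCTED SECRET TEXT " * 5000
    with open(path, "wb") as f:
        f.write(original)
    try:
        passes = overwrite_and_verify(path)
        with open(path, "rb") as f:
            final = f.read()
    finally:
        os.remove(path)
    return passes, final == b"x" * len(original), b"SECRET" in final


if __name__ == "__main__":
    print(demo())
```

Only the logical bytes of the file are overwritten; sectors a drive has remapped, or flash storage, are not reached this way, and as section 12.8 states, the technology in use determines what counts as effective clearing. The read-back after each fsync is the software analogue of the equipment check the text calls for: a pass that was not actually written fails loudly instead of leaving the medium believed clean.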

If the magnetic medium cannot be overwritten, it should be declassified by exposing the
recording surfaces to a permanent magnetic field with a strength of 1,500 oersted at the
surface. The surface will be wiped at least three times with this magnetic field. In the event
that degaussing is not feasible, the storage media will be destroyed as appropriate prior to
being removed from the classified area.

Tapes will be declassified by erasing with bulk tape degaussers that have been tested and
certified by an authorized laboratory that adheres to test methods and performance described
in section VIII of DOD 5200.28-M (DOD, 1989). Degaussing will be the dominant method
used by the operations personnel at the GOSC and ROSC NMCs.

Declassification of DISN magnetic storage media is a security auditable event. Accordingly,
upon completion of the declassification procedure, a written Declassification Audit Report
will be submitted to the ISSO or the site's security manager. It will be retained for a period
of one year and will include the following:

• Identification, last location used on the DISN, and destination of the media that was declassified.
• Identification of the person who performed the declassification procedure.
• Date, time, and location where the declassification procedure was performed.
• Identification of the declassification procedure used and a description of the validation process.

The ISSO will ensure that each NMC site has an approved overwrite device for media
clearing and declassification. In addition, the ISSO will ensure that NSA-approved hardware
(such as a degausser) is available for media clearing and declassification at each site.


12.10 Semiconductor Memory

12.10.1 Volatile Semiconductor Memory

Volatile semiconductor memory will be cleared by disconnecting the power cords and
removing all batteries for a period of at least five minutes.

12.10.2 Nonvolatile Semiconductor Memory

All nonvolatile memory used in DISN components that contains classified information needs
to be protected. Should there be a need to clear the nonvolatile semiconductors employed in
these devices, they should be cleared by overwrite or other approaches as applicable.

12.11 Test and Diagnostic Equipment

DISN hardware and software maintenance personnel (both Government and contractors)
sometimes use Test and Diagnostic Equipment (T&DE) to perform their maintenance
functions. If this T&DE is connected to a DISN network layer, there is a risk that classified
data could be transferred to the T&DE. Therefore, T&DE and its removable media, such as
floppy diskettes, will be considered to contain information at the security level of the
associated network layer and will be declassified or downgraded to Unclassified before being
removed from the DISN site. This declassification is an auditable event and will be recorded
in audit logs by the responsible Security Manager.

For all T&DE, contractors will provide to the Security Manager written verification from
their respective companies that the T&DE can be declassified or downgraded and will
describe the procedures for the declassification (e.g., removal of power). The Security
Manager will review the procedures and ensure that only verified T&DE and no other
devices are used on DISN components. Unless the T&DE is to be connected continuously to
the DISN, the TEMPEST requirements of section 7 do not apply.

Any test and diagnostic software used for maintenance of a DISN component will be kept on
site with the DISN component.

13.0 SIPRNET Administrative Security

Secure operation of DISN depends on protecting the DISN components and establishing
proper management and control functions to ensure that the security controls employed in
DISN components are properly installed and are immune from alteration by unauthorized
individuals. This requires, in addition to personnel, physical and cryptographic protections,
proper operational security procedures. Careful configuration control of all network assets,
including those involved in management activities, is also an essential part of the
operational security procedures.


This section discusses the DISN administrative security that focuses on security procedures
that are required for secure operation of DISN. Cryptographic protection will be discussed
under Encryption control and key management.

13.1 Personnel Security

The objective of personnel security is to determine the trustworthiness, reliability, and loyalty
of individuals by conducting thorough investigations of their backgrounds before granting
them access to classified information or assigning them to sensitive national security duties.

There are different levels of security clearances requiring different types of background
investigations, as described in DOD 5200.2-R (DOD, 1987), Section 4, Chapter III. The
level of security clearance granted to an individual depends on the security classification of
his/her job as indicated in DOD 5200.2-R, Section 1, Chapter III. The Defense Investigative
Service (DIS) provides a single, centrally directed personnel security investigative service to
conduct personnel security investigations within the fifty states, the District of Columbia,
and the Commonwealth of Puerto Rico for DOD Components.

Personnel who have been granted security clearances are subject to continuing assessment
for any indication that their trustworthiness has become questionable.

13.2 Required Clearance Levels

All personnel who are responsible for the operation, maintenance, and management of the
NMCs will have clearances according to the following rules:

All NMC personnel (in CONUS and OCONUS) that have access to and can influence the
UBS and Secret level networks will have a Secret clearance based on a current Background
Investigation (BI).

Personnel who are responsible for managing multiplexers will have at least a Secret
clearance based on a BI.

All personnel at the SIPRNET Support Center who have access to the passwords for the
XTACACS Servers (including the Primary Server) or who have the ability to change the
databases containing the User IDs and passwords, and those individuals at the NMCs who have
access to the Enable passwords that allow them to change the configuration of the
Communication Servers, must have a Secret level clearance based on a Background
Investigation (BI).

The level of security clearance for personnel responsible for the maintenance of routers
depends on the security level of the information being handled by these devices. A minimum
of Secret clearance is required; however, if the routers belong to the TS/SCI layer of the
DISN network, then the personnel responsible for managing these devices will have
clearances commensurate with their security levels.


Encryption devices operate at the security level of the network layer to which they are
connected. Personnel who are cleared at the security level of the network layer will manage
them. These personnel will be required to attend Communication Security (COMSEC)
briefings as appropriate.

To control the issuance of TS/SCI clearances, specific designated billets will be established
for positions requiring access to such information. The DISN ISSO will request the DIS to
perform the appropriate personnel security investigation for such individuals. The Background
Investigation and Special Background Investigation (BI/SBI) are the principal types of
investigation conducted when an individual requires a TS/SCI clearance or is assigned to a
critical sensitive position. Each request to the DIS for a BI/SBI will require inclusion of the
appropriate billet reference. A report on the number of established TS or TS/SCI billets
will be submitted each year to the Deputy Under Secretary of Defense for Policy as part of
the annual clearance report.

13.3 Foreign Nationals

Only U.S. citizens (born or naturalized) are eligible to work in the DISN NMCs. Naturalized
U.S. citizens must satisfy the conditions specified in DOD 5200.2-R, Section 3-402 before
they are granted access to the NMCs and other DISN facilities. The DISN ISSO or security
manager will make every effort to ensure that non-U.S. citizens are not granted access
privileges to the NMCs or other DISN facilities. However, when there are compelling reasons
to grant access to the NMCs to an immigrant alien or a foreign national, limited access
authorizations may be granted. In such cases, the conditions specified in DOD 5200.2-R,
Section 3-403 will apply.

13.4 Contractors

Contractor personnel who are assigned to work inside the DISN NMCs or DISN node sites
on a full-time basis will have the same need-to-know and the same security level of clearance
as the DISN NMC personnel.

Contractor personnel will not serve as security officers in any capacity at any network
management level (GOSC, ROSCs).

Contractors who are responsible for providing maintenance services that require them to have
unescorted access to the NMCs or DISN node sites on a periodic or as-needed basis will
possess a clearance commensurate with the security level associated with the equipment
being maintained.

Maintenance personnel who have unescorted access to network equipment on the UBS layer
of DISN will have a Secret clearance based on a background investigation.

Uncleared personnel will perform no maintenance work inside an NMC or a protected DISN
node site. Network components must be disconnected from the network and declassified
before being transported outside DISN protected facilities for repair. Repaired equipment
will be treated the same as new equipment when received and will go through the proper
procedures before being deployed in the DISN.

Personnel who do not possess the proper clearances will be escorted at all times by properly
cleared personnel while in DISN facilities (DISN node sites or NMCs). A record of their
visits will be maintained and retained for a period of time as determined by the DISN ISSO
or security manager. Escorts will be technically competent to ensure that maintenance
personnel do nothing that might degrade or circumvent security countermeasures or
safeguards in the NMCs or node sites. Harmful or questionable actions taken by these
personnel will be reported immediately to the Security Manager.

A mechanism will be in place that will allow the escort to alert other personnel whenever an
escorted person is in the area. Escorts will also ensure that workstation screens and other
devices are protected from casual observation by visitors.

13.5 Personnel Problems

The DISN ISSO or the security manager will monitor, on a continuing basis, the NMC
personnel for indications of instability that might pose a threat to the security of the NMCs.
Such indications may include mental or emotional disorders, substance abuse, financial
problems, and sexual misconduct. Appendix I of DOD 5200.2-R (DOD, 1987) describes, in
detail, other factors that would result in revocation of an individual's eligibility for access to
classified information, or for appointment to, or retention in, sensitive and critical positions.

If there is evidence or an indication that an individual has been involved in misconduct,
the security manager will recommend to the ISSO or other appropriate authority a temporary
suspension of that individual's security clearance, pending an official evaluation of the case.
In such cases, close coordination is required between security authorities and medical, legal,
and supervisory personnel to ensure that all pertinent information available within a
command is considered in the personnel security process.

13.6 Dismissed and Departed Personnel

When employment of NMC personnel terminates, access privileges of such personnel will be
revoked immediately. If employment is being terminated under unfavorable circumstances,
the revocation will be accomplished before the person is notified. Such personnel
historically present the greatest threat to the security of the automated systems. The
designated security officer will give a termination briefing to the terminated person and
ensure that he or she is not in possession of any classified material.

13.7 Termination Briefings

Upon termination of employment, the terminating personnel will be given an oral termination
briefing. The ISSO will ensure that terminated personnel return all classified material and
execute a Security Termination Statement and Debriefing Certificate (DA Form 2962) and a
Classified Information Nondisclosure Agreement. During the termination briefing, the
terminated personnel will be advised of their security related responsibilities, including the
following:

 A terminated individual should not have in his possession any classified material.
 A terminated individual will not communicate or transmit classified information to any
unauthorized person or agency.
 A terminated individual will report to the FBI any attempt by any unauthorized person to
solicit classified information.
 A terminated individual will be made aware of the consequences for breach of the
security regulations.

14.0 Physical Security

This section addresses physical security of the DISN GOSC and ROSC NMC, and other
DISN components, such as the routers, multiplexers, Communication Servers, and encryption
devices. Physical security of these components is based upon the requirement that system
resources will be physically protected commensurate with the classification and sensitivity of
the information they process, transmit, or store. Whenever possible, NMCs and network
components will be housed in Government facilities with preference given to DOD facilities.
All facilities will require accreditation.

The objectives of providing physical security to DISN NMCs and other components are as
follows:

I Prevent unauthorized access to equipment, facilities, material, media, and documents.

II Safeguard against espionage, sabotage, damage, and theft.

III Safeguard personnel in the NMCs.

An unauthorized access could result in damage to the facility; modification, destruction, or
disclosure of sensitive information; or denial of service. To provide physical security to the
DISN components, the measures identified in the following sections need to be
implemented.

14.1 Entry Control

Entry control is the process by which only authorized personnel are allowed physical access
to a facility. Access to the NMCs and other facilities that house equipment will be controlled
by in-depth application of barriers and procedures, including continuous surveillance (human
or electronic) of the protected area. Barriers and procedures may include structural
standards, key control, lighting, lock application, and inventory and accountability. The
ROSC NMC security manager has the responsibility to ensure that the procedures for
controlling entry to the ROSC NMC are fulfilled.


Only personnel with defined business needs will be authorized to enter an NMC or other
DISN facilities. Authorized personnel will be issued appropriate badges and/or personal
recognition methods to permit entrance. A list of such personnel will be maintained and
reconciled periodically (at least annually or immediately upon any change in the employment
status of personnel) to ensure that these personnel still have the need to access the NMCs.
Personnel who need to enter occasionally will be issued temporary badges or escorted, and a
record of their visits will be kept. This includes equipment maintenance personnel and other
individuals not directly involved with operation of the facility. All visits by non-U.S.
citizens will be coordinated with the cognizant security officer.

14.2 Required Physical Security Controls

The NMCs, at a minimum, will be protected at the Secret level; however, if the network layer
being managed by the NMC is TS/SCI, then the NMC will be protected at the classification
of the network.

The facilities that house smart multiplexers will be protected at the Secret level.

In CONUS, the components of the UBS router network layer of the DISN will be protected
at the UBS level, but if a router is collocated with a multiplexer then it will also be protected
at the Secret level. If these components carry Secret or TS/SCI traffic, they will be protected
according to the security level of the information they are handling. The minimum
protection for OCONUS will be the Secret level.

Encryption devices will be protected at the security level of the clear (red) information they
are protecting.

14.3 Structural Considerations

Facilities that house DISN equipment will be of sufficient structural integrity to
provide effective physical security at a reasonable cost. The facilities will be constructed
using noncombustible material, such as brick, hardened poured concrete, cement block, or
steel. The walls will extend from true floor to true ceiling.

If a facility is on the ground floor and has windows, then the windows will be covered with
grills, steel screens, secure shutters, or other similar protective material. All entrance doors
will be substantially constructed of solid core wood or metal. Hinges will be mounted on the
inside; if this is not possible, the hinge pins will be welded to hinder removal. The entrance
doors will be equipped with a deadbolt having at least a one-inch throw. The doors must also
be equipped with a heavy-duty pneumatic door closer.

The DISN ISSO will rely on a trained physical security specialist to provide specific
guidance on physical security requirements and on the implementation of specific physical
security procedures. The physical security specialist will also be consulted any time a
modification to a facility is contemplated. Periodic physical security inspections will be
conducted by a physical security specialist to ensure the protection of DISN resources against
threats.

14.4 Protection of IS Resources from Fire and Water

Proper fire barriers within, above, and below the NMCs plus adequate fire alarms, overhead
water sprinklers, and fire suppression systems will be in place. Properly located, hand
operated extinguishers will be available. Water may accumulate under the raised floors;
therefore, adequate drains will be provided. Waterproof covers will be provided for all
appropriate IS equipment located in the NMCs, and adequate floor lifters will be available.
Smoke alarms as well as under-floor water detectors will be installed where necessary.

14.5 Electric Power

Operation of the equipment in the NMCs is dependent upon adequate and reliable electric
power. Because the loss of electric power may result in an immediate cessation of the
operation of an NMC, the NMCs will be equipped with uninterruptible power supplies.
Emergency (battery powered) lights will be installed, and procedures will be in place to check
their operation periodically.

14.6 NMC Housekeeping

NMC housekeeping plays an important role in implementing a sound physical security
program. Food and beverages will be allowed only in certain designated areas inside the
NMCs. Combustible supplies such as cleaners, paper, boxes, and cards will be brought into the
NMCs only on an as-needed basis. Approved storage areas will be provided external to the
NMC for storing large numbers of combustible items.

14.7 Protection of Magnetic Media

Magnetic media and the data on it will be protected against fire, erasure, and inadvertent or
malicious damage by humans. All media of value will be handled with care and stored in
protected areas with adequate accounting procedures applied. Media containing backups will
be stored in a different facility, if possible.

14.8 User Registration Controls

To obtain access to a multiplexer, router, Communication Server, or NMS, a DISA or
contractor employee will submit a formal request to the appropriate security officer for a
User ID on the component. This request will indicate the category of User ID being
requested (System Administrator or Security Manager) and the privileges required.

As a result of this request, a System Administrator or Security Manager will be issued a User
ID and password. To ensure secure operation of each component, the password management
restrictions of this plan will apply to the use of these passwords.


15.0 Configuration Management

Configuration management is generally applied to the hardware and software development
process. However, in the context of DISN security management, it is used to maintain
information on the actual configuration of each network layer and its components.
Considering that the software programs of many DISN components are deployed and
configured to enforce DISN security policy, it is important to ensure that these software
programs are operating correctly; that is, system level programs (e.g., operating systems,
communications software) should not be allowed to be changed arbitrarily. In addition,
procedures will be in place that state who is authorized to make changes to systems, under
what circumstances, and how the changes are to be documented.

Configuration management for SIPRNET backbone and ITSDN entities and for SIPRNET
management platforms is maintained at the SIPRNET monitoring center. All configuration
changes are performed at the direction of the SIPRNET Program Manager.

15.1 Configuration Management Databases

The Telecommunications Management System-DISN (TMS-D) (GSI, 1993) is the primary
system used to support configuration management for DISN security management. This is
an interactive menu-oriented environment developed on an IBM mainframe computer using
the Multiple Virtual Storage (MVS) operating system and the Time-Sharing Option (TSO).
Configuration information will be entered into the TMS-D through a customized system of
interactive menus. The actual configuration must be entered for each DISN component.

The Configuration Management module of the TMS-D deals with configuration management
of DISN. This module allows a System Administrator to enter, display, or update data
configuration records. This tool also allows searches for network components that meet
certain characteristics, such as the generic type of a device, its location, status information
and other information stored in configuration records that constitute its configuration profile.

Configuration records represent each of the DISN components, such as routers,
Communication Servers, CSU/DSUs, and encryption devices in the system. Customized
menus are currently available to allow entering configuration information for routers and
multiplexers. Menu screens support entering other relevant DISN configuration information.
After configuration records are created for the hardware components, connections between
them can be defined. These interconnections can be designated as past (historical), current,
or future to reflect the historical changes that have occurred to the network and future plans
for installation of new equipment.

Since at the present time TMS-D is not a secure database, a major portion of the DISN
configuration information will be kept in NMS's and other secure areas under the control of
the ROSC NMC Security Manager. (TMS-D can be accessed via the DISA-LAN drop in the
NMC or via a 3270 session from a UNIX NMC host.)


15.2 Configuration Management Requirements

DISN configuration management will maintain the following information for each
multiplexer, router, CSU/DSU, Communication Server, encryption device, and NMS:

 Product description
 Vendor
 Product marketing identifier
 Hardware specific information
 Software specific information
 Supplier
 Means of delivery
 Date of delivery
 Date on which it was placed in operation
 Location at which it is installed
 Directly-connected components, to record the topology of each DISN network layer
 Individual(s) configuring and installing the equipment
 Detailed configuration information

15.3 Detailed Configuration Information

Configuration information associated with each DISN component varies according to the
type of the component. When available, checksums for the files that are critical to the
operation of each DISN network layer and its components will be maintained on an NMS to
ensure the integrity of configuration information.
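As an added example, not code from the original plan and not part of DISA's TMS-D or any NMS product, the following Python script shows one way a management host could implement the checksum practice described above and the backup-copy tracking of section 15.7: it records a digest for every configuration file and software image under a directory, stores the baseline in a manifest kept apart from the files, and on a later check reports which files were modified, removed, or added. The device names, file names, and file contents are constructed for illustration, and the choice of SHA-256 is an assumption, since the plan does not name an algorithm.

```python
"""Configuration-file integrity baseline (added illustration, not DISN/TMS-D code).

Records a SHA-256 digest for every file under a configuration root, stores the
baseline as a JSON manifest meant to live on the management host, and on
re-check reports files that were modified, removed, or added since the baseline.
"""
import hashlib
import json
import tempfile
import time
from pathlib import Path


def sha256_of_file(path: Path) -> str:
    """Hash in 64 KiB chunks so a large software image need not fit in memory."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_baseline(root: Path) -> dict:
    """Digest every regular file under root, keyed by POSIX-style relative path."""
    files = {}
    for path in sorted(p for p in root.rglob("*") if p.is_file()):
        files[path.relative_to(root).as_posix()] = sha256_of_file(path)
    # recorded_at answers "when was this baseline taken", the same kind of
    # record section 15.7 asks for about the last copy of a configuration file.
    return {"recorded_at": int(time.time()), "files": files}


def verify_baseline(root: Path, baseline: dict) -> dict:
    """Compare the tree under root against a stored baseline."""
    current = build_baseline(root)["files"]
    expected = baseline["files"]
    return {
        "modified": sorted(p for p in expected if p in current and current[p] != expected[p]),
        "missing": sorted(p for p in expected if p not in current),
        "added": sorted(p for p in current if p not in expected),
    }


def save_baseline(baseline: dict, manifest: Path) -> None:
    """Write the manifest; it belongs on the NMS, not on the devices it covers."""
    manifest.write_text(json.dumps(baseline, indent=2, sort_keys=True))


def load_baseline(manifest: Path) -> dict:
    return json.loads(manifest.read_text())


def demo() -> dict:
    """Constructed sample (hypothetical device names and contents, not real
    DISN data): baseline two files, then simulate an access-list change, a
    deleted software image, and a stray file, and return the check's report."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp) / "configs"
        manifest = Path(tmp) / "baseline.json"  # kept outside the tree it covers
        (root / "router-a").mkdir(parents=True)
        (root / "cs-1").mkdir(parents=True)
        startup = root / "router-a" / "startup-config"
        image = root / "cs-1" / "system-image.bin"
        startup.write_text("hostname router-a\naccess-list 101 deny ip any any\n")
        image.write_bytes(b"\x7fIMG" + bytes(range(64)))

        save_baseline(build_baseline(root), manifest)

        # Changes that the next check must surface.
        startup.write_text("hostname router-a\naccess-list 101 permit ip any any\n")
        image.unlink()
        (root / "router-a" / "notes.txt").write_text("scratch\n")

        return verify_baseline(root, load_baseline(manifest))


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The check should be run against a copy of the configuration pulled from the device (for example the backup retained at the ROSC, as section 15.7 requires) rather than against a digest the device reports about itself, so that a tampered component cannot vouch for its own configuration; and the manifest must sit on the NMS, where only the Security Manager can change it, or an intruder who can alter a configuration file can alter its recorded checksum as well.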

The following subsections list the minimum configuration information that will be
maintained for each type of component.

15.4 Routers

For routers, the following configuration information will be available:

 The Security Manager will retain, in a secure area, the user IDs and passwords assigned to
individuals who hold the highest privilege levels, since the loss of these credentials would
make the corresponding routers inaccessible.

 Community strings assigned to each community will be retained on an NMS.

 Network layer to which the router is connected will be retained on an NMS.

 Access list and filtering table restrictions assigned to each router will be maintained on an
NMS.


15.5 Network Management Systems

The User IDs and passwords for NMS's assigned to individuals who have the highest
privilege levels will be retained in a secure area by the security manager. The reason for this
is to prevent their loss, which would make the corresponding NMS inaccessible.

15.6 Encryption Devices

The configuration management databases associated with encryption devices will be
maintained in a secure area under the control of the ROSC NMC security manager.

15.7 Communication Servers

The DISN Network Management System will maintain a configuration database in the
Telecommunications Management System-DISN (TMS-D) identifying the Communication
Servers, the Communication Server ports, port configurations, and access lines. The DISN
Network Management System will coordinate its configuration database with other
administrative configuration databases for inventory control.

The configuration file in the Communication Server is initially set up with the global system
characteristics, such as the host name and password, system buffer size, boot file
specification, system security and system management configuration, network services,
console and virtual terminal lines configuration, protocol-specific configuration, etc. A
backup copy of the Communication Server System Configuration file and software image
will be kept in a network based host located at the ROSC.

The configuration management activities are as follows:

 Maintain and track inventories of Communication Server components at all locations.

 Collect and provide information, whenever needed, on current configuration/status.

 Perform software image installation and upgrades:
 - Configure a new Communication Server automatically and dynamically.
 - Load a System Image and Configuration file remotely from/to a trusted host
 (i.e., a Network Management Station).
 - Load a System Image and Configuration File from/to Flash Memory or from
 ROM.

 Make changes to the system configuration from nonvolatile memory or from a file on
 a trusted host.

 Report the last time that the configuration file was copied/changed from flash memory
 to the TFTP host and vice versa.

 Maintain a backup copy of the system image and configuration file.


16.0 Contingency Planning

OMB Circular No. A-130 (OMB, 1993) requires contingency plans to be developed to
establish policies and assign responsibilities for assuring that appropriate procedures are
developed and maintained to deal with contingencies affecting DISN components. The
purpose of these plans is to minimize the damage to the DISN computer facilities and
components caused by unexpected and undesirable events. Such plans will address planned
responses to disasters whether they are of minor or major magnitude. The goal of a
contingency plan is to provide for an orderly and timely recovery from interruptions of the
operations of critical DISN components and to prevent the loss of human life and valuable
computing components. The plan should identify what DISA organizations and personnel
will do before, during, and after an adverse event disrupts a mission-critical process at an
NMC or a remote site. Contingency plans will be developed to accomplish the following:

 Minimize the danger to personnel.

 Minimize the extent of the damage on DISN operations.

 Minimize economic impacts.

 Provide for recovery responses.

 Provide backup capabilities at all times.

 Provide procedures for recovering and restoring DISN operations.

 Provide training of personnel on the procedures for dealing with emergency situations
including initial response, recovery, restoration, and testing.

 Train personnel on evacuation procedures and use of emergency equipment. Provide for
facilitating access by uncleared rescue and emergency personnel.

The DISN contingency plan should provide for mitigation of the damaging consequences of
unexpected and undesirable events of whatever magnitude. Part of handling an incident is
being prepared to respond before the incident occurs. This includes establishing a suitable
level of protection so that, if the incident becomes severe, the damage that can occur is
limited. Protection includes preparing incident handling guidelines or a contingency
response plan for each component and site.

16.1 Contingency Plan Elements

The Contingency Plan elements should incorporate an Emergency Response Plan, a Backup
Operation Plan, a Restoration Action Plan, and a Test and Maintenance Plan.


16.1.1 Emergency Response Plan

This plan discusses the actions that are required to deal with the immediate aspects of an
incident in order to minimize damage caused by the incident. It should provide specific
instructions for rapidly responding to disruptive events that could cause serious damage to
DISN resources. The primary objective of this plan is to protect personnel from injury or
death. The secondary goal of this plan is to minimize and prevent, if possible, the damage to
DISN resources.

The plan will include several sections to address the following issues:

 A summary of emergency events and the types of consequences that they may have on
DISN resources and personnel.

 Activities and tasks that will be included in the plan for emergency response including
identification of the type of emergency, protection of personnel, suppressing the
emergency condition, notification of responsible authorities, and procedures for returning
to normal operation.

16.1.2 Backup Operation Plan

This plan covers the procedures that are used to enable continued processing of DISN when
some of the regular resources of DISN become inoperative. This plan will address
resumption of DISN operations based on using backup equipment at the same facility at
which an event has occurred or the use of redundant backup sites that can take over the
operation and function in a way that minimizes the disruption of DISN services.

16.1.3 Restoration Action Plan

This plan covers the actions that will be employed to repair and restore DISN resources and
facilities or to build a new facility to replace the destroyed resources. These actions will be
employed to restore DISN to its original or a new permanent configuration. The activities
will include cleanup and rebuilding activities to restore DISN to its new target configuration.

16.1.4 Test and Maintenance Plan

This plan will discuss the activities that will be used to test, maintain, and ensure that the
activities in the previous plans are realistic and adequate for each particular situation. The
plan will include sections to address development of testing exercises that simulate the actual
event, conducting of simulated tests, verifying the adequacy of planned mitigation procedures,
and training of responsible officers and users to become familiar with the procedures.


16.2 Required Procedures

The four plans constituting the DISN Contingency Plan will address detailed procedures
dealing with the protection of the following DISN sites:

 GOSC NMC
 ROSC NMC
 Remote router sites
 Remote multiplexer sites

Each plan will include procedures for dealing with different types of events. As a minimum,
the following events will be covered in these plans:

 Wars
 Bombs
 Fires
 Floods
 Earthquakes
 Unauthorized intrusion to DISN sites, network layers or components that may cause
denial of service
 Chemical and radioactive spillage, and industrial accidents

For each type of incident, the plan will describe the approach for evaluating the incident,
identifying the individuals involved, the notifications to be made, and the procedures for
responding to and recovering from the situation. Each of the following points is important and
should be addressed in an overall plan for handling incidents:

 Assuring integrity of DISN components and network layers, including network
management components.

 Maintaining and restoring data critical to the operation of DISN network layers.

 Maintaining and restoring DISN services.

 Determining the reasons for the occurrence of the incident and whether it was caused
intentionally or accidentally, to include false alarms.

 Containing the incident to stop escalation of the resulting damages.

 Identifying individuals involved and informing authorities to take necessary disciplinary
action.

It is important to prioritize the actions to be taken during an incident well in advance of the
time an incident occurs; otherwise, when an incident occurs, it may be impossible to react at
once and respond properly. The following is a suggested prioritization of actions that will be
performed when an incident occurs:

 Protection of human life

 Protection of classified and sensitive information

 Protection of other information, the loss of which may hamper the operation of
components and network layers

 Prevention of damage to DISN components that may result in extended down time and
costly recovery

17.0 Security Training

The objective of specialized training and the Security Training and Awareness program is to
make individuals working in the DISN NMCs aware of pertinent security regulations that
pertain to their assigned duties. Further, the individuals must be made aware of the standards
of conduct required of persons holding positions of trust. In this connection, individuals
must recognize and avoid the kind of personal behavior that would result in rendering one
ineligible for continued assignment in a position of trust.

The effectiveness of an individual in meeting security responsibilities is directly proportional
to the degree to which the individual understands them; thus, this understanding is essential
to the efficient functioning of any security program.

The DISN ISSO will establish procedures whereby personnel responsible for the
management, maintenance, and operation of DISN NMCs and other DISN components are
periodically briefed as to their roles and security responsibilities. In the event that system
administrators have a dual security and administration role, the system administrators will
receive specific security training related to their activities. The DISN ISSO will develop and
deliver training programs for Security Officers, Security Managers and system
administrators.

17.1 Security Training Program

The DISN Security Training and Awareness Program will, at a minimum, address the
following:

 Advise personnel of the adverse effects to national security that could result from
unauthorized disclosure of classified information that is within their knowledge,
possession, or control, and of their personal, moral, and legal responsibilities to protect
this classified information.


 Familiarize personnel with the security requirements, including the unique operating
system security characteristics of their particular assignments.

 Educate personnel on the techniques employed by foreign intelligence activities in


attempting to obtain classified information and their responsibility to report such
incidents.

 Advise personnel of the penalties for engaging in espionage activities.

 Educate personnel about threats, vulnerabilities, and risks associated with the NMCs and
the measures that should be taken to reduce them.

 Instruct NMC personnel that individuals having knowledge, possession, or control of
classified information must determine, before disseminating such information, that
prospective recipients have a need to know and that they have been cleared to the security
level of the information.

 Advise personnel of the requirement to immediately report matters such as deficiencies in
physical security, possible loss or compromise of classified information, and information
that could reflect adversely on the trustworthiness of an individual who has access to
classified information.

 Educate personnel about technological advances made in INFOSEC and its applications as
well as advances in possible hostile capabilities.

17.2 Initial Briefings

The ISSO will arrange for initial security briefings to personnel who have been granted
security clearances to work in the NMCs before they are actually given access to the NMCs.
This indoctrination will specifically address the security aspects of the new assignment. This
initial security briefing will be tailored to the needs of the cleared personnel by taking into
account their experience level in safeguarding classified information.

17.3 Refresher Briefings

The ISSO will establish a program to provide, at least once every six months, security
training for personnel having continued access to classified information. The refresher
training program will be tailored to provide effective education to experienced personnel by
taking into account the nature of their involvement with the Information Security Program.

17.4 Specific Assignment Security Training

Specific Assignment Training will be oriented towards network and operating system
vulnerabilities and the appropriate security mitigation measures. Individuals will receive
instruction on the security vulnerability test tools and audit tools available for their system,
the security policy associated with their system, and the configuration management techniques
used to maintain secure environments. The ISSO should also arrange to receive specific
training as appropriate.

17.5 Foreign Travel Briefings

The ISSO will establish a program to provide foreign travel security briefings to personnel
who are planning to travel to, or through, communist-controlled or other known adversarial
countries. Such briefings will be provided before travel takes place. The objective of these
briefings will be to alert the personnel to their possible exploitation and remind them of their
security responsibilities. On their return from foreign travel, personnel will be debriefed by
the assigned local security officer.



Glossary

ACC Access Control Center
A&E Allocation and Engineering
AHIP ARPANET Host Interface Protocol
AIS Automated Information Systems
ALGW Application Layer Gateway
AT&T American Telephone and Telegraph
AAF Army Air Field
ARP Address Resolution Protocol
ARPANET Advanced Research Projects Agency Network
ATM Asynchronous Transfer Mode
AUI Attachment Unit Interface

BFE Blacker Front End
BBN Bolt, Beranek and Newman
BI Background Investigation
BI/SBI Background Investigation and Special Background Investigation
BGP Border Gateway Protocol

C3I Command, Control, Communication and Intelligence
C&A Certification and Accreditation
CCITT Consultative Committee on International Telegraph and Telephone
CIO Central Imagery Office
CISS Center for Information Systems Security
CJCSI Chairman of the Joint Chiefs of Staff Instruction
CLNP Connectionless Network Protocol
CLNS Connectionless Network Service
CMIP Common Management Information Protocol
COMSEC Communications Security
COPS Computer Oracle and Password System
CONUS Continental United States
COTS Commercial Off-The-Shelf
CSS Central Security Service
CSU Channel Service Unit

DAA Designated Approving Authority
DAC Discretionary Access Control
DAO Department, Agency, Organization
DCC Defense Certification Office
DCE Data Communications Equipment
DCS Defense Communications System
DDN Defense Data Network
DEC Digital Equipment Corporation
DECCO Defense Commercial Communications Office
DIA Defense Intelligence Agency
DIS Defense Investigative Service
DISA Defense Information Systems Agency
DISN Defense Information System Network
DISO Defense Information System Organization
DMS Defense Message System
DNS Domain Name System
DOD Department of Defense
DSAWG DISN Security Accreditation Working Group
DSIR DCS Spain, Italy Reconfiguration
DSU Data Service Unit
DTE Data Terminal Equipment

E3 End-to-End Encryption
EKMS Electronic Key Management System
EGP Exterior Gateway Protocol
ES-IS End System to Intermediate System Protocol

FDDI Fiber Distributed Data Interface
FIPS Federal Information Processing Standards
FTP File Transfer Protocol
FTS2000 Federal Telecommunications System - 2000
FY Fiscal Year

GOSC Global Operations and Security Center
GCCS Global Command and Control System
GENSER General Service
GOSIP Government Open Systems Interconnection Profile
GSA General Services Administration

HDLC High-level Data Link Control

I&A Identification and Authentication
ICMP Internet Control Message Protocol
ID Identifier
IDNX Integrated Digital Network Exchange
IGP Interior Gateway Protocol
IGRP Interior Gateway Routing Protocol
IMC Integrated Management Center
INFOSEC Information Security
INMS Integrated Network Management System
IP Internet Protocol
IPC Information Processing Centers
ISDN Integrated Services Digital Network
IS-IS Intermediate System to Intermediate System Protocol
ISSO Information Systems Security Officer
IST Inter-Switch Trunk
ITSDN Integrated Tactical Strategic Data Networking
IRT Inter Router Trunk

JCS Joint Chiefs of Staff
JIEO Joint Interoperability Engineering Organization
JS Joint Staff

Kbps Kilobits per second
KG Key Generator (a military grade link encryption device)
KDC Key Distribution Center

LAN Local Area Network
LAPB Link Access Procedure, Balanced
LCC Local Control Center

MAC Mandatory Access Control
MAU Media Attachment Unit
Mbps Megabits per second
MILNET Military Network
MISSI Multilevel Information System Security Initiative
MLS Multi-Level Secure
MOA Memorandum of Agreement
MUX Multiplexer
MVS Multiple Virtual Storage

NCS National Communications System
NES Network Encryption System
NET Network Equipment Technologies
NIC Network Information Center
NIPRNET Unclassified but Sensitive Internet Protocol Router Network
NMC Network Management Center
NMS Network Management System
NOC Network Operation Center
NSA National Security Agency
NSO Network Security Officer

OCONUS Outside Continental United States
OSD Office of the Secretary of Defense
OSI Open Systems Interconnection
OSPF Open Shortest Path First

PCTN Pacific Consolidated Telecommunications Network
PDU Protocol Data Unit
PMO Program Management Office
POC Point of Contact
PPP Point-to-Point Protocol
PSN Packet Switch Node

ROSC Regional Operations and Security Center
RIP Routing Information Protocol
RO Read-Only
RW Read-and-Write

S/A Service and Agency (ies)
SACS Secure Access Control System
SCAP Security Connection Approval Process
SDLC Synchronous Data Link Control
SDNS Secure Data Network System
SIPRNET Secret Internet Protocol Router Network
SLIP Serial Line IP
SMC System Management Center
SMTP Simple Mail Transfer Protocol
SMUX Smart Multiplexer
SNMP Simple Network Management Protocol
SOP Standard Operating Procedure
SSC SIPRNET Support Center
STEP Standard Tactical Entry Point
STU III Secure Telephone Unit III
STU III/SACS Secure Telephone Unit III / Secure Access Control System

T1/E1 Transmission circuit operating at 1.544 Mbps (T1) or 2.048 Mbps (E1)
T3 Transmission circuit operating at 45.0 Mbps
TAC Terminal Access Controller
T&DE Test and Diagnostic Equipment
TCO Telecommunications Certification Office
TCP Transmission Control Protocol
TCSEC Trusted Computer System Evaluation Criteria
TFTP Trivial File Transfer Protocol
TMS-D Telecommunications Management System - DISN
TP4 OSI Transport Protocol Class 4 (Error Detection and Recovery Class)
TS Top Secret
TS/SCI Top Secret/Sensitive Compartmented Information
TSO Time Sharing Option

UBS Unclassified but Sensitive
UDP User Datagram Protocol
US United States

WESTHEM Western Hemisphere

Appendix A. Standard Operating Procedures

A.1 Router and NMC Host Password Maintenance

The following policy/practice is effective immediately until rescinded.
A. Passwords used for individual or general user accounts on ALL computer systems
residing in our monitoring centers will adhere to the following criteria:
1. All passwords will be regenerated every 90 calendar days.
2. All passwords will be changed immediately after the departure of personnel.
3. All passwords will be changed whenever any POSSIBLE compromise is suspected.
B. All department passwords will be generated, in a random fashion, by an approved
password generator residing on a "stand-alone" (non-networked) computer platform.
C. Each password generated must be a MINIMUM of 8 alphanumeric characters and must
not form a pronounceable word. Case sensitivity applies.
D. Passwords used on SIPRNET Hub routers will be stored in encrypted format, never as
clear text in the router configuration, to ensure an increased security posture.
E. Any listing of passwords will be kept under strict control 24 hours a day, 7 days a week.
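The following is an added example; it is not part of the SIPRNET plan and is not the
"approved password generator" the plan refers to, which the plan does not name. It checks
candidate passwords against items A.1 and C above, generates compliant ones from the
operating system's random source, and, as a caveat on item D, implements the public Cisco
IOS type 7 ("service password-encryption") algorithm to show that this format is a fixed-key
XOR and is reversible from the configuration: only a one-way hash such as "enable secret"
meets the intent of "encrypted format". The 90-day and 8-character values come from the
plan; the example dates and the sample string "cisco" are constructed for illustration.

```python
"""Added example (not from the SIPRNET plan): SOP A.1 password checks plus a
demonstration that Cisco IOS type 7 storage is reversible."""
import secrets
import string
from datetime import date, timedelta

MIN_LENGTH = 8        # item C: minimum of 8 alphanumeric characters
ROTATION_DAYS = 90    # item A.1: regenerate every 90 calendar days
ALPHABET = string.ascii_letters + string.digits


def meets_policy(pw: str) -> bool:
    """Item C: at least 8 ASCII alphanumerics, with lower, upper and digit present
    (case sensitivity is only worth anything if both cases actually occur)."""
    return (
        len(pw) >= MIN_LENGTH
        and pw.isascii() and pw.isalnum()
        and any(c.islower() for c in pw)
        and any(c.isupper() for c in pw)
        and any(c.isdigit() for c in pw)
    )


def generate_password(length: int = 12) -> str:
    """Random (hence non-dictionary, non-pronounceable) password drawn from the
    OS CSPRNG via `secrets`; redraws until every character class is present."""
    if length < MIN_LENGTH:
        raise ValueError(f"length must be at least {MIN_LENGTH}")
    while True:
        pw = "".join(secrets.choice(ALPHABET) for _ in range(length))
        if meets_policy(pw):
            return pw


def rotation_due(last_changed: str, today: str) -> bool:
    """Item A.1: True once a password is 90 or more calendar days old.
    Dates are ISO strings (YYYY-MM-DD)."""
    age = date.fromisoformat(today) - date.fromisoformat(last_changed)
    return age >= timedelta(days=ROTATION_DAYS)


# Cisco IOS type 7 ("service password-encryption"): two decimal digits give a
# start offset into a fixed key, then each password byte is XORed with the
# next key byte and written as hex. Anyone holding the config can reverse it.
_TYPE7_KEY = b"dsfd;kfoA,.iyewrkldJKDHSUBsgvca69834ncxv"


def type7_decode(encoded: str) -> str:
    """Recover the clear-text password from a type 7 string."""
    seed = int(encoded[:2])
    body = bytes.fromhex(encoded[2:])
    return "".join(
        chr(b ^ _TYPE7_KEY[(seed + i) % len(_TYPE7_KEY)]) for i, b in enumerate(body)
    )


def type7_encode(plain: str, seed: int = 9) -> str:
    """Produce the type 7 form of a password (same operation, run forward)."""
    out = [f"{seed:02d}"]
    for i, c in enumerate(plain.encode("ascii")):
        out.append(f"{c ^ _TYPE7_KEY[(seed + i) % len(_TYPE7_KEY)]:02X}")
    return "".join(out)


if __name__ == "__main__":
    pw = generate_password()
    print("generated:", pw, "meets policy:", meets_policy(pw))
    print("rotation due (2024-01-01 -> 2024-04-01):", rotation_due("2024-01-01", "2024-04-01"))
    enc = type7_encode("cisco")          # constructed sample, not a real credential
    print("type 7 of 'cisco':", enc, "-> decodes to:", type7_decode(enc))
```

The practical check for item D is therefore not "does the configuration show a hash-looking
string" but "was the value produced by a one-way function": a type 7 string recovered by
type7_decode above should be treated as a clear-text password for the purposes of item A.3.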

A.2 Maintenance of Traffic Filters on Routers

The following policy/practice is effective immediately until rescinded.
A. The purpose of the access lists described below is to provide some degree of network
and HUB router security on the SIPRNET.
1. Access List 19 - Allows SIPRNET access ONLY to sources in the 140.49.0.0 network
and to IGRP and OSPF routing protocol traffic.
2. Access List 1 - Allows only an NMC host Telnet access into a SIPRNET Hub router.
All others are denied access.
3. Access List 10 - Allows SNMP queries ONLY from an NMC host. All others are
denied.
4. Access List 13 - Allows the I-NET INMS host to perform SNMP queries.
5. Access List 101 - Filters inbound traffic to an NMC host system.
B. As other access lists are developed and deployed, this procedure will be updated to
reflect ALL current access lists active on the SIPRNET.
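The following is an added example, not part of the SIPRNET plan and not a DISA tool. It
models the source-address lists in A.2 (lists 19, 1 and 10) with Cisco standard access list
semantics, first match wins and an exhausted list is an implicit deny, so that the intent of a
list can be checked against probe addresses before it is pushed to a hub router. The
140.49.0.0 network comes from the plan; the NMC host address 140.49.1.10 is an assumed
placeholder. The last list shows the classic mistake of typing a subnet mask where a Cisco
wildcard mask belongs, which silently permits outside addresses and denies the NMC host.

```python
"""Added example (not from the SIPRNET plan): first-match evaluator for
Cisco-style standard access lists, used to audit the lists in SOP A.2."""
import ipaddress
from dataclasses import dataclass
from typing import List


@dataclass(frozen=True)
class Entry:
    action: str                 # "permit" or "deny"
    network: str                # dotted-quad base address
    wildcard: str = "0.0.0.0"   # Cisco wildcard: 0 bits must match, 1 bits are ignored

    def matches(self, src: str) -> bool:
        a = int(ipaddress.IPv4Address(src))
        n = int(ipaddress.IPv4Address(self.network))
        w = int(ipaddress.IPv4Address(self.wildcard))
        care = ~w & 0xFFFFFFFF   # bits the router actually compares
        return (a & care) == (n & care)


def evaluate(acl: List[Entry], src: str) -> str:
    """Walk the list in order; the first matching entry decides.
    A list with no matching entry denies (the implicit deny at the end)."""
    for e in acl:
        if e.matches(src):
            return e.action
    return "deny"


def audit(acl: List[Entry], should_permit: List[str], should_deny: List[str]) -> List[str]:
    """Return every probe address whose result disagrees with the stated intent."""
    wrong = [s for s in should_permit if evaluate(acl, s) != "permit"]
    wrong += [s for s in should_deny if evaluate(acl, s) != "deny"]
    return wrong


# Lists modelled on SOP A.2. NMC_HOST is an assumed placeholder address.
NMC_HOST = "140.49.1.10"
ACL_19 = [Entry("permit", "140.49.0.0", "0.0.255.255")]   # SIPRNET address space only
ACL_1 = [Entry("permit", NMC_HOST)]                        # vty (Telnet): NMC host only
ACL_10 = [Entry("permit", NMC_HOST)]                       # SNMP: NMC host only

# Failure mode: a subnet mask typed where a wildcard mask belongs. 255.255.0.0 as a
# wildcard ignores the first 16 bits and requires the last 16 to be zero, so this
# permits x.y.0.0 from anywhere and denies nearly all real SIPRNET hosts.
ACL_19_WRONG_MASK = [Entry("permit", "140.49.0.0", "255.255.0.0")]


if __name__ == "__main__":
    probes_in = ["140.49.1.10", "140.49.200.7"]
    probes_out = ["140.50.1.1", "10.0.0.0", "192.0.2.5"]
    print("ACL 19 mismatches:", audit(ACL_19, probes_in, probes_out))
    print("ACL 19 with subnet mask mismatches:", audit(ACL_19_WRONG_MASK, probes_in, probes_out))
    print("ACL 1 from a second NMC-range host:", evaluate(ACL_1, "140.49.1.11"))
```

Run as a script it prints an empty mismatch list for ACL 19 and a non-empty one for the
mis-typed mask; an audit like this belongs in the update step of item B, so that every list
added to a hub router is checked against the addresses it is meant to admit and reject.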
