
Oct 30, 2013 (3 years and 9 months ago)


IETV : INTEROPERABILITY EXPERIMENTATION, TESTING AND VALIDATION CAPABILITY

© NATO Consultation, Command and Control Agency, 2009. http://www.nc3a.nato.int

For additional information contact : ietv@nc3a.nato.int

Introduction and Objectives

How will the IETV be used during SFCE 09?

The IETV will be used to validate a nationally-provided (CIS) system (LCC-HQ-NRF-13 (GBR) and LCC-HQ-NRF-14 (DNK)) in support of NRF-13/14.

To resolve an outstanding IO issue implementing a deployable secure cross-domain gateway for MIP-DEM data function to allow automated information exchange between a national-secret system (provided by 1GNC) and the NATO secret system (JCOP), in compliance with applicable INFOSEC regulations.

To experiment a future interoperability enhancement, by testing Secure Voice Gateway between national-secret system (provided by 1GNC) and the NATO secret network.

To support the SFCE 09 test plan with automation of testing functions, allowing multiple tests to be conducted in few minutes, without operator’s involvement and with automated integration with SFCE 09 data base.

What is the IETV?


The IETV (Interoperability Experimentation, Testing and Validation) is a tool in support of (CIS) systems certification, interoperability enhancement and experimentation for multinational, NATO-led expeditionary operations.



Where is the IETV?

The IETV has a deployable footprint, which provides basic on-site (deployed) representative interfaces and gateways. It then connects through any WAN (NATO or not) to the static part of the IETV, which groups most NC3A test beds and laboratories.

What makes up the IETV?


The IETV Capability is made up of four essential components:

- Processes
- Supporting Documentation
- A (HW/SW) test bed
- Know-how

Which CIS functions does the IETV cover?

The IETV covers CIS interfaces (with the national systems), transmission, bandwidth management, voice/video/VTC services, information exchange, network services, core IS services, functional services, information assurance and management.

What can it be used for?

The IETV Capability can be used to:

- Validate nationally-provided CIS
- Support the Commander with the certification of the Unit
- Develop new applications and technologies
- Experiment and test new CIS concepts and applications


The IETV Architecture

A generic architecture based on a functional analysis. It comprises all relevant CIS functions in the Deployable CIS for a NATO expeditionary mission.

It allows maximum modularity and re-use of existing test beds and labs at NC3A. The modular design allows deploying only those elements which are essential to provide local, identical interfaces and services. This is called the deployable footprint of the IETV.

The most complex systems stay at the static part of the IETV, in The Hague, along with the on-site expertise and know-how. This optimizes availability of the test bed and reduces the cost of deployment. National facilities can join the IETV as needed.

In 2009, an extended (includes some information systems) deployable footprint of the IETV can be seen at the SFCE 09 Exercise.

[Figure: IETV architecture. Functional blocks: Core Services, Information Assurance, Information Exchange, Interfaces, Network Services, Voice/Video, Bandwidth Management, Transmission, Experiments. Labels: nationally-provided systems to validate, test and experiment; Deployable Point of Presence (dPoP); Interface with Nations Module (INM); Micro Information Systems Module (µISM); to static IETV core infrastructure at NC3A (The Hague).]


CIS Validation using the IETV

The CIS Validation process (left) starts from nationally assessed systems, and uses verification to determine compliance with NATO DCIS requirements. Results from verification are subject to a verification assessment process (right), which aims to explain what the interoperability issues are, how to mitigate them, and the consequences of not doing so.


The IETV in SFCE 09 (II: detailed view)


The IETV Automated Testing Tool (IATT)

What is the IATT?


The IETV Automated Testing Tool (IATT) provides the means to quickly verify a number of interoperability requirements in an automatic manner. This degree of automation allows conducting a large number of tests in a few minutes, and repeating those tests for different security domains and different units.

How does it work?

Two IATT nodes (master and slave) are connected at the user sides of two networks interconnected through a Service Interoperability Point (SIOP). Each node represents a different user community.

Automatic processes exercise multiple traffic types and services across the SIOP. Tests are done in accordance with outstanding interoperability criteria (NC3A TN-1174). Results are captured and reported back to the user.

Several CIS can be verified at the same time using only one master IATT node and several slave IATT nodes, one per CIS.

Which functionality is provided?

The IATT automatically verifies CIS interoperability for the following services:

- Transmission and communications: connectivity, routing, protocol/port/service filtering, NTP, DNS, FTP, etc.
- Core services, mail, web and secure web

How can nations use the IATT?

By using the IATT nations can quickly and inexpensively identify and resolve configuration issues that might impair interoperability at the application level. In particular, the IATT looks at the interconnection of NATO and Nation with special emphasis on firewall/gateway configuration, services configuration, routing capabilities or network/application protocols, to name a few.
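The kind of automated filtering check described above can be sketched as a test matrix that compares what a gateway is expected to permit with what a probe actually observes. This is an added example, not IATT code: the Check record, the function names and the loopback stand-in for the far network are assumptions, and only TCP reachability is covered.

```python
import socket
from dataclasses import dataclass

@dataclass
class Check:
    name: str          # label that ends up in the report
    host: str
    port: int
    expect_open: bool  # what the agreed filtering policy says should happen

def tcp_reachable(host, port, timeout=1.0):
    """True if a TCP handshake completes; False if refused, filtered or timed out."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False

def run_matrix(checks, probe=tcp_reachable):
    """Probe every entry and return one result record per check."""
    results = []
    for c in checks:
        observed = probe(c.host, c.port)
        results.append({
            "test": c.name, "target": f"{c.host}:{c.port}",
            "expected": "open" if c.expect_open else "blocked",
            "observed": "open" if observed else "blocked",
            "verdict": "PASS" if observed == c.expect_open else "FAIL",
        })
    return results

def demo():
    # Constructed stand-in for the far side of the gateway: a loopback listener
    # plays a permitted service, an unused loopback port plays a filtered one.
    with socket.create_server(("127.0.0.1", 0)) as srv:
        open_port = srv.getsockname()[1]
        with socket.socket() as tmp:  # bind, then release: nothing listens here
            tmp.bind(("127.0.0.1", 0))
            closed_port = tmp.getsockname()[1]
        return run_matrix([
            Check("web permitted", "127.0.0.1", open_port, True),
            Check("FTP filtered", "127.0.0.1", closed_port, False),
            Check("mail filtered", "127.0.0.1", open_port, False),  # misconfiguration
        ])

if __name__ == "__main__":
    for row in demo():
        print(row)
```

The third row fails because the policy expects the service to be blocked while the probe gets through, which is the kind of firewall/gateway misconfiguration the tool is meant to surface.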




The IETV Automated Testing Tool (IATT) - II

IATT in SFCE-09

The IATT automatically verifies CIS interoperability for the following services:

- Transmission and communications: connectivity, routing, protocol/port/service filtering, NTP, DNS, etc.
- Core services, mail, web and secure web

IATT will integrate the results of the automated test in the exercise data base.

IATT will be deployed during all the exercise in LCC-HQ-NRF-13/14, helping to resolve interoperability issues.






NC3A Experimentation Program of Work

IEG-Light Extension “MIP-DEM”

What is the MIP-DEM IEG-Light Extension?

The MIP-DEM IEG-Light Extension provides proxy functionality for the MIP-DEM protocol for interconnecting C2 applications across security domains (NATO Secret <-> National Secret).

How does it work?

The JCOP Layer Manager (LM) implementation is used as service proxy. All MIP-DEM information exchange is terminated and forwarded by the MIP-DEM IEG-Light Extension in both directions.

The contracts between the C2 applications on the different security domains are always created via the MIP-DEM Proxy located in the IEG-Light.

Which functionality is provided?

- Controlling the information flow between the security domains
- Ensuring the integrity of the MIP-DEM protocol


IEG-Light Voice-Gateway

What is the IVM?

The IEG-Light Voice Module (IVM) provides a secured voice gateway functionality between voice services of different security domains.

How does it work?

The IVM prototype is realized with single board computers (SBC), running the EAL4+ evaluated Linux operating system and the Asterisk soft switch software.

All VoIP traffic from one security domain is terminated at the IVM. All incoming calls are converted to ISDN (G.711) and forwarded over an ISDN E1 trunk. The outgoing traffic is transcoded to any required codec (G.726, G.729, G.711 etc.). Supported protocols for interconnecting to the IVM are SIP, IAX2 (IP trunking) and H.323.

Current IVM developments will allow recognising the contents and type of the traffic (Voice, FAX, Modem) as well as detecting hidden channels. Traffic will be controlled according to its contents.

Which functionality is provided?



- Access Control for security domain access
- LDAP / PIN / Calling Party number
- Limits the information exchange between security domains to voice/fax/modem services
- Codec and Protocol Conversion
- Content Scanning, control if voice, fax or modem signals are transported in the channels

[Figure: IVM between Security Domain A (e.g. NATO Secret) and Security Domain B (e.g. National Secret). Functions: Protocol Conversion, Access Control, Codec Conversion, Content Scanning. Interfaces: ISDN E1; IP (SIP/IAX2, H.323) on each side.]



NC3A Experimentation Program of Work

IEG-Light Extension “IEG-Light Voice Module”


What is the SVG?


The Secure Voice Gateway (SVG) is a tool designed to provide end-to-end secure voice services between networks using different voice and/or encryption technology (ISDN, POTS, VoIP, etc.).


How does it work?


The SVG prototype is built from two (a secure and a non-secure) PABX, which are connected via appropriate crypto devices. Currently, the two PABXs are realized with single board computers (SBC), running the EAL4+ evaluated Linux operating system and the Asterisk soft switch software.

Traffic from User A is encrypted (using User A specific cryptos) and tunneled through the NATO network towards the SVG. In the SVG the traffic is decrypted, encrypted (using the User B1 specific cryptos), switched and forwarded to User B1. Alternatively users on the red IP network (User B2) can reach users on the PSTN network (User A and B2) and vice versa.

The SVG currently supports the following interfaces: ISDN PRI, ISDN BRI, analogue and Ethernet.


Which functionality is provided?



- Secure voice services between participants using different media and voice encryption devices.
- Local and remote.
- Multiple parallel voice services.
- Open design for easy integration of additional crypto devices.




NC3A Experimentation Program of Work

Secure Voice Gateway




NC3A Experimentation Program of Work

NC3A - 1GNC Voice Experiment

What is the NC3A - 1GNC Voice Experiment about?

Interconnection of Secure Voice Services between 1GNC National Secret (IP based) and NATO Secret (ISDN based).

The security domains are separated by the IEG-Light with an IEG-Light Voice Module (IVM). The transition between Secure ISDN and Voice over Secure IP is done by the Secure Voice Gateway (SVG) developed by NC3A.


The IEG-Light (I)

What is the IEG-Light?

The Information Exchange Gateway (IEG) “Light” is a small, highly deployable and affordable module that provides secure gateway services between deployed NATO and a deployed national CIS of a NATO member nation.

How does it work?

The IEG-Light component filters all traffic from the nation in its router. The firewall directs all granted traffic to the proxy servers in the IEG-Light DMZ. All unwanted traffic is dropped. The proxies can be accessed from the NATO side. Therefore, no direct communication between the NS network and the national network is possible. All traffic is audited by the IDS.

The IVM prototype is realized with single board computers (SBC), running the EAL4+ evaluated Linux operating system and the Asterisk soft switch software.


Which functionality is provided?


The IEG-Light packet switched (PS) component is a secure interface between the NATO secret (NS) network and the national secret network. Services supported by the IEG-Light PS component are the core information services mail, web publishing and GAL synchronization.

For SFCE 09 new functionality provided inside the IEG-Light is FS support by the MIP-DEM extension and secure VoIP support by the IEG-Light Voice Module (IVM).
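The gateway property stated under "How does it work?" (granted traffic only reaches DMZ proxies, everything else is dropped, no direct NS/national path) can be checked mechanically against a rule set. The following is an added example, not IEG-Light configuration or code: the Rule format, the zone names and the service labels are assumptions, and both rule sets are constructed.

```python
from dataclasses import dataclass

# Services the page lists for the IEG-Light PS component (labels are assumed).
PROXIED = {"mail", "web", "gal-sync"}

@dataclass(frozen=True)
class Rule:
    src: str      # zone: "national", "dmz", "ns" or the wildcard "any"
    dst: str
    service: str
    action: str   # "allow" or "drop"

DEFAULT_DROP = Rule("any", "any", "any", "drop")

def covers(field, zone):
    """A rule field matches a zone if it names it or is the wildcard."""
    return field in (zone, "any")

def audit(rules):
    """Return findings; an empty list means the rule set keeps the invariant."""
    findings = []
    for n, r in enumerate(rules, 1):
        if r.action != "allow":
            continue
        direct = (covers(r.src, "national") and covers(r.dst, "ns")) or \
                 (covers(r.src, "ns") and covers(r.dst, "national"))
        if direct:  # wildcards count: "any -> ns" also admits the national side
            findings.append(f"rule {n}: direct {r.src}->{r.dst} path around the DMZ proxies")
        elif covers(r.dst, "dmz") and r.service not in PROXIED:
            findings.append(f"rule {n}: service '{r.service}' enters the DMZ but has no proxy")
    if not rules or rules[-1] != DEFAULT_DROP:
        findings.append("last rule is not a catch-all drop, so unwanted traffic is not dropped")
    return findings

# Constructed rule sets: GOOD keeps the invariant, BAD breaks it three ways.
GOOD = [Rule("national", "dmz", "mail", "allow"), Rule("national", "dmz", "web", "allow"),
        Rule("ns", "dmz", "mail", "allow"), Rule("ns", "dmz", "web", "allow"),
        Rule("ns", "dmz", "gal-sync", "allow"), DEFAULT_DROP]
BAD = [Rule("national", "dmz", "mail", "allow"), Rule("any", "ns", "web", "allow"),
       Rule("national", "dmz", "ftp", "allow")]

if __name__ == "__main__":
    print(audit(GOOD))
    for finding in audit(BAD):
        print(finding)
```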

[Figure: IEG-Light Specialized Module and IEG-Light Main Module]


The IEG-Light (II)

[Figures: Concept of Operation of the IEG-Light; IEG-Light Functional Architecture; IEG-Light Hardware Architecture; IEG-Light Software Architecture; IEG-Light (Remote) Management Interface; IEG-Light Main (bottom) and Specialized (top) Modules. Voice services labels: Access Control, Protocol Conversion, Codec Conversion, Content Scanning.]


Example of IETV CIS Verification Results



Objectives of the 2009 SFCE IETV campaign

Primary objectives:

- Test and validate nationally provided CIS (LCC-HQ-NRF-13-GBR)
- Test and validate nationally provided CIS (LCC-HQ-NRF-14-DNK)
- Test interoperability between NATO C2/FS and National C2/FS
- Test cross-domain data and voice exchange mechanism
- Identification (resolution) of interoperability issues

Other objectives:

- Experiment the IETV Automated Testing Tool (IATT)
- Experiment NATO gateways for national MIP-DEM traffic
- Support national experiment with IETV (NRDC-SP-JCOP-XML)
- Demonstrate NATO gateways for FS traffic
- Demonstrate “zero-configuration” model for national CIS provision