IETV: Interoperability Experimentation, Testing and Validation Capability
© NATO Consultation, Command and Control Agency, 2009. http://www.nc3a.nato.int
For additional information contact: ietv@nc3a.nato.int
Introduction and Objectives
How will the IETV be used during SFCE 09?
The IETV will be used to validate nationally-provided (CIS) systems (LCC-HQ-NRF-13 (GBR) and LCC-HQ-NRF-14 (DNK)) in support of NRF-13/14.
To resolve an outstanding IO issue by implementing a deployable secure cross-domain gateway for the MIP-DEM data function, to allow automated information exchange between a national-secret system (provided by 1GNC) and the NATO secret system (JCOP), in compliance with applicable INFOSEC regulations.
To experiment with a future interoperability enhancement, by testing the Secure Voice Gateway between a national-secret system (provided by 1GNC) and the NATO secret network.
To support the SFCE 09 test plan with automation of testing functions, allowing multiple tests to be conducted in a few minutes, without operator involvement and with automated integration with the SFCE 09 database.
What is the IETV?
The IETV (Interoperability Experimentation, Testing and Validation) is a tool in support of (CIS) systems certification, interoperability enhancement and experimentation for multinational, NATO-led expeditionary operations.
Where is the IETV?
The IETV has a deployable footprint, which provides basic on-site (deployed) representative interfaces and gateways. It then connects through any WAN (NATO or not) to the static part of the IETV, which groups most NC3A test beds and laboratories.
What makes up the IETV?
The IETV Capability is made up of four essential components:
- Processes
- Supporting Documentation
- A (HW/SW) test bed
- Know-how
Which CIS functions does the IETV cover?
The IETV covers CIS interfaces (with the national systems), transmission, bandwidth management, voice/video/VTC services, information exchange, network services, core IS services, functional services, information assurance and management.
What can it be used for?
The IETV Capability can be used to:
- Validate nationally-provided CIS
- Support the Commander with the certification of the Unit
- Develop new applications and technologies
- Experiment and test new CIS concepts and applications
The IETV Architecture
A generic architecture based on a functional analysis.
Comprises all relevant CIS functions in the Deployable CIS for a NATO expeditionary mission.
Allows maximum modularity and re-use of existing test beds and labs at NC3A.
The modular design allows deploying only those elements which are essential to provide local, identical interfaces and services. This is called the deployable footprint of the IETV.
The most complex systems stay at the static part of the IETV, in The Hague, along with the on-site expertise and know-how. This optimizes availability of the test bed and reduces the cost of deployment.
National facilities can join the IETV as needed.
In 2009, an extended deployable footprint of the IETV (one that includes some information systems) can be seen at the SFCE 09 exercise.
[Figure: IETV architecture. Functional blocks: Core Services, Information Assurance, Information Exchange, Interfaces, Network Services, Voice/Video, Bandwidth Management, Transmission, Experiments. Other labels: Nationally-provided systems to validate, test and experiment; Deployable Point of Presence (dPoP); Interface with Nations Module (INM); Micro Information Systems Module (µISM); To static IETV core infrastructure at NC3A (The Hague).]
CIS Validation using the IETV
The CIS Validation process (left) starts from nationally assessed systems, and uses verification to determine compliance with NATO DCIS requirements. Results from verification are subject to a verification assessment process (right), which aims to explain what the interoperability issues are, how to mitigate them, and the consequences of not doing so.
The IETV in SFCE 09 (II: detailed view)
The IETV Automated Testing Tool (IATT)
What is the IATT?
The IETV Automated Testing Tool (IATT) provides the means to quickly verify a number of interoperability requirements in an automatic manner. This degree of automation allows conducting a large number of tests in a few minutes, and repeating those tests for different security domains and different units.
How does it work?
Two IATT nodes (master and slave) are connected at the user sides of two networks interconnected through a Service Interoperability Point (SIOP). Each node represents a different user community. Automatic processes exercise multiple traffic types and services across the SIOP. Tests are done in accordance with outstanding interoperability criteria (NC3A TN-1174). Results are captured and reported back to the user.
Several CIS can be verified at the same time using only one master IATT node and several slave IATT nodes, one per CIS.
Which functionality is provided?
The IATT automatically verifies CIS interoperability for the following services:
• Transmission and communications: connectivity, routing, protocol/port/service filtering, NTP, DNS, FTP, etc.
• Core services, mail, web and secure web
How can nations use the IATT?
By using the IATT, nations can quickly and inexpensively identify and resolve configuration issues that might impair interoperability at the application level. In particular, the IATT looks at the interconnection of NATO and the nation, with special emphasis on firewall/gateway configuration, services configuration, routing capabilities or network/application protocols, to name a few.
The IETV Automated Testing Tool (IATT) - II
IATT in SFCE-09
The IATT automatically verifies CIS interoperability for the following services:
• Transmission and communications: connectivity, routing, protocol/port/service filtering, NTP, DNS, etc.
• Core services, mail, web and secure web
The IATT will integrate the results of the automated tests into the exercise database.
The IATT will be deployed throughout the exercise in LCC-HQ-NRF-13/14, helping to resolve interoperability issues.
NC3A Experimentation Program of Work
IEG-Light Extension “MIP-DEM”
What is the MIP-DEM IEG-Light Extension?
The MIP-DEM IEG-Light Extension provides proxy functionality for the MIP-DEM protocol for interconnecting C2 applications across security domains (NATO Secret <-> National Secret).
How does it work?
The JCOP Layer Manager (LM) implementation is used as the service proxy. All MIP-DEM information exchange is terminated and forwarded by the MIP-DEM IEG-Light Extension in both directions. The contracts between the C2 applications on the different security domains are always created via the MIP-DEM Proxy located in the IEG-Light.
Which functionality is provided?
• Controlling the information flow between the security domains
• Ensuring the integrity of the MIP-DEM protocol
IEG-Light Voice-Gateway
What is the IVM?
The IEG-Light Voice Module (IVM) provides a secured voice gateway functionality between voice services of different security domains.
How does it work?
The IVM prototype is realized with single board computers (SBC), running the EAL4+ evaluated Linux operating system and the Asterisk soft switch software. All VoIP traffic from one security domain is terminated at the IVM. All incoming calls are converted to ISDN (G.711) and forwarded over an ISDN E1 trunk. The outgoing traffic is transcoded to any required codec (G.726, G.729, G.711 etc.). Supported protocols for interconnecting to the IVM are SIP, IAX2 (IP trunking) and H.323.
Current IVM developments will make it possible to recognise the content and type of the traffic (voice, fax, modem) as well as to detect hidden channels. Traffic will be controlled according to its content.
Which functionality is provided?
• Access Control for security domain access – LDAP / PIN / Calling Party number
• Limits the information exchange between security domains to voice/fax/modem services
• Codec and Protocol Conversion
• Content Scanning, control if voice, fax or modem signals are transported in the channels
[Figure: IVM between Security Domain A (e.g. NATO Secret) and Security Domain B (e.g. National Secret). Labels: Protocol Conversion; Access Control; Codec Conversion; Content Scanning; ISDN E1; IP SIP/IAX2 H.323 (on each side).]
NC3A Experimentation Program of Work
IEG-Light Extension “IEG-Light Voice Module”
What is the SVG?
The Secure Voice Gateway (SVG) is a tool designed to provide end-to-end secure voice services between networks using different voice and/or encryption technology (ISDN, POTS, VoIP, etc.).
How does it work?
The SVG prototype is built from two PABXs (a secure and a non-secure one), which are connected via appropriate crypto devices. Currently, the two PABXs are realized with single board computers (SBC), running the EAL4+ evaluated Linux operating system and the Asterisk soft switch software.
Traffic from User A is encrypted (using User A specific cryptos) and tunnelled through the NATO network towards the SVG. In the SVG the traffic is decrypted, encrypted (using the User B1 specific cryptos), switched and forwarded to User B1. Alternatively, users on the red IP network (User B2) can reach users on the PSTN network (User A and B2) and vice versa.
The SVG currently supports the following interfaces: ISDN PRI, ISDN BRI, analogue and Ethernet.
Which functionality is provided?
• Secure voice services between participants using different media and voice encryption devices.
• Local and remote.
• Multiple parallel voice services.
• Open design for easy integration of additional crypto devices.
NC3A Experimentation Program of Work
Secure Voice Gateway
NC3A Experimentation Program of Work
NC3A – 1GNC Voice Experiment
What is the NC3A – 1GNC Voice Experiment about?
Interconnection of Secure Voice Services between 1GNC National Secret (IP based) and NATO Secret (ISDN based).
The security domains are separated by the IEG-Light with an IEG-Light Voice Module (IVM). The transition between Secure ISDN and Voice over Secure IP is done by the Secure Voice Gateway (SVG) developed by NC3A.
The IEG-Light (I)
What is the IEG-Light?
The Information Exchange Gateway (IEG) “Light” is a small, highly deployable and affordable module that provides secure gateway services between deployed NATO and a deployed national CIS of a NATO member nation.
How does it work?
The IEG-Light component filters all traffic from the nation in its router. The firewall directs all granted traffic to the proxy servers in the IEG-Light DMZ; all unwanted traffic is dropped. The proxies can be accessed from the NATO side. Therefore, no direct communication between the NS network and the national network is possible. All traffic is audited by the IDS.
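
The rule this paragraph describes (granted traffic reaches only the DMZ proxies, nothing passes directly between the national and NS networks, everything else is dropped) can be checked mechanically against a rule table. The following Python is an added example, not NC3A or IEG-Light code; the zone names, rule fields, service labels and sample rule sets are assumptions constructed for illustration.

```python
from dataclasses import dataclass

# Labels for the services the page lists for the IEG-Light PS component
# (mail, web publishing, GAL synchronization); the label strings are assumed.
PROXIED = {"mail", "web", "gal-sync"}

@dataclass(frozen=True)
class Rule:
    src: str      # "national", "dmz", "ns" or "any"
    dst: str      # same zone vocabulary as src
    service: str  # a label from PROXIED, or "any"
    action: str   # "allow" or "drop"

def covers(rule_zone, zone):
    """True if a rule's zone field matches the given zone (wildcard aware)."""
    return rule_zone in ("any", zone)

def audit(rules):
    """Conservative audit: every allow rule is checked, shadowed or not."""
    findings = []
    for i, r in enumerate(rules):
        if r.action != "allow":
            continue
        direct = (covers(r.src, "national") and covers(r.dst, "ns")) or \
                 (covers(r.src, "ns") and covers(r.dst, "national"))
        if direct:
            findings.append((i, "direct national<->NS flow bypasses the DMZ proxies"))
        elif r.service not in PROXIED:
            findings.append((i, "allowed service has no DMZ proxy: " + r.service))
    # Unwanted traffic must be dropped: require an explicit final drop-all.
    if not rules or rules[-1] != Rule("any", "any", "any", "drop"):
        findings.append((len(rules), "missing final drop-all rule"))
    return findings

# Constructed rule sets, not taken from any real IEG-Light configuration.
GOOD = [
    Rule("national", "dmz", "mail", "allow"),
    Rule("national", "dmz", "web", "allow"),
    Rule("ns", "dmz", "mail", "allow"),
    Rule("ns", "dmz", "gal-sync", "allow"),
    Rule("any", "any", "any", "drop"),
]
BAD = [
    Rule("national", "dmz", "mail", "allow"),
    Rule("national", "ns", "web", "allow"),   # direct cross-domain flow
    Rule("national", "dmz", "any", "allow"),  # unproxied services let through
    Rule("any", "any", "any", "allow"),       # wildcard also covers national->ns
]

if __name__ == "__main__":
    for name, rs in (("GOOD", GOOD), ("BAD", BAD)):
        print(name, audit(rs))
```
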
The IVM prototype is realized with single board computers (SBC), running the EAL4+ evaluated Linux operating system and the Asterisk soft switch software.
Which functionality is provided?
The IEG-Light packet switched (PS) component is a secure interface between the NATO secret (NS) network and the national secret network. Services supported by the IEG-Light PS component are the core information services mail, web publishing and GAL synchronization.
For SFCE 09, new functionality provided inside the IEG-Light is FS support by the MIP-DEM extension and secure VoIP support by the IEG-Light Voice Module (IVM).
[Figure labels: IEG-Light Specialized Module; IEG-Light Main Module]
The IEG-Light (II)
[Figures: Concept of Operation of the IEG-Light; IEG-Light Functional Architecture; IEG-Light Hardware Architecture; IEG-Light Software Architecture; IEG-Light (Remote) Management Interface; IEG-Light Main (bottom) and Specialized (top) Modules. Diagram labels: Voice Services; Access Control; Protocol Conversion; Codec Conversion; Content Scanning.]
Example of IETV CIS Verification Results
Objectives of the 2009 SFCE IETV campaign
• Primary objectives:
  • Test and validate nationally provided CIS (LCC-HQ-NRF-13-GBR)
  • Test and validate nationally provided CIS (LCC-HQ-NRF-14-DNK)
  • Test interoperability between NATO C2/FS and National C2/FS
  • Test cross-domain data and voice exchange mechanism
  • Identification (resolution) of interoperability issues
• Other objectives:
  • Experiment the IETV Automated Testing Tool (IATT)
  • Experiment NATO gateways for national MIP-DEM traffic
  • Support national experiment with IETV (NRDC-SP-JCOP-XML)
  • Demonstrate NATO gateways for FS traffic
  • Demonstrate “zero-configuration” model for national CIS provision