UNCLASSIFIED

Joint Information Environment Management Network (JIE JMN)
David Hoon, DISA NetOps PMO Project Lead, JIE JMN Integrated Design Team Lead
14 May 2014

Slide 2: JIE JMN Overview
• The JIE JMN is the collection of systems and elements that enable the Enterprise Operations Center (EOC) components of the Joint Information Environment (JIE) to securely exercise Command and Control (C2) for their assigned Area of Support (AoS).
– It is organized around the following primary areas:
• JIE Management Network (JMN): Identifies the out-of-band (OOB) design principles and requirements for the implementation of the management network employed by the EOC in performing its mission operations.
• JIE User/Mission Network: Describes the specific needs of the JIE User/Mission Network by EOC personnel and discusses specific areas where logical and/or physical separation of management data and traffic may not be practical or cost effective in the conduct of EOC mission operations.
• JIE Enterprise Operations Support Systems (EOSS): Describes a framework that represents the collection of tools used by the EOC to operate and defend the portions of the JIE in its logical and/or geographic AoS. It includes the tools needed to perform DoDIN Operations and the portions of the DCO-IDM mission assigned to the EOC.

Slide 3: JMN OV-1 (figure)

Slide 4: JIE Management Network (JMN)
• A logically separated data communications network built using:
– Physically separated networking components within facility spaces
– Optically separated networking components for long-haul communications
• e.g., Multi-Protocol Label Switching Virtual Private Networks (MPLS VPNs) or Wavelength-Division Multiplexing (WDM) optical wavelengths
• The JMN is physically part of the JIE WAN architecture, which also includes the User/Mission Network and a Replication Network. However:
– It is a distinct Internet Protocol (IP) network from the user and replication networks
– It implements a separate, dedicated identity and access management solution, known as the JMN IdAM Solution (JIS)

Slide 5: JIE OOB (figure)

Slide 6: JMN Criticality Levels and Security Zones (figure)

Slide 7: JMN Traffic Segmentation

CL  JMN Zone                 JMN Zone Description
1   Critical Infrastructure  JIE WAN backbone infrastructure, PKI, DNS
1   Shared Tools             Services/tools shared for the management of the DoDIN (ticketing services, syslog, patch servers, HBSS)
1   Compute                  CDC and IPN servers and cloud platform services
2   CND                      Services used in support of network defense (e.g., IDS/IPS sensors, NetFlow sensors, firewalls, insider threat services)
2   Mobility                 Services used in support of mobility services
2   UC                       Services used in support of unified communications (e.g., collaboration, Voice over IP, streaming video)
2   Network Infrastructure   LAN infrastructure (e.g., routers, switches, Storage Area Networks)
3   Backup/Recovery          Services used to support data backups
3   Application              Cloud-hosted application servers, web servers
3   OS                       Workstations and cloud-hosted virtual servers
3   Peripherals              Printers and network scanners

Slide 8: JMN Traffic Segmentation Constraints
• CL1 (High)
– Management performed by strictly regulated personnel using the principle of least privilege via dedicated management terminals or workstations over a closed management network
• Data traffic is natively routed via encrypted communications across the JMN
• Remote access is expressly forbidden
• Management equipment is isolated from external network connectivity
• CL2 (Med) and CL3 (Low)
– Management performed by closely regulated personnel using trusted and secured GFE terminals or workstations
• CL2:
– Remote access is only permitted during transition to the JMN
– Sourced from within DoD network boundaries; no connectivity to production network(s)
• CL3:
– Sourced directly from the JMN, from sources within DoD network boundaries, or from authorized mission partners via authorized remote-access VPN services
– May have connectivity to production network(s) at equivalent levels of security protection
– Unclassified terminals and workstations may have connectivity to the Internet when not connected to the JMN

Slide 9: JIE User/Mission Network
• Accessibility of the JMN from the User/Mission Network
• Privileged users are dual-credentialed to both the User/Mission Network and the JMN to facilitate this capability
• Personas are managed and synchronized between parallel identity management and access control systems
• In-Band Management Scenarios
– Technical, temporal and/or financial limitation(s):
• Failure of local JMN infrastructure/network appliances
• Managed devices without a dedicated management port
• Managed devices for which a dedicated management port exists, but is connected to an existing management network
• Circumstances for which a connected facility has insufficient connectivity to dedicate bandwidth exclusively for management use

Slide 10: JIE Enterprise Operations Support System (EOSS)

Slide 11: JIE EOSS Overview
• The JIE Enterprise Operations Support System (EOSS) is a framework that represents the collection of tools used by the EOC to operate and defend the portions of the JIE in its AoS.

Slide 12: JIE EOSS Framework Organization
• The JIE EOSS framework depicts two overlapping functional areas and six layers to organize the lower-level systems and functions. The two functional areas are:
– DoDIN Operations: This area includes the tools necessary for the EOC to perform its responsibilities in DoDIN Operations, including designing, building, configuring, securing, operating, maintaining, and sustaining DoD networks to create and preserve information assurance on the DoDIN.
– DCO-IDM: This area includes the tools necessary for the EOC to perform its responsibilities in DCO-IDM, a subcomponent of Defensive Cyberspace Operations. This includes monitoring, detecting, characterizing, countering, and mitigating threats within the defended AoS.
• The following slides describe the systems and functions available within each of the six layers:
– Element Management Layer
– Service and Infrastructure Management Layer
– Business Service Management Layer
– DoDIN Security Monitoring and Management Layer
– Cyberspace Observation and Decision Support Layer
– Information Sharing and Presentation Layer

Slide 13: CSAAC (figure)

Slide 14: Data interface overview (figure). Recoverable labels from the diagram: ingest data to cloud, driven by operational requirements, with high-volume data flows (log, CSV, config, XML, performance, trouble tickets, text, PCAP metadata, raw alarms, intrusion data, processed data); collect, correlate and reduce (import/reduce stages, data mapping, Hadoop Distributed File System (HDFS) for data and analytics); consume, process and visualize (OWF environment, enterprise visualization based on area of interest, regional distribution, global access).

Slide 16: POC Information
POC: DISA NetOps PMO Project Lead
Email: [email protected]
Phone: 301-225-8642
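Added example, not part of the DISA briefing: a policy check that encodes the zone-to-criticality-level table from slide 7 and the per-CL constraints from slide 8, so that a proposed management session can be tested against them before it is permitted and every violated constraint is reported. The Session and Source model, the function names, the transition flag and the sample requests are assumptions of this example; the zone names, levels and constraint wording come from the slides. It goes slightly beyond the slides by evaluating a batch of requests at once, which is how an EOC would audit a set of proposed management paths.

```python
"""Management-session policy check modelled on the JMN traffic-segmentation slides.

Zone table and constraint wording follow the slides; the data model, function
names and sample data below are assumptions of this example, not DISA's code.
"""
from dataclasses import dataclass, field
from enum import Enum


class Source(Enum):
    """Where a management session originates (categories named on slide 8)."""
    JMN = "dedicated management terminal on the closed JMN"
    DOD_BOUNDARY = "source within DoD network boundaries"
    PARTNER_VPN = "authorized mission partner via authorized remote-access VPN"
    INTERNET = "Internet"


# Zone -> criticality level, transcribed from the slide 7 table.
ZONE_CL = {
    "Critical Infrastructure": 1, "Shared Tools": 1, "Compute": 1,
    "CND": 2, "Mobility": 2, "UC": 2, "Network Infrastructure": 2,
    "Backup/Recovery": 3, "Application": 3, "OS": 3, "Peripherals": 3,
}


@dataclass(frozen=True)
class Session:
    """Attributes of the managing terminal and its session (hypothetical model)."""
    source: Source
    remote_access: bool = False            # session traverses a remote-access service
    encrypted: bool = True                 # traffic is encrypted across the JMN
    production_connectivity: bool = False  # terminal also reaches production network(s)
    production_protection_equivalent: bool = False  # production net protected at an equivalent level
    internet_connectivity: bool = False    # terminal also reaches the Internet
    connected_to_jmn: bool = True          # terminal is currently connected to the JMN


@dataclass
class Decision:
    allowed: bool
    reasons: list = field(default_factory=list)


def criticality_level(zone: str) -> int:
    """Look up the CL of a JMN zone; an unknown zone raises KeyError rather than being guessed."""
    return ZONE_CL[zone]


def evaluate(zone: str, s: Session, jmn_transition: bool = False) -> Decision:
    """Apply the CL1/CL2/CL3 constraints from slide 8 to one session.

    All violated constraints are collected so the operator sees every reason,
    not only the first. jmn_transition marks the transition period during
    which CL2 remote access is tolerated.
    """
    cl = criticality_level(zone)
    reasons = []
    if cl == 1:
        if s.remote_access:
            reasons.append("CL1: remote access is expressly forbidden")
        if s.source is not Source.JMN:
            reasons.append("CL1: management only from dedicated terminals over the closed management network")
        if not s.encrypted:
            reasons.append("CL1: data traffic must be encrypted across the JMN")
        if s.internet_connectivity or s.production_connectivity:
            reasons.append("CL1: management equipment must be isolated from external connectivity")
    elif cl == 2:
        if s.remote_access and not jmn_transition:
            reasons.append("CL2: remote access only permitted during transition to the JMN")
        if s.source not in (Source.JMN, Source.DOD_BOUNDARY):
            reasons.append("CL2: session must be sourced from within DoD network boundaries")
        if s.production_connectivity:
            reasons.append("CL2: no connectivity to production network(s)")
    else:
        if s.source not in (Source.JMN, Source.DOD_BOUNDARY, Source.PARTNER_VPN):
            reasons.append("CL3: source must be the JMN, DoD boundaries or an authorized partner VPN")
        if s.production_connectivity and not s.production_protection_equivalent:
            reasons.append("CL3: production connectivity only at an equivalent level of security protection")
        if s.internet_connectivity and s.connected_to_jmn:
            reasons.append("CL3: Internet connectivity only when not connected to the JMN")
    return Decision(allowed=not reasons, reasons=reasons)


def audit(requests, jmn_transition: bool = False):
    """Evaluate (zone, Session) pairs and return the denied ones with their reasons."""
    denied = []
    for zone, s in requests:
        d = evaluate(zone, s, jmn_transition)
        if not d.allowed:
            denied.append((zone, d.reasons))
    return denied


if __name__ == "__main__":
    # Constructed sample requests, one or two per criticality level.
    sample = [
        ("Critical Infrastructure", Session(Source.JMN)),
        ("Critical Infrastructure", Session(Source.DOD_BOUNDARY, remote_access=True)),
        ("CND", Session(Source.DOD_BOUNDARY, remote_access=True)),
        ("Peripherals", Session(Source.PARTNER_VPN, remote_access=True, connected_to_jmn=False)),
    ]
    for zone, reasons in audit(sample):
        print(f"DENY {zone}: {'; '.join(reasons)}")
```

The check is deliberately a whitelist: a zone missing from the table raises rather than defaulting to the least restrictive level, and a session is allowed only when no constraint fires, so a new constraint added to the slides becomes one more append in the matching branch.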