Joint Cross Domain eXchange (JCDX): Integrating Multilevel Command and Control into a Service Oriented Architecture to Provide Cross Domain Capability


An Accredited Approach to Cross Domain Information Sharing
Presented by: Christopher J Raney, SSC San Diego

UNCLASSIFIED

Multi-Level Secure (MLS)
- MLS labels every file at the appropriate security level
- Labeled files are only accessible to users with the proper security clearance
- The labeled files are compared to the user's credentials, and access is only given at their appropriate level
- CMW: Compartmented Mode Workstation. The core operating system of an MLS system.

Multiple Security Levels (MSL) Challenges
- Multiple Security Levels (MSL): a conglomeration of single-level workstations/servers used to provide information for analysis
- Information is passed between the two systems utilizing security guards, which strip valuable intelligence data from remarks lines
- With an MLS solution such as JCDX, only a single system requires management; MSL environments require, at a minimum, a separate system per security level
- MSL should not be confused with MLS: Multiple Security Levels are limited to separate application displays, and downgrading of information can result in loss of valuable data

What is JCDX today?
- A certified, operational, multi-level secure (MLS), PL4, all-source data management, display, fusion processing and near real-time dissemination capable system
- JCDX labels incoming data (tracks / messages / other products) from multiple sources / classification levels, manages that data (correlation, manipulation) and transmits data out to multiple sources at multiple classification levels
[Diagram: External Data Inputs (manual, legacy serial interfaces, legacy interfaces, Network A / Network B / Network C) feeding Multilevel Labeled Databases & Processing]

Cross Domain Solution Architectures
[Diagram: generic architectures today. Multiple Security Levels (MSL): a high-side network (High COP, "other" data) and a low-side network (Low COP, "other" data) connected through a network guard, a synchronization tool and a data sanitizer. Multi-Level Security (MLS), JCDX pre-SOA: a single COP with MLS correlation on true MLS workstations serving high, low and "other" networks; no guard, security is inherent within the system]

JCDX Architecture with SOA Extensions
- No guard; security is inherent within the system
[Diagram: a JCDX MLS Server exposing CDS Services to clients on different WANs. High-side Web Service Gateway: query the message and intel product archive; profile the message and intel product archive for updates; post data for collaboration between security domains. Low-side Web Service Gateway: receive tracks for display. Coalition WANs (Coalition, NATO) are served through a Web Application Server]
PROS:
- Clients only access content releasable to their domain (Mandatory Access Control)
- Data producers only need to "Post Once" for data to be available to all applicable domains
- No unnecessary data loss from sanitizers

SOA Architecture
[Diagram: Federated Search, Apps and a Web Provider layered over an Adjudication Server, an MLS Store and JCDX Services running on a Trusted O/S]

JCDX Web Services
- Classification Policy Decision Service (cPDS): provides other systems with methods for handling labeled data, such as label comparison
- Federated Search Provider: allows users and applications to search multilevel data stores from single-level networks and provides a "read down" capability to all lower-level domains

cPDS clearance-based authentication
- Current NCES Security Services only implement role-based access control
- First attempt to authorize the user via NCES RBAC, and then attempt to authorize the user's clearance via JCDX cPDS

Other cPDS methods
- isValid: takes a classification and returns whether the classification is valid
- getRelationship: takes two arguments, a Subject Clearance and an Object Classification, and returns the relationship. The relationship can be one of the following: Subject Strictly Dominates, Equal, Object Strictly Dominates, and Incomparable
- getAggregateClassification: takes a list of classifications and produces a classification that is the 'sum' of the arguments (e.g. getAggregateClassification 'SECRET REL GBR' 'SECRET' 'UNCLASSIFIED' yields 'SECRET')
- getGroupClearance: takes a list of user clearances and produces a group clearance. This group clearance is the highest classification that can be read by all of the users in the group
- isReleasableTo: takes a data classification and a list of clearances and determines whether the data can be released to all of the users whose clearances were used as arguments
- canReceive: takes a user clearance and a list of data classifications and determines whether the user can see all of the data whose classifications were used as arguments
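The cPDS methods above are the standard operations of a label lattice: dominance comparison, least upper bound (aggregate) and greatest lower bound (group clearance). The following is an added example, not JCDX or cPDS code, that models them on a toy lattice of level plus REL caveat; the label grammar, the home-nation (USA) assumption and the level names are assumptions of the example, chosen so that the slide's aggregate of 'SECRET REL GBR', 'SECRET' and 'UNCLASSIFIED' yields 'SECRET'.

```python
# Added example, not JCDX code: a toy label lattice modelling the cPDS methods.
# A label is "LEVEL" or "LEVEL REL A,B". Assumed: unmarked labels are releasable
# only to USA, REL lists implicitly include USA, higher level / fewer nations = more restrictive.
LEVELS = ["UNCLASSIFIED", "CONFIDENTIAL", "SECRET", "TOP SECRET"]
HOME = "USA"

def parse(label):
    """Return (level_index, frozenset of nations); raise ValueError if invalid."""
    head, _, rel = label.strip().partition(" REL ")
    if head not in LEVELS:
        raise ValueError("invalid classification: %r" % label)
    nations = {n.strip() for n in rel.split(",") if n.strip()}
    return LEVELS.index(head), frozenset(nations | {HOME})

def is_valid(label):
    return label.strip().partition(" REL ")[0] in LEVELS

def dominates(a, b):
    """a is at least as restrictive as b: level >= and releasable to a subset."""
    return a[0] >= b[0] and a[1] <= b[1]

def fmt(level, nations):
    others = sorted(nations - {HOME})
    return LEVELS[level] + (" REL " + ",".join(others) if others else "")

def get_relationship(subject_clearance, object_classification):
    s, o = parse(subject_clearance), parse(object_classification)
    s_dom, o_dom = dominates(s, o), dominates(o, s)
    if s_dom and o_dom:
        return "Equal"
    return ("Subject Strictly Dominates" if s_dom else
            "Object Strictly Dominates" if o_dom else "Incomparable")

def get_aggregate_classification(*labels):
    """Least upper bound: highest level, only nations common to every label."""
    parsed = [parse(l) for l in labels]
    return fmt(max(p[0] for p in parsed), frozenset.intersection(*(p[1] for p in parsed)))

def get_group_clearance(*clearances):
    """Greatest lower bound: the highest label every member of the group can read."""
    parsed = [parse(c) for c in clearances]
    return fmt(min(p[0] for p in parsed), frozenset.union(*(p[1] for p in parsed)))

def is_releasable_to(data_classification, clearances):
    data = parse(data_classification)
    return all(dominates(parse(c), data) for c in clearances)

def can_receive(clearance, data_classifications):
    user = parse(clearance)
    return all(dominates(user, parse(d)) for d in data_classifications)
```

Note that 'SECRET REL GBR' and 'CONFIDENTIAL' come out Incomparable: the first is higher but releasable more widely, which is exactly the case a plain level comparison would get wrong.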

Federated Search Provider
- Allows searching of the JCDX MLS PL4 data repository through a Web Service
- Authenticates the search request via NCES and cPDS and then returns messages at the appropriate classification (including "read-down")

Applying JCDX Design Approach to Achieve Enterprise Wide CDS Capability
[Diagram, simplified for illustrative purposes: a LEVEL 4 client and a LEVEL 3 client connect over TCP to a trusted server holding MLS labeled data, with a data formatter, a search engine and a privileged process; coalition clients are served the same way]

Other Critical Pieces (Future Work)
- Trusted Editor
- Trust Service
- Labeling Service
- Accreditation / Policy Changes

Trusted Editor
- Content producers need a method to produce labeled content
  - Must be able to "trust" the label
- Unreasonable to expect all users to have MLS clients
  - Microsoft Windows has a very low "trust" level

Trust Service
- Transferring labeled data between two systems must involve a trusted interaction
- In non-SOA systems these trust relationships are statically defined
- SOA needs an automated method to determine which services on the network are trusted
- A trust service could be queried to determine the level of trust that a given service/system has

Labeling Service
- Must be able to transition unlabeled content into labeled content
- The labeling service would provide an interface to allow the submission of content for labeling
  - assign a security label to the content based on a pre-defined ruleset
  - then "sign" the associated label to allow other services to verify the given label
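The two steps above (rule-based label assignment, then a signed label that binds the label to the content so another service can verify it) as an added example; this is not JCDX code. The rule set, the content markers and the use of an HMAC under a key held only by the labeling service are assumptions standing in for a real policy and a real digital signature.

```python
# Added example, not JCDX code: a minimal labeling service as sketched above.
# Assumed: a rule set keyed on marker strings in the content, and an HMAC under a
# key held only by the labeling service standing in for a real signature.
import hmac, hashlib, json

# Constructed rule set: most restrictive rule listed first, first match wins.
RULES = [
    ("ORCON-SOURCE", "TOP SECRET"),
    ("FLEET DISPOSITION", "SECRET"),
    ("EXERCISE", "CONFIDENTIAL"),
]
DEFAULT_LABEL = "UNCLASSIFIED"
SERVICE_KEY = b"labeling-service-demo-key"  # constructed demo key

def assign_label(content):
    """Apply the pre-defined ruleset to unlabeled content."""
    upper = content.upper()
    for marker, label in RULES:
        if marker in upper:
            return label
    return DEFAULT_LABEL

def sign(label, content, key=SERVICE_KEY):
    """Tag covers label AND a content digest, so neither can be swapped unnoticed."""
    digest = hashlib.sha256(content.encode()).hexdigest()
    msg = json.dumps({"label": label, "sha256": digest}, sort_keys=True).encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()

def label_content(content):
    """What the labeling service hands back to the submitter."""
    label = assign_label(content)
    return {"label": label, "content": content, "sig": sign(label, content)}

def verify(labeled, key=SERVICE_KEY):
    """Another service recomputes the tag before trusting the label."""
    expected = sign(labeled["label"], labeled["content"], key)
    return hmac.compare_digest(expected, labeled["sig"])
```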

Summary
- JCDX has begun to bridge the gap between traditional MLS systems and SOA and has developed an architecture that can be applied to other MLS systems
- JCDX Web Service Gateways can be used to extend MLS capabilities to single-level clients
- Extending MLS systems to a SOA enables coalition operations

Points of Contact
- PEO C4I PMW160: CDR Wayne Slocum, 619-524-7511, Wayne.slocum@navy.mil
- PEO C4I PMW160 APM: Maureen Myer, 619-553-9748, Penney.myer@navy.mil
- PEO C4I PMW160 Chief Engineer: Robert ...
- Chief Engineer: Paul Kennedy, 619-553-9541, Paul.kennedy@navy.mil
- JCDX Chief Scientist: Chris J. ...
- C4I FMS Case Manager: Steve ...
