Sunday, October 24, 2004
NMCI Runs Afoul Of DISA
In what can only be viewed as an effort to expand their empire, EDS and NMCI have been bragging about their efforts to utilize voice-over-IP technology to provide voice (telephone) service to their customers. NMCI has not yet convinced anyone that they are contractually entitled to take over traditional switched telephone service on Navy and Marine Corps facilities. VoIP offers them an avenue to carry voice services over their existing IP-based infrastructure.
Except for one problem. They might be breaking DoD regulations by doing it.

A Bit of Background

Voice-over-IP popularity exploded in 2002 or even earlier. Dozens of vendors offered hundreds of solutions from full-blown IP PBXs to desktop phones to box-to-box solutions. The salivating communications guru was greeted with nearly unlimited options to solve his voice requirements.

VoIP was an elegant solution for several reasons. It was designed from the ground up to interface with traditional analog and digital phone switches so the engineer could create hybrid systems. It was easy to encrypt as individual circuits or in bulk. It offered a scalable solution where hundreds of users could be carried on a single CAT-5 cable as opposed to the huge bundles of copper required for traditional phone systems. It was extremely efficient in terms of bandwidth usage not only because of the packetized nature but because it did away with the 64 kbps DS0 barrier. It allowed "toll skipping" which could potentially save thousands of dollars on long distance charges.

Yet VoIP was not without its drawbacks. In an organization as technically and geographically diverse as the DoD, there are bound to be incompatibilities between VoIP systems and traditional phone systems (or even other VoIP systems). This problem was not helped by the VoIP industry that -- like nearly every other standards-based organization in the world -- failed to agree on universal protocols and interfaces. There was also the question of security. Who was making sure that these new-fangled VoIP boxes hitting the market didn't have security flaws or even malicious back door compromises in them? This was certainly a large concern for any organization but especially the US Military.

A Big Hand of Guidance

Enter DISA. The Defense Information Systems Agency is tasked with ensuring Information Assurance within the DoD and has, for better or worse, built an empire controlling information and communications systems within the Department of Defense. Their charter is beyond the scope of this posting but their web site has lots of information.

In April 2004 the Field Security Operations Division of DISA released the Voice over Internet Protocol Security Technical Implementation Guide (VoIP STIG) which gives DoD facilities guidance and best practices for implementing VoIP. Of course the focus of this document is on security and Information Assurance. This document is based on the overarching principles and authority of DoD Directive 8500.1. The VoIP STIG does an excellent job of pointing out the vulnerabilities of VoIP (which will be left as an exercise for the reader) but more importantly identifies the urgent need for interoperability and security testing of any IP-based system. The need for this, especially in a command and control (C2) environment, should be self-evident.

Who does this interoperability and security testing? The Joint Interoperability Test Command out of Fort Huachuca, Arizona is the primary command currently allowed to "bless" these technical solutions. Simply put, if a VoIP solution has not been tested and approved by JITC, it is not supposed to be connected to a DoD phone network. And certainly not to a Defense Switched Network (DSN) backbone.

NMCI Says It Isn't Us

So who would dare violate a DISA directive? Who would subvert DoD 8500.1? Certainly not NMCI. Or would they? Apparently NMCI and possibly others have run afoul of the DISA directive because an April 2004 advisory from the Navy's Network Warfare Command (NETWARCOM), in cooperation with the Marine Corps Network Operations and Security Command (MCNOSC), notified several commands that they were in non-compliance with DISA directives. It states that at least 16 DoN commands have uncertified VoIP systems. This number resulted from a telephone switch inventory done as part of the National Defense Authorization Act FY2003 (Public Law 107-314). Although it does not state categorically that these non-certified systems are NMCI offspring, the advisory makes direct reference to the EDS VoIP solution and states that commands are not allowed to implement any VoIP solution without JITC certification.

It would be interesting to know how much JITC/DISA oversight was done on the VoIP solutions that NMCI is bragging about. Apparently it was not as complete as it should have been or NETWARCOM would not have felt the need to remind Navy and Marine Corps users of the certification and approval process. The rules are there for everyone. Capt. Chris Christopher, deputy Director of future operations for NMCI, has stated that making telephone calls over VoIP was "inevitable." Certainly it is. Let's just hope that NMCI is not usurping DISA in its effort to hasten the inevitable.
