JCALS turns to VPNs as way to serve remote users

Challenged with providing secure transmission among more than 240 Joint Continuous
Acquisition and Lifecycle Support WAN sites, JCALS prime contractor Computer Sciences
Corp. investigated the types of virtual private networks available.


JCALS was established jointly by the Defense Department and the Defense Logistics
Agency in 1991 to link disparate automated systems at military sites across the United
States through a combination of LAN and WAN connections. The connections are designed to
let users access, move and process stored data among all systems. It eliminates paper
tools and processes, and data duplication.


Roughly three years ago, CSC began evaluating and reviewing VPNs.


“We had to choose a VPN solution because of the requirement for end-to-end
encryption from one site to another site,” said Phil Cornacchione, systems engineer
for JCALS at CSC in Morristown, N.J. Previously, the government used link-level encryption
devices to encrypt and decrypt from point A to point B, he said.


About two years ago, CSC chose InfoCrypt Enterprise VPN from Isolation Systems
Inc.—now part of Shiva Corp. of Bedford, Mass.—to connect the Army, Navy, Air
Force and Marines on a secure private DOD IP network.


The implementation incorporates the McLean, Va., company’s InfoCrypt Enterprise,
InfoCrypt Manager, InfoCrypt Desktop and InfoCrypt Certificate Authority. The enterprise
piece incorporates the hardware-based data encryption unit, firewall and router in one
module.


The manager administration tool lets CSC run JCALS from a central site.


The certificate authority tool provides a rigid security policy, allowing a central
management site to issue, revoke, manage and review X.509 digital certificates to identify
all users.


The desktop module provides VPN software at the desktop for secure encrypted tunnels
for remote and internal users between the desktop and WAN data encryption unit.


For remote access, the central site uses a key management system and InfoCrypt Manager
to establish the path for one central site for control management.


“In this way, not just anybody can unilaterally set up their WAN to work with a
desktop,” Cornacchione said. “It can’t be done until you have permission
from the central site.”


VPN security is determined, said Isolation Systems federal sales manager Walter
Henderson, by three factors: the encryption of entire packets including data and IP
addresses, the strength of the underlying algorithm such as the Data Encryption Standard
and the method of authentication such as X.509 digital certificates.


“Tunneling is the only way to truly implement a VPN technology,” he said.
“You have to be able to go end-to-end. Some solutions terminate in front of a
firewall, and that is not very secure.”


CSC chose InfoCrypt for its ability to centrally manage the WAN data encryption units
and key management system, handle a large number of sites or nodes, and support T1 speeds
at 1.54 Mbps.


Other key requirements include Triple DES encryption and compliance with the Federal
Information Processing Standard 140 for cryptographic modules, Cornacchione said.


Isolation System is still in the process of FIPS 140 validation.


Here’s how it works: First, a WAN data encryption unit is installed at each site
to encrypt the JCALS server traffic. After installation at the individual sites, the units
are configured remotely from the central site or system operation support center (SOSC)
managed by CSC. Typically, the WAN data encryption unit sits off the communication hub
where traffic is routed to and from the server.


The JCALS traffic is routed to the data encryption unit, then to the base router over
the Defense Information Systems Network and to the remote site. IP addresses and the
default gateway are set up at the SOSC.


So far, CSC has installed the InfoCrypt enterprise system at 13 locations, including
the SOSC under the JCALS base contract and 24 of 38 sites under the Navy SIM flagship
project. The flagship projects use the JCALS technology for different applications,
Cornacchione said, and the VPN is a security solution for these projects using technology
from JCALS. Several hundred users use the VPNs from their desktop computers.


The network runs primarily in client-server environments using Hewlett-Packard HP-UX
and Digital Unix systems through the DISN over DOD’s Non-Classified IP Router
Network.


CSC is moving to SunSoft Solaris and Microsoft Windows NT.


Growing pains came with setup of the VPN system, but CSC is happy with the solution,
Cornacchione said.


“We put the components under a lot of stress, and we had to upgrade to a higher
speed WAN data encryption unit in order to handle those networks with heavy traffic and
collision storms,” he said.


Establishing a strong relationship with vendors is important when setting up any
integrated system, Cornacchione said, calling Isolation Systems very responsive.  

inside gcn

  • A forward-located Control and Reporting Center. Air Force photo.

    Data security at the tactical edge: Rightsizing solutions

Reader Comments

Please post your comments here. Comments are moderated, so they may not appear immediately after submitting. We will not post comments that we consider abusive or off-topic.

Please type the letters/numbers you see above