USAF’s Network Gateways Changing Hands, Eliminating “Blind Spots”


Airmen with the 26th Network Operations Squadron perform maintenance on one of 16 virtual gateways USAF uses to allow traffic in and out of its unclassified network. USAF photo by Lt. Lauren Woods.

The Air Force is changing the way it allows web traffic into and out of its networks, relinquishing general oversight and maintenance of these entryways to the Defense Information Systems Agency so it can focus its time elsewhere.

By the end of September 2019, the service plans to have a major portion of its unclassified traffic enter through what are called joint regional security stacks (JRSS), rather than entering through today’s 16 virtual gateways. JRSSs are sets of equipment—like servers and interfaces—running programs and protocols from firewalls to intrusion detection to enterprise management. Each JRSS is like a virtual portcullis.

SPECIFIC NEEDS

The Army was the first to join JRSS in its initial iteration, version 1.0, a project that was then consolidating about 340 Army base networks. But the Air Force needed more than v1.0 offered, and asked DISA to up its game. Extra needs arose in part because cyber warriors—like those from the 33rd Network Warfare Squadron—regularly identify and enable improvements to their cyber defense weapon systems, some of which were not present in v1.0. On top of those capabilities, units like the 33rd NWS also proactively enhance cybersecurity.

A new version of the JRSS designed to fit USAF’s needs—coined version 1.5—included “extra capabilities that our operators wanted for the future mission,” said Lt. Col. Justin Mokrovich, commander of the 26th Network Operations Squadron.

Operating out of Maxwell AFB, Ala., the 26th is in charge of the Air Force Intranet Control Weapon System (AFINC)—one of seven cyber defense weapons the service uses—specifically defending what Mokrovich calls “the Air Force boundary,” though he explained it simply in an interview with Air Force Magazine as “the gateway.” And as such, the 26th has eyes on the point of entry itself, but its vision is currently limited.

“Now, we have segmentation,” said Maj. Abe Redoble, the 26th’s director of operations. That segmentation means traffic is sometimes collected, stored, and reviewed in silos—it also means now “there are blind spots in respect to certain things,” Redoble told Air Force Magazine. JRSS attempts to fix that. He described the move as the communications equivalent of transitioning from an “F-16- or F-22-type airframe, which is largely Air Force-centric … to the Joint Strike Fighter.”

For example, if a piece of data traveled from one Air Force base in Texas to another in Alabama, Redoble said, only the Air Force has eyes on it, and even those eyes don’t always see everything. JRSS will make it “much easier” for the services to see that data and share it, if needed. So, if an adversary were to penetrate blue space, for example, the infiltrated service would not only want eyes on that adversary as it “traveled laterally” from base to base, it would also want to be able to warn other services, and later share information on defending against future similar instances. White-hat hackers demonstrated just such a scenario in early December, hacking DOD’s unclassified network through a vulnerability they found in an Air Force website.

On top of better enabling the security of USAF’s networks, DISA’s ownership of the stacks means new focus areas for some airmen.

“We don’t have to do the maintenance, certification, and accreditation,” Mokrovich said, citing one example of work DISA would be taking over. Instead of using resources to train operators, airmen can “focus on identifying, responding to, and reacting to threats,” he added.

Some cyber warriors, like those running AFINC for the 26th, could then transition from “technicians to tacticians,” enabling them to think on a “higher level” to support the warfighter, Mokrovich concluded.

BROAD STRUCTURE

The ultimate vision of JRSS is to allow any interested (and cleared) person to access any data they want, regardless of service or branch, region or state.

“With JRSS, the tools are in place to make that automated, or more convenient,” said John Palumbo, the 26th’s tech advisor and civilian lead on the JRSS migration. Inspecting and retrieving data, and then acting on it all becomes easier.

A typical JRSS costs anywhere from $20 million to $22 million to build, possibly more if the project takes place in a contested environment, explained Army Col. Greg Griffin, chief of the JRSS Program Management Office. It takes “roughly” 90 days to install a JRSS from scratch, he said.

For USAF, 12 of the 20 JRSSs planned for the unclassified theater of networks have been installed and are currently in a testing phase, with the remaining eight planned to be installed by the middle of 2018, Griffin told Air Force Magazine.

“When all is said and done,” Griffin said, there will be 11 stacks in the continental United States, two in Europe, two in the US Central Command area of responsibility, and five in the US Pacific Command AOR.

The classified set of networks will require 25 total JRSSs.

USAF’s migration to JRSS is in line with DOD’s larger call to create the joint information environment, a “vision, a concept that will be realized through the implementation of discrete capabilities that will result in the modernization of the Department’s IT and cyber environment,” according to the Pentagon’s chief information office.