Marines tunnel to SIPRNET

Staff uses encryption to access DOD network

The Marine Corps is reducing the time and expense of connecting staff at multiple locations to the Defense Department's secure network by using a technique known as tunneling, which lets users traverse a nonsecure network to access a top-secret one.

Marine Corps staff recently began using the Non-Classified Internet Protocol Router Network (NIPRNET) to extend DOD's Secret Internet Protocol Router Network (SIPRNET) to 47 sites in the Marine Forces Pacific command.

Extending DOD's classified network — which allows military staff to access classified applications and databases and conduct secure messaging — to 47 more sites would normally be laborious, costly and time consuming. Although SIPRNET uses IP standards, it is physically and logically separate from all other computer systems, using dedicated and encrypted lines.

But the Marine Corps, along with some private-sector assistance, has found a way to do the job without massive trials and tribulations by tunneling through the NIPRNET, a network of government-owned IP routers used to exchange sensitive information.

Tunneling involves "connecting two computers, using encryption, through an untrusted network," said Col. Mark Clapp of Marine Forces Pacific.

Still, while tunneling is cost-effective and gaining acceptance within DOD, Clapp acknowledged that numerous challenges are involved, including managing and configuring security among myriad encryption devices, NIPRNET's greater susceptibility to denial-of-service and other cyberattacks, and interoperability of different Type 1 encryption devices.

Tunneling is not a new concept and is actually used frequently in the private sector with remote workers using virtual private networks (VPNs) to tunnel through the Internet to access their corporate network, said John Pescatore, research director for Internet security at Gartner Inc.

Two main issues must be addressed when using the NIPRNET to access SIPRNET: unpredictable performance of the nonclassified network, and authentication of the person and equipment at the other end of the tunnel, Pescatore said.

If NIPRNET users are watching video feeds or downloading large files, the network's performance can "vary dramatically," a factor that may require backup connections, he said.

With regard to authentication, Pescatore said it's not enough to have Type 1 encryption because the server or PC at the other end of the tunnel could still be compromised. For example, a hacker could trick a VPN user into downloading software that enables the hacker to copy passwords and either gain remote control of the secure PC or access it directly through the tunnel, Pescatore said.

A number of vendors have the technology necessary to meet Marine Forces Pacific's needs, including General Dynamics Corp., Lockheed Martin Corp., Motorola Inc. and Fortress Technologies Inc., he said.

For security reasons, Clapp would not name the contractor or the encryption tools being used, but said they are National Security Agency-approved to protect classified communications up to the top-secret level using the Type 1 encryption algorithm available to authorized personnel.

Final approval came through last month to transfer the Marine Corps' encryption tools to the contractor accounts, Clapp said, adding that all 47 sites are scheduled for completion by next June.

Clapp asked for assistance from the private sector in enhancing encryption technologies so that one day, there might not be a need for separate nonclassified and secret networks.

***

Tunnel vision

To access the Defense Department's network, the Marine Corps is using a technology called tunneling, in which two computers are connected through an untrusted network using encryption.

Tunneling pros:

* Cheaper.

* Faster installation.

* Increased mobility.

* Extended access.

Tunneling cons:

* Unpredictable performance and greater susceptibility to service denial and other cyber-attacks on the nonclassified network.

* Potential difficulty authenticating the person and equipment at the other end of the tunnel.

* Managing and configuring security among multiple encryption devices.

* Interoperability of different Type 1 encryption devices.