Customers coming into the DTIC network traverse either the Internet or the NIPRNet. They pass through our Cisco routers, which filter or block IPs and domains that have been identified as "dangerous" or problematic, and then through the stateful firewall (PIX), which monitors for traffic patterns that would indicate someone is hacking against the system. For example, if requests come from the same IP 30 times in a second, that would not be normal behavior; if the firewall detects abnormal behavior, it blocks the requests.

Our public network traffic then crosses the Big IP (load balancing) boxes and is routed to its destination. Customer uploads go to FTP or upload servers that have very restricted access and read/write access to the Network File Server. Web page (HTTP) requests are routed to the appropriate front-end server, which has read-only access to the Network File Server. Application requests, such as search, database queries, RealAudio or other application requests, are routed to the appropriate application server. For STI Limited Access, the user traverses the Sidewinder proxy firewall to access the web servers.

Our architectural design emphasizes security practices: public and limited-access content are kept on segregated servers. See next slide for details.
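The per-source rate rule described above (the same IP making 30 requests in a second is not normal and gets blocked), as an added illustration that is not DTIC's, Cisco's or the PIX firewall's own code: a sliding-window counter run over constructed request records. The threshold, window length, sample addresses and timestamps are all assumptions.

```python
from collections import defaultdict, deque

# Constructed sample request log as (timestamp_seconds, source_ip) pairs.
# Not taken from the page; built so one source bursts and two behave normally.
SAMPLE_REQUESTS = (
    [(i / 100, "192.0.2.10") for i in range(40)]        # 40 requests in 0.4 s: abnormal
    + [(i / 10, "198.51.100.7") for i in range(25)]     # 25 requests over 2.5 s: normal
    + [(5.0 + i / 2, "203.0.113.5") for i in range(10)] # 10 requests over 5 s: normal
)

THRESHOLD = 30   # requests per window that count as abnormal (assumed, per the slide)
WINDOW = 1.0     # window length in seconds (assumed)


def flag_bursting_sources(requests, threshold=THRESHOLD, window=WINDOW):
    """Return {source_ip: timestamp} for every source that should be blocked.

    Requests are processed in timestamp order. For each source a deque holds
    the timestamps of its recent requests; entries older than `window`
    seconds are discarded, so the deque length is the request count in the
    trailing window. A source is flagged at the first request that brings
    that count to `threshold`, and all of its later requests are dropped.
    """
    recent = defaultdict(deque)
    blocked = {}
    for ts, ip in sorted(requests):
        if ip in blocked:
            continue                      # firewall already drops this source
        q = recent[ip]
        q.append(ts)
        while ts - q[0] > window:         # slide the window forward
            q.popleft()
        if len(q) >= threshold:
            blocked[ip] = ts              # record when the rule tripped
    return blocked


if __name__ == "__main__":
    for ip, when in flag_bursting_sources(SAMPLE_REQUESTS).items():
        print(f"block {ip}: {THRESHOLD} requests within {WINDOW}s at t={when:.2f}s")
```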
Could update this, but it could also be shown as past performance. Could provide input on the decision to upgrade and why.
Back to the architecture chart. The first boxes are the Cisco routers; the second is the PIX firewall.
We use a very simple rule: requests from users are routed back out the way they came in. This is why there is no leakage from one network to the other.
This chart describes the complexity of the user communities that use Web services to access DoD content. The DoD PKI policy recognizes only Private users, who will eventually have DoD Digital Certificates issued to them (purple), and Public users, who will have no access control (green). There are many users that fall into a category we call Extranet (yellow). The content here is not intended for public access… however, the target audience falls outside the community that will be issued DoD Digital Certificates… Federal Government, business partners, allies, family members… Hmmm…. I guess we need to modify the policy.
Just a reminder to folks that we have been in content distribution for a long time. It is not much of a stretch to do access control on computer systems.