This document provides an overview of gSNAP, Sun Microsystems' Secure Network Access Platform reference architecture for secure collaboration in government customers. It describes gSNAP as a "70% solution" that leverages Sun's trusted computing environment, ultra-thin client technology, and partner products for secure access across multiple network security domains from a single desktop. Use cases are presented for gSNAP deployments in defense, public safety, and health agencies to enable secure collaboration within and between organizations. Requirements for trusted computing, secure inter-domain data transfer, and remote access are outlined. The document positions gSNAP against market drivers in government for increased cross-agency collaboration and mobility requirements.

1. gSNAP Primer
Kevin Mayo
–Chief Architect – Global Government
●Sun Microsystems, Inc.
●

2. Introduction – What is gSNAP?
• (government) Secure Network Access Platform
• Reference Architecture for secure collaboration at
the desktop
■ “70% solution” developed specifically for govt
customers
• Competitive advantage for Sun in specific markets
■ Sun unique products and technology
■ CSO technical engagements
■ Complimentary partner products and integration
Sun Confidential: Internal or Partner Use Only

3. How We Use IT is Also Changing
Dynamic Coalition and
Interoperability
Formation
Standards
Best of Class
Threat of Global
Security
Terrorism
Access Anytime
Technology As Major
Anywhere
Element of Operations
Sun Confidential: Internal or Partner Use Only

4. gSNAP Market Drivers
• Government agencies have increasing need to collaborate
■ Within agency
■ With other agencies
■ With trusted partners (suppliers, research centres)
■ With agencies of other nations
• Government users have increasing need to access
information from anywhere, anytime
• Security and privacy are key requirements
• Sources of information are increasingly diverse
Sun Confidential: Internal or Partner Use Only

5. gSNAP Market Positioning
• Government agencies with collaboration needs
■ Defence (NATO)
■ Public security/ public safety (Interpol)
■ Emergency response (central, provincial, city)
■ Public health (CDC, WHO)
■ Government research centres and universities
Sun Confidential: Internal or Partner Use Only

6. Government System Requirements
• Trusted computing environment
• Single Virtual Switch to Multiple Networks
■
■
Single desktop with connections to multiple security
domains implemented as physically separated networks
(without enabling intra-domain routing)
End-users have controlled access to domains based on
security level, compartmentalization
• Secure Inter-Domain Data Transfer
■
Automated and manual auditing based on pre-defined
policies and procedures
• Remote Access Protocol Options
■
Tarantella, Citrix, RDP, X Windows or Browser.
Sun Confidential: Internal or Partner Use Only

7. Changing the Game—
Single Multi-Tiered Secure Communications
SINGLE-POINT FOR INFO ASSURANCE
Secure Domain A, Apps 1,2,3
Secure Domain B, Apps 4,5,6
Secure Domain C, Apps 7,8,9
Secure Domain D, Apps 10,11
Secure Domains A to Z
On ONE Terminal
With data assurance across security
domains
Sun Confidential: Internal or Partner Use Only

8. Desktop Consolidation:
Ultra-Thin Client Front-End
Before:
After:
To ensure a high level of security
physically isolated clients were
deployed often resulting in up to 10
different Desktops in a single office
Full Session Mobility enabled by a
single stateless Sun Ray TM frontend and protected by a Trusted
Solaris TM based back-end
Sun Confidential: Internal or Partner Use Only

9. The Sun Solution:
Secure Network Access Platform
User
Community
A
Switch
User
Community
B
Switch
Switch
User
Community
C
User
Community
D
Switch
Switch
Trusted Solaris
● Sun Ray Session
● Server
●
Switch
Switch
Switch
●
●
●
●
●
24/7 remote management
Sun Ray stateless
Clients Java
Card identity
Network attached storage
for audit logs
Sun Jumpstart Software
for automated site replication
Sun Confidential: Internal or Partner Use Only
• Highly scalable
• Multi-network
consolidation
• Ultra secure
• Identity/Role-based
access
• Audit ability
• Session mobility

10. Secure Network Access Platform for
Government Solution
3rd Party Security
Extensions
TCS, TNE, AC Tech,
Cryptek, Tenix, RSA, Maxim, etc.
Integration to Legacy
Systems
Tarantella, Citrix, RDP, Thinsoft
Java Ultra-Thin Client
Environment
SunRay 1G, 170; Sun Ray Session Server,
Trusted CDE, Java Cards
Government Accredited
Trusted Operating Env
Trusted Solaris Certified EAL4 (B1):
CAPP, LSPP, RBPP
Sun Solaris
Enterprise StorEdge ™ 9
RAS Compute Platform
Consulting, Training,
and Support Services
Sun Servers
Sun Open Work Practice, Workshop, POC,
Architecture and Implementation + Training
and Support
Sun Confidential: Internal or Partner Use Only

11. Trusted Solaris Direction
Trusted Solaris
BSM
Solaris
Solaris
2.3
Trusted Networking
Trusted Desktop
RBAC
Trusted
Solaris
layered
on Solaris
Process Attributes
Device Allocation
Virtualization
Privilege Policy
Solaris
8/9
Sun Confidential: Internal or Partner Use Only
Solaris 10

12. Secure Foundation of Dramatic Improvements
Solaris 10 Security
Digital Certificates Everywhere
Secure Execution
User Rights Management
Process Rights Management
Cryptographic Framework
IPFilter
Kerberos Single Sign On
Easily Activated Security Profiles
Sun Confidential: Internal or Partner Use Only

13. Multi-Level Labeled Security
Trusted Extensions
Adds labeled security to Solaris 10
Multi-level networking, printing
Multi-level CDE GUI
Leverages User & Process RM
Uses Containers
Compatible with all Solaris apps
Target of CAPP, RBACPP, LSPP @
EAL 4+
Available 1HCY2006
Sun Confidential: Internal or Partner Use Only

14. Sun Confidential: Internal or Partner Use Only

15. Based on Best
Practices From
Innovative Customer
Solutions:
DTW—DODIIS Trusted Workstation
●
Proven solution developed at Joint
Intelligence Center Pacific—JICPAC
●
Mandated by DIA as standard secure
desktop access solution for DODIIS
community
Coalition
Sun Confidential: Internal or Partner Use Only
DEA
INS
Circa 2000 seats deployed, multi-year
program managed by JEDI
Sun Network Access Platform
Solution
military
Intelligence
●
Government
Control
Center

16. DTW Components
JEDI JUMPSTART IMAGE:
Trusted Solaris 8 (12/02)
SunRay Software 2.0 w/Failover Groups
JMDI (JEDI) Extensions
Jumpstart support
- Streamlined User & Host management
Audit Management
- Authorized application Mgmt.
TCS software
●
●
●
SunRay thin Clients with 24” Flat-Panel monitors
Load Balanced Sun Servers
Windows 2003 servers connected via RDP
Sun Confidential: Internal or Partner Use Only

17. SPAWAR
●
●
●
●
●
●
Reduced acquisition costs by
consolidating multiple PC clients into a
single Sun Ray ultra-thin client
Improved end-user operational
efficiencies for secure info workflow with
little incremental training
Military grade encryption for transport
through untrusted environments
Highly scalable, with reduced
administration, rock-solid security, and
easy deployment
Provides complete audit trail facilities
Tested and validated with government
Accreditation
SUN RAY SOLUTION
SUPPORTING MULTI-NATIONAL
COALITION FORCES IN THE
ASIA PACIFIC REGION
PROBLEM:
How to dynamically add/subtract foreign
parties into a community of interest at
various levels of need-to-know
SOLUTION:
• Sun Ray Ultra-Thin Client OEM Boards
• Cryptek FIPS-140-1 3DES Encryption
• Sun Fire(TM) Netra servers
• Trusted Solaris(TM) 8
• AC Technology Biometrics
• Smart Card
Sun Confidential: Internal or Partner Use Only

18. JICPAC
●
●
●
●
Reduced acquisition costs by consolidating
multiple PC clients into a single Sun Ray
ultra-thin client
Improved end-user operational efficiencies
for secure info workflow with little
incremental training
Compatible with over 150 existing
applications and INFOSEC tools
Highly scalable, with reduced administration,
rock-solid security, and easy deployment
●
Provides complete audit trail facilities
●
Tested and validated to DIA Accreditation
SUN RAY SOLUTION SUPPORTING US
MILITARY INTEL AT THE
JOINT INTELLIGENCE CENTER OF
THE PACIFIC (JICPAC)
PROBLEM:
How to deploy a COTS single
desktop that provides secure access
to multiple information classifications
and applications under gov't
accreditation
SOLUTION:
•
•
•
•
Sun Confidential: Internal or Partner Use Only
Sun Ray Ultra-Thin Client
Sun Fire(TM) 12K servers
Trusted Solaris(TM) 8
TCS Secure Office

19. MLTC—Multi-Level Thin Client (Centrix M)
●
United States Navy - USJFCOM & SPAWAR
–
–
>100 MLTC terminals were used as part of the USJFCOM CJTFEX Operation
Blinding Storm in June 2004
–
Deployed and in production on the USS Mount Whitney and USS Blueridge and at
New COMPACFLT's Command Center
–
●
Response to the fleets requirement for information sharing among allies and coalition
partners
Schedules for deployment to entire fleet starting FY06
Improved Operational Efficiency:
–
–
Eliminates need for client side storage of sensitive data
–
●
User Mobility saves times as they move locations
–
●
Connectivity to multiple domains from a single seat
Near Real-time Dynamic security policy
Being used in the Middle Eastern Gulf Region
Accredidated Internal use by NSA for DoD (SABI)
for or Partner Use Only
Sun Confidential:

20. CENTRIX-Maritime
Sun V240, V210 and Netra 20 servers running
Trusted Solaris
CITRIX w/Win 2000 servers
All Secret – Siprnet & coalition Networks
Used as a secure Gateway to “PC”
applications.
Maxim provided GOTS code – free within
Government
Sun Confidential: Internal or Partner Use Only
CJTFEX 04-2