More on SIPRNet
by Ex-Eleven
As an open systems geek who makes a living doing network integration along with network security, it makes me smile when my compatriots find weaknesses that I've escalated to network administrators.
I'd like to give a big shout out to the Ruiner for his recent article. Sometimes in the course of my job, I get to work on "sensitive" networks. The SIPRNet is an example of this.
To summarize what Ruiner said, SIPRNet is a network primarily composed of UNIX systems that are connected via encrypted links. In his time, there was a dial-up modem pool that used Cisco 2511 terminal servers and challenge/response authentication. By and large, what he stated is pretty darn accurate, although there have been some changes. We'll get to those shortly.
SIPRNet is a defense network that connects subnets and individual hosts that are classified at the SECRET level. This means that you will find UNCLASSIFIED documents on it (by virtue of being added to a secret host, they become secret) and SECRET classified documents on the network, but you won't find TOP SECRET things like plutonium levels within warheads or launch codes. The SIPRNet is managed by the Defense Information Systems Agency (DISA) from a bunker inside a mountain. For those of you who care, the bunker is at Ft. Detrick in Frederick, Maryland.
The dial-up ports have been eliminated, to the best of my knowledge, and they certainly are not endorsed or supported by SIPRNet network operations. Connectivity is provided via Frame Relay connections starting at 56 kbps and working their way up. Line provisioning is done through GTE Government Systems. No surprise there. The connectivity is set up as follows:
The line is fed into a standard Motorola CSU/DSU, which connects to the encryption unit (probably Triple DES). The CSU/DSU side of the crypto unit is known as the BLACK side; the router side is known as the RED side (because it carries the unencrypted traffic). The router is a Cisco 2501, 2514, 4500, or 7000, depending on the user's needs.
The cryptographic unit is either a KG-84 or a KIV-7. The KG-84 has been manufactured by several different companies, including Bendix and Allied Signal. The KIV-7 is manufactured by Allied Signal. Both units are designed and approved by the NSA. When initially installed they are basically dumb boxes, until someone loads the crypto keys that will be used on the link. As I understand it, the keys are loaded via a paper tape, although I haven't been able to find this out for sure. I do know that it's something like that but cannot find out for certain since I am not a cleared individual. I know that the crypto devices change their key throughout a connection via something called OTAR, which stands for Over-The-Air Rekeying. They also have to have a device called a CIK plugged in to be operational. The CIK is a Crypto Ignition Key that looks like a small two-sided plastic comb. When the crypto device is separated from its CIK, it is considered sensitive but not classified; with the CIK inserted, it is classified.
The hosts attached to the network have to be secured to at least the C-2 level. Security levels are tested by a SIPRNet tiger team out of Virginia. The exception to this rule, though, is that there are some Windows NT boxes attached to this network. As you all know, Windows NT is not C-2 unless it doesn't have a network card or floppy drive (go figure).
SIPRNet holds a lot of opportunities for those who have the skills to get access. Perhaps someone on the inside can give us more details.