WIN-T Staff Course VOL 1 V10.06.24

Table of Contents

Volume 1: Architecture & Equipment
Chapter 1: WIN-T Inc 1 Overview
Chapter 2: STT Overview
Chapter 3: Equipment Overview & Architecture
Chapter 4: JNN-CPN-STT Network Overview
Chapter 5: Line of Sight (LOS) Case Overview

Volume 2: Network Management
Chapter 6: Introduction to Network Management
Chapter 7: SNMPc
Chapter 8: SolarWinds Engineer’s Toolset
Chapter 9: SolarWinds Cirrus Configuration Manager
Chapter 10: SolarWinds Orion
Chapter 11: NetMRI-Network Analysis

Information Assurance
Chapter 12: Introduction to Information Assurance
Chapter 13: Cisco Security Monitoring Analysis and Response System (CSMARS)
Chapter 14: Cisco ASA Adaptive Security Appliance
Chapter 15: Cisco Intrusion Prevention System
Chapter 16: Cisco Security Manager
Chapter 17: eEye Retina Scanner
Chapter 18: Hercules Vulnerability Remediation Management

Architecture & Equipment
WIN-T Inc 1a Overview

WIN-T Inc 1 System Overview
[Figure: Increment 1a and Increment 1b; callouts: Increment 1a + Colorless Core + NCW Modem (MPM-1000)]
WIN-T Increment 1 is a state-of-the-art COTS/GOTS communications network that enables the exchange of voice, video, and data throughout the tactical Army unit and into the sustaining base. It leverages commercial satellite technology to provide beyond-line-of-sight capabilities and commercial internet networking technology to increase functionality and efficiency while reducing size, weight, and power.
WIN-T Increment 1 components reside at the Theater, Corps, Division, Brigade, and Battalion levels and provide interfaces to lower-level systems, including on-the-move and soldier platforms.
Increment 1a Capabilities:
• Extended Networking at-the-Halt: Former JNN program with Ka military satellite communications capability.
• Connectivity: Commercial and military frequency satellite communications (SATCOM) to Theater, Corps, Division, Brigade and Battalion.
• Equipment: radios, routers, servers, encryption, modems, antennas (transportable).
• Capability: Enables quality voice, data, and limited video communications at-the-halt. Provides for coordinated actions between geographically separated units.
What WIN-T Increment 1 Delivers:
• Network service to Command Posts and Commanders while at-the-halt.
• Improved battle command for Modular Force – increased satellite communications, extends to Bn level.
The mandatory upgrade to previously fielded systems issued under Spirals/Lots 1-9:
• AN/TTC-59 Joint Network Node (JNN)
• AN/TTC-56 Single Shelter Switch (SSS)
• AN/TTC-64 Battalion Command Post Node (BnCPN)
• Baseband Tactical Hub Node (THN)
Inc 1a Baseline gives systems the same functionality and hardware baseline as Inc 1 (Lot 10).
Items being replaced are end of life and no longer supportable.
*Operational impact:
Declining availability of spare items to replace those that fail in the field.
Critical issues with sparing KIV-7s and KIV-19s at CSLA.
WIN-T Inc 1 Network Diagram
[Figure: network diagram. Legend: TDMA (IP); FDMA (IP & CKT). Elements shown: STEP site and DISN services; Ku-band, EHF-band and SHF X-band satellites; Hub; SHF X-band (GMF), EHF (SMART-T) and LOS links; JTF; DMAIN, TAC, DIV and BDE elements with JNNs; SSS; TSC-85 and TSC-93; SMART-T; Ku terminals; BnCP.]
The WIN-T Inc 1 network employs a variety of transmission methods to pass voice, data, and video throughout the network.
Two primary means of communication, Ku Frequency Division Multiple Access (FDMA) and Time Division Multiple Access (TDMA), both satellite-based, are typically used to provide the backbone links between Joint Network Transport Capability – Spiral (JNTC-S) elements.
Cable, Line-Of-Sight (LOS) radio, Ground Mobile Forces (GMF), Tactical Satellite (TACSAT), Secure Mobile Anti-Jam Reliable Tactical-Terminal (SMART-T), etc. augment the basic capabilities.
WIN-T Inc 1 Architecture
[Figure: architecture tiers labelled GIG, ESB, DIV/BCT and Bn]
Delivers COTS/GOTS network for the Current Force.
• Connects the Warfighter to the Global Information Grid.
• 115 Mbps Internet-based connectivity per Division.
• DISN connectivity down to battalion level.
• Enhanced mobility and communications at the quick halt.
• Joint and coalition connectivity.
• Provides interface to legacy systems.
• “Black” Internet backbone.
• SATCOM and terrestrial connectivity.
• Autonomous Brigade operations.
The WIN-T INC 1 Network Satellite Bandwidth:
• WIN-T INC 1 Network supports TDMA and FDMA satellite communications.
• Brigades have the capability to communicate via TDMA or FDMA satellite waveforms.
• Battalions have TDMA satellite capability only.
• Both support LOS.
• Shared TDMA bandwidth within the Division (approx. 4.3 – 4.7 Mbps per TDMA carrier) x number of carriers (the number of carriers is determined by CENTCOM).
• TDMA modem limitation is approximately 3.0 Mbps.
• Battalions are rate shaped to 2 Mbps for uplink (to prevent them from hogging bandwidth). Downlink is not rate shaped.
• Each FDMA link supports between 2 – 8 Mbps, depending on spectrum allocation and network variables.
FDMA SATCOM Latency:
• One hop to TACHUB or FRHN DISN services.
• One BCT to another, or BCT to Division, is 2-hop architecture through TACHUB or FRHN.
• Latency associated with 1 hop = 500 – 600 ms.
• Latency associated with 2 hops = 1000 – 1200 ms.
TDMA SATCOM Latency:
• Within a BCT, everybody is one hop away from each other.
• TDMA Mesh with Brigade.
• One BCT to another, or BCT to Division, is 2-hop architecture.
• Latency associated with 1 hop = 650 – 800 ms.
• Latency associated with 2 hops = 1300 – 1600 ms.
Other Comms available:
• UHF SATCOM
• L-Band (BFT and INMARSAT), SINCGARS, IRIDIUM, MBITR, GBS, CSS, TROJAN SPIRIT, and HF.
BCT/Bn Command Post External Connectivity
[Figure: external connectivity of BCT and battalion command posts. Legend: TDMA – IP; FDMA – IP + CKT; LOS. Elements shown: Ku-band satellite; TCF; TACHUB; BCT CP1 and BCT CP2, each with SMART-T, TSC-85/93, CPPA, CPPB, HCLOS, JNN and 2.4 M Ku terminal; Battalion CPs, each with a 2.4 M Ku terminal.]
WIN-T Inc 1 Tunnel Architecture
[Figure: tunnel architecture. Legend: static tunnel, OSPF routing; dynamic on-demand tunnel, no OSPF adjacencies. Elements shown: STEP/Teleport with terrestrial circuits; Unit Hub; DMAIN JNN; two BCT Command Post JNNs with TRC-85/93, SMART-T, HCLOS and 2.4 M Ku terminals; Battalion CPs, each with a 1.5 M Ku terminal.]
Dual hub/spoke design (JNN and Hub):
• Static “always up” tunnels from BnCPNs to JNN and Hub.
• Dynamic spoke-to-spoke tunnels built using DMVPN.
DMVPN enables:
• reduced hub router configuration
• dynamic spoke-to-spoke tunnels
• TDMA bandwidth savings
TDMA Tunnel Architecture
[Figure: two TACLANE KG-175 units (front-panel indicators POWER, RUN, ALARM, BATTERY LOW); callout: 168 Bytes]
• SIPR GRE Tunnel: Necessary to route SIPR dynamically through TACLANE and support multicast.
• Type 1 Encrypted TACLANE ESP Tunnel: Necessary to carry SIPR traffic over NIPR backbone.
• AES Encrypted GRE Tunnel: Necessary to protect NIPR traffic, allow dynamic NIPR routing and protect TACLANE CT headers.
WIN-T Inc 1 Echelon Equipment
Lot Differences (1)
Equipment | Block I (Sp1-7) | Block II (Lot 8-9) | Block III (Lot10+)
Shelter | S-250 | S-250 | LMS (Up Armor)
Module Configuration | V5, V6
Workstation | NIPR/SIPR SDS Server | NIPR/SIPR SDS Server | 2 ea. Go-Book (Server 2003) NIPR/SIPR
Routers | Cisco 3725 and 2651XM (BnCP) | Cisco 3825 2811 | Cisco 3825 Integrated Services Router and 2811 Perimeter Router
Ethernet Switches | Embedded ESW Modules | External Cisco 3560Gs 48 port | External Cisco 3560Gs 48 port
WAN Optimization | Comtech TurboIP | Comtech TurboIP | Citrix WANScaler
Lot 8-9 Hardware Changes:
• Ethernet switches - Cisco 3560 layer 3 switches with GBIC SFP adapters. This upgrade enables removal of Media Converters and allows fiber connectivity throughout JNN to components.
• Netscreen 25 upgraded to Netscreen 50 Firewalls.
• User access cases upgraded to Cisco 3560 Switches, GBIC and VG-224. Decreases user access for analog phones from 48 down to 24.
• INC 1a - Costing changes on NIPR for everything over IP.
Lot 10 Inc 1:
• ASA 5510 Firewall: Anti-Virus upgrade to McAfee. Replaced Netscreen 25 and 50.
• SMU: SSS(V)3 COMSEC Module.
• AKDC: Automatic Key Distribution Center: MSE asset for Legacy Voice Encryption.
• KG-175D: TACLANE Micro used for TDMA Encryption.
• KIV-7M: Replaced KIV-7 and KIV-19A. Used for Trunk and Serial Encryption.
• Citrix WANScaler replaced Turbo IP.
• Anti-Virus upgrade to McAfee.
• Redcom HGX upgraded to Redcom Slice.
• Promina 400 upgraded to NX-1000.
• Configuration changes to accommodate equipment upgrades.
Lot Differences
Information Assurance | FW: Netscreen 5XT/25/50 | FW: Netscreen 5XT/25/50 | FW/IPS: Cisco ASA 5510 w/IPS
 | IDS: Realsecure | IDS: Realsecure
 | Antivirus FW (THN and JNN): McAfee | Antivirus FW (THN Only): McAfee | Antivirus FW (THN Only): McAfee
Encryption | Taclane E100 (KG-175), KIV-7HSB, KIV-19 | Taclane E100 (KG-175), KIV-7HSB, KIV-19a | Taclane Micro (KG-175D), KIV-7M
BDE Transit Cases | Voice and Data Cases, Voice Gateway (VG248) | User Access Cases, Voice Gateway (VG224) | User Access Cases, Same as Battalion Node
BN Transit Cases | Bn Case A and Bn Case B | Router Cases 2 ea. NIPR/SIPR w/ upgraded UPS | Router Cases 2 ea. NIPR/SIPR w/ upgraded UPS
SATCOM | Lot 9+ | Lot 9+ | Lot 10
NETOPS | Lot 9 | Lot 9 | Lot 10
Software Components:
• Operating Systems
  • Windows 2003 Server
• Software
  • Microsoft Office
  • PuTTY
  • SolarWinds TFTP Server
  • McAfee Antivirus
  • Simple Network Management Protocol console (SNMPc)
  • Cisco Call Manager 4.3
CPN Blocks I & III Differences
Equipment | Block I (Spiral 2-7) | Block III (Lot 10+)
Transit Cases | VPN & SIPR Cases | Router Cases (x2)
Routers | 2651XM | 3825 ISR
Ethernet Switches | Layer 2 2950 – NIPR, Layer 2 3750 – SIPR | Layer 3 – 3650 (x2)
VoIP Capability | CME 3.3 & 7940/7960 Phones (SIPR Only) | Call Manager 4.3 – Laptop Based, SIPR & NIPR – 7941/7961 Phones
WAN Optimization | Comtech Turbo IP | Cisco Web Cache | Citrix WANScaler
Information Assurance | FW: Netscreen 5XT, IPS: none | FW: Cisco ASA 5510, IDS: Cisco IPS
Encryption | Taclane Classic KG175 | TACLANE Micro KG175D
NETOPS | LAN Manager CF-29 (XP Based) | LAN Manager Go-Book (Server 2003)
Hardware Upgrades:
• NIPR Router – Changes from 2600XM series to 3825.
• SIPR Router – Changes from 2600XM series to 3825.
• NIPR Switch – Changes from 2950 (10/100) to 3560G (Gigabit).
• SIPR Switch – Changes from 3750 PoE to 3560G (Gigabit).
Hardware Changes:
• Firewall – Changes from Netscreen model to Cisco ASA with IPS module.
• IPS – Changes from none to Cisco IPS.
• NIPR VoIP – From no capability to laptop-based Cisco Call Manager 4.3.
• SIPR VoIP – From CME 3.3 to laptop-based Cisco Call Manager 4.3.
Configuration Changes:
• NIPR Logical Signal Flow – Changes significantly to accommodate voice and data VLAN flows through IA stack.
• SIPR Logical Signal Flow – Changes significantly to accommodate voice and data VLAN flows through IA stack.
• Access Lists – Change from administrative (90, 95, and 99) and traffic-filtering ACLs to administrative-only ACLs (traffic filtering is done on the ASA FW and IPS).
WIN-T Inc 1: Ka – Upgrade
Phase 1: Platform Re-Cap
Phase 2: Electronics Upgrade Kits
• TDMA Modem Upgrade Kit
STT DataPath Version:
Lot 1 thru 9:
• Ku capable Satcom
• Linkway TDMA 2100s
• TFOCA II Interface
• IPv4 and IPv6
• C130 Transportable
Lot 9 plus with 1a and 1b:
• Ka and Ku capable Satcom
• Linkway TDMA 2100s or S2
• NCW Modem
• TFOCA II Interface
• IPv4 and IPv6
• C130 Transportable
Lot 9 + Increment 2:
• Ka and Ku capable Satcom
• FDMA
• NCW Modem
• TFOCA II Interface
• IPv4 and IPv6
• C130 Transportable
STT General Dynamics Version:
Lot 10 Increment 1 and 2:
• Ka and Ku capable Satcom
• FDMA
• NCW Modem
• TFOCA II Interface
• IPv4 and IPv6
• C130 Transportable
Increment 3 and 4 QT-LA (Quad-Band Terminal Large Aperture):
• 4.6 Meter Dish
• C, X, Ka and Ku Band capable Satcom
• TDMA and NCW Modems
• Node Management
• TFOCA II Interface
• IPv4 and IPv6 and MANET Routing
• Local Colorless interface for WIN-T elements
• Dynamic Link Management
• C130 Transportable
System Overview
Tactical Hub Node (LOT 10)
[Figure callouts: Tactical Hub Sat. Vans (2); 3.9M Antenna; User Access Cases; Tactical Hub Baseband]
The HUB consists of a Tactical Hub Baseband Van Vehicle and two TDMA/FDMA Satellite Vans.
• Extends GIG Ethernet services down to Warfighter.
• Traditionally co-located with a DISN PoP.
• Designed to support 16 FDMA and 16 TDMA links.
• Configured to provide multiplexing of Voice (Black PBX), SIPR and NIPR data and video interfaces for transport over the FDMA network using cable, line-of-sight, GMF / SMART-T / PHOENIX and Ku SATCOM links.
• Provides SIPR and NIPR IP voice and data traffic to distant JNNs and Battalion Command Posts using the Ku TDMA network.
NIPRNET, SIPRNET, and DSN are the primary services extended to the tactical users. However, it is technically feasible to extend DRSN and DISN Video Service – Global (DVS-G) services. The FRHN will be configured to provide two DRSN circuits per Division enclave (via the FDMA/Promina network links). The DVS-G is expected to have completed the migration from H.320 serial connectivity to H.323 IP connectivity by the time the first FRHN is operational. Therefore, serial circuits will not be planned or provisioned for H.320-based DVS-G service. The IP-based DVS-II service will be carried over the NIPRNET and SIPRNET links.
Cable can be galvanic and optical.
Diagram is the Spiral 2-4 HUB.
Division HUB normally supports 11 JNNs:
• 4 BCT = 2 JNN each => 8
• 2 Aviation Bde = 1 JNN each => 2
• 1 Sustainment Bde = 1 JNN each => 1
8+2+1 = 11 JNNs, so there is a surplus of five links, which gives the planner the option to task organize other BCTs and connect to STEP/REGIONAL HUB.
The JNNs are designed for three FDMA (i.e., Promina multiplexed) links apiece.
Several factors must be taken into account by commanders and Signal planners regarding the best location for a MRHN and/or THN. The amount of time available for mission planning and the required proximity of the JNN-N Hub Node to the warfighter may result in tradeoffs where DISN connectivity is not available at the start of an operation, if at all. Ideally, all deployed JNN-N Hub Nodes will have direct terrestrial DISN connectivity for redundant and robust communications. However, at a minimum the FRHN will be DISN connected.
Capabilities
• Ku/Ka FDMA and TDMA SATCOM ATH
• Interface to LOS
• Interface to Centrix, Joint, SMART-T / Phoenix / TSC-85/93s
• Node Mgmt (S, SI)
• Interface to Commercial Office
• Interface to Current Force DTG
• Support for 2-Wire Analog STEs
• Supports SI and S LAN extension (for user LAN VOIP, video, or data devices)
• User Services (, DHCP, Voice)
• Serial and Ethernet Interface to BVTC
• Initial QoS
• External Boundary Protection
• Enclave Protection
• IPv4 / v6 when HAIPE V3 is available
Baseband
• Border Router (S, N)
• Tier 2 Router (S, N)
• Ethernet Switch (S, N)
• Management Laptops (S, N)
• TCP Proxy (S, N)
• Call Control (Call Manager) (S, N)
• Terminal Server (S, N)
• HAIPE (v 1.3.5) (Quantity 2)
• Perimeter Firewall / IPS (S, N)
• Host LAN Firewall / IPS (S, N)
• Antivirus (S, N)
• Promina NX-1000
• KIV-7M
• PBX (Redcom HDX)
• CTM-100s
• FECs
• Pairgain Modems
• Flex Mux
• GPS Receive and GPS antenna
• 2 User Access Cases (S, N)
User Access Case
• 3560 Ethernet Switch
• Cisco VG224 Analog Gateway
Packaging/SWAP
• LMS on 5 Ton FMTV
• 18K ECU
• 10 KW Generator on FMTV with Auto Transfer
GFE/GFS
• FMTV
• CHS-III Components
• COMSEC
Employment
• Division HQ
GUIDELINES:
• C17 Transportable (2 trucks per C-17)
• Movable assemblages
• Provide TDMA/FDMA
• Fiber Interface to Baseband Vehicle.
ARCHITECTURE PARAMETERS:
• Support 16 TDMA Nets per Hub
• 4 Mbps per TDMA Net
• Support 16 FDMA links w/a total aggregate b/w of 36 MHz per Hub
• ~2 Mbps to all medium/JNN nodes
• ~4 Mbps to DMAIN medium node
TACHUB SATCOM Trucks
• 2 ea. 8x8 TDMA/FDMA SATCOM Trucks per Unit Hub
• 3.9M auto acquire and tracking
• Fully redundant RF electronics and ECU (MAC-62)
• 2 x 20 kW Generators / Dual 6 KVA UPS
• Traffic capability (depending on loading) – WITH LINEARIZERS
  • TDMA – 24 Mbps
  • FDMA – 48 Mbps
• Modem Complement
  • Redundant MRT and 8 TDMA modems
  • FDMA – 8 active modems; 1 hot spare
• Provides Joint Interoperability (i.e. Circuit Switch Voice / Promina Traffic)
Each SATCOM truck contains approximately 140 RU (4 ea. 5 ft high, 19-inch racks) of equipment.
MRT – Master Reference Terminal
RU – Rack unit
System Overview JNN (Lot 10)
[Figure callouts: STT; JNN; User Access Cases; 10K TQG]
Capabilities:
• Ku/Ka FDMA and TDMA SATCOM ATH (STT)
• Interface to LOS
• Interface to Centrix, Joint, SMART-T / Phoenix / TSC-85/93s
• Node Mgmt (S, SI)
• Interface to Commercial Office
• Interface to Current Force DTG
• Support for 2-Wire Analog STEs
• Supports SI and S LAN extension (for user LAN VOIP, video, or data devices)
• Serial and Ethernet Interface to BVTC
• Initial QoS
• External Boundary Protection
• Enclave Protection
• IPv4 / v6 when HAIPE V3 is available
• C-130 Transportable
Baseband:
• Border Router (S, N)
• Tier 2 Router (S, N)
• Ethernet Switch (S, N)
• Management Laptops (S, N)
• TCP Proxy (S, N)
• Call Control (Call Manager) (S, N)
• Terminal Server (S, N)
• HAIPE (v 1.3.5) (Quantity 2)
• Perimeter Firewall / IPS (S, N)
• Host LAN Firewall / IPS (S, N)
• Antivirus (S, N)
• Promina NX-1000
• KIV-7M
• PBX (Redcom Slice)
• CTM-100s
• FECs
• Pairgain Modems
• Flex Mux
• GPS Receive and GPS antenna
User Access
• User access switches (S, N)
• 2 wire IP Gateways (S, N)
Packaging/SWAP
• LMS on 2.5 Ton FMTV or M1152 HMMWV with B2 Armor Kit
• 18K ECU
• 10 KW Towed Generator
GFE/GFS
• HMMWV or FMTV
• CHS-III Components
• COMSEC
Employment
• ESB (4), Corps/Div HQ (3), SBCT/BCT (2), Bde (1)
Major Assemblages – The JNN
[Figure: Ku trailer (FDMA/TDMA) and Joint Network Node (JNN); signal flow between assemblages, labelled FDMA / TDMA, V5, V6 and V5]
The WIN-T Inc 1 JNN consists of a JNN Vehicle and a Ku Satellite Trailer.
The connection from the JNN to its STT is via a single redundant connector off the JNN using TFOCA II. Therefore, connecting TDMA and FDMA is just a simple plug-in. The work comes in ensuring that all satellite and IP components, the NX-1000 or other FDMA systems are planned out and configured correctly.
WIN-T Inc 1 Module Sets
[Figure: module sets labelled A 3 UPS/TACLANE; A 14 NIPR; A 5 SIPR; HUB A 8 MODEM; A 12 TRANSMISSION; HUB A 9 ROUTER; A 13 STEP; HUB A 5 SIPR; HUB A 14 NIPR]
WIN-T INC1 Assemblage Modules:
• Equipment design is composed of a mixture from a common module set representing functional groups.
• Employs common module design between different assemblages to enforce common internal architectures.
• Module design removes most of the complex patch panel configurations inherent in earlier designs.
• JNN (v)4/5/6, SSS(v)4 and Tactical Hub built from modules to meet their respective network requirements.
• WIN-T INC1 JNNs have three versions offering specific architecture requirements.
Performance Enhancement Proxy (PEP)
PEP is designed to alleviate Transmission Control Protocol/Internet Protocol (TCP/IP) bottlenecks in an impaired environment (where high delay, high bit error rate, or both, occur) while preserving interoperability with any TCP device.
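The following is an added example, not part of the original course material or any vendor's PEP code: it takes the hop latencies and the 2 Mbps battalion uplink rate quoted earlier in this volume and shows how far a single TCP flow with an unscaled 64 KB window falls short of the link rate, which is the bottleneck a PEP addresses. It assumes the quoted latency is the TCP round-trip time; all function and variable names are illustrative.

```python
"""Window-limited TCP throughput over the SATCOM hops described in this course.

Added illustration, not WIN-T or PEP vendor code. Latency ranges and the link
rate are the figures quoted in this volume. ASSUMPTION: the quoted latency is
treated as the TCP round-trip time (RTT).
"""
import math

# (min_ms, max_ms) per path, copied from the FDMA/TDMA latency lists.
PATH_LATENCY_MS = {
    "FDMA 1 hop": (500, 600),
    "FDMA 2 hops": (1000, 1200),
    "TDMA 1 hop": (650, 800),
    "TDMA 2 hops": (1300, 1600),
}

BN_UPLINK_MBPS = 2.0      # battalion uplink rate shaping quoted in the text
UNSCALED_WINDOW = 65535   # largest TCP window without the window scale option


def window_limited_mbps(window_bytes, rtt_ms):
    """Ceiling for one TCP flow: at most one window per round trip (Mbps)."""
    return (window_bytes * 8) / (rtt_ms / 1000.0) / 1_000_000


def window_needed_bytes(rate_mbps, rtt_ms):
    """Bandwidth-delay product: bytes that must be in flight to fill the link."""
    return math.ceil(rate_mbps * 1_000_000 / 8 * rtt_ms / 1000.0)


def analyse(link_mbps=BN_UPLINK_MBPS, window_bytes=UNSCALED_WINDOW):
    """Return one row per path with best/worst throughput for a single flow."""
    rows = []
    for path, (lo_ms, hi_ms) in PATH_LATENCY_MS.items():
        # Throughput can never exceed the link rate, so cap at link_mbps.
        best = min(window_limited_mbps(window_bytes, lo_ms), link_mbps)
        worst = min(window_limited_mbps(window_bytes, hi_ms), link_mbps)
        needed = window_needed_bytes(link_mbps, hi_ms)
        rows.append({
            "path": path,
            "best_mbps": round(best, 3),
            "worst_mbps": round(worst, 3),
            "utilisation_worst": round(worst / link_mbps, 3),
            "window_needed_bytes": needed,
            "needs_window_scaling": needed > UNSCALED_WINDOW,
        })
    return rows


if __name__ == "__main__":
    for row in analyse():
        print(f"{row['path']:<12} {row['worst_mbps']:.3f}-{row['best_mbps']:.3f} Mbps "
              f"of {BN_UPLINK_MBPS} Mbps; window needed {row['window_needed_bytes']} B")
```

A PEP can only act on TCP headers it can read, so it has to sit on the plaintext side of any encryptor in the path.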
Antivirus Server
The McAfee Antivirus Server platform is used to screen incoming and outgoing files between host and perimeter networks.
Call Manager
Call Manager is the software-based call processing component, providing signaling and call control services to IP endpoints, IP gateways, and POTS subscribers via analog voice gateways.
Tier 1 Router
• Perimeter router that provides links for connections to networks external to the protected network.
• Provides first line of defense in IA Architecture.
• Access Control Lists provide security filtering.
Firewall
[Figure callouts: PERIMETER; HOST]
• Two firewalls per security domain (SIPR/NIPR) within the shelter.
• Border Firewall – Positioned between T1 and T2 routers to form a boundary between the trusted network (TDMA cloud/T2 routers) and the untrusted network (T1 routers/STEP).
• Host Firewall – Positioned between T2 router and Host LAN to form a boundary between host networks and the T2 router.
Tier 2 Router
• Provides default gateway and routing functions for locally connected hosts and shelter components.
• NIPR T2 provides voice gateway for BLACK voice network between VoIP and PBX.
• SIPR T2 provides voice gateway for RED voice network between VoIP and Vantage for legacy MSE connectivity.
TACLANE
[Figure: A3 UPS-TACLANE module]
• Inline network encryptor for deployment in DOD tactical and strategic networks.
• Provides security for tunneling of one network through another (i.e. SIPR through NIPR and vice versa).
KIV-7M Transec/Comsec
• National Security Agency (NSA) endorsed dual channel encryptor.
• Channels individually configurable.
• Different security levels per channel possible.
• Compatible with different encryption equipment through personality selection.
Terminal Server
• Linux based secure console standalone unit.
• 32 RS232 RJ45 physical ports (NIPR module).
• 16 RS232 RJ45 physical ports (SIPR module).
• 1 Diagnostic/Management port (connected to Management Laptop Com Port).
• 2 Ethernet ports (Port #1 connected to the Ethernet switch).
NX1000
• Replacement for Promina.
Redcom Slice
REDCOM Slice provides 2 T-1s, 24 Plain Old Telephone Service (POTS) lines and 2 Basic Rate Interfaces (BRI). It allows POTS phones access to the VoIP network.
GPS Based-Trak 9000S GPS
[Figure callouts: Pulses Per Second; Pushbutton Keypad; Liquid Crystal Display (LCD); Keyload (Fill Port); Zeroize LED; Power Switch; Diagnostic / Management Port]
System Timing: GPS Based-Trak 9000S GPS
Multiplexers:
Tactical Flexible Multiplexer (FLEXMUX)
• Similar to previous version Flexible Multiplexer
• Ports 2-4 of MUXs 1 and 2 are brought to P/P (JNN, SSS, Hub)
• Port 1 of each MUX is cabled to VANTAGE Non Return to Zero (NRZ) ports (JNN V4, Hub only)
Forward Error Correction (FEC) Blade
• 4 FEC functions per blade
Configuration
• Console port interface to NIPR Terminal Server
Patch Panel:
Transmission Module Patch Panel
• 18 Slot ADC Patchmate P/P (with RS-530 modules)
Allows patching of:
• 6 Transmission Module CDIM Patch Panel Ports
• 6 FMUX Patch Panel Ports
• 4 TRC URD/HSD Ports (JNN(V)4, 5, SSS, Hub)
• 2 KIV-7M Encrypted SA Trunks (JNN(V)4, 5, SSS, Hub)
• 2 KIV-7M Encrypted NIPR Tier 2 Router Ports
• 4 KIV-7M Encrypted and FEC capable NIPR Tier 2 Router Ports
• 2 NIPR Tier 2 Router Ports
• 2 SIPR Tier 1 KIV-7M Encrypted Router Ports
• 2 SATCOM CDIMS (Hub only)
• 2 SATCOM Router KIV-7M Encrypted Serial Ports (Hub only)
• 3 SMU Module KIV-7M Cipher Text (CT) Ports
User Access Case Components
[Figure: front view and rear view]
• 48-port Ethernet Switch
  • Provides user IP connectivity
  • Provides Power over Ethernet (PoE) for IP phones
• VG224 Analog Voice Gateway
  • Provides POTS to IP conversion for 24 subscribers
Major Components – User Access Case (UAC)
[Figure: block diagram and functional diagram]
The User Access Case (UAC) provides Data, Voice over Internet Protocol (VoIP), and Plain Old Telephone System (POTS) subscribers’ connectivity into the network.
• Standardized building block design provides scalability.
• Movement of UAC to other than home JNN requires modification to standard fielded configuration (change management IP address).
• Connect directly off the CPP (first preferred by spec/conops) and then JNN. Allows subscriber access to JNTC-S at Brigade level. VoIP and DATA, SIPR and NIPR choices by cabling to appropriate input.
• User access case replaces pre-LOT 8 telephony case, albeit with smaller capability. Tradeoff is less analog line capability for a small transit case.
• Can be used directly off JNN or Router Case.
A Router case is part of the BnCP LOT 8, and is provided to a fielded JNN in place of old BDE cases. A user access case can plug into router, JNN, or TacHub.
HBCT JNN(V)5 (LOT 10)
• Inter-connectivity of JNN resources.
Battalion Command Post Node
[Figure callouts: NIPR Call Manager; SIPR Call Manager; 10K TQG]
The BnCPN provides:
• Enhanced voice and data capabilities at support Battalions.
• SIPR/NIPR and devices and access (up to 20 data and IP telephony users).
• Capability to interface directly to Ku/Ka satellite or Line-of-Sight radio.
• Transmission resources.
The BnCPN suite of communications equipment is housed in transit cases:
• SIPR/NIPR data interface transit case w/ TACLANE.
• Red voice interface using Cisco IP phones.
• LAN/Network management resources capabilities.
• Ku/Ka TDMA SATCOM ATH (STT).
• Interface to LOS.
• Node Mgmt (S, SI).
• Support for 2-Wire Analog STEs.
• Supports SI and S LAN extension (for user LAN VOIP, video, or data devices).
• Serial and Ethernet Interface to BVTC.
• Initial QoS.
• Enclave Protection.
• IPv4 / v6 when High Assurance Internet Protocol Encryptor (HAIPE) V3 is available.
• C-130 Transportable.
Equipment Changes:
• Replacement of Netscreen Firewall (F/W) with Cisco Adaptive Security Appliance (ASA)-5500 Series.
• Replacement of Call Manager Express (CME) with full Call Manager.
• New TACLANE Micro (KG-175D), replacement of Key Interface Variable (KIV)-19 with KIV-7M.
• Minor connector changes.
Battalion Command Post Node Equipment Allocations:
Packaging/SWAP
• 18K ECU
• 10 KW Towed Generator
GFE/GFS
• CHS-III Components
• COMSEC
Employment
• ESB (24), Corps/Div HQ (18), SBCT/BCT (12), Bde (6)
Baseband
• Tier 2 Router (S, N)
• Ethernet Switch (S, N)
• Management Laptops (S, N)
• TCP Proxy (S, N)
• Call Control (Call Manager Laptops) (S, N)
• HAIPE (v 1.3.5) (Quantity 1)
• Host LAN Firewall / IPS (S, N)
NIPR/SIPR Router Cases:
Components:
• Micro TACLANE
• ASA 5510 Firewall
• Citrix WANScaler PEP
• Cisco 3825 Router
• Cisco 3560G Ethernet Switch
• Patch Panels
• Signal Entry Panel
• Power Entry Panel
Case Dimensions: 22.47 W x 19.40 H x 34.50 D
Estimated Case Weight: 154 lbs.
Estimated Power: 813 W
Additional Components:
• 8 Cisco 7940G Voice over IP telephone sets with Cat5 cables.
• NetOps Package includes 1 ea. SIPR/NIPR LAN Management Go-Books.
• LOS Transit case.
• TFOCA-II – 300 Meter and 100 Meter cable reels.
• Ethernet Cables.
• Console Cables.
• Equipment Grounding/Accessory Bag.
• Ground Straps.
• Ground Rods.
Major Assemblages – CP Platform
The Command Post Platform (CPP) provides the network interface to the lower Tactical Internet (TI), with interface capability to SINCGARS, EPLRS, AN/TRC-103, NTDR, AN/VRC-104, AN/PSC5, INMARSAT, and JTRS.
• Four shelter versions: V1, V2, V3, and V4.
• V2 contains C2 assembly, SIPR, TOCNET.
• V4 contains C2 assembly, SIPR, NIPR, TOCNET.
• Option to provide small network capability when stand-alone (w/o JNN).
Satellite Transportable Terminal (STT)
The Satellite Transportable Terminal (STT) is a satellite terminal system providing two-way digital communications in support of the WIN-T architecture. The STT is located at the Corps/Division and Brigade Combat Team (BCT) level. The terminal consists of a 2.4 meter Ku antenna mounted on a trailer. The electronic components that provide two-way digital communications are mounted in two electronic equipment racks located in a cooled electronics equipment compartment on the rear of the trailer.
The STT is designed to provide voice and data connectivity from worldwide forward locations for intra/inter-theater operations. The terminal has many features that make it ideal for either short or long-term deployment, providing high capacity reach-back services. The terminals can be operated in continuous, uninterrupted operations, either manned or unmanned as required.
The STT uses Time Division Multiple Access (TDMA) and Frequency Division Multiple Access (FDMA) transmission technology to support a high throughput data handling capability for the Army’s IP-based data networks. Two versions of the STT are used:
• The STT version 1 supports the JNN and provides both TDMA and FDMA satellite communication.
• The STT version 2 supports the BnCPN and only operates in the TDMA mode.
The difference between the two versions is the additional equipment (satellite modem) mounted in version 1, which is necessary to implement the FDMA communications capability.
Ku RF/Modem Specifications:
EIRP: 79 dBW (min. saturated)
G/T: 31.0 dB/K (min.)
SATCOM Transmit Frequency: 14.0-14.50 GHz
SATCOM Truck Receive Frequency: 10.95-12.75 GHz
FDMA Modem
TX/RX Frequency: 950 MHz – 2050 MHz
Data Rate: 9.6 kbps – 10 Mbps
Modulation: BPSK / QPSK / 8PSK
CODEC: Reed Solomon and Turbo Code
TDMA Modem
TX Frequency: 950-1525 MHz
RX Frequency: 950-1750 MHz
Symbol Rate: 312, 625, 1250, 2500, 5000 ksps
Modulation: BPSK / QPSK
CODEC: Reed Solomon, Viterbi
CWAN Components
Server Case: P/N 022800994-2
Router Case: P/N 02-2801535-2
User Access Case: P/N 02-2800994-2
UPS Case: P/N 02-2800986-1
CWAN Interconnection Diagram
[Figure: CWAN interconnection diagram. Elements shown: Router Case with Host LAN FW (5510), Tier 2 switch, T2 router, TACLANE (CT/PT) and Citrix WAN Scaler; Call Manager laptop; User Access Case with VG-224; Server Case with Element Manager and Generic Server. Firewall sub-interfaces E0/1.58, E0/1.222, E0/1.224 and E0/1.233 (VLANs 58, 222, 224, 233) and E0/0.358, E0/0.322, E0/0.324 and E0/0.333 (VLANs 358, 322, 324, 333); interfaces labelled Trusted and Untrusted; 802.1q trunks carrying VLANs 58, 222, 224, 233 and VLANs 322, 324, 333, 358; switch VLAN groups labelled MGT, VOICE, DATA, IA and SPARE.]
NIPR Firewalls With VLANS
SIPR Firewalls With VLANS
STT Overview
Warning (1)
Warning - 240 Volts - Contact may cause electrical shock and injury. Disconnect power before servicing.
Warning - RF radiation - Remain clear of region between antenna feed and reflector while radiating.
Warning - Establish and maintain proper earth ground.
Warning - Extended antenna hazard - Antenna must be lowered prior to vehicle operation.
Warning (2)
Warning - Do not connect power cables until equipment is grounded.
Warning - Electric shock hazard - Main disconnect switch does not remove UPS output power. Turn off UPS before servicing.
Warning - Radio frequency radiation - This unit operates at high voltage.
Personnel should not be exposed to the microwave energy that may radiate from the device.
All input and output RF connections, waveguide flanges and gaskets must be leakproof.
Never operate this device without a microwave energy-absorbing load attached.
Never look into an open waveguide or antenna while the device is energized.
Danger
Danger - Tip over hazard - Stow antenna if wind speed may exceed 60 MPH.
Danger - Tip over hazard - Jacks must be properly installed and deployed before system operation.
Danger - Crush hazard - Parking brakes must be enabled before system operation.
Danger - RF power and High Voltage 15,000 volts - service by authorized personnel only.
Attention
Attention - Do not overdrive - Do not exceed 45 watts rated output power. Input frequency 950 MHz to 1450 MHz; overdriving or wrong frequency input may permanently damage amplifier.
Attention - Air intake and exhaust clearance 4 inches minimum.
Attention - Dangerous Voltage.
Do not handcrank antenna clockwise or counterclockwise past 130 degrees from the center of travel!
Caution
Caution: Hearing Protection required when the generator is operating with panels opened.
Purpose and Types of STT (1)
The STT is a Ku or Ka band satellite terminal used to support the BnCPN with
connectivity into the Warrior Information Network-Tactical Increment 1 Node
Network (WIN-T Inc 1 Node-N).
The STT comes in two versions:
1. Version 1 (V1) supports the WIN-T Inc 1 Node using TDMA and FDMA.
2. Version 2 (V2) supports the BnCPN with TDMA only.
Both versions of the STT can be supported by the Master Reference Terminal
(MRT) used to control the TDMA network.
56
Purpose and Types of STT (2)
The STT is a satellite terminal system providing two-way digital communications
in support of the WIN-T architecture. The STT functionally fits in the WIN-T Inc 1
Node at the Corps/Division and Brigade Combat Team (BCT) level.
The terminal consists of a 2.4M Ku/Ka Antenna mounted on a trailer. The
electronic components that provide communications are mounted in two racks
located in a cooled electronics equipment compartment on the rear of the trailer.
Purpose and Types of STT (3)
The STT is designed to provide voice and data connectivity from worldwide forward
locations for intra/inter-theater operations. The terminal has many features that make
it ideal for either short or long term deployment, providing high capacity reach-back
services. The terminals can be operated in continuous, uninterrupted operations
either manned or unmanned as required.
The STT uses Multi-Frequency Time Division Multiple Access (MF-TDMA) and
Frequency Division Multiple Access (FDMA) transmission technology to support a
high throughput data handling capability for the IP based data networks.
STT Components - Roadside
(Figure: roadside view of the STT with labeled components: Composite Antenna Reflector, Straight Feed Boom, Cable Drive, Helicopter Lift Points, Access Panel, Modular Feed System / High Power Amplifier (HPA), Electronic Enclosure Units (EEU), GenSet Battery, Fire Extinguisher and Stabilizer mounting, Main Storage Box.)
STT Components - Curbside
(Figure: curbside view of the STT with labeled components: Generator Fuel Nozzle and Tank, Power Distribution Assembly, I/O Panel / TFOCA-II Connectors, 7.5 kW Onan Generator, Shore Power Input, Heli Lift Point, Fork Lift Access Point.)
STT Components (1)
(Figure labels: Fluxgate Compass, GPS Antenna, Weatherstation.)
STT Components (2)
(Figure labels: Stow Pads, HPA, Drive motors, Cable Drive, Straight Feed Boom.)
EEU Rack 1 Components
• System Patch Panel
• Rack Mount Reference (RMR)
• Antenna Control Unit (ACU)
• Ethernet Switch
• Power Drive Unit (PDU)
• Environmental Control Unit (ECU) Controller
• Monitor & Control (M&C) Laptop
• Uninterruptible Power Supply
• Space for MRT
• UPS Front Panel
EEU Rack 2 Components
• Ethernet Fiber Optic Converters
• CTM-100C Protocol
• 2811 AES IP router
• FDMA Modem (not installed in V2)
• TDMA Modem
EEU Rack 2, located in the trailer’s rear equipment compartment, houses
the components used for TDMA traffic processing, routing, fiber optic
conversion, and FDMA traffic processing.
ECU
The ECU is used to cool the components during adverse temperature
conditions.
M&C Computer
The M&C is used to remotely configure, control, troubleshoot, and operate
equipment.
Input / Output Panel
J1
J2
The TFOCA-II fiber optic cable connectors are located on the curbside of the
trailer.
These provide the connection point for the supported WIN-T Inc 1 Node or
BnCPN node.
Shore Power Input
The primary power input to the STT.
Power Distribution Assembly (PDA)
On the curbside, the PDA has the circuit breakers and indicators for
voltage and power draw, fuel level, generator temperature, and
oil temperature.
Automatic Transfer Switch ITS-50R
• Provides automatic switchover between commercial power and Genset.
• Located behind PDA (hidden).
Oil-Mate and Battery
(Figure labels: Oil-Mate; 12VDC generator battery with cover removed.)
• Oil-Mate injects used generator oil into the diesel fuel tank and injects an
equal amount of fresh oil into the generator every 36 minutes to extend time
between servicing.
• The Alternate Power Unit (APU) battery is used to provide power to the
starter to start the 7.5 KW Genset.
Main Storage Box - Roadside
• TFOCA-II Reels
• Grounding bag
• AC Power cable and Static ground cable
• Ku HPA (Ka pallet goes back into transit case)
• Storage for stabilizer feet
Grounding Bag
Ground Kit
Hammer
Grounding cables with clamps.
Lift Points
Secure all tie downs when not in use.
Front Curbside
Rear Curbside
Front Roadside
Rear Roadside
Fuel Tank - Curbside
Filler tube and cap.
The STT will run for 48-52 hours on a 26 gallon tank of fuel.
External Fuel Connection
External fuel quick connection (capped).
External fuel filter / water separator.
Global Positioning System (GPS)
• The GPS antenna mounted at the base of the antenna is connected via
coaxial cable to the GPS receiver module in the ACU.
• The GPS receiver module's function is to locate three or more GPS
satellites, figure out the distance to each, and use this information to
triangulate the terminal latitude and longitude position.
Flux Gate Compass
The Fluxgate Compass mounted on the rear of the antenna reflector is
used to obtain the terminal’s heading by sensing the orientation of the
trailer in relation to the earth's magnetic field.
Weatherstation
Reports:
• Wind direction & speed
• Humidity
• Dewpoint
Chassis Components
(Figure labels: Heavy duty tie down points, Hand brakes, Trailer electrical cable for signal lights, Tongue jack with swivel.)
Specifications
Ku Transmit Frequency: 14.00 – 14.50 GHz
Ku Receive Frequency: 10.95 – 12.75 GHz
Ka Transmit Frequency: 30.00 – 31.00 GHz
Ka Receive Frequency: 20.20 – 21.20 GHz
TDMA Data Rates: 4.6 Mbps / 5 Msps
FDMA Data Rates: 2.4 Kbps - 52 Mbps
TDMA (De)Modulation: QPSK, 8PSK
FDMA (De)Modulation: BPSK, QPSK, OQPSK, and 8PSK
Power: Commercial Power and onboard generator power
Receive Block Diagram
The highlighted path in red arrows depicts the receive signal from a remote site
to the locally connected WIN-T Inc-1 Node.
Transmit Block Diagram
The highlighted path in red arrows depicts the transmit signal from the locally
connected WIN-T Inc-1 Node to a remote site STT or Hub truck.
Equipment Overview and Architecture
ESB BnCPN Network Example
(Figure: Area Signal network diagram. Labels include: X Band; EHF Band; Ku Band; TDMA; FDMA; Step Site; DISA; JNN; ESB Hub Node; SSS; TSC-85; TSC-93; STT; V1; V3; HCLOS; LOS Back-Up Link; ESB Heavy Signal Platoon; ESB Expeditionary Signal Platoon; Signal Platoon Element.)
The above figure is an example of an Area Signal posture and the basic interconnectivity of Signal assets.
Mission Statement:
Warfighter Information Network – Tactical (WIN-T) is the Army’s current and
future tactical network that will provide seamless, assured, mobile
communications for the warfighter along with advanced network management
tools to support implementation of commander’s intent and priorities –
incrementally. Increment 1 provides “Networking At-The-Halt” capability down to
battalion level with a follow-on “Enhanced Networking At-The-Halt” (Inc 1b) to
improve efficiency and encryption to divisions, brigades and battalions. WIN-T
Increment 1 components reside at the division, brigade, and battalion levels.
Description
• State of The Art COTS/GOTS For The Current Force.
• Connects The Warfighter To The Global Information Grid.
• DISN Connectivity Down To Battalion Level.
• Enhanced Mobility And Communications At The Quick Halt.
• Joint And Coalition Connectivity.
• Provided Interface To Legacy Systems.
• Encrypted SIPRNET Traffic Through the NIPRNET.
• SATCOM & Terrestrial Termination.
• Autonomous Brigade Operations.
Benefits/Capabilities
• Supports Modularity by allowing a Brigade Combat Team to have self-sustaining reach back communications.
• Provides internet infrastructure connectivity directly to the Battalion level.
• Transitions Army Networks from proprietary protocols to “EVERYTHING
OVER IP” (EOIP).
• Allows independent mobility of command posts and centers unconstrained
by Line of Sight radio ranges.
• Incorporates industry standards for network operations and intrusion
detection.
The Bn CPN has a single radio link into the JNN network via the TDMA satellite.
Permanent or static VPNs are built into the JNNs and Hub Node.
Dynamic VPNs are built on demand to other Bn CPN systems. The
establishment of these on-demand VPNs is based on user requirements to transfer
information between Bn CPNs.
Establishing VPNs between CPNs on an as needed basis decreases the amount
of satellite resources required to support the network.
The THN is a Division asset that provides connectivity to the Defense Information
Systems Network (DISN) and the Global Information Grid (GIG). The THN
utilizes both FDMA and TDMA satellite connectivity. The THN also serves as the
master hub node for TDMA mesh networks of the BCTs and their associated Bn
CPN.
The JNN is located at the Brigade Combat Team (BCT) element. It serves as
both a distribution point for the various systems within the BCT and provides
direct network services for the Brigade headquarter elements. The JNN can
utilize both TDMA and FDMA satellite connectivity and has a single FDMA link
that is usually reserved for connectivity to the THN.
Regional Hub Node
The RHN is the largest of the four JNN-N Hub Node types, and can provide the
following capabilities:
• Provide primary hub node connectivity (FDMA and TDMA) and services
for tactical users during reception, staging, onward movement, and
integration (RSOI) operations.
• Provide TDMA management support enabling intra-theater Brigade-to-Brigade level routing and network services.
• Provide continuity of operations (COOP) for MRHNs and THNs.
• Provide primary hub node connectivity and services to expeditionary units
(e.g., BCT) not deploying with a THN.
• Provide support to Expeditionary Signal Battalions (ESBs)/Integrated
Theater Signal Battalion-Joint Network Node (ITSB-J) that are task
organized to support Division and below units.
• Provide a server sanctuary supporting the delivery of theater level
services and a stable location for Division or Brigade units to host services
for their tactical users.
• Provide JNN-N Hub Node connectivity and services for mounted battle
command on the move (MBCOTM) users.
• Support up to three JNN-N equipped Divisions, or reconfigurable to
support two JNN-N equipped Divisions, four BCTs, and one separate
(non-BCT) mission.
• Extend DISN voice, data, and video services to the warfighters.
• Provide assured, low latency reachback to the TNCCs for Top
Secret/Sensitive Compartmented Information (TS/SCI) users using JNNs
or CPNs as their transport connection to the RHN.
• The RHN system is designed to support 3 separate JNN-enabled Army
Divisions and up to 4 stand alone BCTs through satellite connectivity to
other JNN Network systems: the THN, the JNN, and the Bn CPN.
• The RHN will support both Frequency Division Multiple Access (FDMA)
and Time Division Multiple Access (TDMA) satellite links. Equipment is
grouped into enclaves within the FHRN facility as shown.
Each enclave will operate independently of the others.
(WIN-T Inc 1) Systems Architecture Overview
(Figure labels: NIPR Call Manager, SIPR Call Manager, 10K TQG.)
NIPR/SIPR Router Case
Front View
Rear View
NIPR/SIPR Router Cases:
Components:
• Micro TACLANE
• ASA 5510 Firewall
• Citrix WANScaler PEP
• Cisco 3825 Router
• Cisco 3560G Ethernet Switch
• Patch Panels
• Signal Entry Panel
• Power Entry Panel
Case Dimensions:
• 22.47 W x 19.40 H x 34.50 D
• Estimated Case Weight: 154 lbs.
• Estimated Power: 813 W
BnCPN Signal Flow
LOS CASE
To LOS
This diagram illustrates component connections.
The VPN Case provides direct connectivity to the Ku Satellite trailer for
connectivity into the TDMA satellite network. The VPN Case can be configured
to support NIPR users though this is not part of the standard configuration.
The LOS case is intended to provide connectivity for the Bn CPN to a legacy
system with a TRI-TAC CDI interface such as an MSE LOS system.
When using the LOS Case, DMVPN operation is not possible. The Router Case
directly supports the SIPR user, data and voice and is connected to the VPN
Case via fiber.
The BnCPN provides direct network access to users within a Battalion element
for secure data and voice services.
It utilizes only Time Division Multiple Access (TDMA) satellite connectivity.
Line of sight inter-connectivity is provided through the use of the LOS Transit
Case.
It has permanent links to the THN and JNN and can establish on demand
connections to other CPNs within the meshed network.
The BnCPN provides LAN and WAN firewall protection.
Routing & Switching
ROUTING & SWITCHING:
Two 3825 Routers
1. SIPR Router
2. NIPR Router.
Cisco Catalyst 3650 Ethernet Switch:
• The switch terminates IP Phones, and Computers.
• The switch can be stacked with other switches.
• Provides 48 ports with Power Over Ethernet (POE), for VOIP Telephones.
ASA 5510 Firewall
ASA 5510 Firewall:
• Console port, for connecting to serial terminal emulation programs such as
HyperTerminal.
• A modem port, used for remote console sessions using dial-up
connections.
• Four Ethernet ports, for connecting the ASA 5510 device to your LAN or
local workstation and to the internet.
TACLANE Micro Model KG-175D
TACLANE MICRO Model KG-175D:
• The TACLANE provides encryption over DOD IP networks and ATM
networks (ATDNET & WIN-T).
• The TACLANE provides security over legacy tactical IP networks (MPN)
and strategic IP networks (SIPRNET).
• The SVNs support the logical grouping of users at a common security
level in a common community of interest.
Although multiple SVNs can operate at different security levels, they can share
common transmission and switching elements because they are isolated from
each other via cryptography. SVNs encrypt data prior to passing it over the Ku
network.
TACLANE Micro Capabilities:
• Supports IP datagram encryption over Ethernet 10/100 Base-TX or 100
Base-FX physical Interface.
• 200 Mbps aggregate throughput, full duplex.
• HAIPE IS v1.3.5 compliant IP encryption.
• 512 security associations supported user traffic.
• One security association protects all user traffic between a pair of
TACLANEs.
• Automated peer TACLANE discovery using SDD (Secure Dynamic
Discovery).
• PPK and FFVS for each security association.
• Up to 16 PPK Chains.
• Up to 11 changeover PPKs in each chain.
• IP TFS controls.
• Over the Network Software Download and Field Software Upgrade.
• Up to 9 simultaneous network managers.
Other Characteristics:
• TACLANE can communicate at multiple security levels, one level at any
given time. The operator selects the security level.
• The CIK protects one FIREFLY vector set and up to 48 PPKs, all filled
using a DTD.
• An operator can create 2 user CIKs, for a total of 3 CIKs, to allow shift
operators access to the same key material.
• Physical access control is provided by removing the CIK, which locks the
TACLANE.
• TACLANE is NSA-certified to provide Type 1 encryption and decryption for
information classified TOP SECRET codeword and below.
• When a valid CIK is inserted, the TACLANE is classified at the highest
classification level of the key it contains (but never less than
UNCLASSIFIED/CCI).
• When the CIK is removed, the TACLANE is UNCLASSIFIED/CCI and the
CIK is UNCLASSIFIED.
Citrix WANScaler
Citrix WANScaler:
The WANScaler appliance will optimize WAN links, which gives the network
maximum throughput at any distance, making the WAN behave like a LAN.
This appliance works transparently on your network; there is no need to
reconfigure servers, clients, applications, or your network infrastructure. The
WANScaler becomes a virtual gateway that controls the TCP traffic on the link.
Normally, TCP is controlled by the endpoint devices, which have no visibility into
the state of the link or the amount of other traffic on the link. This situation
makes TCP less than advantageous over WAN links.
The WANScaler appliance supplies the intelligence that is missing in the network
and the TCP connections. It is configured as a virtual gateway with only one
parameter – the bandwidth limit – that configures the link speed.
By overcoming the inherent limitations of TCP/IP over impaired links (high delay
and/or high error), it improves performance of TCP/IP based applications
such as web browsing (HTTP), file transfer (FTP), etc.
Uninterruptible Power Supply (UPS)
Front View
Rear View
The UPS will provide emergency power for 12 minutes to the cases in the event
of a prime power loss.
Power Output: 1005 Watts
Amps: 13 at 115VAC / 6.5 at 230VAC
Backup Time With Full Load: 12 Minutes
Total Number of Outputs: 4
Surge Suppression: 480 Joules
Transfer Time: Zero, True online design
Operating Temperature: 0°C to 40°C
Automatic Shutdown
Audible Alarm
JNN/CPN/STT Network Overview
STT Network Overview
The AN/TSC-167B (V) Satellite Transportable Terminal (STT) is a satellite
terminal system providing two-way digital communications in support of the WIN-T
network architecture. The STT functionally fits in at the Corps/Division and
Brigade Combat Team (BCT) level.
The STT uses Multi-Frequency Time Division Multiple Access (MF-TDMA) and
Frequency Division Multiple Access (FDMA) transmission technology to support
a high throughput data handling capability for the Army’s IP based data networks.
Two versions of the STT are used:
1. The STT version that supports the JNN provides both TDMA and FDMA
satellite communication.
2. The STT version that supports the BnCPN only operates in the TDMA
mode.
The difference in the two versions is the additional equipment (satellite modem
and fiber-optic modem) on the JNN version necessary to implement the FDMA
communications capability.
External Connectivity
(Figure: BCT CP and Battalion CP external connectivity diagram. Labels include: X-Band Satellite; Ku-Band Satellite; EHF-Band Satellite; TDMA – IP; FDMA – IP + CKT; EHF via SMART-T; X-Band via GMF; UHF TACSAT; LOS; HCLOS; STEP/Teleport; Surrogate Teleport; TSC-85/93; SMART-T; JNN; BDE Command Post; 2.4 M Ku TERMINAL; Battalion CP. Other Comms available: UHF SATCOM, L-Band (BFT & INMARSAT), SINCGARS, IRIDIUM, MBITR, GBS, CSS, TROJAN SPIRIT, and HF.)
The STT is designed to provide voice and data connectivity from worldwide
forward locations for intra/inter-theater operations. The terminal has many
features that make it ideal for either short or long-term deployment, providing
high capacity reach-back services.
The terminals can be operated in continuous, uninterrupted operations either
manned or unmanned as required. The voice and data connectivity as part of
the Global Information Grid (GIG) can be in the form of NIPR (Non-secure
Internet Protocol), SIPR (Secure Internet Protocol), VTC (Video
Teleconferencing), VoIP (Voice over IP), ISDN (Integrated Service Digital
Network), DSN (Defense Service Network), PBX (Private Branch exchange),
External Connectivity
(Figure: Battalion External Connectivity diagram. Labels include: ESB; TDMA – IP; FDMA – IP + CKT; X-Band Satellite; Ku-Band Satellite; EHF-Band Satellite; EHF via SMART-T; X-Band via GMF; UHF TACSAT; LOS; HCLOS; STEP/Teleport; Surrogate Teleport; TRC-85/93; 2.4 M Ku TERMINAL; JNN; UEx MAIN; SMART-T; UA Command Post. Other Comms available: UHF SATCOM, L-Band (BFT & INMARSAT), SINCGARS, IRIDIUM, MBITR, GBS, CSS, TROJAN SPIRIT, and HF.)
The connection to the GIG/DISN (Defense Information Services Network) or
commercial assets can be located at a STEP (Standardized Tactical Entry Point)
site or a Regional Hub Node.
Overview
(Figure: JNN network overview diagram. Labels include: Sanctuary; GIG/DISN; Fixed Regional Hub Node; Division Hub Node; DIV (TAC 1&2); Brigade Node; BDE (Multiple per Div); Battalion Command Post Node; BN (Multiple per BDE); Ku; 3.9m; 2.4m; TDMA 37-40 Shared; FDMA 16-20 Mbps Fixed; FDMA – IP + CKT; TDMA – IP; TDMA Shared Among Bns; LOS TRC-190 V(3); SMART-T; 1.544 Mbps; Baseband; Red Voice; Black Voice; SIPR; NIPR; NET OPS PKGS; WAN; LAN; DPEM; LAN MGT; Existing Equipment; JNN Network Equipment.)
Each STT consists of a 2.4M SM-LT Ku antenna mounted on a trailer. The
electronic components provide 2-way digital communications via two racks of
equipment located in a cooled electronic equipment compartment on the rear of
the trailer. In each example, the trailer connects to some form of data package
either in transit cases or CPNs (Command Post Nodes) or BSN (Brigade
Subscriber Node).
JNN System - Components
A complete JNN system consists of several subcomponents:
• JNN shelter mounted on HMMWV.
• Ku satellite trailer towed by JNN shelter HMMWV.
• Two HMMWV support vehicles each towing 10 kw generators.
• AN/TRC-190(V)3 HCLOS system consisting of:
- AN/TRC-190(V)3 shelter
- HMMWV (shelter carrier) towing 10 kw generator.
- HMMWV support vehicle towing support trailer.
• BVTC/BITS transit case.
• Three each SIPR data transit cases.
• Two each NIPR data cases.
• Two each red voice transit cases.
• Two each black voice transit cases.
• Three each SIPR & NIPR laptops for Nodal, LAN, & WAN management.
• UNIX Tadpole computer for WAN planning.
• Two JNN spares cases.
• One NMS transit case.
Typical JNN Interfaces
The above diagram depicts the various interfaces on the JNN shelter and typical
devices that may be interfaced to the connections.
BnCPN Signal Flow
(Figure: BnCPN signal flow diagram showing SIPR and NIPR paths. Labels include: JNN; STT TRAILER; SEP; MC; KG-175 TACLANE; CT; PT; TO SIPR TACLANE; ALT. to TACLANE (optional); CISCO 3560 ETHERNET SW; PORTS 1 - 42 FOR USER ACCESS; * Ports 46-52 for access cases; * Ports 46-48, 50, and 52 for user case; VLAN 6; VLAN 58; VLAN 59; VLAN 175; VLAN 6 + 175; GE 0/0; GE 0/1; GE 0/43; GE 0/44; GE 0/45; GE 0/49; GE 0/51; SFP 1; SFP 2; dot1q TRUNK; CISCO 3825 ROUTER; VPN RTR; NETSCREEN 50; PORT 1; PORT 3; SERIAL PORT; TURBO IP; WAN; LAN; LOS CASE; HCLOS; LOS.)
Signal flows through the LOS cases, BnCPN cases, STT to the Satellite in orbit
eventually to the JNN networked equipment. Notice that the LOS cases are
supported by the LOS (v) series shelters either by legacy or by HCLOS.
WIN-T Network Architecture
(Figure: WIN-T network architecture diagram. Labels include: Regional Hub Node; Hub Node (Div/Corps); DISN/GIG; DISN/GIG (cable); JNN; BN CPN (Battalion level unit); Ku TDMA; Ku FDMA.)
Currently, WIN-T Inc 1 and legacy JNN Hub Nodes using commercial Ku and
Ka-band satellite capabilities are providing the transport using Time Division
Multiple Access (TDMA) and Frequency Division Multiple Access (FDMA)
technologies.
The WIN-T network architecture (Figure 1-1) is composed of four primary nodes
that provide support to various elements within the Army and Joint Forces:
1. Regional Hub Node (RHN)
2. Unit Hub Node (UHN)
3. Joint Network Node (JNN)
4. Battalion Command Post Node (BnCPN)
The UHN is a Division asset that provides connectivity to the Defense
Information Systems Network (DISN) and the Global Information Grid (GIG).
The UHN utilizes both FDMA and TDMA satellite connectivity. The UHN also
serves as the master hub node for TDMA mesh networks of the Brigades and
their associated BnCPNs.
The JNN is located at the Brigade element. It serves as both a distribution point
for the various systems within the Brigade and provides direct network services
for the Brigade headquarter elements. The JNN can utilize both TDMA and
FDMA satellite connectivity and has a single FDMA link that is usually reserved
for connectivity to the UHN.
The BnCPN provides direct network access to users within a Battalion element.
It utilizes only TDMA satellite connectivity. It has permanent links to the UHN
and JNN and can establish on demand connections to other CPNs within the
Brigade.
The RHN enables the deployment of WIN-T Inc 1 and legacy JNN equipped units
into a theater where they can immediately begin to draw their satellite services
from a fully provisioned hub node operating in sanctuary. RHNs allow satellite,
voice, and data services to be provisioned and pre-positioned to support
deploying forces as they flow into a theater of operation. The RHN will activate
satellite carriers prior to the flow of forces into the theater, as well as provide
connectivity for deployed force access to national networks. The RHN is the
primary hub node when a UHN is not in-theater, or it can provide backup
services in support of a Division, even if their UHN is operational.
Five Regional Hub Nodes will be deployed at fixed operational base locations to
provide near worldwide coverage. They will be located in the European,
Southwest Asia, and Western Pacific theaters, as well as on the United States
east and west coasts.
The RHN can be divided logically into three subcomponents: satellite
communications, baseband services, and network operations and user services.
The RHN is the largest of the four WIN-T Increment 1 and legacy JNN Hub Node
types, and can provide the following capabilities:
• Provide primary hub node connectivity (FDMA and TDMA) and services
for tactical users during reception, staging, onward movement, and
integration (RSOI) operations.
• Provide TDMA management support enabling intra-theater Brigade-to-Brigade level routing and network services.
• Provide primary hub node connectivity and services to expeditionary units
not deploying with a UHN.
• Provide support to Echelon Above Corps (EAC), such as Expeditionary
Signal Battalion (ESB), or Echelon Corps and Below (ECB), which are
task organized to support the entire entity.
• Provide a server sanctuary supporting the delivery of theater level
services and a stable location for Division or Brigade units to host services
for their tactical users.
• Provide WIN-T Inc 1 and legacy JNN Hub Node connectivity and services
for mounted battle command on the move (MBCOTM) users.
• Extend DISN services to the tactical user.
Transit Cases
BnCPN Transit Cases
The BnCPN is contained in three transit cases:
• Router Case
• VPN Case
• LOS Case
The above diagram shows the interconnectivity between the cases.
The Router Case directly supports the SIPR user, data and voice and is
connected to the VPN Case via fiber through media converters.
The VPN Case provides direct connectivity to the Ku Satellite trailer for
connectivity into the TDMA satellite network.
The VPN Case can be configured to support NIPR users though this is not part of
the standard configuration.
The LOS case is intended to provide connectivity for the BnCPN to a legacy
system with a TRI-TAC CDI interface such as an MSE LOS system.
When using the LOS Case, DMVPN operation is not possible.
Line of Sight Case (LOS)
BnCPN LOS Case
Front View
Rear View
Diphase Modem Line Of Sight Interface Case:
The LOS case is intended to be used in conjunction with either the Battalion
Command Post NIPR case or the Battalion Command Post SIPR case.
It accepts a serial interface from the NIPR or SIPR case and applies Forward
Error Correction (FEC), encrypts via KIV-7M, and modulates signals using a
CTM-100C diphase modem.
It supports 2 LOS links.
CTM-100/C
CTM-100/C:
The CDIMs have two modem functions:
• Converts data between Non Return to Zero (NRZ) and Conditioned
Diphase signaling types [Cat5 and CX-11230 cables].
• Converts between Fiber Optic and NRZ [TFOCA-II and Cat5 cables].
• The purpose of the dual port CDIMs is to convert the NRZ data into CDI or
fiber.
• Allows interfaces to be extended from the shelter using either CX-11230
cable or fiber optic cable.
• Supports rates up to 4608 kb/s using CX-11230, 18720 using fiber.
• Transports data up to 2 miles using CX-11230 depending on the
transmission rate.
• Transports data up to 10 miles using fiber optical cable for all data rates.
• Can support loopbacks on the NRZ, CDI, or fiber side of the selected port.
CDIM
A> ALARMS
*
>> A,B
• The purpose of the dual port CDIM is to convert NRZ (RS-530) data into CDI or fiber
• Allow interfaces to be extended from the shelter using either CX-11230 cable or fiber optic cable
• Support rates up to 4608 Kbps using CX-11230, 18720 Kbps using fiber
The major engineering goal of the optional CTM-100/C multiplexer mode was to
interface THSDN Digital Trunk Groups (DTGs). The CTM-100/C can break out
the voice and data circuits of a High Speed DTG. This allows for Small
Extension Node, SEN-like capabilities to be performed in a much smaller form
factor. The basic operation is that the CTM-100/C receives the High Speed DTG
and breaks out the separate voice and data streams. The voice portion of the
DTG is delivered to an RMC or LTU and the data portion of the DTG is delivered
to a router.
The CTM-100/C can move circuits at distances up to 16 km and rates up to
18720 kbs utilizing tactical fiber cable such as CX-13295, or at distances up to
3.2 km and at rates up to 4608 kbs via legacy copper cables such as CX-11230.
The CTM-100/C optical transceivers can drive circuits 16km over single or
multimode cable.
The loopbacks are digital loopbacks, which allow the data to pass through the
CTM-100/C internal circuitry before being looped back.
• Transport data up to 2 miles using CX-11230 depending on the
transmission rate.
• Transport data up to 10 miles using fiber optical cable for all data rates.
• Can support loopbacks on the NRZ, CDI, or Fiber side of the selected
port.
J-1 TERM: Interface to Terminal Server and for external configuration.
PORT: Select the desired port (A/B).
ENTER: Accepts entered selection such as data rate.
ESC: Returns to the default top-level menu (alarms display).
Up and down arrows scroll through menu options available.
Left and right arrows scroll through available menu option settings.
LCD: Status and configuration display.
Upon power-up, the CDIM will display software version and then the system level
Alarms status.
From the alarms status, the user can configure the CDIM using the panel
buttons.
Configurations are automatically saved in NVRAM (Non Volatile Random Access
Memory) after eight seconds of no menu activity.
Three types of available commands:
1. Normal: Contain options selectable by the user
Different options available for Fiber and CDI
2. Status Only: Statuses that cannot be changed
3. Re-Settable: Status items that may be reset
CDIM Rear Panel
Controls & Indicators
J3/J7: DB-50 female connectors for ports A and B, used for CDI signals.
J4/J8: DB-25 female connectors, used for NRZ signals.
J5/J9: Port A and B fiber optic transmit connections.
J6/J10: Port A and B fiber optic receive connections.
CDIM Tests and Loops
CDIM Test
CDIM Loopback
Tests and loopbacks will help troubleshoot the CDIM links whenever they are not
working properly.
• CDIM tests can be applied on any of the CDIM ports.
• Port selection will be done through the Test Mode menu option.
• Different ports will be available depending on what CDIM mode is
selected.
• For tests to function, the network device will have to be put in loopback.
• CDIM loops can also be put on any of the CDIM ports.
• Port selection will be done through the loops menu option.
(HSFEC)
HSFEC:
• High Speed Forward Error Correction card- corrects Bit Error rates.
• Automatically senses data rates.
• Located in the LOS Interface case, inside the FEC box.
• Houses 1 HSFEC-5 card.
(HSFEC)
Controls and Indicators
1 M (MODE) LED:
Green: FEC ON + INTERLEAVER ON
Yellow: FEC only
Red: No FEC
2 B (BER) LED:
Red: The bit error rate is higher than 2x10^-6 (only BER Test Mode or Loopback Mode)
Green: The bit error rate is lower than 2x10^-6 (only BER Test Mode or Loopback Mode)
3 S (SYNC) LED:
Red: The FEC cards on the sending and receiving end are out of sync
Green: The FEC cards on the sending and receiving end are in sync
Off: FEC is turned off.
4 HOT SWAP LED:
Red: Card can be removed and reinserted without shutting off power
HSFEC Loopback Test
• This procedure loops back the HSFEC network element in a NIPR Tier 1 serial channel. The toggle switches on the
front panel of the HSFEC card in the FLEXMUX are used to set the loopback.
– Check the mode (M) LED for the channel under test on the HSFEC front panel. If the LED is green or
yellow, the HSFEC circuit is activated: proceed with this procedure. If the LED is red, the HSFEC
function is bypassed and loopback testing does not apply.
– Set the channel’s Loopback-Normal-BER Test switch to the Loopback position.
– Check the port status using SNMPc and verify that the port is Up indicating a successful loopback test.
– Set the Loopback-Normal-BER Test switch back to the Normal position when the test is complete.
120
KIV-7M
KIV-7M:

Provides digital data encryption/decryption.

Operates in full duplex synchronous operation employing identical key
generators for transmission and reception.
121
KIV-7M Functions
The KIV-7M is a Type-1 encryption device which will be used in the SSS for the
purpose of encrypting DTG links between the SMU and other circuit switches,
encrypting SA-TRK links between Prominas, and for encrypting router to router
links. Each KIV-7M will have two independently configurable channels that may
be keyed at different security levels if needed. They will operate in one of four
modes or personalities. Which mode we use will depend on what the
distant end COMSEC equipment is.
One of the modes we use will be the KIV-7 mode that will communicate with
older KIV-7 models. This mode will probably be used for encrypting router
circuits. The second mode we will use is the KG-194 mode that will be
compatible with KIV-19 and KG-194 type encryptors. We will probably use this
mode for encrypting SMU DTGs, Promina SA-TRK links, and even some router-to-router links. The final mode that we will be using is the Suite-A mode. This
mode will be used for communicating between two KIV-7Ms.
You can store up to four configurations per channel. These are handy if
you interface to different equipment that requires different settings in your device.
One example is that you set up the KIV with certain settings for communication
with another KIV-7M, store that config in one of the four storage locations, and
store a config for communication with a legacy KG-194 in another location.
These two configs can be stored on the same channel and recalled into use as
necessary. This will be the normal operations for us during training.
122
The KIV will be able to run at speeds of up to 2048 Kb when we're using it in
KIV-7 mode. If we use it in KG-194 mode then we can run up to 13.5 Mb but
most of the equipment we will be interfacing does not go that high. Suite-A can
go even higher, but we will probably be using the EIA-530 connectors for all
communications.
To break it down again, the KIV-7M is a dual channel encryptor. These two
channels are independently configurable. They can be set up in one of four
modes for use with differing distant end encryption devices. The fact that the two
channels are independently configurable means you can set up one of the
channels as a KG-194 with a secret key and the other channel as a Suite-A
device with a top-secret key if needed. The possible data rates depend on
device configuration as far as mode and data connector type.
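The mode and rate rules above can be checked before a unit is configured. The following is an added example, not part of the course material: the `StoredConfig` record and `check_plan` function are hypothetical names, the sample plan is constructed, and the rates are read as kb/s (2048 Kb, 13.5 Mb), which is an assumption about the units in the text.

```python
from collections import Counter
from dataclasses import dataclass

# Values taken from the text above; rates interpreted as kb/s (assumption).
PERSONALITY_FOR = {"KIV-7": "KIV-7", "KIV-19": "KG-194", "KG-194": "KG-194", "KIV-7M": "Suite-A"}
MAX_RATE_KBPS = {"KIV-7": 2048, "KG-194": 13500, "Suite-A": None}  # None: the text gives no figure
MAX_STORED_PER_CHANNEL = 4


@dataclass(frozen=True)
class StoredConfig:  # hypothetical record for one stored channel configuration
    channel: int
    personality: str
    distant_end: str
    rate_kbps: int


def check_plan(configs):
    """Return findings for one KIV-7M; an empty list means the plan is consistent."""
    findings = []
    for n, cfg in enumerate(configs, start=1):
        where = f"config {n} (channel {cfg.channel})"
        if cfg.channel not in (1, 2):
            findings.append(f"{where}: the KIV-7M has only channels 1 and 2")
        if cfg.personality not in MAX_RATE_KBPS:
            findings.append(f"{where}: unknown personality {cfg.personality!r}")
            continue
        expected = PERSONALITY_FOR.get(cfg.distant_end)
        if expected is None:
            findings.append(f"{where}: distant end {cfg.distant_end!r} is not covered by the text")
        elif expected != cfg.personality:
            findings.append(f"{where}: {cfg.distant_end} needs the {expected} personality, not {cfg.personality}")
        limit = MAX_RATE_KBPS[cfg.personality]
        if limit is not None and cfg.rate_kbps > limit:
            findings.append(f"{where}: {cfg.rate_kbps} kb/s exceeds the {limit} kb/s limit of {cfg.personality} mode")
    for channel, count in sorted(Counter(c.channel for c in configs).items()):
        if count > MAX_STORED_PER_CHANNEL:
            findings.append(f"channel {channel}: {count} stored configurations, at most {MAX_STORED_PER_CHANNEL} fit")
    return findings


# Constructed sample plan: two sound entries and two deliberate mistakes.
SAMPLE = [
    StoredConfig(1, "Suite-A", "KIV-7M", 8192),
    StoredConfig(1, "KG-194", "KG-194", 1544),
    StoredConfig(2, "KIV-7", "KIV-19", 1024),   # wrong personality for a KIV-19
    StoredConfig(2, "KIV-7", "KIV-7", 4096),    # above the KIV-7 mode limit
]

if __name__ == "__main__":
    for finding in check_plan(SAMPLE):
        print(finding)
```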
123
Controls and Indicators (1)
Channel
Display
Command and
Status Display
Before starting to configure the KIV, we need to familiarize ourselves with the controls and
indicators of the device. The fill port on the front panel will be used for loading
COMSEC keys into the KIV. We will go over how to load keys later. This port
will normally be configured as a DS-102 port that will make it compatible with
KYK-13s, KYX-15s, and AN/CYZ-10s.
The CIK port is where the CIK or Crypto Ignition Key is inserted for operating the
KIV. The KIV will not function without a CIK or with an incorrect CIK. Only one
valid CIK may exist for each KIV. If the CIK that was previously initialized for the
device is lost or damaged, then a new CIK may be initialized. However, since
only one valid CIK may exist, the old CIK, which was lost or damaged, is no
longer valid. Not a problem if it was damaged, but if it was lost and then found, it
will no longer work with this or any other KIV. Be sure to properly label and store
CIK keys when not in use.
The purpose of the CIK key is to encrypt keys that are loaded in the KIV. Once a
CIK is installed and initialized, it will be valid only in the KIV for which it was
initialized. During operations, any COMSEC keys that are loaded into the KIV
will only be valid as long as the associated CIK is installed. The CIK may be
removed and stored without zeroing the KIV. If the CIK is lost, then the keys that
are loaded in the KIV will not be operational. If a new CIK is installed and
initialized in the KIV, then any loaded keys will be zeroized since they were only
valid with the prior initialized CIK.
124
The channel display notifies the operator which channel is current on the KIV.
More precisely, it notifies the operator
of which channel is currently being displayed and configured on the KIV. There
will either be a 1 for channel one, a 2 for channel two, or a – signifying that
the system or KIV itself is being configured and not either of the channels.
The command and status display will be used for displaying statuses of the KIV.
We will also use it for scrolling through commands and options of the KIV and
then selecting the desired command and/or setting/option.
FILL Connector: Used for loading keys into the KIV-7M.
Programmable by personality as either DS-101 for DTD type devices, DS-102 for
common fill devices, or RS-232.
CIK Port: Used for Crypto Ignition Key insertion which is used to initialize the
KIV-7M. If no CIK is inserted, the KIV-7M is inoperable.
Channel Display: Single character display that signifies which channel of the
KIV-7M is currently being configured. If a – is displayed then you are in system
configuration.
Command and Status Display: Displays command options and status
messages to the operator.
125
Controls and Indicators (2)
The CH button will be used for selecting which channel of the KIV to configure.
Pressing this button will cause the channel display to scroll between either
channel 1, 2, or – for system configuration.
The up and down arrow buttons will scroll through the commands and options of
the KIV for the selected channel or system. The commands will display at the
command and status display screen. When accessing the command menu from
a status display, it may be necessary to first press the down arrow before the
command menu displays.
The INIT button will be used to initiate an action, depending on the operational
status of the KIV. This action may be to select the current command, select the
current setting for the command, to load a key, to update or resync a key. The
ESC button will be used to back up one level in the menu tree.
The ON LINE button will place the selected channel into an on-line or operational
status. The channel will only go on-line as long as valid keys have been loaded
for the channel. The channel may also be brought off-line with this button.
126
When the INIT and ESC buttons are pressed simultaneously, the KIV will be
zeroized. All keys will be zeroed and the CIK will be initialized to a blank state. If
this is done, it will be necessary to reset the KIV. This may be accomplished by
removing and reinserting the CIK key or by cycling power to the KIV.
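The CIK, key-loading, ON LINE and zeroize rules described above can be traced with a small state model. This is an added example, not part of the course material and not device firmware: `KivModel` and its methods are hypothetical names, the CIK identity is a random token standing in for the physical key, and key labels are constructed strings with no key material.

```python
import secrets


class KivModel:
    """Toy state model of the CIK rules in the text; not device firmware."""

    def __init__(self):
        self.valid_cik = None   # the single CIK currently valid for this unit
        self.inserted = None    # CIK present in the CIK port, if any
        self.keys = {}          # channel -> constructed key label (no key material)

    def initialize_cik(self):
        """Initialize a fresh CIK: the old one stops working and loaded keys are lost."""
        self.keys.clear()
        self.valid_cik = self.inserted = secrets.token_hex(8)
        return self.valid_cik

    def insert_cik(self, cik):
        self.inserted = cik

    def remove_cik(self):
        """Removal does not zeroize; keys stay stored but cannot be used."""
        self.inserted = None

    def operable(self):
        return self.valid_cik is not None and self.inserted == self.valid_cik

    def load_key(self, channel, label):
        if channel not in (1, 2) or not self.operable():
            raise PermissionError("valid CIK and channel 1 or 2 required")
        self.keys[channel] = label

    def can_go_online(self, channel):
        """ON LINE works only with the valid CIK installed and a key on the channel."""
        return self.operable() and channel in self.keys

    def zeroize(self):
        """INIT + ESC together: every key zeroed, CIK returned to a blank state."""
        self.keys.clear()
        self.valid_cik = None


def lost_and_found():
    """Walk the lost-CIK case from the text; returns the observations in order."""
    kiv = KivModel()
    old = kiv.initialize_cik()
    kiv.load_key(1, "CONSTRUCTED-KEY-1")
    online_before = kiv.can_go_online(1)
    kiv.remove_cik()                      # CIK goes missing
    kiv.initialize_cik()                  # replacement CIK initialized
    keys_after_reinit = dict(kiv.keys)    # previously loaded keys are gone
    kiv.insert_cik(old)                   # the lost CIK turns up again
    return online_before, keys_after_reinit, kiv.operable()
```

`lost_and_found()` returns `(True, {}, False)`: the channel could go on-line with the original CIK, the re-initialization cleared the loaded keys, and the recovered CIK no longer makes the unit operable.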
CH Button: Used to select channel to configure. Either 1, 2, or – for system.
▲ Button: Scrolls up through the command and status messages in the
command/status display.
INIT Button: Initiates an action for the requested channel, depending on
operational state of the KIV-7M. Examples are command initialization, option
selection, or crypto synchronization.
▼ Button: Scrolls down through the command and status messages in the
command/status display.
ESC Button: Back up one level in the menu tree.
ON LINE Button: Transfers the selected channel from off-line to on-line and
the reverse. Also initiates header bypass when enabled.
127
Controls and Indicators (3)
The HDR BYP indicator will indicate when the selected channel is in header
bypass mode. We will probably never use header bypass, but it can be used to
transmit up to 512 bits of data from the connected data device to any equipment
between your KIV and the distant end KIV, or to the distant end data device,
before secure operations are established. This data will not be encrypted even if
keys are loaded in the KIV. After the 512 bits of data are transmitted, the KIV will
go to secure on-line operations and start encrypting.
The ALARM indicator will indicate when an alarm with the selected channel or
system has occurred. If the alarm and zeroize indicators are steadily lit at the
same time and the display reads “LOAD JK0”, then the device must be turned in
for re-initialization.
The PARITY indicator will light continuously whenever there is a parity error with
the key or there are no keys loaded. It will flash momentarily when an operation
such as key loading was successful.
The ZEROIZE indicator will indicate when the KIV is completely zeroized or
when it is being zeroized. If completely zeroed, the LED will be constantly lit. It
will flash when a key or keys are being zeroed.
128
The ON LINE indicator will indicate when the selected channel is operational and
encrypting/decrypting data. It will flash when the channel is trying to sync or
resync.
HDR BYP indicator: Green LED indicates when the selected channel is
bypassing header data. When the channel display indicates “–”, the LED illuminates if either
channel is in header bypass mode.
ALARM indicator: Red LED indicates an alarm with the selected channel or with
the system.
PARITY indicator: Red LED lights continuously if there is a parity error during key loading,
selection, transfer, or OTAR operations, or if no keys are loaded. Indicator blinks if the
operation is successful.
ZEROIZE indicator: Red LED lights when the KIV-7M is zeroized. Blinks during
zeroization.
ON LINE indicator: Green LED indicates when the selected channel is operational
and encrypting/decrypting data. Off if the channel is in standby or header bypass.
Blinks during synchronization. Lights up if either channel is operational when the
channel display indicates “–”.
129
KIV-7M Connectors
One thing to point out is the HCI. This port would normally allow configuring the
KIV through a web interface. However, NSA does not allow connecting of the
KIVs to a LAN.
HAIPE = High Assurance Internet Protocol Encryptor.
RED CHANNEL 1 J3: 68-pin connector for RED Plain Text channel 1 data.
RED CHANNEL 2 J5: 68-pin connector for RED Plain Text channel 2 data.
BLACK CHANNEL 1 J4: 68-pin connector for BLACK Cipher Text channel 1 data.
BLACK CHANNEL 2 J6: 68-pin connector for BLACK Cipher Text channel 2 data.
+5V DC J1: 7-pin DC power input and ground.
HCI J2: RJ-45 Host Control Interface for remote connection to the device. Not connected in SHELTER.
RED CH 3 J8: High Assurance Internet Protocol Encryptor (HAIPE) port. Not used.
BLACK CH 3 J7: HAIPE port. Not used.
130
DED Operations
DED (Dedicated Encryption Device) operations are how we refer to setting up a
KIV-7M for communicating with a KIV-7 family device or the older KG-84 family
of devices. As the diagram shows, we will mostly be using this mode of
operations for encrypting router circuits. However, this is only a representation of
one of the possible scenarios for using this mode and what is shown here will not
always be the case. The X-MSN may be any of the transmission or modem
devices in the CPN such as a CDIM.
We already saw how to set a personality for a channel earlier. We will now start
configuring the channels for operations. We are first going to go over how to set
up a channel for operation as a DED or KIV-7. Remember that in order to do
this we must have the channel select set to either one or two.
What we see on the slide is pretty much what needs to be done in order to
communicate between a KIV-7M and a KIV-7. There are many settings
associated with SETUP A through C. We will go over these and the
recommended settings in a few slides. The key selection and loading is also
very important since you need to have the same key loaded at both ends in order
to talk.
131










132
• Select correct channel personality
  – KIV-7
• Set Security Level
• Configure port options for personality
  – SETUP A
  – SETUP B
  – SETUP C
• Load Keys
• Select Keys to use
• Bring channel on-line for link communications
TED Operations
The TED mode or personality is used for communicating with the KIV-19 and/or
KG-194 family of encryptors. This mode will allow us to encrypt SMU, router,
and Promina SA-TRK links.
We just went over most of the configurations for a channel set up with a KIV-7
personality. There were many options available and the same is the case for the
KG-194 mode. We are now going to go over the KG-194 personality options for
the channels of a KIV-7M. What is shown on the slide is what we need to do to
configure the KIV-7M channel to operate as a KG-194. The main thing, of course, is to
select the personality.








• Select correct channel personality
  – KG-194
• Set Security Level
• Configure port options for personality
  – SETUP A
  – SETUP B
• Load Keys
• Bring channel on-line for link communications
133
Suite-A Operations
We will be using the Suite-A personality for communicating with other KIV-7M devices. Since only SSS (V) 3 shelters currently have these KIV-7Ms, we
will mostly be using this personality for communicating with other SSS (V) 3
shelters such as during our training. Setting all these personalities is mostly the
same. There are some differences in the options available, but if you can set
one personality, you should be able to set them all. The main thing is to follow
the menu trees and there will be some cut sheets (more or less) at the end of the
lesson. With cut sheets and a menu tree for understanding where to go for
configuring desired options, the students should not have a problem.
We will now go over the Suite-A mode.









134
• Select correct channel personality
  – Suite A
• Set Security Level
• Configure port options for personality
  – SETUP A
  – SETUP B
  – SETUP C
• Load Keys
• Bring channel on-line for link communications
For comments or suggestions on this book, please email us at:
itfsb.cecom@us.army.mil
Subject Line: Books