The inbound port blocking will commence approximately 13 April 2003 (60 days following the release of the implementation message by STRATCOM, which was released on 13 February 2003).
The JTF-CNO will start with ports 1024-1000 on approximately 13 April 2003. The schedule for the remaining ports will be based on the success of the first block closures. It is intended to close ports in progressively larger blocks in order to complete the process more quickly.
Inbound transport layer protocol blocking will begin following the initial port blocking effort.
Only inbound requests for ports in the range 0 – 1024.
A few selected ports are blocked if they represent a clear and present danger to DoD networks. Blocking all of the high ports would cause the TCP/IP protocol suite to fail, resulting in the NIPRNET failing to operate.
The Ports and Protocols Program only deals with inbound requests at this time. Outbound requests are not addressed.
No! Reassigning an application or service port number from its ‘normal’ well known port number to another port number is called ‘port redirection’. In accordance with the DoD NIPRNET Ports, Protocols, and Services (PPS) Security Technical Guidance, section 4.4: “… recognized data services should operate on their accepted well known (system) ports… they should not be redirected.” For a complete listing of well known port numbers and associated services, please visit http://www.iana.org/assignments/port-numbers.
DoD Component-authorized POCs designated to the JTF-CNO will be issued a logon ID and Password. The Primary POC for each Component may add or remove secondary POCs as necessary. If you have any questions on Registration System access contact DISA at baseld@ncr.disa.mil.
The PnP Points of Contact are posted on the introduction page.
A Microsoft Excel spreadsheet was developed that mirrors the requirements for the Registration System. Component POCs will complete the spreadsheet with the information required for submitting a waiver request. The POC will email this completed spreadsheet to baseld@ncr.disa.mil. This information will be entered into the DoD PNP Registration System. Queries on a PNP request status and copies of the spreadsheet may be obtained by contacting baseld@ncr.disa.mil (703) 882-1553.
1) As the authorized Component POC, you will be provided with an ID and Password based upon the information provided to the JTF-CNO.
2) You will receive an E-Mail with your Login and Password information and procedures on the SIPRNET.
3) Enter the information into the Login screen on pnp.cert.smil.mil (if you do not have access to the SIPRNET, see above FAQ entry).
4) Enter ports and protocol requests information into the registration system.
5) Ensure your system is accredited IAW the DoD Information Technology Security Certification and Accreditation Process (DITSCAP), DODI 5200.40.
6) Check back later to verify request status.
Yes! Should the other Component remove the request, or the DSAWG later revoke the request, and no other port/protocol requests are contained within the registration system, the JTF-CNO would order the port/protocol blocked.
The component should go through the normal process to debug the problem, usually working through the DISA GNOSC. If it is discovered that the problem is a closed port, the component or GNOSC will contact the JTF-CNO watch officer and inform the watch officer of the port. The JTF-CNO watch officer will order the port opened. The DISA GNOSC will direct the port opened. Be advised, it will take at least 2 hours to open a port.
The JTF-CNO will direct either to open only that port, or rollback the entire router access control list (ACL). This decision will be based on the criticality of the service or application.
A Component POC will have 30 days to submit a formal request using the process specified in this document. Should the Component fail to submit the request the port will be closed. Should the Component submit a request for a service/application that was denied by the CCB, the JTF-CNO will not open that port.
IAW the DoD NIPRNET Ports, Protocols, and Services (PPS) Security Technical Guidance, section E5.2, to obtain approval, a DoD Information System-related port or protocol must:
· Demonstrate a need to exist.
· Not conflict with other ports or protocols.
· Not increase security risks associated with specific ports and protocols.
· Comply with DoD instructions and the prescribed approval process.
· Use approved ports and protocols in a manner approved by a designated authority (the DoD CCB).
· Comply with required testing and/or vulnerability assessment procedure for new DoD information systems prior to approval.
A port/protocol will be opened only if the DSAWG determines that the port/protocol is being used by a DoD mission critical and properly registered Automated Information System (AIS). It is the responsibility of the Component Ports and Protocols POC to express the importance of the port/service/application in the DoD Accreditation System. Additionally, it is the responsibility of the components to ensure all port/protocol requests are associated with an accredited AIS.
No. Once the DSAWG determines that a Port is being used by a legitimate mission critical application or service, the port will be open for all.
The Commander JTF-CNO (CJTF) will constantly reevaluate the PNP initiative based on DoD operational tempo (OPTEMPO). Should the CJTF decide that continued implementation of the PNP initiative might have detrimental effects on current operations, the CJTF will order a strategic pause until operations slow. The JTF-CNO will contact all POCs if this action is necessary.
The DoD Ports and Protocols Program pertains to all DoD Internet access points – all points connected to the Internet. All routers connected to the Internet must be as secure as directed by the DoD Ports and Protocols program.
The information on this web page will be updated frequently. Additional information can be obtained on the SIPRNET at http://pnp.cert.smil.mil. Finally, there is a DoD Ports and Protocol Workshop for DoD Component POCs on 28 March 2003. Contact the JTF-CNO POC for more information.
The JTF-CNO will not direct a port/protocol blocked if there is a pending request from any DoD Component for a system that utilizes that port or protocol.
Requests are consolidated by the Technical Applications Group (TAG) and passed to the PNP Configuration Control Board (CCB). The CCB will process requests by automated information system (AIS), in IP ranges as specified by the JTF-CNO. Any system that utilizes a port in that IP range will be reviewed by the CCB.
The CCB, utilizing the TAG, will contact the system owners as specified in the PNP Registration System (typically the program manager or designated approval authority). The CCB will verify that the system is accredited, has a valid operational necessity, and will review operational impact if denied. Finally, the CCB will provide a recommendation to the DSAWG to approve or disapprove the request. The DSAWG will then make a decision on approving or disapproving the port utilization by the system in question.
The DSAWG will approve or disapprove the system, and in some cases validate the decision with the DISN Flag Panel. The DSAWG will forward the results to the CCB. The CCB will forward the decision by email to the relevant Component POC and the JTF-CNO. Finally the CCB will update the status of the request in the PnP Registration System to "Approved" or "Disapproved". Each decision will be valid for a specified period of time, normally 12 months.
One of two actions may occur:
1. If the DSAWG approves the request, the ports/protocols used by that request will remain open for the time specified by the DSAWG. Before the exception approval expires, the Component POC must resubmit the request to ensure the ports/protocols remain open. Such resubmissions will be processed following the same registration process.
2. If the DSAWG disapproves a request, a Component POC has 30 days from the date of the DSAWG decision to submit an appeal to the DISN Flag Panel (see below). After 30 days, should an appeal not be submitted and no outstanding requests exist that utilize those ports, the JTF-CNO will order the DISA GNOSC and all components that maintain Internet gateways to deny the port(s)/protocol(s). Once an appeal is submitted, the JTF-CNO will not take action until the DISN Flag Panel adjudicates the appeal.
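As an added illustration (not part of the original FAQ or of any DoD or DISA tool), the following Python models the gateway rule the FAQ describes: inbound requests to ports 0-1024 are denied unless an unexpired DSAWG approval exists for that port/protocol, high ports stay open so that replies to outbound sessions are not broken, and approvals nearing expiry are flagged so the Component POC can resubmit in time. The approval records and dates are constructed sample data.

```python
from datetime import date, timedelta

WELL_KNOWN_MAX = 1024  # inbound requests to ports 0-1024 are in the program's scope

# Constructed sample of DSAWG decisions (not real registrations):
# (protocol, port, decision date, validity in days; 12 months is the stated norm)
SAMPLE_APPROVALS = [
    ("tcp", 80, "2003-04-01", 365),
    ("tcp", 25, "2003-04-01", 365),
    ("udp", 53, "2002-03-01", 365),   # lapsed before mid-2003, never resubmitted
]

def build_exceptions(approvals):
    """Map (protocol, port) -> date on which the DSAWG approval expires."""
    table = {}
    for proto, port, decided, days in approvals:
        table[(proto, port)] = date.fromisoformat(decided) + timedelta(days=days)
    return table

def inbound_action(proto, dst_port, today, exceptions):
    """Decide what the Internet gateway ACL does with an inbound request.
    High ports are always permitted: they carry the return traffic of
    sessions NIPRNET hosts opened outbound, so denying them would stop
    ordinary TCP/IP operation. A well-known port is permitted only while
    an approval for that protocol/port is unexpired; otherwise it is denied."""
    if dst_port > WELL_KNOWN_MAX:
        return "permit"
    expiry = exceptions.get((proto, dst_port))
    if expiry is not None and date.fromisoformat(today) <= expiry:
        return "permit"
    return "deny"

def expiring_within(today, exceptions, days=30):
    """Approvals that lapse within `days`: the POC must resubmit before then."""
    now = date.fromisoformat(today)
    return sorted(key for key, exp in exceptions.items()
                  if now <= exp <= now + timedelta(days=days))

if __name__ == "__main__":
    ex = build_exceptions(SAMPLE_APPROVALS)
    for proto, port in [("tcp", 80), ("tcp", 23), ("udp", 53), ("tcp", 40000)]:
        print(proto, port, inbound_action(proto, port, "2003-06-01", ex))
    print("expiring soon:", expiring_within("2004-03-15", ex))
```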
Should a Component wish to present an appeal to the DISN Flag Panel, they should contact the DSAWG Chair directly, and, if appropriate, inform their representative on the DSAWG. More information on the DSAWG can be found at http://iase.disa.mil. Under most circumstances the Component POC will be required to present an appeal in person to the DISN Flag Panel. IAW the direction of the ASD-C3I, as the DoD CIO, the decision of the DISN Flag Panel is final. Additional details on the appeals process will be added soon.
No. The DoD PnP Program only affects the DoD Internet access points - all points connected to the Internet. All routers connected to the Internet must be as secure as directed by the DoD Ports and Protocols program.
CLASSIFICATION: UNCLASSIFIED