The Defense Information Systems Agency is exploring a so-called gray network gateway infrastructure that allows remote workers – in theater, on mobile devices, and in field offices – to quickly access classified information using encryption.
Architecturally, gray networks sit between inner and outer VPN tunnels and provide an extra layer of security for encrypted classified data as it moves across an untrusted network. While DISA stressed the urgency of the project, gray network implementation may be easier said than done – especially when it comes to monitoring the performance of network components and traffic hidden behind multiple gateways and dual-encrypted tunnels.
A DMZ for classified data in transit
Gray networks are not a new concept. DISA has been piloting a gray network approach since 2020 as part of the Commercial Solutions for Classified program, which the National Security Agency uses to expedite the delivery of secure cybersecurity solutions built from commercial technologies and products. Nevertheless, DISA hopes to make the gray network more accessible to components to promote telework.
Gray networks are similar to jump host networks often used in the private sector to connect users to restricted data or systems via multiple authentication points. In a defense use case, however, they are inherently more secure – essentially a demilitarized zone with a double VPN as an added layer of protection. Should a malicious actor hack through the outer tunnel, the data remains secure due to the additional encryption provided by the inner tunnel of the VPN.
The gray area between security and performance
Building a gray network involves many components – and just as many potential points of failure. A single misconfiguration could have significant impact on performance and system integrity. As such, gray network architects and managers must give careful consideration to network performance and security monitoring.
Ensuring the performance of gray networks is, pardon the pun, a gray area.
Double VPN tunnels are complex – both from a security and network perspective. Depending on how the network is configured, traditional monitoring solutions may not provide the observability needed into each component and checkpoint within the infrastructure.
For instance, while these tools can shine a light on the performance of the inner and outer VPNs, digging into network health in the hardened secure enclave – from the outside in – is not so easy. If rights and access to the secure enclave are restricted, a monitoring platform will not be able to access the data it needs to understand network performance.
It may be possible to configure the secure enclave so performance data inside and outside the gray network can be monitored holistically, but this opens the network up to security risk and violates the very concept of a gray network.
Another option is to deploy additional monitoring apparatus within the gray, DMZ portion of the network. The problem is, this approach requires network analysts to manually stitch together disparate monitoring data from systems inside and outside the secure enclave to identify issues and reveal the root cause – a time-consuming and laborious process.
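As an added illustration of the stitching problem described above (example code, not from the article or from SolarWinds): two monitors, one outside the enclave and one inside, each export per-flow timestamps that neither can correlate on its own. The script joins the two exports on a flow identifier, attributes latency to the outer, boundary and inner segments, and flags flows that the outer monitor saw but the enclave monitor never did. The observation-point names, the CSV layout, the sample records and the clock-offset parameter are all constructed assumptions.

```python
"""Stitch per-flow timing records from a monitor outside a gray-network enclave
and a monitor inside it, so latency can be attributed to a path segment.

Constructed example: neither monitor can see the other's side of the inner VPN
tunnel, so the end-to-end picture only exists after joining the two exports."""
import csv
import io
from typing import Dict

# Ordered observation points along the path. The first two are visible to the
# monitor outside the enclave, the last two only to the monitor inside it (assumed names).
PATH = ["outer_ingress", "gray_egress", "inner_ingress", "app_host"]

# Named segments between consecutive observation points.
SEGMENTS = {
    "outer": ("outer_ingress", "gray_egress"),     # outer tunnel plus gray gateway
    "boundary": ("gray_egress", "inner_ingress"),  # crossing from the gray zone into the enclave
    "inner": ("inner_ingress", "app_host"),        # inner tunnel plus enclave network
}

# Constructed sample exports. Flow f2 stalls at the boundary; f3 never reaches the enclave.
OUTER_MONITOR = """flow,point,ts_ms
f1,outer_ingress,1000
f1,gray_egress,1040
f2,outer_ingress,1100
f2,gray_egress,1135
f3,outer_ingress,1200
f3,gray_egress,1230
"""
ENCLAVE_MONITOR = """flow,point,ts_ms
f1,inner_ingress,1048
f1,app_host,1060
f2,inner_ingress,1402
f2,app_host,1410
"""


def parse_export(text: str, clock_offset_ms: int = 0) -> Dict[str, Dict[str, int]]:
    """Parse one monitor's CSV export into {flow_id: {point: timestamp_ms}}.

    The two monitors run on independent clocks; clock_offset_ms is subtracted
    from every timestamp so an offset measured separately can be removed."""
    flows: Dict[str, Dict[str, int]] = {}
    for row in csv.DictReader(io.StringIO(text)):
        flows.setdefault(row["flow"], {})[row["point"]] = int(row["ts_ms"]) - clock_offset_ms
    return flows


def stitch(outer: Dict[str, Dict[str, int]], enclave: Dict[str, Dict[str, int]]) -> Dict[str, Dict[str, int]]:
    """Merge the two views per flow. Flows seen only by one monitor are kept,
    so that a flow lost between the two can still be reported."""
    merged: Dict[str, Dict[str, int]] = {}
    for flow_id in set(outer) | set(enclave):
        merged[flow_id] = {**outer.get(flow_id, {}), **enclave.get(flow_id, {})}
    return merged


def diagnose(flow: Dict[str, int], threshold_ms: int) -> Dict:
    """Compute per-segment latency and classify the flow.

    A flow whose last observation is not the application host is reported as
    missing after that point; otherwise any segment over the threshold is named."""
    segments = {}
    for name, (start, end) in SEGMENTS.items():
        if start in flow and end in flow:
            segments[name] = flow[end] - flow[start]
    seen = [p for p in PATH if p in flow]
    if not seen or seen[-1] != "app_host":
        return {"status": "missing_after:" + (seen[-1] if seen else "none"), "segments": segments}
    slow = [name for name, ms in segments.items() if ms > threshold_ms]
    return {"status": "ok" if not slow else "slow:" + ",".join(slow), "segments": segments}


def analyze(outer_csv: str, enclave_csv: str, threshold_ms: int = 100,
            enclave_clock_offset_ms: int = 0) -> Dict[str, Dict]:
    """Full pipeline: parse both exports, join them, and diagnose every flow."""
    outer = parse_export(outer_csv)
    enclave = parse_export(enclave_csv, clock_offset_ms=enclave_clock_offset_ms)
    return {fid: diagnose(flow, threshold_ms) for fid, flow in stitch(outer, enclave).items()}


if __name__ == "__main__":
    for flow_id, result in sorted(analyze(OUTER_MONITOR, ENCLAVE_MONITOR).items()):
        print(flow_id, result["status"], result["segments"])
```

The boundary segment is the one that neither monitor owns, which is exactly where this kind of join is needed; in practice the two clocks must be aligned (the `enclave_clock_offset_ms` parameter stands in for that) or the boundary figure is meaningless.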
Monitoring encrypted traffic for malicious activity
Gray networks also complicate threat detection. Encryption protects the confidentiality and integrity of the data, but it also hides the signals that detection depends on, such as malware payloads or traffic originating from suspicious IP addresses. Network architects should consider advanced traffic analysis strategies to segment, decrypt, and inspect encrypted traffic before re-encrypting and sending it on its way – without compromising classified information.
Achieving visibility into the performance and integrity of gray networks isn’t easy. And that’s always a challenge in federal environments due to the many permutations and use cases network architects must contend with.
When performance management is paramount – and manual intervention and workaround processes are not an option – emerging technologists at DISA and combatant commands must consider how to configure gray networks for optimal observability and actionable insights, before they emerge from the pilot phase.
Brandon Shopp is Group VP of Product at SolarWinds, a U.S. company that develops software for businesses and governments to help manage networks, systems, and information technology infrastructure.
Have an opinion?
This article is an Op-Ed and the opinions expressed are those of the author. If you would like to respond, or have an editorial of your own you would like to submit, please email C4ISRNET and Federal Times Senior Managing Editor Cary O’Reilly.