The Army Aims to Gain Network Flexibility
The Army’s pilot program, which CDW is managing, kicked off in March 2020, but the Army started to field it as an actual solution for users over the course of last summer as the pandemic continued to unfold.
The pilot originally was designed to allow government to access multiple networks through a single end-user computing device, initially at a government office. That would allow users to access classified and unclassified networks from the same device. As that capability was being developed, the Army pushed to have a mobile version and then a wireless version installed.
The Army reasoned that when users are brought back into offices, they will still need to practice social distancing and have the flexibility to have a mobile workforce in the building. However, because most classified systems and associated devices are connected via fiber-optic communications, those devices and network locations cannot be easily moved. The new solution enables users to wirelessly connect to those classified systems remotely.
The Army is testing the wireless capability now. The pilot is operating in four buildings and it will expand to all of the dormitories on the base. That will be especially useful if users need to quarantine or if some buildings became too crowded; they can still access the data they need far away from offices or classrooms on the base.
The Technology Behind a New Kind of Network
How is this possible? Essentially, the technology the pilot is taking advantage of creates VPN tunnels inside of VPN tunnels. Depending on the network users are trying to access, additional VPNs branch off the preceding one. Users access networks and data via virtual machines. None of the data they access is stored locally on their devices, and once they turn off the virtual machine, the information disappears.
On the wireless side of the pilot, access points from Aruba Networks connect to a wireless controller, which is physically connected to another controller in a daisy chain. Users are authenticated along the pathway from controller to controller. Depending on what the user is trying to access, he or she is dropped onto the appropriate network once authenticated.
To log into the back-end networks, users will first need to use their secret-level public key infrastructure token. After authenticating to their client, the user will utilize the token that is applied to the appropriate classification level of their intended environment. For example, if the user wanted to access their unclassified-level desktop they would utilize their CAC’s certificates. When a user logs on, a virtual desktop infrastructure provides the user access, ensuring that all data remains secure in a remote datacenter…
The Army is looking to expand the pilot this year, and the Air Force and Energy Department are looking to deploy the solution in pilots as well.
Such a solution could be useful for any agency that has remote users or multiple kinds of networks. For example, agencies with networks specifically devoted to research and development or acquisition could use this solution to grant users access to multiple networks from a single device. An agency such as the Energy Department could use this solution to give users access to one network with raw data and another with a supercomputer producing models based on the data.
If an agency has more than one network it uses to support its mission, this solution would bolster its ability to work remotely as well as in the office.
The pandemic has shown that necessity is indeed the mother of invention, and agencies will likely benefit from this way of networking far into the future.