The ASD-C3I announced the Department of Defense (DoD) Ports and Protocol Program (PNP) with the release of the 28 January 2003 memorandum entitled DoD Ports, Protocols, and Services Increasing Security at the Internet/DISN Boundary. This program represents a fundamental change in the DoD Computer Network Defense (CND) philosophy, replacing the current CND philosophy of "Deny by exception" with "Permit by exception". While the memorandum identifies only NIPRNET, DREN has maintained a comparable security posture and intends to keep its posture comparable with that of NIPRNET, while continuing to support the Science and Technology community.

Program Plan

The High Performance Computing Modernization Program (HPCMP) has designated a point of contact (POC) to the Joint Task Force - Computer Network Operations (JTF-CNO). The POC is responsible for consolidating a list of automated information systems (AIS) required to support the Research and Development, Test and Evaluation, Modeling and Simulation, and other Science and Technology communities, including the protocols and/or ports utilized, as well as the technical necessity. This information will be uploaded into the DoD PNP Registration System and provided to the DISN Security and Accreditation Working Group (DSAWG). The DSAWG will either approve or disapprove a system and its associated protocols and/or ports. If a request was not submitted, if the HPCMP POC disapproves it, or if the DSAWG disapproves the request and it is not further adjudicated at a higher level, the JTF-CNO will direct HPCMP to deny any inbound packets over that port and/or protocol at the Internet Network Access Points (NAPs).

Program Execution

The timeline for the initiative began with the USSTRATCOM memorandum entitled Increasing Security at the Internet-NIPRNET Boundary (Ports and Protocol Program), released February 13, 2003.

The DSAWG will evaluate requests prior to the implementation of any port/protocol blocks. The JTF-CNO will query the PNP Registration System for any requests that were submitted relevant to upcoming port ranges or protocol blocks. A port/protocol will be blocked if:

  • No request for the port/protocol was submitted to the DoD PNP Registration System.
  • The HPCMP POC disapproves the port/protocol due to a conflict with an existing port-blocking action.
  • A request was submitted but was denied by the DSAWG.

Should the DSAWG approve a request, the associated ports/protocols will remain open for 12 months and will be reevaluated after that time. Components must ensure that the PNP Registration System is maintained, so that, should another combatant command, service, agency, or field activity's request be disapproved at a later date, their mission-critical ports/protocols are not closed.

Timeline

  • 28 January 2003 - ASD-C3I releases memorandum
  • 12 February 2003 - ASD-C3I suspense for Components to provide JTF-CNO with PNP POCs
  • 13 February 2003 - USSTRATCOM releases memorandum
  • 13 March 2003 - Suspense for Components submitting PNP Waiver Requests to the DoD PNP database
  • 16 April 2003 - JTF-CNO directs blocking of initial ports (1024 - 1000)
  • Bimonthly thereafter (scheduled) - JTF-CNO directs additional port blocks based on the success of the initial blocks.

References

DoD Ports, Protocols and Services Security Technical Guidance

Firewall Guidance

Ports and Protocols Registration Contact Information

DREN Operations
Commercial Phone: 703-812-4400
E-Mail: dren-ops [at] hpc.mil

Ports, Protocols and IP Address Exception Requests:

DREN Port and Protocol Exception Request Form (updated 01/05/2017)

Submit Exception Request to dren-ops [at] hpc.mil

Registration and adjudication questions:


DREN Operations
Commercial Phone: 703-812-4400
E-Mail: dren-ops [at] hpc.mil

HPCMP Security Action Officer
Commercial Phone: 703-812-4400