Complex Connections Demand New Processes
For more than a decade, the U.S. Army has been improving the Logistics Information Systems Network, which is specifically designed to sustain and maintain warfighters deployed across the globe. However, although the technology has far exceeded the service’s goals, today’s management practices are almost identical to those used when the network was created in 2004. With the increase in cybersecurity policies and advances in capabilities, the need for highly trained, designated network and systems administration personnel has become abundantly clear, and the requirement for better management processes even more evident.
It took less than 12 months after Operation Iraqi Freedom began for the Army to realize it needed a network explicitly devised to support sustainment operations. During the first part of the conflict, managing logistics and processing requisitions entailed soldiers driving across the battlefield to deliver a disc containing requisitions data and making additional trips to check the status of the requests or correct their submissions. This gap was filled in March 2004 when Project Manager Defense Wide Transmission Systems fielded the Combat Service Support Very Small Aperture Terminal (CSS-VSAT), which was a game changer for the sustainment community because it not only improved efficiency but also saved lives by keeping soldiers off the roads.
While this was an improvement for the sustainment community, the terminal created a new challenge for Sustainment Automation Support Management Office (SASMO) technicians assigned to manage and support these networks. Each terminal is connected to the Internet via a satellite link to the integrated network operations center; the center connects to the Internet and the Department of Defense Information Network. Because the CSS-VSATs are designed to operate as independent systems, it is difficult to manage and troubleshoot these networks from a remote location.
Initially, users could connect directly to the VSAT using the public Internet protocol (IP) space, and the SASMO could manage remotely. However, because of the growing number of client systems and limited number of routable IP addresses available on each terminal, each one was equipped with an advanced security appliance. This created a private local area network and used network address translation to allow multiple clients to connect to the Internet using a single IP address that could be routed publicly. Creating these private local area networks increased the complexity of the system and eliminated the ability to manage them remotely.
Over the past few years, starting with the 2nd Infantry Division in Korea, systems administrators across the force have been experimenting with Internet protocol security virtual private network (VPN) tunnels to move from multiple independent local area networks to a single manageable wide area network (WAN). Once the WAN is in place, SASMO administrators can remotely support their customers anywhere in the world using the remote desktop protocol to manage client computers and a secure shell to manage network devices.
Creating these VPN links also enables administrators to use simple network management protocol to monitor networks and end users’ devices in real time from across the globe, reducing network and system downtime. The technicians can see network issues before the customers report them and even correct some problems before the customers know they exist.
The 1st Infantry Division Combat Aviation Brigade uses VPN connections to assist remote users daily. While headquartered in Germany, the brigade’s SASMO manages and supports customers of 17 CSS-VSAT networks and more than 300 client computers throughout Europe.
The capability also addresses mundane issues such as forgotten passwords, particularly when a user is at a remote site. In the past, sending a technician to the site or the computer to the SASMO were the only two options for resolving this issue. Now, because of the site-to-site VPNs, technicians can centralize account management using Active Directory. They can create a domain infrastructure and give each user a unique username and password that is stored on a domain controller connected to the CSS-VSAT. A SASMO representative can reset a password or unlock a computer without leaving the office.
The VPNs also enable users to log into any computer in a unit connected to a VSAT using their personal credentials. The username and password are sent to the domain controller, which acknowledges the request and authorizes access.
In addition, the domain infrastructure allows the SASMO to centralize the management of group policies and user rights. By creating separate organizational units and user groups, systems administrators can assign users to specific groups based on their access requirements.
For example, users can be granted or denied entry into certain folders on the share drive based on their duty position. User rights, such as software installations and disc burning, also can be restricted based on need, significantly increasing the security of the network.
VPN links and a domain infrastructure also facilitate automated updates. With Microsoft System Center Configuration Manager and/or Windows Server Update Services, systems administrators can consolidate updates they receive from program managers and push them to their respective systems over the network. They can identify which systems receive which updates and schedule the updates to run in the evenings or over the weekend to minimize the impact on the mission. This technique dramatically reduces the time and resources required to manually update systems.
While this type of network design features many advantages, one serious constraint exists. This network is much more complicated than the current infrastructure, so it takes more planning and work to stand up initially. For this network design to be implemented and managed effectively, the SASMO needs to be staffed with a well-trained signal soldier, preferably at the warrant officer level. Without a competent technician, this entire network could collapse and cause more problems than it solved.
The logistics information systems network has come a long way over the past 16 years, but the management practices have not evolved to keep up with the technology, which seriously limits the network’s capability. Traveling to remote locations to perform basic troubleshooting procedures takes time that could be better used developing improved ways to conduct business and support customers. Using site-to-site VPN connections to create a manageable WAN and providing the SASMO with the right soldiers to manage it would dramatically increase productivity, decrease network downtime and boost the level of support the SASMO provides.
Chief Warrant Officer 2 Cory Jodon, USA, is the officer in charge, 1st Infantry Division, Combat Aviation Brigade, Sustainment Automation Support Management Office. He is currently on rotation to Europe in support of Operation Atlantic Resolve.