|1 TLETS terminal in JPG||1 TLETS terminal in VSD|
|2 TLETS terminals in JPG||2 TLETS terminals in VSD|
|CAD/RMS/Interfaced TLETS terminals in JPG||CAD/RMS/Interfaced terminals in VSD|
Network diagrams, i.e. topological drawings, are an essential part of solid network security. Through graphical illustration, a comprehensive network diagram provides the “big picture” – enabling network managers to quickly ascertain the interconnecting nodes of a network for a multitude of purposes, including troubleshooting and optimization. Network diagrams are integral to demonstrating the manner in which each agency ensures criminal justice data is afforded appropriate technical security protections and is protected during transit and at rest.
The following diagrams, labeled Appendix C.1-A through C.1-E, are examples for agencies to utilize during the development, maintenance, and update stages of their own network diagrams. By using these example drawings as a guideline, agencies can form the foundation for ensuring compliance with Section 220.127.116.11 of the CJIS Security Policy.
The following diagrams are included in this policy to aid agencies in their understanding of diagram expectations and should not be construed as a mandated method for network topologies. It should also be noted that agencies are not required to use the identical icons depicted in the example diagrams and should not construe any depiction of a particular vendor product as an endorsement of that product by the FBI CJIS Division.
There are labels contained within the following diagrams that are mentioned here, in this appendix, for the first time in the CJIS Security Policy. The definitions for each of these labels will be added to the glossary.
Appendix C.1-A is a conceptual overview of the various types of agencies that can be involved in the handling of CJIS data, and demonstrates quite a few possible ways in which these interconnections might occur. This diagram is not intended to demonstrate the level of detail required for any given agency’s documentation, but it provides the reader with some additional context through which to digest the following diagrams. Take particular note of the types of network interfaces in use between agencies: in some cases dedicated circuits with encryption mechanisms, and in other cases VPNs over the Internet. This diagram attempts to show the level of diversity possible within the law enforcement community. These diagrams in no way constitute a standard for network engineering, but rather, for the expected quality of documentation.
The next four topology diagrams are of two separate types: those for strictly notional agencies, C.1-B through C.1-D, and one documenting an actual municipal law-enforcement agency’s equipment, C.1-E. For C.1-B through C.1-D, the details identifying specific “moving parts” in the diagrams by manufacturer and model are omitted, but it is expected that any agencies producing such documentation will provide diagrams with full manufacturer and model detail for each element of the diagram as is demonstrated in C.1-E. Note that the quantities of clients should be documented in order to assist the auditor in understanding the scale of assets and information being protected.
Appendix C.1-B depicts a conceptual state law enforcement agency’s network topology and demonstrates a number of common technologies that are in use throughout the law enforcement community (some of which are compulsory per CJIS policy, and some of which are optional), including Mobile Broadband cards, VPNs, Firewalls, Intrusion Detection Devices, VLANs, and so forth. Although most state agencies will likely have highly-available configurations, the example diagram omits these complexities and shows only the “major moving parts” for clarity. Note, however, that the policy requires the logical location of all components be shown. Again, the level of detail depicted should provide the reader with a pattern to model future documentation from, but should not be taken as network engineering guidance.
Appendix C.1-C depicts a conceptual county law enforcement agency. Again, a number of common technologies are presented merely to reflect the diversity in the community, including proprietary Packet-over-RF infrastructures and advanced authentication techniques, and to demonstrate the fact that agencies can act as proxies for other agencies.
Appendix C.1-D depicts a conceptual municipal law enforcement agency, presumably a small one that lacks any precinct-to-patrol data communications. This represents one of the smallest designs that could be assembled that, assuming all other details are properly considered, would meet the criteria for Section 18.104.22.168. This diagram helps to demonstrate the diversity in size that agencies handling criminal justice data exhibit.
Appendix C.1-E depicts an actual municipal police force’s topology, and demonstrates the level of detail suitable to assist an auditor. It also shows a few more common technologies in use, namely thin-client computing, advanced authentication services, and so on.