DEFENSE INFORMATION SYSTEMS AGENCY
P. O. BOX 4502
ARLINGTON, VIRGINIA 22204-4502

IN REPLY REFER TO: Joint Interoperability Test Command (JTE)

23 Mar 09

MEMORANDUM FOR DISTRIBUTION

SUBJECT: Special Interoperability Test Certification of the ION SA5600 Release 1.2 with ION Proactive Remote Integrated Intelligent Secure Management Solution (PRIISMS) Release 2.7

References:
(a) DoD Directive 4630.5, “Interoperability and Supportability of Information Technology (IT) and National Security Systems (NSS),” 5 May 2004
(b) CJCSI 6212.01E, “Interoperability and Supportability of Information Technology and National Security Systems,” 15 December 2008
(c) through (f), see Enclosure 1

1. References (a) and (b) establish the Defense Information Systems Agency (DISA), Joint Interoperability Test Command (JITC), as the responsible organization for interoperability test certification.

2. The ION SA5600 Release 1.2 with ION PRIISMS Release 2.7 is hereinafter referred to as the SUT. The SUT meets all of its critical interoperability requirements and is certified as interoperable for joint use within the Defense Switched Network (DSN) as a Customer Premises Equipment Secure Modem set forth in appendix 7 of reference (c). Testing was conducted using test procedures derived from reference (d). Test discrepancies that remain open are discussed in the Certification Testing Summary (Enclosure 2) and have only minor operational impacts. No other configurations, features, or functions, except those cited within this report, are certified by the JITC, or authorized by the Program Management Office for use within the DSN. This certification expires upon changes that affect interoperability, but no later than four years from the date of this memorandum.

3. This finding is based on interoperability testing conducted by JITC, DISA adjudication of open test discrepancy reports, review of the vendor’s Letters of Compliance (LoC), and Defense Information Assurance (IA)/Security Accreditation Working Group (DSAWG) accreditation. Interoperability testing of the SUT was conducted at JITC’s Global Information Grid Network Test Facility at Fort Huachuca, Arizona, from 11 July through 15 August 2008. DISA adjudication of outstanding test discrepancy reports was completed on 17 December 2008. Review of the vendor’s LoC was completed on 5 September 2008. DSAWG grants accreditation based on the security testing completed by DISA-led Information Assurance test teams and published in a separate report (reference (e)). DSAWG accreditation was granted on 10 March 2009. Enclosure 2 documents the test results and describes the tested network and system configurations.

JITC, Memo, JTE, Special Interoperability Test Certification of the ION SA5600 Release 1.2 with ION Proactive Remote Integrated Intelligent Secure Management Solution (PRIISMS) Release 2.7

4. The Functional Requirements used to evaluate the interoperability of the SUT and the interoperability statuses are indicated in Table 1.

Table 1. SUT Functional Requirements and Interoperability Status

Interfaces | Critical | Certified
ISDN BRI S/T NI2 | No (note 1) | Yes
IEEE 802.3u | No (note 1) | Yes
EIA-232 Serial | No (note 1) | Yes
2-Wire Analog (GR-506-CORE) | No (note 1) | Yes
Security | Yes | Yes

Functional Requirements | Status | UCR Paragraph
DISR compliance as applicable (R) | Met | A7.5
FCC Part15/Part 68 (R) | Met | A7.5
In accordance with ANSI T1.605-1991 (R1999) | Met | A7.5.3
Ethernet interfaces in accordance with IEEE 802.3-2002 | Met | A7.5
FCC Part15/Part 68 (R) | Met | A7.5
DISR compliance as applicable (R) | Met | A7.5
Serial EIA-232 Interfaces in accordance with TIA-232-F (C) | Met | A7.5
FCC Part15/Part 68 (R) | Met | A7.5
DTMF outpulsing (C) | Met | A7.5, 5.4.1, 5.4.2
DISR compliance as applicable (R) | Met | A7.5
TIA/EIA-470-B (R) | Met | A7.5.1
Security (R) | See note 2. | A7.6

NOTES:
1 Customer Premises Equipment required interfaces are not specified in the UCR.
2 Security is tested by DISA-led Information Assurance test teams and published in a separate report, reference (e).

LEGEND:
802.3u - Standard for carrier sense multiple access with collision detection at 100 Mbps
A - Appendix
ANSI - American National Standards Institute
BRI - Basic Rate Interface
C - Conditional
DISA - Defense Information Systems Agency
DISR - Department of Defense Information Technology Standards Registry
DTMF - Dual Tone Multi-Frequency
EIA - Electronic Industries Alliance
EIA-232 - Standard for defining the mechanical and electrical characteristics for connecting Data Terminal Equipment (DTE) and Data Circuit-terminating Equipment (DCE) data communications devices
FCC - Federal Communications Commission
GR - Generic Requirement
GR-506-CORE - LSSGR: Signaling for Analog Interfaces
IEEE - Institute of Electrical and Electronics Engineers
ISDN - Integrated Services Digital Network
LSSGR - Local Access and Transport Area (LATA) Switching Systems Generic Requirements
Mbps - Megabits per second
NI2 - National ISDN Standard 2
R - Required
S/T - ISDN BRI 4-wire interface
SUT - System Under Test
T1.605-1991 - ISDN Basic Access Interface for S/T Reference Points and Layer 1 Specification
TIA - Telecommunications Industry Association
TIA/EIA-470-B - Performance and Compatibility Requirements for Telephone Sets with Loop Signaling
UCR - Unified Capabilities Requirements

5. No detailed test report was developed in accordance with the Program Manager’s request. JITC distributes interoperability information via the JITC Electronic Report Distribution (ERD) system, which uses Unclassified-But-Sensitive Internet Protocol Router Network (NIPRNet) email. More comprehensive interoperability status information is available via the JITC System Tracking Program (STP). The STP is accessible by .mil/gov users on the NIPRNet at https://stp.fhu.disa.mil.
Test reports, lessons learned, and related testing documents and references are on the JITC Joint Interoperability Tool (JIT) at http://jit.fhu.disa.mil (NIPRNet), or http://199.208.204.125 (SIPRNet). Information related to DSN testing is on the Telecom Switched Services Interoperability (TSSI) website at http://jitc.fhu.disa.mil/tssi.

6. The JITC point of contact is Mr. Joseph Roby, DSN 879-0507, commercial (520) 538-0507, FAX DSN 879-4347, or e-mail to [email protected]. The JITC’s mailing address is P.O. Box 12798, Fort Huachuca, AZ 85670-2798. The tracking number for the SUT is 0830101.

FOR THE COMMANDER:

2 Enclosures a/s

for RICHARD A. MEADOR
Chief
Battlespace Communications Portfolio

Distribution (electronic mail):
Joint Staff J-6
Joint Interoperability Test Command, Liaison, TE3/JT1
Office of Chief of Naval Operations, CNO N6F2
Headquarters U.S. Air Force, Office of Warfighting Integration & CIO, AF/XCIN (A6N)
Department of the Army, Office of the Secretary of the Army, DA-OSA CIO/G-6 ASA (ALT), SAIS-IOQ
U.S. Marine Corps MARCORSYSCOM, SIAT, MJI Division I
DOT&E, Net-Centric Systems and Naval Warfare
U.S. Coast Guard, CG-64
Defense Intelligence Agency
National Security Agency, DT
Defense Information Systems Agency, TEMC
Office of Assistant Secretary of Defense (NII)/DOD CIO
U.S. Joint Forces Command, Net-Centric Integration, Communication, and Capabilities Division, J68
Defense Information Systems Agency, GS23

ADDITIONAL REFERENCES

(c) Defense Information Systems Agency, “Department of Defense Networks Unified Capabilities Requirements,” 21 December 2007
(d) Joint Interoperability Test Command, “Defense Switched Network Generic Switch Test Plan (GSTP), Change 2,” 2 October 2006
(e) Joint Interoperability Test Command, “Information Assurance (IA) Assessment of ION SA5600 Release 1.2 with ION Proactive Remote Integrated Intelligent Secure Management Solution (PRIISMS) Release 2.7,” 10 March 2009

Enclosure 1

CERTIFICATION TESTING SUMMARY

1. SYSTEM TITLE. Special Interoperability Test Certification of the ION SA5600 Release 1.2 with ION Proactive Remote Integrated Intelligent Secure Management Solution (PRIISMS) Release 2.7, hereinafter referred to as the System Under Test (SUT).

2. PROPONENT. Defense Information Systems Agency (DISA).

3. PROGRAM MANAGER. Mr. Louis Schmuckler, GS23, Room 5W23, 5275 Leesburg Pike, Falls Church, Virginia, 22041, E-mail: [email protected].

4. TESTER. Joint Interoperability Test Command (JITC), Fort Huachuca, Arizona.

5. SYSTEM UNDER TEST DESCRIPTION.

6. SYSTEM DESCRIPTION. The SUT is a Customer Premises Equipment (CPE) Secure Modem which consists of the ION SA5600 and the ION PRIISMS server. The ION PRIISMS secure access gateway is required with the SA5600 secure appliance to meet the Information Assurance security requirements.

The ION SA5600 is a series of secure appliances that are used to control, audit, and monitor remote devices. The two SA5600 devices are: the ION Enclave and ION Integrated Services Digital Network (ISDN) Basic Rate Interface (BRI) appliances. Each SA5600 device is capable of recording access events, including any keystroke logs of the remote devices. When the SA5600 devices are used in conjunction with the ION PRIISMS server, all of the event logs, audit logs, access logs, and keystroke logs are forwarded and stored in the ION PRIISMS Structured Query Language (SQL) server database.

The ION PRIISMS server serves as an endpoint for an Open Secure Sockets Layer (OpenSSL) tunnel from each of the ION SA5600 appliances. The ION PRIISMS server is also used as a management interface to the ION SA5600 appliances and remote devices managed by the ION SA5600 appliances. In addition, the ION PRIISMS operates as a data and configuration backup server for the ION SA5600 appliances and ION PRIISMS data.

The SUT will be used to provide a secure shell virtual private network connection between the Defense Information System Network (DISN) Network Operations Center (NOC) and remote systems over Internet Protocol (IP), 2-wire analog, and ISDN BRI dialup. The SUT interfaces to remote systems are IP or Electronic Industries Alliance (EIA)-232 serial interfaces.

6. OPERATIONAL ARCHITECTURE. The Unified Capabilities Requirements (GSCR) DSN Architecture in Figure 2-1 depicts the relationship of the SUT to the DSN switches.
Enclosure 2

[Figure 2-1. DSN Architecture (diagram not reproduced)]

LEGEND:
4W - 4-Wire
BRI - Basic Rate Interface
CB - Channel Bank
COI - Community of Interest
CSN - Canadian Switch Network
DRSN - Defense Red Switch Network
DSN - Defense Switched Network
DVX - Deployable Voice Exchange
EMSS - Enhanced Mobile Satellite System
EO - End Office
IAS - Integrated Access Switch
ISDN - Integrated Services Digital Network
IST - Interswitch Trunk
MFS - Multifunction Switch
NATO - North Atlantic Treaty Organization
PBX - Private Branch Exchange
PBX 1 - Private Branch Exchange 1
PBX 2 - Private Branch Exchange 2
PSTN - Public Switched Telephone Network
RSU - Remote Switching Unit
SMEO - Small End Office
SMU - Switched Multiplexer Unit
STEP - Standardized Tactical Entry Point
SUT - System Under Test
TDM/P - Time Division Multiplex/Packetized
Tri-Tac - Tri-Service Tactical Communications Program
TS - Tandem Switch
VoIP - Voice over Internet Protocol
VTC - Video Teleconferencing

7. REQUIRED SYSTEM INTERFACES. Requirements specific to the SUT and interoperability results are listed in Table 2-1. These requirements are derived from the UCR Interface and Functional Requirements and were verified through JITC testing.

Table 2-1. SUT Functional Requirements and Interoperability Status

Interfaces | Critical | Certified
ISDN BRI S/T NI2 | No (note 1) | Yes
IEEE 802.3u | No (note 1) | Yes
EIA-232 Serial | No (note 1) | Yes
2-Wire Analog (GR-506-CORE) | No (note 1) | Yes
Security | Yes | Yes

Functional Requirements | Status | UCR Paragraph
DISR compliance as applicable (R) | Met | A7.5
FCC Part15/Part 68 (R) | Met | A7.5
In accordance with ANSI T1.605-1991 (R1999), “ISDN Basic Access Interface for S and T Reference Points and Layer 1 Specification.” | Met | A7.5.3
Ethernet interfaces in accordance with IEEE 802.3-2002 | Met | A7.5
FCC Part15/Part 68 (R) | Met | A7.5
DISR compliance as applicable (R) | Met | A7.5
Serial EIA-232 Interfaces in accordance with TIA-232-F (C) | Met | A7.5
FCC Part15/Part 68 (R) | Met | A7.5
DTMF outpulsing (C) | Met | A7.5, 5.4.1, 5.4.2
DISR compliance as applicable (R) | Met | A7.5
TIA/EIA-470-B (R) | Met | A7.5.1
Security (R) | See note 2. | A7.6

NOTES:
1 Customer Premise Equipment required interfaces are not specified in the UCR.
2 Security is tested by DISA-led Information Assurance test teams and published in a separate report, reference (e).
LEGEND:
802.3u - Standard for carrier sense multiple access with collision detection at 100 Mbps
A - Appendix
ANSI - American National Standards Institute
BRI - Basic Rate Interface
C - Conditional
DISA - Defense Information Systems Agency
DISR - Department of Defense Information Technology Standards Registry
DTMF - Dual Tone Multi-Frequency
EIA - Electronic Industries Alliance
EIA-232 - Standard for defining the mechanical and electrical characteristics for connecting Data Terminal Equipment (DTE) and Data Circuit-terminating Equipment (DCE) data communications devices
FCC - Federal Communications Commission
GR - Generic Requirement
GR-506-CORE - LSSGR: Signaling for Analog Interfaces
IEEE - Institute of Electrical and Electronics Engineers
ISDN - Integrated Services Digital Network
LSSGR - Local Access and Transport Area (LATA) Switching Systems Generic Requirements
Mbps - Megabits per second
NI2 - National ISDN Standard 2
R - Required
S/T - ISDN BRI 4-wire interface
SUT - System Under Test
T1.605-1991 - ISDN Basic Access Interface for S/T Reference Points and Layer 1 Specification
TIA - Telecommunications Industry Association
TIA/EIA-470-B - Performance and Compatibility Requirements for Telephone Sets with Loop Signaling
UCR - Unified Capabilities Requirements

8. TEST NETWORK DESCRIPTION. The SUT was tested at JITC’s Global Information Grid Network Test Facility. Testing of the system’s required functions and features was conducted using the test configurations depicted in Figures 2-2 and 2-3, which accurately emulate the DSN operational environment.

[Figure 2-2. SUT Test Configuration with Telesync (diagram not reproduced)]

LEGEND:
2W - 2-Wire
B - Bearer Channel
BRI - Basic Rate Interface
CS - Communication Server
D - Data Channel
DCE - Data Circuit-terminating Equipment
DS1 - Digital Transmission Link Level 1 (1.544 Mbps) (2.048 Mbps European)
DSN - Defense Switched Network
DTE - Data Terminal Equipment
EIA - Electronic Industries Alliance
EIA-232 - Standard for defining the mechanical and electrical characteristics for connecting DTE and DCE data communications devices
EIA-530 - Standard for 25-position interface for DTE and DCE employing serial binary data interchange
EWSD - Elektronisches Wählsystem Digital
ISDN - Integrated Services Digital Network
IP - Internet Protocol
Mbps - Megabits per second
PRI - Primary Rate Interface
PRIISMS - Proactive Remote Integrated Intelligent Secure Management Solution
PSTN - Public Switched Telephone Network
SUT - System Under Test
VTC - Video Teleconferencing

[Figure 2-3. SUT Test Configuration with Veraz DTX 600 (diagram not reproduced)]

NOTE: The electrical physical interface tested was ITU-T V.35 in accordance with ITU-T V.36/V.37.

LEGEND:
ADIMSS - Advanced Integrated Management Support System
ATM - Asynchronous Transfer Mode
BRI - Basic Rate Interface
CAS - Channel Associated Signaling
DSN - Defense Switched Network
E1 - European Basic Multiplex Rate (2.048 Mbps)
EO - End Office
Fax - Facsimile
FR - Frame Relay
IP - Internet Protocol
ITU-T - International Telecommunication Union Telecommunication Standardization Sector
kbps - kilobits per second
kHz - kilohertz
Mbps - Megabits per second
MFS - Multifunction Switch
POTS - Plain Old Telephone Service
PRI - Primary Rate Interface
PRIISMS - Proactive Remote Integrated Intelligent Secure Management Solution
SS7 - Signaling System 7
STE - Secure Terminal Equipment
STU-III - Secure Telephone Unit-3rd generation
SUT - System Under Test
SWT - Secure Wireline Terminal
T1 - Digital Transmission Link Level 1 (1.544 Mbps)
V.35 - Standard for data transmission at 48 kbps using 60-108 kHz group band circuits
V.36 - Modems for synchronous data transmission using 60-108 kHz group band circuits
V.37 - Synchronous data transmission at a data signaling rate higher than 72 kbps using 60-108 kHz group band circuits
VTC - Video Teleconferencing
xMS - DTX-600 Management System

9. SYSTEM CONFIGURATIONS. Table 2-2 provides the system configurations, hardware, and software components tested with the SUT. The SUT was tested in an operationally realistic environment to determine interoperability with a complement of DSN switches noted in Table 2-2. Table 2-2 lists the DSN switches, which depict the tested configuration, and is not intended to identify the only switches that are certified with the SUT. The SUT is certified with switching systems listed on the Unified Capabilities (UC) Approved Products List (APL) that offer the same certified interfaces.

Table 2-2. Tested System Configurations

System Name | Hardware/Software Release
Siemens EWSD (MFS, EO, SMEO, PBX 1, PBX 2) | 19d with Patch Set 46
Nortel Networks CS2100 (MFS, EO, SMEO, PBX 1, PBX 2) | Succession Enterprise (SE) 09.1
Polycom HDX 9004 | 2.0.0_J
Adtran 512-U | Version CS.0, Cksum10b2
TELESYNC® TSI 1569 | 2.23, Firmware Version V1.39.06
Veraz DTX-600 | JITC022.1
MARCONI ATM switch ASX-1000 and ASX-200BX | Versions 6.2 and 7.1
NET Promina 800/400 | 4.x.2.02 Version 92.45

Administrative Terminals: Tower PC with Pentium IV, 1.7 GHz, 512 Mb RAM; ION Management Client; 7B0GQC1 Windows 2000; Microsoft Windows XP SP2; SSH v2, HTTPS, RDP; ST520 Token

SUT: ION PRIISMS Rel. 2.7 and ION SA5600 Rel. 1.2
ION PRIISMS | PRIISMS Management Software Rel. 2.7, Microsoft Windows 2003 SP2, IIS 6.0 SQL Server 2005 SP2
MultiTech Systems ION Secure Modem | MTA5634ZBA | NA
MultiTech Systems IWay Hopper 128Kbps 2B+D ISDN | MTA128ST | NA
ION Enclave appliance (SA5630G2-RW) | 6080537082 | Release 1.2
ION ISDN BRI appliance (SA5630I-RW) | 6080537083 | Release 1.2

LEGEND:
ATM - Asynchronous Transfer Mode
B - Bearer Channel
BRI - Basic Rate Interface
CS - Communication Server
D - Data Channel
EO - End Office
EWSD - Elektronisches Wählsystem Digital
GHz - Gigahertz
HTTPS - Hyper Text Transfer Protocol Secure
IIS - Internet Information Services
ISDN - Integrated Services Digital Network
Mb - Megabyte
MFS - Multifunction Switch
NA - Not Applicable
PBX 1 - Private Branch Exchange 1
PBX 2 - Private Branch Exchange 2
PC - Personal Computer
PRIISMS - Proactive Remote Integrated Intelligent Secure Management Solution
RAM - Random Access Memory
RDP - Remote Desktop Protocol
SMEO - Small End Office
SP2 - Service Pack 2
SQL - Structured Query Language
SSH - Secure Shell
SUT - System Under Test
VTC - Video Teleconferencing

10. TESTING LIMITATIONS. None.

11. TEST RESULTS. The following paragraphs describe the test results of the certification testing.

a. Discussion. The SUT provides a secure shell virtual private network data only connection between a NOC and remote equipment.
Since the SUT does not transport voice, testing was conducted to verify the SUT’s ability to perform remote Network Management functions via a simulated DSN voice and telemetry network with no degradation of performance. Testing of the SUT was conducted in three transport configurations which included switched ISDN BRI, 2-wire analog, and IP as shown in Figures 2-2 and 2-3. The SUT IP interface is a 10/100 BaseT Ethernet interface; however, when generating IP load traffic via the SUT with the Ixia Explorer and Chariot applications, the following discrepancies were noted regarding packet loss:

• When traffic generated was 0-6% of the total bandwidth, 1 percent packet loss was recorded.
• When traffic generated was 7-8% of the total bandwidth, 20 percent packet loss was recorded.
• When traffic generated was 9-100% of total bandwidth, 21 to 100 percent packet loss was recorded.

These discrepancies were adjudicated by DISA and, due to the SUT’s fielded applications within the DoD, they were determined to have a minor operational impact.

b. Test Summary. The SUT meets all of its critical interoperability requirements and is certified as interoperable for joint use within the DSN as a CPE Secure Modem as set forth in appendix 7 of reference (c). The SUT, which consists of the PRIISMS and SA5600, provides a secure shell virtual private network data only connection between a NOC and remote equipment.

12. TEST AND ANALYSIS REPORT. No detailed test report was developed in accordance with the Program Manager’s request. JITC distributes interoperability information via the JITC Electronic Report Distribution (ERD) system, which uses Unclassified-But-Sensitive Internet Protocol Router Network (NIPRNet) e-mail. More comprehensive interoperability status information is available via the JITC System Tracking Program (STP). The STP is accessible by .mil/gov users on the NIPRNet at https://stp.fhu.disa.mil. Test reports, lessons learned, and related testing documents and references are on the JITC Joint Interoperability Tool (JIT) at http://jit.fhu.disa.mil (NIPRNet), or http://199.208.204.125 (SIPRNet). Information related to DSN testing is on the Telecom Switched Services Interoperability (TSSI) website at http://jitc.fhu.disa.mil/tssi.