Security Enhanced Version of Telestra Platform

Introduction

ASTi has created a secure version of the Telestra platform to help customers meet the Information Assurance (IA) requirements for systems attached to a secure network. This document is intended to be a reference guide for customers who are required to comply with the Department of Defense Directive (DODD) 8500.1 which states:

"All COTS IA or IA-enabled IT hardware, firmware, and software components or products incorporated into DOD information systems must comply with the evaluation and validation requirements of National Security Telecommunications and Information Systems Security Policy (NSTISSP) 11, reference (w)."
"Such products must be satisfactorily evaluated and validated either prior to purchase or as a condition of purchase (i.e., vendors will warrant, in their responses to a solicitation and as a condition of the contract, that the vendor's products will be satisfactorily validated within a period-of-time specified in the solicitation and the contract)."
"Purchase contracts shall specify that product validation will be maintained for updated versions of modifications by subsequent evaluation or through participation in the National Information Assurance Partnership (NIAP), Assurance Maintenance Program."

For more detailed information see the Information Assurance Support Environment (IASE) website.

ASTi offers a certifiable secure version of Telestra software. In the secure software version, the majority of the security risks identified by DISA are eliminated by ASTi, but some customer action is required to resolve vulnerabilities that may exist at the installation site. The remainder of this section provides:

Security Background and Enhancements
DISA & STIGs
Customer Responsibilities
Secure Telestra Platform and Process Details

Security Background and Enhancements

One of the most critical components on the Telestra is the ASTi Operating System (ASTiOS). ASTi uses a specialized OS for a several reasons. ASTiOS is a specialized single purpose product due to the market's demanding requirements that exceed the capabilities of a desktop OS. ASTiOS's low latency and jitter, with highly deterministic functionality are combined to create an embedded solution that successfully addresses the markets requirements. Other modifications include ASTi's patent (pending) kernel, which is modifiable to ensure "hard real time" performance.

The Secure Telestra features:

Minimal OS Footprint
- Only essential Linux elements are included to form the ASTiOS, which aids in eliminating functions or features that increase security risk.
User ID and Password Authentication
- This includes the ability to assign unique user ID and passwords to individual accounts.
Secure Remote Access
- Access is restricted to essential configuration and management elements required for operation.
- All remote access is provided through secure means and plain text remote access capabilities have been removed.
- Due to the embedded nature of the Telestra, remote access cannot be completely removed.
Pluggable Authentication Module (PAM) Configuration
- Allows setup and configuration of login restrictions, lockout features and other security features supported via PAM.
Minimize Open Network Ports
- All unnecessary network ports not vital for Telestra operation are closed.
BIOS Password Protection
- BIOS protection includes security features that restrict access to the BIOS Setup program and restrict who can boot the computer.
- A supervisor password and user password can be set for the BIOS setup program and booting the computer.
Removable Drive
- Standard configuration with each Telestra provides the ability to remove and secure non-volatile media.
- Diskless operation options also available.
Disabling of USB Ports
- Only ASTi audio distribution modules will operate with USB ports on the Telestra.
Auditing Software (SNARE)
- System software provides audits and event log management for Linux.
- Provides intrusion-detection and system resource access logging allowing users to inspect the system for security attacks or violations.
Security Hardening Scripts
- Includes an additional software package for the Secure Telestra platform with ASTi's customized security hardening scripts.
- Eliminates majority of CAT I, II, III and IV issues (see DISA section below)
ASTi SRR Report
- Includes a PDF report that documents the current status and actions required by the DAA.
- Includes High-level summary and detailed sections organized by categories such as Closed, Manual Review, False Positive, Waiver, Open/Future Fix. An ASTi response is provided for all applicable PDIs.
- Click here to see a sample report.

DISA & STIGS

The Defense Information Systems Agency (DISA) develops and provides security configuration guidance for IA and IA-enabled IT products. The guidelines are outlined in DISA's Security Technical Implementation Guides (STIGS), which identify existing and potential vulnerabilities on a system. STIGS exist for a variety of operating systems and applications. Additionally, there are Security Readiness Review (SRR) scripts that automate the process of validating a system configuration against the STIG requirements. Every secure version release of the Telestra is tested against the latest versions of the following STIGS:

UNIX STIG with UNIX SRR scripts
Web Server STIG with UNIX Web SRR script

Links to the STIGS can be found at: http://iase.disa.mil/stigs/stig/index.html

Links to the SRR scripts can be found at: http://iase.disa.mil/stigs/SRR/index.html

Within each STIG there are four vulnerability code definitions from category I (high vulnerability) to category IV (low vulnerability).

Category I - Vulnerabilities that allow an attacker immediate access into a machine, allow super user access, or bypass a firewall.
Category II - Vulnerabilities that provide information that have a high potential of giving access to an intruder.
Category III - Vulnerabilities that provide information that potentially could lead to compromise.
Category IV - Vulnerabilities that provide information that will lead to the possibility of degraded security.

ASTi's goal in the secure version of the Telestra is to eliminate all CAT I's and CAT II's and to minimize CAT III and IV vulnerabilities. ASTi has also incorporated the UNIX SRR scripts into the production testing process so that the Telestra is constantly updated with the most valid security enhancements⁽¹⁾.

Customer Responsibilities

The vulnerabilities are given unique labels called Potential Discrepancy Items (PDIs). Each PDI is categorized with a short description of the vulnerability it represents. Out of the hundreds of PDIs, ASTi can eliminate the majority of them; however, the customer is responsible for eliminating several PDIs.

For example, certain elements of the STIGS require that the customer:

Set non-guessable passwords
Review audit logs
Maintain specific physical security requirements

As the STIGS and SRR scripts are updated, the PDI list will change. Thr specific PDI list is provided on a per Telestra software release tested against the latest STIG/SRR versions.

Secure Telestra Platform and Process Details

Hopefully after reading the above, it is now clear what the Secure Telestra platform provides in terms of software, features and documentation.

The Secure Telestra software is a one-time delivery, when the software is purchased you will receive the following:

Telestra 3.x Software Installation CD-ROM
Telestra 3.x Security Software Installation CD-ROM
ASTi SRR Report(s)
Updated Options File CD
Secure Telestra 3.0 Installation and User Guide (DOC-01-TELS-SEC-3)

The Secure Telestra software version is based on a STIG version. For example, if you order a secure software update in Quarter 1 of 2007 you will receive the secure software version which was run against the November 15th, 2006 DISA UNIX and Web Server SRRs.

Future software packages/upgrades that are required to match the latest STIG requirements would require the purchase of a new security package. Future upgrades will be available as required based on customer demand. Additionally, ASTi will provide updates when a STIG update is available. Based on recent history, this means that if required we would release approximately four versions per year. However, this is subject to change based on customer demand and DISA STIG release schedule.

ASTi highly recommends that customers have an active support contract. Given that no two customers are alike, neither are their security requirements. The various components of this process are documented; however, there are always customers with specific questions in this area requiring some level of support. Support needs will vary from the area of installation or simply understanding why certain PDIs show the responses that they do in the SRR report.

⁽¹⁾ As the DISA STIG CAT I and II vulnerabilities change in future STIG releases it is impossible to predict future issues. While ASTi will make every reasonable attempt to remove all CAT I and II issues we cannot guarantee removal of all these issues. The CAT I and II issues are constantly changing over time. If removal of an issue is not feasible we will work with the customer to obtain a waiver as required. This will be documented in the accompanying ASTi SRR Report.

See the links in the right-hand sidebar for more information on Telestra hardware and software.



Home Store News Products Pricing Support Installations Corporate Contact ASTi
Security Enhanced Version of Telestra Platform Introduction ASTi has created a secure version of the Telestra platform to help customers meet the Information Assurance (IA) requirements for systems attached to a secure network. This document is intended to be a reference guide for customers who are required to comply with the Department of Defense Directive (DODD) 8500.1 which states: "All COTS IA or IA-enabled IT hardware, firmware, and software components or products incorporated into DOD information systems must comply with the evaluation and validation requirements of National Security Telecommunications and Information Systems Security Policy (NSTISSP) 11, reference (w)." "Such products must be satisfactorily evaluated and validated either prior to purchase or as a condition of purchase (i.e., vendors will warrant, in their responses to a solicitation and as a condition of the contract, that the vendor's products will be satisfactorily validated within a period-of-time specified in the solicitation and the contract)." "Purchase contracts shall specify that product validation will be maintained for updated versions of modifications by subsequent evaluation or through participation in the National Information Assurance Partnership (NIAP), Assurance Maintenance Program." For more detailed information see the Information Assurance Support Environment (IASE) website. ASTi offers a certifiable secure version of Telestra software. In the secure software version, the majority of the security risks identified by DISA are eliminated by ASTi, but some customer action is required to resolve vulnerabilities that may exist at the installation site. The remainder of this section provides: Security Background and Enhancements DISA & STIGs Customer Responsibilities Secure Telestra Platform and Process Details Security Background and Enhancements One of the most critical components on the Telestra is the ASTi Operating System (ASTiOS). ASTi uses a specialized OS for a several reasons. ASTiOS is a specialized single purpose product due to the market's demanding requirements that exceed the capabilities of a desktop OS. ASTiOS's low latency and jitter, with highly deterministic functionality are combined to create an embedded solution that successfully addresses the markets requirements. Other modifications include ASTi's patent (pending) kernel, which is modifiable to ensure "hard real time" performance. The Secure Telestra features: Minimal OS Footprint Only essential Linux elements are included to form the ASTiOS, which aids in eliminating functions or features that increase security risk. User ID and Password Authentication This includes the ability to assign unique user ID and passwords to individual accounts. Secure Remote Access Access is restricted to essential configuration and management elements required for operation. All remote access is provided through secure means and plain text remote access capabilities have been removed. Due to the embedded nature of the Telestra, remote access cannot be completely removed. Pluggable Authentication Module (PAM) Configuration Allows setup and configuration of login restrictions, lockout features and other security features supported via PAM. Minimize Open Network Ports All unnecessary network ports not vital for Telestra operation are closed. BIOS Password Protection BIOS protection includes security features that restrict access to the BIOS Setup program and restrict who can boot the computer. A supervisor password and user password can be set for the BIOS setup program and booting the computer. Removable Drive Standard configuration with each Telestra provides the ability to remove and secure non-volatile media. Diskless operation options also available. Disabling of USB Ports Only ASTi audio distribution modules will operate with USB ports on the Telestra. Auditing Software (SNARE) System software provides audits and event log management for Linux. Provides intrusion-detection and system resource access logging allowing users to inspect the system for security attacks or violations. Security Hardening Scripts Includes an additional software package for the Secure Telestra platform with ASTi's customized security hardening scripts. Eliminates majority of CAT I, II, III and IV issues (see DISA section below) ASTi SRR Report Includes a PDF report that documents the current status and actions required by the DAA. Includes High-level summary and detailed sections organized by categories such as Closed, Manual Review, False Positive, Waiver, Open/Future Fix. An ASTi response is provided for all applicable PDIs. Click here to see a sample report. DISA & STIGS The Defense Information Systems Agency (DISA) develops and provides security configuration guidance for IA and IA-enabled IT products. The guidelines are outlined in DISA's Security Technical Implementation Guides (STIGS), which identify existing and potential vulnerabilities on a system. STIGS exist for a variety of operating systems and applications. Additionally, there are Security Readiness Review (SRR) scripts that automate the process of validating a system configuration against the STIG requirements. Every secure version release of the Telestra is tested against the latest versions of the following STIGS: UNIX STIG with UNIX SRR scripts Web Server STIG with UNIX Web SRR script Links to the STIGS can be found at: http://iase.disa.mil/stigs/stig/index.html Links to the SRR scripts can be found at: http://iase.disa.mil/stigs/SRR/index.html Within each STIG there are four vulnerability code definitions from category I (high vulnerability) to category IV (low vulnerability). Category I - Vulnerabilities that allow an attacker immediate access into a machine, allow super user access, or bypass a firewall. Category II - Vulnerabilities that provide information that have a high potential of giving access to an intruder. Category III - Vulnerabilities that provide information that potentially could lead to compromise. Category IV - Vulnerabilities that provide information that will lead to the possibility of degraded security. ASTi's goal in the secure version of the Telestra is to eliminate all CAT I's and CAT II's and to minimize CAT III and IV vulnerabilities. ASTi has also incorporated the UNIX SRR scripts into the production testing process so that the Telestra is constantly updated with the most valid security enhancements⁽¹⁾. Customer Responsibilities The vulnerabilities are given unique labels called Potential Discrepancy Items (PDIs). Each PDI is categorized with a short description of the vulnerability it represents. Out of the hundreds of PDIs, ASTi can eliminate the majority of them; however, the customer is responsible for eliminating several PDIs. For example, certain elements of the STIGS require that the customer: Set non-guessable passwords Review audit logs Maintain specific physical security requirements As the STIGS and SRR scripts are updated, the PDI list will change. Thr specific PDI list is provided on a per Telestra software release tested against the latest STIG/SRR versions. Secure Telestra Platform and Process Details Hopefully after reading the above, it is now clear what the Secure Telestra platform provides in terms of software, features and documentation. The Secure Telestra software is a one-time delivery, when the software is purchased you will receive the following: Telestra 3.x Software Installation CD-ROM Telestra 3.x Security Software Installation CD-ROM ASTi SRR Report(s) Updated Options File CD Secure Telestra 3.0 Installation and User Guide (DOC-01-TELS-SEC-3) The Secure Telestra software version is based on a STIG version. For example, if you order a secure software update in Quarter 1 of 2007 you will receive the secure software version which was run against the November 15th, 2006 DISA UNIX and Web Server SRRs. Future software packages/upgrades that are required to match the latest STIG requirements would require the purchase of a new security package. Future upgrades will be available as required based on customer demand. Additionally, ASTi will provide updates when a STIG update is available. Based on recent history, this means that if required we would release approximately four versions per year. However, this is subject to change based on customer demand and DISA STIG release schedule. ASTi highly recommends that customers have an active support contract. Given that no two customers are alike, neither are their security requirements. The various components of this process are documented; however, there are always customers with specific questions in this area requiring some level of support. Support needs will vary from the area of installation or simply understanding why certain PDIs show the responses that they do in the SRR report. ⁽¹⁾ As the DISA STIG CAT I and II vulnerabilities change in future STIG releases it is impossible to predict future issues. While ASTi will make every reasonable attempt to remove all CAT I and II issues we cannot guarantee removal of all these issues. The CAT I and II issues are constantly changing over time. If removal of an issue is not feasible we will work with the customer to obtain a waiver as required. This will be documented in the accompanying ASTi SRR Report. See the links in the right-hand sidebar for more information on Telestra hardware and software.	Telestra System Platform Overview Telestra Software USB Hardware Security Options
Home Store News Products Pricing Support Installations Corporate Contact ASTi
Copyright 1997-2008 ASTi \| Legal Stuff