ASTi has created a secure version of the Telestra 4 product suite to help customers meet the Information Assurance (IA) requirements for systems attached to a secure network. This document is intended to be a reference guide for customers who are required to comply with the Department of Defense Directive (DODD) 8500.1 which states:

• "All COTS IA or IA-enabled IT hardware, firmware, and software components or products incorporated into DOD information systems must comply with the evaluation and validation requirements National Security Telecommunications and Information System Security Policy (NSTISSP) 11, reference (w)."
• "Such products must be satisfactorily evaluated and validated either prior to purchase or as a condition of purchase (i.e., vendors will warrant, in their responses to a solicitation and as a condition of the contract, that the vendor's products will be satisfactorily validated within a period-of-time specified in the solicitation and the contract),"
• "Purchase contracts shall specify that product validation will be maintained for updated versions of modifications by subsequent evaluation or through participation in the National Information Assurance Partnership (NIAP), Assurance Maintenance Program."

For more detailed information see the Information Assurance Support Environment (IASE) website.

ASTi offers a secure version of Target's ACE software. In the secure software version, the majority of the security risks identified by DISA are eliminated by ASTi, but some customer action is required to resolve vulnerabilities that may exist at the installation site. The remainder of this section provides:

• Security Background and Enhancements
• DISA & STIGs
• Customer Responsibilities
• Telestra 4 Security and Process Details

The Telestra 4 product suite is built around Red Hat® Enterprise Linux®, providing a communications solution that runs on a fully National Information Assurance Partnership (NIAP) validated operating system. NIAP is a U.S. Government initiative created to meet the security testing needs of both information technology (IT) consumers and producers.

To the end user this means that the entire Telestra 4 product suite including the Studio development workstation and the Target platform run on an NIAP approved operating system. Couple this with ASTi's Telestra 4 Security Package for the Target platform and you have an NIAP approved OS that eliminates all CAT I and II issues¹ while locking down the platform in a known working configuration and adhering to the most current security requirements.

Standard Studio and Target security features:

• Red Hat® Enterprise Linux® version 5.x
  • NIAP Approved OS
• Minimal OS Footprint
  • Only essential OS elements are included, for example the Target platform does not include a desktop environment since it is unnecessary, this aids in eliminating functions or features that increase security risk.
• User ID and Password Authentication
  • This includes the ability to assign unique user ID and passwords to individual accounts.
• Secure Remote Access
  • Access is restricted to essential configuration and management elements required for operation.
  • All remote access is provided through secure means and the plain text remote access capabilities were removed.
  • Due to embedded nature of the Target platform, remote access cannot be completely removed.
• SELinux^TM
  • Security Enhanced Linux^TM (SELinux) provides support for MLS (Multi-Level Security) policies.
• Auditing
  • Tracks activities and modifications to the entire system, including file system operations, process system calls, user actions such as password changes, account additions/deletions/modification, use of authentication services, and configuration changes (such as time changes).
• Minimize Open Network Ports
  • All unnecessary network ports not vital for Target platform operation are closed.
• BIOS Password Protection
  • BIOS protection includes security features that restrict access to the BIOS Setup program and restrict who can boot the computer.
  • Set a supervisor password and user password for the BIOS setup program and booting the computer.
• Removable Drive
  • Standard configuration of each Target platform provides the ability to remove and secure non-volatile media.
  • Optional configuration for the Studio development workstation.
  • Diskless operation options also available.

Telestra 4 Security Package features:
Note: The Telestra 4 Security Package is an optional software package for the Target platform.

• Security Hardening Scripts
  • Includes an additional software package for the Target platform with ASTi's customized security hardening scripts.
  • Eliminates the majority of CAT I, II, III, and IV issues (see DISA section below).
• ASTi SRR Report
  • Includes a PDF report that documents the current status and actions required by the DAA.
  • Includes High-level summary and detailed sections organized by categories such as Closed, Manual Review, False Positive, Waiver, Open/Future Fix. An ASTi response is provided for all applicable PDIs.
  • Click here to see a sample report.

The Defense Information Systems Agency (DISA) develops and provides security configuration guidance for IA and IA-enabled IT products. The guidelines are outlined in DISA's Security Technical Implementation Guides (STIGS), which identify existing and potential vulnerabilities on a system. STIGS exist for a variety of operating systems and applications. Additionally, there are Security Readiness Review (SRR) scripts that automate the process of validating a system configuration against the STIG requirements. Every security software version release for the Target platform is tested against the latest versions of the UNIX STIG with UNIX SRR scripts.

Links to the STIGS can be found at: http://iase.disa.mil/stigs/stig/index.html

Links to the SRR scripts can be found at: http://iase.disa.mil/stigs/SRR/index.html

Within each STIG there are four vulnerability code definitions from category I (high vulnerability) to category IV (low vulnerability).

• Category I - Vulnerabilities that allow an attacker immediate access into a machine, allow super user access, or bypass a firewall.
• Category II - Vulnerabilities that provide information that have a high potential of giving access to an intruder.
• Category III - Vulnerabilities that provide information that potentially could lead to compromise.
• Category IV - Vulnerabilities that provide information that will lead to the possibility of degraded security.

ASTi's goal for the Target platform is to eliminate all CAT I's and CAT II's and to minimize CAT III and IV vulnerabilities. ASTi has also incorporated the UNIX SRR scripts into the production testing process so that the software is constantly updated with the most valid security enhancements¹.

The vulnerabilities are given unique labels called Potential Discrepancy Items (PDIs). Each PDI is categorized with a short description of the vulnerability it represents. Out of the hundreds of PDIs, ASTi can eliminate the majority of them; however, the customer is responsible for eliminating several PDIs.

For example, certain elements of the STIGS require that the customer:

• Set non-guessable passwords
• Review audit logs
• Maintain specific physical security requirements

As the STIGS and SRR scripts are updated, the PDI list will change. The specific PDI list is provided for each software release tested against the latest STIG/SRR versions.

Hopefully, after reading the above, it is now clear what the Telestra 4 Security provides in terms of software, features and documentation. Certain security features such as secure remote access, SELinux and user accounts are available on both Studio and the Target platform by default. Since the Target platform is typically thought of as an embedded device, it has an additional security package available for installation. This package is not available for Studio.

The Telestra 4 security software for the Target platform is a one-time delivery and after purchasing the software you receive the following:

• Telestra 4 Software Installation DVD(s)
• Telestra 4 Security Software Installation DVD
• ASTi SRR Report(s)
• Updated Options File CD

The Telestra 4 security software version for the Target platform is based on a STIG version. For example, if you order a security software update in Quarter 1 of 2007 you will receive the security software version, which was run against the November 15th, 2006 DISA UNIX and Web Server SRRs.

Future Telestra 4 security software packages/upgrades that are required to match the latest STIG requirements would require the purchase of a new security package. Future upgrades will be available as required based on customer demand. Additionally, ASTi will provide updates when a STIG update is available. Based on recent history, this means that if required we would release approximately four versions per year. However, this is subject to change based on customer demand and the DISA STIG release schedule.

ASTi highly recommends that customers have an active support contract. Given that no two customers are alike, neither are their security requirements. The various components of this process are documented; however, there are always customers with specific questions in this area requiring some level of support. Support needs will vary from the area of installation or simply understanding why certain PDIs show the responses that they do in the SRR report.

See pricing for the Telestra 4 security software package.