Security Policy, Version 1.5
April 15, 2013
VT iDirect Secure Satellite Broadband Solutions
Page 37 of 41
© 2013 VT iDirect, Inc.
This document may be freely reproduced and distributed whole and intact including this copyright notice.
3 Secure Operation
The Secure Satellite Broadband Solutions meet overall Level 1 requirements for FIPS 140-2. The sections
below describe how to place and keep the module in FIPS-approved mode of operation.
3.1 Crypto-Officer Guidance
The Crypto-Officer is responsible for installing, configuring, and monitoring the modules. On receiving
the modules, the Crypto-Officer must ensure that the modules are properly secured as per the information
provided in Section 2.5. The CO shall periodically check the modules for tamper evidence by looking for
scratches and cracks in the conformal coating. Should the CO suspect that a module has been tampered
with, they should contact VT iDirect support teams:
· For iDirect Government Technologies (iGT) customers, at +1 703 648-8111 or http://tac.idirectgt.com.
· For VT iDirect Customers, +1 703-648-8151 or http://tac.idirect.net.
The Crypto-Officer can access the modules locally over the console port or remotely over a secured
session. Remote secured sessions are provided via TLS, SSH, or the satellite channel.
3.1.1 Initialization
While the modules are shipped with the Linux OS configured for single user mode, they must be
configured for use in a TRANSEC-enabled network using a TRANSEC-enabled Protocol Processor and the
iBuilder application. All network elements that are subsequently created under a TRANSEC-enabled protocol
processor will become part of the TRANSEC-compliant network.
This process involves configuring each respective module in iBuilder (entering the device type, serial
number, Satellite and LAN[23] IP addresses, db threshold, etc.), uploading the resulting "options file", issuing
the Certificate Authority (CA) via the CA Foundry utility in the Network Management Server (NMS),
unchecking the "Disable Authentication" option in iBuilder and finally re-uploading the new options file and
resetting each module. The resulting TRANSEC-enabled network operates in the FIPS-Approved mode.
Note that, while operating in the FIPS-Approved mode of operation, no bypass services are supported.
In-depth guidance for configuring, operating, and maintaining an iDirect satellite network is provided in
the iDirect Network Management System iBuilder's User Guide.
The Crypto-Officer should monitor the modules' status by regularly checking the Statistics log information.
If any irregular activity is noticed or a module consistently reports errors, iDirect Technologies
customer support should be contacted.
3.1.2 Management
According to FIPS 140-2 requirements, the operating system of the modules must be configured in the
single user mode. For a Linux operating system to be in the single user mode, it must meet the following
requirements:
· All login accounts except "root" should be removed.
· Network Information Service (NIS) and other named services for users and groups need to be
disabled.
· All remote login, remote command execution, and file transfer daemons should be turned off.
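The three conditions above can be checked with a small audit script. The following is an added example, not iDirect's own procedure or tooling; it assumes a standard Linux layout (/etc/passwd, /etc/nsswitch.conf, a `ps -eo comm` listing) and a daemon name list that is an assumption to be adjusted per platform. It runs here against constructed sample files.

```shell
#!/bin/sh
# Added audit helpers (not iDirect's procedure) for the three single-user-mode conditions.
# Each function takes a file path, so it can read /etc/passwd, /etc/nsswitch.conf and a
# saved `ps -eo comm` listing on a real host, or the constructed samples built below.

# Accounts other than root that still have a usable login shell. NIS "+"/"-" compat
# entries are skipped here and reported by nis_references instead.
extra_login_accounts() {
    awk -F: '$1 != "root" && $1 !~ /^[+-]/ && $7 !~ /(nologin|false)$/ {print $1}' "$1"
}

# NIS in use: "nis"/"compat" sources in nsswitch.conf ($1) or "+"/"-" entries in passwd ($2).
nis_references() {
    { grep -E '^(passwd|group|shadow):.*(nis|compat)' "$1"; grep -E '^[+-]' "$2"; } 2>/dev/null | sed 's/^/nis: /'
}

# Remote login, remote command execution and file transfer daemons present in a process list.
# The daemon list is an assumption; extend it to match the platform's actual service names.
remote_daemons() {
    grep -Ex 'sshd|telnetd|in\.telnetd|rshd|in\.rshd|rlogind|rexecd|vsftpd|proftpd|in\.ftpd|tftpd|in\.tftpd' "$1" || :
}

# Returns 0 only when all three conditions hold; prints each finding otherwise.
single_user_ok() {
    status=0
    out=$(extra_login_accounts "$1"); [ -z "$out" ] || { echo "login accounts besides root: $out"; status=1; }
    out=$(nis_references "$2" "$1");  [ -z "$out" ] || { echo "$out"; status=1; }
    out=$(remote_daemons "$3");       [ -z "$out" ] || { echo "remote daemons running: $out"; status=1; }
    return $status
}

# Constructed sample inputs: one host that violates all three rules, one that complies.
mk() { f=$(mktemp); printf '%s\n' "$@" >"$f"; echo "$f"; }
BAD_PASSWD=$(mk 'root:x:0:0:root:/root:/bin/sh' 'daemon:x:1:1::/usr/sbin:/usr/sbin/nologin' \
               'admin:x:1000:1000::/home/admin:/bin/bash' '+::::::')
BAD_NSS=$(mk 'passwd: files nis' 'group: files nis' 'hosts: files dns')
BAD_PS=$(mk 'init' 'sshd' 'telnetd' 'cron')
GOOD_PASSWD=$(mk 'root:x:0:0:root:/root:/bin/sh' 'daemon:x:1:1::/usr/sbin:/usr/sbin/nologin')
GOOD_NSS=$(mk 'passwd: files' 'group: files' 'hosts: files dns')
GOOD_PS=$(mk 'init' 'cron')

single_user_ok "$BAD_PASSWD" "$BAD_NSS" "$BAD_PS" || echo "violations found (exit $?)"   # reports all three, returns 1
single_user_ok "$GOOD_PASSWD" "$GOOD_NSS" "$GOOD_PS" && echo "single-user conditions met"  # returns 0
```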
iDirect follows these procedures to configure the Linux operating system in single user mode:
1. Log in as the "root" user.
23 LAN - Local Area Network