PacStar IQ-Core Software CSfC Plug-in · IQ-Core Software VPN monitoring capabilities include the...



PacStar IQ-Core® Software CSfC Plug-in

Imagined. Engineered. Delivered.

PacStar IQ-Core Software CSfC Plug-in can overcome the added complexity and training burden imposed by the two layers of encryption by simplifying the setup, configuration, and management of the underlying equipment used in CSfC solutions. IQ-Core Software base capabilities:

• Enable the deployment of CSfC solutions, with attendant benefits, while reducing the amount of added complexity and training

• Provide a unified interface (“a single pane of glass”) to underlying equipment from multiple vendors

• Provide means to monitor multiple sets of equipment, in fixed/branch offices and deployed settings, enabling lightly trained operators to manage the equipment

IQ-Core Software CSfC Plug-in adds the following CSfC specific functionality:

• VPN setup wizards

• VPN configuration at a glance

• VPN monitoring/troubleshooting

• Certificate management

VPN Setup Wizards

IQ-Core Software VPN setup and certificate generation wizards reduce the complexity of providing the correct information to the CSfC devices by providing step-by-step wizards, insulating lightly trained users from dealing with the command line interfaces and multiple UIs across the underlying devices.

The National Security Agency (NSA) has launched the Commercial Solutions for Classified (CSfC) program enabling organizations to transmit classified information (up to Top Secret) using commercial-grade encryption solutions. CSfC solutions, which must include two layers of Suite B cryptography from two different platforms, enable access to classified information using inexpensive, commercial technologies – benefiting warfighters by:

• Reducing equipment costs

• Simplifying equipment handling/security procedures

• Simplifying key management

• Enabling US coalition partners to access classified information without taking possession of controlled cryptographic items

• Enabling wireless access to classified information without expensive, slow, end-of-life hardware products

However, these systems can be complex to set up and maintain.

Fig. 1. & 2. View of simple step-by-step wizard-based setup screens

PacStar | 15055 SW Sequoia Parkway | Suite 100 | Portland, Oregon | 97224 | pacstar.com | Toll Free 888.872.1512


VPN Configuration at a Glance

IQ-Core Software CSfC Plug-in displays the configuration settings in an IPSec gateway, incorporating information about Trustpoints, IKE Proposals and IPSec Parameters. Included in the status is an indicator of the maximum classification the configuration settings can support under CSfC rules.

The display in Fig 3 on the right provides an “at a glance” summary of IPSec parameters for a VPN capable of transmitting information up to “Secret” on a correctly configured Cisco 5915 ESR serving as a CSfC inner tunnel IPSec gateway. In the event the parameters do not match CSfC rules, the “Class” indicator will automatically revert to UNCLASSIFIED, indicating the system is improperly configured.

VPN Monitoring/Troubleshooting

IQ-Core Software VPN monitoring capabilities include the ability to display, in real time, the connection status of one or more VPN endpoints connected to the device under management. Within the status is an indicator of the active authentication and bulk encryption settings in use as well as the maximum classification the connection is able to support under CSfC rules.

The display in Fig 4 shown on the right shows an active VPN tunnel capable of transmitting information up to “Secret” on a correctly configured Cisco 5915 ESR serving as a CSfC inner tunnel IPSec gateway.

Certificate Management

The IQ-Core Software CSfC Plug-in automates the process of managing device certificates, a process that is error prone and requires extensive training. Reducing the opportunity for errors in this process helps ensure communications uptime and allows security administrators to focus on more important tasks. IQ-Core Software capabilities related to CSfC certificates include:

• Generation of certificate signing requests

• Display of certificate details and expiration dates, including expiration alerts

• Encrypted transmission of certificate signing requests

• Management of the signing process at either the deployed systems or at the NOC

• Management/monitoring of certificate authorities

Available Winter 2015

The initial release of the IQ-Core Software CSfC Plug-in will support the previous capabilities for CSfC certified components including Aruba Mobility Controllers and Cisco IOS-based IPSec Gateways.

The NSA CSfC program office has specified that PacStar IQ-Core Software may be included in any CSfC solution without further CSfC certification. IQ-Core Software may be used for the management of red, gray and black network equipment when individual copies are installed and configured in each network in accordance with requirements for other management tools.

011316

Future Enhancements

PacStar closely follows the development of NSA CSfC capability packages and will provide additional plug-in features to support package requirements. Planned enhancements include the ability to audit system usage and ensure common security issues are detected.

PacStar continually adds new devices under management of IQ-Core Software, at customer request, and is happy to consider any of the following:

• Additional IPSec Gateway

• TLS protected servers

• CSfC IDS/IPS systems

• CSfC end user devices (EUDs)

Fig. 4. View of CSfC active tunnel IPSec gateway

Fig. 3. View of IPSec parameters
