DEFENSE INFORMATION SYSTEMS AGENCY P. O. BOX 549 FORT MEADE, MARYLAND 20755-0549. Joint Interoperability Test Command (JTE) 27 Oct 14



Similar documents
DEFENSE INFORMATION SYSTEMS AGENCY P. O. BOX 549 FORT MEADE, MARYLAND Joint Interoperability Test Command (JTE) 7 Jan 15

DEFENSE INFORMATION SYSTEMS AGENCY P. O. BOX 549 FORT MEADE, MARYLAND Thanks

DEFENSE INFORMATION SYSTEMS AGENCY P. O. BOX 549 FORT MEADE, MARYLAND

SUBJECT: Special Interoperability Test Certification of the Avaya Call Management System (CMS) Release 16.3

DEFENSE INFORMATION SYSTEMS AGENCY P. O. BOX 549 FORT MEADE, MARYLAND Joint Interoperability Test Command (JTE) 10 Jul 14

DEFENSE INFORMATION SYSTEMS AGENCY P. O. BOX 549 FORT MEADE, MARYLAND

Local Session Controller: Cisco s Solution for the U.S. Department of Defense Network of the Future

DEFENSE INFORMATION SYSTEMS AGENCY P. O. BOX 549 FORT MEADE, MARYLAND Joint Interoperability Test Command (JTE) 13 Sep 11

How To Test A Defense Information System Network (Dihd) On A Network (Networking) Device (Netware)

DEFENSE INFORMATION SYSTEMS AGENCY P. O. BOX 549 FORT MEADE, MARYLAND Joint Interoperability Test Command (JTG) 8 Nov 13

What is Unified Capabilities?

TABLE OF CONTENTS. Section 5 IPv Introduction Definitions DoD IPv6 Profile Product Requirements...

DEFENSE INFORMATION SYSTEMS AGENCY P. O. BOX 549 FORT MEADE, MARYLAND Joint Interoperability Test Command (JTE) 25 JUL 14

DEFENSE INFORMATION SYSTEMS AGENCY P. O. BOX 4502 ARLINGTON, VIRGINIA

UNIFIED CAPABILITIES APPROVED PRODUCTS LIST (UC APL) PROCESS GUIDE

DEFENSE INFORMATION SYSTEMS AGENCY P. O. BOX 549 FORT MEADE, MARYLAND Joint Interoperability Test Command (JTE) 14 May 2012

Polycom RealPresence Group Series Deployment Guide for Maximum Security Environments

TLS and SRTP for Skype Connect. Technical Datasheet

NOV q11. DEPARTMENT OF DEFENSE 6000 DEFENSE PENTAGON WASHINGTOr D.C

SIP Trunking. Cisco Press. Christina Hattingh Darryl Sladden ATM Zakaria Swapan. 800 East 96th Street Indianapolis, IN 46240

DEPARTMENT OF DEFENSE PUBLIC KEY INFRASTRUCTURE EXTERNAL CERTIFICATION AUTHORITY MASTER TEST PLAN VERSION 1.0

DEFENSE INFORMATION SYSTEMS AGENCY JOINT INTEROPERABILITY TEST COMMAND P.O. BOX FORT HUACHUCA, ARIZONA

Solution Review: Siemens Enterprise Communications OpenScape Session Border Controller

Unified Capabilities (UC)

Video Conferencing and Security

Digital Subscriber Line (DSL) Requirements

DEPARTMENT OF DEFENSE ONLINE CERTIFICATE STATUS PROTOCOL RESPONDER INTEROPERABILITY MASTER TEST PLAN VERSION 1.0

Cisco IOS Software Release 12.4(6)XE

Universal Video Collaboration HD video for anyone, anywhere and on any device

Cisco Integrated Services Routers Performance Overview

FAST FILE TRANSFER INFORMATION ASSURANCE ASSESSMENT REPORT

Chapter 5. Data Communication And Internet Technology

Introduction to Security and PIX Firewall

ISG50 Application Note Version 1.0 June, 2011

Configuring SIP Support for SRTP

Viewing VPN Status, page 335. Configuring a Site-to-Site VPN, page 340. Configuring IPsec Remote Access, page 355

Cisco Intercloud Fabric Security Features: Technical Overview

VPN. VPN For BIPAC 741/743GE

Network Management Card Security Implementation

Case Study for Layer 3 Authentication and Encryption

21.4 Network Address Translation (NAT) NAT concept

Security in IPv6. Basic Security Requirements and Techniques. Confidentiality. Integrity

4. Objective. To provide guidelines for IS requirements and LCM support under NMCI.

DEPARTMENT OF DEFENSE 6000 DEFENSE PENTAGON WASHINGTON, D.C

Secure Network Foundation 1.1 Design Guide for Single Site Deployments

Cisco TelePresence Video Communication Server Expressway

How To Get The Most Out Of A Pon From Commscope

Comparing Session Border Controllers to Firewalls with SIP Application Layer Gateways in Enterprise Voice over IP and Unified Communications Scenarios

promise of lower-cost, network-based voice communications. The shift to VoIP which in truth represents a subset of the larger convergence

Chapter 1 Personal Computer Hardware hours

Recommended IP Telephony Architecture

Implementing Cisco IOS Network Security v2.0 (IINS)

Implementing Secured Converged Wide Area Networks (ISCW) Version 1.0

Gigabit Multi-Homing VPN Security Router

Virtual Privacy vs. Real Security

Best Practices for Securing IP Telephony

A Model-based Methodology for Developing Secure VoIP Systems

Site to Site Virtual Private Networks (VPNs):

Cisco Networks (ONT) 2006 Cisco Systems, Inc. All rights reserved.

Shawn Carroll Qwest Government Services, Inc. June 15, Government Services

Marine Corps. Commercial Mobile Device Strategy

Voice Over IP and Firewalls

SBC WHITE PAPER. The Critical Component

Network Access Security. Lesson 10

SIP Trunking Steps to Success, Part One: Key Lessons from IT Managers Who ve Been There

Cisco Unified Border Element Enterprise Edition for Cisco ASR 1000 Series

Magnum Network Software DX

Brochure. Dialogic BorderNet Session Border Controller Solutions

Telepresence in an IPv6 World. Simplify the Transition

SangomaSBCs Keeping Your VoIP Network Secure. Simon Horton Sangoma

How To Use A Cisco Wvvvdns4400N Wireless-N Gigabit Security Router For Small Businesses

ADTRAN SBC and Cisco Unified Call Manager SIP Trunk Interoperability

Best Practices for deploying unified communications together with SIP trunking connectivity

JOB READY ASSESSMENT BLUEPRINT COMPUTER NETWORKING FUNDAMENTALS - PILOT. Test Code: 4514 Version: 01

Introduction. An Overview of the DX Industrial Router Product Line. IP router and firewall. Integrated WAN, Serial and LAN interfaces

Leveraging A Secure Wireless Network for Automation and Control

SIP Trunking Configuration with

Pexip Infinity platform management and security features

PETER CUTLER SCOTT PAGE. November 15, 2011

CompTIA Network+ (Exam N10-005)

SIP SECURITY JULY 2014

WAN Routing Configuration Examples for the Secure Services Gateway Family

Cisco WRVS4400N Wireless-N Gigabit Security Router: Cisco Small Business Routers

Voice over IP (VoIP) Basics for IT Technicians

Top-Down Network Design

An ADTRAN White Paper. Seven Guidelines for Your SMB Network

Virtual Private Networks

WHITE PAPER COMBATANT COMMAND (COCOM) NEXT-GENERATION SECURITY ARCHITECTURE USING NSA SUITE B

Fundamentals of the Internet 2009/ Explain meaning the following networking terminologies:

Lab Organizing CCENT Objectives by OSI Layer

Cisco Networking Professional-6Months Project Based Training

Session Border Controllers in Enterprise

TABLE OF CONTENTS NETWORK SECURITY 2...1

Cisco Which VPN Solution is Right for You?

SIP Trunking with Microsoft Office Communication Server 2007 R2

Objectives. Remote Connection Options. Teleworking. Connecting Teleworkers to the Corporate WAN. Providing Teleworker Services

Voice over IP Basics for IT Technicians

OpenScape Session Border Controller Delivering security, interoperability and cost savings to the enterprise network border

Advanced Network Security Testing. Michael Jack

Transcription:

DEFENSE INFORMATION SYSTEMS AGENCY P. O. BOX 549 FORT MEADE, MARYLAND 20755-0549 IN REPLY REFER TO: Joint Interoperability Test Command (JTE) 27 Oct 14 MEMORANDUM FOR DISTRIBUTION SUBJECT: Extension of the Joint Interoperability Certification of the Cisco 29XX and 39XX Series Integrated Services Router (ISR) Generation 2 (G2) with Internetwork Operating References: (a) Department of Defense Instruction 8100.04, "DoD Unified Capabilities (UC)," 9 December 2010 (b) DoD CIO, Memorandum, "Interim Guidance for Interoperability of Information Technology (IT) and National Security Systems (NSS)," 27 March 2012 (c) through (f), see Enclosure 1. Certification Authority. References (a) and (b) establish the Joint Interoperability Test Command (JITC) as the Joint Interoperability Certification Authority for the UC products. 2. Conditions of Certification. The Cisco 3945 ISR G2 with IOS 15.2(4)M5; hereinafter referred to as the System Under Test (SUT), is certified for joint use as a Session Border Controller (SBC). The SUT meets the critical requirements of the Unified Capabilities Requirements (UCR), Reference (c), and is certified for joint use as a SBC with the conditions described in Table 1. The Cisco 3945 ISR G2 was the system tested; however, the components listed in Table 3 utilize the same software and similar hardware and JITC analysis determined them to be functionally identical for interoperability certification purposes and they are also covered under this certification. The SUT is certified only to front a Cisco Session Controller (SC), which does not rely on SIP OPTION pings for failover. This certification expires upon changes that affect interoperability, but no later than (1 July 2017), which is three years from the date of the UC APL memorandum. Desktop Review (DTR) 1 was requested to update the SUT from IOS 15.2(4)M5 to IOS 15.2(4)M7. See paragraph 4 test details. Table 1. Conditions None. None. Condition UCR Waivers Conditions of Fielding Operational Impact

Table 1. Conditions (continued) Condition Open Test Discrepancies The SUT does not support V.150.1 protocol properly. It does not allow the V.150 SPRT media packets to pass though without manipulating the UDP payload causing the V.150 protocol, and thus secure calls, to fail. The SUT does not support a VVoIP IDS/IPS capability that can monitor all VVoIP signaling and media traffic in decrypted form, or support the capability to present all signaling and bearer traffic to an external VVoIP IDS/IPS in a secure manner. The SUT does not support the capability to generate and transmit an alarm to the NMS when the VVoIP IDS/IPS identifies a threat. The SUT does use SSHv2, but HMAC-SHA1-96 with 160-bit key length isn't the default. The SUT does not default to HMAC-SHA1-96 with 160-bit key length for data integrity with SSHv2. While HMAC-SHA1-96 is not default, the client can configure HMAC-SHA1-96 with 160-bit key length. The SUT is not capable of setting Diffie-Hellman-Group14-SHA1 as the preferred key exchange mechanism for SSH. The SUT supports Diffie-Hellman-Group14-SHA1, but does not prefer it. The SUT uses AES128 as an encryption cipher as an encryption cipher for SNMPv3 instead of the required Data Encryption Standard-Cipher Block Chaining (DES-CBC) (usmdesprivprotocol), as specified in RFC 3414. Operational Impact Minor See note 1. The SUT does not support the encryption algorithm AES128-CBC for SSH sessions. The SUT does not provide the same or equivalent functions in IPv6 as in IPv4. Minor See note 2. 1. DISA has accepted and approved the vendor s POA&M and adjudicated this discrepancy as having a minor operational impact. 2. DISA has adjudicated this discrepancy as having a minor operational impact and stated the intent to change this requirement from required to not for interoperability testing in the next version of the UCR. Therefore, there is no operational impact. AES Advanced Encryption Standard RFC Request for Comments DISA Defense Information Systems Agency SHA Secure Hashing Algorithm HMAC Hash-Based Message Authentication Code SSH Secure Shell IDS Intrusion Detection System SNMPv3 Simple Network Management Protocol version 3 IPS Intrusion Prevention System SPRT Simple Packet Relay Transport IPv4 Internet Protocol version 4 SUT System Under Test IPv6 Internet Protocol version 6 UCR Unified Capabilities Requirements NMS Network Management System UDP User Datagram Protocol POA&M Plan of Action and Milestones VVoIP Voice and Video over Internet Protocol 3. Interoperability Status. Table 2 provides the SUT interface interoperability status and Table 3 provides the Capability Requirements (CR) and Functional Requirements (FR) status. Table 4 provides the UC APL product summary. Interface (See note 1.) Threshold CR/FR Requirements (See note 2.) Table 2. Interface Status Status ASLAN/WAN Interfaces 10BaseT (R) 1, 2, 3, 4, 5, 6, 8, and 9 Met The SUT met the critical CRs and FRs for the IEEE 802.3i interface. 100BaseT (O) 1, 2, 3, 4, 5, 6, 8, and 9 Met The SUT met the critical CRs and FRs for the IEEE 802.3u interface. 1000BaseT (O) 1, 2, 3, 4, 5, 6, 8, and 9 Met The SUT met the critical CRs and FRs for the IEEE 802.3ab interface. 10GBaseT (O) 1, 2, 3, 4, 5, 6, 8, and 9 Not Tested The SUT does not support this optional interface. 2

Interface (See note 1.) Threshold CR/FR Requirements (See note 2.) Table 2. Interface Status (continued) Status Network Management Interfaces 10BaseT (C) 2, 7, 8 Met The SUT met the critical CRs and FRs for the IEEE 802.3i interface. 100BaseT (C) 2, 7, 8 Met The SUT met the critical CRs and FRs for the IEEE 802.3u interface. 1000BaseT (C) 2, 7, 8 Met The SUT met the critical CRs and FRs for the IEEE 802.3ab interface. 1. The SUT must provide a minimum of one 10BaseT interface for the ASLAN and WAN side interfaces. 2. The SUT s high-level capability and functional requirement ID numbers depicted in the CRs/FRs column can be cross-referenced in Table 3. 802.3ab 1000BaseT Gbps Ethernet over twisted pair at 1 Gbps (125 Mbps) 802.3i 10BaseT Mbps over twisted pair 802.3u Standard for carrier sense multiple access with collision detection at 100 Mbps ASLAN C CR FR CR/FR ID Assured Services Local Area Network Conditional Capability Requirement Functional Requirement Gbps ID IEEE Mbps O R SUT WAN Gigabits per second Identification Institute of Electrical and Electronics Engineers Megabits per second Optional Required System Under Test Wide Area Network Table 3. SUT Capability Requirements and Functional Requirements Status UCR Requirement (High-Level) (See note 1.) UCR 2013 Reference Status 1 SC and SS Failover and Recovery (R) 2.6 Met 2 Product Interface (R) 2.7 Met 3 AS-SIP Gateway Media Interworking (R) 2.11.2/3 Met 4 Enclave Fronting SBC Functionality (R) 2.12.4 Not Tested 5 Remote Media Gateway (C) 2.16.13 Not Tested 6 Session Border Controller (R) 2.17 Partially Met (See note 2.) 7 Management of Network Appliances (R) 2.19 Partially Met (See note 3.) 8 Interoperability Related Information Assurance (R) 4.2 Partially Met (See note 2.) 9 Internet Protocol version 6 (R) Table 5.2.1 Partially Met (See note 4.) 1. The annotation of 'required' refers to a high-level requirement category. The applicability of each sub-requirement is provided in Reference (d), Enclosure 3. 2. The SUT met the requirements with the exceptions noted in Table 1. DISA adjudicated these exceptions as minor. 3. The SUT met the interoperability related Information Assurance requirements with the minor exceptions noted in Table 1. In addition, security is tested by DISA-led IA test teams and the results published in a separate report, Reference (f). 4. The SUT partially met this requirement with the vendor's LoC with the exceptions noted in Table 1. In addition, JITC does not currently have an end-to-end IPv6 architecture because the LSCs do not yet support IPv6 end-to-end. Therefore, the IPv6 requirements were not tested and the SUT is not certified for use with end-to-end IPv6. AS-SIP Assured Services Session Initiation Protocol JITC Joint Interoperability Test Command C Conditional LoC Letter of Compliance CR Capability Requirement R Required DISA Defense Information Systems Agency SBC Session Border Controller FR Functional Requirement SC Session Controller IA Information Assurance SS Softswitch ID Identification SUT System Under Test IPv6 Internet Protocol version 6 UCR Unified Capabilities Requirements 3

Table 4. UC APL Product Summary Product Identification Product Name Cisco 29XX and 39XX Series ISR G2 Software Release IOS 15.2(4)M7 (See note 1.) UC Product Type(s) Session Border Controller Product Description The SUT performs voice firewall and back-to-back user agent functions. Product Components (See note 2.) Component Name (See note 3.) Version Session Border Controller 3945 ISR G2, 2911 ISR G2, 2921 ISR G2, 2951 ISR G2, 3925 ISR G2, 3925E IOS 15.2(4)M5 See notes 1 and 4. Combined Session Border Controller with Interworking Gateway ISR G2, 3945E ISR G2 3945 ISR G2, 2911 ISR G2, 2921 ISR G2, 2951 ISR G2, 3925 ISR G2, 3925E ISR G2, 3945E ISR G2 IOS 15.2(4)M5 See notes 1 and 4. 1. The SUT was updated from IOS 15.2(4)M5 to IOS 15.2(4)M7 with DTR 1. 2. The detailed component and subcomponent list is provided in Reference (d), Enclosure 3. 3. Components bolded and underlined were tested by JITC. The other components in the family series were not tested, but are also certified for joint use. JITC certifies those additional components because they utilize the same software and similar hardware and JITC analysis determined them to be functionally identical for interoperability certification purposes. 4. The combined SBC and IWG is an integrated configuration within Cisco IOS software that runs on the Cisco 2900/3900 Integrated Service Routers Generation 2 series. Both SBCs utilize the same IOS and software applications. However, the combined SBC and IWG IOS is configured differently than the non-combined version. APL Approved Products List DTR Desktop Review G2 Generation 2 IOS Internetwork Operating System ISR Integrated Services Router IWG JITC SBC SUT UC Interworking Gateway Joint Interoperability Test Command Session Border Controller System Under Test Unified Capabilities 4. Test Details. The extension of this certification is based upon DTR 1. The original certification, documented in Reference (d), is based on interoperability testing, review of the vendor's Letters of Compliance (LoC), DISA adjudication of open test discrepancy reports (TDRs), and DISA Certifying Authority (CA) Recommendation for inclusion on the UC Approved Products List (APL). The Cisco SBC was previously tested and certified with IOS 15.2(4)M3 under UC Tracking Number 0922204. Additionally, the SUT 3945 with IOS 15.2(4)M5 has been installed in the test network architecture since October 2013 fronting the Cisco UCM 8.6 with no interoperability issues. The SUT has been tested rigorously throughout this time. The SUT test window included open TDRs from previous testing and the requirements that were not previously tested. Testing was conducted at JITC's Global Information Grid Network Test Facility at Fort Huachuca, Arizona, from 26 February through 5 March 2014 using test procedures derived from Reference (e). Review of the vendor's LoC was completed on 19 February 2014. DISA adjudication of outstanding TDRs was completed on 9 April 2014. Information Assurance (IA) testing was conducted by DISA-led IA test teams and the results are published in a separate report, Reference (f). This DTR was requested to update the SUT from IOS 15.2(4)M5 to IOS 15.2(4)M7. The IOS 15.2(4)M7 release corrects an interoperability issue that was identified between the SUT and the Verizon Internet Service Provider (ISP). This update to IOS 15.2(4)M7 was tested at DISA Headquarters (HQs) to validate it corrected the interoperability issue. The IA posture of the SUT was also determined not to be affected by this software update to IOS 15.2(4)M7. Therefore, the original IA approval applies to this DTR and JITC approves this DTR. 4

5. Additional Information. JITC distributes interoperability information via the JITC Electronic Report Distribution (ERD) system, which uses Sensitive but Unclassified IP Data (formerly known as NIPRNet) e-mail. Interoperability status information is available via the JITC System Tracking Program (STP). STP is accessible by.mil/.gov users at https://stp.fhu.disa.mil/. Test reports, lessons learned, and related testing documents and references are on the JITC Joint Interoperability Tool (JIT) at https://jit.fhu.disa.mil/. Due to the sensitivity of the information, the Information Assurance Accreditation Package (IAAP) that contains the approved configuration and deployment guide must be requested directly from the Unified Capabilities Certification Office (UCCO), e-mail: disa.meade.ns.list.unifiedcapabilities-certification-office@mail.mil. All associated information is available on the DISA UCCO website located at http://www.disa.mil/services/network-services/ucco. 6. Point of Contact (POC). The JITC point of contact is Mr. Joseph Schulte, commercial telephone (520) 538-5100, DSN telephone 879-5100, FAX DSN 879-4347; e-mail address joseph.t.schulte.civ@mail.mil; mailing address Joint Interoperability Test Command, ATTN: JTE (Mr. Joseph Schulte) P.O. Box 12798, Fort Huachuca, AZ 85670-2798. The UCCO tracking number for the SUT is 1326803. FOR THE COMMANDER: Enclosure a/s for RIC HARRISON Chief Networks/Communications and UC Portfolio Distribution (electronic mail): DoD CIO Joint Staff J-6, JCS USD(AT&L) ISG Secretariat, DISA, JTA U.S. Strategic Command, J665 US Navy, OPNAV N2/N6FP12 US Army, DA-OSA, CIO/G-6 ASA(ALT), SAIS-IOQ US Air Force, A3CNN/A6CNN US Marine Corps, MARCORSYSCOM, SIAT, A&CE Division US Coast Guard, CG-64 DISA/TEMC DIA, Office of the Acquisition Executive NSG Interoperability Assessment Team DOT&E, Netcentric Systems and Naval Warfare Medical Health Systems, JMIS IV&V HQUSAISEC, AMSEL-IE-IS UCCO 5

ADDITIONAL REFERENCES (c) Office of the Department of Defense Chief Information Officer, "Department of Defense Unified Capabilities Requirements 2013, Errata 1," 1 July 2013 (d) Joint Interoperability Test Command, Memo, JTE, Joint Interoperability Certification of the Cisco 29XX and 39XX Series Integrated Services Router (ISR) Generation 2 (G2) with Internetwork Operating, 25 April 2014 (e) Joint Interoperability Test Command, "Session Border Controller (SBC) Test Procedures for Unified Capabilities Requirements (UCR) 2013," Draft (f) Joint Interoperability Test Command, "Information Assurance Findings Summary For Cisco 29xx/39xx Integrated Services Router (ISR) Generation (G)2 Release (Rel.) 15.2(4)Maintenance (M)5, Tracking Number 1326803," Draft Enclosure

2024 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information