TACLANE Micro Inline Network Encryptor
Contents
1. Interface amp Operator s Guide UNCLASSIFIED FOR OFFICIAL USE ONLY uTL 027 05 10 July 2007 Acronym Definition Abbr SDNS Secure Data Network System sec Seconds SKL Simple Key Loader SNMP Simple Network Management Protocol SP Security Processor SSO Site Security Officer STD Standard STP Shielded Twisted Pair SW Software TEK Traffic Encryption Key TFS Traffic Flow Security TL TACLANE TOS Type of Service UPS Uninterruptible Power Supply UTP Unshielded Twisted Pair W Watts W Width WAN Wide Area Network 1 4 U Safety Information General U FOUO The following general safety precautions must be observed during installation and operation of the TACLANE Liability U FOUO General Dynamics assumes no liability for the customer s failure to comply with these requirements Grounding U FOUO TACLANE ground A ground wire is recommended for all installations Verify that the ground wire is connected properly to an earth ground and connected properly to the TACLANE ground binding post Lightning U FOUO Do not connect or disconnect cables during periods of lightning 1 6 UNCLASSIFIED FOR OFFICIAL USE ONLY Interface amp Operator s Guide UNCLASSIFIED FOR OFFICIAL USE ONLY uTL 027 05 AC Power Safety Electrical Shock Lithium Battery Alkaline Battery 10 July 2007 U FOUO Make sure that the power rating and frequency of the2. HOME Note Ifthe fill is not completed within 5 minutes the fill operation is aborted Note ABORT cancels a fill operation in progress if the abort is issued before the DTD indicates start of fill Otherwise the ABORT is ignored Continued on next page 4 14 UNCLASSIFIED FOR OFFICIAL USE ONLY Interface amp Operator s Guide Procedure UNCLASSIFIED FOR OFFICIAL USE ONLY uTL 027 05 10 July 2007 Step Action 5 Using a fill cable connect a DTD to the TACLANE fill port 6 Configure the DTD to transmit the PPK Note The DTD must be configured to fill the PPK rather than issue it 7 Transmit the PPK from the DTD Result The following screen appears if the fill operation was successful GENERAL DYNAMICS O EET evision 3 3 Device Name TACLANE Micro Serial Number 400030040048 Security Level Unclassified Device State OffLine gt gt Key Management gt gt PrePlaced Key 550 Enabled Manage PrePlaced Keys In Chain Operation 8 The PrePlaced Key was filled Maintenance PrePlaced Key Chain Info Chain Id 1 Type User Security Level Confidential Algorithm BATON Effective Date Short Title Edition Segment C 02 26 2007 USEVD 00000000201 111111 A o E Delete selected and subsequent PPKs in the chain Fill PPK at end of chain Cu Note Specific values depend on the particular PPK Note Ifthe
3. MANAGE ASSIGNMENTS 6 6 UNCLASSIFIED FOR OFFICIAL USE ONLY Interface amp Operator s Guide UNCLASSIFIED FOR OFFICIAL USE ONLY uTL 027 05 10 July 2007 Select the radio button next to the desired PPK Chain Id Select MANAGE ASSIGNMENTS If the PrePlaced Key type is User the following screen is displayed GENERAL DYNAMICS TACLANE Micro Revision 3 3 Device Name TACLANE Micro Security Level Unclassified gt gt Security gt gt PPK Assignment 550 Enabled PrePlaced Key User Assignment Operation Number 400030040048 Device State Secure Comm Maintenance PrePlaced Key Chain Info Chain Id 2 Key Management Security Level Secret 02 12 2007 RETURN TO CHAINS Network Effective Date lt lt Prev Next gt gt Remote INE CT Address 148 10 10 1 Remote INE PT Address 152 20 20 2 DELETE ENABLE DISABLE Add an Address Assignment lt lt Prev Next gt gt Select the radio button next to the desired Remote INE Address es or the Remote INE Multicast Address Select ENABLE DISABLE to enable or disable the PPK user assignment Note Remote INE Address es in italics are disabled If the PrePlaced Key type is SDD the following screen is displayed GENERAL DYNAMICS TACLANE Micro Revision 3 3 Serial Number A0003004004A8 Device State Secure Comm Device Name TACLANE Micro Security Level Unclassified gt gt Security gt g
4. GENERAL DYNAMICS TACLANE Micro Revision 3 3 Device Name TACLANE Micro Serial Number A000300400A8 Security Level Unclassified Device State Secure Comm gt gt Security gt gt Create CIK sso rstea _ Create cik RELOAD Operation gt i Creation successful Please remove CIK 2 Maintenance T CIK Creation Progress Network n Security Cancel CIK creation ee CANCEL HOME Remove the CIK from the TACLANE Micro Result The following screen is displayed GENERAL DYNAMICS TACLANE Micro Revision 3 3 Serial Number A0003004004A8 Device State Secure Comm gt gt Security gt gt Create CIK RoE j Create CIk Operation gt C ir Please reinsert the active CIK Maintenance gt gt Key Management CIK Creation Progress Network aes Security Cancel CIK creation pan CANCEL 9 37 UNCLASSIFIED FOR OFFICIAL USE ONLY Interface amp Operator s Guide UNCLASSIFIED FOR OFFICIAL USE ONLY 9 3 Introduction Notes uTL 027 05 10 July 2007 6 Insert the active CIK Result The following screen is displayed GENERAL DYNAMICS e TACLANE Micro gt gt Security gt gt CIK Management 550 Enabled CIK Management Operation 9 CIK Creation successful Maintenance Key Management CIK 1 ACTIVE Network CIK 2 CREATED Sane CIK 3 EMPTY CREATE System Serial Number A000300400A48 vel None Selected Device State Initialized
5. TACLANE Micro GENERAL DYNAMICS ANE Micro Device Initialization In Progress O mcx 3 CIK is detected during startup Result The following screen is displayed GENERAL DYNAMICS TACLANE Micro Revision 3 3 Device Initialization In Progress 9 CIK Activated Please Wait Continued on next page 3 12 UNCLASSIFIED FOR OFFICIAL USE ONLY Interface amp Operator s Guide UNCLASSIFIED FOR OFFICIAL USE ONLY uTL 027 05 10 July 2007 Step Action 4 Detected KSD is blank or KSD is not a valid CIK for this TACLANE Micro Result The following screen is displayed GENERAL DYNAMICS TACLANE Micro Revision 3 3 Device Initialization In Progress 8 Blank KSD inserted Please insert valid CIK 5 TACLANE Micro is unable to read or write to the detected KSD Result The following screen is displayed GENERAL DYNAMICS TACLANE Micro Revision 3 3 Device Initialization In Progress Blank KSD inserted Please insert valid CIK A valid CIK is detected and activated Result The following screen is displayed GENERAL DYNAMICS TACLANE Micro Revision 3 3 Device Initialization In Progress RELOAD Hew i CIK Activated Please Wait 3 13 UNCLASSIFIED FOR OFFICIAL USE ONLY Interface amp Operator s Guide Other Startup Screens Shutting Down the TACLANE UNCLASSIFIED FOR OFFICIAL USE ONLY uTL 027 05 10 July 2007 Step Action 6 The Home page
6. U FOUO Note Remote TACLANE static routing ARP enhancements allow multiple PT or CT gateways to be supported with the only requirement that these multiple gateways support proxy ARP TACLANEs ARP for off net destinations when the PT or CT default gateway is not defined U FOUO One option is to use a false subnet mask in the TACLANEs To make this work e The configuration must consist of subnetworks that all fit within a higher level network or subnet e Router A Router B and Router C must be configured to support proxy ARP for the networks they serve U FOUO This example solution is shown in the figure below B 18 UNCLASSIFIED FOR OFFICIAL USE ONLY Interface amp Operator s Guide Net ID 148 10 0 0 UNCLASSIFIED FOUO Subnet Mask 255 255 0 0 Net ID 148 10 1 0 Subnet Mask 255 255 2550 How it Works Added Router Configuration CT PT Enet TACLANE eet Heiter Enet pe A A CT PT Enet TACLANE Enet Fister Enet Be B B CT PT Enet TACLANE enet Enet Host C1 C UNCLASSIFIED FOUO UNCLASSIFIED FOR OFFICIAL USE ONLY uTL 027 05 10 July 2007 Net ID 148 10 2 0 Subnet Mask 255 255 255 0 Net ID 148 10 3 0 Subnet Mask 255 255 255 0 Net ID 148 10 4 0 Subnet Mask 255 255 255 0 Figure B 7 2 U False Subnet Mask Configuration U FOUO In this example the backbone network and the networks served by Router A Router B and Router C all fit with the
7. U FOUO This command allows the operator to display the Event Log records on a TACLANE U FOUO Follow these steps to display the event log Step Action 1 From the MAIN MENU select Maintenance gt Logs gt Event Log Result The following screen is displayed GENERAL DYNAMICS Ni as Revision 3 3 Serial Number 400030040048 Device State Secure Comm gt gt Maintenance gt gt Logs gt gt Event Log Event Log Maintenance Displaying 1 6 of 6 Records lt lt Prev Next gt gt Key Management Audit Log OK 02 20 2007 10 49 20 Network INE Station ID 400030040048 6 System Date 02 20 2007 10 49 19 Audit Log Capacity 10504 SNMP User Name hmiSso PPK Expiring 02 19 2007 10 37 05 INE Station ID 400030040048 5 System Date 02 19 2007 10 37 05 Short Title USEYD 00000000203 111111 Segment 0 Link Up 02 19 2007 10 22 30 4 Interface Index CT Admin Status Up Oper Status Up Link Up 02 19 2007 10 22 30 3 Interface Index PT Admin Status Up Oper Status Up 2 Cold Start 02 19 2007 10 22 29 PPK Expiring 02 19 2007 10 21 24 INE Station ID 400030040048 1 System Date 02 19 2007 10 21 24 Short Title USEVD 00000000200 111111 Edition 4 Segment 0 lt lt Prev Next gt gt 2 Select NEXT to display the next page of event log records PREV to display the previous page of event log records or select the page number to display a particular page of event log
8. U TACLANE Micro KG 175D cccceecceseceseesceeseeeeeeseeeseeseeeseenseeeees U TACLANE Micro HMI Screen Format cccccccsssccessceeeeseeeenses U TACLANE Micro Mounting Information 0 ceceeseeeteceeeeeeees U TACLANE Micro KG 175D Rear Panel cccccccecesseeeeseeeeeees U TACLANE Secured IP Ethernet Network ccccccccssseceseeeeees U TACLANE Micro KG 175D Front Panel cceccecessseeeseeeeeees U TACLANE Secured IP Ethernet Network ccccccccsscessseeeesseeees U TACLANE Configurations ccs scccciccstcecsscsssncecctectiesssveteccedadensicnansivsets U TACLANE Configuration With IP Tunnels 0 ccc ceeeeseeseeeeee U TACLANE Encryption Gateway Connecting Two Networks U TACLANE Encryption Gateway Connecting Many Subnet Enclaves iosu aa a donna ta etn andiui nese ares G aakaiss U TACLANE Multiple Gateway Configuration Example U TACLANE Single Gateway Nested Configuration Example U Multiple CT Default Gateways sccissesssessakssceaseavdacsixtesaateer sdstendenrses U False Subnet Mask Configuration 0 ccecceesceeeseeeseceteceeeeeeeeeeaees U Added Router Configuration sesssseesessseeseesessseessesressessessessressesse U Manual PPK Confisaration o c3 5asute cet beats ad ein eerie ee aes U Single Ended TACLANE Redundancy with Router Redundancy U Single Ended TACLANE Redundancy without Rou
9. 10 July 2007 Concept Definition Access Control Access controls are either mandatory MAC or discretionary DAC When a FIREFLY TEK is generated TACLANE MAC checks include partition code and security level both must be the same for the initiator and responder MAC checks are always performed and cannot be disabled TACLANE DAC is in the form of an operator editable list of KMIDs When the operator enables access control see the chapter on Configuring Access Control and the Network Manager the TACLANE only allows FIREFLY TEKs to be generated with remote FIREFLY vector sets having KMIDs on the operator s access control list Security Administrator access is enforced using DAC The SSO PIN must be provided to acquire access to Security Administration configurations SNMPv3 uses shared secrets based on operator entered passwords to acquire access to any configuration or monitoring MIBs Bypass PT data that is forwarded without encryption to the CT network or CT data that is forwarded without decryption to the PT network Alarm The result of an internal failure Power can be cycled to attempt to recover from an alarm condition Tamper The result of opening the TACLANE chassis loss of battery power or removal of the battery while TACLANE is powered off 2 4 UNCLASSIFIED FOR OFFICIAL USE ONLY Interface amp Operator s Guide UNCLASSIFIED FOR OFFICIAL USE ONLY uTL 027
10. Key Management Network Security System HOME TACLANE Micro Revision 3 3 Serial Number A000300400A48 Device State Secure Comm Select YES to confirm deletion of all static routes 6 23 UNCLASSIFIED FOR OFFICIAL USE ONLY Interface amp Operator s Guide UNCLASSIFIED FOR OFFICIAL USE ONLY uTL 027 05 10 July 2007 6 12 U Configuring Security Association Introduction Notes U FOUO The SSO operator can configure the method in which the FIREFLY TEKs are automatically updated every 24 hours FIREFLY TEKs can be updated either deterministically using the ACCORDION algorithm or by performing a new IKE exchange and generating a new TEK MTEK MTEK update U FOUO The TACLANE operator configures the DAILY MTEK parameter to 1 ENABLE when enabled MTEK MTEK IKE exchange is the method used for the daily FIREFLY key update 2 DISABLE the default value when disabled local ACCORDION update is the method used for the daily FIREFLY key update The TACLANE operator can configure the status of the SA Host Administrative Timeout and the SA Timeout value U FOUO The TACLANE operator configures the SA Host Administrative Timeout to 1 ENABLE the default value when enabled the SA Host Administrative Timeout function is enabled 2 DISABLE when disabled the SA Host Administrative Timeout is inactive U FOUO When the SA Host Administrative Timeout is enab
11. Setting the Date and Time 13 Update the battery installed date See Section 10 5 Replacing the Battery for instructions 14 At this point the TACLANE is reset to factory defaults See Appendix A Factory Default Settings The configuration needs to be restored and key material needs to be filled 10 73 UNCLASSIFIED FOR OFFICIAL USE ONLY Interface amp Operator s Guide UNCLASSIFIED FOR OFFICIAL USE ONLY uTL 027 05 10 July 2007 10 4 U Checking for a Low Battery Introduction _ U FOUO If the battery voltage depletes below acceptable levels during TACLANE operation the BATTERY status LED on the front panel is illuminated In addition the battery power level is continuously monitored Note U FOUO If the battery low status LED is illuminated the battery should be replaced See Section 10 5 Replacing the Battery Procedure U FOUO Follow this step to check for a low battery Step Action l Check whether the battery low status LED is illuminated If the battery low status LED is illuminated then the battery should be replaced Note The battery low status LED is illuminated briefly during diagnostics This is normal 10 74 UNCLASSIFIED FOR OFFICIAL USE ONLY Interface amp Operator s Guide UNCLASSIFIED FOR OFFICIAL USE ONLY uTL 027 05 10 July 2007 10 5 U Replacing the Battery Introduction Important Battery
12. U FOUO Each TACLANE in this configuration has two possible CT Default Gateways for which to send off net CT datagrams For example TACLANE A could send off net CT datagrams to Router B or Router C Since Router A Router B and Router C can communicate with each other since all are behind TACLANEs they can exchange routing protocol information and learn where off net datagram traffic needs to be routed Although the router knows where it wants to forward the off net datagram the TACLANE cannot benefit from the router s decision and must make the decision again Since the TACLANE only supports a single CT Default Gateway the TACLANE sends all off net CT datagrams to that single CT Default Gateway whether or not it is really the correct router U FOUO It is possible to make this configuration work if each TACLANE points to a different router as its single CT Default Gateway Since the purpose of a router is to route a router attempts to forward an errant datagram to its proper destination Thus off net datagrams may need to bounce off one incorrect router and pass through pairs of TACLANEs twice before arriving at the proper destination U FOUO This section details three possible solutions that allow this configuration to work more efficiently A fourth option is also mentioned Note that these are only examples to illustrate the concepts involved There may be other configurations that are equivalent to those discussed here
13. ccccccescseceececeeecesecneeeeeeeeeseecsaeenseeseaes 7 10 7 6 U Configuring Don t Fragment DF Bit Bypass ssesessssessssseessessrsseesseeseese 7 13 7 7 U Configuring PMTU Bypass cisssecuscstecctsshetecescsdetoeedcnaccianaae oi teerioteebaetaasdoetuis 7 15 7 8 U Configuring IGMP MLD Bypass cccceecessceeceesseceseceseeeeeeeeseeceaeenseeneees 7 17 7 9 U Displaying Bypass Informations 015 lt sciscccsscdisecasccdeesavs iecdedeeidecsasedacadacciices 7 20 8 0 U CONFIGURING ACCESS CONTROL AND THE NETWORK MANAGER AA A E A T A 8 21 8 1 U Enable Disable Access MOode ccccccssccssssecssssecssscecssscecssececssscecsseseesseeeees 8 21 8 2 Gh Creating ai ACE ENY cnncta niii a o i a a a ia 8 22 8 3 U Deleting Access Mode and ACL Entries 0 ccccecccececeseceeeceeseeeseeceeenneeneees 8 24 8 4 CU Display ar ACL ENUY reie i a A eden sa E E Eas 8 25 8 5 U Configuring the Network Manager cccccccccessseesceceteceseeseeeeeeeenaeenteeeaaes 8 26 8 6 U Deleting the Network Manager ccicss cc cscasscissiteceesdesoactasste watesrdocerseivtadeiocantes 8 30 8 7 U Displaying Network Manager Information 0 ccccesceeeceeeseeeseeeeteeeeeeeeees 8 31 9 0 U MAINTAINING TACLANE o oeoooeoeoesesesesesescsesosososososososososososososososssssss 9 32 9 1 Uj Setting the D te and Tae se fae B03 csdacs cea bandla caozeds pantotzedteaiates buiedaateleass 9 32 9 2 CU Creating a COU ss tune tts vst ota
14. 550 Enabled TACLANE Secure Communication Operation amp This will enable Secure Communication Key Man mimic py Continue this operation Network RES Maintenance ZEROIZE HOME 2 Select YES to transition to secure communications Note The TACLANE is now in secure communications mode The RUN status LED is blinking indicating that the TACLANE is ready to process traffic 6 14 UNCLASSIFIED FOR OFFICIAL USE ONLY Interface amp Operator s Guide UNCLASSIFIED FOR OFFICIAL USE ONLY uTL 027 05 10 July 2007 6 8 U Security Association Info SA Table Introduction U FOUO The operator may view modify or delete Security Associations while in offline or in secure comm mode Notes U FOUO The following notes apply to displaying SA information e TACLANE must be offline or in secure comm state to display SA information e Static routes are not displayed here one must go to static routes screens to see the static routing table Procedure U FOUO Follow these steps to display SA information Step Action 1 From the MAIN MENU select Operation gt SA Info gt SA Table Result The following screen is displayed GENERAL DYNAMICS TACLANE Micro Revision 3 3 Device Name TACLANE Micro Serial Number A000300400A8 Security Level Unclassified Device State Secure Comm gt gt Operation gt gt Security Association Info gt gt 54 Table 550 Enabled Security Associ
15. Interface amp Operator s Guide UNCLASSIFIED FOR OFFICIAL USE ONLY uTL 027 05 10 July 2007 Firewalls U FOUO Any firewalls in the path between communicating TACLANEs Must P i IKF a nd ESP must be configured to pass SDD IKE and ESP See Appendix A Factory Default Settings for the port numbers for these protocols 3 7 U Operating the TACLANE TACLANE U FOUO The TACLANE Micro contains the following Front Panel Front Panels omponents UNCLASSIFIED FOUO GENERAL DYNAMICS BATTERY TACLANE Micro TAMPERED KG 175D ALARM _ RUN Feroze S H amp POWER PRESS 3X 4 CIK S E UNCLASSIFIED FOUO Figure 3 7 1 U TACLANE Micro KG 175D Front Panel Component Description CONSOLE Port The HMI port is an RJ 45 Ethernet interface that connects to a PC providing the HMI interface for the TACLANE Micro This interface also supports field software upgrades POWER Button Power switch for the TACLANE ZEROIZE Button Invokes zeroize function when ZEROIZE button is pressed three 3 times in less than 10 seconds whether TACLANE is ON or OFF 3 10 UNCLASSIFIED FOR OFFICIAL USE ONLY Interface amp Operator s Guide UNCLASSIFIED FOR OFFICIAL USE ONLY uTL 027 05 10 July 2007 Component Description Status LEDs POWER green Illuminates when unit is powered on RUN green Illuminates continuously when in Offline state not secure user traff
16. PrePlaced Key SDD Assignment Operation Maintenance gt PrePlaced Key Chain Info Key Management Chain Id 3 ER Security Level Confidential Security Effective Date 02 12 2007 System RETURN TO CHAINS 1IPv4 Multicast Address Select DELETE to delete the PrePlaced Key assignment If deleting the PPK SDD Assignment select OK to confirm 6 9 UNCLASSIFIED FOR OFFICIAL USE ONLY Interface amp Operator s Guide UNCLASSIFIED FOR OFFICIAL USE ONLY uTL 027 05 10 July 2007 6 5 U Entering Initialized State Introduction Notes Procedure U FOUO The operator may enter Initialized state U FOUO The following notes apply to Initialized e TACLANE must be offline or secure comm in order to enter initialized state e Transitioning to Initialized from any other state forces a device restart e Initialized state is a quiescent state that enables configurations to be set that will be applied upon state transition This is convenient because some configurations force a restart except for when they are performed in this state U FOUO Follow these steps to enter Initialized Step Action l From the MAIN MENU select Operation gt Initialize Result The following screen is displayed GENERAL DYNAMICS TACLANE Micro Revision 3 3 Serial Number 400030040048 Device State Secure Comm gt gt Operation gt gt Initialize TACLANE Initialize Ma
17. assuming proxy ARP support on all PT gateways U FOUO For optimum performance PT side hosts and routers should reduce their MTU size by 100 bytes for each matched pair of TACLANEs the traffic passes through This allows for the addition of the AH and ESP headers to each encrypted datagram without causing fragmentation U FOUO PT side hosts and routers fronted by a TACLANE with Fixed Packet Length processing enabled should set their MTU size equal to the fixed packet length of the fronting TACLANE This improves performance by avoiding fragmentation in the TACLANE prior to encryption and reduces the amount of reassembly required by destination hosts Note that if the FPL fragment discard parameter of the fronting TACLANE is set to DISCARD then PT side hosts and routers must set their MTU size no greater than the fixed packet length of the TACLANE Continued on next page B 3 UNCLASSIFIED FOR OFFICIAL USE ONLY Interface amp Operator s Guide UNCLASSIFIED FOR OFFICIAL USE ONLY uTL 027 05 10 July 2007 General IP Ethernet Configuration Tips continued Multicast IP Datagram Support TACLANE Nesting Auto recovery PPK Takes Precedence Over FIREFLY Firewalls Must Pass SDD IKE and ESP ARP Cache Flushing U FOUO TACLANE allows PPKs to be assigned to Class D addresses in support of IP multicast U FOUO PT multicast traffic is encrypted and sent to the same multicast address U FOUO TAC
18. s Guide UNCLASSIFIED FOR OFFICIAL USE ONLY uTL 027 05 10 July 2007 9 10 U Displaying Download Servers Introduction U FOUO The operator can display FSU download servers Important U FOUO The following notes apply to displaying FSU download servers Notes e Only the SSO can access this command Procedure U FOUO Follow these steps to displaying FSU download servers The display capabilities have been integrated with the configure capabilities See section 9 8 9 45 UNCLASSIFIED FOR OFFICIAL USE ONLY Interface amp Operator s Guide UNCLASSIFIED FOR OFFICIAL USE ONLY uTL 027 05 10 July 2007 9 11 U Configure Download TFTP Settings Introduction U FOUO The operator can configure TFTP settings for FSU These settings are used during the TFTP file transfer i e download from the download server Important U FOUO The following notes apply to configuring TFTP settings Notes e Only the SSO can access this command Procedure U FOUO Follow these steps to configure TFTP settings Step Action 1 From the MAIN MENU select Maintenance gt Field Software Upgrade gt TFTP Settings Result The following screen is displayed GENERAL DYNAMICS TACLANE Micro Revision 3 3 Device Name TACLANE Micro Serial Number 400030040048 Security Level Unclassified Device State OffLine gt gt Maintenance gt gt Field Software Upgrade gt gt TFTP Settings 2 Manage Download TET
19. 77 22 1 52 5 12 30 1 82 5 68 30 Host p1 p2 17 0 29 TACLANE S S a TACLANE p1 p2 10 16 29 Host A2 12 22 B2 10 0 21 1 10 0 12 2 10 0 22 1 GRE Tunnel 22 10 0 22 2 UNCLASSIFIED FOUO Figure B 8 3 U Using Four GRE Tunnels to Provide Double Ended TACLANE Redundancy without Router Redundancy B 28 UNCLASSIFIED FOR OFFICIAL USE ONLY Interface amp Operator s Guide Partial Device Configurations UNCLASSIFIED FOR OFFICIAL USE ONLY uTL 027 05 10 July 2007 U FOUO The following table contains partial configurations for devices in this example TACLANE 11 Static Routes TACLANE 21 Static Routes Net ID Net Mask TLCT IP pl p2 11 68 255 255 255 252 1 s2 5 66 pl p2 11 76 255 255 255 252 1 s2 5 70 Net ID Net Mask TL CT IP pl p2 12 12 255 255 255 252 1 s2 5 10 pl p2 12 16 255 255 255 252 1 s2 5 14 TACLANE 12 Static Routes TACLANE 22 Static Routes Net ID Net Mask TL CT IP Net ID Net Mask TL CT IP pl p2 11 64 255 255 255 252 s1 s2 5 66 pl p2 12 10 255 255 255 252 s1 s2 5 10 pl p2 11 72 255 255 255 252 __ s1 s2 5 70 pl p2 12 18 255 255 255 252 s1 s2 5 14 Hosts A1 and A2 Hosts B1 and B2 Default gateway p1 p2 17 1 Default gateway p1 p2 10 18 Partial Device Configuration s continued U FOUO The partial configurations listed below have been tested with Cisco routers that support BGP and GRE tunnel configuration Red Router A Red Router B interfac
20. C 9 C C cr C C C C 4 11 UNCLASSIFIED FOR OFFICIAL USE ONLY Interface amp Operator s Guide UNCLASSIFIED FOR OFFICIAL USE ONLY uTL 027 05 10 July 2007 Select the radio button next to an active or empty PPK Chain Id to which the new PPK will be associated and MANAGE KEYS IN CHAIN Result The following screen is displayed GENERAL DYNAMICS TACLANE Micro Revision 3 3 Device Name TACLANE Micro Serial Number AO00300400A8 Security Level Unclassified Device State OffLine gt gt Key Management gt gt PrePlaced Key 550 Enabled Manage PrePlaced Keys In Chain Operation gt ae 8 There are no PrePlaced Keys to display in this chain Maintenance gt PrePlaced Key Chain Info Chain Id 1 Type Security Level Algorithm RETURN TO CHAINS Effective Date Short Title Edition Segment Fill PPK at end of chain Note Selecting a PPK Chain Id is necessary to access Key Processing Commands to Manage the Keys associated with a chain 4 12 UNCLASSIFIED FOR OFFICIAL USE ONLY Interface amp Operator s Guide UNCLASSIFIED FOR OFFICIAL USE ONLY uTL 027 05 10 July 2007 Select FILL to continue the fill operation Result The following screen is displayed GENERAL DYNAMICS TACLANE Micro Revision 3 3 Device Name TACLANE Micro Serial Number A00030040048 ity Level Unclassified Device State OffLi
21. ENABLED Key Management Network Security System 7 9 UNCLASSIFIED FOR OFFICIAL USE ONLY Interface amp Operator s Guide UNCLASSIFIED FOR OFFICIAL USE ONLY uTL 027 05 10 July 2007 7 5 U Configuring TOS DSCP Bypass Introduction Notes TOS Bypass Parameter and Processing U FOUO The TOS bypass parameter can only be configured by the SSO The 8 bit TOS field in the IP header consists of the 6 bit Differentiated Services DS field and the 2 bit Explicit Congestion Notification ECN field The six bits of the DS field are used as a code point and referred to as the Differentiated Services Code Point DSCP The TOS bypass parameter only applies to PT to CT traffic and provides the TACLANE SSO the following options Enabled bypass or copy the 8 bit TOS value from PT IP header to the CT IP header However if the PT s 6 bit DSCP value is not one of the enabled DSCP values see the Accepted DSCP Values on the HMI screen then the TOS constant value is used Disabled do not bypass or copy the 8 bit TOS value from PT IP header to the CT IP header Instead always use the operator defined TOS Constant value in the CT IP header U FOUO The following notes apply to configuring the TOS bypass parameter e Only the SSO has the privilege to configure the TOS bypass parameter e An audit log entry is generated when the TOS bypass parameter is modified U
22. FOR OFFICIAL USE ONLY Interface amp Operator s Guide UNCLASSIFIED FOR OFFICIAL USE ONLY wTL 027 05 10 July 2007 Procedure U FOUO Follow these steps to enter or modify the TACLANE IP addresses Step Action l From the MAIN MENU select Network gt IP Comm gt IPv4 Addresses Result The following screen is displayed TACLANE Micro Revision 3 3 Serial Number 400030040048 State OffLine GENERAL DYNAMICS Device Name TACLANE Micro Security Level Unclassified De gt gt Network gt gt IP Comm gt gt IPv4 Addresses 550 Disabled IPv4 Addresses HMI IPv4 Address 192 168 0 1 PT IP 4 Information Active Address 148 10 127 55 8 Assigned Address 148 10 127 55 8 d d d di d Gateway 0 0 0 0 d d d d CT IPv4 Information Active Address 148 10 125 89 8 Assigned Address 148 10 125 89 8 d d d djd Gateway 0 0 0 0 d d d d Security System Save Changes Note The HMI IPv4 Address is for display only Type in the desired IP addresses For the PT and CT IP Addresses include a followed by the prefix length Note All IP addresses must be unique Note The CT and PT IP addresses may be in the same or in separate networks or subnetworks Select YES to save changes 5 5 UNCLASSIFIED FOR OFFICIAL USE ONLY Interface amp Operator s Guide UNCLASSIFIED FOR OFFICIAL USE ONLY uTL 027 05 10 July 2007 3 3
23. If the operator wishes to gain access to the Enable SSO Privileges command again the operator must select the Enable SSO Privileges command U FOUO The SSO PIN is valid for 180 days U FOUO If an SSO PIN has been entered via Enable SSO Privileges and the screen indicates that it is an expired SSO PIN then the operator is not allowed access to the SSO privileged commands without first generating a new SSO PIN U FOUO It is possible to update the SSO PIN prior to the SSO PIN expiration 9 56 UNCLASSIFIED FOR OFFICIAL USE ONLY Interface amp Operator s Guide UNCLASSIFIED FOR OFFICIAL USE ONLY uTL 027 05 10 July 2007 U Enable SSO Privileges continued SSO Privileges Expiration Forgotten PIN Notes U FOUO After 15 minutes of no SSO operator activity the SSO access to the privileged commands expires To gain access again the SSO operator needs to reissue the Enable SSO Privileges command and enter the valid SSO PIN U FOUO If the TACLANE is ever restarted the operator will need to re enter the PIN to enable access to the SSO privileged commands U FOUO If the operator has forgotten the current SSO PIN the only way to regain SSO privileges of the TACLANE is to perform the Field Tamper Recovery see section 10 3 on the TACLANE which resets the PIN to the factory default SSO PIN 123456789 U FOUO The following notes apply to the enable SSO privileges function e Th
24. Operator s Guide UNCLASSIFIED FOR OFFICIAL USE ONLY uTL 027 05 10 July 2007 Step Action 1 From the MAIN MENU select Operation gt Offline Result The following screen is displayed GENERAL DYNAMICS TACLANE Micro Revision 3 3 Device Name TACLANE Micro Serial Number A000300400A8 Security Level None Selected Device State Initialized gt gt Operation gt gt Offline TACLANE offline Operation Maintenance All traffic will be interrupted Key Management Continue the operation Network HES Security System Select YES to transition to Offline 6 7 U Entering Secure Communications State Introduction U FOUO The operator may enter Secure Communications state to process all user and management traffic PPK Takes Precedence Over FIREFLY U FOUO For SAs a PPK assignment takes precedence over generating a FIREFLY TEK 6 12 UNCLASSIFIED FOR OFFICIAL USE ONLY Interface amp Operator s Guide UNCLASSIFIED FOR OFFICIAL USE ONLY uTL 027 05 Automated Peer TACLANE Discovery Remote TACLANE Static Routes Securing Multicast Traffic 10 July 2007 U FOUO TACLANEs support automated peer TACLANE discovery for SAs through the HAIPE IS Secure Dynamic Discovery SDD protocol as described in HAIPE IS v1 3 5 Once a peer TACLANE is identified the following occurs e PPK assignments are checked for a match based on the remote TACLANE IP addres
25. PT or CT side of the TACLANE with which the remote manager interfaces IP address of the remote manager Port number defaulted to 162 U FOUO A TACLANE can be managed from either its Plaintext PT or Ciphertext CT interface CT side management traffic is encrypted between the TACLANE fronting the GEM X and the managed TACLANE PT side management traffic is not encrypted it is intended to be used only to manage the TACLANE fronting the GEM X U FOUO The following notes apply to the network managers e The TACLANE supports up to 9 network managers e ManagerX where X equals the current number of SNMP managers currently configured for the ECU plus one is the default manager name for each SNMP manager e The TACLANE will not have default Network Managers e The local HMI operator needs to configure at least 1 Network Manager to enable remote management The same Network Manager Name and password must be defined at a Security Manager Workstation before the TACLANE can be managed by that Network Manager from the Security Manager Workstation Continued on next page 8 26 UNCLASSIFIED FOR OFFICIAL USE ONLY Interface amp Operator s Guide UNCLASSIFIED FOR OFFICIAL USE ONLY uTL 027 05 10 July 2007 U Configuring the Network Manager continued Secure Remote Management Using SNMP Notes U FOUO TACLANEs can be managed by GEM X using SNMPv3 using the portions of the standard MIBs listed belo
26. S l O S P O L l O S I O S l O S P PING Configuration l O S SSO R I O S SA Info Static Routes SA Table Field Software Route Management O S Upgrade I O S Servers Delete All Routes l O S SSO I O S TFTP Settings raffic Flow Securit y Legend l O S SSO Upgrade IS Secure Comm Management Fixed Packet Length Cryptography Active l O S SSO l O S P Mode Bypass I O S P PSEQN Check lI O S P Logs O Offline Mode Event Log LO S Audit Log I O S Initialized Mode L In Security Level P Contains Additional Functionality for SSO Privileged Operator Delete Audit Log I O S SSO R Restart Occurs ISSO SSO Privileges Required to Access this Page 3 16 UNCLASSIFIED FOR OFFICIAL USE ONLY Interface amp Operator s Guide 4 0 4 1 DTD SKL Obtaining DTDs and SKLs Through Military Supply Obtaining DTDs Through COMSEC Utility Program CUP Obtaining DTDs and SKLs from Manufacturer UNCLASSIFIED FOR OFFICIAL USE ONLY uTL 027 05 10 July 2007 U FILLING AND MANAGING KEYS U Obtaining DTDs SKLs and Keys U FOUO The Data Transfer Device DTD AN CYZ 10 V3 and the Simple Key Loader SKL can be used to fill TACLANEs with FIR
27. Security Level Unclassified Device State OffLine gt gt Key Management gt gt FIREFLY Vector Set Manage FIREFLY Vector Set Operation Martenance gt KMID 000000000001004 Key Management y Classification u fee A Capability EFF Gane US Type Operational Universal Id 1311 Universal Edition 01 Next Edition Current FFYS Expires On 12 31 2005 Next FFYS Expires On Oroes alet System 2 Select DELETE to delete the FIREFLY vector set 4 7 UNCLASSIFIED FOR OFFICIAL USE ONLY Interface amp Operator s Guide UNCLASSIFIED FOR OFFICIAL USE ONLY uTL 027 05 10 July 2007 4 5 U Displaying the FIREFLY Vector Set Information Introduction U FOUO The operator can display the information associated with the operational FIREFLY vector set Procedure U FOUO Follow these steps to display the FIREFLY vector set information Step Action l From the MAIN MENU select Key Management gt FIREFLY Vector Set Result The following screen is displayed GENERAL DYNAMICS TACLANE Micro Device Name TACLANE Micro 5 umber A000300400A8 Security Level Unclassified Device State OffLine gt gt Key Management gt gt FIREFLY Vector Set 550 Disabled Display FIREFLY Vector Set Operation Maintenance KMID 000000000001002 Key Management Classification u Nee Capability BFF EFF Security Type Operational System Universal Id 1311 Universal Edition 0i Next Edition
28. TACLANE Micro Revision 3 3 U Deleting a CIK U FOUO The SSO operator can delete a User CIK U FOUO The following notes apply to deleting a CIK e Only the SSO has the privilege to delete a CIK e A CIK may not delete itself e The active CIK cannot be deleted 9 38 UNCLASSIFIED FOR OFFICIAL USE ONLY Interface amp Operator s Guide UNCLASSIFIED FOR OFFICIAL USE ONLY uTL 027 05 10 July 2007 Procedure U FOUO Follow these steps to delete a CIK Step Action 1 From the MAIN MENU select Security gt CIK Management Result The following screen is displayed GENERAL DYNAMICS soe Revision 3 3 Device Name TACLANE Micro Serial Number 4000300400A8 Security Level None Selected Device State Initialized gt gt Security gt gt CIK Management 550 Enabled CIK Management Operation E Cik 1 ACTIVE Key Management CIK 2 CREATED Network CIK 3 EMPTY 2 Select DELETE next to the CIK to be deleted 9 4 U Displaying CIK Information Introduction U FOUO The operator can display the CIK configuration information Procedure U FOUO Follow these steps to display the CIK information The display capabilities have been integrated with the create capabilities See section 9 2 9 39 UNCLASSIFIED FOR OFFICIAL USE ONLY Interface amp Operator s Guide 9 5 U Restarting the TACLANE Introduction Note Procedure UNCLASSIFIED F
29. The default setting for this parameter is Disabled U FOUO ICMP messages received through the PT interface and not destined for the TACLANE s PT IP address are encrypted and treated as user traffic Continued on next page 7 15 UNCLASSIFIED FOR OFFICIAL USE ONLY Interface amp Operator s Guide UNCLASSIFIED FOR OFFICIAL USE ONLY uTL 027 05 10 July 2007 U Configuring PMTU Bypass continued Procedure U FOUO Follow these steps to configure the PMTU Bypass parameter Step Action l From the MAIN MENU select Security gt Traffic Flow Security gt Bypass Result The following screen is displayed GENERAL DYNAMICS TACLANE Micro Revision 3 3 gt gt Security gt gt Traffic Flow Security gt gt Bypass 550En bsd Configure Bypass Operation Maintenance J Don t Fragment Bit Bypass Key Management Bit Setting pal J PMTU Bypass J IGMP MLD Bypass MV TOS Bypass TOS Constant 00000000 binary HOME Accepted DSCP Values Glick element to enable or disable DSCP value cso csi cs2 cs3 CS4 css CS6 cs 000001 001001 010001 011001 100001 101001 110001 111001 000010 AF11 AF21 AF31 AF41 101010 110010 111010 000011 001011 010011 011011 100011 101011 110011 111011 000100 AF12 AF22 AF32 AF42 101100 110100 111100 000101 001101 010101 011101 100101 101101 110101 111101 000110 AF13 AF23 AF33 AF43 EFPHB 110110 111110 000111 001111 010111 011111 100111 101111 110111 111111 SET
30. U Modifying the TACLANE MTU Size Introduction U FOUO The operator may modify the TACLANE Maximum Transfer Unit MTU size The MTU size is the length in bytes of the largest IP datagram the TACLANE sends without fragmenting the IP datagram MTU and U FOUO For optimum performance when FPL is enabled PT side hosts FPL and routers may require modifications to their MTU settings See section B 3 of Appendix B for more information Notes U FOUO The following notes apply to modifying the MTU size e TACLANE defaults the MTU size to 1500 bytes The maximum possible MTU size is 1500 bytes The minimum possible MTU size is 68 bytes e TACLANE disregards the Don t Fragment DF bit in the IP header because ESP increases the packet size which can create packets that require fragmentation to comply with MTU 5 6 UNCLASSIFIED FOR OFFICIAL USE ONLY Interface amp Operator s Guide UNCLASSIFIED FOR OFFICIAL USE ONLY uTL 027 05 10 July 2007 Procedure U FOUO Follow these steps to modify the TACLANE MTU size Step Action 1 From the MAIN MENU select Network gt IP Comm gt MTU Result The following screen is displayed GENERAL DYNAMICS am maaan evision 3 3 gt gt Network gt gt IP Comm gt gt MTU Operation gt Maintenance By cmu 1500 68 1500 Key Management gt Save Changes Device Name TACLANE Micro Serial Number 400030040048 Security Level Unclassified Device State
31. e The operator must delete any existing FIREFLY vector set before filling a new FIREFLY vector set See Section 4 7 Deleting the FIREFLY Vector Set or must allow a new FIREFLY vector set to supersede an existing FIREFLY vector set 4 3 UNCLASSIFIED FOR OFFICIAL USE ONLY Interface amp Operator s Guide UNCLASSIFIED FOR OFFICIAL USE ONLY uTL 027 05 10 July 2007 Procedure U FOUO Follow these steps to fill the FIREFLY vector set Step Action 1 From the MAIN MENU select Key Management gt FIREFLY Vector Set Result The following screen is displayed GENERAL DYNAMICS TACLANE Micro Revision 3 3 Device Name TACLANE Micro Serial Number AO00300400A8 Security Level Unclassified Device State OffLine gt gt Key Management gt gt FIREFLY Vector Set 2 se Manage FIREFLY Vector Set Operation 8 There are currently no FIREFLY Vector Sets to display Maintenance Key Management KMID Network Classification Capability Security Type Universal Id System Universal Edition Next Edition Current FFYS Expires On Next FFYS Expires On FILL Note _If there is an existing FFVS the current values are displayed on the screen 4 4 UNCLASSIFIED FOR OFFICIAL USE ONLY Interface amp Operator s Guide UNCLASSIFIED FOR OFFICIAL USE ONLY uTL 027 05 10 July 2007 Select FILL to begin fill Result The following screen is displayed GENERAL DYNAMICS TA
32. 05 10 July 2007 2 3 U Capabilities TACLANE Micro Capabilities Periods Processing at Multiple Levels U FOUO TACLANE Micro supports IP datagram encryption over an Ethernet 10 100Base TX or 100Base FX physical interface e 200 Mbps aggregate throughput full duplex e HAIPE IS v1 3 5 compliant IP encryption e 512 security associations supported for user traffic one security association protects all user traffic between a given pair of TACLANEs e Automated peer TACLANE discovery for security associations using Secure Dynamic Discovery SDD e PPK or dynamically generated FIREFLY TEK for each security association e Enhanced FIREFLY EFF support e Up to 16 PPK chains to be used for user traffic and SDD with up to eleven changeover PPKs in each PPK chain e IP TFS controls Fixed Packet Length PSEQN Checking Type of Service DSCP Bypass DF Bit bypass IGMP Bypass PMTU Bypass e Auto Negotiating 10Base T vs 100Base TX Ethernet interface e Static multicast with PPK e Remote TACLANE static routes e Over the Network Software Download and Field Software Upgrade e Up to 9 simultaneous network managers U FOUO TACLANE can communicate at multiple security levels one level at any given time The SSO privileged operator selects the security level TACLANE products no longer support multilevel FIREFLY Vector Sets The classification level of the vector set must match the operating level of the TACLANE to be ac
33. 10 July 2007 B 5 U Connecting Networks Using a Different IP Encryptor Introduction U FOUO In this example there are users behind TACLANEs and users behind different IP encryptors that need to intercommunicate TACLANE U FOUO A solution is to provide a TACLANE encryption gateway Such repel ie a gateway consists of a TACLANE and a different IP encryptor connected either back to back directly or back to back via a PT side router There are two basic scenarios The first scenario is connecting two networks where one network uses TACLANE and the other network uses a different IP encryptor The second scenario is connecting many subnet enclaves where some subnets use TACLANE and some subnets use a different IP encryptor Lome ane U FOUO To directly connect two networks the TACLANEs are connected wo Networks back to back directly This solution is shown in the diagram below Router A and Router B represent the connection between the two networks UNCLASSIFIED FOUO CT Router enet TACLANE i Router Device UNCLASSIFIED FOUO Figure B 5 1 U TACLANE Encryption Gateway Connecting Two Networks onner anig U FOUO To connect many subnet enclaves where some subnets use Meng ene TACLANE and some subnets use a different IP encryptor a TACLANE encryption gateway is needed that can be reached from anywhere in the network This solution is shown in the figure below Note that routers do not need to be configu
34. 2007 SA Messages The device was unable to delete the Static Route because another manager was updating the device at the same time Another manager has updated the device Check the data for possible updates Resubmit the desired changes No Static Routes to display starting from the specified address Select different address range to view possible static routes The device was unable to process the operation because another manager was updating the device at the same time Another manager has updated the device Check the data for possible updates Resubmit the desired changes The device was unable to delete all of the Static Routes Resubmit the desired changes The device was unable to update the Security Association Configuration settings because another manager was modifying the device at the same time Another manager has updated the device Check the data for possible updates Resubmit the desired changes The Security Association Configuration settings were not updated Resubmit the desired changes The device was unable to delete the Security Association because another manager was updating the device at the same time Another manager has updated the device Check the data for possible updates Resubmit the desired changes The device was unable to delete the selected host because another manager was updating the device at the same time Another mana
35. 3 Device Name TACLANE Micro Serial Number A000300400A8 Security Level Unclassified Device State OffLine gt gt Security gt gt Traffic Flow Security gt gt PSEQN Check 2 550 Enabled Configure Payload Sequence Number Check Operation Maintenance JV PSEQN Checking Key Management a 2 Save Changes n es Security System 2 Select the checkbox next to PSEQN Checking If the box is checked a checkmark is present in the box then PSEQN Checking is enabled If the box is empty no checkmark present in the box then PSEQN Checking is disabled 3 Select YES to save the changes 7 8 UNCLASSIFIED FOR OFFICIAL USE ONLY Interface amp Operator s Guide UNCLASSIFIED FOR OFFICIAL USE ONLY uTL 027 05 10 July 2007 7 4 U Displaying Payload Sequence Number Check Information Introduction U FOUO The operator can display the payload sequence number check information Procedure U FOUO Follow these steps to display the payload sequence number check information Step Action 1 From the MAIN MENU select Security gt Traffic Flow Security gt PSEQN Check Result The following screen is displayed GENERAL DYNAMICS TACLANE Micro Revision 3 3 e TACLANE Micro S mber A00030040048 Unclassified tate Secure Comm gt gt Security gt gt Traffic Flow Security gt gt PSEQN Check Display Payload Sequence Number Check Operation Maintenance PSEQN Checking
36. 3 4 1 U TACLANE Micro Mounting Information 3 5 UNCLASSIFIED FOR OFFICIAL USE ONLY Interface amp Operator s Guide UNCLASSIFIED FOR OFFICIAL USE ONLY uTL 027 05 10 July 2007 UNCLASSIFIED FOUO HOLE CHART HOLE Ba COUNT DESCRIPTION NOTES f4 40 UNC 188 DEEP f4 40 UNC 188 DEEP UNC 188 DEEP 50 55 SQ R 12 MAX RADIUS CORNERS EACH HOLE CODED A HAVE A STAINLESS STEEL HELICAL INSERT GENERAL REQUIREMENT FOR HARDWARE SELECTION 1S 4 40 UNC SCREW SUCH THAT THE REACH OF THE SCREW INTO THE HOLE DOES NOT EXCEED 157 THE THRU HOLE THROUGH THE PANEL IS SUGGESTED TO BE 140 156 NOTES REF FOR GENERAL DYNAMICS TRAY PRODUCT GENERAL DUTY THE TRAY THICKNESS IS 093 MAX 100 FLATHEAD SCREWS USABLE WITH THIS TRAY PRODUCT ARE MS24693 1 3 167L MS24693 2 1 47L WHEN PUNCH METHOD IS USED FOR SUPPORTING SURFACE THE HOLES CODED B MAY BE SHARP CORNER THE FOUR SQUARE HOLE FEATURES ARE REQUIRED TO SEAT THE TACLANE MICRO DEVICE 3 FASTENING TACLANE MICRO WITH DEVICE RESTING ON THE FOUR RAISED FEET 1 E GAP BETWEEN MOUNTING SURFACE AND TACLANE MICRO S BOTTOM COVER I5 NOT RECOMMENDED 4 FOR TACTICAL ENVIRONMENT PAN HEAD SCREWS WITH LOCKING HARDWARE RECOMMENDED UNCLASSIFIED FOUO 3 5 U Installing TACLANE Cables Rear Panel U FOUO Refer to the diagram below when installing TACLANE cables 3 6 UNCLASSIFIED FOR OFFICIAL USE ONLY Interface amp Operator s Guide UNCLASSI
37. 5 3 UNCLASSIFIED FOR OFFICIAL USE ONLY Interface amp Operator s Guide UNCLASSIFIED FOR OFFICIAL USE ONLY uTL 027 05 10 July 2007 5 2 U Entering Modifying the TACLANE IP Addresses Introduction U FOUO TACLANE requires an IP address for IP communication with the PT side of the TACLANE and a CT IP Address for IP communication with the CT side of the TACLANE TACLANE supports a PT default gateway for routing packets exiting the PT interface that are not on the local PT network also known as off network Likewise TACLANE supports a CT default gateway for routing packets exiting the CT interface that are not on the local CT network Notes U FOUO The following notes apply to entering modifying the TACLANE IP addresses e The CT and PT IP addresses must include the prefix length e The Active Address values displayed are the current values used on the interfaces The Assigned Address values will take effect after the next restart e The Gateway address becomes active upon saving changes to IP addresses without a need to restart e The Gateway address must be consistent with the corresponding Active Address e g PT Gateway must be consistent with the PT Active Address e The TACLANE can be configured with its CT and PT IP addresses in the same or in different subnets e The CT and PT IP addresses must be unique such that no host or remote device e g another TACLANE uses these IP addresses 5 4 UNCLASSIFIED
38. Action 1 Restart the TACLANE See Section 9 5 Restarting the TACLANE 10 76 UNCLASSIFIED FOR OFFICIAL USE ONLY Interface amp Operator s Guide 10 7 UNCLASSIFIED FOR OFFICIAL USE ONLY U Troubleshooting General Problems General Problems software version U FOUO The table below describes general TACLANE problems their causes and solutions Also see applicable Release Notes for the TACLANE removal during CIK write Problem Cause Solution TACLANE does not power up No power Check power source and connections TACLANE keeps asking for a Invalid CIK Check that a valid CIK is valid CIK to be inserted inserted CIK damaged or corrupted by A damaged or corrupted CIK cannot be recovered Another valid CIK copy can be used if available If no valid CIK copy is available the TACLANE needs to be serviced Cannot create CIK Error CIK device is bad Try different CIK reading from CIK Remove CIK Cannot create CIK Error CIK device is bad Try different CIK writing to CIK Remove CIK 10 77 UNCLASSIFIED FOR OFFICIAL USE ONLY uTL 027 05 10 July 2007 Interface amp Operator s Guide 10 8 UNCLASSIFIED FOR OFFICIAL USE ONLY U Troubleshooting Filling and Managing Keys Problems with U FOUO The table below describes TACLANE problems with filling and Manes P managing keys their causes and solutions Also see applic
39. CIK U FOUO One CIK is provided when a TACLANE Micro arrives from the factory A Key Storage Device a blank CIK is also included with the TACLANE General Dynamics recommends that the operator use this KSD to create a second CIK for the unit One of the two CIKs should then be tagged and kept in a safe place while the other CIK is used for normal TACLANE operation 3 11 UNCLASSIFIED FOR OFFICIAL USE ONLY Interface amp Operator s Guide UNCLASSIFIED FOR OFFICIAL USE ONLY uTL 027 05 Starting Up the TACLANE 10 July 2007 U FOUO Follow these steps to startup the TACLANE Note These steps assume that the operator PC has been configured as described in section 2 4 with the web browser application running with the address of the TACLANE Micro Console port entered in the address window of the web browser Step Action 1 Turn on the TACLANE Note It is recommended that the CIK be inserted before turning on the TACLANE Micro If it is not when the CIK is required to continue the startup sequence will pause prompt the operator to insert the CIK and continue after the CIK has been inserted see step 2 Note Do not remove the CIK during startup or restart Doing so may invalidate the CIK because of a CIK write error Note Do not power down the TACLANE during the power up sequence Doing so may invalidate the CIK 2 CIK not inserted in the TACLANE Result The following screen is displayed
40. CIK creation failed Tamper Recovery continuing Read of CIK is successful write fails during the creation of the Recovery CIK during Field Tamper Recovery Field Software Upgrade Messages The device was unable to configure the Download Servers because another manager was updating the device at the same time Another manager has updated the device Check the data for possible updates Resubmit the desired changes The Download Server entry could not be deleted because a download is in process Wait for the download to complete before deleting the download server The device was unable to update the selected Download Server entry Resubmit the desired changes The device was unable to update the selected Download Server entry because a download is in process Wait for the download to complete before deleting the download server The selected Download Server is not configured Select a download server that is configured before performing the operation The device was unable to modify the Download Servers because another manager was updating the device at the same time Another manager has updated the device Check the data for possible updates Resubmit the desired changes The device was unable to configure the TFTP settings because another manager was updating the device at the same time Another manager has updated the device Check the data for possible upd
41. Class B network 148 10 0 0 Although every other component in the network is configured to use the proper 24 bit subnet mask the TACLANEs are configured with the standard Class B mask This solution fools the TACLANEs into thinking everything is on the same network When a TACLANE relays an ARP from the CT to PT side the router proxy ARP replies if the IP address is located behind it U FOUO Another option is to place extra routers on the CT side of each TACLANE placing each TACLANE in its own IP subnet This example solution is shown in the figure below B 19 UNCLASSIFIED FOR OFFICIAL USE ONLY Interface amp Operator s Guide UNCLASSIFIED FOR OFFICIAL USE ONLY uTL 027 05 10 July 2007 UNCLASSIFIED FOUO CT PT Router TACLANE Router A2 A A CT PT Router TACLANE B2 B CT PT TACLANE C UNCLASSIFIED FOUO Figure B 7 3 U Added Router Configuration How it Works U FOUO This solution provides one destination IP address for each TACLANE to forward off net CT datagrams to Each added router becomes a CT Default Gateway for each respective TACLANE The added routers take care of routing datagrams to the proper destination Manual PPK U FOUO Another option is to manually configure each TACLANE with IP Configuration ppg assignments including each remote host IP address that is reachable behind every other TACLANE This example solution is shown in the figure below B 20 UNCLASSIFIED FOR OFFIC
42. FOUO TACLANE software incorporates IP Traffic Flow Security features in accordance with version 1 3 5 of the HAIPE IS Traffic Flow Specification These features prevent reduce compromise of sensitive information due to certain types of attacks Configuration of IP TFS parameters is restricted to the SSO it is only possible to modify IP TFS parameters when the SSO privileges are enabled The IP TFS features include e Fixed Packet Length FPL for outgoing CT encrypted traffic e Payload Sequence Number PSEQN checking for incoming CT encrypted traffic e Type of Service including DSCP bypass control e Don t Fragment DF Bit bypass control e IGMP bypass control e PMTU bypass control U FOUO Please see the chapter on Configuring IP Traffic Flow Security Parameters for more information U FOUO The full functionality of the TACLANE Micro can be remotely managed by GEM X or an equivalent SNMPv3 Network Manager configured to use the GenDyn EmbeddedProducts Enterprise MIB and portions of the HAIPE MIB Enterprise MIB and standard MIBs listed below e GDC4S ASSIGNMENTS MIB Enterprises 1 3 6 1 4 1 576 e GDC4S ENCRYPTION PRODUCTS MIB e TACLANE MICRO COMMON MIB e TACLANE MICRO VERSION ONE MIB e GDC4S ENCRYPTION PRODUCTS COMMON MIB e NETWORKENCRYPTOR ENTERPRISE MIB e GDC4S EXPERIMENTAL TACLANE MICRO MIB e GDC4S HAIPE ASSIGNMENTS MIB e GDC4S HAIPE FEATURE HIERARCHY MIB e GDC4S HAIPE MANAGEMENT MIB e GDC4S HAIPE NETWOR
43. Management 6 20 6 22 Security gt Static Routes gt Route Management 6 23 Security gt Traffic Flow Security gt Bypass 7 13 Security gt Traffic Flow Security gt Fixed Packet Length 7 5 Security gt Traffic Flow Security gt PSEQN Check 7 9 Security gt Traffic Flow Security gt Bypass 7 15 7 17 7 20 Security gt PPK Assignment 6 8 Select security level 4 20 System gt Audit Log Threshold 9 34 System gt Info 9 25 System gt Network Managers 8 8 Zeroize 9 23 UNCLASSIFIED FOR OFFICIAL USE ONLY
44. OffLine aeoe _ MTU 2 Type in the desired MTU size 3 Select YES to save changes 5 7 UNCLASSIFIED FOR OFFICIAL USE ONLY Interface amp Operator s Guide UNCLASSIFIED FOR OFFICIAL USE ONLY uTL 027 05 10 July 2007 5 4 U PING Configuration Introduction U FOUO The operator may configure PING processing on the PT side and the CT side Notes U FOUO The following notes apply to PING configuration e TACLANE defaults the PT PING and CT PING to enabled e TACLANE ignores PINGs for its PT IP Address Received on the CT Interface e TACLANE ignores PINGs for its CT IP Address Received on the PT Interface Procedure U FOUO Follow these steps to modify the PING configuration Step Action 1 From the MAIN MENU select Network gt IP Comm gt PING Configuration Result The following screen is displayed TACLANE Mi cil ee Revision 33 Device Name TACLANE Micro Serial Number A000300400A8 Security Level Unclassified Device State OffLine gt gt Network gt gt IP Comm gt gt PING Configuration PING Configuration Operation Maintenance IV PT PING Enabled Key Management IV CT PING Enabled Save Changes Network Security System 2 To enable PT interface PING responses select the checkbox next to PT PING Enabled If the box is checked a checkmark is present in the box then PT PING processing is enabled If the box is empty no checkmark present
45. Removal Note Lithium Battery Notes U FOUO The operator can replace the battery The lithium battery has an estimated life of two years Exposure to extreme temperatures will reduce the lifetime However the lithium battery will last at least one year over all supported temperature ranges It is recommended to change the battery every 12 months or when the BATTERY LOW status LED is illuminated U FOUO The battery may be changed while the device is plugged in or while the device is not plugged in U FOUO It is recommended that the battery be changed while the device is plugged in because when the device is NOT plugged in there is a 30 second time limit to change the battery In the unplugged situation if the battery is not changed within 30 seconds TACLANE will TAMPER Therefore it is important that the operator has the new 3 6 V Lithium battery ready before starting U FOUO It is very important that the new battery be placed in correct polarity If the battery is inserted backwards there is a risk that the device will be damaged U FOUO When changing the battery with the device unpowered the TACLANE Micro will illuminate the Battery LED for five seconds upon battery replacement to indicate to the operator the battery is in correctly U FOUO TACLANE contains a lithium battery U CAUTION Do not incinerate lithium batteries because of the risk of explosion U FOUO The following notes apply
46. Routing Protocol Packets U FOUO Each GRE tunnel connects the client red router Router A and TACLANE with a different red router and TACLANE at the gateway enclave The routing protocol running on the red routers periodically sends keep alives or Hellos through the GRE tunnels to the routers on the other end A router will detect that a GRE tunnel is down when it ceases to receive routing protocol keep alives from the router at the other end of the tunnel The failure unavailability of a gateway TACLANE disables one GRE tunnel and causes the client red router to route packets for the gateway enclave or off base SIPRNET subnets through the other GRE tunnel gateway TACLANE router pair until the disabled GRE tunnel is again available The SIPRNET Router exchanges routing information with the gateway red routers and will route all packets for the client SIPRNET subnet to the gateway red router that continues to report a route GRE tunnel path to the subnet when the other gateway red router or its connected TACLANE fails or becomes unavailable U FOUO Note The interval between keep alives and the amount of time that the routing protocol will wait for a keep alive before declaring a tunnel down can be set so that failover occurs in a few seconds U FOUO The client router Router A and the SIPRNET Router automatically balance the load of packets they send to the two GRE tunnels gateway TACLANE router pairs when the cost of the
47. Software Upgrade gt Servers 9 12 9 13 Maintenance gt Field Software Upgrade gt TFTP Settings 9 15 Maintenance gt Field Software Upgrade gt Upgrade Management 9 17 9 20 Maintenance gt Logs gt Audit Log 9 36 Maintenance gt Logs gt Delete Audit Log 9 35 Maintenance gt Logs gt Event Log 9 37 Maintenance gt Security Administration gt Disable SSO Privileges 9 30 Maintenance gt Security Administration gt Enable SSO Privileges 9 29 uTL 027 05 10 July 2007 Maintenance gt Security Administration gt Generate SSO PIN 9 32 Modify static routes 6 22 Network gt Dynamic Discovery 6 1 Network gt Ethernet Comm 5 3 Network gt IP Comm gt IPv4 Addresses 5 5 Network gt IP Comm gt MTU 5 7 Network gt IP Comm gt PING Configuration 5 8 Operation gt Initialize 6 10 Operation gt Offline 6 12 Operation gt Restart 9 9 Operation gt SA Info gt SA Table 6 15 Operation gt Secure Comm 6 14 Operation gt Security Level 4 20 4 21 Parallel Detection 5 2 SA Host Administrative Timeout 6 25 SA Timeout 6 25 Security gt Access Control List 8 3 Security gt Access Mode 8 1 Security gt CIK Management 9 4 9 8 Security gt PPK Assign 6 6 Security gt PPK Assignment 6 3 Security gt SA Configuration 6 26 Security gt Static Routes gt Delete All Routes 6 24 Security gt Static Routes gt Route
48. TACLANE Micro power Kone GENERAL DYNAMICS ZEROIZE PRESS 3X E AMSBLIVEe CONSOLE UNCLASSIFIED FOUO Figure 2 4 1 U TACLANE Micro HMI Screen Format 2 12 UNCLASSIFIED FOR OFFICIAL USE ONLY Interface amp Operator s Guide UNCLASSIFIED FOR OFFICIAL USE ONLY uTL 027 05 10 July 2007 Screen Area Description Header Area U FOUO Within the Header Area of the TACLANE Micro HMI the following information is displayed Programmed Image Version System Name operator entered Device Serial Number same on unit HMI ESN and Station ID Device Security level e Device State Menu Area U FOUO The Menu Area contains button icons which provide HTML links to the web pages used to manage the TACLANE Micro The root menu is always displayed and contains the following menu items e Operation Maintenance Key Management Network Security System When the operator moves the on screen cursor over one of these root menu items the next lower level set of menu items pops up and in a similar fashion each successive lower level in the menu tree is displayed with an additional pop up Menu items have been added when necessary to support the increased functionality of the TACLANE Micro over earlier versions of the TACLANE The Menu Area also includes button icons for instant access to the Zeroize command and to command the display return to the Home screen Information Content
49. The following screen is displayed GENERAL DYNAMICS TAGCANE MIIO evision 3 3 e TACLANE Micro Serial Number 4000300400A8 vel Unclassified Device State OffLine gt gt Security gt gt Traffic Flow Security gt gt Fixed Packet Length ss0 Enabled Configure Fixed Packet Maintenance Mode ON FRAGMENT z hass Abb eae LS Length s00 aj Network Save Changes Security 2 Use the Mode pull down menu to select the mode ON FRAGMENT ON DISCARD or OFF options 3 Use the Length pull down menu to select the fixed packet length The minimum value is 176 and the maximum value is 1424 in increments of 48 4 Select YES to save changes 7 5 UNCLASSIFIED FOR OFFICIAL USE ONLY Interface amp Operator s Guide UNCLASSIFIED FOR OFFICIAL USE ONLY uTL 027 05 10 July 2007 7 2 U Displaying Fixed Packet Length Information Introduction U FOUO The operator can display the fixed packet length information Procedure U FOUO Follow these steps to display the fixed packet length information Step Action l From the MAIN MENU select Security gt Traffic Flow Security gt Fixed Packet Length Result The following screen is displayed GENERAL DYNAMICS TACLANE Micro Revision 3 3 Device Name TACLANE Micro Serial Number A000300400A8 Security Level Unclassified Device State Secure Comm gt gt Security gt gt Traffic Flow Security gt gt Fixed Packet 550 Disab
50. a particular chain Result The following screen is displayed GENERAL DYNAMICS TACLANE Micro Revision 3 3 e TACLANE Micro vel Unclassified gt gt Key Management gt gt PrePlaced Key _ 550 disabled Display PrePlaced Keys In Chain Operation e State OffLine Maintenance PrePlaced Key Chain Info Chain Id 1 nagement Type User Security Level Confidential Algorithm BATON Effective Date Short Title Edition Segment 02 26 2007 USEVD 00000000201 111111 4 0 03 01 2007 USEYD 00000000201 111111 B 0 04 01 2007 USEYD 00000000201 111111 C 0 05 01 2007 USEYD 00000000201 111111 D 0 Note Specific values depend on the particular PPK 4 8 U Deleting a PrePlaced Key Introduction U FOUO The SSO operator can delete a PrePlaced Key PPK Note U FOUO The following notes apply to deleting a PPK e Only the SSO can delete a PPK e Deleting a PPK deletes that PPK and all PPKs following it in the chain along with associated assignments 4 17 UNCLASSIFIED FOR OFFICIAL USE ONLY Interface amp Operator s Guide UNCLASSIFIED FOR OFFICIAL USE ONLY uTL 027 05 10 July 2007 Procedure U FOUO Follow these steps to delete a PPK Step Action 1 From the MAIN MENU select Key Management gt PrePlaced Key Result The following screen is displayed GENERAL DYNAMICS TACLANE Micro Revision 3 3 ne TACLANE Micr
51. are generated by the EKMS CF and are uniquely identified by the following information 1 Short Title 2 Edition 3 Segment When filled each PPK is associated with an effective date DTD DTDs are used to fill FIREFLY vector sets and PPKs SKL SKLs are used to fill FIREFLY vector sets and PPKs PPK PPK changeover replaces an old PPK with a new PPK The new Changeover changeover PPKs are filled in advance and each changeover is accomplished based on the effective date of the new changeover PPK Zeroize A panic zeroize deletes all keys U FOUO Below are basic TACLANE security concepts Concept Definition Secure Virtual TACLANE protected enclaves at one security level Network communicating across a base network at a different security level Secure Device state in which TACLANE secures user traffic Communication s Security An IP datagram tunnel secured by a TACLANE There is at most Association one set of active security associations between a given pair of TACLANEs at any time The set includes 1 duplex SA and one multicast SA All user IP datagram traffic passed between a pair of TACLANEs is protected using the same security association Initiator TACLANE at origin of security association Responder TACLANE at destination of security association 2 3 UNCLASSIFIED FOR OFFICIAL USE ONLY Interface amp Operator s Guide UNCLASSIFIED FOR OFFICIAL USE ONLY uTL 027 05
52. be enabled because a Security Association for this address may already exist Verify that a FIREFLY vector set does not already exist to the same remote INE or that the same PPK SA is not in the process of being disabled while trying to enable the same PPK assignment The PrePlaced Key Assignment could not be added Verify that the assignment does not already exist or the CT address does not match an existing entry The device was unable to configure SDD PrePlaced Key Assignment information because another manager was updating the device at the same time Another manager has updated the device Check the data for possible updates Resubmit the desired changes The device was unable to configure User PrePlaced Key Assignment information because another manager was updating the device at the same time Another manager has updated the device Check the data for possible updates Resubmit the desired changes Secure Dynamic Discovery configuration data was not saved Resubmit the desired changes The device was unable to process Secure Dynamic Discovery configuration because another manager was updating the device at the same time Another manager has updated the device Check the data for possible updates Resubmit the desired changes C 6 UNCLASSIFIED FOR OFFICIAL USE ONLY Interface amp Operator s Guide UNCLASSIFIED FOR OFFICIAL USE ONLY uTL 027 05 10 July
53. be sent 3 Select YES to save changes 9 64 UNCLASSIFIED FOR OFFICIAL USE ONLY Interface amp Operator s Guide UNCLASSIFIED FOR OFFICIAL USE ONLY uTL 027 05 10 July 2007 9 20 U Delete Audit Log Introduction Notes Procedure U FOUO This command allows the SSO operator to delete all Security Audit Log records on a TACLANE U FOUO The following notes apply to the Delete Audit Log function e Only the SSO can access this command U FOUO Follow these steps to delete audit log Ste Action 1 From the MAIN MENU select Maintenance gt Logs gt Delete Audit Log Result The following screen is displayed GENERAL DYNAMICS TACLANE Micro Revision 3 3 Security Level Unclassified Device State OffLine gt gt Maintenance gt gt Logs gt gt Delete Audit Log 2 550 Enabled Delete Audit Log Operation AIE ER All records will be removed from the Audit Log Key Management Delete Audit Log Network ZEROIZE HOME 2 Select YES to delete the audit log 9 65 UNCLASSIFIED FOR OFFICIAL USE ONLY Device Name TACLANE Micro Serial Number 400030040048 Interface amp Operator s Guide UNCLASSIFIED FOR OFFICIAL USE ONLY uTL 027 05 10 July 2007 9 21 U Display Audit Log Introduction U FOUO This command allows the operator to display the Security Audit Log records on a TACLANE Notes U FOUO The following notes
54. can be skipped and overwritten with earlier minor releases in the same major release General Dynamics will specify major and minor TACLANE software releases in their release notes U FOUO The TACLANE Micro s first release Release 3 3 is a major release U FOUO Note Image decryption will fail for a release that is not permitted as an upgrade to a currently installed TACLANE software release U FOUO Before beginning an FSU download make sure that you have the following e A configured FSU download server containing the FSU file to be downloaded e TFTP server configured and running on the download server Continued on next page 9 47 UNCLASSIFIED FOR OFFICIAL USE ONLY Interface amp Operator s Guide UNCLASSIFIED FOR OFFICIAL USE ONLY uTL 027 05 10 July 2007 U Download a FSU File continued TFTP File U FOUO Before beginning an FSU download the TFTP server on the ad download server that will be used for the download must be configured and ettings running e TFTP Port 69 e Base Directory location of FSU file on server e Server Interface IP address of server Tip U FOUO If an error occurs during the procedure such as a tamper condition or continuous alarm state Field Tamper Recovery may be used to reset the unit and generate a new User CIK See Section 10 3 Performing a Field Tamper Recovery for instructions Then return to this section and retry the Field Software Upgrade Proc
55. data for possible updates Resubmit the desired changes The provided TFS PSEQN Options cannot be set Resubmit the desired changes The device was unable to update the TFS Fixed Packet Configuration settings because another manager was modifying the device at the same time Another manager has updated the device Check the data for possible updates Resubmit the desired changes The provided TFS Fixed Packet Options cannot be set Resubmit the desired changes C 8 UNCLASSIFIED FOR OFFICIAL USE ONLY uTL 027 05 10 July 2007 Interface amp Operator s Guide UNCLASSIFIED FOR OFFICIAL USE ONLY Assign PPK 6 3 Configure Ethernet physical parameters 5 3 Configure IP Addresses 5 5 Configure MTU 5 7 Configure Pings 5 8 Configure SDD 6 1 Configure static routes 6 19 Delete FIREFLY vector set 4 7 Delete host form SA 6 17 Delete PPK 4 17 Delete PPK Assignment 6 8 Delete SA 6 16 Delete static routes 6 23 Disable PPK Assignment 6 6 Display FIREFLY vector set 4 8 Display Hosts on SA 6 16 Display PPK 4 16 Display SA Info 6 15 Enable PPK Assignment 6 6 Ethernet Auto negotiation 5 2 Exit security level 4 21 Fill FIRFELY vector set 4 4 Fill PPK 4 11 Key Management gt FIREFLY Vector Set 4 4 4 7 4 8 Key Management gt PrePlaced Key 4 11 4 16 4 18 Maintenance gt Battery 9 10 Maintenance gt Date Time 9 2 Maintenance gt Field
56. eal Wace se itd heh nl rete isthe 9 34 9 3 CU STs i a CIK Toe aer e eM edeate gas ae n dt ena aeaca igs aaa EE 9 38 9 4 U Displaying CIK Information 5 23 0 sic2 sccreeis sass ocak chsda hadieaesouceaeastenTaldiengtits 9 39 9 5 U Restarting the TACLANE s casos icicle inet nnna a aera 9 40 9 6 U Configure Battery Configurations s 2 sccsdaxe castecsatehiasiaadssavessasdaxssaauaatecsoneisasd 9 41 9 7 U Displaying Battery Installed Date and Type ou cee eeeecceesteceteceteeeeeeeeaees 9 42 9 8 U Configuring Download Servers cccccesccesscessceessecesecessecesecseceeeseecnaeceseessaes 9 42 9 9 U Delete Download Servers oct Sill cel hen uaa lins 2 aca ance eaaasetivan nneynateduetaeae 9 44 9 10 U Displaying Download Servers ecccescescesseeesseceseceeeceeeeeeseecsseceeeeeeeeensees 9 45 9 11 U Configure Download TFTP Settings cceeccecsseesseceseceeeeeeeeeeseecseeeteenees 9 46 9 12 COODownload amp FSU Piles cena sacchadstuseae a E i AE AE aia 9 47 v UNCLASSIFIED FOR OFFICIAL USE ONLY Interface amp Operator s Guide UNCLASSIFIED FOR OFFICIAL USE ONLY uTL 027 05 10 July 2007 9 13 AEDE vices it ke al aod Gl oh I meee een eat een nee git re DE Mem ee eT ee 9 50 9 14 U Zerorzine the TAGLANE visited 12 castes a tals oaseadnes taus voce E 9 52 9 15 U Systemi Inform tica iusto 5 sors caste a aer E e E EEEREN 9 54 9 16 U Enable SSO Privileges innne e e a A a E a a i a E 9 56 9 17 UL Disable SSO Privi
57. fill operation was unsuccessful due to a FIREFLY Vector Set being loaded instead of a PPK a PPK Fill Failed entry is placed in the audit log with reason DS 101 Parity Error 8 Disconnect the fill cable from the TACLANE fill port 4 15 UNCLASSIFIED FOR OFFICIAL USE ONLY Interface amp Operator s Guide UNCLASSIFIED FOR OFFICIAL USE ONLY uTL 027 05 10 July 2007 4 7 U Displaying PrePlaced Key Information Introduction U FOUO The operator can display the information associated with a PrePlaced Key PPK Procedure U FOUO Follow these steps to display PPK information Step Action l From the MAIN MENU select Key Management gt PrePlaced Key Result The following screen is displayed ENERAL DYNAMICS TACLANE Micro Revision 3 3 vak Uia gt gt Key Management gt gt PrePlaced Key 550Dissblsd Display PrePlaced Key Chains Operation Maintenance Chain Id Type Security Level Short Title Edition C 1 User Confidential USEYD 00000000201 111111 A 2 C 3 cl 4 O 5 e o z JE 8 C 9 u 12 e a 2 14 oO 15 C 16 4 16 UNCLASSIFIED FOR OFFICIAL USE ONLY Interface amp Operator s Guide UNCLASSIFIED FOR OFFICIAL USE ONLY uTL 027 05 10 July 2007 2 Select the radio button next to the PPK Chain Id and DISPLAY ENTIRE CHAIN to display a list of all the PPKs in
58. gt Enable 550 Privileges 550 Disabled Enable Site Security Officer Privileges Operation Maintenance PIN hy Key Management Submit PIN 2 Enter the valid SSO PIN and then select YES to submit this PIN for validation 9 59 UNCLASSIFIED FOR OFFICIAL USE ONLY Interface amp Operator s Guide UNCLASSIFIED FOR OFFICIAL USE ONLY uTL 027 05 10 July 2007 9 17 U Disable SSO Privileges Introduction U FOUO This command allows the SSO operator to disable access to the SSO privileged HMI commands on a TACLANE Notes U FOUO The following notes apply to the disable SSO privileges function e Only the SSO can access this command Procedure U FOUO Follow these steps to disable SSO privileges Step Action l From the MAIN MENU select Maintenance gt Security Administration gt Disable SSO Privileges Result The following screen is displayed GENERAL DYNAMICS TACLANE Micro Revision 3 3 Device Name TACLANE Micro Serial Number 400030040048 Security Level Unclassified Device State OffLine gt gt Maintenance gt gt Security Administration gt gt Disable 550 Privileges Disable Site Security Officer Privileges Maintenance Disable Site Security Officer privileges Key Management YES Network Security System ZEROIZE HOME 2 Select YES to disable the current SSO privileges 9 60 UNCLASSIFIED FOR OFFICIAL US
59. is Check that the underlying PPKs blackout for periods of experiencing periodic temporary network is operating correctly time failures TACLANE date time between Check that all communicating communicating TACLANEs is TACLANEs have their date time more than 55 minutes apart set within 55 minutes of each other to ensure that no communications blackout periods occur 10 82 UNCLASSIFIED FOR OFFICIAL USE ONLY Interface amp Operator s Guide Appendix A U FACTORY DEFAULT SETTINGS A 1 U Factory Default Settings and Port Numbers TACLANE U FOUO The table below identifies the TACLANE factory default settings Pary for various parameters The operator may change these parameters Settings TACLANE Parameter Factory Default Setting IP MTU 1500 MEDIUM COPPER ETHERNET COMM MODE AUTO NEGOTIATE MTEK UPDATE DISABLE SA HOST ADMINISTRATIVE TIMEOUT ENABLED SA HOST ADMINISTRATIVE VALUE 720 FIXED PACKET MODE ON FRAGMENT FIXED PACKET LENGTH 800 PSEQN CHECK ENABLED DSCP BYPASS DISABLED DF BIT BYPASS DISABLED PMTU BYPASS DISABLED IGMP MLD BYPASS DISABLED DISCRETIONARY ACCESS CONTROL OFF ENABLE SSO PRIVILEGES DISABLE SSO PIN 123456789 IKE and ESP Port Numbers UNCLASSIFIED FOR OFFICIAL USE ONLY U FOUO Below are the port numbers for SDD IKE and ESP The operator may not change these parameters Protocol Port or Protocol ID D
60. port on the TACLANE front panel so that the flat side of the connector is on top and centered on the red dot on the top of the fill port Zs Apply firm pressure to the cable connector then slightly rotate the cable connector clockwise until it stops Note If the cable connector is difficult to attach apply a small amount of silicone lubricant to the rubber O ring inside the cable connector 3 Remove pressure so the cable can set into locked position Result The fill cable is locked onto the fill port Procedure U FOUO Follow these steps to remove the fill cable Step Action l Apply firm pressure to the cable connector then slightly rotate the cable connector counter clockwise until the flat side of the connector is on top 2 Pull to remove the fill cable connector Result The fill cable is released from the fill port 4 3 U Filling the FIREFLY Vector Set Introduction U FOUO The SSO operator can fill TACLANE using a DTD with one operational current or current and next FIREFLY vector set The FIREFLY vector set allows pairwise FIREFLY TEKs to be dynamically set up between an initiator and responder TACLANE Enhanced U FOUO The TACLANE supports both the Enhanced FIREFLY EFF as FIREFLY and well as the Basic FIREFLY Basic FIREFLY Notes U FOUO The following notes apply to filling the FIREFLY vector set e Only the SSO can fill a FIREFLY vector set
61. preceding the shutdown e Security associations reestablish automatically without operator intervention U FOUO The TACLANE Micro Real Time Clock is accurate to better than 27 5 minutes per year under operating environmental conditions TACLANE date and time should be checked for accuracy at least once every six months and adjusted if needed See the chapter on Maintaining TACLANE 3 15 UNCLASSIFIED FOR OFFICIAL USE ONLY Interface amp Operator s Guide UNCLASSIFIED FOR OFFICIAL USE ONLY uTL 027 05 10 July 2007 3 8 U HMI Menu Tree HMI Menu U FOUO Below is the TACLANE Menu Tree for the version 1 3 5 Tree for TACLANE Micro The Main Menu choices are centered and in bold Lower TACLANE l eee Micro level menu items appear left justified below the Main Menu choices with increasing levels of indenture corresponding to lower levels in the Menu Tree Menu items available only in a specific mode or modes are noted by letters in parentheses Key Management Network Security System Restart I O S R Security FIREFLY Vector Set Dynamic Discovery Access Mode Audit Log Threshold E Administration I O S P l O S SSO Security Level Enable SSO Ethernet Comm I O S SSO Privileges L O S P I O S Access Control List R if in sec level I O S es l O S P itiali aa pom f Management Network Managers O S R 1 0 S SSO l O S P l O S P l S l O S SSO l O
62. re negotiate assuming it was configured to auto negotiate when it detects network changes e g link speed duplex clocking e If the negotiation fails because a link partner is set to a constant bandwidth or does not support auto negotiation then the speed is sensed using Parallel Detection Since Parallel Detection does not determine full or half duplex the interface will automatically use half duplex This is the correct behavior according to the standard although it sometimes produces unsatisfactory results since Parallel Detection cannot sense the remote device s duplex setting Parallel detection is only used for 10 100BASE T equipment Other Notes U FOUO The following additional notes apply to configuring the Ethernet physical parameters e The PT and CT physical interface settings are independent For example it s possible to have a Micro configured with its CT interface at 100 F and its PT interface set to Auto Negotiate e A manual interface speed setting should be used if the TACLANE interfaces with network equipment that doesn t support auto negotiation e If the Ethernet Configuration is changed from Fiber and Copper or vice versa in the Off Line or Secure Comms state then there will be a period up to about 5 seconds where all packets will be dropped 5 2 UNCLASSIFIED FOR OFFICIAL USE ONLY Interface amp Operator s Guide UNCLASSIFIED FOR OFFICIAL USE ONLY uTL 027 05 10 July 2007 Pro
63. secure because even if the router routes traffic incorrectly the traffic is discarded and or unintelligible if it reaches the wrong TACLANE Continued on next page B 14 UNCLASSIFIED FOR OFFICIAL USE ONLY Interface amp Operator s Guide UNCLASSIFIED FOR OFFICIAL USE ONLY uTL 027 05 10 July 2007 U Connecting Networks at Different Security Levels continued Supporting Three or More Levels Single Gateway Nested Configuration U FOUO This example configuration works when two different security levels are involved To support interconnection of networks where three or more security levels are involved nested TACLANE configurations as described below need to be added to support the additional security levels U FOUO Note TACLANE nesting has been tested in configurations of up to three pairs deep Due to the encryption overhead imposed by each additional level it is recommended that nesting be kept to a minimum U FOUO In this example there is a Secret IP network and an Unclassified IP network There are Unclassified hosts homed on the Secret network that need to communicate with the Unclassified network and there are Top Secret hosts homed on the Secret network that need to communicate with Top Secret hosts homed on the Unclassified network U FOUO To provide the needed connectivity one TACLANE is configured between the routers within its own IP network TACLANE D There is no need to is
64. sent to destination hosts for reassembly e This receive processing is the same for all TACLANE software versions U FOUO Note Fixed Packet Length processing applies to all ESP IP datagrams including IP multicast datagrams Control messages such as ARP are not affected by FPL processing Continued on next page 7 3 UNCLASSIFIED FOR OFFICIAL USE ONLY Interface amp Operator s Guide UNCLASSIFIED FOR OFFICIAL USE ONLY uTL 027 05 10 July 2007 U Configuring Fixed Packet Length Parameters continued Caveats FPL and MTU U FOUO The following caveats apply to Fixed Packet Length parameters e When using TACLANEs in a nested configuration the fixed packet mode of the inner TLs must not be set to ON DISCARD so that the encrypted traffic from the outer TLs is not discarded Nesting may fail if the mode for an inner TL is set to ON DISCARD To ensure that user data packets are not discarded in a nested configuration either e set the fixed packet lengths for the inner TACLANEs at least 96 bytes two 48 byte increments longer than the fixed packet lengths of the outer TACLANEs or e set the fixed packet mode for the inner TLs to ON FRAGMENT While this does not provide optimal performance it will ensure that packets are not discarded U FOUO When configuring the FPL and MTU parameters it is important to consider their effects on TACLANE processing Improper configurations can cause excessive fragmentation
65. that any firewalls allow and or ESP traffic SDD IKE and ESP traffic See the section on Factory Default Settings and Port Numbers for the port numbers When using PPKs TACLANE Check that all communicating date time between TACLANEs have their date time communicating TACLANEs is set within 55 minutes of each more than 55 minutes apart other to ensure that no communications blackout periods occur when using PPKs Continued on next page 10 80 UNCLASSIFIED FOR OFFICIAL USE ONLY Interface amp Operator s Guide UNCLASSIFIED FOR OFFICIAL USE ONLY U Troubleshooting Security Associations continued uTL 027 05 10 July 2007 Security Association Problems continued Problem Cause Solution Cannot secure IP SAs IP communications fail continued The local and remote TACLANE are at different security levels Check that the local and remote TACLANE are at the same security level When using PPKs the local and remote TACLANE do not have the same PPK filled at the same security level under the same PPK ID Check that the local and remote TACLANE have the same PPK filled at the same security level under the same PPK ID When using FIREFLY TEKs the local or remote FIREFLY vector set is not usable at the current security level Check that the local and remote FIREFLY vector sets are valid at the current security level When using FIREFLY T
66. under warranty that are returned to General Dynamics must be in their original packing material 3 2 U Equipment Checklist System U FOUO The following table lists the TACLANE equipment part numbers Components including separately available equipment Item Qty Description 1 l TACLANE Micro Part number MC 10901 2 2 2 CIKs 1 initialized CIK 1 blank spare and 2 CIK tags shipped separately Part number MC 101A SST16Kb 3 1 FTR CIK Recovery CIK 1 3 6V AA lithium battery inside battery compartment NSN 6135 01 301 8776 5 1 External power supply with power cable Part number MC 103A 6 3 CAT 5 cables one for console one for PT interface and one for CT interface Available separately Part number MC 102A not included with unit 7 2 Duplex Multimode LC connector Fiber pair cables one for PT data interface and one for CT data interface Available separately Part number MC 104A not included with unit 8 1 Operator s Manual for TACLANE Micro included on CD ROM 3 1 UNCLASSIFIED FOR OFFICIAL USE ONLY Interface amp Operator s Guide UNCLASSIFIED FOR OFFICIAL USE ONLY uTL 027 05 Recovery CIK Rack Mount for TACLANE Micro Additional Equipment Required Important CIK Note 10 July 2007 U FOUO A Recovery CIK needed to perform Field Tamper Recovery is included when ordering a TACLANE The Recovery CIK can be used to recover its associated
67. valid CIK is inserted When a valid CIK is inserted the TACLANE Micro resumes the power up sequence returning to the device state in which it was operating immediately before the CIK was removed Auto Recovery U FOUO TACLANE is NSA certified to provide Type 1 encryption and decryption for information classified TOP SECRET codeword and below When a valid CIK is inserted the TACLANE is classified at the highest classification level of the key it contains When the CIK is removed the TACLANE is UNCLASSIFIED but remains a Controlled Cryptographic Item CCT and the CIK is UNCLASSIFIED U FOUO The TACLANE software supports local and remote Field Software Upgrade FSU and local Field Tamper Recovery FTR capabilities FSU allows a Site Security Officer SSO to upgrade the software in a TACLANE Micro from an UNCLASSIFIED encrypted image ona CD FTR enables a SSO to recover a TACLANE Micro from a benign tamper using a classified SECRET Recovery CIK Both features help reduce downtime since units no longer need to be sent to the depot for software upgrades or tamper recoveries Please see the sections on Performing a Field Software Upgrade and Performing a Field Tamper Recovery for more information 2 7 UNCLASSIFIED FOR OFFICIAL USE ONLY Interface amp Operator s Guide UNCLASSIFIED FOR OFFICIAL USE ONLY uTL 027 05 IP Traffic Flow Security Remote Management Supported SNMP MIBs 10 July 2007 U
68. which will have a negative impact on performance U FOUO When FPL processing is enabled the fixed packet length affects the size of packets prior to encryption When necessary fragmentation is performed on plaintext datagrams Since each fragment is encrypted separately no reassembly is performed by the destination TACLANE Each fragment is decrypted and sent to its PT destination host Reassembly of fragments created because of FPL processing is performed by destination hosts U FOUO In contrast the TL MTU determines which packets are fragmented following encryption Since MTU fragmentation is performed on encrypted packets the fragments must be received and reassembled by the destination TACLANE before each packet can be decrypted If the MTU is not set to at least 60 bytes more than the FPL then every packet will be fragmented on the CT side causing severe performance degradation For information on configuring the TL MTU size see Section on Modifying the TACLANE MTU Size Continued on next page 7 4 UNCLASSIFIED FOR OFFICIAL USE ONLY Interface amp Operator s Guide UNCLASSIFIED FOR OFFICIAL USE ONLY uTL 027 05 10 July 2007 U Configuring Fixed Packet Length Parameters continued Procedure U FOUO Follow these steps to configure the Fixed Packet Length parameters Step Action 1 From the MAIN MENU select Security gt Traffic Flow Security gt Fixed Packet Length Result
69. 00 RFC 2597 AF33 011110 RFC 2597 AF41 100010 RFC 2597 AF42 100100 RFC 2597 AF43 100110 RFC 2597 EFPHB 101110 RFC 3246 UNCLASSIFIED FOR OFFICIAL USE ONLY 7 11 Continued on next page Interface amp Operator s Guide UNCLASSIFIED FOR OFFICIAL USE ONLY uTL 027 05 10 July 2007 U Configuring TOS DSCP Bypass continued Procedure U FOUO Follow these steps to configure the TOS bypass parameter Step Action 1 From the MAIN MENU select Security gt Traffic Flow Security gt Bypass Result The following screen is displayed GENERAL DYNAMICS TACLANE Micro Revision 3 3 _ Device Name TACLANE Micro 5 umber A0003004004A8 Security Level Unclassified Device State OffLine gt gt Security gt gt Traffic Flow Security gt gt Bypass 2 Configure Bypass Operation Maintenance J Don t Fragment Bit Bypass Key Management Bit Setting Jo Network J PMTU Bypass j IGMP MLD Bypass J TOS Bypass TOS Constant 00000000 binary Accepted DSCP Values Glick element to enable or disable DSCP value cso csi c52 c53 cs css C56 cs 000001 001001 010001 011001 100001 101001 110001 111001 000010 AF11 AF21 AF31 AF41 101010 110010 111010 000011 001011 010011 011011 100011 101011 110011 111011 000100 AF12 AF22 AF32 AF42 101100 110100 111100 000101 001101 010101 011101 100101 101101 110101 111101 000110 AF13 AF23 AF33 AF43 EFPHB 110110 111110 000111 001111 010111 011111 10
70. 0111 101111 110111 111111 SET ALL CLEAR ALL Save Changes 2 Select the checkbox next to TOS Bypass If the box is checked a checkmark is present in the box then TOS Bypass is enabled If the box is empty no checkmark present in the box then TOS Bypass is disabled 3 If TOS Bypass is disabled enter the 8 bit binary constant in the TOS Constant field 4 If TOS Bypass is enabled Select the accepted DSCP values by clicking on the applicable DSCP boxes within the table Boxes that are highlighted are the acceptable DSCP values SET ALL and CLEAR ALL are provided to simplify operator selection 5 Select YES to save changes 7 12 UNCLASSIFIED FOR OFFICIAL USE ONLY Interface amp Operator s Guide UNCLASSIFIED FOR OFFICIAL USE ONLY uTL 027 05 10 July 2007 7 6 U Configuring Don t Fragment DF Bit Bypass Introduction Notes DF Bit Bypass Parameter and Processing U FOUO When the TACLANE processes a packet on the PT side it must determine whether to send the packet fragment the packet or discard the packet If the packet is sent or forwarded it must determine what to set for the DF bit for the CT IP header The DF Bit bypass parameter can be configured by the TACLANE SSO operator to be Disabled always sets the DF bit in the CT IP header to the Bit Setting parameter value Enabled bypasses or copies the incoming DF bit value to the CT IP header DF bit
71. 13 UNCLASSIFIED FOR OFFICIAL USE ONLY Interface amp Operator s Guide Automatic Scrolling UNCLASSIFIED FOR OFFICIAL USE ONLY uTL 027 05 10 July 2007 U FOUO In some cases the amount of information displayed extends beyond the bottom of the Information Content Area In those cases the operator may use the elevator on the right hand of the browser window to scroll down to see the remainder of the screen Side to side scrolling is never required to view the TACLANE Micro screen when using a display with VGA 640 x 480 resolution or greater Screen Area Description Screen Updates U FOUO The time variable information displayed in the Header Area of the TACLANE Micro HMI screens is updated periodically through a polling process under the control of the web browser application This ensures that the displayed Device Security Level and Device State are current U FOUO The fields in the fourth area of the Information Content Area containing TACLANE Micro configuration status or log data are not updated dynamically Information is displayed as of the time a function is selected i e the date time screen does not change dynamically These data fields can be updated by selecting the RELOAD button icon or selecting the screen from the menu U FOUO In the event another operator changes configuration data for a particular TACLANE Micro between the time when the first operator last updated the scr
72. 2 About the TACLANE 2 1 3 Installing and Operating the TACLANE 3 1 4 Filling and Managing Keys 4 1 5 Configuring IP Ethernet 5 1 6 Configuring Managing Security Associations 6 1 7 Configuring IP Traffic Flow Security Parameters 7 1 8 Configuring Access Control and the Network Manager 8 1 9 Maintaining TACLANE 9 1 10 Troubleshooting TACLANE 10 1 Appendix A Factory Default Settings A 1 Appendix B IP Ethernet Configuration Tips B 1 Appendix C Status Messages C 1 1 1 UNCLASSIFIED FOR OFFICIAL USE ONLY Interface amp Operator s Guide UNCLASSIFIED FOR OFFICIAL USE ONLY uTL 027 05 10 July 2007 Terminology U FOUO Throughout this manual the term operator describes Operator vs individuals who control the TACLANE The term user describes ee individuals who control equipment on the PT side of the TACLANE that is protected by the TACLANE Screen U FOUO Screen snapshots for displaying information are shown in the Snapshots SSO disabled mode If the operator is SSO enabled the screen will be slightly different 1 2 U Reference Documents Related U FOUO Additional information about TACLANE can be found in the TACLANE following documents Documents Document Title Rev ADRL Date Classif Number or CDRL U C S TACLANE Micro U Interface Control Document uTL 016 02 Key Management Plan for PMO03 1 18 07 S TACLANE Micro uTL 031 01 Se
73. 2007 USEVD 00000000201 111111 TACLANE Micro Revision 3 3 Serial Number A0003004004A8 Device State OffLine Edition Segment 4 0 USEVD 00000000201 111111 C C 03 01 2007 c USEVD 00000000201 111111 B 04 01 2007 G C 05 01 2007 USEVD 00000000201 111111 D 0 oj o Delete selected and subsequent PPKs in the chain Fill PPK at end of chain FILL return to the previous screen 4 Select the radio button next to the PPK and DELETE to delete a PPK and all PPKs that follow it in the chain or select RETURN TO CHAINS to 4 19 UNCLASSIFIED FOR OFFICIAL USE ONLY Interface amp Operator s Guide UNCLASSIFIED FOR OFFICIAL USE ONLY uTL 027 05 10 July 2007 4 9 U Selecting a Security Level Introduction Notes Procedure U FOUO The SSO operator must select a security level for the TACLANE to fully operate Certain menu choices such as selecting secure communications mode are only available when a security level is selected U FOUO The following notes apply to selecting a security level e Only the SSO can access this command e The FIREFLY vector set may only be used to generate FIREFLY TEKs if the selected security level matches one of the classification levels supported by the FIREFLY vector set e PPKs may only be used at the security level matching the PPK classification U FOUO Follow these steps to select a securi
74. 5 U Displaying the FIREFLY Vector Set Information 00 ccecceesceeeeeereeeees 4 8 4 6 U Filling a PrePlaced Key scan iiee asc ct ants tty ines Selena ia coe ea a aby 4 9 4 7 U Displaying PrePlaced Key Information 0 ccccccccceceseceeeceeeeeesseeeteeeeeeeees 4 16 4 8 UW Deleting a PrePlaced Key vies fisslestssestiasseeditessatdodeasiavdetiaeveniadshaievtietiaadataedad 4 17 4 9 U Selecting a Security Level tscosycccconeelaen gee i vchioshiiaedamen eee tyces 4 20 4 10 U Exiting a Security evel 4 5 2isccoss ccs ematce ctrgeateanaatantouneslaatsaendeemscuaateahaeenaaes 4 21 5 0 U CONFIGURING IP ETHERNET csscsscssssscssssccsssscssessecsessecsersesees 5 1 5 1 U Configuring the Ethernet Media and Physical Parameters c ceeeeeee 5 1 5 2 U Entering Modifying the TACLANE IP Addresses cccesesseeseeereeeeeeeees 5 4 5 3 U Modifying the TACLANE MTU SiZe ccccecccsecsseeseeseeeseceseeseeeseeseesseeesees 5 6 5 4 LD PING Configuratio insis nceann anra ira a aA 5 8 6 0 U CONFIGURING MANAGING SECURITY ASSOCIATIONG 6 1 iv UNCLASSIFIED FOR OFFICIAL USE ONLY Interface amp Operator s Guide UNCLASSIFIED FOR OFFICIAL USE ONLY uTL 027 05 10 July 2007 6 1 U Enable Disable Secure Dynamic Discovery ccccccceeseeeeeeteeesseeeteceteeeeees 6 1 6 2 U Assigning a PPK to an IP Address os cec2 cstelachataceeessatdsatetousecssaadeatalacmvuetin 6 2 6 3 U En
75. ALL CLEAR ALL Save Changes 2 Select the checkbox next to PMTU Bypass If the box is checked a checkmark is present in the box then PMTU Bypass is enabled If the box is empty no checkmark present in the box then PMTU Bypass is disabled 3 Select YES to save changes 7 16 UNCLASSIFIED FOR OFFICIAL USE ONLY Interface amp Operator s Guide UNCLASSIFIED FOR OFFICIAL USE ONLY uTL 027 05 10 July 2007 7 8 U Configuring IGMP MLD Bypass Introduction Notes U FOUO The Internet Group Management Protocol IGMP Multicast Listener Discovery MLD is the protocol used by IPv4 systems to report their IP multicast group memberships to neighboring multicast routers IGMP messages provide IP multicast message delivery to host group IP addresses 224 0 0 0 to 239 255 255 255 U FOUO The TACLANE s IGMP MLD Bypass parameter configurable as Enabled or Disabled determines whether the TACLANE will regenerate IGMP traffic for user multicast traffic U FOUO The following notes apply to configuring the IGMP MLD bypass parameter e Only the SSO has the privilege to configure the IGMP bypass parameter e An audit log entry is generated when the IGMP bypass parameter is modified 7 17 UNCLASSIFIED FOR OFFICIAL USE ONLY Interface amp Operator s Guide UNCLASSIFIED FOR OFFICIAL USE ONLY uTL 027 05 IGMP Bypass Parameter and Processing 10 July 2007 U FOUO When the IGMP MLD Bypass i
76. AMPERED status LED is illuminated GENERAL DYNAMICS TACLANE Micro Revision 3 3 TAMPER DETECTED Field and Depot Tamper Recovery are available Select Tamper Recovery type FIELD TAMPER RECOVERY DEPOT TAMPER RECOVERY U FOUO Note All keys are automatically deleted when a tamper condition is detected Depot Tamper Recovery is a factory level option and not discussed in this manual U FOUO A tampered unit can be recovered in the field See Section 10 3 Performing a Field Tamper Recovery for more information 10 69 UNCLASSIFIED FOR OFFICIAL USE ONLY Interface amp Operator s Guide UNCLASSIFIED FOR OFFICIAL USE ONLY uTL 027 05 10 July 2007 10 3 U Performing a Field Tamper Recovery Introduction Important Note New CIK Field Tamper Recovery CIK Battery Replacement U FOUO The operator can perform a Field Tamper Recovery FTR using a Recovery CIK to recover a TACLANE that has become tampered FTR can also be used 1 to create CIK1 if there are no valid CIKs 2 to reset the SSO PIN and 3 may help recover a TACLANE from a continuous alarm state In cases where the unit is not already tampered first tamper the unit by removing the battery with the power off Then follow the Field Tamper Recovery procedure below U FOUO Before performing a Field Tamper Recovery the TACLANE operator must determine if the tamper was benign e g depleted battery The unit must be visu
77. Area U FOUO The Information Content Area is divided into four functional areas as applicable to the active screen each running the width of the screen e Across the top is displayed the path through the menu tree used to access the currently displayed screen This path is referred to as the breadcrumb e The Screen Title a RELOAD button icon and a HELP button icon are displayed in the second area The Screen Title identifies the current screen The RELOAD button icon when selected causes the data fields on the screen to be refreshed reloaded with the data held by the TACLANE Micro This is helpful when some of the displayed data items have been edited but not saved and the operator wishes to return to the saved values The HELP button icon launches another instance of the web browser application which displays the portion of the Help file relevant to the current screen e The third functional area displays a status message relating to the current screen or TACLANE Micro response to a previously issued command The fourth area depending on the particular screen displayed contains fields for displaying TACLANE Micro configuration status or log data or entering TACLANE Micro configuration data In addition depending on the particular screen button icons are also displayed to navigate to related screens cancel the present screen or initiate the command or enter the configuration data changes made on the displayed screen 2
78. CLANE Micro Revision 3 3 e TACLANE Micro Serial Number A0003004004A8 el Unclassified Device State OffLine gt gt Key Management gt gt FIREFLY Vector Set Manage FIREFLY Vector Set Operation 8 FIREFLY Vector Set fill in progress Maintenance z 7 Connect fill device to fill port and initiate fill device operation or press ABORT to cancel fill Key Management NOTE The Abort operation can only be performed until the load is initiated at the DTD HOME Note If the fill is not completed within 5 minutes the fill operation is aborted Note ABORT cancels a fill operation in progress if the abort is issued before the DTD indicates start of fill Otherwise the ABORT is ignored 4 5 UNCLASSIFIED FOR OFFICIAL USE ONLY Interface amp Operator s Guide UNCLASSIFIED FOR OFFICIAL USE ONLY uTL 027 05 10 July 2007 Procedure continued Step Action 3 Using a fill cable connect a DTD to the TACLANE fill port 4 Configure the DTD to transmit the operational FIREFLY vector set Note The DTD must be configured to fill the FIREFLY vector set rather than issue it Transmit the operational FIREFLY vector set from the DTD Result The following screen appears if the fill operation was successful GENERAL DYNAMICS TACLANE Micro Revision 3 3 Device Name TACLANE Micro Serial Number A00030040048 Security Level Unclassified Device State OffLine g
79. CLANE is recovered from tamper 2 Power off the tampered TACLANE 3 If a CIK is inserted remove the CIK 4 Turn on the TACLANE Result The following screen is displayed GENERAL DYNAMICS TACLANE Micro Revision 3 3 TAMPER DETECTED Field and Depot Tamper Recovery are available Select Tamper Recovery type FIELD TAMPER RECOVERY DEPOT TAMPER RECOVERY Note Ifthe HMI displays only the DTR button then the Recovery CIK has been used five times Once the Recovery CIK has been used five times the TACLANE must be returned to the depot 5 Select the FTR button on the HMI display Result The following screen is displayed GENERAL DYNAMICS TACLANE Micro Revision 3 3 Field Tamper Recovery FTR started Insert valid Recovery CIK to continue Continued on next page 10 71 UNCLASSIFIED FOR OFFICIAL USE ONLY Interface amp Operator s Guide UNCLASSIFIED FOR OFFICIAL USE ONLY uTL 027 05 10 July 2007 U Performing a Field Tamper Recovery continued Procedure continued 6 Insert the Recovery CIK Result The following screen is displayed GENERAL DYNAMICS TACLANE Micro Revision 3 3 Field Tamper Recovery 9 Recovery CIK updated Remove Recovery CIK to continue Note Ifthe HMI displays Not Recovery CIK and restarts then an invalid CIK is inserted Remove the invalid CIK and start from the beginning of this procedure 7 Remove the Recovery CI
80. COMSEC count s to order and receive FIREFLY vector sets SDNS communications key via EKMS and indicate e Order is for TACLANE device e Open or closed partition e Key Type of operational e Key Application of test or operational e Classifications Obtaining U FOUO Obtaining PPKs EPES e Coordinate with Controlling Authority for Short Title e Coordinate with COMSEC Account s to order and receive traditional keys via EKMS and indicate e Order is for TACLANE FASTLANE type traditional keys e Classification of traditional keys cryptonet e Whether traditional keys are test or operational e Number of editions crypto period is one month e In place and implementation date e Regular re supply or as needed e Short Title if reordering 4 2 U Attaching a Fill Cable Introduction U FOUO A DTD connected using a fill cable is used to fill the TACLANE with a FIREFLY vector set and or PPKs See the DTD User s Manual for more information on DTD operation Note U FOUO The fill cable is only needed when filling a key The same procedure applies whether attaching the fill cable to the TACLANE or the DTD the cable connectors at each end are the same 4 2 UNCLASSIFIED FOR OFFICIAL USE ONLY Interface amp Operator s Guide UNCLASSIFIED FOR OFFICIAL USE ONLY uTL 027 05 10 July 2007 Procedure U FOUO Follow these steps to attach the fill cable Step Action l Line up the fill cable connector with the fill
81. Current FFYS Expires On 12 31 2005 Next FFYS Expires On Note The current FFVS is displayed Note Specific values depend on the particular FIREFLY vector set 4 8 UNCLASSIFIED FOR OFFICIAL USE ONLY Interface amp Operator s Guide UNCLASSIFIED FOR OFFICIAL USE ONLY uTL 027 05 10 July 2007 4 6 U Filling a PrePlaced Key Introduction Notes PPK Format Supported U FOUO The SSO operator can fill a TACLANE using a DTD with up to 16 active PPKs or PPK Chains PPKs are used to create security associations between an initiator and responder TACLANE U FOUO The following notes apply to filling PPKs e Only the SSO can fill a PPK e A total of 16 PPK chains may be filled ina TACLANE A PPK chain consists of the one active PPK and up to 11 changeover PPKs During normal operation each PPK has a 1 month crypto period the 11 changeover PPKs allow an operator to only have to fill the PPKs once per year e Each PPK chain is assigned to a PPK ID or slot number The PPK IDs slot numbers range from 1 16 and are available at any security level All 16 PPK chains may be filled at one security level or several PPK chains may be filled at different security levels up to a total of 16 PPK chains As an example one PPK chain may be filled under PPK ID 01 at the UNCLASSIFIED level and another PPK chain may be filled under PPK ID 02 at the SECRET level There are two uses of PPKs User PPKs and
82. D 00000000201 111111 WON DO nf wl N 16 MANAGE ASSIGNMENTS 6 8 UNCLASSIFIED FOR OFFICIAL USE ONLY Interface amp Operator s Guide UNCLASSIFIED FOR OFFICIAL USE ONLY uTL 027 05 10 July 2007 2 Select the radio button next to the desired PPK Chain Id Select MANAGE ASSIGNMENTS If the PrePlaced Key type is User the following screen is displayed GENERAL DYNAMICS TACLANE Micro Revision 3 3 Device Name TACLANE Micro gt ber A000300400A8 Security Level Unclassified vi te Secure Comm gt gt Security gt gt PPK Assignment 2T ss PrePlaced Key User Assignment Operation Maintenance PrePlaced Key Chain Info Chain Id 2 Key Management Security Level Secret 02 12 2007 RETURN TO CHAINS Network Effective Date Security System HOME lt lt Prey Next gt gt Remote INE CT Address 148 10 10 1 Remote INE PT Address 152 20 20 2 lt lt Prey Next gt gt 3 Select the radio button next to the desired Remote INE Address es or the Remote INE Multicast Address Select DELETE to delete the PrePlaced Key assignment 4 If the PrePlaced Key use is SDD the following screen is displayed GENERAL DYNAMICS TACLANE Micro Revision 3 3 Device Name TACLANE Micro Ser r A000300400A48 Security Level Unclassified Device State Secure Comm gt gt Security gt gt PPK Assignment
83. Ds These KMIDs are associated with remote FIREFLY vector sets Procedure U FOUO Follow these steps to delete an ACL entry Step Action 1 From the MAIN MENU select Security gt Access Control List Result The following screen is displayed GENERAL DYNAMICS TACLANE Micro Revision 3 3 ACLANE Micro Serial Number A000300400A8 vel Unclassified Device State Secure Comm gt gt Security gt gt Access Control List oes Access Control List Operation gt Sy Access Mode DISABLED seem Total KMIDs 5 lt lt Prey Next gt gt Maintenance nagement Firefly Yector Set KMIDs 000000000001000 s 000000000002000 9 ooo000000003000 Cc 000000000004000 9 000000000005000 lt lt Prev Next gt gt 2 Select the radio button next to the ACL entry to be deleted 3 Select DELETE to delete the ACL entry 8 24 UNCLASSIFIED FOR OFFICIAL USE ONLY Interface amp Operator s Guide UNCLASSIFIED FOR OFFICIAL USE ONLY uTL 027 05 10 July 2007 8 4 U Display an ACL Entry Introduction U FOUO The operator can display Access Control List ACL entries The ACL consists of a list of up to 256 KMIDs see previous section for how to create these ACL entries The KMIDs are associated with remote FIREFLY vector sets Notes U FOUO Displaying the ACL information is not limited to the SSO The ACL information may be displa
84. E Micro HMI by the local operator U FOUO It is recommended that the controlling PC s Ethernet address should be on the 172 16 network to enable communication with the TACLANE Micro 172 16 0 1 console interface U FOUO The HMI console Ethernet is designed for full duplex operation where the console is directly connected to the TACLANE Micro Note Use of a Hub on the console interface may result in receive buffer lockups caused by Ethernet errors Recovery requires TACLANE Micro to be restarted U FOUO The operator interface flows were sustained to enable existing TACLANE GigE Mini Classic E100 operators to use TACLANE Micro without retraining The larger screen area of the VGA display allows the presentation of descriptive command names status messages and data labels in addition to on screen help This improved display provides an intuitive HMI for new operators 2 10 UNCLASSIFIED FOR OFFICIAL USE ONLY Interface amp Operator s Guide UNCLASSIFIED FOR OFFICIAL USE ONLY uTL 027 05 Web Browser Based HMI Terminal Requirements Enhanced HMI Display 10 July 2007 U FOUO The TACLANE Micro console interface is Unclassified It is trusted to prohibit exposure of classified information to a connected PC Therefore a PC is not required to be dedicated to this activity unless local policy requires However the PC should not be connected to a network while connected to the TACLANE to ensure adequate security R
85. E ONLY Interface amp Operator s Guide UNCLASSIFIED FOR OFFICIAL USE ONLY uTL 027 05 10 July 2007 9 18 U Generate SSO PIN Introduction SSO PIN Expiration Factory Default SSO PIN U FOUO This command allows the SSO operator to generate update the 9 digit SSO PIN fora TACLANE The SSO PIN is a 9 digit machine generated PIN When generating a PIN the PIN is displayed and it must be acknowledged by the operator before it overwrites the previous SSO PIN U FOUO It is critical that the operator saves the SSO PIN Forgetting the SSO PIN will require that the TACLANE unit undergo a Field Tamper Recovery in order to access the privileged commands U FOUO The SSO PIN is valid for 180 days U FOUO If an SSO PIN has been entered via Enable SSO Privileges and the screen indicates that it is an expired SSO PIN then the operator is not allowed access to the SSO privileged commands without first generating a new SSO PIN U FOUO It is possible to update the SSO PIN prior to the SSO PIN expiration U FOUO The TACLANE Micro delivered from the factory has the following default SSO PIN 123456789 U FOUO If over 180 days have passed since the TACLANE unit has left the factory then the PIN Expired screen will appear after the operator first enters the Enable SSO Privileges command with the expired factory default PIN In this case the PIN Expired screen will include a new SSO PIN that the operator
86. EFLY vector sets and PPKs Operation of the SKL is similar to the DTD This manual describes key fill operation using a DTD Refer to the SKL manual for specific directions for the SKL operation U FOUO Obtaining DTDs through military supply e Only available to DoD e National Stock Number NSN 5810 01 393 1973 U FOUO Obtaining SKLs through military supply e Only available to DoD e National Stock Number NSN 7010 01 517 3587 Note U S Army personnel must order the AN CYZ 10 V3 and AN PVQ 10 C through the Army Item Manager only Call DSN 879 8176 or commercial 520 538 8176 for additional information U FOUO Obtaining DTDs through CUP e Available to DoD civil agencies and foreign allies e POC Rose Bechtold or Susan Carter NSA e POC Phone Number 410 854 6154 U FOUO Obtaining DTD from Sypris Electronics LLC formerly GroupTech Tampa FL e Available to all including contractors e POC Melissa Pruss e POC Phone Number 813 972 6234 U FOUO Obtaining SKL from Sierra Nevada Corporation e Available to all including contractors e POC Nicholas Balestrino e POC Phone Number 732 427 4469 4 1 UNCLASSIFIED FOR OFFICIAL USE ONLY Interface amp Operator s Guide UNCLASSIFIED FOR OFFICIAL USE ONLY uTL 027 05 10 July 2007 ee U FOUO Obtaining FIREFLY vector sets Vector Sets e Coordinate with Controlling Authority for closed partitions if needed e Coordinate with
87. EKs the local or remote FIREFLY vector set is expired Check that the local and remote FIREFLY vector sets are not expired When using FIREFLY TEKs the local and remote FIREFLY vector sets are identical Check that the local and remote FIREFLY vector sets are unique Each FIREFLY vector set has a unique KMID When using FIREFLY TEKs the local and remote FIREFLY vector sets are in different partitions or universal editions Check that the local and remote FIREFLY vector sets are in the same partition and universal edition PPKs have been expired and automatically deleted Automatically deleted PPKs cannot be recovered and must be refilled Check the entered date time carefully before confirming to ensure the entered date time is accurate Access Control Mode is ENABLED at either both the local remote TACLANE and the KMID associated with the local remote FIREFLY vector set is not in the local remote ACL When using Access Control Mode check that all desired communicating remote TACLANEs have their respective KMIDs entered in the local ACL 10 81 Continued on next page UNCLASSIFIED FOR OFFICIAL USE ONLY Interface amp Operator s Guide UNCLASSIFIED FOR OFFICIAL USE ONLY uTL 027 05 10 July 2007 U Troubleshooting Security Associations continued Security Association Problems continued Problem Cause Solution Security Associations using The underlying network
88. FICIAL USE ONLY Interface amp Operator s Guide UNCLASSIFIED FOR OFFICIAL USE ONLY uTL 027 05 10 July 2007 Procedure U FOUO Follow these steps to configure FSU download servers Step Action 1 From the MAIN MENU select Maintenance gt Field Software Upgrade gt Servers Result The following screen is displayed GENERAL DYNAMICS T ASE enES Miers Revision 3 3 Device Name TACLANE Micro Serial Number 400030040048 Security Level None Selected Device State Initialized gt gt Maintenance gt gt Field Software Upgrade gt gt Servers J 550 Enabled Manage Download Servers Operation Maintenance Glick up or down arrow fo move selected server Key Management Priority IP Address Side Filename Network Security System Es foo 2 Select the radio button next to the desired download server Select MODIFY to configure the FSU download server Result The following screen is displayed GENERAL DYNAMICS TACLANE Micro Revision 3 3 Devi e TACLANE Micro 5 er A000300400A8 Security Level None Selected Je ate Initialized gt gt Maintenance gt gt Field Software Upgrade gt gt Servers 21550 Enabled Modify Download Server RELOAD Operation gt Pe Priority 1 Network Ma Side CPT CCT C Console Securit gt Bosley Filename System gt Save Changes 3 Enter the IP Address of the download server the side with which the download server interface
89. FIED FOR OFFICIAL USE ONLY uTL 027 05 10 July 2007 UNCLASSIFIED FOUO 10 100 10 100 Xx E TX CIPHER TEXT TEEM O o IN OUT og REMOTE ZEROIZE INPUTS 6 7 GND 1 UNCLASSIFIED FOUO Figure 3 5 1 U TACLANE Micro KG 175D Rear Panel Warning U FOUO A grounding stud is provided for additional grounding of the chassis e A short low RF impedance ground strap is recommended when using the ground stud for chassis grounding Grounding is required to ensure TEMPEST and EMI compliance Attaching the U FOUO The ground lug should have a 138 in minimum ID to fit on the Ground Strap 46 ground binding post Example MS25036 102 for 18 AWG ground wire U FOUO Follow these steps to install the TACLANE ground wire Step Action 1 Attach a ground wire to an earth ground 2 Loosen or remove the nut from the GND ground binding post on the TACLANE as needed 3 Attach the ground wire to the GND ground binding post on the TACLANE and tighten the nut 3 7 UNCLASSIFIED FOR OFFICIAL USE ONLY Interface amp Operator s Guide UNCLASSIFIED FOR OFFICIAL USE ONLY uTL 027 05 Attaching the Power Supply Cable Attaching Fiber Cables Attaching a Twisted Pair Copper Ethernet Cable Ethernet Cable Installation for TEMPEST E MI Compliance 10 July 2007 U FOUO Follow these steps to install the TACLANE power cable Step Action 1 Make sure t
90. FOUO The TACLANE supports a Path Maximum Transfer Unit PMTU discovery function that if enabled can help to avoid fragmentation over the CT network The TACLANE s Path Maximum Transfer Unit PMTU Bypass parameter can be configured by the SSO to be either Enabled or Disabled U FOUO If the TACLANE s PMTU Bypass parameter is set to Enabled when the TACLANE receives an ICMP Destination Unreachable message indicating fragmentation is needed on its CT interface the TACLANE will update its PMTU U FOUO If the TACLANE s PMTU Bypass parameter is set to Disabled when the TACLANE receives an ICMP Destination Unreachable message indicating fragmentation is needed on its CT interface the TACLANE will discard the message U FOUO The PMTU bypass parameter can only be configured by the SSO U FOUO The following notes apply to configuring the PMTU Bypass parameter e Only the SSO has the privilege to configure the PMTU bypass parameter e An audit log entry is generated when the PMTU bypass parameter is modified U FOUO If the PMTU Bypass is Enabled when the TACLANE receives an ICMP Destination Unreachable message indicating fragmentation is needed on its CT interface the TACLANE will update its PMTU U FOUO If the PMTU Bypass is Disabled when the TACLANE receives an ICMP Destination Unreachable message indicating fragmentation is needed on its CT interface the TACLANE will discard the message U FOUO
91. FOUO The TOS bypass parameter can be configured as either Enabled or Disabled The default setting for this parameter is Disabled U FOUO When TOS bypass is set to Enabled the TOS value from each PT IP header is compared against the operator defined Accepted DSCP Values If the DSCP value is one of the accepted DSCP values then it is copied to the CT IP header If the DSCP value is not one of the accepted values then the TOS constant value is used Note that the bypass is from PT to CT but not in the opposite direction U FOUO When TOS bypass is set to Disabled all eight bits of the TOS field in each CT IP header are set to the TOS Constant value U FOUO The default setting for this parameter is Disabled Continued on next page 7 10 UNCLASSIFIED FOR OFFICIAL USE ONLY Interface amp Operator s Guide Table of Standard DSCP Values UNCLASSIFIED FOR OFFICIAL USE ONLY uTL 027 05 10 July 2007 U Configuring TOS DSCP Bypass continued U FOUO The following table lists the 21 standard DSCP values Name DSCP Value Reference CSO 000000 RFC 2474 CS1 001000 RFC 2474 CS2 010000 RFC 2474 CS3 011000 RFC 2474 CS4 100000 RFC 2474 CS5 101000 RFC 2474 CS6 110000 RFC 2474 CS7 111000 RFC 2474 AFI1 001010 RFC 2597 AF12 001100 RFC 2597 AF13 001110 RFC 2597 AF21 010010 RFC 2597 AF22 010100 RFC 2597 AF23 010110 RFC 2597 AF31 011010 RFC 2597 AF32 0111
92. GRE tunnels The red routers will detect that a GRE tunnel is down when they cease to receive routing protocol keep alives from the red router at the other enclave through the tunnel The failure unavailability of a TACLANE at one enclave will disable two GRE tunnel paths and cause each red router to route all the packets for the private host subnet of the other enclave through the two remaining GRE tunnels The overlapping failure unavailability of a TACLANE at the opposite enclave will disable a third GRE tunnel path and cause each red router to route all the packets for the private host subnet of the other enclave through the one remaining GRE tunnel The BGP 4 router configurations shown will failover in 15 seconds U FOUO In the figure the PT interface of each TACLANE connects to a different interface of the red router at each enclave The PT interfaces of the two TACLANEs could connect to a single red router interface at an enclave if a total of four IP addresses one primary plus three secondary were assigned to the router interface This would reduce the number of static routes required at the other red router from four to two B 30 UNCLASSIFIED FOR OFFICIAL USE ONLY Interface amp Operator s Guide UNCLASSIFIED FOR OFFICIAL USE ONLY uTL 027 05 Analysis 10 July 2007 U FOUO The four GRE tunnel configuration is more robust that a two GRE tunnel configuration With only two tunnels the probability is 0 5 that the overla
93. Host aan T A2 and Host B1 represent the protected PT IP network TACLANE A fronts continued Host A1 Router A and Host A2 TACLANE B fronts Host B1 U FOUO The TACLANEs secure IP datagram traffic traveling between them B 2 UNCLASSIFIED FOR OFFICIAL USE ONLY Interface amp Operator s Guide UNCLASSIFIED FOR OFFICIAL USE ONLY uTL 027 05 10 July 2007 B 3 U General IP Ethernet Configuration Tips Introduction Single CT Default Gateway Single PT Default Gateway Optimum PT IP MTU Size U FOUO Listed below are some general TACLANE IP configuration tips U FOUO Any outgoing CT IP datagrams that have a destination IP address that is off the local IP network subnetwork are statically routed to the CT default gateway if configured U FOUO If the optional CT default gateway is not configured the TACLANE ARPs for all destination IP addresses for outgoing CT IP datagram traffic With this configuration ARP enhancements allow multiple CT gateways assuming proxy ARP support on all CT gateways U FOUO Any outgoing PT IP datagrams that have a destination IP address that is off of the local IP network subnetwork are statically routed to the PT default gateway if configured U FOUO If the optional PT default gateway is not configured the TACLANE ARPs for all destination IP addresses for outgoing PT IP datagram traffic With this configuration ARP enhancements allow multiple PT gateways
94. IAL USE ONLY Interface amp Operator s Guide UNCLASSIFIED FOR OFFICIAL USE ONLY uTL 027 05 How it Works IP Tunnel Configuration How it Works 10 July 2007 UNCLASSIFIED FOUO PPK TL B Host B1 CT PT PPK TL C Host C1 TACLANE Router A A PPK TLA Host Al CT PT PPK TL C Host C1 TACLANE B PPK TL A Host A1 CT PT PPK TL B Host B1 TACLANE C UNCLASSIFIED FOUO Figure B 7 4 U Manual PPK Configuration U FOUO This lets the source TACLANE know the IP address of the destination TACLANE ahead of time so it does not have to rely on the CT Default Gateway or automated peer TACLANE discovery messages to find the correct destination TACLANE U FOUO Another option is to configure Router A Router B and Router C to use IP tunnels to encapsulate IP datagram traffic traveling between them See IP Routing Workarounds for a description U FOUO To the TACLANEs this option makes all IP datagram traffic appear to be destined for on net destinations the routers B 21 UNCLASSIFIED FOR OFFICIAL USE ONLY Interface amp Operator s Guide UNCLASSIFIED FOR OFFICIAL USE ONLY uTL 027 05 10 July 2007 B 8 U Redundancy Configurations Introduction U FOUO Several user communities require TACLANE redundancy Usually the requirement is for failover redundancy at a single high value TACLANE protected enclave e g WAN gateway or server farm but redundancy can be implemented at an
95. ICIAL USE ONLY uTL 027 05 10 July 2007 8 0 U CONFIGURING ACCESS CONTROL AND THE NETWORK MANAGER 8 1 U Enable Disable Access Mode Introduction Notes Procedure U FOUO TACLANE access mode can be enabled or disabled by the SSO operator The access mode check only applies to security associations using FIREFLY TEKs U FOUO When disabled all security associations using FIREFLY TEKs that pass mandatory access control checks are allowed U FOUO When enabled this additional access mode check is performed Only security associations using FIREFLY TEKs created using remote FIREFLY vector sets with KMIDs on the Access Control List ACL are allowed See Creating an ACL Entry U FOUO The following notes apply to enable or disable access mode e Only the SSO has the privilege to configure the access mode e Access mode is disabled by default U FOUO Follow these steps to enable or disable access mode Step Action l From the MAIN MENU select Security gt Access Mode Result The following screen is displayed GENERAL DYNAMICS O Revision 3 3 Device Name TACLANE Micro Security Level Unclassified gt gt Security gt gt Access Mode 2 Access Mode Opera Serial Number 400030040048 Device State OffLine Maintenance gt I Access Control List Enabled eoe Save Changes Network m Security System 8 21 UNCLASSIFIED FOR OFFICIA
96. In addition CT side management traffic is encrypted between the TACLANE fronting the Remote Management Workstation and the managed TACLANE U FOUO Information on configuring TACLANE for remote management is in the section titled Configuring the Network Manager Please refer to the appropriate GEM X Operator s Manual for more information on configuring the HAIPE device fronting the GEM X and for more information on the GEM X Remote Management software 2 9 UNCLASSIFIED FOR OFFICIAL USE ONLY Interface amp Operator s Guide UNCLASSIFIED FOR OFFICIAL USE ONLY uTL 027 05 10 July 2007 2 4 U Web based Human Machine Interface HMI Web Browser Based HMI U FOUO The Human Machine Interface HMI in the TACLANE Micro provides the local operator a web browser based replacement to the simple menu interface common to previous TACLANE models This new HMI requires a PC running a web browser application be connected to the TACLANE Micro via the Console port on the front panel of the TACLANE Micro The HMI is designed for Microsoft Corp s Internet Explorer version 5 5 or later running with Windows 95 98 Me 2000 or XP operating system although other browsers running under other operating systems may provide satisfactory performance U FOUO The IPv4 address for the TACLANE Micro Console HMI interface port is 172 16 0 1 This address is entered in the address window of the web browser to allow access to the TACLAN
97. K GENERAL DYNAMICS TACLANE Micro Revision 3 3 Field Tamper Recovery Creating initial CIK Insert blank CIK KSD to continue 8 Insert CIK This can be a CIK that was used for the TL before this FTR operation The CIK inserted at this point will become CIK1 for this TACLANE Do not use a CIK that is associated with another TACLANE as that will make the CIK invalid for that other TACLANE If the HMI displays Error Creating CIK Tamper Recovery Failed and the TACLANE restarts the CIK is damaged Remove the CIK and attempt the FTR with a different KSD 9 The Recovery CIK tag contains five numbered lines for recording tamper recoveries At this time initial and date the first available line indicating that a Field Tamper Recovery has been performed Continued on next page 10 72 UNCLASSIFIED FOR OFFICIAL USE ONLY Interface amp Operator s Guide UNCLASSIFIED FOR OFFICIAL USE ONLY uTL 027 05 10 July 2007 U Performing a Field Tamper Recovery continued Procedure continued Step Action 10 The TACLANE indicates that Field Tamper Recovery is complete Result The following screen is displayed GENERAL DYNAMICS TACLANE Micro Revision 3 3 Field Tamper Recovery 9 Tamper Recovery complete Press RESTART to restart RESTART 11 Select RESTART to continue The TACLANE will restart and return to the INITIAL state 12 Set the date and time See Section 9 1
98. K should be tagged and kept in a safe place The second user CIK should then be used instead of the original user CIK for normal TACLANE operation U FOUO The CIK snaps into place when inserted It is recommended that the CIK not have additional weight such as a key ring connected to it when installed in the TACLANE U FOUO The following notes apply to creating a CIK e Only the SSO has the privilege to create a CIK e Up to two additional CIKs may be created three total e CIKs already associated with this TACLANE Micro will be detected so that they will not be destroyed Warning CIKs associated with other TACLANE Micros will be overwritten if used to create a CIK e The operator has five minutes to complete the CIK creation If the CIK creation is not completed within five minutes the TACLANE resets automatically 9 34 UNCLASSIFIED FOR OFFICIAL USE ONLY Interface amp Operator s Guide UNCLASSIFIED FOR OFFICIAL USE ONLY uTL 027 05 10 July 2007 Procedure U FOUO Follow these steps to create a CIK Step Action 1 From the MAIN MENU select Security gt CIK Management Result The following screen is displayed GENERAL DYNAMICS TACLANE Micro Revision 3 3 device Name TACLANE Micro Serial Number 400030040048 Security Level Unclassified Device State Secure Comm gt gt Security gt gt CIK Management EL CIK Management Operation Maintenance CIK 1 ACTIVE CIK 2 Empty gt g
99. KING MIB e GDC4S HAIPE NETWORKING DISCOVERY MIB e GDC4S HAIPE TRAFFIC PROTECTION MIB e RFC 3418 System and SNMP Traps e RFC 2863 Interfaces and IF e RFC 2790 Host Resources MIB e RFC 3014 Notification Log MIB e RFC 3414 SNMP USER BASED SM MIB e RFC 3415 SNMP VIEW BASED ACM MIB e RFC 3413 SNMP TARGET MIB e RFC 3411 SNMP FRAMEWORK MIB e RFC 3412 SNMP MPD MIB e RFC 3636 MAU MIB 2 8 UNCLASSIFIED FOR OFFICIAL USE ONLY Interface amp Operator s Guide UNCLASSIFIED FOR OFFICIAL USE ONLY uTL 027 05 Remote Management Features Remote Management Security 10 July 2007 U FOUO The TACLANE Micro is designed such that up to nine remote security managers have the same management capabilities as are provided to the local manager These capabilities include e PPK Assignment Table management e Security Audit Log and Event Log management e Static Routing Table management e Device Date and Time management e Device State management e Trap management e Device statistics management e Firmware Download and Installation management e TFS management e Security Association Host Table management e Discretionary Access Control management e Interface IP Address management U FOUO TACLANE Micro can be managed from the Plaintext PT or Ciphertext CT side Regardless of whether the Remote Manager is on the CT side or the PT side SNMPv3 privacy and authentication protection is provided to all management traffic
100. L USE ONLY Interface amp Operator s Guide UNCLASSIFIED FOR OFFICIAL USE ONLY uTL 027 05 10 July 2007 U Enable Disable Access Mode continued Procedure continued Step Action 2 Select the checkbox next to Access Control List Enabled If the box is checked a checkmark is present in the box then ACL is enabled If the box is empty no checkmark present in the box then ACL is disabled 3 Select YES to save changes 8 2 U Creating an ACL Entry Introduction _ U FOUO The SSO operator can create Access Control List ACL entries The ACL consists of a list of up to 256 KMIDs These KMIDs are associated with remote FIREFLY vector sets When discretionary access control is enabled only security associations associated with remote FIREFLY vector sets with KMIDs on the ACL are allowed See Enable Disable Access Mode There is one ACL and it applies to all security levels Notes U FOUO The following notes apply to creating an ACL entry e Only the SSO has the privilege to configure an ACL entry e There is one ACL and it applies to all security levels e The ACL is limited to a maximum of 256 entries 8 22 UNCLASSIFIED FOR OFFICIAL USE ONLY Interface amp Operator s Guide UNCLASSIFIED FOR OFFICIAL USE ONLY uTL 027 05 10 July 2007 Procedure U FOUO Follow these steps to create an ACL entry Step Action 1 From the MAIN MENU select Security gt Access Co
101. LANE does not support the use of the TTL field to limit the scope of multicast IP datagram traffic U FOUO TACLANE nesting up to three pairs deep is supported for IP over Ethernet Nested configurations using three pairs of TACLANEs have been tested but three is not a hard limit U FOUO If the TACLANE is turned off or prime power fails while processing user traffic the TACLANE performs autorecovery when power is restored and automatically returns to processing user traffic e Security associations reestablish automatically without operator intervention U FOUO For security associations a PPK assignment takes precedence over generating a FIREFLY TEK U FOUO Any firewalls in the path between communicating TACLANEs must be configured to pass SDD IKE and ESP See the Operator s Manual section on Factory Default Settings and Port Numbers for the port numbers for these protocols U FOUO If the TACLANE was inserted into an existing IP Ethernet configuration flush the ARP caches on hosts and routers before putting the TACLANE online To flush TACLANE s ARP cache reset the TACLANE Continued on next page B 4 UNCLASSIFIED FOR OFFICIAL USE ONLY Interface amp Operator s Guide UNCLASSIFIED FOR OFFICIAL USE ONLY uTL 027 05 10 July 2007 General IP Ethernet Configuration Tips continued Automated Peer TACLANE Discovery PT Proxy ARP Support U FOUO TACLANEs support auto
102. LASSIFIED FOR OFFICIAL USE ONLY uTL 027 05 10 July 2007 3 3 U Handling and Environmental Conditions PUNE U FOUO Below are important TACLANE Micro handling and 1cro Handling and environmental specifications Environmental Specifications Specification Remarks Size 1 61 in H x 5 5 in W x 10 85 in D without external power supply Weight 4 25 lbs Power e Primary power input voltages to the external supply are auto ranging with the following ranges 90 246 VAC e TACLANE Micro input frequency is 47 63 Hz e Output of the external power supply is 12 VDC e Dissipation 30 watts max within its operating temperature range Temperature e Non operating 40 C to 71 C e Operating no warm up 40 C to 60 C Humidity e Up to 95 non condensing Altitude e Operating 0 to 15 000 IAW MIL STD 810F e Transport 0 to 40 000 IAW MIL STD 810F TEMPEST NSTISSAM TEMPEST 1 92 Level 1 NSTISSAM TEMPEST 1 93 and CNSSAM TEMPEST 01 02 proper grounding and shielded twisted pair Ethernet cable when using copper are required EMI MIL STD 461E for Army ground platforms proper grounding and shielded twisted pair Ethernet cable when using copper are required Vibration e Operable in wheeled XM1097 HHMMWYV vehicle e Operable in tracked XM1068 vehicle with external isolation system required apn U FOUO The battery may be changed while the device is powered on or a
103. NCLASSIFIED FOR OFFICIAL USE ONLY Interface amp Operator s Guide UNCLASSIFIED FOR OFFICIAL USE ONLY uTL 027 05 10 July 2007 U Configuring Fixed Packet Length Parameters continued Fixed Packet Length Processing U FOUO When the fixed packet mode is set to ON FRAGMENT default setting e Incoming PT IP user data packets longer than the fixed packet length are fragmented All fragments will be equal to the fixed packet length with fragments being padded if necessary See the SFUG for more details on fragmentation Fragmentation will be performed regardless of the value of the Don t Fragment DF bit in the IP header e Incoming PT IP user data packets shorter than the fixed packet length are padded to the fixed packet length U FOUO When the fixed packet mode is set to ON DISCARD e Incoming PT IP user data packets longer than the fixed packet length are discarded If the DF bit is set a destination unreachable message is sent to the originator e Incoming PT IP user data packets shorter than the fixed packet length are padded to the fixed packet length U FOUO When the fixed packet mode is set to OFF e No fixed packet processing is done The length and fragment discard parameters are ignored U FOUO Once the CT traffic is decrypted by the receiving TACLANE e Any padding that was added by the encrypting TL is discarded e No reassembly of plaintext fragments is done All decrypted fragments are
104. NE System Location the up to 255 character user configurable system location U FOUO The operator can modify the following TACLANE system information TACLANE System Name TACLANE System Contact TACLANE System Location Procedure U FOUO Follow these steps to display and or configure the TACLANE system information 9 54 UNCLASSIFIED FOR OFFICIAL USE ONLY Interface amp Operator s Guide uTL 027 05 10 July 2007 UNCLASSIFIED FOR OFFICIAL USE ONLY Step Action l From the MAIN MENU select System gt Info Result The following screen is displayed GENERAL DYNAMICS 3 TACLANE Micro evel Unclassified gt gt System gt gt Info System Information TACLANE Micro Revision 3 3 Serial Number 400030040048 Device State Secure Comm Date Time 02 20 2007 10 40 d System Description GD TACLANE Micro System Name Maximum 255 characters TACLANE Micro System Contact Maximum 255 characters General Dynamics System Location Maximum 255 characters Needham MA Save Changes Enter data into the System Name System Contact and or System Location text boxes Select YES to save changes 9 55 UNCLASSIFIED FOR OFFICIAL USE ONLY Interface amp Operator s Guide UNCLASSIFIED FOR OFFICIAL USE ONLY uTL 027 05 10 July 2007 9 16 U Enable SSO Privileges Introduction Factory Default SSO PIN Enable SSO Privil
105. OR OFFICIAL USE ONLY uTL 027 05 10 July 2007 U FOUO The operator can restart the TACLANE Restarting the TACLANE will cause the TACLANE to perform a series of diagnostic tests U FOUO All security associations are lost on a restart U FOUO Follow these steps to restart the TACLANE Step Action 1 From the MAIN MENU select Operation gt Restart Result The following screen is displayed GENERAL DYNAMICS Device Name TACLANE Micro Security Level None Selected gt gt Operation gt gt Restart 550 Disabled TACLANE Restart Operation Maintenance Perform Restart Key Management Network Security System HOME TACLANE Micro Revision 3 3 Serial Number 400030040048 Device State Initialized 2 Select YES to perform the restart 9 40 UNCLASSIFIED FOR OFFICIAL USE ONLY Interface amp Operator s Guide UNCLASSIFIED FOR OFFICIAL USE ONLY uTL 027 05 10 July 2007 9 6 U Configure Battery Configuration Introduction U FOUO The operator can configure the type of battery used in the TACLANE Micro Procedure U FOUO Follow these steps to configure the battery Step Action l From the MAIN MENU select Maintenance gt Battery Result The following screen is displayed GENERAL DYNAMICS TACLANE Micro Revision 3 3 e TACLANE Micro umber A000300400A8 Level Unclassified State OffLine gt gt Maintenance gt gt Bat
106. OUO Note Each of the redundancy configurations described in this section can be implemented with either PrePlaced Key PPK or FIREFLY vector sets B 22 UNCLASSIFIED FOR OFFICIAL USE ONLY Interface amp Operator s Guide UNCLASSIFIED FOR OFFICIAL USE ONLY uTL 027 05 Single Ended Redundancy Single Ended Redundancy with Router Redundancy 10 July 2007 U FOUO Two examples of single ended redundancy configurations are presented here each showing encrypted SIPRNET traffic tunneled through the NIPRNET The first example provides router redundancy as well as TACLANE redundancy the second example provides only TACLANE redundancy FIREFLY or PrePlaced Key Security Associations can be used between TACLANESs in either example U FOUO The TACLANE operator must choose how to configure the TLs One option is to assign the CT and PT IP addresses to a single black NIPRNET subnet In this case the red SIPRNET and black NIPRNET address spaces are separated at the router on the PT side of each TACLANE Another option is to assign each TL a black NIPRNET CT IP address and a red SIPRNET PT IP address and configure each TL with static routes U FOUO The figure below is a two enclave illustration of a base network where TACLANE redundancy is configured only at a gateway enclave in this case a gateway to the global SIPRNET Up to 253 SIPRNET enclaves on the base network represented by the enclave on the left can be fu
107. P Settings Operation Maintenance Timeout s 1 30 secs Key Management Save Changes Security Enter the Timeout value in seconds Select YES to save changes 9 46 UNCLASSIFIED FOR OFFICIAL USE ONLY Interface amp Operator s Guide UNCLASSIFIED FOR OFFICIAL USE ONLY uTL 027 05 10 July 2007 9 12 U Download a FSU File Introduction Important Notes Major and Minor Releases Requirements U FOUO The operator can download an FSU file via the PT CT or Console port to load a new software release into the TACLANE The port on which the file is downloaded is determined by the download server configuration U FOUO The following notes apply to performing an FSU download e A stable power environment must be maintained throughout the procedure Use of an uninterruptible power supply UPS is recommended e Only the SSO can access this command e Path information included in the filename field will be ignored e The base directory on the TFTP server must be set to the directory where the FSU file resides because this is where the TACLANE Micro will look for it e If you are using FIREFLY a new FIREFLY vector set will be needed after FSU is performed U FOUO The version of TACLANE software being loaded cannot digress beyond a previous major release because it will not be compatible Major releases must be upgraded consecutively and cannot be skipped Minor releases
108. R OFFICIAL USE ONLY uTL 027 05 10 July 2007 9 19 U Audit Log Threshold Introduction U FOUO This command allows the SSO operator to configure the warning threshold on the TACLANE Micro audit log Once this threshold is reached the operator is notified Notes U FOUO The following notes apply to the Audit Log Threshold function e Only the SSO can access this command Procedure U FOUO Follow these steps to enter an audit log threshold Step Action 1 From the MAIN MENU select System gt Audit Log Threshold Result The following screen is displayed GENERAL DYNAMICS a ee rox Revision 3 3 Device Name TACLANE Micro Serial Number A000300400A8 Security Level Unclassified Device State OffLine gt gt System gt gt Audit Log Threshold Audit Log Warning Threshold Maintenance ey jV Enable Warning Threshold Notification Key Management Warning Threshold Percentage Network F Save Changes ecuri System 2 Select the checkbox next to Enable Warning Threshold Notification If the box is checked a checkmark is present in the box then Enable Warning Threshold Notification processing is enabled a notification is sent to the operator when the audit log threshold is reached If the box is empty no checkmark present in the box then Enable Warning Threshold Notification processing is disabled Enter the Warning Threshold Percentage value Note If the threshold is set to zero no warning will
109. SSIFIED FOR OFFICIAL USE ONLY Interface amp Operator s Guide UNCLASSIFIED FOR OFFICIAL USE ONLY uTL 027 05 10 July 2007 U Configuring IGMP MLD Bypass continued Procedure U FOUO Follow these steps to configure the IGMP bypass parameter Step Action l From the MAIN MENU select Security gt Traffic Flow Security gt Bypass Result The following screen is displayed GENERAL DYNAMICS TACLANE Micro Revision 3 3 gt gt Security gt gt Traffic Flow Security gt gt Bypass 2 550 Enabled Configure Bypass Operation Maintenance Don t Fragment Bit Bypass Key Management Bit Setting Jos J PMTU Bypass J IGMP MLD Bypass MV TOS Bypass TOS Constant 00000000 binary HOME Accepted DSCP Values Glick element to enable or disable DSCP value cso csi cs2 cs3 CS4 css CS6 cs 000001 001001 010001 011001 100001 101001 110001 111001 000010 AF11 AF21 AF31 AF41 101010 110010 111010 000011 001011 010011 011011 100011 101011 110011 111011 000100 AF12 AF22 AF32 AF42 101100 110100 111100 000101 001101 010101 011101 100101 101101 110101 111101 000110 AF13 AF23 AF33 AF43 EFPHB 110110 111110 000111 001111 010111 011111 100111 101111 110111 111111 SET ALL CLEAR ALL Save Changes 2 Select the checkbox next to IGMP MLD Bypass If the box is checked a checkmark is present in the box then IGMP MLD Bypass is enabled If the box is empty no checkmark present in the box then IGMP MLD Bypas
110. Secure Dynamic Discovery SDD PPKs The User PPKs secure user traffic while the SDD PPKs are used to encrypt the SDD messages e When filling a PPK the operator is prompted to enter the Effective Date of the PPK the Use of PPK User vs SDD and the cryptography Algorithm BATON or MEDLEY e When the operator fills a PPK into a slot that already contains an active PPK i e it is not an empty slot then this filled PPK is saved as a changeover PPK In this case the use and algorithm are not prompted for in filling the changeover PPK since these parameters are inherited from the slot s active PPK e Note that for proper operation within a cryptonet using PPKs all TACLANEs in the cryptonet must have the PPK configured with the same effective date use and algorithm U FOUO The TACLANE Micro supports the DS 100 1 PPK format Continued on next page 4 9 UNCLASSIFIED FOR OFFICIAL USE ONLY Interface amp Operator s Guide UNCLASSIFIED FOR OFFICIAL USE ONLY uTL 027 05 10 July 2007 PPK Changeover PPK Update U FOUO TACLANE PPK changeover occurs on the same day every month as defined by the effective date is centered around 12 00 AM witha plus or minus 55 minute window to allow for clock drift that starts at 11 05 PM and ends at 12 56 AM U FOUO For a security association a TACLANE starts using the changeover PPK to encrypt user traffic at 12 00 AM A TACLANE is able to decrypt user traffic using e
111. TACLANE from a benign tamper a maximum of five times without returning it to the depot The Recovery CIK is classified SECRET and must be shipped separately from the TACLANE If the TACLANE is sent to a COMSEC account then the Recovery CIK will be sent to that account s classified mailing address If the TACLANE is sent to a DoDAAC the Recovery CIK will be sent upon receipt of a valid classified mailing address for the receiving activity U FOUO Recovery CIKs are TACLANE unit specific Please make sure to note the serial number of the TACLANE associated with the Recovery CIK Do not attempt to use Recovery CIKs in TACLANE units other than the one with which it is associated U FOUO The TACLANE Micro can be placed on a shelf in a 19 rack and screwed in from the bottom Three TACLANE Micros will fit on a single shelf U FOUO The following items not supplied with the TACLANE are required for configuring the unit e PC or notebook e Web Browser Software Microsoft Internet Explorer version 5 5 or higher or equivalent e Category 5 RJ45 to RJ45 Ethernet Patch Cord U FOUO The following items not supplied with the TACLANE are required for filling key e DTD AN CYZ 10 V3 NSN 5810 01 393 1973 e SKL AN PYQ 10 NSN 7010 01 517 3587 e Fill cable for DTD U FOUO The Key Storage Devices are 16 Kbit storage devices 3 2 UNCLASSIFIED FOR OFFICIAL USE ONLY Interface amp Operator s Guide UNC
112. Target Address Enable Vv Side prC ct Type IPv4 Address 148 10 127 55 Port 162 Save Changes 3 Enter or update the Manager Name and Password Note the Manager name cannot be changed when modifying a Network Manager 4 Notification Target is a term used to describe a management station that will receive traps from this ECU To configure TACLANE to send TRAPs to this manager select to enable the Notification Target Address this is the default select the interface communicating to the network manager and enter the Notification Target IP Address Optionally the UDP port that TRAPS will be sent to may be changed from the standard 162 to an alternate port 5 Select YES to save changes 8 29 UNCLASSIFIED FOR OFFICIAL USE ONLY Interface amp Operator s Guide UNCLASSIFIED FOR OFFICIAL USE ONLY uTL 027 05 10 July 2007 8 6 U Deleting the Network Manager Introduction U FOUO The operator can delete the network manager configuration information Notes U FOUO The following notes apply to deleting the network manager e Only the SSO can perform this function Procedure U FOUO Follow these steps to delete the network manager Step Action 1 From the MAIN MENU select System gt Network Managers Result The following screen is displayed GENERAL DYNAMICS TACLANE Micro Revision 3 3 Device Name TACLANE Micro Serial Number 400030040048 Se
113. Time UTC Operation Date DD Month 26 Eg 02 Feb I 2007 Time HH MM 55 zo a 19 I 33 Warning Setting time in the past may cause PPK deletion See manual for details gt Maintenance gt Key Management gt Net gt TACLANE will restart upon acceptance of time change Save Changes 2 Select the desired day month and year from the pull down menus Select the desired hour minute and seconds from the pull down menus Note Changing the time ahead may expire and automatically delete PPKs Changing the time backwards may cause a PPK to not be used until the date catches up with the PPK s update count 3 Select YES to save changes Note This will cause the TACLANE to restart 9 33 UNCLASSIFIED FOR OFFICIAL USE ONLY Interface amp Operator s Guide UNCLASSIFIED FOR OFFICIAL USE ONLY uTL 027 05 10 July 2007 9 2 U Creating a CIK Introduction Create CIK Make a Copy Important CIK Notes Notes U FOUO A CIK is a Crypto Ignition Key used to unlock wrapped key stored within the TACLANE A TACLANE from the factory comes with one valid user CIK shipped separately as well as one spare CIK The operator can use the Create CIK function to create up to two additional CIKs U FOUO A spare blank CIK is included with the TACLANE General Dynamics recommends that the operator use this spare CIK to create a second user CIK The original user CI
114. Tips Procedure U FOUO Follow these steps to assign a PPK for establishing Security Associations with a specified remote INE Step Action l From the MAIN MENU select Security gt PPK Assignment Result The following screen is displayed GENERAL DYNAMICS TACLANE Micro Revision 3 3 Device Name TACLANE Micro Serial Number A000300400A8 Security Level Unclassified Device State Secure Comm gt gt Security gt gt PPK Assignment 550 Enabled PrePlaced Key Chain Selection Operation Maintenance ChainId Type SecurityLevel Short Title Edition Segment EA Cc 1 User Unclassified USEVD 00000000200 111111 A o E c 2 User Secret USEVD 00000000202 111111 A 0 Security C 3 SDD Confidential USEVD 00000000201 111111 A o System 4 5 6 fi 8 9 10 11 12 13 14 15 16 6 3 UNCLASSIFIED FOR OFFICIAL USE ONLY Interface amp Operator s Guide UNCLASSIFIED FOR OFFICIAL USE ONLY uTL 027 05 10 July 2007 Select the radio button next to the desired PPK Chain Id Select MANAGE ASSIGNMENTS If the PrePlaced Key type is User the following screen is displayed gt gt Security gt gt PPK Assignment 550 Enabled PrePlaced Key User Assignment Operation gt 9 There are currently no User Assignments to display Maintenance Key Management PrePlaced Key Chain Info Fe Chain Id 2 S
115. UNCLASSIFIED FOR OFFICIAL USE ONLY uTL 027 05 TACLANE Micro Inline Network Encryptor MOA No GDC4S CCEP 061 04 U Interface amp Operator s Guide For TACLANE Micro Release 3 3 ADRL PM09 04 10 July 2007 Prepared for NATIONAL SECURITY AGENCY 9800 SAVAGE ROAD FT GEORGE G MEADE MD 20755 Prepared by GENERAL DYNAMICS C4 Systems 77 A STREET NEEDHAM MA 02494 2806 Not releasable to the Defense Technical Information Center per D O D Directive 3200 12 Distribution limited to U S Government Agencies only This document contains NSA information 10 July 2007 Request for this document must be referred to the Director NSA Government Purpose Rights MOA CCEP 061 04 General Dynamics Government Systems Corporation 77 A Street Needham MA 02494 2806 Expiration Date 27 June 2007 The Government s rights to use modify reproduce release perform display or disclose this software are restricted by paragraph b 2 of the Rights in Noncommercial Computer Software and Noncommercial Computer Software Documentation clause contained in the above identified contract No restrictions apply after the expiration date shown above Any reproduction of the software or portions thereof marked with this legend must also reproduce the markings UNCLASSIFIED FOR OFFICIAL USE ONLY Interface amp Operator s Guide UNCLASSIFIED FOR OFFICIAL USE ONLY uTL 027 05 10 July 2007 U THIS PAGE INTENTIONALLY LEFT BLANK i
116. able Disable a PPK Assignment s csccs5 sccseaecsdcaiseaiseeesiaghatdacsdsceaciasessealents 6 6 6 4 U Delete a PPK Assi OTmMent lt 25 9255 s Catarecsavaceasaceacensstescn voceeestaaseataciosaceasesatae 6 8 6 5 CU teria Tita Zed Stat ss inire aini ang aae arna EE E a o aa ah 6 10 6 6 UL Entering OfflineState srnce niern ia i a 6 11 6 7 U Entering Secure Communications State cccecccecsceceseceeeeeeeeeeneeeeeeeseeneees 6 12 6 8 U Security Association Info SA Table cece ecccessecsteceseceeeeeeeeesseeeseesnes 6 15 6 9 U Configuring Remote TACLANE Static Routing ssessesseseeeseesseesreseesseese 6 16 6 10 U Modifying Remote TACLANE Static Routes cccecceeceeeseeseesteeeseeeeees 6 21 6 11 U Deleting Remote TACLANE Static Routes cceccecceeseeseceteceeeeeeeeennees 6 22 6 12 U Configuring Security Association ccccecceeceesceesseceeceeeceeseeessecsaeeeeenees 6 24 6 13 U Displaying the SA Configuration Information ee eeseeeteeneeeeeeeeeneenee 6 26 7 0 U CONFIGURING IP TRAFFIC FLOW SECURITY PARAMETERSG 7 1 7 1 U Configuring Fixed Packet Length Parameters cccceesceesseesceeeteeeseeeeeee 7 1 72 U Displaying Fixed Packet Length Information cc eeceeeeseeeeereeeeeeeeeeeees 7 6 7 3 U Configuring Payload Sequence Number Checking ccceccesceeeteeeeeeeeees 7 6 7 4 U Displaying Payload Sequence Number Check Information 7 9 7 5 U Configuring TOS DSCP Bypass
117. able Release Keys Notes for the TACLANE software version Problem Cause Solution Cannot fill FIREFLY vector set Keying material not filled The fill process timed out Check the fill cable connection between the DTD and the TACLANE Check that the DTD is set to the DS101 protocol Cannot fill FIREFLY vector set TACLANE resets during transfer The DTD was set to issue the FIREFLY vector set Check that the DTD is configured to fill the FIREFLY vector set rather than issue it Cannot fill PPK Keying material not filled The fill process timed out Check the fill cable connection between the DTD and the TACLANE Check that the DTD is set to the DS101 protocol 10 78 UNCLASSIFIED FOR OFFICIAL USE ONLY uTL 027 05 10 July 2007 Interface amp Operator s Guide UNCLASSIFIED FOR OFFICIAL USE ONLY uTL 027 05 10 July 2007 10 9 U Troubleshooting IP Ethernet IP Ethernet U FOUO The table below describes TACLANE IP Ethernet configuration fone problems their causes and solutions Also see applicable Release Notes for the TACLANE software version Problem Cause Solution Cannot ping TACLANE IP TACLANE not in secure Put TACLANE online addresses communications mode IP configuration incorrect or Check that the IP Ethernet incomplete configuration is complete and correct Ethernet cable transceiver Check that the Ethernet cables problem and t
118. able SDD select the checkbox next to Enable SDD Processing If the box is checked a checkmark is present in the box then Enable SDD Processing is enabled If the box is empty no checkmark present in the box then Enable SDD Processing is disabled 3 If SDD Processing is enabled enter the Maximum PROBE retries 1 5 4 If SDD Processing is enabled enter the PROBE retransmit timeout 1 30 in seconds 5 Select YES to save changes 6 1 UNCLASSIFIED FOR OFFICIAL USE ONLY Interface amp Operator s Guide UNCLASSIFIED FOR OFFICIAL USE ONLY uTL 027 05 10 July 2007 6 2 U Assigning a PPK to an IP Address Introduction Determining the Remote TACLANE IP Address Multicast PPK Assignment U FOUO PPKs can be used to secure Security Associations SA The operator must assign a PPK to a remote TACLANE IP address to apply the PPK to that SA U FOUO When a remote TACLANE IP address is assigned to a PPK all secure IP traffic destined to that remote TACLANE uses the assigned PPK U FOUO In order to determine the applicable remote TACLANE IP address the TACLANE can be configured to use static routing and or automated peer TACLANE discovery via Secure Dynamic Discovery SDD The static routing table is searched first If no match is found in the routing table the TACLANE will try SDD U FOUO Once the remote TACLANE is identified PPK assignments are checked for a match based on t
119. agrams to the same multicast IP address e Received CT ESP IP datagrams destined for the specified multicast IP address are decrypted and the PT IP datagrams are sent to the same multicast address e Multicast IP datagram traffic is not supported for FIREFLY 6 13 UNCLASSIFIED FOR OFFICIAL USE ONLY Interface amp Operator s Guide UNCLASSIFIED FOR OFFICIAL USE ONLY uTL 027 05 Notes Procedure 10 July 2007 U FOUO The following notes apply to entering secure comm e TACLANE must be offline with a security level selected in order to enter secure communications mode e TACLANE must have a valid IP Ethernet configuration e All communicating TACLANEs must be at the same security level e If FIREFLY TEKs are used each communicating TACLANE must have a unique valid operational FIREFLY vector set and the FIREFLY vector sets must be valid for the current security level e If PPKs are used all communicating TACLANEs must have valid PPK assignments with the same PPK at the same security level with the same effective date under the same PPK ID U FOUO Follow these steps to enter secure communications mode Step Action l From the MAIN MENU select Operation gt Secure Comm Result The following screen is displayed GENERAL DYNAMICS TACLANE Micro Revision 3 3 e TACLANE Micro Serial Number A000300400A8 Level Unclassified Device State OffLine gt gt Operation gt gt Secure Comm
120. ally inspected ensuring that the tamper seals are intact Evidence of physical tampering must be reported to NSA in accordance with TACLANE doctrine U FOUO Obtain a CIK before beginning this procedure This CIK will become CIK1 for this TACLANE Do not use a CIK that is required for another TACLANE as that will make it invalid for the other TACLANE U FOUO A Recovery CIK is unique to its associated TACLANE The Recovery CIK should be tagged with the serial number of the associated TACLANE It can be used to recover its associated TACLANE from tamper a maximum of five times After it has been used five times a Recovery CIK is no longer valid The tag attached to the Recovery CIK should be used to identify its associated TACLANE and to keep a record of the number of times that Recovery CIK is used for tamper recovery The Recovery CIK is classified SECRET and must be handled according to NSA doctrine U FOUO A benign tamper is typically due to a depleted battery It is recommended that the battery be replaced during a Field Tamper Recovery 10 70 UNCLASSIFIED FOR OFFICIAL USE ONLY Interface amp Operator s Guide UNCLASSIFIED FOR OFFICIAL USE ONLY uTL 027 05 10 July 2007 Procedure U FOUO Follow these steps to perform a Field Tamper Recovery Step Action 1 Replace the TACLANE s battery See Section 10 5 Replacing the Battery Note The battery installed date cannot be updated until the TA
121. apply to the Display Audit Log function e When the Audit Log reaches the maximum records 5663 the oldest block of the Audit Log is removed 809 records to allow additional events to be logged Procedure U FOUO Follow these steps to display the audit log Ste Action 1 From the MAIN MENU select Maintenance gt Logs gt Audit Log Result The following screen is displayed GENERAL DYNAMICS Doei Revision 3 3 Device Name TACLANE Micro Serial Number A00030040048 Security Level Unclassified Device State Secure Comm gt gt Maintenance gt gt Logs gt gt Audit Log Audit Log Operati Maintenance Displaying 1 2 of 2 Records lt lt First lt Prev 1 Next gt Last gt gt Key Management Ber PIN Activity 02 20 2007 10 51 28 PIN Activity Action Disable Privileges Audit Log OK 02 20 2007 10 51 28 INE Station ID 400030040048 526 System Date 02 20 2007 10 51 28 Audit Log Capacity 10504 SNMP User Name hmiSso lt lt First lt Prev 1 Next gt Last gt gt 2 Select NEXT to display the next page of audit log records PREV to display the previous page of audit log records or select the page number to display a particular page of audit log records if available 9 66 UNCLASSIFIED FOR OFFICIAL USE ONLY Interface amp Operator s Guide UNCLASSIFIED FOR OFFICIAL USE ONLY uTL 027 05 10 July 2007 9 22 U Display Event Log Introduction Procedure
122. ase is a subset of the four tunnel case U FOUO Double ended redundancy can be implemented by configuring all the TACLANEs for static routing or by configuring all the TACLANEs for same subnet operation using dynamic discovery As with single ended redundancy either FIREFLY or PrePlaced Key Security Associations can be used between the TACLANEs Also TACLANEs can be used in any combination Double Ended U FOUO The figure below depicts a two enclave network where failover Seay redundancy is provided at both enclaves by configuring four GRE tunnels and GRE Tunnels 2 routing protocol between the red routers at the two enclaves Remote TACLANE static routing is used in this example the red private and black SIPRNET address spaces are separated at each TACLANE Subnets beginning with p1 p2 are private and subnets beginning with s1 s2 are SIPRNET subnets UNCLASSIFIED FOUO 10 0 11 1 GRE Tunnel 11 10 0 11 2 10 0 12 1 10 0 21 2 PT CT cT PT Host TACLANE TACLANE Host A1 11 21 B1 s1 s2 5 8 30 s1 s2 5 64 30 2 13 10 SIPRNET 66 69 20 p1 p2 12 8 29 i p1 p2 11 64 29 LAN 4 Red N 14 109 Black GRE Tunnel 21 Black 70P 665 Red N 1g LAN Switch Router Router Router Router gt Switch A A 22p 188 13 A B lt 69 78p 748 B B p1 p2 12 16 29 GRE Junnel 12 p1 p2 11 72 29 3 21 PT CT 14 70 CT PT
123. ates Resubmit the desired changes C 3 UNCLASSIFIED FOR OFFICIAL USE ONLY Interface amp Operator s Guide UNCLASSIFIED FOR OFFICIAL USE ONLY uTL 027 05 10 July 2007 The device was unable to initiate the Download Another manager has because another manager was updating the device at updated the device the same time Check the data for possible updates Resubmit the desired changes The device was unable to start the installation because Another manager has another manager was updating the device at the same updated the device time Check the data for possible updates Resubmit the desired changes The device was unable to discard the download Another manager has because another manager was updating the device at updated the device the same time Check the data for possible updates Resubmit the desired changes The device was unable to perform the selected action Another manager has because another manager was updating the device at updated the device the same time Check the data for possible updates Resubmit the desired changes The FSU Command failed Resubmit the desired changes IP Error Messages The system was unable to update the IPv4 Addresses Another manager has because another manager was updating the system at updated the device the same time Check the data for possible updates Resubmit the desired changes The device was unable to process the opera
124. ations RELOAD HELP Operation Maintenance Total number of S s 1 lt lt Prey Next gt gt Remote INE CTs from voc CE 170 0 0 1 VIEW MODIFY lt lt Prev Next gt gt Key Management Network Note The full IP CT address of the first remote INE in the SA table is displayed in the Remote INE CTs from entry box 2 Enter an IP CT Address in the Remote INE CTs from entry box for direct access to an SA Select GO to display the SA Table starting with the entered Remote INE CT 3 Select the radio button next to the desired address 6 15 UNCLASSIFIED FOR OFFICIAL USE ONLY Interface amp Operator s Guide UNCLASSIFIED FOR OFFICIAL USE ONLY uTL 027 05 10 July 2007 Select VIEW MODIFY Result The following screen is displayed GENERAL DYNAMICS gt TACLANE Micro ty Level Unclassified gt gt Operation gt gt 54 Info gt gt SA Table TACLANE Micro Revision 3 3 Serial Number A00030040048 Device State Secure Comm 550 Enabled Security Association Info RELOAD Operation Maintenance Address Type IPv4 Key Management Remote CT Address 170 0 0 1 Network Remote PT Address 10 1 0 1 Security Local CT Address 170 0 0 2 System Local PT Address 10 2 0 1 PT PMTU 1424 SRE Short Title USEWD 00000000200 111111 Edition Segment 0 DISPLAY HOSTS DELETE SA BACK TO SA TABLE Select DELETE SA to delete this Security Associati
125. can accept or reject In this example the specific sequence would be 1 Operator attempts to enable privileges Enable Privileges command by entering the factory default PIN 123456789 2 The HMI then displays the PIN EXPIRED screen that includes a new PIN and prompts the operator as to whether to accept the PIN or not 3 Operator records the PIN value and accepts the new PIN 4 Operator then must return to the Enable Privileges command and enter the new PIN value in order to access the SSO privileged mode U FOUO If a TACLANE is ever tampered the SSO PIN will be reset back to its default PIN 123456789 9 61 UNCLASSIFIED FOR OFFICIAL USE ONLY Interface amp Operator s Guide UNCLASSIFIED FOR OFFICIAL USE ONLY uTL 027 05 10 July 2007 Forgotten PIN U FOUO If the operator has forgotten the current SSO PIN the only way to regain SSO privileges of the TACLANE is to perform the Field Tamper Recovery on the TACLANE see section 10 3 which resets the PIN to the factory default SSO PIN 123456789 Notes U FOUO The following notes apply to the generate SSO PIN function e Only the SSO can access this command e After generating a new PIN the operator is not yet in the SSO privileged mode The operator must select the Enable Privileges command and enter the PIN in order to be in the SSO privileged mode e The TACLANE supports one SSO PIN After the SSO PIN is updated the previous SSO PIN is
126. ced by half in some networks where the redundancy and latency requirements and the number of enclaves allow failover to a partial mesh of enclave tunnels where some enclave pairs can only be connected through the red router of a third enclave B 31 UNCLASSIFIED FOR OFFICIAL USE ONLY Interface amp Operator s Guide Appendix C C 1 TACLANE Status Messages U STATUS MESSAGES U Status Messages UNCLASSIFIED FOR OFFICIAL USE ONLY uTL 027 05 10 July 2007 U FOUO The table below identifies TACLANE Micro status messages and actions to be taken when the status message is received Status Message Action General Messages The device was unable to process the operation because another manager was updating the device at the same time Another manager has updated the device Check the data for possible updates Resubmit the desired changes RELOAD button on the page or the REFRESH button on the tool bar to update the display If that is unsuccessful ensure that the device is currently powered on The device encountered an internal error and was Reload page unable to process the request Please try again The browser was unable to perform a request to Check the LEDs on the dynamically refresh the display This is typically TACLANE The caused in Internet Explorer by having ActiveX TACLANE may be disabled Please manually refresh the page using the restarting Check browser settings t
127. cedure U FOUO Follow these steps to configure the Ethernet physical parameters Step Action 1 From the MAIN MENU select Network gt Ethernet Comm Result The following screen is displayed GENERAL DYNAMICS ag erty aa evision 3 3 e TACLANE Micro Serial Number A000300400A8 evel Unclassified Device State OffLine Network gt gt Ethernet Comm Ethernet Comm Maintenance PT Side Link Status Up Key Management Network Operating At 100Mbps Full Duplex Security System Manual 100Mbps Full Duple Auto Negotiate CT Side Link Status Down Operating At unknown Manual 100Mbps Full Duple Auto Negotiate PT CT Advertised Speeds Modes JV 10Mbps Full Duplex J 100Mbps Full Duplex V 10Mbps HalF Duplex J 100Mbps Half Duplex Save Changes 2 For both of the PT and CT sides the current link status speed and mode that the interfaces are operating at is displayed 3 For the PT side select the radio button next to manual and select the speed and mode from the pull down menu or select the radio button next to auto negotiate 4 For the CT side select the radio button next to manual and select the speed and mode from the pull down menu or select the radio button next to auto negotiate 5 Select the desired PT CT advertised speed mode by selecting the checkboxes next to the appropriate choices 6 Select YES to save the changes
128. cesescsosocsosoesssesosocsosse 2 1 2 1 ED VOC GL Hci od ee herd E ate ae T a A GNA 2 1 2 2 FG OMICS PES EEEE a EAEE E EAE EEE AEE E Te ase theo 2 2 2 3 UJ Capabilities annin E E te E ER T A E A E E tate 2 5 2 4 U Web based Human Machine Interface HMI s ssssssesssessesssssressesssseesseeseese 2 10 3 0 U INSTALLING AND OPERATING THE TACLANE cscssssssssees 3 1 3 1 AES LOTMA NANO EEEE E EE E E AAA A 3 1 3 2 UJ Equipment CHECKIISES sirsat soian naia aE aE oR RARESA eee 3 1 3 3 U Handling and Environmental Conditions s ssssssesseseesseessrsseessessrssresseesess 3 3 3 4 US INTO UTD en nean e Ea E A 3 4 3 5 U Installing TACLANE Cables ico o sac cents ae sa Booted Gare dicate oa cect taaes 3 6 3 6 U Configuring the IP Network iss ccs cssccusevesncsvecdss cacvasisccesccrsevechavecasd cava chaviadaseanens 3 9 3 7 Uj Operating the TACEANE sss sscactadybatdanessieii sev baahedtaeansbaasiatinaiastee aaae Aaaa 3 10 3 8 UJHMI Mrentt Treenerina ete ate a E E a RE 3 16 4 0 U FILLING AND MANAGING KEYS oeoesossesescscsocsoscesesccosocsoscesesesosocsosse 4 1 4 1 U Obtaining DTDs SKLs and Keys ceeeeceecceesseceteceseeeeeeeeeeeeeseecsseeneeneaes 4 4 2 U Attaching a Fil Cablen a ea a ii a iiaa 4 2 4 3 U Filling the FIREFLY Vector Set ss nneeseesssesessseessesersseessessrssressessrssresseeseese 4 3 4 4 U Deleting the FIREFLY Vector Set eseseessesessseessesesseessessrssressessessresseeseese 4 7 4
129. control access to the functionality of the TACLANE and protect the encryption keys that have been filled into the TACLANE An SSO privileged operator can create up to two additional CIKs These three CIKs can be used to allow multiple operators independent one at a time access toa TACLANE Micro An SSO privileged operator can delete any CIK except the active CIK the CIK inserted when the TACLANE Micro most recently started or restarted 2 6 UNCLASSIFIED FOR OFFICIAL USE ONLY Interface amp Operator s Guide UNCLASSIFIED FOR OFFICIAL USE ONLY uTL 027 05 Access Control NSA Certified Type 1 Field Software Upgrade and Field Tamper Recovery 10 July 2007 U FOUO The Mandatory Access Control function checks e Partition code of FIREFLY vector set e Current security level of TACLANE Micro Before initiating FIREFLY TEK generation These must be the same for the initiator and the responder TACLANE U FOUO The operator selectable Discretionary Access Control function checks the operator editable Access Control List which contains a list of KMIDs FIREFLY TEKs are only generated with remote FIREFLY vector sets having KMIDs on the ACL U FOUO Functional access control is provided through the use of the CIK When the CIK is removed the TACLANE Micro resets causing all security associations traffic and management connections to be lost The TACLANE Micro then proceeds through a power up sequence pausing until a
130. curity Features Users PM13 2 16 07 S Guide for TACLANE Micro Other U FOUO The following table lists information on other documents Referenced referenced in this manual Documents Document Title Rev ADRL or Date Classif Number CDRL U C S CNSSI No Operational Systems N A 27 Mar U 3029 Security Doctrine for 2003 TACLANE Micro KG 175D 0N477430 DTD User s Manual latest N A latest rev U rev Not available Simple Key Loader U https rdit army mil com msc for AN PYQ 10 C 1 2 UNCLASSIFIED FOR OFFICIAL USE ONLY Interface amp Operator s Guide UNCLASSIFIED FOR OFFICIAL USE ONLY uTL 027 05 10 July 2007 GEM X GEM X U Operator s Manual Related IP U FOUO Additional information about related network interfaces is Roe provided in the IETF STDs and RFCs for IP networking 1 3 U Acronyms and Abbreviations Acronyms and U FOUO The following acronyms and abbreviations are used in this Abbreviations manual Acronym Definition Abbr AC Alternating Current ACL Access Control List AH Authentication Header ARP Address Resolution Protocol AWG American Wire Gauge BGL Bad Guy List CC Crypto Card CCI Controlled Cryptographic Item CD Compact Disc CF Central Facility CIK Crypto Ignition Key COMSEC Communications Security CSESD Communications Security Equipment System D
131. curity Level Unclassified Device State OffLine gt gt System gt gt Network Managers 550 Enabled Network Management Operation Maintenance Manager Name Notification Target Address Side Key Management Manager1 148 10 127 55 162 PT Reta 3 Entries displayed in ats are currently disabled Oui Add a new Network Manager System 2 Select the radio button next to the desired Network Manager and select DELETE 8 30 UNCLASSIFIED FOR OFFICIAL USE ONLY Interface amp Operator s Guide UNCLASSIFIED FOR OFFICIAL USE ONLY uTL 027 05 10 July 2007 8 7 U Displaying Network Manager Information Introduction U FOUO The operator can display the information associated with the network manager configuration Procedure U FOUO Follow these steps to display the network manager information Step Action 1 From the MAIN MENU select System gt Network Managers Result The following screen is displayed GENERAL DYNAMICS TACLANE Micro Revision 3 3 Devi e TACLANE Micro Serial Number 400030040048 5 vel Unclassified Device State Secure Comm gt gt System gt gt Network Managers 550 Dissbesd Display Network Management Operation gt Maintenance gt Manager Name Notification Target Address Side E Manageri 148 10 127 55 162 PT Key Management Ababa al Entries displayed in italics are currently disabled gt gt gt gt HOME Note Specific values de
132. d Minor releases can be skipped and overwritten with earlier minor releases in the same major release General Dynamics will specify major and minor TACLANE software releases in their release notes U FOUO The TACLANE Micro s first release Release 3 3 is a major release U FOUO Note Image decryption will fail for a release that is not permitted as an upgrade to a currently installed TACLANE software release On failure of an install the release that was in effect prior to the start of the FSU install remains in effect U FOUO If an error occurs during the procedure such as a tamper condition or continuous alarm state Field Tamper Recovery may be used to reset the unit and generate a new User CIK See Section 10 3 Performing a Field Tamper Recovery for instructions Then return to this section and retry the Field Software Upgrade Continued on next page 9 50 UNCLASSIFIED FOR OFFICIAL USE ONLY Interface amp Operator s Guide UNCLASSIFIED FOR OFFICIAL USE ONLY uTL 027 05 10 July 2007 U Install a FSU File continued Procedure U FOUO Follow these steps to perform a Field Software Upgrade Step Action 1 From the MAIN MENU select Maintenance gt Field Software Upgrade gt Upgrade Management Result The following screen is displayed GENERAL DYNAMICS TACLANE Micro Revision 3 3 TACLANE Micro Serial Number A000300400A8 Level None Selected Device State Initialized gt g
133. d interval Note This initiates a panic zeroize whether TACLANE is powered ON or OFF 2 To initiate a panic zeroize from the display select the ZEROIZE button from the MAIN MENU Result The following screen is displayed GENERAL DYNAMICS pepe Revision 3 3 Device Name TACLANE Micro Serial Number 4000300400A8 Security Level Unclassified Device State OffLine Operation gt Zeroizing will stop all traffic Maintenance 3J All keying material will be zeroized Key Management Zeroize this device 3 Select YES to zeroize and restart the TACLANE Note When the TACLANE starts up the following screen is displayed GENERAL DYNAMICS TACLANE Micro Revision 3 3 This device is zeroized Press OK to continue Select OK to acknowledge the message display indicating the device has been zeroized 9 53 UNCLASSIFIED FOR OFFICIAL USE ONLY Interface amp Operator s Guide UNCLASSIFIED FOR OFFICIAL USE ONLY uTL 027 05 10 July 2007 9 15 U System Information Introduction U FOUO The operator can display the following TACLANE system information which identifies the particular TACLANE unit TACLANE System Description the up to 255 character user configurable system description TACLANE System Name the up to 255 character user configurable system name TACLANE System Contact the up to 255 character user configurable system contact information TACLA
134. e OffLine gt gt Security gt gt Traffic Flow Security gt gt Bypass Operation Maintenance Don t Fragment Bit Bypass Key Management Bit Setting Jos Network J PMTU Bypass Security ae J IGMP MLD Bypass J TOS Bypass TOS Constant binary HOME Accepted DSCP Values Glick element to enable or disable DSCP value cso csi cs2 cs3 CS4 css CS6 cs 000001 001001 010001 011001 100001 101001 110001 111001 000010 AF11 AF21 AF31 AF41 101010 110010 111010 000011 001011 010011 011011 100011 101011 110011 111011 000100 AF12 AF22 AF32 AF42 101100 110100 111100 000101 001101 010101 011101 100101 101101 110101 111101 000110 AF13 AF23 AF33 AF43 EFPHB 110110 111110 000111 001111 010111 011111 100111 101111 110111 111111 SET ALL CLEAR ALL Save Changes 2 Select the checkbox next to Don t Fragment Bit Bypass If the box is checked a checkmark is present in the box then Don t Fragment Bit Bypass is enabled If the box is empty no checkmark present in the box then Don t Fragment Bit Bypass is disabled 3 If Don t Fragment Bit Bypass is disabled select the Bit Setting value from the Bit Setting pull down menu 4 Select YES to save changes 7 14 UNCLASSIFIED FOR OFFICIAL USE ONLY Interface amp Operator s Guide UNCLASSIFIED FOR OFFICIAL USE ONLY uTL 027 05 10 July 2007 7 7 U Configuring PMTU Bypass Introduction Notes PMTU Bypass Parameter and Processing U
135. e Version General Software Versions U FOUO The TACLANE Micro programmable image version is comprised of the software and FPGA images needed to perform the TACLANE Micro feature set U FOUO The TACLANE Micro programmable image version 3 3 is the initial release of these products The first TACLANE Micro release supports HAIPE IS v1 3 5 compliant IP encryption 1 8 UNCLASSIFIED FOR OFFICIAL USE ONLY Interface amp Operator s Guide UNCLASSIFIED FOR OFFICIAL USE ONLY uTL 027 05 10 July 2007 1 7 U Customer Support and Contacts TACLANE U FOUO For technical support and installation questions please contact Help Desk the General Dynamics C4 Systems Help Desk at Phone 877 230 0236 E mail infosecsupport gdc4s com TACLANE U FOUO TACLANE product registration is recommended Contact the and TACLANE Help Desk to register a TACLANE unit Registration egistration i ie information includes e TACLANE unit serial number e Operational location e User Representative POC TACLANE U FOUO For TACLANE sales support inquiries please contact the Sales Support TACLANE Sales Support group at Phone 888 TYPE1 4 U 888 897 3148 E mail infosec gdc4s com TACLANE U FOUO General Dynamics offers a TACLANE Operator Training Course Training that teaches how to install configure and maintain TACLANE encryptors in an operational environment This course is for network engineers operators a
136. e able to use the same TACLANE protected network This is secure because of the TACLANE nesting The Unclassified TACLANEs isolate Unclassified traffic from the Secret network and the Top Secret TACLANESs isolate traffic from the Unclassified network B 16 UNCLASSIFIED FOR OFFICIAL USE ONLY Interface amp Operator s Guide UNCLASSIFIED FOR OFFICIAL USE ONLY uTL 027 05 10 July 2007 B 7 U Multiple Gateways from Network Introduction U FOUO In this example there is one backbone network and three TACLANE protected networks off of the backbone network Each TACLANE protected network is at the same security level This configuration is illustrated in the figure below U FOUO Note Remote TACLANE static routing ARP enhancements allow multiple PT or CT gateways to be supported with the only requirement that these multiple gateways support proxy ARP TACLANEs ARP for off net destinations when the PT or CT default gateway is not defined UNCLASSIFIED FOUO T PT TACLANE Router A A CT PT TACLANE i Router B B T PT TACLANE C UNCLASSIFIED FOUO Figure B 7 1 U Multiple CT Default Gateways Continued on next page B 17 UNCLASSIFIED FOR OFFICIAL USE ONLY Interface amp Operator s Guide UNCLASSIFIED FOR OFFICIAL USE ONLY uTL 027 05 10 July 2007 U Multiple Gateways from Network continued Introduction continued Four Example Configurations False Subnet Mask Configuration
137. e tunnel 11 ip address 10 0 11 1 255 255 255 0 tunnel source p1 p2 12 14 tunnel destination p1 p2 11 70 interface tunnel 12 ip address 10 0 12 1 255 255 255 0 tunnel source p1 p2 12 10 tunnel destination p1 p2 11 78 interface tunnel 21 ip address 10 0 21 1 255 255 255 0 tunnel source p1 p2 12 18 tunnel destination p1 p2 11 66 interface tunnel 22 ip address 10 0 22 1 255 255 255 0 tunnel source p1 p2 12 22 tunnel destination p1 p2 11 74 router bgp 1 maximum paths 4 timers bgp 5 15 neighbor 10 0 11 2 remote as 2 neighbor 10 0 12 2 remote as 2 neighbor 10 0 21 2 remote as 2 neighbor 10 0 22 2 remote as 2 network p1 p2 17 0 255 255 255 248 ip route p1 p2 11 64 255 255 255 252 p1 p2 12 21 ip route p1 p2 11 68 255 255 255 252 p1 p2 12 13 ip route pl p2 11 72 255 255 255 252 p1 p2 12 21 ip route p1 p2 11 76 255 255 255 252 p1 p2 12 13 interface tunnel 11 ip address 10 0 11 2 255 255 255 0 tunnel source p1 p2 11 70 tunnel destination p1 p2 12 14 interface tunnel 12 ip address 10 0 12 2 255 255 255 0 tunnel source p1 p2 11 78 tunnel destination p1 p2 12 10 interface tunnel 21 ip address 10 0 21 2 255 255 255 0 tunnel source p1 p2 11 66 tunnel destination p1 p2 12 18 interface tunnel 22 ip address 10 0 22 2 255 255 255 0 tunnel source p1 p2 11 74 tunnel destination p1 p2 12 22 router bgp 2 maximum paths 4 timers bgp 5 15 neighbor 10 0 11 1 remote as 1 neighbor 10 0 12 1 remote as 1 neighb
138. ecurity Level Secret Effective Date 02 12 2007 Add an Address Assignment Select ADD to add a new user address assignment Result The following screen is displayed GENERAL DYNAMICS bt Revision 3 3 Device Name TACLANE Micro Serial Number AG00300400A8 Security Level Unclassified De State Secure Comm gt gt Security gt gt PPK Assignment TACLANE Micro 2 ssofnatled Add PrePlaced Key User Assignment Operation Maintenance Address Type IPv4 a ene Assignment Type Unicast Address Multicast Address Network CT Address area Add User PrePlaced Key Assignment Continued on next page 6 4 UNCLASSIFIED FOR OFFICIAL USE ONLY Interface amp Operator s Guide UNCLASSIFIED FOR OFFICIAL USE ONLY uTL 027 05 10 July 2007 U Assigning a PPK to an IP Address continued Step Action 4 Select the radio button next to the desired Assignment Type Enter the CT Address and the PT Address Note Ifthe Multicast Address radio button is selected only the CT Address is an enterable text field 5 Select YES to save changes 6 If the PrePlaced Key type is SDD the following screen is displayed GENERAL DYNAMICS TACLANE Micro Revision 3 3 TACLANE Micro Serial Number A00030040048 el Unclassified Device State Secure Comm gt gt Security gt gt PPK Assignment 550 Enabled PrePlaced Key SDD Assignment Operation Maintenance PrePlaced Key Chain In
139. edure U FOUO Follow these steps to perform a Field Software Upgrade Step Action l From the MAIN MENU select Maintenance gt Field Software Upgrade gt Upgrade Management The TACLANE will display the currently configured download servers Result The following screen is displayed GENERAL DYNAMICS Device Name TACLANE Micro Security Level None Selected TAC ANF Micro Revision 3 3 Serial Number A00030040048 Device State Initialized Upgrade Management gt gt Maintenance gt gt Field Software Upgrade gt gt Upgrade Management 550 Enabled Operation Maintenance Key Management Configured Download Servers MODIFY SERVERS Network Priority IP Address Side Filename 1 192 168 0 38 Console sed out Security System DOWNLOAD Continued on next page 9 48 UNCLASSIFIED FOR OFFICIAL USE ONLY Interface amp Operator s Guide UNCLASSIFIED FOR OFFICIAL USE ONLY U Download a FSU File continued uTL 027 05 10 July 2007 Procedure continued Step Action Select DOWNLOAD to initiate the transfer operation Once the transfer operation has successfully completed the following screen is displayed GENERAL DYNAMICS TACLANE Micro Revision 3 3 Device Name TACLANE Micro Serial Number 400030040048 Security Level None Selected Device State Initialized gt gt Maintenance gt gt Field Software Upgrade
140. eeceeeeeeeeensees 10 80 Appendix A U FACTORY DEFAULT SETTINGS ccccccceeeeeeeeeeeeeeeeeeeeeeeeeees A 1 A l U Factory Default Settings and Port NumberS 0 ccceccceeseeeseeeseeeteeeteeeeee A 1 Appendix B U IP ETHERNET CONFIGURATION TIPG ccceeeeeeeeeeeeeeeeeees B 1 B 1 U TOC HOH asiana a aa a Shae a a an B 1 B 2 Uj Example Secure IP Network nics sativa cent n a ni ia B 2 B 3 U General IP Ethernet Configuration T ipsiiccciccsas ae uienicasaenshaens B 3 B 4 U IP Routing W Or Kar OUI a cise ees cesensen saleses gatas ee caunasedueaes sabdoase woscahies tues B 7 B 5 U Connecting Networks Using a Different IP Encryptor 0 0 0 0 eeeeeeeeeeeeee B 10 B 6 U Connecting Networks at Different Security Levels 0 0 0 0 ecceeseeeseeeeeeeeee B 12 B 7 U Multiple Gateways from Network cccccceccceescessceesseceseceeeeeeeeeeseecnseenseensaes B 17 B 8 U Redundancy Configurations 2 524 c5s0i ec scatss wisi staectncner sens cteulucnis teed ivan B 22 Appendix C U STATUS MESSAGE ccccccceeeeeeeeeeeeeeeeeeesseeeseeeeeseeeeeeseesseeess C 1 C 1 CU StAtUs WIESS AGES essiri a esos aco Sits eae Reece atone a7 C 1 vi UNCLASSIFIED FOR OFFICIAL USE ONLY Interface amp Operator s Guide UNCLASSIFIED FOR OFFICIAL USE ONLY Figure 2 1 1 2 4 1 3 4 1 3 5 1 3 6 1 3 7 1 B 2 1 B 4 1 B 4 2 B 5 1 B 5 2 B 6 1 B 6 2 B 7 1 B 7 2 B 7 3 B 7 4 B 8 1 B 8 2 B 8 3 U List of Figures Title
141. een and when that first operator sends edits to the TACLANE Micro an error message and updated data will be returned to the first operator and the first operator will have to reenter the edits SSO i U FOUO These commands are noted in the HMI menu tree in section 3 8 pauneeee HMI Menu Tree Commands Access to U FOUO Many HMI commands can be accessed by an operator but Ssilege d contain additional functionality for an SSO This means that a user without HMI SSO privileges enabled can display the data for the command but a user that Commands has SSO privileges enabled has access to configure data via the command SSO privileges are enabled by entering the valid SSO PIN after obtaining functional access to the TACLANE Micro Refer to sections 9 16 9 17 and 9 18 of this Operator s Manual for information on how to Enable SSO Privileges Disable SSO Privileges and Generate the SSO PIN respectively 2 14 UNCLASSIFIED FOR OFFICIAL USE ONLY Interface amp Operator s Guide UNCLASSIFIED FOR OFFICIAL USE ONLY uTL 027 05 10 July 2007 3 0 U INSTALLING AND OPERATING THE TACLANE 3 1 U Unpacking Unpacking U FOUO Before opening the package containing the TACLANE inspect the package for shipping damage Notify the carrier if the package shows signs of shipping damage Important U FOUO Keep all original packing material as it may be needed for storing or transporting the TACLANE TACLANEs
142. efer to the NSA Doctrine for specifics on connecting a PC to the KG 175D console interface U FOUO The minimum hardware requirements for a PC connected to the console Ethernet interface to access the TACLANE Micro HMI are e Unclassified PC or notebook or similar device with o Network Adapter 10BaseT Ethernet capable o Display Adapter supporting VGA 640 X 480 or higher resolution o Video Display supporting VGA 640 X 480 or higher resolution o Keyboard o Pointing Device Mouse Trackball Touchpad etc o CD ROM for TACLANE Micro Software Download only U FOUO A keyboard only mode of operation is provided principally to maintain HMI functionality in the event of a pointing device failure U FOUO The TACLANE Micro HMI is compatible with Microsoft Internet Explorer version 5 5 or later running with Windows 95 98 Me 2000 or XP operating system Other compatible browsers and operating systems also work U FOUO Figure 2 4 1 below shows the TACLANE Micro HMI screen format 2 11 UNCLASSIFIED FOR OFFICIAL USE ONLY UNCLASSIFIED FOR OFFICIAL USE ONLY wTL 027 05 Interface amp Operator s Guide 10 July 2007 UNCLASSIFIED FOUO GENERAL DYNAMICS ok Aee Device Name TACLANE Micro Serial Number A000300400A8 Security Level None Selected Device State Initialized gt gt Home Operation pone Internet Profocgy rA an BO ity Maintenance Qs a ey Key Management ZEROIZE
143. eges Denied SSO PIN Expiration U FOUO This command allows the TACLANE Micro SSO operator to gain access to the SSO privileged HMI commands through entering the valid 9 digit SSO PIN U FOUO The TACLANE Micro delivered from the factory has the following default SSO PIN 123456789 U FOUO If over 180 days have passed since the TACLANE unit has left the factory then the PIN Expired screen will appear after the operator first enters the Enable SSO Privileges command with the expired factory default PIN In this case the PIN Expired screen will include a new SSO PIN that the operator can accept or reject In this example the specific sequence would be 1 Operator attempts to enable privileges Enable Privileges command by entering the factory default PIN 123456789 2 The HMI then displays the PIN EXPIRED screen that includes a new PIN and prompts the operator as to whether to accept the PIN or not 3 Operator records the PIN value and accepts the new PIN 4 Operator then must return to the Enable Privileges command and enter the new PIN value in order to access the SSO privileged mode U FOUO If a TACLANE is ever tampered the SSO PIN will be reset back to its default PIN 123456789 U FOUO If the operator fails to enter a valid SSO PIN after 5 consecutive attempts the TACLANE automatically restarts After the TACLANE restarts the operator is able to access all the non privileged HMI functions
144. erface as well as an auto sensing 10 100 Mbps electrical interface U FOUO The Type 1 encryption provided by the TACLANE is part of the Department of Defense Defense in Depth strategy and is only one portion of the overall defense in depth A comprehensive network Information Assurance strategy involving Defense in Depth is required to ensure secure and reliable protection for sensitive and classified information UNCLASSIFIED FOUO GENERAL DYNAMICS BATTERY TACLANE Micro a See TAMPERED KG 175D FAULT _ ALARM RUN L N ZEROIZE E PREss3x fl 4 CIK w UNCLASSIFIED FOUO Figure 2 1 1 U TACLANE Micro KG 175D 2 1 UNCLASSIFIED FOR OFFICIAL USE ONLY Interface amp Operator s Guide 2 2 U Concepts IP Network Concepts Keying Concepts UNCLASSIFIED FOR OFFICIAL USE ONLY uTL 027 05 10 July 2007 U FOUO Below are some basic IP network concepts useful in understanding TACLANE Concept Definition IP Network Interconnected fabric of routers and user equipment hosts etc supporting the connectionless transmission of data using IP datagrams IP datagrams are variable length with a typical maximum size of 1500 bytes for IP Ethernet An IP address IPv4 is 4 octets long and is configured either manually or automatically IP networks provide an unreliable data service and upper layer protocols are relied upon to provide reliable data transport IP address
145. es are mapped to underlying network physical addresses for IP datagram transmission over the underlying network For example in IP Ethernet IP addresses are mapped to Ethernet MAC addresses using ARP U FOUO Below are basic keying concepts useful in understanding TACLANE Concept Definition CIK A CIK is a Crypto Ignition Key used to unlock wrapped key stored within the TACLANE A valid CIK is needed to operate the TACLANE FIREFLY FIREFLY Vector Sets FFVS are used to dynamically generate Vector Set pairwise FIREFLY Traffic Encryption Keys TEKs between communicating TACLANEs FIREFLY Vector Sets are generated by the EKMS CF Each FIREFLY vector set has a unique Key Material ID KMID Universal ID and Universal Edition assigned by the EKMS CF In addition a vector set may be ordered in a particular partition which shows up as a partition code assigned to the vector set TACLANE supports both the basic FIREFLY vector set and the enhanced FIREFLY EFF vector set 2 2 UNCLASSIFIED FOR OFFICIAL USE ONLY Interface amp Operator s Guide TACLANE Security Concepts UNCLASSIFIED FOR OFFICIAL USE ONLY uTL 027 05 10 July 2007 Concept Definition TEK Traffic Encryption Keys TEKs are used to encrypt and decrypt IP traffic TEKs can be cooperatively generated FIREFLY TEKs or manually filled PPKs traditional TEKs PPK PPKs are manually filled traditional TEKs PPKs
146. escription IKE UDP port 500 IKE is used to setup FIREFLY TEKs ESP IP Protocol ID 50 ESP is used to send encrypted IP traffic A 1 UNCLASSIFIED FOR OFFICIAL USE ONLY Interface amp Operator s Guide UNCLASSIFIED FOR OFFICIAL USE ONLY uTL 027 05 10 July 2007 Appendix B U IP ETHERNET CONFIGURATION TIPS B 1 U Introduction Purpose U FOUO The purpose of this appendix to the TACLANE Operator s Manual is to provide additional information on sample configurations and configuration tips useful to install operate and configure the General Dynamics TACLANE Micro KG 175D U FOUO This appendix serves as a TACLANE cookbook by offering tips for effectively using TACLANEs in various configurations that resemble typical user environments The configurations described here are examples to illustrate the concepts involved There may be other configurations that are equivalent to those described in this appendix B 1 UNCLASSIFIED FOR OFFICIAL USE ONLY Interface amp Operator s Guide UNCLASSIFIED FOR OFFICIAL USE ONLY uTL 027 05 10 July 2007 B 2 U Example Secure IP Network Example U FOUO The diagram below shows an example IP network secured with Secure IP TACLANEs Network UNCLASSIFIED FOUO TACLANE A Ener CT PT Router TACLANE B UNCLASSIFIED FOUO Figure B 2 1 U TACLANE Secured IP Ethernet Network Example U FOUO Router B represents the CT IP network Router A Host Al
147. f TFS parameters Although the design permits this there is a slight chance that a false alarm may be detected when traffic loading is over 10 Mbps Therefore it is recommended not to change TFS parameters during high traffic periods Ifthe false alarm is detected the TACLANE Micro will restart and recover with the new configuration 7 1 U Configuring Fixed Packet Length Parameters Introduction U FOUO Fixed Packet Length FPL parameters can be configured only by the SSO The purpose of Fixed Packet Length processing is to obscure the sizes of plaintext IP packets before they are encrypted and transmitted on the CT network When FPL processing is enabled all user data packets including IP multicast datagrams received on the PT side of the TACLANE are padded to a fixed length if shorter than the configured fixed length or fragmented or optionally discarded if longer than the configured fixed length Fixed Packet Length parameters do not affect the processing of IP packets received on the CT side All the TACLANE software versions correctly discard the padding added by FPL processing Fixed Packet Length configuration has no impact on interoperability FPL parameters can be configured independently at each TACLANE 7 1 UNCLASSIFIED FOR OFFICIAL USE ONLY Interface amp Operator s Guide UNCLASSIFIED FOR OFFICIAL USE ONLY uTL 027 05 10 July 2007 Notes U FOUO The following notes apply to configuring Fixed Packet Lengt
148. fferent e A longest match search of the table based on network ID is used to determine the remote TACLANE to which the IP traffic should be sent e GEM X can also configure the routing table One routing table can be generated by the GEM X and distributed to all the TACLANEs U FOUO The operator can define one default route entry for the TACLANE by setting the network ID and prefix length to 0 0 0 0 0 U FOUO When a default static route is defined the TACLANE will never try to use the SDD dynamic discovery 6 17 UNCLASSIFIED FOR OFFICIAL USE ONLY Interface amp Operator s Guide Static Routing Features Sequence to Identify the Remote TACLANE PT Proxy ARP Support PT Default Gateway or ARP Used to Deliver PT IP Traffic UNCLASSIFIED FOR OFFICIAL USE ONLY uTL 027 05 10 July 2007 U FOUO Remote TACLANE static routing e Eliminates the need for the CT network to have knowledge of routes to the PT networks behind TACLANEs and vice versa e Eliminates the need for router tunnel and NAT workarounds e Allows the CT and PT interfaces of the TACLANE to operate in two different IP networks subnetworks e Supports proxy ARP for destinations covered by routing table entries e ARP for off net destinations if PT and or CT gateway is not defined U FOUO The TACLANE is capable of both static routing and SDD When processing user traffic TACLANE follows a particular sequence in order to ide
149. figured to route IP destined for 148 12 0 0 via the 140 4 0 0 network and to default route to the 104 5 0 0 network Note that all routes between the CT and PT side of any TACLANE are static routes U FOUO This example is shown in the figure below B 13 UNCLASSIFIED FOR OFFICIAL USE ONLY Interface amp Operator s Guide UNCLASSIFIED FOR OFFICIAL USE ONLY uTL 027 05 10 July 2007 UNCLASSIFIED FOUO Host 188 2 0 0 D1 Unclas Secret Host At 148 12 0 0 Secret Unclas 140 4 0 0 Enet 190 5 0 0 Unclas 148 10 0 0 140 5 0 0 Route 188 2 via 140 5 Route 148 12 via 140 4 Default route via 140 4 Default route via 140 5 Traffic for 188 2 goes to TACLANE C Traffic for 148 12 goes to TACLANE B Other traffic goes to TACLANE B Other traffic goes to TACLANE C UNCLASSIFIED FOUO Figure B 6 1 U TACLANE Multiple Gateway Configuration Example How it Works U FOUO All IP traffic from the Secret network to the Secret enclave on the Unclassified network is routed through the Secret TACLANE TACLANE C All other traffic from the Secret network is routed through the Unclassified TACLANE TACLANE B Similarly all IP traffic from the Unclassified network to the Unclassified enclave on the Secret network is routed through the Unclassified TACLANE TACLANE B All other traffic from the Unclassified network is routed through the Secret TACLANE TACLANE C Note that this is
150. fix length to 0 0 0 0 0 Example static routing table entries Entry 1 Network ID Prefix Length 0 0 0 0 0 TL CT IP 148 10 2 1 default route Entry 2 Network ID Prefix Length 200 12 0 0 16 TL CT IP 148 10 4 11 Entry 3 Network ID Prefix Length 200 12 3 0 24 TL CT IP 148 10 3 10 For the target host IP address 200 12 2 43 Entry 2 is the longest match so data for 200 12 2 43 will be encrypted and sent to 148 10 4 11 For the target host IP address 200 12 3 25 Entry 3 is the longest match so traffic for 200 12 3 25 will be encrypted and sent to 148 10 3 10 For the target host IP address 10 24 105 26 neither Entry 2 nor Entry 3 is a match so Entry 1 the default route is used Traffic for 10 24 105 26 will be encrypted and sent to 148 10 2 1 3 Enter the Network ID Prefix Length Remote CT Address and Remote PT Address 4 Select YES to save changes 6 20 UNCLASSIFIED FOR OFFICIAL USE ONLY Interface amp Operator s Guide UNCLASSIFIED FOR OFFICIAL USE ONLY uTL 027 05 10 July 2007 6 10 U Modifying Remote TACLANE Static Routes Introduction U FOUO The operator can modify the remote TACLANE routing table See the section Configuring Remote TACLANE Static Routing for more information Procedure U FOUO Follow these steps to modify remote TACLANE static routes Step Action 1 From the MAIN MENU select Security gt Static Routes gt Route Management Result The following
151. fo Chain Id 3 Key Management Security Level Confidential 02 12 2007 RETURN TO CHAINS Network Security Effective Date System 7 Enter the multicast address 8 Select ADD to add the assignment 6 5 UNCLASSIFIED FOR OFFICIAL USE ONLY Interface amp Operator s Guide UNCLASSIFIED FOR OFFICIAL USE ONLY uTL 027 05 10 July 2007 6 3 U Enable Disable a PPK Assignment Introduction Procedure U FOUO The operator can enable or disable a PPK assignment This involves enabling or disabling an assigned remote TACLANE IP address to a PPK This capability allows an assignment to be disabled temporarily without destroying the associated address entry U FOUO Follow these steps to enable or disable a PPK assignment Step Action 1 From the MAIN MENU select Security gt PPK Assignment Result The following screen is displayed GENERAL DYNAMICS TACLANE Micro Revision 3 3 Device Name TACLANE Micro umber A000300400A8 Security Level Unclassified State Secure Comm gt gt Security gt gt PPK Assignment 550 Enbe PrePlaced Key Chain Selection Operation Chain Id Type Security Level Short Title Unclassified USEYD 00000000200 111111 Maintenance Key Management Secret USEVD 00000000202 111111 Network C SDD Confidential USEYD 00000000201 111111 A
152. ger has updated the device Check the data for possible updates Resubmit the desired changes Access Control setting is not updated Resubmit the desired changes The device was unable to update the Access Control List because another manager was updating the device at the same time Another manager has updated the device Check the data for possible updates Resubmit the desired changes C 7 UNCLASSIFIED FOR OFFICIAL USE ONLY Interface amp Operator s Guide UNCLASSIFIED FOR OFFICIAL USE ONLY The KMID cannot be deleted from the Access Control List Another manager has updated the device Check the data for possible updates Resubmit the desired changes The device was unable to add this KMID to the Access Control KMID list Another manager has updated the device Check the data for possible updates Resubmit the desired changes TFS Messages The device was unable to update the TFS Bypass Configuration settings because another manager was modifying the device at the same time Another manager has updated the device Check the data for possible updates Resubmit the desired changes The provided TFS Bypass Options cannot be set Resubmit the desired changes The device was unable to update the TFS PSEQN Configuration settings because another manager was modifying the device at the same time Another manager has updated the device Check the
153. gt gt Upgrade Management 2 ses Upgrade Management 8 The Image Download has completed Configured Download Servers MODIFY SERVERS Priority IP Address Side Filename 1 192 168 038 Downloaded Image Information IP Address 192 168 0 38 Filename swdout O00000 O DISCARD 3 Select INSTALL to install the new file See Section 9 13 Install a FSU File 4 Select DISCARD to delete the FSU file 9 49 UNCLASSIFIED FOR OFFICIAL USE ONLY Interface amp Operator s Guide UNCLASSIFIED FOR OFFICIAL USE ONLY uTL 027 05 10 July 2007 9 13 U Install a FSU File Introduction Important Notes Major and Minor Releases Tip U FOUO The operator can install a new software release a previously transferred FSU file into the TACLANE U FOUO The following notes apply to performing an install FSU e Only the SSO can access this command e The install process can take four minutes to write the image to flash e If the installation process is interrupted the TACLANE Micro will continue to use the previous image FSU will not complete and will need to be redone e If you are using FIREFLY a new FIREFLY vector set will be needed after FSU is performed U FOUO The version of TACLANE software being loaded cannot digress beyond a previous major release because it will not be compatible Major releases must be upgraded consecutively and cannot be skippe
154. guration l O S SA Info SA Table Field Software Route Management O S Upgrade I O S Servers Delete All Routes l O S SSO I O S TFTP Settings raffic Flow Security I O S SSO Legend Upgrade S Secure Comm Management Fixed Packet Length Cryptography Active l O S SSO l O S P Mode Bypass I O S P PSEQN Check I O S P O Offline Mode Logs Event Log I O S Audit Log l O S Initialized Mode L In Security Level P Contains Additional Functionality for SSO Privileged Operator R Restart Occurs Delete Audit Log I O S SSO ISSO SSO Privileges Required to Access this Page Continued on next page 9 58 UNCLASSIFIED FOR OFFICIAL USE ONLY Interface amp Operator s Guide UNCLASSIFIED FOR OFFICIAL USE ONLY uTL 027 05 10 July 2007 U Enable SSO Privileges continued Procedure U FOUO Follow these steps to enable SSO privileges Step Action l From the MAIN MENU select Maintenance gt Security Administration gt Enable SSO Privileges Result The following screen is displayed GENERAL DYNAMICS TACLANE Micro Revision 3 3 Device Name TACLANE Micro Serial Number 400030040048 Security Level Unclassified Device State OffLine gt gt Maintenance gt gt Security Administration gt
155. h parameters e Only the SSO has the privilege to configure FPL parameters e Audit log entries are generated when FPL parameters are modified Fixed Packet U FOUO The following two Fixed Packet Length parameters can be Length configured by the SSO Parameters e Mode The fixed packet mode can be set to ON FRAGMENT ON DISCARD or OFF When the mode is set to ON FRAGMENT FPL processing is performed with the incoming PT user data packets fragmented if they are longer than the configured fixed packet length All fragments will be equal to the fixed packet length with the last fragment being padded if necessary When the mode is set to ON DISCARD FPL processing is performed with the incoming PT user data packets discarded if they are longer than the configured fixed packet length When the mode is set to OFF no FPL processing is done The default value for this parameter is ON FRAGMENT e Length This is the IP packet length both the IP header and the payload in bytes to which all incoming PT user data packets are padded or fragmented The IP packet length can be set to any one of 27 values ranging from 176 to 1424 in increments of 48 The default length is 800 bytes Note that the specified length is prior to encryption The resulting CT encrypted IP packets will be at least 60 bytes longer due to the addition of the AH and ESP headers this assumes no fragmentation due to the TACLANE MTU size Continued on next page 7 2 U
156. hat the TACLANE is powered off 2 Connect the power cable to the power connector on the TACLANE 3 Plug the power supply cable into a standard 110 VAC power outlet Obtain an appropriate adapter for 220 VAC operation U FOUO Follow these steps to attach the fiber cables Note that General Dynamics cable assy 09 2802527 1 is equipped with rain and sand protection boot Step Action l Connect the fiber cable originating at the user PT port to the PT port on the TACLANE 2 Connect the fiber cable originating at the network CT port to the CT port on the TACLANE U FOUO Follow these steps to attach a twisted pair copper Ethernet cable Note that the IEEE recommended cable distance limit for Category 5 UTP Category 5e UTP and Category 6 UTP is 328 ft 100 m Step Action l Connect the Ethernet cable to the PT or CT RJ 45 jack on the TACLANE U FOUO TEMPEST and EMI compliance requires use of double shielded signal cables The Plaintext PT and Ciphertext CT cables must be separated by a minimum of two 2 inches For long cable lengths greater than 10 feet SFTP foil and braid shield is preferred and the PT cable shall be routed such that it is separated by a minimum of six inches from the AC power cable In addition it is required that a ground strap shall be connected between the binding post on the rear of the chassis labeled GND and earth grou
157. he remote TACLANE IP address If a match is found the corresponding PPK is used in the security association U FOUO A multicast Class D address may be entered instead of the remote TACLANE address U FOUO When a multicast assignment is made both the CT and PT IP addresses must be assigned to the same multicast address Continued on next page 6 2 UNCLASSIFIED FOR OFFICIAL USE ONLY Interface amp Operator s Guide UNCLASSIFIED FOR OFFICIAL USE ONLY uTL 027 05 10 July 2007 U Assigning a PPK to an IP Address continued Notes U FOUO The following notes apply to assigning a PPK to an IP address e Only the SSO can assign a PPK to an IP Address e TACLANE Micro supports 1024 PPK assignments Assignments are pooled for use by any PPK or at any security level e For SAs using PPKs all communicating TACLANEs must have the same PPK at the same security level with the same effective date under the same PPK ID e All communicating TACLANEs must have their respective TACLANE IP addresses assigned as the remote TACLANE IP address to the same PPK ID at each respective TACLANE Both TACLANEs must point to each other e Both the CT and PT remote TACLANE IP addresses must be entered e If one of the remote TACLANE IP addresses is unicast then both IP addresses must be unicast e When a PPK address is assigned it is enabled by default e For PPK configuration tips see Appendix B IP Ethernet Configuration
158. i UNCLASSIFIED FOR OFFICIAL USE ONLY Interface amp Operator s Guide UNCLASSIFIED FOR OFFICIAL USE ONLY uTL 027 05 10 July 2007 U Document Revision History UNCLASSIFIED FOUO Document Revision Number Dated Description of Revision First release 26 February 2007 Release of TACLANE Micro Version 1 for HAIPE IS 1 3 5 Version 2 30 April 2007 Qual testing PTRs Appendix C Version 3 16 May 2007 Added Figure for Mounting Information fixed typos UNCLASSIFIED FOUO iii UNCLASSIFIED FOR OFFICIAL USE ONLY Interface amp Operator s Guide UNCLASSIFIED FOR OFFICIAL USE ONLY uTL 027 05 10 July 2007 U Table of Contents Section Title Page 1 0 U INTRODUCTION ss ccsivacescenstcs vcenatecececa ociesunicaicte nel siciaesccutieesssdateddiuatestieane 1 1 1 1 CY Abo t the Manual years a ae eo ne bu aa once bak AT as deol ae agencies Aaah 1 1 1 2 UX Reference DOC MENtS an ana a a on ite 1 2 1 3 U Acronyms and Abbreviations cccccecssecesecsseceeceeescecesecesaecnseceseeenseeesaeenes 1 3 1 4 U Safety nforma fone achat Jal EE E duh N ong 1 6 1 5 U Land Ware Versions no ana a A a A Aa etek kl aa a Na 1 7 1 6 U Programmable Image Version essa siae sacssst aaa isteiacapsatsdacnsavaeasseviacanariadoredets 1 8 1 7 U Customer Support and Contacts s sseeseesseeseeseosssesetsseessesseesressessesseesseesess 1 9 2 0 U ABOUT THE TACLANE esesossesossesescscsocsoscesescecsocsos
159. ic management SA can operate Flashes on off once per second when in Secure Communications state processing secure traffic Prime power must be applied and the device must be powered on ALARM yellow Illuminates continuously when an alarm condition is detected in the INE Prime power must be applied and the device must be powered on TAMPERED yellow Indicates if unit is tampered Prime power must be applied and the device must be powered on BATTERY yellow Illuminates continuously when the battery power drops below the acceptable threshold Prime power must be applied and the device must be powered on ZEROIZE yellow Illuminates continuously when unit is zeroized and powered on illuminates for five seconds when unit is zeroized and powered off FILL Port The DS 101 Fill port provides the ability to load key information using a Data Transfer Device DTD or Simple Key Loader SKL CIK Port DataKey Electronics Slimline SR4210 serial memory CIK port Battery For the TACLANE Micro the battery is located on the front panel of the device Battery power is provided by a 3 6 volt size AA lithium battery or a 1 5 volt size AA alkaline battery Important CIK Notes U FOUO Use care when inserting and removing especially the first few times a CIK is inserted and removed U FOUO If a CIK is inserted do not remove the CIK during TACLANE startup or restart to avoid write errors on the
160. in the box then PT PING processing is disabled 3 To enable CT interface PING responses select the checkbox next to CT PING Enabled If the box is checked a checkmark is present in the box then CT PING processing is enabled If the box is empty no checkmark present in the box then CT PING processing is disabled 4 Select YES to save changes 5 8 UNCLASSIFIED FOR OFFICIAL USE ONLY Interface amp Operator s Guide UNCLASSIFIED FOR OFFICIAL USE ONLY uTL 027 05 10 July 2007 6 0 U CONFIGURING MANAGING SECURITY ASSOCIATIONS 6 1 U Enable Disable Secure Dynamic Discovery Introduction U FOUO The operator can enable or disable Secure Dynamic Discovery SDD processing Notes U FOUO The following notes apply to enabling or disabling SDD processing e Only the SSO can edit parameters using this command Procedure U FOUO Follow these steps to enable or disable SDD processing Step Action l From the MAIN MENU select Network gt Dynamic Discovery Result The following screen is displayed GENERAL DYNAMICS TACLANE Micro Revision 3 3 Device Name TACLANE Micro Security Level Unclassified gt gt Network gt gt Dynamic Discovery 550 Enabled Secure Dynamic Discovery Configuration Operation Maintenance JV Enable SDD Processing Key Management Maximum PROBE retries s Network PROBE retransmit timeout seconds Security f Save Changes 2 To en
161. intenance Setting the device to the initialized state will cause a restart all traffic will be interrupted and Remote Same Management will be blocked Perform Restart Key Management 2 Select YES to transition to Initialized which will restart the TACLANE 6 10 UNCLASSIFIED FOR OFFICIAL USE ONLY Interface amp Operator s Guide UNCLASSIFIED FOR OFFICIAL USE ONLY uTL 027 05 10 July 2007 6 6 U Entering Offline State Introduction PPK SA Establishment IKE SA Processing Notes Procedure U FOUO The operator may enter Offline state to secure local traffic U FOUO Upon transition to the Offline state with security level set from the Initialized state SAs for properly configured PPK Assignments will be established U FOUO If configured the SDD SA will be setup in the Offline state with security level set U FOUO Upon transition to the Offline state from the Initialized state the INE will configure and activate the PT and CT Ethernet links The CT link is activated only if a security level is defined U FOUO The following notes apply to entering Offline e TACLANE must be initialized or secure comm in order to enter offline e The IP addresses are required to be configured on the PT and CT interfaces before transitioning to offline U FOUO Follow these steps to enter offline mode 6 11 UNCLASSIFIED FOR OFFICIAL USE ONLY Interface amp
162. ions U FOUO In this example there are two base networks one Secret and one Unclassified In order to share network infrastructure and provide flexibility administrators need to deploy Secret hosts on the Unclassified network deploy Unclassified hosts on the Secret network and allow all hosts to communicate with their respective base networks U FOUO Note Remote TACLANE static routing eliminates the need for static routes to PT networks on CT routers and vice versa and may greatly simplify the configurations described in this section U FOUO This section describes two example configurations of TACLANE protected gateways between networks at different security levels The first example uses multiple TACLANEs between two networks and the second uses a single TACLANE between two networks making use of nested TACLANEs to obtain the needed isolation U FOUO Note that these are only examples to illustrate the concepts involved There may be other configurations that are equivalent to those discussed here All of the example IP networks are Class B networks U FOUO Note Remote TACLANE static routing eliminates the need for static routes to PT networks on CT routers and vice versa and may greatly simplify the configurations described in this section Continued on next page B 12 UNCLASSIFIED FOR OFFICIAL USE ONLY Interface amp Operator s Guide UNCLASSIFIED FOR OFFICIAL USE ONLY uTL 027 05 10 J
163. ir flow to facilitate conductive natural cooling or provide air flow to the heatsinks at the rear of the EIA mounting tray The temperature at the root of the central heatsink area should not exceed 82 C U FOUO For desk top usage there is a mounting stand for holding the TACLANE Micro on its side This is included See Handling and Environmental Conditions Use of the mounting stand is recommended but not required U FOUO Do not stack units because it will block airflow Cable U FOUO Make sure there is approximately a 4 clearance to the rear of the Clearance TACLANE so as not to excessively bend and damage the cables Rack U FOUO When rack mounting make sure that the rack is secure and not in Warning danger of tipping over Also make sure that heavier equipment is mounted low on the rack to prevent a hazardous condition in which a rack could tip over 3 4 UNCLASSIFIED FOR OFFICIAL USE ONLY Interface amp Operator s Guide UNCLASSIFIED FOR OFFICIAL USE ONLY uTL 027 05 10 July 2007 UNCLASSIFIED FOUO 5 50 TACLANE MI CRO FOOTPRINT r a 1 590 A A 9 2x oA 10 87 5 650 TACLANE M1 CRO FOOTPRINT v ZX rare H 8 A A o 2 I 2X 2 541 FRONT ZAM 632 QF t UNIT la n sa acai tevin TS LIOZ5 ay _ 3 350 H 3545 p m pee 343 2x 1 750 j 1 314 j 2x 1 750 UNCLASSIFIED FOUO Figure
164. is command is only accessible if currently not in the SSO privileged mode e Refer to section 9 18 Generate SSO PIN for more information on how to generate an SSO PIN e Following a depot tamper recovery and then attempting to enable SSO privileges by entering the default PIN the restart progress bar may be displayed at the console if an interface timeout occurs The TACLANE Micro may not be restarting The operator can reload the screen or reopen the browser Continued on next page 9 57 UNCLASSIFIED FOR OFFICIAL USE ONLY Interface amp Operator s Guide UNCLASSIFIED FOR OFFICIAL USE ONLY uTL 027 05 10 July 2007 U Enable SSO Privileges continued SSO U FOUO The table below lists the various TACLANE Micro HMI Pee commands Use the legend to identify the privileged commands that require Commands SSO privileges to access Key Management Network Security System Restart I O S R Security FIREFLY Vector Set Dynamic Discovery Access Mode Audit Log Threshold ease Administration I O S P l O S SSO Security Level Enable SSO Ethernet Comm I O S SSO Privileges L O S P Access Control List R if in sec level I O S Pex l O S P Disable SSO jeges CIK Management Network Managers IVI 1 0 S P I O S P ey I O S SSO I S I O S SSO I O S l O S P O L l O S O S P Static Routes I O S PING Confi
165. is displayed after successful startup GENERAL DYNAMICS TACLANE Micro Revision 3 3 Device Name TACLANE Micro Serial Number A000300400A8 Security Level None Selected Device State Initialized gt gt Home Operation pont Internet Protocol fy Maintenance ea Key Management Network Security System ZEROIZE HOME Note Ifa different screen is displayed see Other Startup Screens GENERAL DYNAMICS TACLANE Micro oO KG 175D ZEROWE preessxx W FILL U FOUO The table below describes other startup screens that may appear Screen Description TACLANE Alerts the operator that a panic zeroize previously occurred After zeroized the operator presses OK to continue the message does not appear again until the next panic zeroize occurs Tamper See the chapter on Maintaining TACLANE detected or Depot tamper recovery in progress U FOUO The TACLANE Micro is shutdown by turning off the power Please refer to the chapter on Maintaining TACLANE 3 14 UNCLASSIFIED FOR OFFICIAL USE ONLY Interface amp Operator s Guide UNCLASSIFIED FOR OFFICIAL USE ONLY uTL 027 05 10 July 2007 Auto recovery U FOUO If the TACLANE is turned off or prime power fails while Clock Drift processing user traffic the TACLANE performs auto recovery when power is restored and automatically returns to the operational state it was in immediately
166. istrative Timeout Key Management Host Administrative Timeout in Minutes 1 1440 Network JV Daily MTEK update Security 2 Save Changes wail vs HOME 2 Select the checkbox next to Host Administrative Timeout to ENABLE or DISABLE the parameter If the box is checked a checkmark is present in the box then Host Administrative Timeout is enabled If the box is empty no checkmark present in the box then Host Administrative Timeout is disabled 3 Enter the Timeout value in minutes if the Host Administrative Timeout is enabled 4 Select the checkbox next to Daily MTEK Update to ENABLE or DISABLE the parameter If the box is checked a checkmark is present in the box then Daily MTEK Update is enabled If the box is empty no checkmark present in the box then Daily MTEK Update is disabled 5 Select YES to save changes 6 25 UNCLASSIFIED FOR OFFICIAL USE ONLY Interface amp Operator s Guide UNCLASSIFIED FOR OFFICIAL USE ONLY uTL 027 05 10 July 2007 6 13 U Displaying the SA Configuration Information Introduction U FOUO The operator can display the SA Configuration information which includes the TACLANE s Host Administrative Timeout setting and the MTEK Update setting Procedure U FOUO Follow these steps to display the SA Configuration information Step Action l From the MAIN MENU select Security gt SA Configuration Result The following screen is displa
167. ither the current or changeover PPK within the T 11 05 PM 12 56 AM At the end of the window the current PPK is deleted U FOUO TACLANE PPK update performed each day is centered around 2 00 AM with a plus or minus 55 minute window to allow for clock drift that starts at 1 05 AM and ends at 2 56 AM e For a security association a TACLANE starts using the updated PPK to encrypt user traffic at 2 00 AM A TACLANE is able to decrypt user traffic using either the pre update or post update PPK within the window 1 05 AM 2 56 AM At the end of the window the pre update PPK is deleted 4 10 UNCLASSIFIED FOR OFFICIAL USE ONLY Interface amp Operator s Guide UNCLASSIFIED FOR OFFICIAL USE ONLY uTL 027 05 10 July 2007 Procedure U FOUO Follow these steps to fill a PPK Step Action 1 From the MAIN MENU select Key Management gt PrePlaced Key Result The following screen is displayed GENERAL DYNAMICS TACLANE Micro Revision 3 3 Device Name TACLANE Micro Serial Number A000300400A8 Security Level Unclassified Device State OffLine gt gt Key Management gt gt PrePlaced Key 0 crates Manage PrePlaced Key Chains Operation 1 There are no PrePlaced Key chains to display Maintenance K nagement Chain Id Type Security Level Short Title Edition Segment Network 5 Security e 2 System c 3 C 4 c 5 C 7 c 8
168. k Manager continued Procedure U FOUO Follow these steps to configure the network manager Step Action 1 From the MAIN MENU select System gt Network Managers Result The following screen is displayed GENERAL DYNAMICS oo Revision 3 3 Device Name TACLANE Micro Serial Number 4000300400A8 Security Level Unclassified Device State OffLine gt gt System gt gt Network Managers ans Network Management Operation Maintenance Manager Name Notification Target Address Side Manager1 148 10 127 55 162 PT Entries displayed in stalicr are currently disabled Add a new Network Manager Key Management Continued on next page 8 28 UNCLASSIFIED FOR OFFICIAL USE ONLY Interface amp Operator s Guide UNCLASSIFIED FOR OFFICIAL USE ONLY uTL 027 05 10 July 2007 U Configuring the Network Manager continued Procedure continued Step Action 2 To define the network manager select ADD To modify the network manager select the radio button next to the desired network manager and select EDIT Result The following screen is displayed GENERAL DYNAMICS TACLANE Micro Revision 3 3 Device Name TACLANE Micro Serial Number A000300400A8 Security Level Unclassified Device State OffLine gt gt System gt gt Network Managers 550 Enabled Network Management Maintenance Network Manager Security Confirm Password sseesesesesese System Notification
169. k the data for possible updates Resubmit the desired changes Timeout occurred during PrePlaced Key fill The DTD must be connected to the fill port and the fill must be initiated from the DTD within five minutes Error occurred during PrePlaced Key fill Check the Audit Log for the PPK Fill Failed entry Note that if the reason DS 100 1 Parity Error check the fill cable and verify that a fill of an FFVS was not attempted The device was unable to initiate the fill operation because another manager was updating the device at the same time Another manager has updated the device Check the data for possible updates Resubmit the desired changes Audit and Event Log Messages C 5 UNCLASSIFIED FOR OFFICIAL USE ONLY Interface amp Operator s Guide UNCLASSIFIED FOR OFFICIAL USE ONLY uTL 027 05 10 July 2007 The device was unable to delete the Audit Log because another manager was updating the device at the same time Another manager has updated the device Check the data for possible updates Resubmit the desired changes The device was unable to update the configuration for the Audit Log Warning Threshold data because another manager was configuring the device at the same time Another manager has updated the device Check the data for possible updates Resubmit the desired changes PPK Assignments Messages The PrePlaced Key Assignment could not
170. l state that preceded the FSU installation and the new release will be in effect 9 14 U Zeroizing the TACLANE Introduction Notes U FOUO The TACLANE supports three types of zeroization 1 Panic zeroize which deletes all keys in the TACLANE 2 Selective zeroize which deletes a particular key for details see sections 4 4 and 4 8 of this document and 3 tamper zeroize which is the result of a tamper condition of the unit and all keys are deleted U FOUO This section describes how the operator can invoke a panic zeroize An operator can initiate a panic zeroize either from the TACLANE front panel zeroize button or from the HMI Zeroize command U FOUO The following notes apply to panic zeroizing the TACLANE e A panic zeroize deletes all keys e TACLANE may be filled with keys again immediately after a panic Zeroize e On startup after a panic zeroize TACLANE displays a TACLANE zeroized screen to alert the operator that a panic zeroize occurred After the operator presses OK to continue the message does not appear again until the next panic zeroize occurs 9 52 UNCLASSIFIED FOR OFFICIAL USE ONLY Interface amp Operator s Guide UNCLASSIFIED FOR OFFICIAL USE ONLY uTL 027 05 10 July 2007 Procedure U FOUO Follow these steps to initiate a panic zeroize Step Action 1 To initiate a panic zeroize from the front panel depress and release the ZEROIZE button three times within a ten secon
171. led the TACLANE operator configures the SA Host Administrative value to 1 1440 the default value 720 U FOUO The following notes apply to configuring the security association e Only the SSO has the privilege to configure the security association e The SA Host Administrative Timeout specifies the maximum time that a host can be associated with a specific SA before requiring a refresh Upon timeout the host is removed from the SA Host table It is refreshed upon receipt of traffic to stimulate association with an SA The SA Timeout is the maximum Time that an SA can remain without being reestablished Both of these timers support dynamically changing networks They should be set long enough to minimize volatility of configuration and short enough to facilitate adequate response to network changes 6 24 UNCLASSIFIED FOR OFFICIAL USE ONLY Interface amp Operator s Guide UNCLASSIFIED FOR OFFICIAL USE ONLY uTL 027 05 10 July 2007 U Configuring Security Association continued Procedure U FOUO Follow these steps to configure the security associations setting Step Action l From the MAIN MENU select Security gt SA Configuration Result The following screen is displayed GENERAL DYNAMICS TACLANE Micro Revision 3 3 gt 31 TACLANE Micro Serial Number A000300400A8 Device State Secure Comm gt gt Security gt gt 5A Configuration Security Association Configuration Maintenance IV Host Admin
172. led Display Fixed Packet Operati Maintenance Mode ON FRAGMENT Key Management Length 800 Network Security System ZEROIZE 7 3 U Configuring Payload Sequence Number Checking Introduction U FOUO Payload Sequence Number PSEQN checking can only be configured by the SSO The purpose of sequence numbers is to facilitate identification and rejection of replayed encrypted packets TACLANE includes a unique sequence number within each ESP datagram that it sends When PSEQN checking is enabled at the receiving TACLANE each sequence number is checked packets with sequence numbers that have already been received or are so old that it cannot be determined whether they were already received are discarded Notes U FOUO The following notes apply to configuring PSEQN checking e Only the SSO has the privilege to configure PSEQN parameters e An audit log entry is generated when the PSEQN check parameter is modified 7 6 UNCLASSIFIED FOR OFFICIAL USE ONLY Interface amp Operator s Guide UNCLASSIFIED FOR OFFICIAL USE ONLY uTL 027 05 PSEQN Processing PSEQN Check Parameter 10 July 2007 U FOUO TACLANE assigns a unique Payload Sequence Number to each outgoing ESP datagram The PSEQN is located in the encrypted part of the ESP datagram so that it cannot be altered during transit A PSEQN is always included regardless of the setting of the PSEQN check parameter Each Security Association con
173. leges oann nensis aneen EE ENa Aia aat 9 60 9 18 U Generate SSO Pl lNanirennenieh a a i a teed 9 61 9 19 U Audit Log Threshold ssssensneeeensseeseseesseesesresseessesrsseessessesseessessesseesseeseese 9 64 9 20 U Delete Adit Log rrera a E E E A a RE 9 65 9 21 UO Display Audit Lop ienien ninama ko eee dete ie aes 9 66 922 U Display Event LOG 2s a desicctermateavaesduesiattsseaserotiadaesdacttattandssaunagetaadetaaedates 9 67 10 0 U TROUBLESHOOTING TACLANE csscsscsssscssssessscecsessnssessesees 10 68 10 1 CLI ANAT cde cie aeitc dy tettalameg toned a a a a dude a a a 10 68 10 2 U Vanni p eh seisscrecsnswecede spe ccata cca a Cali doa iia wats Caden h tava dane anatase abe ED 10 69 10 3 U Performing a Field Tamper Recovery ccccccecsseceseceseeeeseeeeeeeeeeenseeeeeneeee 10 70 10 4 U Checking for a Low Battery 2 c a cns incised aad 10 74 10 5 UJ Replacing the Battery ineen iai a a ones 10 75 10 6 U Performing Diagnostics ss sseseseseeseesessresseserssresseestssresseeseeseesseeseesersseesee 10 76 10 7 U Troubleshooting General Problems 2 sic gcasscc 2ccesiedectssnsstoiesdideaecanteeeincins 10 77 10 8 U Troubleshooting Filling and Managing KeyS ccccescceeseeeseeesseeeteeeteeneees 10 78 10 9 U Troubleshooting IP Ethernet 1ics cc 422s4ccteasdcotacssiervesdacti atest deedlasbandemeaeciecss 10 79 10 10 U Troubleshooting Security Associations cccceccesceseceeceessec
174. ll time clients of the gateway enclave An unlimited number of enclaves can be part time clients The SIPRNET hosts in a client enclave are able to access the global SIPRNET through either of the two TACLANE router pairs at the gateway enclave U FOUO Failover redundancy is provided by configuring e two GRE tunnel interfaces Tunnel 1 and Tunnel 2 at the client router Router A e a GRE tunnel interface at Router B1 terminating Tunnel 1 e a GRE tunnel interface at Router B2 terminating Tunnel 2 e the same routing protocol e g BGP EIGRP OSPF or RIP at the client router Router A and gateway routers Router B1 and Router B2 to advertise routes to SIPRNET subnets via the GRE tunnels B 23 UNCLASSIFIED FOR OFFICIAL USE ONLY Interface amp Operator s Guide UNCLASSIFIED FOR OFFICIAL USE ONLY uTL 027 05 10 July 2007 UNCLASSIFIED FOUO Q GRE Tunnel 1 Router A lt gt Router B1 Host Edge Switch A Edge NIPRNET ATM Switch Backbone Q GRE Tunnel 2 Router A lt gt Router B2 TN Enet Router lt B2 gt UNCLASSIFIED FOUO Figure B 8 1 U Single Ended TACLANE Redundancy with Router Redundancy Continued on next page B 24 UNCLASSIFIED FOR OFFICIAL USE ONLY Interface amp Operator s Guide UNCLASSIFIED FOR OFFICIAL USE ONLY uTL 027 05 10 July 2007 U Redundancy Configurations continued How it Works Load Balancing Note on Multicast
175. lt gt Router B Nz Enet CT PT Z TACLANE B2 Figure B 8 2 U Single Ended TACLANE Redundancy without Router Redundancy NIPRNET ATM Backbone Host A1 Enet UNCLASSIFIED FOUO Continued on next page B 26 UNCLASSIFIED FOR OFFICIAL USE ONLY Interface amp Operator s Guide UNCLASSIFIED FOR OFFICIAL USE ONLY uTL 027 05 10 July 2007 U Redundancy Configurations continued Single Ended U FOUO Failover redundancy is provided by configuring Redundancy e a secondary IP address assigned to the TACLANE interface of the ao client red router Router A R edun dant e two GRE tunnel interfaces Tunnel 1 and Tunnel 2 at Router A one continued using the primary address and the other using the secondary address e two GRE tunnel interfaces at Router B terminating Tunnel 1 and Tunnel 2 the same routing protocol e g BGP EIGRP OSPF or RIP at the client router Router A and gateway router Router B to advertise routes to SIPRNET subnets via the GRE tunnels How it Works U FOUO The secondary address at the client red router Router A allows the gateway red router Router B to distinguish between the client ends of the two GRE tunnels to forward packets for the client end of GRE Tunnel 1 to TACLANE B1 and to forward packets for the client end of GRE Tunnel 2 to TACLANE B2 A secondary IP address is not required for Router B since it uses a separate physical interface with a u
176. mated peer TACLANE discovery for security associations through the HAIPE IS Secure Dynamic Discovery SDD protocol Once a peer TACLANE is identified the following occurs e PPK assignments are checked for a match based on the remote TACLANE IP address Ifa match is found the corresponding PPK is used to secure the IP traffic e Existing security associations using FIREFLY TEKs are checked for a match based on the remote TACLANE IP address Ifa match is found the corresponding existing security association using a FIREFLY TEK is used to secure the IP traffic U FOUO If there is no matching PPK assignment or security association using a FIREFLY TEK and an operational FIREFLY vector set is usable at the current security level the following occurs e A new security association is created and the initiator and responder peer TACLANEs cooperatively generate a FIREFLY TEK using their FIREFLY vector sets U FOUO Automated peer TACLANE discovery may be inhibited using PPKs See the chapter on Configuring Managing Security Associations U FOUO If automated peer TACLANE discovery is not desirable remote TACLANE static routes can be defined See the section in the Operator s Manual titled Configuring Remote TACLANE Static Routing U FOUO TACLANE proxy ARP replies to an ARP request received by the PT interface when the target address is covered by a static routing table entry TACLANE will not proxy ARP reply
177. mber A000300400A8 Security Level None Selected Device State Initialized gt gt Operation gt gt Security Level Select Security Level RELOAD VED Operation Maintenance Security Level None x Key Management Set Selected Level Network ZEROIZE 2 Select None from the pull down list 3 Select YES to exit the current security level 4 Select OK to confirm the action which will restart the TACLANE Note This confirmation is displayed to alert the operator that existing communications include communication with a Network Manager will be lost if this change is made 4 21 UNCLASSIFIED FOR OFFICIAL USE ONLY Interface amp Operator s Guide UNCLASSIFIED FOR OFFICIAL USE ONLY uTL 027 05 10 July 2007 5 0 U CONFIGURING IP ETHERNET 5 1 U Configuring the Ethernet Media and Physical Parameters Introduction Supported TACLANE Micro Physical Settings U FOUO The TACLANE s PT and CT physical interface parameters are configurable by the operator Specifically the Ethernet interface speed duplex mode and media can all be configured to accommodate the characteristics of the networks to which a TACLANE is connected U FOUO The TACLANE supports both an auto negotiation interface as well as manual configuration settings 1 e speed duplex combinations The auto negotiation option automatically chooses the highest bandwidth that is compatible with the devices link part
178. mote TACLANE static routes Step Action l From the MAIN MENU select Security gt Static Routes gt Route Management Result The following screen is displayed GENERAL DYNAMICS TCL ewe eS Revision 3 3 ne TACLANE Micro Serial Number 400030040048 vel Unclassified Device State Secure Comm gt gt Security gt gt Static Routes gt gt Route Management 6 No Static Routes to display starting from the specified address Maintenance Key Management lt lt Prev Next gt gt Network Routes from SEXES A System lt lt Prev Next gt gt 6 19 UNCLASSIFIED FOR OFFICIAL USE ONLY Interface amp Operator s Guide UNCLASSIFIED FOR OFFICIAL USE ONLY uw TL 027 05 10 July 2007 2 Select CREATE Result The following screen is displayed GENERAL DYNAMICS Revision 3 3 TACLANE Micro Serial Number AO00300400A8 el Unclassified Device State Secure Comm gt gt Configuration gt gt Security gt gt Static Routes gt gt Create Configure Static Route Operation Maintenance Address Type IPv4 Key Management NET ID Prefix Length eT etwork Remote CT Address Save Changes YES Note The routing table entry with longest matching network ID and prefix length combination will be determined to select the remote TACLANE to send the IP traffic to Note For IPv4 one default route TACLANE table entry can be defined by setting the NET ID and pre
179. nd Optional cables 09 2792090 1 have been tested to comply with TEMPEST AND EMI requirements and equipped with rain and sand protection boot 3 8 UNCLASSIFIED FOR OFFICIAL USE ONLY Interface amp Operator s Guide UNCLASSIFIED FOR OFFICIAL USE ONLY uTL 027 05 10 July 2007 STP vs UTP U FOUO TACLANE can be used with shielded twisted pair STP or aaa unshielded twisted pair UTP Ethernet cable However STP Ethernet cable is required in order to meet EMI TEMPEST specifications Straight vs U FOUO Each TACLANE Ethernet interface auto senses the Ethernet cub cable type so crossover or straight through cables can be used Cable interchangeably Lisa U FOUO The following characteristics apply to the TACLANE Micro Or ea c 100Base FX fiber interfaces e 1300 nm short reach optics e Duplex LC fiber connectors S 3 6 U Configuring the IP Network a U FOUO Figure 3 6 1 below depicts a typical IP network secured with ecure Network TACLANE Micros UNCLASSIFIED FOUO Switch Router HAIPIS Compliant Encryptor Switch TACLANE Router TACLANE Single Host Micro Micro UNCLASSIFIED FOUO Figure 3 6 1 U TACLANE Secured IP Ethernet Network 3 9 UNCLASSIFIED FOR OFFICIAL USE ONLY
180. nd security and system administrators who will be installing configuring and operating TACLANE encryptors Course attendance requires a U S Government Secret Clearance COMSEC briefed This interactive four day course combines classroom presentations and hands on exercises to give you practical operator experience To register or to get more information on the course contact Training Coordinator General Dynamics C4 Systems 1190 Winterson Rd Suite 300 Linthicum MD 21090 Phone 410 487 0220 Fax 410 850 5005 E mail infosectraining gdc4s com Web www gdc4s com NSA U FOUO Refer to the Operational Systems Security Doctrine for Government TACLANE Micro KG 175D Approval Office 1 9 UNCLASSIFIED FOR OFFICIAL USE ONLY Interface amp Operator s Guide UNCLASSIFIED FOR OFFICIAL USE ONLY uTL 027 05 10 July 2007 2 0 U ABOUT THE TACLANE 2 1 U Introduction What is the U FOUO The TACLANE Micro KG 175D is part of the TACLANE TACLANE family of in line network encryptor INE devices developed by General Dynamics C4 Systems GDC4S to secure the transfer of Internet Protocol IP datagram traffic for network applications The TACLANE family of products provides low cost key agile in line network encryption for deployment in tactical and strategic networks U FOUO The TACLANE Micro provides 10 100 Mbps secure communication over fast IP networks The TACLANE Micro supports a 100 Mbps optical int
181. ne gt gt Key Management gt gt PrePlaced Key 550Enabed Confirm PrePlaced Key Fill Operation Maintenance Chain Id 1 Key Management Security Level TBD Network Effective Date 02 26 2007 MM DD YYYY Security Type User z POE Algorithm Baton l Fill selected PrePlaced Key ves ro Note Ifthe PPK ID is empty slot does not have a Current PPK assigned additional data entry boxes are displayed for Effective Date Use and Algorithm If itis an active PPK ID Current PPK is already assigned the security Level Use and Algorithm are displayed with the configuration values of the active PPK ID 4 13 UNCLASSIFIED FOR OFFICIAL USE ONLY Interface amp Operator s Guide UNCLASSIFIED FOR OFFICIAL USE ONLY uTL 027 05 10 July 2007 Enter the Effective Date Type and Algorithm if this is the first key in slot Select YES to fill the PrePlaced key Result The following screen is displayed GENERAL DYNAMICS TACLANE Micro Revision 3 3 ie TACLANE Micro vel Unclassified gt gt Key Management gt gt PrePlaced Key 21 Manage PrePlaced Key Operation 1 PrePlaced Key fill in progress Please Wait Maintenance a 3 Connect fill device to fill port and initiate fill device operation or press ABORT to cancel fill Key Management Network NOTE The Abort operation can only be performed until the load is initiated at the DTD Security System
182. nection with a remote TACLANE has its own series of sequence numbers starting with 1 U FOUO Audit log entries are generated for received ESP datagrams with invalid PSEQNs U FOUO Note Payload sequence numbers are not checked for IP multicast packets U FOUO The PSEQN check parameter can only be configured by the SSO It can be either Enabled or Disabled U FOUO It is important to note that the PSEQN check setting only affects the receive processing of encrypted traffic CT to PT It has no affect on the encryption and transmission of ESP datagrams U FOUO When the PSEQN check parameter is Enabled packets received undergo PSEQN checking and only valid non replayed traffic will be accepted U FOUO When the PSEQN check parameter is set to Disabled no PPEQN checking is done In this case all ESP datagrams are considered valid regardless of PSEQN value U FOUO The default setting for this parameter is Enabled Continued on next page 7 7 UNCLASSIFIED FOR OFFICIAL USE ONLY Interface amp Operator s Guide UNCLASSIFIED FOR OFFICIAL USE ONLY uTL 027 05 10 July 2007 U Configuring Payload Sequence Number Checking continued Procedure U FOUO Follow these steps to configure the PSEQN check parameter Step Action l From the MAIN MENU select Security gt Traffic Flow Security gt PSEQN Check Result The following screen is displayed GENERAL DYNAMICS TACLANE Micro Revision 3
183. ners on the respective network interface U FOUO The TACLANE Micro supports the following user configurable Ethernet physical settings copper interfaces Auto Negotiate 100 F 100 H 10 F 10 H fiber interfaces 100 F U FOUO The default medium for both the PT and CT interfaces is copper U FOUO The default setting for a TACLANE Micro copper interface is Auto Negotiate U FOUO The default and only possible setting for a TACLANE Micro with a fiber interface is 100 F Continued on next page 5 1 UNCLASSIFIED FOR OFFICIAL USE ONLY Interface amp Operator s Guide UNCLASSIFIED FOR OFFICIAL USE ONLY uTL 027 05 10 July 2007 Auto U FOUO The following notes apply when the Ethernet physical parameter R ae is set to Auto Negotiate e If the physical parameter is set to Auto Negotiate a two stage negotiation process is carried out First each interface auto negotiates with its link partner offering all the advertised bandwidths Then the Micro selects the highest bandwidth that is within the capabilities of both link partners and auto negotiates with both devices again offering only the selected bandwidth e Auto negotiation should take between 2 6 seconds depending on the network speed capabilities e If the auto negotiation fails the TACLANE will continue to try auto negotiation until a response is received e The TACLANE s network interface will automatically
184. network that is in the router s routing table When a CT default gateway is defined it is recommended that a route for the local TL protected network also be included in the static routing table B 6 UNCLASSIFIED FOR OFFICIAL USE ONLY Interface amp Operator s Guide UNCLASSIFIED FOR OFFICIAL USE ONLY uTL 027 05 10 July 2007 B 4 U IP Routing Workarounds Introduction U FOUO This example illustrates several workarounds to configuring static IP routes on CT routers The CT network represented by Router C knows about the two directly connected networks However Router C does not know about the networks served by Router A and Router B The typical solution to this problem is to use static IP routes between PT CT routers for the networks they serve U FOUO Note Remote TACLANE static routing eliminates the need for static routes to PT networks on CT routers and vice versa and also eliminates the need for the IP routing workarounds described in this section Host A2 ne UNCLASSIFIED FOUO Host Al ne Enet Router A Router B UNCLASSIFIED FOUO CT PT TACLANE A CT PT TACLANE B Figure B 4 1 U TACLANE Configuration U FOUO However there are scenarios where this is not desirable e User does not control the CT network e g the administrators of Router C may not allow the configuration of Router C to be changed e User networks are not routable over the CT netw
185. nique IP address for each GRE tunnel gateway TACLANE U FOUO The two PT interfaces of TACLANE B1 and TACLANE B2 could be connected to a single interface of Router B through a hub or switch by assigning a secondary address to the router interface assigning TACLANE B1 to the primary subnet of the interface and assigning TACLANE B2 to the secondary subnet of the interface This causes the client TL TACLANE A to discover that TACLANE B1 fronts the gateway end of GRE Tunnel 1 and that TACLANE B2 fronts the gateway end of GRE tunnel 2 U FOUO Failover redundancy functions in this example as it was described in the previous example except that the gateway red router selects the GRE tunnel gateway TACLANE that carries a packet to the client SIPRNET subnet Recall that it was the SIPRNET Router that selected the GRE tunnel in the first example by forwarding the packet to one of the gateway red routers B 27 UNCLASSIFIED FOR OFFICIAL USE ONLY Interface amp Operator s Guide UNCLASSIFIED FOR OFFICIAL USE ONLY uTL 027 05 10 July 2007 Double Ended U FOUO As the name implies double ended redundancy provides Redundancy redundancy at both ends of a connection between two high value enclaves Double ended redundancy between two TACLANE protected enclaves can be implemented by configuring either two or four GRE tunnels between the red routers of the enclaves Only the four tunnel case is illustrated here as the two tunnel c
186. no longer valid e It is critical that the operator saves the SSO PIN Forgetting the SSO PIN requires that the TACLANE unit undergo a Field Tamper Recovery Procedure U FOUO Follow these steps to update the SSO PIN Step Action l From the MAIN MENU select Maintenance gt Security Administration gt Generate SSO PIN Result The following screen is displayed GENERAL DYNAMICS TACLANE Micro Revision 3 3 Device Name TACLANE Micro Serial Number 4000300400A8 Security Level Unclassified Device State OffLine gt gt Maintenance gt gt Security Administration gt gt Generate 550 PIN 550 Enabled Generate Site Security Officer PIN Operation Mantenence New PIN 868063060 Key Management Accept PIN Network Security System 9 62 UNCLASSIFIED FOR OFFICIAL USE ONLY Interface amp Operator s Guide UNCLASSIFIED FOR OFFICIAL USE ONLY uTL 027 05 10 July 2007 2 Select YES to accept the PIN Note 1 The operator must accept the PIN within five minutes of being prompted otherwise the PIN generation fails Note 2 It is very important that the operator record this new PIN value and save it This PIN is needed to enter the SSO privileged mode Note 3 In order to enter the privileged mode the operator must select the Enable SSO Privileges command and enter this new PIN 9 63 UNCLASSIFIED FOR OFFICIAL USE ONLY Interface amp Operator s Guide UNCLASSIFIED FO
187. nother option is to configure IP tunnels e g Cisco GRE IP tunnels between each router Static routes may be defined to route traffic between hosts and networks through the tunnels This example solution is shown in the figure below B 8 UNCLASSIFIED FOR OFFICIAL USE ONLY Interface amp Operator s Guide UNCLASSIFIED FOR OFFICIAL USE ONLY uTL 027 05 10 July 2007 UNCLASSIFIED FOUO CT PT TACLANE GRE IP tunnel configured between Router A and Router B to route traffic between PT networks using routes oA through tunnels Enet Router B UNCLASSIFIED FOUO Figure B 4 2 U TACLANE Configuration With IP Tunnels How it Works U FOUO All IP datagram traffic between PT hosts is encapsulated by the PT routers supporting the GRE IP tunnels and all resulting encapsulated IP datagrams have the source and destination IP addresses of tunnel endpoints Router A and Router B The CT network Router C only needs to route between the Router A and Router B IP addresses in the directly connected networks known to Router C U FOUO Note that since the added PT side routers can communicate with each other since they are behind TACLANEs it is possible for these routers to exchange dynamic routing information e g using BGP to reduce the need for manual configuration B 9 UNCLASSIFIED FOR OFFICIAL USE ONLY Interface amp Operator s Guide UNCLASSIFIED FOR OFFICIAL USE ONLY uTL 027 05
188. ntify the remote TACLANE associated with the destination host Static routing has a higher precedence so the routing table is always searched first Specifically the sequence is 1 check for specific static route in remote TACLANE static routing table 2 if static route not found use the default static route if it is defined 3 if neither of the above are true try to use SDD assumes SDD PPK has been filled and assigned to a multicast address U FOUO When a default static route is defined SDD Probes will never be sent because the default route always produces a match If a user wants the TACLANE to try SDD then a default static route must not be configured U FOUO TACLANE proxy ARP replies to an ARP request received by the PT interface when the target address is covered by a static routing table entry TACLANE will not proxy ARP reply to a PT host based solely on a default route The target IP address in the PT ARP request must be covered by a static routing table entry other than the default route U FOUO If the optional PT default gateway IP address is configured all off net decrypted PT IP traffic will be delivered to the PT default gateway U FOUO If the optional PT default gateway is not configured TACLANE will ARP for all off net destination IP addresses for decrypted PT IP traffic Assumes proxy ARP support in PT routers Proxy ARP allows a router to reply to a received ARP request for a host in a net
189. ntrol List Result The following screen is displayed TACLANE Mi GENERAL DYNAMICS Revision aise TACLANE Micro Serial Number A000300400A8 Unclassified Device State Secure Comm gt gt Security gt gt Access Control List sissies Access Control List Operation gt 8 There are currently no KMIDs in the Access Control List to display Maintenance gt AUER CLI Total KMIDs 0 lt lt Prev Next gt gt Network gt 9 Firefly ector Set KMIDs Security System lt lt Prev Next gt gt HOME 2 Select ADD Result The following screen is displayed GENERAL DYNAMICS OS EANESMIEIO Revision 3 3 ame TACLANE Micro Serial Number 400030040048 ty Level Unclassified Device State Secure Comm gt gt Security gt gt Access Control List 550 En bed Access Control List RELOAD Operation Maintenance Add KMID is Key Management Add this KMID to the Access Control List Network Security v v v v v v System HOME 3 Enter the KMID value Note The KMIDs must be unique for each ACL entry 4 Select YES to save the ACL entry 8 23 UNCLASSIFIED FOR OFFICIAL USE ONLY Interface amp Operator s Guide UNCLASSIFIED FOR OFFICIAL USE ONLY uTL 027 05 10 July 2007 8 3 U Deleting Access Mode and ACL Entries Introduction _ U FOUO The SSO operator can delete Access Control List ACL entries The ACL consists of a list of up to 256 KMI
190. o verify that ActiveX is enabled The browser was unable to perform a request to dynamically refresh the display Please manually refresh the page using the RELOAD button on the page or the REFRESH button on the tool bar to update the display If that is unsuccessful ensure that the device is currently powered on Check the LEDs on the TACLANE The TACLANE may be restarting System Level Messages The device must have a security level selected to access this functionality Define a security level through the Operation menu before attempting this function The device was unable to access the battery configuration Resubmit the desired changes C 1 UNCLASSIFIED FOR OFFICIAL USE ONLY Interface amp Operator s Guide UNCLASSIFIED FOR OFFICIAL USE ONLY uTL 027 05 10 July 2007 The device was unable to update the battery configuration because another manager was updating the device at the same time Another manager has updated the device Check the data for possible updates Resubmit the desired changes CIK Management Messages Leaving this page before CIK creation is complete will prevent the display of the resulting creation status Resulting status message will be missed Unable to access CIK data Resubmit the desired changes The selected CIK could not be created Resubmit the desired changes It is not possible to abort CIK creation a
191. o Serial Number 400030040048 y Level Unclassified Device State Secure Comm gt gt Key Management gt gt PrePlaced Key Bisco Ensbed Manage PrePlaced Key Chains Operation gt Ma bees ChainId Type Security Level Short Title Edition Segment 1 User Unclassified USEVD 00000000200 111111 A o Em spp Top Secret USEYD 00000000203 111111 ao boo Key Management Network Security roy On Ony On OR One oO ae 12 2 2 Sas Ka E S S a DELETE ENTIRE CHAIN MANAGE KEYS IN CHAIN pA To delete a PrePlaced Key chain select the radio button next to the Chain Id and DELETE ENTIRE CHAIN 4 18 UNCLASSIFIED FOR OFFICIAL USE ONLY Interface amp Operator s Guide UNCLASSIFIED FOR OFFICIAL USE ONLY uTL 027 05 10 July 2007 PPKs in a particular chain Result The following screen is displayed GENERAL DYNAMICS Device Name TACLANE Micro Security Level Unclassified gt gt Key Management gt gt PrePlaced Key 550 Enabled Manage PrePlaced Keys In Chain Operation 9 The PrePlaced Key was filled Maintenance Key Management r PrePlaced Key Chain Info p ees Chain Id il Type User Security Level Confidential Algorithm BATON RETURN TO CHAINS HOME Effective Date Short Title 3 To delete specific changeover PPKs select the radio button next to the Chain Id and MANAGE KEYS IN CHAIN This displays a list of all the 02 26
192. o two entries with the same network ID and prefix length The same network ID may be defined in multiple entries as long as the prefix lengths are different e A longest match search of the table based on combination of network ID and prefix length is used to determine the remote TACLANE to which the IP traffic should be sent e GEM X can also configure the routing table One routing table can be generated by the GEM X and distributed to all the TACLANEs PT Default U FOUO If the optional PT default gateway IP address is configured all Gateway or off net decrypted PT IP traffic will be delivered to the PT default gateway ARP Used to If the optional PT default gateway is not configured TACLANE will ARP Deliver PT IP for all off net destination IP addresses for decrypted PT IP traffic Traffic e Assumes proxy ARP support in PT routers Proxy ARP allows a router to reply to a received ARP request for a host in a network that is in the router s routing table CT Default e U FOUO If the optional CT default gateway IP address is configured all Gateway or off net encrypted CT IP traffic will be delivered to the CT default gateway ARP Used toy If the optional CT default gateway is not configured TACLANE will ARP Deliver CT IP for all off net destination IP addresses for encrypted CT IP traffic Traffic e Assumes proxy ARP support in CT routers Proxy ARP allows a router to reply to a received ARP request for a host in a
193. ocedure U FOUO The operator can delete a remote TACLANE routing table entry or the entire routing table U FOUO Follow these steps to delete remote TACLANE static routes Step Action 1 To delete a static route from the MAIN MENU select Security gt Static Routes gt Route Management Result The following screen is displayed GENERAL DYNAMICS TACLANE Micro Revision 3 3 Name TACLANE Micro Serial Number 400030040048 Level Unclassified Device State Secure Comm gt gt Security gt gt Static Routes gt gt Route Management EJ ses Static Routes Operation 5 The Static Route was created Maintenance lt lt Prev Next gt gt Routes from SES r 7 cc NETID Prefix 10 1 0 0 24 Remote CT 170 0 0 1 lt lt Prev Next gt gt 2 Select the radio button next to the route to delete Select DELETE to delete the route 6 22 UNCLASSIFIED FOR OFFICIAL USE ONLY Interface amp Operator s Guide UNCLASSIFIED FOR OFFICIAL USE ONLY uTL 027 05 10 July 2007 To delete all static routes from the MAIN MENU select Security gt Static Routes gt Delete All Routes Result The following screen is displayed GENERAL DYNAMICS Device Name TACLANE Micro Security Level Unclassified gt gt Security gt gt Static Routes gt gt Delete All Routes 550 Disabled Delete All Static Routes Operation gt Maintenance Delete all static routes
194. ocument CT Ciphertext D Depth DAC Discretionary Access Control dB Decibel dBm Decibel referenced to milliwatts DC Direct Current DF Don t Fragment DoD Department of Defense DoDAAC Department of Defense Activity Address Code DRAM Dynamic Random Access Memory DS Differentiated Services 1 3 UNCLASSIFIED FOR OFFICIAL USE ONLY Interface amp Operator s Guide UNCLASSIFIED FOR OFFICIAL USE ONLY uTL 027 05 10 July 2007 Acronym Definition Abbr DSCP Differentiated Services DIFFSERV Code Point DTD Data Transfer Device ECN Explicit Congestion Notification EEPROM Electrically Erasable Programmable Read Only Memory EFF Enhanced FIREFLY EKMS Electronic Key Management System EMI Electromagnetic Interference ENET Ethernet ESP Encapsulating Security Payload F Fahrenheit FF FIREFLY FFVS FIREFLY Vector Set FPL Fixed Packet Length FSU Field Software Upgrade ft Feet FTR Field Tamper Recovery GBSI Global Broadcast Service Interface GND Ground H Height HAIPE IS High Assurance Internet Protocol Interoperability Specification HEMP High altitude Electromagnetic Pulse HHMMWYV Heavy High Mobility Multipurpose Wheeled Vehicle HMI Human Machine Interface Hz Hertz ICD Interface Control Document ICMP Internet Control Message Protocol ID Identifier ID Inside Diameter IEEE Institute of Electrical and Electronics Engineers IETF In
195. olate enclaves of hosts within separate IP networks TACLANE A and TACLANE E are set to Top Secret TACLANE B and TACLANE C are set to Unclassified TACLANE A and TACLANE B are in a nested TACLANE configuration U FOUO The IP routers connected to the TACLANE are configured to default static route traffic to the opposite router UNCLASSIFIED FOUO T PT Nested TACLANEs Router TACLANE Router bo her PT CT PT Enet Enet TACLANE Enet TACLANE Enet Enet A B Secret Unclas Host Enet C1 Unclas UNCLASSIFIED FOUO Figure B 6 2 U TACLANE Single Gateway Nested Configuration Example B 15 UNCLASSIFIED FOR OFFICIAL USE ONLY Interface amp Operator s Guide UNCLASSIFIED FOR OFFICIAL USE ONLY uTL 027 05 10 July 2007 U Connecting Networks at Different Security Levels continued How it Works U FOUO All IP traffic between the Unclassified network and the Unclassified enclaves on the Secret network travels through a pair of Unclassified TACLANEs TACLANE B and TACLANE D or TACLANE C and TACLANE D Host C1 communicates with Host B1 through TACLANE C and TACLANE D Top Secret traffic between Host Al and Host E1 is handled by the nested TACLANE configuration TACLANE A and TACLANE E are peer Top Secret TACLANEs and TACLANE B and TACLANE D are peer Unclassified TACLANEs The nested TACLANE configuration overlays the protected Top Secret traffic over the Unclassified traffic in order for it to b
196. on Select DISPLAY HOSTS to display the known hosts protected by this SA Result The following screen is displayed GENERAL DYNAMICS Device Name TACLANE Micro Security Level Unclassified gt gt Operation gt gt 5A Info gt gt SA Table TACLANE Micro Revision 3 3 Serial Number 400030040048 Device State Secure Comm 2 550 Enabled Display Hosts RELOAD Operation Maintenance Remote CT Address 170 0 0 1 Key Management Remote PT Address 10 1 0 1 Security Host Address 10 1 0 100 System lt lt Prev Next gt gt Select the radio button next to the desired Host Address Select DELETE to delete the host from the SA or Security Association Select BACK TO SA DATA to return to the Security Association Info screen 10 Select BACK TO SA TABLE to return to the Security Associations screen 6 9 U Configuring Remote TACLANE Static Routing 6 16 UNCLASSIFIED FOR OFFICIAL USE ONLY Interface amp Operator s Guide UNCLASSIFIED FOR OFFICIAL USE ONLY uTL 027 05 Introduction Remote TACLANE Static Routing Table Default Static Route 10 July 2007 U FOUO The TACLANE operator can define static routes which associate destination IP network identifiers with remote TACLANEs protecting that target More basically a static route answers the following question which TACLANE should the SA be established with for communications to this remote net
197. or 10 0 21 1 remote as 1 neighbor 10 0 22 1 remote as 1 network p1 p2 10 16 255 255 255 248 ip route pl p2 12 8 255 255 255 252 p1 p2 11 77 ip route pl p2 12 12 255 255 255 252 p1 p2 11 69 ip route pl p2 12 16 255 255 255 252 p1 p2 11 69 ip route p1 p2 12 20 255 255 255 252 pl p2 11 77 B 29 UNCLASSIFIED FOR OFFICIAL USE ONLY Interface amp Operator s Guide UNCLASSIFIED FOR OFFICIAL USE ONLY uTL 027 05 How it Works 10 July 2007 U FOUO A unique IP address is provided for each GRE tunnel endpoint by assigning both a primary and a secondary address to each TACLANE connected red router interface The unique tunnel endpoint addresses allow a red router to route the packets for the destination ends of two tunnels to one connected TACLANE and to route the packets for the destination ends of the other two tunnels to the second connected TACLANE The unique addresses also allow a TACLANE to route encrypted packets to different TACLANEs at the other enclave depending on the destination tunnel endpoint address Accordingly four static routes are configured at each red router and two static routes are configured at each TACLANE The result is that the path of each GRE tunnel passes through a different combination of TACLANEs one from each enclave U FOUO The same routing protocol BGP 4 in this example is enabled at each red router and configured to advertise the private host subnet of its enclave via each of the four
198. ork e g the TACLANE user is using a private IP network such as network 10 0 0 0 and the CT network does not route traffic for private IP networks e The number of user networks is large T he number of user networks makes configuration of static IP routes on Router C cumbersome e g Router B fronts the Internet B 7 UNCLASSIFIED FOR OFFICIAL USE ONLY Interface amp Operator s Guide UNCLASSIFIED FOR OFFICIAL USE ONLY uTL 027 05 10 July 2007 IP Routing Workarounds continued Two Example Solutions Manual PPK Configuration How it Works PT Router IP Tunnels U FOUO This section describes two example configurations The first example uses PPKs and the second uses IP tunnels U FOUO Note Remote TACLANE static routing eliminates the need for static routes to PT networks on CT routers and vice versa and also eliminates the need for the IP routing workarounds described in this section U FOUO One option is to manually configure each TACLANE with IP PPK assignments including each remote host IP address that is reachable behind every other TACLANE This same solution but to a different problem is illustrated in Multiple Gateways from Network U FOUO This lets the source TACLANE know the IP address of the destination TACLANE ahead of time so the TACLANE does not have to rely on the CT network to route automated peer TACLANE discovery messages to the correct TACLANE U FOUO A
199. pend on the particular configuration Note Entries displayed in italics are currently disabled 8 31 UNCLASSIFIED FOR OFFICIAL USE ONLY Interface amp Operator s Guide UNCLASSIFIED FOR OFFICIAL USE ONLY uTL 027 05 10 July 2007 9 0 U MAINTAINING TACLANE 9 1 U Setting the Date and Time Introduction U FOUO The SSO operator can set the TACLANE date and time Note U FOUO All communicating TACLANEs must have their date and time set within 55 minutes of each other to ensure that no communications blackout periods occur Only the SSO can access this command Clock Drift U FOUO Nominal TACLANE clock drift is maximum 2 min month TACLANE date and time should be checked for accuracy at least once every 6 months and adjusted if needed Setting the U FOUO The Remote Manager can remotely change the system date and Date and time Time by i Remote Manager 9 32 UNCLASSIFIED FOR OFFICIAL USE ONLY Interface amp Operator s Guide UNCLASSIFIED FOR OFFICIAL USE ONLY uTL 027 05 10 July 2007 Procedure U FOUO Follow these steps to set the date and time Step Action 1 From the MAIN MENU select Maintenance gt Date Time Result The following screen is displayed GENERAL DYNAMICS TACLANE Micro Revision 3 3 Device Name TACLANE Micro Serial Number AO00300400A8 Security Level Unclassified Device State OffLine gt gt Maintenance gt gt Date Time 2 ns Date
200. power source match the requirements for the TACLANE AC power cord The AC power cord ends in three pole grounding plugs Do not use three pole to two pole adapters with these plugs AC outlet Verify that the AC outlet used is properly installed and grounded The outlet must comply with applicable National Electric Codes U FOUO There are no operator serviceable parts inside the TACLANE chassis There is a risk of electrical shock inside TACLANE Any service should be performed only by depot personnel U FOUO TACLANE may have a lithium battery installed Do not incinerate lithium batteries because of the risk of explosion Lithium batteries will last up to two years scheduled replacement is recommended U FOUO TACLANE may use an alkaline battery as a backup or in places where a lithium battery is not available Battery lifetime for alkaline batteries is approximately three months when the TACLANE Micro is not connected to prime power 1 5 U Hardware Versions TACLANE Micro U FOUO The following table identifies the base part number for the TACLANE Micro product Refer to section 2 0 of this document for a description of the capabilities of TACLANE Micro Base Part Number TACLANE Version MC 10901 2 TACLANE Micro KG 175D if UNCLASSIFIED FOR OFFICIAL USE ONLY Interface amp Operator s Guide Other TACLANE Versions UNCLASSIFIED FOR OFFICIAL USE ONLY uTL 027 05 10 J
201. pping failure unavailability of one TACLANE at each enclave will disable communications between the private subnets of the two enclaves This can be seen by visualizing that only GRE Tunnel 11 and GRE Tunnel 22 are configured The failure of TACLANE 21 will disable GRE Tunnel 11 and remove TACLANE 11 from service The overlapping failure of TACLANE 12 will then disable GRE Tunnel 22 so that no path remains between the two red routers In the four tunnel configuration the failure of TACLANE 21 does not disable GRE Tunnel 12 or remove TACLANE 11 from service so an overlapping failure of TACLANE 12 still leaves the path through GRE Tunnel 12 intact U FOUO A four tunnel configuration may be more robust than is necessary in a network where the number of TACLANE protected enclaves is very large The probability that one TL will fail at each enclave at the same time decreases as the number of enclaves increases If the redundancy design must assure that all n enclaves remain connected when one TL is unavailable at each of the n enclaves then a four tunnel configuration is needed If all n enclaves must remain connected when one TL is unavailable at each of n 1 or fewer enclaves then a two tunnel configuration may be sufficient but enclave to enclave latency could increase If enclave to enclave latency must not increase when one TL fails at two or more enclaves then a four tunnel configuration will be necessary The number of GRE tunnels can be redu
202. ransceivers if used are working properly If using twisted pair Ethernet cables check that straight or crossover twisted pair cables are used where needed Verify that the network speed settings are compatible 10 79 UNCLASSIFIED FOR OFFICIAL USE ONLY Interface amp Operator s Guide UNCLASSIFIED FOR OFFICIAL USE ONLY uTL 027 05 10 July 2007 10 10 U Troubleshooting Security Associations ain U FOUO The table below describes TACLANE security association eN e problems their causes and solutions Also see applicable Release Notes for the TACLANE software version Problem Cause Solution Cannot enter secure IP configuration incorrect or Check that the IP configuration communications mode incomplete is complete and correct Configuration error Cannot secure IP SAs IP Ethernet cable transceiver Check that the Ethernet cables communications fail problem and transceivers if used are working properly If using twisted pair Ethernet cables check that straight or crossover twisted pair cables are used where needed The underlying network is Check that the underlying experiencing a failure or is not network is configured and configured correctly operating correctly If the TACLANE was inserted into an existing IP Ethernet configuration flush the ARP caches on hosts and routers Verify that the network speed settings are compatible Firewall prohibiting SDD IKE Check
203. records if available 9 67 UNCLASSIFIED FOR OFFICIAL USE ONLY Interface amp Operator s Guide UNCLASSIFIED FOR OFFICIAL USE ONLY uTL 027 05 10 July 2007 10 0 U TROUBLESHOOTING TACLANE 10 1 U Alarm Introduction Alarm Recovery U FOUO An alarm is the result of an internal failure When a TACLANE is in an alarm condition the ALARM status LED is illuminated U FOUO Note The ALARM status LED is illuminated briefly during diagnostics This is normal U FOUO TACLANE automatically attempts to recover from an alarm TACLANE automatically resets during alarm recovery and attempts to return to the previous operating mode After two successive alarms of the same type the TACLANE will halt 1 e it will stop attempting to restart Power can be cycled by the operator to attempt to recover from a repeated alarm condition If the condition persists the TACLANE must be returned to the depot for repair Note the circumstances surrounding the alarm as this information may be useful to depot personnel 10 68 UNCLASSIFIED FOR OFFICIAL USE ONLY Interface amp Operator s Guide UNCLASSIFIED FOR OFFICIAL USE ONLY uTL 027 05 10 July 2007 10 2 U Tamper Introduction Tamper Recovery U FOUO Tamper is the result of opening the TACLANE chassis loss of battery power when powered off or removal of the battery while the TACLANE is powered off When a TACLANE is in a tamper condition the T
204. red with static routes if all TACLANEs support static routing B 10 UNCLASSIFIED FOR OFFICIAL USE ONLY Interface amp Operator s Guide UNCLASSIFIED FOR OFFICIAL USE ONLY uTL 027 05 10 July 2007 UNCLASSIFIED FOUO T PT Enet TACLANE Enet A T PT IP Encryptor Configure static routes for networks B behind different IP encryptors to point to TACLANE A Enet CT PT Enet Enet TACLANE C T PT IP Encryptor D UNCLASSIFIED FOUO Figure B 5 2 U TACLANE Encryption Gateway Connecting Many Subnet Enclaves U FOUO The CT network represented by Router C requires at least a static route for the network behind IP Encryptor D to point to TACLANE A This is needed to route automated peer discovery messages to the correct TACLANE The routing configuration may need further modification depending on the nature of the different IP encryptor Note that this solution can be augmented with the solutions from IP Routing Workarounds or static routing capabilities How it Works U FOUO In both scenarios the TACLANE encryption gateway works by having the different IP encryptor decrypt IP datagram traffic before it is encrypted again by the TACLANE and vice versa B 11 UNCLASSIFIED FOR OFFICIAL USE ONLY Interface amp Operator s Guide UNCLASSIFIED FOR OFFICIAL USE ONLY uTL 027 05 10 July 2007 B 6 U Connecting Networks at Different Security Levels Introduction Two Example Configurat
205. s Ifa match is found the corresponding PPK is for the security association e Existing security associations using FIREFLY TEKs are checked for a match based on the remote TACLANE IP address Ifa match is found the corresponding existing security association using a FIREFLY TEK is used to secure the IP traffic U FOUO If there is no matching PPK assignment or security association using a FIREFLY TEK and an operational FIREFLY vector set is usable at the current security level the following occurs a new security association is created and the initiator and responder peer TACLANEs cooperatively generate a FIREFLY TEK using their FIREFLY vector sets U FOUO If automated peer TACLANE discovery is not desirable remote TACLANE static routes can be defined This eliminates the need for automated peer TACLANE discovery See the section Configuring Remote TACLANE Static Routing When static routes are configured PPK and FIREFLY can both be used to secure communications without use of automated peer TACLANE discovery U FOUO TACLANEs support static multicast e A static multicast group is configured on the TACLANE by assigning a PPK to the static multicast group address e Remote TACLANE IP addresses that are a mix of multicast and unicast IP addresses may be assigned to the same PPK e TACLANE will encrypt all PT IP datagram traffic destined for the specified multicast Class D IP address and send the CT ESP IP dat
206. s Enabled the TACLANE does not encrypt PT IGMP messages as user multicast traffic but instead regenerates the IGMP messages on the CT side When the IGMP MLD Bypass is Enabled the TACLANE regenerates user IGMP messages traveling from both CT to PT as well as from PT to CT U FOUO When the IGMP MLD Bypass is Disabled the TACLANE does not participate in the IGMP protocol It treats all PT IGMP messages from the PT network as user multicast traffic to be encrypted And the TACLANE treats all IGMP messages from the CT network as user multicast traffic to be decrypted Therefore IGMP PDUs received on the CT interface that are not encapsulated in ESP will be discarded U FOUO The default for the IGMP MLD Bypass parameter is Disabled U FOUO Setting the IGMP MLD Bypass parameter to Enabled is necessary for cooperation with multicast router s located in the CT network Refer to Appendix B of the Operator s Manual for more details on IGMP configuration U FOUO Note that the TACLANE also supports IGMP on the CT side in order to support the HAIPE IS Secure Dynamic Discovery SDD multicast traffic The IGMP Bypass parameter however has no affect on the TACLANE s IGMP support for SDD traffic Regardless of whether the IGMP MLD Bypass parameter is Enabled or Disabled the TACLANE will support IGMP for SDD traffic whenever the SDD multicast group is configured i e assigned to the SDD PPK Continued on next page 7 18 UNCLA
207. s is disabled 3 Select YES to save changes 7 19 UNCLASSIFIED FOR OFFICIAL USE ONLY Interface amp Operator s Guide UNCLASSIFIED FOR OFFICIAL USE ONLY uTL 027 05 10 July 2007 7 9 U Displaying Bypass Information Introduction U FOUO The operator can display the bypass information Procedure U FOUO Follow these steps to display the bypass information Step Action 1 From the MAIN MENU select Security gt Traffic Flow Security gt Bypass Result The following screen is displayed GENERAL DYNAMICS e e evision 3 3 400030040048 Secure Comm gt gt Security gt gt Traffic Flow Security gt gt Bypass 550 Dissbsd Display Bypass Operation gt Maintenance ES Don t Fragment Bit Bypass DISABLED Key Management Pa Bit Setting 0 gt 5 PMTU Bypass DISABLED IGMP MLD Bypass DISABLED TOS Bypass ENABLED TOS Constant 00000000 Accepted DSCP Values cso cst cs2 CS3 c54 ESS c56 cs 000001 001001 010001 011001 100001 101001 110001 111001 000010 AF11 AF21 AF31 AF41 101010 110010 111010 000011 001011 010011 011011 100011 101011 110011 111011 000100 AF12 AF22 AF32 AF42 101100 110100 111100 000101 001101 010101 011101 100101 101101 110101 111101 000110 AF13 AF23 AF33 AF43 EFPHB 110110 111110 000111 001111 010111 011111 100111 101111 110111 111111 7 20 UNCLASSIFIED FOR OFFICIAL USE ONLY Interface amp Operator s Guide UNCLASSIFIED FOR OFF
208. s the TACLANE and the Filename of the FSU file on the download server including any path information Note The file name including the path information must be 231 or fewer characters 4 Select YES to save changes 9 43 UNCLASSIFIED FOR OFFICIAL USE ONLY Interface amp Operator s Guide UNCLASSIFIED FOR OFFICIAL USE ONLY uTL 027 05 10 July 2007 9 9 U Delete Download Servers Introduction U FOUO The operator can delete an FSU download server Important U FOUO The following notes apply to deleting FSU download servers Notes e Only the SSO can access this command e A download server cannot be deleted if an FSU download is in process Procedure U FOUO Follow these steps to deleting an FSU download servers Step Action 1 From the MAIN MENU select Maintenance gt Field Software Upgrade gt Servers Result The following screen is displayed GENERAL DYNAMICS ae Revision 3 3 TACLANE Micro r 400030040048 evel Unclassified 2 Secure Comm gt gt Maintenance gt gt Field Software Upgrade gt gt Servers 2s Manage Download Servers Operation Maintenance Glick up or down arrow fo move selected server ke gement Priority IP Address Side Filename 2 Select the radio button next to the download server 3 Select DELETE to delete the FSU download server 9 44 UNCLASSIFIED FOR OFFICIAL USE ONLY Interface amp Operator
209. screen is displayed GENERAL DYNAMICS TACLANE Micro Revision 3 3 e TACLANE Micro Jumber 400030040048 Security Level Unclassified Device State Secure Comm gt gt Security gt gt Static Routes gt gt Route Management E Static Routes Operation gt Pem 3 The Static Route was created Maintenance gt Key Management gt lt lt Prev Next gt gt Network gt Routes from Me TES i C Security gt C NET ID Prefix 10 1 0 0 24 Remote CT 170 0 0 1 System gt lt lt Prev Next gt gt HOME 2 Select the radio button next to the desired Static Route Select VIEW MODIFY Result The following screen is displayed GENERAL DYNAMICS TACLANE Micro Revision 3 3 Device Name TACLANE Micro Serial Number A000300400A8 Security Level Unclassified Device State Secure Comm gt gt Security gt gt Static Routes gt gt Route Management o Configure Static Route Operation Maintenance Address Type IPv4 Key Management NET IDjPrefix Length 10 1 0 0 24 Remote PT Address 148 20 20 2 Save Changes 3 Update the Network ID Prefix Length Remote CT INE Address and or Remote PT INE Address 6 21 UNCLASSIFIED FOR OFFICIAL USE ONLY Interface amp Operator s Guide UNCLASSIFIED FOR OFFICIAL USE ONLY uTL 027 05 10 July 2007 Select YES to save changes 6 11 U Deleting Remote TACLANE Static Routes Introduction Pr
210. t Key Management gt gt gt gt 2 Select CREATE next to the CIK to be created Result The following screen is displayed GENERAL DYNAMICS TACLANE Micro Revision 3 3 me TACLANE Micro Serial Number AO00300400A8 el Unclassified Device State Secure Comm gt gt Security gt gt Create CIK BoE Create cik Operation 9 Please remove the current CIK Maintenance ion Pi a CIK Creation Progress Security by Cancel CIK creation CANCEL System Note If the CIK create is not completed within five minutes the TACLANE automatically restarts 9 35 UNCLASSIFIED FOR OFFICIAL USE ONLY Interface amp Operator s Guide UNCLASSIFIED FOR OFFICIAL USE ONLY uTL 027 05 10 July 2007 Remove the CIK from the TACLANE Result The following screen is displayed ci ee m TACLANE Micro Revision 3 3 ne TACLANE Micro Serial Number A000300400A8 y Level Unclassified Device State Secure Comm gt gt Security gt gt Create CIK Boe Create cik Operation gt 9 Please insert a blank KSD Maintenance gt CIK Creation Progress Continued on next page 9 36 UNCLASSIFIED FOR OFFICIAL USE ONLY Interface amp Operator s Guide UNCLASSIFIED FOR OFFICIAL USE ONLY uTL 027 05 10 July 2007 U Creating a CIK continued Procedure continued Step Action 4 Insert a blank CIK Result The following screen is displayed
211. t Maintenance gt gt Field Software Upgrade gt gt Upgrade Management Upgrade Management oO _ 8 The Image Download has completed Maintenance Key Management Configured Download Servers ah MODIFY SERVERS Network Filename Console HOME Downloaded Image Information IP Address 192 168 0 38 Q new alert Note Specific version information depends on the particular TACLANE configuration 2 Select INSTALL to initiate the install operation The progress of the FSU file decryption process is displayed on the screen for the operator Note Only a single FSU installation can be in progress at any time 3 When all images have been successfully written the Field Software Upgrade installation is complete The status of the installation is displayed to the operator 9 51 UNCLASSIFIED FOR OFFICIAL USE ONLY Interface amp Operator s Guide UNCLASSIFIED FOR OFFICIAL USE ONLY uTL 027 05 FSU Installation Results 10 July 2007 U FOUO If the installation fails then the FSU file must first be discarded before another FSU file can be downloaded and subsequently installed U FOUO If the installation is successful the TACLANE must be restarted for the new release to take effect No other FSU operations download or installation can be executed until a restart takes place U FOUO On restart the TACLANE will autorecover to the operationa
212. t PPK Assignment B ssocnabled PrePlaced Key SDD Assignment Operation Maintenance PrePlaced Key Chain Info Chain Id 3 Confidential 02 12 2007 RETURN TO CHAINS Key Management Network Security Level Security Effective Date System If the PPK assignment is disabled select ENABLE to enable the PPK SDD assignment If the PPK assignment is enabled select DISABLE to disable the PPK SDD assignment If disabling the PPK SDD Assignment select OK to confirm 6 7 UNCLASSIFIED FOR OFFICIAL USE ONLY Interface amp Operator s Guide UNCLASSIFIED FOR OFFICIAL USE ONLY uTL 027 05 10 July 2007 6 4 U Delete a PPK Assignment Introduction U FOUO The SSO operator can delete a PPK assignment Notes U FOUO Only the SSO can delete a PPK assignment Procedure U FOUO Follow these steps to delete a PPK assignment Step Action 1 From the MAIN MENU select Security gt PPK Assignment Result The following screen is displayed GENERAL DYNAMICS TACLANE Micro Revision 3 3 Serial Number A00030040048 Securt y Level Unclassified Device State Secure Comm gt gt Security gt gt PPK Assignment 550 Enabled PrePlaced Key Chain Selection Operation Maintenance Chain Id Type Security Level Short Title Edition Segment 1 User Unclassified USEVD 00000000200 111111 a o User Secret USEVD 00000000202 111111 a fo Confidential USEV
213. t gt Key Management gt gt FIREFLY Vector Set Manage FIREFLY Vector Set Operation KMID 000000000001004 Classification u Capability EFF Maintenance Network Type Operational Universal Id 1311 Security gt gt Key Management gt gt gt System Universal Edition 01 Next Edition Current FFYS Expires On 12 31 2005 Next FFYS Expires On 1 new alert Note Specific values depend on the particular FIREFLY vector set Note Ifthe fill operation was unsuccessful due to a PrePlaced Key being loaded instead of a FFVS an FFVS Fill Failed entry is placed in the audit log with reason Invalid Key Material Disconnect the fill cable from the TACLANE fill port 4 6 UNCLASSIFIED FOR OFFICIAL USE ONLY Interface amp Operator s Guide UNCLASSIFIED FOR OFFICIAL USE ONLY uTL 027 05 10 July 2007 4 4 U Deleting the FIREFLY Vector Set Introduction Note Procedure U FOUO The SSO operator can delete the operational FIREFLY vector set U FOUO The following notes apply to deleting the FIREFLY vector set e Only the SSO can delete a FIREFLY vector set U FOUO Follow these steps to delete the FIREFLY vector set Step Action l From the MAIN MENU select Key Management gt FIREFLY Vector Set Result The following screen is displayed TACLANE Micro GENERAL DYNAMICS SLANE Mic Device Name TACLANE Micro Serial Number A000300400A8
214. t this time Complete CIK creation CIK can be deleted after creation A valid CIK has been inserted Please insert a blank A CIK that is valid for KSD this TACLANE has been inserted An error occurred during CIK creation An invalid CIK was entered Remove CIK and insert a valid CIK The selected CIK could not be deleted Another manager has updated the device Check the data for possible updates Resubmit the desired changes Tamper Recovery Messages Recovery data download failed DTR failed Verify the TFTP server is running and that the correct Recovery IP address and filename are entered Error creating CIK Cannot overwrite current Recovery CIK Tamper Recovery failed Remove Recovery CIK Perform Tamper Recovery Do not use the Recovery CIK when prompted to insert a CIK Error creating CIK Tamper Recovery failed An invalid CIK was entered Restart the TACLANE Micro and perform Tamper Recovery with a valid CIK C 2 UNCLASSIFIED FOR OFFICIAL USE ONLY Interface amp Operator s Guide UNCLASSIFIED FOR OFFICIAL USE ONLY uTL 027 05 10 July 2007 Tamper Recovery failed Retry Tamper Recovery Process Recovery CIK update failed The TACLANE Micro was able to read but not write to the CIK Recovery CIK creation failed Tamper Recovery failed An invalid Recovery CIK was inserted while performing Depot Tamper Recovery Recovery
215. ter Redundancy i E EE uatie eisai eiags i R S U Using Four GRE Tunnels to Provide Double Ended TACLANE Redundancy without Router Redundancy 0 0 0 0 cecceeceeeseeeseeeteeeteeeees vii UNCLASSIFIED FOR OFFICIAL USE ONLY uTL 027 05 10 July 2007 Interface amp Operator s Guide UNCLASSIFIED FOR OFFICIAL USE ONLY uTL 027 05 10 July 2007 U THIS PAGE INTENTIONALLY LEFT BLANK Vili UNCLASSIFIED FOR OFFICIAL USE ONLY Interface amp Operator s Guide UNCLASSIFIED FOR OFFICIAL USE ONLY uTL 027 05 10 July 2007 1 0 U INTRODUCTION 11 U About the Manual Purpose Audience Edition Changes Contents U FOUO The purpose of this manual is to explain how to install operate and reconfigure the General Dynamics TACLANE Micro KG 175D encryptor U FOUO This manual is intended for operators with a basic understanding of IP networking as well as data encryption U FOUO This is the Operator s Manual for the TACLANE Micro It includes information specific to TACLANE Micro Release 3 3 Release 3 3 is HAIPE IS v1 3 5 compliant and supports the BATON and MEDLEY traffic encryption algorithms U FOUO The information presented in this manual is subject to change without notice Any changes will be incorporated in subsequent editions or change pages will be issued U FOUO This manual covers the following topics Section Title Page
216. ternet Engineering Task Force IGMP Internet Group Management Protocol IKE Internet Key Exchange in Inches INE In line Network Encryptor IP Internet Protocol IPv4 IP version 4 1 4 UNCLASSIFIED FOR OFFICIAL USE ONLY Interface amp Operator s Guide UNCLASSIFIED FOR OFFICIAL USE ONLY uTL 027 05 10 July 2007 Acronym Definition Abbr KG Key Generator km Kilometers KMID Key Material ID KSD Key Storage Device LAN Local Area Network Ibs Pounds LC Lampert Connector LCD Liquid Crystal Display LED Light Emitting Diode m Meters MAC Mandatory Access Control MAC Medium Access Control MAX Maximum Mbps Megabits per second MDI Media Dependent Interface MIB Management Information Base MTBF Mean Time Between Failures MTEK Main Traffic Encryption Key MTU Maximum Transmission Unit um Micrometers NA Numerical Aperture NIC Network Interface Card nm Nanometers NSA National Security Agency NSN National Stock Number PC Personal Computer PIN Personal Identification Number PMTU Path Maximum Transmission Unit PPK PrePlaced Key PSEQN Payload Sequence Number PT Plaintext RECIPe Remote Encryptor Configuration Information Protocol RFC Request For Comment SA Security Association SAMP Security Association Management Protocol SDD Secure Dynamic Discovery 1 5 UNCLASSIFIED FOR OFFICIAL USE ONLY
217. tery 550 Disabled Replace Battery Operation Maintenance Battery Type Lithium Ion Key Management Date Last Changed 02 27 2007 Network Change Battery Security System 2 Select the battery type from the Battery Type pull down menu Note The Date Last Changed displays the current date as the date that the battery was changed 3 Select YES to save changes 9 41 UNCLASSIFIED FOR OFFICIAL USE ONLY Interface amp Operator s Guide UNCLASSIFIED FOR OFFICIAL USE ONLY uTL 027 05 10 July 2007 9 7 U Displaying Battery Installed Date and Type Introduction U FOUO The operator can display the type of battery and the date on which the battery was installed Procedure U FOUO Follow these steps to display the battery installed date and type The display capabilities have been integrated with the configure capabilities See section 9 6 9 8 U Configuring Download Servers Introduction U FOUO The operator can configure up to three FSU download servers Important U FOUO The following notes apply to configuring FSU download servers Notes e Only the SSO can access this command e The download servers cannot be modified if an FSU download is in process e The download servers are listed in order of use during FSU i e download server with Priority 1 is attempted first followed by download server with Priority 2 etc 9 42 UNCLASSIFIED FOR OF
218. tion because Another manager has another manager was updating the device at the same updated the device time Check the data for possible updates Resubmit the desired changes The provided Router Options can not be set Resubmit the desired changes The device was unable to change the MTU because Another manager has another manager was updating the system at the same updated the device time Check the data for possible updates Resubmit the desired changes C 4 UNCLASSIFIED FOR OFFICIAL USE ONLY Interface amp Operator s Guide UNCLASSIFIED FOR OFFICIAL USE ONLY uTL 027 05 10 July 2007 The device was unable to change the Ethernet Comm settings because another manager was updating the system at the same time Another manager has updated the device Check the data for possible updates Resubmit the desired changes FFVS and PPK Messages Timeout occurred during FIREFLY Vector Set fill The DTD must be connected to the fill port and the fill must be initiated from the DTD within five minutes Error occurred during FIREFLY Vector Set fill Check the Audit Log for the FFVS Fill Failed entry Note that if the reason Invalid Key Material verify that a fill of a PrePlaced Key was not attempted The device was unable to initiate the fill operation because another manager was updating the device at the same time Another manager has updated the device Chec
219. tivated 2 5 UNCLASSIFIED FOR OFFICIAL USE ONLY Interface amp Operator s Guide UNCLASSIFIED FOR OFFICIAL USE ONLY uTL 027 05 Easy to Use Local Key Management 10 July 2007 U FOUO The TACLANE Micro Human Machine Interface HMI is web browser based It uses the menu structure of the simple menu interface common to all TACLANE models The HMI is accessed by connecting a PC running browser software to the front panel mounted Ethernet Port provided for the Console and entering the IP address of the Console Port into the browser address window Refer to section 2 4 Web based Human Machine Interface HMI for more details on the TACLANE Micro HMI U FOUO Multiple instances of the web browser running on the operator s terminal can access a TACLANE Micro HMI at the same time This allows various multiple status screens to be displayed at the same time a command screen is being used to configure the TACLANE Micro This may be helpful for example in making configuration changes based on audit log entries or status displays Status screens have to be manually refreshed to maintain currency Managing a TACLANE Micro through multiple instances of the web browser in a time interleaved fashion would cause command errors These errors necessitate the operator reissuing a command if one or more commands are made from other instances between the loading of a command screen and execution of the command U FOUO The CIKs
220. to a PT host based solely on a default route The target IP address in the PT ARP request must be covered by a static routing table entry other than the default route Continued on next page B 5 UNCLASSIFIED FOR OFFICIAL USE ONLY Interface amp Operator s Guide UNCLASSIFIED FOR OFFICIAL USE ONLY uTL 027 05 10 July 2007 General IP Ethernet Configuration Tips continued Remote U FOUO The operator may define a remote TACLANE routing table to Sie Routine associate destination IP networks subnetworks with remote TACLANEs Table e Up to 1024 IP network subnetwork destination entries may be defined Entries are pooled a maximum of 1024 entries may be created across all security levels The sum total of all entries at all security levels must be less than or equal to 1024 e Entries consist of a remote TACLANE IP address destination network ID and prefix length e Routes for the local TACLANE may be included This allows the same remote TACLANE routing table to be used in every TACLANE It is recommended that these routes be included when a CT default route is also defined e Multiple destination IP networks subnetworks may be associated with the same remote TACLANE IP address e One default route TACLANE table entry may be defined by identifying the network ID and prefix length as 0 0 0 0 0 e Validation checks on table entries include e Prefix length must be valid for the network ID e No duplicate table entries n
221. to replacing the battery e Replace with a 3 6V AA lithium battery e Alternative replacement with 1 5V AA alkaline battery 10 75 UNCLASSIFIED FOR OFFICIAL USE ONLY Interface amp Operator s Guide UNCLASSIFIED FOR OFFICIAL USE ONLY uTL 027 05 10 July 2007 Procedure U FOUO Follow these steps to replace the battery Step Action 1 Remove the battery cover turn counterclockwise Install a new battery with negative end first 2 3 Reinsert the battery cover turn clockwise 4 To update the battery installed date from the MAIN MENU select Maintenance gt Battery Result The following screen is displayed GENERAL DYNAMICS TACLANE Micro Revision 3 3 Device Name TACLANE Micro Serial Number 400030040048 Security Level Unclassified Device State OffLine gt gt Maintenance gt gt Battery Replace Battery RELOAD Operation Maintenance Battery Type Lithium Ion v Key Management Date Last Changed 02 27 2007 Network gt Change Battery Security YES System 5 Select YES to acknowledge battery replacement and return to the MAINTENANCE menu Note This sets the battery installed date to the current date 10 6 U Performing Diagnostics Introduction U FOUO Diagnostics are automatically performed periodically The operator can initiate diagnostics by restarting the TACLANE Procedure U FOUO Follow this step to initiate diagnostics Step
222. ttery Removal Note while the device is powered off It is recommended that the battery be changed while the device is powered on because when the device is NOT powered there is a 30 second time limit to change the battery In the unpowered situation if the battery is not changed within 30 seconds data will be lost Therefore it is important that the operator has the new battery ready before starting U FOUO It is very important that the new battery be placed in correctly for polarity If the battery is inserted backwards the device will be tampered if prime power is not present or removed 3 3 UNCLASSIFIED FOR OFFICIAL USE ONLY Interface amp Operator s Guide UNCLASSIFIED FOR OFFICIAL USE ONLY uTL 027 05 10 July 2007 Failure Rate U FOUO The Ground Benign prediction for the TACLANE Micro is Lorne greater than 100 000 hours at 25 C ground benign environment 3 4 U Mounting TACLANE U FOUO From one to three TACLANE Micros can be rack mounted side Micro Rack by side in a standard EIA 19 in rack In single or two unit mounting Mount A configuration the mounting tray facilitates mounting of up to 2 TACLANE Micro power supplies Cooling e U FOUO TACLANE is passively cooled i e there is no cooling fan Placement or mounting must make sure that the TACLANE is operating within its temperature limits for minimum maximum ambient temperature The TACLANE Micro should have clearance to permit a
223. two GRE tunnels is equal and both tunnels are up The routers will load balance either on a per packet basis or on a per destination basis depending on whether fast switching is enabled at the tunnel interfaces U FOUO Depending on the routing protocol the protocol can be configured with or without the GRE tunnel interface of the other red router as a protocol neighbor The GRE tunnels will support the multicast routing protocol messages e g all OSPF routers that routers exchange when neighbors are not configured A GRE tunnel interface will encapsulate a multicast routing protocol packet with a unicast IP header addressed to the other tunnel end B 25 UNCLASSIFIED FOR OFFICIAL USE ONLY Interface amp Operator s Guide UNCLASSIFIED FOR OFFICIAL USE ONLY uTL 027 05 10 July 2007 Single Ended U FOUO The figure below is another two enclave example of a base Saray network where TACLANE redundancy is configured only at a gateway Router enclave The number of gateway red routers has been reduced to one making Redundancy this configuration applicable when the redundancy requirement does not extend beyond the TACLANE Note that the failure unavailability of the gateway red router Router B will disable both GRE tunnels and the use of both TACLANEs at the gateway UNCLASSIFIED FOUO CT PT TACLANE B1 Enet GRE Tunnel 1 Router A lt gt Router B ae Edge Switch B GRE Tunnel 2 Router A
224. ty level Step Action l From the MAIN MENU select Operation gt Security Level Result The following screen is displayed GENERAL DYNAMICS TACLANE Micro Revision 3 3 Device Name TACLANE Micro Serial Number A0003004004A8 Security Level Unclassified Device State Secure Comm gt gt Operation gt gt Security Level Select Security Level Op Maintenance Security Level fiione 4 Key Management Set Selected Level Network 2 Select the desired security level from the pull down list Select YES to set the selected security level 4 Select OK to confirm the action and restart the TACLANE if currently in a security level 4 20 UNCLASSIFIED FOR OFFICIAL USE ONLY Interface amp Operator s Guide UNCLASSIFIED FOR OFFICIAL USE ONLY uTL 027 05 10 July 2007 4 10 U Exiting a Security Level Introduction U FOUO The SSO operator can exit the current security level returning to no security level Certain menu choices are only available when the TACLANE is not in a security level Note U FOUO The following notes apply to exiting a security level e Only the SSO can access this command Procedure U FOUO Follow these steps to exit a security level Step Action l From the MAIN MENU select Operation gt Security Level Result The following screen is displayed GENERAL DYNAMICS TACLANE Micro Revision 3 3 Device Name TACLANE Micro Serial Nu
225. uly 2007 U Connecting Networks at Different Security Levels continued Multiple Gateway Configuration U FOUO In this example there is a Secret IP network 148 10 and an Unclassified IP network 190 5 There are Unclassified hosts Host A1 homed on the Secret network that need to communicate with the Unclassified network and there are Secret hosts Host D1 homed on the Unclassified network that need to communicate with the Secret network U FOUO To provide the needed connectivity two TACLANEs are configured between the routers Router S2 and Router U1 each TACLANE within its own IP network the Unclassified TACLANE TACLANE B is on 140 4 0 0 and the Secret TACLANE TACLANE C is on 140 5 0 0 The enclave of Unclassified hosts on the Secret network must be contained within a separate IP network 148 12 0 0 Similarly the enclave of Secret hosts on the Unclassified network must be contained within a separate IP network 188 2 0 0 Note that the positioning of the TACLANE to the left or to the right of the IP routers serving 148 12 0 0 Router S1 and 188 2 0 0 Router U2 does not matter U FOUO The IP routers connected to the two TACLANEs are configured to route traffic to the correct TACLANE based on destination IP network The Secret router Router S2 is configured to route IP destined for 188 2 0 0 via the 140 5 0 0 network and to default route to the 140 4 0 0 network The Unclassified router Router U1 is con
226. uly 2007 U FOUO The following table identifies the base part numbers for other TACLANE versions Base Part Number TACLANE Version amp Description 0N649470 1 AC 0N649470 2 DC TACLANE Classic KG 175 supports 10Mbps IP Ethernet and ATM DS3 up to 45 Mbps rate encryption rear panel shows RJ 45 AUI and BNC connectors 0N649470 3 AC 0N649470 4 DC TACLANE GBSI KG 175 supports ATM OC3 encryption up to 45 Mbps rate rear panel shows MT RJ connectors IN649470 7 AC IN649470 8 DC TACLANE AUS KG 175 Australian version of the TACLANE Classic N649470 9 AC N649470 10 DC TACLANE CAN KG 175 Canadian version of the TACLANE Classic IN649470 18 DC TACLANE NZL KG 175 New Zealand version of the TACLANE Classic IN649470 5 AC IN649470 6 DC 0 0 0 0 0N649470 17 AC 0 0 0 TACLANE E100 KG 175 supports IP Ethernet 10 100 Mbps encryption rear panel shows MT RJ and RJ 45 connectors 0N649470 13 AC TACLANE E100 AUS KG 175 0N649470 14 DC Australian version of the TACLANE E100 0N649470 15 AC TACLANE E100 CAN KG 175 0N649470 16 DC Canadian version of the TACLANE E100 0N649470 19 AC TACLANE E100 NZL KG 175 New 0N649470 20 DC Zealand version of the TACLANE E100 0N684240 1 TACLANE GigE KG 175A 0N649755 1 TACLANE Mini KG 175B 1 6 U Programmable Imag
227. value U FOUO The default setting for this parameter is Disabled U FOUO The DF Bit bypass parameter can only be configured by the SSO U FOUO The following notes apply to configuring the DF Bit bypass parameter e Only the SSO has the privilege to configure the DF Bit bypass parameter e An audit log entry is generated when the DF Bit bypass parameter is modified U FOUO The DF Bit bypass parameter can be configured as either Enabled or Disabled The default setting for this parameter is Disabled Note that the bypass is from PT to CT but not in the opposite direction U FOUO When the DF Bit bypass is set to Disabled the DF bit in the CT IP header is always set to the value in the Bit Setting parameter U FOUO When the DF Bit bypass is set to Enabled the DF bit in the CT IP header is set to the incoming DF bit value bypass Continued on next page 7 13 UNCLASSIFIED FOR OFFICIAL USE ONLY Interface amp Operator s Guide UNCLASSIFIED FOR OFFICIAL USE ONLY uTL 027 05 10 July 2007 U Configuring Don t Fragment DF Bit Bypass continued Procedure U FOUO Follow these steps to configure the DF Bit bypass parameter Step Action l From the MAIN MENU select Security gt Traffic Flow Security gt Bypass Result The following screen is displayed GENERAL DYNAMICS TACLANE Micro Revision 3 3 D Name TACLANE Micro Number A000300400A8 Security Level Unclassified Device Stat
228. w e RFC 1213 e System Group e RFC 1573 e Interfaces Group e IP Group IP address table only U FOUO GEM X provides remote security management of TACLANEs using the TACLANE Enterprise MIB Services for TACLANEs include e TACLANE discovery When configured to do so a TACLANE automatically attempts to contact its authorized manager upon startup e IP PPK assignments e Audit data upload TACLANE can store a maximum of 2 048 audit entries e Remote TACLANE static routing table download e Changing the system date and time for TACLANEs e Remote online offline restart control e Trap management TACLANE sends audit data exceeds threshold and low battery SNMP traps e Configuring an Access Control List ACL which is a list of up to 256 KMIDs with which the TACLANE can set up security associations U FOUO GEM X also provides network management of TACLANE protected network elements using SNMPv3 Please refer to the appropriate GEM X Operator s Manual for more information on configuring the TACLANE fronting the GEM X and for more information on GEM X U FOUO The following notes apply to a local HMI operator configuring the network manager parameters e Only the SSO can configure a network manager Continued on next page 8 27 UNCLASSIFIED FOR OFFICIAL USE ONLY Interface amp Operator s Guide UNCLASSIFIED FOR OFFICIAL USE ONLY uTL 027 05 10 July 2007 U Configuring the Networ
229. work or target U FOUO In addition to defining remote TACLANE static routes for particular IP network addresses the TACLANE operator can also define one default static route to a remote TACLANE U FOUO The operator may define a remote TACLANE routing table to associate destination IP networks identifiers with remote TACLANEs e Up to 1024 route entries may be defined Entries are pooled across all security levels A default route may be defined as one of the route entries which supersedes all other routes e Entries consist of a remote TACLANE CT IP address remote TACLANE PT IP address destination network ID and prefix length When the target destination is in the destination network then use the TACLANE at the specified TACLANE CT address e The TACLANE may include routes to itself which will be ignored This enables a common static routing table to be used for a group of TACLANEs Common static routing tables reduce configuration burden and complexity It is recommended that these routes be included even when a CT default route is defined e Multiple destination IP networks identifiers may be associated with the same remote TACLANE IP address thus a TACLANE may protect multiple subnets or targets e Validation checks on table entries include e No duplicate table entries no two entries with the same network ID and subnet mask The same network ID may be defined in multiple entries as long as the subnet masks are di
230. work that is in the router s routing table 6 18 UNCLASSIFIED FOR OFFICIAL USE ONLY Interface amp Operator s Guide UNCLASSIFIED FOR OFFICIAL USE ONLY uTL 027 05 CT Default Gateway or ARP Used to Deliver CT IP Traffic Network ID Prefix length and Static Routing Notes Procedure 10 July 2007 U FOUO If the optional CT default gateway IP address is configured all off net encrypted CT IP traffic will be delivered to the CT default gateway U FOUO If the optional CT default gateway is not configured TACLANE will ARP for all off net destination IP addresses for encrypted CT IP traffic Assumes proxy ARP support in CT routers Proxy ARP allows a router to reply to a received ARP request for a host in a network that is in the router s routing table U FOUO When a CT default gateway is defined it is recommended that a route for the local TL protected network also be included in the static routing table U FOUO The TACLANE does not have to be restarted after changing static routing table entries However the SAs that used modified or deleted entries will still exist These can be removed manually or by restarting U FOUO The following notes apply to configuring remote TACLANE static routes e Routes can be associated with subnets portions of subnets or specific host addresses The granularity of scope is controlled by the prefix setting U FOUO Follow these steps to configure re
231. y number of enclaves in a community The case where the high value enclave is protected by two or more TACLANEs and client enclaves are each protected by a single TACLANE is referred to as single ended redundancy The case where every enclave is protected by two or more TACLANEs is referred to as double ended redundancy U FOUO The level of TACLANE redundancy that is required at a TACLANE protected enclave is typically two TACLANEs Some user communities have a requirement to protect a high value enclave with as many as six TACLANEs The configuration will also incorporate router redundancy if the redundancy requirement extends beyond TACLANE to the router on the Plaintext PT side The redundancy requirement usually includes the capability to load balance between the redundant TACLANEs that protect an enclave when more than one TACLANE is operational U FOUO Currently TACLANE does not have an internal redundancy function The TL operator must rely on routing protocols to implement TACLANE redundancy The examples in this section are limited to the configuration of Cisco Systems Generic Routing Encapsulation GRE tunnels and a routing protocol running on PT routers as a means to provide TACLANE redundancy Other TACLANE redundancy configurations may be possible e g using the Virtual Redundant Router Protocol VRRP or Cisco Systems Hot Standby Routing Protocol HSRP but they have not yet been tested by General Dynamics U F
232. yed GENERAL DYNAMICS TACLANE M cro Revision 3 3 me TACLANE Micro Serial Number A0003004004A8 vel Unclassified Device State Secure Comm gt gt Security gt gt 5A Configuration 550 Disabled Security Association Configuration Operation Maintenance Host Administrative Timeout in minutes 720 Key Management Daily MTEK update ENABLED 6 26 UNCLASSIFIED FOR OFFICIAL USE ONLY Interface amp Operator s Guide UNCLASSIFIED FOR OFFICIAL USE ONLY uTL 027 05 10 July 2007 7 0 U CONFIGURING IP TRAFFIC FLOW SECURITY PARAMETERS General Notes U FOUO The TACLANE includes IP Traffic Flow Security TFS features that are required by the HAIPE IS Traffic Flow Security specification When configured appropriately the IP TFS features in the TACLANE prevent reduce compromise of sensitive information due to certain types of attacks This chapter explains how each IP TFS parameter may be configured by the Site Security Officer SSO and how the IP TFS configuration information can be displayed U FOUO There are important security and performance trade offs that should be considered when enabling and disabling TFS countermeasures For descriptions of these trade offs along with recommended network and equipment configurations that minimize security risks please refer to the TACLANE Security Features Users Guide U FOUO TFS configuration update has been extended to allow online updates o
233. yed in the initialized offline or secure comm mode Procedure U FOUO Follow these steps to display the ACL Step Action 1 From the MAIN MENU select Security gt Access Control List Result The following screen is displayed GENERAL DYNAMICS TACLANE Micro Revision 3 3 Device Name TACLANE Micro mber 400030040048 Security Level Unclassified evice State Secure Comm gt gt Security gt gt Access Control List 550 Disabled Access Control List Operation gt BY Access Mode DISABLED gt f Total KMIDs 5 lt lt Prev Next gt gt Key Management i Firefly Yector Set KMIDs Network gt SSS 000000000001000 Security 4 ooo000000002000 System Sy oooo00000003000 000000000004000 000000000005000 lt lt Prev Next gt gt 8 25 UNCLASSIFIED FOR OFFICIAL USE ONLY Interface amp Operator s Guide UNCLASSIFIED FOR OFFICIAL USE ONLY uTL 027 05 10 July 2007 8 5 U Configuring the Network Manager Introduction CT vs PT Side Management Network Managers U FOUO The SSO operator can configure the TACLANE to be managed by a remote network manager The operator can configure up to nine network managers For each manager the SSO operator configures the following parameters manager name password U FOUO For each manager the SSO operator may configure the following notification traps parameters Enable Disable defaulted to Enable
Download Pdf Manuals
Related Search