Tracker Security Overview

Tracker Overview

The Tracker provides a powerful, flexible and reliable platform for the management of remote equipment. With its' access control tools, intelligent monitoring capability and range of connectivity options covering serial, modem, Ethernet and digital I/O, the Tracker allows you to manage all your on-site equipment from one access point.

The Tracker combines the latest low-power, high performance processors with integrated communications and a prodigious storage capacity to deliver a reliable, solid state control platform ideally suited as a remote management system for the demanding service provider.

• Low power consumption: Without any need for fans or special ventilation the Tracker runs cool to the touch, this translates to improved reliability and minimal environmental impact.
• Solid state: with no moving parts the Tracker will deliver a reliable service 24 hours a day, 365 days a year for many years, without requiring maintenance.
• Integrated UPS option: As a critical part of your communications infrastructure, the Tracker will continue to provide access and control for your systems for up to 12 hours after power loss.
• High capacity solid state storage: With support for integrated Compact Flash modules of up to 4Gb you can collect and store data, local backups or complete boot images on site, safe in the knowledge that it will be there when you need it.
• Single box solution: With integrated modems, network adaptors, serial ports and digital contacts all in one box, the Tracker provides a powerful one-box solution for your remote management service.

Read more information about the Tracker 2700 series

Tracker Models

There are a number of models in the Tracker range. They have similar capabilities and share the same software kernel. Some features have been added to later models and are not supported on the original Tracker 2700. The range includes

• Tracker 2700 - the original unit has been superseded by the Tracker 2750 and 2740 range.
• Tracker 2720 - this is a secure modem that acts as a key into a remote Tracker
• Tracker 2730 - this is a secure modem that acts as a lock at a remote location
• Tracker 2740/41/45/46 - a range of low cost remote access platforms for network management and system administration
• Tracker 2750 - an expandable unit with nine slots to hold a range of plug in card modules that enable you to tailor the hardware to suit an application

Tracker Security Introduction

This document provides an overview of the security features included within the Tracker series product line as well as some of the security considerations associated with its use. Security capabilities such as Point-to-Point Tunnelling, the built-in packet filtering firewall, two factor authentication, restricted answering and limiting system services will be described.

A corporate information strategy will not be effective unless IT administrative services are protected through processes that safeguard voice and data network infrastructure devices against malicious attacks. Trackers provide a secure, consistent, auditable environment for system and network administrators to remotely access network devices and to perform daily tasks without the fear of the system being compromised.

Trackers can be easily integrated into IT infrastructure, complementing and adding to corporate network security. However it is important to note that Trackers are not edge devices and are designed to operate behind firewalls; they are not intended to replace firewalls. The level of security provided by Trackers is more than adequate for a device that operates behind a firewall and provides a very high degree of protection against attacks that may originate from within a network.

Some Trackers have been security approved by the US and UK Governments. Under the UK ITSEC scheme, the Tracker 2700 has achieved an E2 Assurance Level. The Tracker 2700, 2720 and 2730 products have received Information Assurance Accreditation from the US Government's Defence Information System Network (DISN) Security Accreditation Working Group.

Tracker Hardware And Operating System

Trackers consist of proprietary hardware designed and manufactured by Data Track and an operating system based on a customized version of Linux. The use of a non Intel processor ensures that the Tracker is not susceptible to the common forms of security attack associated with Intel processor based hardware platforms.

The operating system is based on Linux version 2.0.38; but has been heavily modified to allow the kernel to run on the proprietary Tracker hardware. Specific modules were carefully selected from standard Linux so that only those modules absolutely necessary for the functionality required on the Tracker have been included. The kernel includes a custom loader; this ensures that only modules compiled by the Tracker-specific compiler are loaded into the system. Consequently, each module included in a Tracker consists of a non-standard set of code customized to work with the proprietary hardware platform.

The operating system is maintained independently from publicly available Linux code so is immune to security problems that may be introduced in such code. The only method of accessing the Linux operating system is through the Root password. Non root users run secure menus and have no access to the system files. Even if the system were to crash in normal operation it would not be possible for these users to get to the Linux system prompt.

This approach enables the Tracker hardware platform to have a number of significant improvements over a conventional Linux based system:

• Improved reliability: By removing features and tools that have no relevance to the operation of a Tracker, the operating system is not only significantly smaller, but there is much less to go wrong.
• Better security: Many of the original Linux libraries have been modified to tighten the system security. For example if a user provides invalid credentials three times in a row, the system will drop the connection and raise an alarm.
• Quick start-up: The Tracker is impressively quick off the mark. Power-up and you can be logged in under a minute. Restarting the system after a configuration change takes less than 30 seconds.
• Enhanced access control features: Several changes have been made to the operating system to enhance access control. For example you can dynamically modify a firewall rule to allow access and have it automatically expire after a predetermined time.
• Simplified management: The complex scripts normally associated with starting Unix systems has been replaced with a single start-up file and the naming convention, location and structure of configuration files has been rationalised to significantly simplify system management.

The operating system can be updated remotely by a user having Root password privileges. The new operating system does not overwrite the current system unless it has been successfully uploaded.

Trackers do not allow the execution of user generated shell scripts. User programs to extend the application set in Trackers are restricted to the Python run-time environment that is included in the system.

Tracker System Services

Standard Linux services that are not required by the Tracker. Services that are required have been removed. Services that are required have been hardened to make them very secure in operation; many of the known problems associated with standard operating systems have been eradicated.

A list of services that are enabled during Tracker operation are shown in the appendix to this document. Where relevant, a discussion of the security implications of each of these services is presented. For a full description of the Tracker operation please refer to the Tracker Reference Guide.

Restricted Shell Environments and User Commands

Trackers include the ability to restrict not only the menu and shell environments that users are presented with whenever they logon but also the commands available in the shell environment on a user by user basis.

Access Control

The Tracker can be accessed in one of three ways; local console, modem or network. Each of these is described below along with their associated security features.

Local serial console

The local console provides a VT100 compatible terminal interface for direct local connection to the Tracker. Access is secured by username and password.

Security Features:

• The local console is normally only used for initial configuration and can be disabled if required.
• Auditing facility allows command line activity to be logged.
• Day to day configuration is restricted to menu based interface that limits system access and provides an audit of changes made.

Modem

Where one or more modems are fitted, the Tracker can be configured to accept conventional data calls or inbound dial-up network connections. Significantly, unlike a conventional RAS server, the Tracker will allow one modem to accept either type of call.

Security Features:

• Where CLI is provided, incoming calls can be restricted to one more specific originating telephone numbers.
• Incoming calls can be restricted to Terminal only, Dial-up Network only or disabled altogether.
• Dial-up network connections are subject to PPP authentication. The Tracker assigns an IP address to the connecting host based on the PPP user credentials. This feature, combined with the IP firewall facility allows network traffic to be restricted to selected devices depending on the credentials presented. For example, a 3rd party maintainer can be restricted to accessing a specific network device behind the Tracker, and be unable to access the Tracker itself.
• Customised dial-back behaviour can be developed to meet specific customer requirements.

Network

Network connectivity to the Tracker can be established via either physical Ethernet ports or dial-up PPP connections. The Tracker can be configured to host Telnet, SSH, FTP or data collection services. Additionally network traffic can be selectively forwarded through the Tracker to local network devices.

Security Features:

• Packet filtering firewall allows control of network traffic to or through the Tracker. Timed firewall rules allow temporary access to network devices using modified firewall rules that will automatically expire after a fixed period.
• With two Ethernet ports, the Tracker allows separation of Equipment and corporate networks with firewall controlled access between the two if required.
• Support for encrypted tunnels using Point-to-Point Tunnelling Protocol (PPTP) and strong Microsoft Point-to-Point Encryption (MPPE).
• Users accessing the Tracker via Telnet, SSH or FTP are authenticated using a username and password. SSH provides a fully encrypted alternative to Telnet terminal sessions.
• User accounts can be restricted to allow Telnet access to menu based interfaces that restrict access to specific equipment. Alternately a user can be configured to connect transparently to local equipment using either serial or Telnet connections. Network Address Translation (NAT) allows outbound connections from managed network devices without exposing the host addresses.
• Local Telnet and FTP services can be disabled if necessary.
• Where command line access is required for a user, the commands available to them can be restricted on a user by user basis.

Authentication

System Login

Regardless of the method used to connect to the Tracker, the system requires that users authenticate themselves by use of a Username/Password combination as a minimum; additional authentication is available and is described later in this document. The Username/Password combination defines the access rights that individual users are allowed. Any number of Username/Passwords combinations can be provided each with their own access rights. On successful login users can be provided with a whole variety of access privileges including

• Being directed to a single serial port for a 'talk through' session
• Being directed to a single port at an IP address on a network
• Being presented with a secure menu system (see below)
• Being able to collect stored data such as CDR records
• Being able to configure elements of the Tracker configuration e.g. serial ports

Or any combination of the above. Administrators can be given access to the Tracker itself to configure many of its parameters including IP addresses, serial port configuration, system clock, etc. The Tracker firewall and other highly sensitive areas are only available through the Root password system.

Secure Menu System

Users can be directed to a secure menu system depending on their Username/Password. Any number of menus can be designed and associated with a Username/Password combination. A sample of such menus is shown below.

It is only possible to select one of the options shown. The menus are written using the Python Scripting language; it is not possible to break out of the menu system to the Linux operating system even if the unit were to crash.

Two Factor Authentication

Data Track offer two factor authentication for modem dial up using a special Data Track developed modem called a Tracker 2720. The advantage of this system is that it can be easily integrated into an existing communications infrastructure with no software change required; it is a device to device authentication mechanism that requires no human intervention.

Figure 1: Tracker 2720 Challenge/Response Authentication System

The Tracker 2720 Modem is designed to provide a high level of security for dial up connectivity by restricting incoming access to only those Trackers that have been both pre-programmed with an appropriate symmetric encryption key and included in an access control list of the terminating Tracker.

The lock and key security mechanism employed uses the AES symmetric key encryption algorithm with a 64 character key to provide secure authentication between a Tracker 2720 Modem and a remote Tracker. The Trackers at both ends of the connection must each be pre-programmed with an identical key before a secure link can be established between the two devices.

Since the keys form the basis of the security architecture, it is imperative that they are protected to ensure the integrity of the security mechanism.

Access Control

Each Tracker 2720 Modem is pre-programmed with a unique 10-digit identifier at the factory that is used to identify itself to a remote Tracker during an authentication session. Once it has been factory programmed into a Tracker, this identifier can be read but not changed. Fields within the identifier are used to depict group membership as well as unique identity. They are defined as follows:

• The first four digits identify group membership
• The last six digits identify the serial number of the Tracker 2720 in that group

Remote Tracker 2730/2700 devices contain two separate lists that are used to control access to the device. The two lists are the Standard Key Access and Deny lists and the Master Key Access and Deny lists.

Handshake

Successful authentication is dependent on both devices being preconfigured with an identical key. In addition, the 2730 or 2700 device's access control list must be preconfigured with the 10 digit identifier of the 2720 Modem(s) that are allowed access.

The authentication and access control process is described below.

• The Tracker 2720 (KEY) acts a standard modem issuing typical AT type commands input via a serial interface and is used to call a Tracker 2730 or 2700 (LOCK) using a PSTN line. The modems answer and establish a communication link as typical modems would.
• The Tracker 2730 or 2700 then issues a 'challenge' to the Tracker 2720.
• The composite message issued by the 2730 or 2700 is received by the Tracker 2720 and is decrypted using its pre configured key.
• The Tracker 2720 Modem then takes this decrypted message, adds its own 10 digit ID in the message, re-encrypts it using its key and sends it back to the 2730 or 2700 as a response.
• The Tracker 2730 or 2700 receives the message, decrypts it using its key and extracts the Tracker 2720 Modem's ID from the message.
• If both the 2720 Modem and 2730 or 2700 are pre configured with identical keys then the first stage of authentication will be successfully completed.
• In the second stage the 2730 or 2700 device then compares the extracted 2720 Modem ID against its local Access and Deny lists to verify whether the incoming 2720 Modem is an authorized unit.

In the case of the 2700 if the Tracker 2720 Modem is included in the standard access list it is granted access to the Login prompt. The user will now have to input a valid Username/Password combination; this will define the access rights granted.

In the case of the Tracker 2730, if the Tracker 2720 Modem is included in the Standard Access Control List, it is granted access to the serial port of the 2730 device, and to communicate with the connected equipment.

If the Tracker 2720 Modem ID is included in the Master Access Control List, it is granted access to the 2730 itself so that an administrator can configure it.

Restricted Answering

A Tracker can be configured so that its internal modem(s) only accept calls from specific telephone numbers or groups of telephone numbers. When a call is made to a Tracker with this feature enabled it will check the incoming CLI/ANI against a list of pre defined numbers. If the incoming call is not from one of these then the call will not be answered. The restricted access capability requires that CLI/ANI be enabled on both the originating and local phone lines.

Within the Tracker, this security feature is controlled by entries included in the modemx.dial.conf file and is used by the mgetty daemon to determine whether or not an incoming call should be answered on the specified modem. For further details refer to the Tracker Reference Guide.

Reducing Susceptibility to War Dialling Attacks

War dialling is the process of attempting to identify modems so that attached equipment can be attacked and compromised. Hackers usually run War Dialling programs against all numbers in an exchange. During this process, the war dialler program automatically dials each phone number in a pre defined list and identifies numbers that may have modems to exploit. Some of these programs even run predefined scripts of a list of usernames and passwords to attempt to gain access to the system.

Use of the restricted answering option eliminates the susceptibility of Trackers to war dialling attacks.

IP VPN Connectivity

A Tracker can communicate over one or more of its Ethernet connections using industry standard IP protocols. Hackers can use various tools to monitor traffic looking for passwords or other sensitive data. To minimize the security risks associated with communicating over networks carrying IP traffic, Trackers can be configured to use the Point-to-Point Tunnelling Protocol (PPTP). This will establish a secure encrypted tunnel or virtual private network (VPN) connection from a remote client over an existing public or private wide area network (WAN).

To authenticate to the Tracker, the remote system must be configured with Microsoft Challenge Handshake Authentication Protocol version 2 (MS-CHAP v2) and 128-bit MPPE stateless encryption. During the PPTP connection process, the Tracker assigns an IP address to the remote computer after it has successfully authenticated. This allows administrators in a remote location to establish a secure connection over the Internet to a Tracker and feel comfortable that the security of the device and the connected network are not at risk of compromise from a malicious intruder.

Encryption

PPTP

The Point-to-Point Tunnelling Protocol (PPTP) is a protocol that allows Point-to-Point Protocol (PPP) connections to be tunnelled through an IP network, creating a Virtual Private Network (VPN). Microsoft implemented its own algorithms and protocols to support PPTP. This implementation of PPTP, called Microsoft PPTP, is used extensively in commercial VPN products precisely because it is already a part of the Microsoft Windows 95, 98, NT, 2000 and XP operating systems. Provisioning a Tracker to accept VPN tunnel terminations also requires packet-filtering rules to be added to the built in firewall.

SSH

The Tracker features both server and client Secure Shell (SSH). SSH is a set of standards and an associated network protocol that establishes a secure channel between a local and a remote computer. It uses public-key cryptography to authenticate the remote computer and (optionally) to allow the remote computer to authenticate the user. SSH provides confidentiality and integrity of data exchanged between the two computers using encryption and message authentication codes. SSH is typically used to login to a remote machine and execute commands, but it also supports tunneling, forwarding arbitrary TCP ports; it can transfer files using the associated SFTP protocol.

Built-in Packet Filtering Firewall

Trackers include a built-in IP packet filtering firewall that is based on the standard Linux IPFWADM packet filtering mechanism that was included in the original Linux kernel version 2.0.38. IP packet filtering is the process of controlling network packets as they enter, move through, and exit the network stack within the kernel. This mechanism can be used to control access to a Tracker by restricting input and output network traffic and is achieved by applying the appropriate filtering rules to each of the available network interfaces on the device. This packet filtering mechanism is used extensively within Trackers to restrict access to the device as well as any of the attached managed devices.

Default Packet Filtering Rules for the Tracker

The default settings for the Tracker 2700 firewall configuration are shown below.

# "flush" all of the forwarding commands
ipfwadm -F -f
# add a rule to accept packets for forwarding from any address and masquerade to wherever they are going
ipfwadm -F -a accept -m

This reflects a very passive security stance and if unchanged generally allows access from any hosts into the device. Users concerned with restricting unwarranted access are advised to adopt a more aggressive security stance and deny all connection requests except those that have explicitly declared in a packet-filtering rule.

Provisioning a Tracker with managed devices, PPTP VPN tunnels, or PPP dialup access causes some packet filtering rules to automatically be added to the firewall rule set.

Audit And Logging

Trackers include extensive logging facilities that record activities associated with many of the background services operational in the device. These log files are useful in identifying problems as well as suspicious activity within the system. Tracker log file are restricted in size and wrap around when full. Each log file is stored in the "var/log" directory. A list of the logging facilities available within a Tracker is provided in the appendix.

Conclusion

The Tracker series provides an organization with a platform for secure, consistent administration of network devices. The features and benefits delivered by the system are essential components of well-managed voice and data networks. In addition, the layers of defence against attacks provide the highest level of protection against compromise of the Tracker series or the administrative interfaces of any network devices connected to it.

Appendix 1 System Services

actd

actd is a service which monitors alerts generated on a Tracker and determines what actions (if any) are needed to be performed for each alert before the alert is made available for delivery by the service. The actd and alertd daemons must both be running if alerts are to be delivered. There are no configuration files associated with actd.

alertd

The alertd service provides a message delivery facility to a network management system such as the Data Track Alarm Management System (AMS). alertd is normally configured to start automatically by including it in the "/etc/config/task.conf" file.

digmond

The digmond service monitors the status of the Trackers 16 digital inputs. It is normally configured to start automatically by an entry in the task.conf file. Configuration of alerts in response to changes in the state of the digital inputs is done through the digital.conf file.

fifod

When the logd service is operating in fifo (first-in-first-out) collection mode, fifod provides a network service that makes data available for real-time access by a remote application. The remote application connects to the service and retrieves data using a simple request acknowledge protocol. fifod will remove data from the fifo buffer file only when the remote application acknowledges receipt. The service is normally started through an entry in the "/etc/config/inetd.conf" file.

ftpd

ftpd is the Internet File Transfer Protocol server process. The server uses the TCP protocol and listens at the port specified in the "ftp" service section of the "services" configuration file located in "/etc/config".

ipforwd

The ipforwd service controls networking between the Tracker's network interfaces. By default, IP forwarding is turned off.

logd

The logd service provides the data collection facility for any of the Tracker's serial ports. Three modes of data collection are supported; static, overwrite and fifo. For a given serial port, only one mode of data collection can be in effect at any given time. The logd process is started automatically through an entry in task.conf

With static collection, received data is written to a file named data.raw located in a directory associated with the serial port. For serial port 1 for example, the file will be located in the /data/serial 1 directory. The file is available for download via FTP and data collection ceases when the file reaches its configured maximum size.

Overwrite collection is similar to static collection except that when the file reaches its maximum size, the oldest data is overwritten by the new data.

Fifo collection differs from static and overwrite type collections in that the collected data is available for reading in real-time via a fifo network service called fifod. If the remote PC or network link fails, the data is buffered until the connection is re-established. The fifo file is created in a directory associated with the serial port.

The operation of logd is controlled by task.conf and serial.conf files and is typically configured to start automatically at startup by including an entry in the /etc/config.task.conf file.

mgetty

mgetty is the process that monitors modems for incoming calls. It answers the phone and controls the process of giving remote users either a terminal type connection or a dial-up networking connection using PPP. The mgetty.conf file defines the settings for the mgetty process. Mgetty is normally configured to start automatically by including an entry in the "/etc/config/task.conf" file.

pingd

pingd is a service which is designed to monitor the connection status of a number of remote network hosts by PINGING each host at a regular interval. The list of hosts to monitor is specified in the associated "ping.conf" file along with the monitor interval and maximum response time allowed for each. The activity of pingd is monitored in the log file "/var/log/pingd.log"

pppd

Trackers utilize the pppd service to provide dialled up network connections. The pppd daemon makes use of the configuration files ppp.modem1, ppp.modem2 (if fitted) and "/etc/config/ppp.secrets" to control the communication link between an incoming request and the service.

pptpd

The pptpd service implements the PPTP tunneling protocol within the Tracker. By default, the PPTP daemon (pptpd) in a Tracker is configured to only accept incoming connection requests that have been configured with the Microsoft Challenge Handshake Authentication Protocol version 2 (MS-CHAP v2) and MMPE 128 bit encryption. Consequently, no PPTP incoming connection requests utilizing either PAP, CHAP or MS-CHAP v1 authentication will be authenticated. Furthermore, incoming client requests configured with weaker encryption key lengths, e.g. 40 bit keys, will be rejected. The Tracker pptpd daemon calls the pppd daemon with the options contained in the "/etc/config/tunnel.conf" file.

pushdf

The pushdf daemon is intended for scheduled invocation of the pushf command. The configuration file is located in the "etc/config/pushfd.conf" file. The pushf command is used to deliver arbitrary files to a specified FTP server.

snmpd

snmpd is an SNMP agent which binds to a port and awaits requests from SNMP management software. Upon receiving a message, it processes the request(s), collects the requested information and/or performs the requested operation(s) and returns the information to the sender.

tcplogd

The tcplogd service provides a facility for collecting data across a network using TCP/IP with or without a data transfer protocol. Configuration of the tcplogd process is started automatically through an entry in the task.conf file.See the appropriate Tracker reference guide for details.

telnetd

The telnetd daemon supports the standard Telnet virtual terminal protocol.

trapcatd

trapcatd is service designed to receive SNMP traps from network devices, convert UDP packet data into an ASCII representation and direct these alarms to an application designed to recognize and process that specific type of data. SNMP traps are UDP packets that contain, amongst other things, the following information:

• SNMP object id information which uniquely identifies the type of trap and the type of device that generated it
• The IP address of the device that generated the trap
• A series of values for each of the data fields defined for the particular trap type. Each trap type will have a varying number of fields.

Generally each type of device has one type of trap that is used to deliver its alarms. The content of the trap identifies the type of alarm. The field content and layout for the trap is defined in the MIB supplied by the manufacturer of the equipment. The MIB is used by Data Track to write an application to process that specific type of trap.

Using the associated configuration file trapcatd.conf, the service can be configured to capture a maximum of 8 trap types, from a maximum of 8 managed devices. Received traps are converted into text and delivered to an application designed for that type of data. It takes each trap from the capture file, extracts the field content and applies the user defined rules to determine if the trap data should be delivered to the central management system as a Tracker alert. The user can determine how much or how little of the trap data is delivered when they write the rules.

Appendix 2 CESG Certificate

Appendix 3 JITEC Test Report

Data Track IA Re-Test Results

Product: Data Track 2700
Date: 23-27 May 05

The IA team first tested the Data Track 2700/2720/2730 solution between 02 Nov. 2004 and 04 Nov. 2004. The following document outlines the retest results for this solution. The retest was conducted during the week of May 23, 2005. This document will include any initial findings that remain. The network diagram is shown below (Figure 1).

As a result of the retest, several findings were removed in the Phase I portion of testing.

During the initial IA Phase I testing, there were one High Risk, 13 Medium Risk, and 18 Low Risk findings for the GR-815.

During the re-test, there was no High Risk, five Medium Risk and six Low Risk findings for the GR-815.

During the initial IA Phase I test, the Oct-2004 version of the Windows 2000 and Windows XP Golddisk were run on the associated laptops provided by Data Track. It should be noted that the solution that Data Track supplies to the sponsor does not include these laptops. It was determined that a Data Track provided laptop, properly STIGed, would be sufficient to perform the retest. The Data Track solution does not include any vendor provided Windows application software. The access method from the laptop is via Microsoft OS provided applications (VPN). The laptop was STIGed with the latest Windows XP Golddisk (May-2005).

During the initial Phase II testing, there were no vulnerabilities discovered. During the retest of Phase II, there were also no vulnerabilities discovered.

It should be noted that IA accreditation of this solution will include the 2720/2730 security devices as well as the 2700 Data Tracker.

I. System Description

A. Tracker 2700

The Tracker 2700 is a security appliance built upon a proprietary version of the Linux operating system and Data Track system applications. It is used to monitor building alarms, Simple Network Management Protocol (SNMP) traps from routers and Private Branch Exchanges (PBX's), other switch types, or collect Call Detail Records (CDR's).

• Software Version: 10236
• Serial # 12030153
• IP Addresses used: Factory defaults 192.168.1.1, 192.168.2.1

B. Tracker 2720

The Tracker 2720 key acts as a modem obeying "Hayes AT" type commands input via a serial interface. It can be used to call remote equipment using a Public System Telephone Network (PSTN) line. It will be programmed with a 64 character secret code and a unique 10 digit identification. If it is used to call a standard modem then it will operate as a normal modem would. If it is used to contact a remote Tracker 2730 or Tracker 2700 (with the equivalent security mechanism enabled) then it will need to use its secret and ID to respond to a challenge generated by the remote Tracker.

• Software Version 1.0.3
• Serial #02040006
• Key: 9999000003

C. Tracker 2730

When the 2720 is used with the Tracker 2730, the 2730 acts as a "lock". When a Tracker 2720 with standard access is used to contact a Tracker 2730 it will authenticate and provide access out on the serial port only.

• Software Version 1.0.3
• Serial #02040025
• Lock: 9999000101

GR-815 Compliance - Tracker 2700

The GR-815-CORE-2 compliance matrix was applied to the Tracker 2700 box and associated companion equipment (2720/2730).

HIGH RISK

• None

MEDIUM RISK

• A new user is not prompted to change password R3-31 [19]

Data Track: User can never change password, Admin personnel must schedule and change all passwords.

• No password aging feature R3-32 [20] See above.
• No advisory warning banner for unauthorized entry/use R3-83 [51]

Data Track: This has been added in a late release of software.

• Security logs can be deleted by "root". R3-115 [79]

Data Track: Logs can be removed on a routine basis and stored on a secure server. Any deletion is recorded in the log. Auditor can keep logs secure off Tracker using standard security tools.

• No immediate real-time notification if security log fails to record R3-123 [87]

LOW RISK

• No ability to disable a user profile after an inactivity time interval R3-8 [221]
• No waiting period for updating existing password R3-37 [24]

Data Track: Users can't update their own passwords, Administrator must enforce all rules.

• The lock-out duration shall not be longer than 60 seconds when the threshold for incorrect user-entered information has been exceeded. R3-80 [48]
• No tuneable lock-out duration R3-81 [49] See above.
• No default suspension of user-ID for incorrect user-ID information R3-82 [50]
• No capability to specify conditions for uploading security files R3-161 [128]

Data Track: Security files can be polled or FTP transferred to secure locations, but it is true that it can not be based on specific events, except polling

IP VULNERABILITIES

Testing of the Data Track Tracker 2700 was performed according to the standard testing methodology: determine open TCP and UDP ports, run vulnerability scanning tools, verify if the vulnerabilities found with the tools are valid, and finally examine all aspects of the system for additional vulnerabilities. During testing of the 2700 no vulnerabilities were found. The following paragraphs describe briefly the steps taken during testing of the 2700.

The first step of testing was port scanning of both Ethernet interfaces of the 2700. After scanning the test team found that only one TCP port was open on only one of the interfaces (TCP 1723). This port was used for inbound Point-to-Point Tunneling Protocol (PPTP) communication. Once a VPN session was established, connections were established outbound from the other interface of the 2700. Both Retina and Nessus vulnerability scanning tools were used to scan the application running on this port and no vulnerabilities were found. In addition, tools were used to send large amounts of random data and malformed PPTP data to this port to determine if errors could be caused. The 2700 did not suffer any adverse affects from the random or malformed data.

In addition to the Tracker 2700 itself, one laptop was used in the configuration at the JITC lab. This laptop was not technically part of the solution as no application specific software was installed on the machines; they were simply used to demonstrate the functionality of the modem and VPN connections. Since they were used in the configuration they were tested as part of the solution. The Windows 2000 laptop had no Ethernet interface and was not tested, the other laptop was a Windows XP machine with the Windows internal firewall enabled and therefore also returned no results from port scanning or the vulnerability scanning tools.

The last piece of the 2700 to be tested was the secure modem. As per the 2700 documentation this modem uses encryption and a key exchange to verify the identity of the calling modem. The secure modem was dialled with a standard modem and despite what was sent the modem disconnected if its challenge was not answered in a short period of time. Although no cryptographic analysis was performed, the test team determined that the method used is effective at refusing unapproved connections.

HIGH RISK

• None

MEDIUM RISK

• None

LOW RISK

• None

A full copy of this article can be downloaded in PDF format.