GRRIP Satellite & Cell Phone Backhaul
* Use of military imagery does not imply or constitute endorsement by the U.S. Department of Defense nor any Military Service.

IPsec

KlasRouter uses a FIPS 140-2 approved IPsec implementation that supports many forms of encryption, including AES-256 and the highly secure Suite B elliptic curve cryptography (ECC) algorithms. This provides a future-proof option for non-CCI encryption of data at TS collateral and below. The FIPS Certificate and Security Policy for KlasRouter are available on NIST's website. Because de-boxing a FIPS-approved device invalidates the approval, commercial off-the-shelf FIPS solutions are often extremely bulky. To counter this, the KlasRouter has been FIPS tested within an ultra-compact enclosure (8.79" x 5.25" x 1.36"), ensuring that it can be built easily into a fly-away case.

KlasRouter currently is deployed in systems with active authority to operate (ATO) on and authority to connect (ATC) to the Joint Worldwide Intelligence Communications System (JWICS).

GAN bonding

KP4600 provides support for ISDN/Inmarsat GAN/M bonding of up to four ISDN BRI interfaces by using a KlasTA-II in the KP-ISDN-100. KlasTA was developed by Klas in 2003 to interface a KIV-7 or STE device to the Inmarsat GAN/M network. Since then, it has become the market-leading ISDN Terminal Adaptor for Inmarsat networks, initially providing 128 kbit/s support over two Inmarsat GAN terminals. In 2005, this product was extended to provide 256 kbit/s support over four Inmarsat GAN terminals. The KlasTA-256 was introduced in 2006 with support for the Klas Aero protocol to provide a robust 256 kbit/s solution for Inmarsat Swift access from an aircraft. This product was developed under contract from Joint Special Operations Command for use in the JEMPRS-NT program.

KlasTA-II is an update of KlasTA-256, providing a more compact and space-efficient solution. The device has been verified with terminals from Thrane & Thrane, EMS and Nera over its lifetime in garrison, airborne and tactical environments. Channels can be bonded together using Bonding Mode 1 or 2, but the Klas Aero protocol is recommended for the most stable operation with DoD encryption devices. This protocol and license are included in the KP-ISDN-100 at no additional charge to the Government.

In KP4600, the KP1400 interfaces with the KP-ISDN-100 via a synchronous serial interface. This connectivity is provided using the Farsync Flex adapter from Farsite Communications. KP1400 connects to the Farsync Flex via USB, which then converts the signaling to synchronous serial on KP-ISDN-100. Farsite Communications has been providing synchronous serial products to the government market since 2004 and has a strong record of delivery.

  • Pioneer ISDN Module (KP-ISDN-100) supporting connectivity over up to four bonded Inmarsat GAN/M channels.

BGAN bonding

BGAN bonding is achieved by establishing an IPsec VPN tunnel from KlasRouter over each of the BGAN terminals to the VPN gateway. Traffic can be routed into each tunnel using policy-based routing to provide a reliable aggregation mechanism.

BGAN Bonding Schematic

3G and Wi-Fi backhaul

  • WANdroid HM tablet for untrusted Ethernet connectivity/configuration, GFE cellular modem host/configuration, Wi-Fi connectivity/configuration and system troubleshooting.

KP4600 fully supports all required communications vectors. However, the requirements for WWAN/cellular data, Wi-Fi and untrusted Ethernet (e.g. commercial or public broadband Internet) support have the following technical challenges and implications:

  • Use of GFE USB cellular dongles requires a flexible computer-style platform rather than a commercial router such as the Cisco 888 series with an aircard.
  • Requirement to enter PIN information for cellular modem SIM cards or to bypass service provider “splash screens” (typically terms of use acceptance, SSID selection and payment input) for Wi-Fi and untrusted Ethernet necessitates a GUI with web browser support on the WAN. This restricts the suitability of CradlePoint-style solutions which provide connectivity but no means of interaction without connection of a separate laptop.

The Klas WANdroid product has been solving this problem since 2009 using two separate devices, but recently this functionality has been implemented in a single hardware platform called WANdroid HM.

Figure 6: WANdroid HM Tablet

WANdroid HM

WANdroid HM is an Android-based tablet with built-in Ethernet, Wi-Fi, cellular radios and USB interfaces. This system provides physical connectivity from KP1400 to Wi-Fi, cellular data, and untrusted Ethernet networks. The WANdroid application running on the tablet provides a GUI for selecting the preferred outbound link and monitoring its status, and implements least cost routing algorithms. WANdroid HM has a 10 inch touch screen supporting a resolution of 800x480. Among the physical interfaces are two USB A male ports (for the supplied WAN USB-to-Ethernet adapter and GFE cellular modems), two micro SD card slots and an HDMI output port.

WANdroid HM is positioned outside of the KP4600 trusted boundary and outside the IPsec tunnel to minimize IA impact. WANdroid HM implements the supported transports as follows:

Wi-Fi Transport

KP1400 is connected to the built-in Ethernet port of WANdroid HM. The WANdroid app launches automatically and the user can select Wi-Fi as the preferred transport. An SSID can be selected and a Wi-Fi WPA/WEP key can be entered, if required, and the built-in web browser launches for access to any “splash screens.” The WANdroid application then monitors the link and indicates IPsec VPN status.

Cellular Transport

KP1400 is connected to the built-in Ethernet port of WANdroid HM. Third-party GFE USB cellular dongles may then be connected to WANdroid HM using either of the two built-in USB host ports. After installation, the WANdroid app will display the PIN entry window, if required, and the user may enter authentication details. The modem will then search for a network and register. The WANdroid application then monitors the link and indicates IPsec VPN status.

3G/4G Cellular modems currently available from T-Mobile and Verizon—among many other CONUS and OCONUS service providers—are supported, including:

  • T-Mobile
      o Rocket 2.0
      o Jet3G
      o Sierra Wireless 888
  • Verizon
      o USB 760
      o UMW 190
      o Sierra Wireless 888

Untrusted Ethernet Transport

WANdroid HM operates as an Ethernet-to-Ethernet router in this case. KP1400 is connected to the built-in Ethernet port of WANdroid HM. The supplied USB-to-Ethernet adapter is inserted in a WANdroid HM USB host port and an Ethernet connection is made to the untrusted WAN Ethernet network. The WANdroid application displays the Ethernet address, which is allocated via DHCP from the untrusted network, and launches a web browser allowing the user to navigate "splash screens" as mentioned. The WANdroid application then monitors the link and indicates VPN status.

3G and Wi-Fi Backhaul Schematic