Cisco 7206 VXR NPE-G2 with VSA FIPS 140-2 Non-Proprietary Security Policy


Level 2 Validation
Version 1.1
July 2011

Table of Contents

Introduction
  References
  Document Organization
Module Descriptions
  Cisco 7206VXR NPE-G2
  Cisco VPN Services Adapter (VSA)
  Module Validation Level
Cryptographic Module
Module Interfaces
Roles, Services & Authentication
  User Services
Cryptographic Key Management
Self-Tests
Secure Operation
  System Initialization and Configuration
  IPSec Requirements & Cryptographic Algorithms
  Protocols
  Remote Access
Tamper Evidence
  7206VXR NPE-G2 with VSA
Acronyms
Obtaining Documentation, Support & Security Guidelines

Americas Headquarters: Cisco Systems, Inc., 170 West Tasman Drive, San Jose, CA USA
Cisco Systems, Inc. All rights reserved. This document may be freely reproduced and distributed whole and intact including this copyright notice.

Introduction

This is a non-proprietary Cryptographic Module Security Policy for the 7206VXR NPE-G2 with VSA from Cisco Systems, Inc., referred to in this document as the modules, routers, or by the specific model name. This security policy describes how the modules meet the security requirements of FIPS 140-2 and how to run the modules in a FIPS 140-2 mode of operation. This policy was prepared as part of the FIPS 140-2 Level 2 validation of the following module: 7206VXR NPE-G2 with VSA.

References

FIPS 140-2 (Federal Information Processing Standards Publication 140-2: Security Requirements for Cryptographic Modules) details the U.S. Government requirements for cryptographic modules. More information about the FIPS 140-2 standard and validation program is available on the NIST website.

This document deals only with operations and capabilities of the module in the technical terms of a FIPS 140-2 cryptographic module security policy. More information is available on the module from the following sources:

- The Cisco Systems website contains information on the full line of products from Cisco Systems.
- The NIST Cryptographic Module Validation Program website contains contact information for answers to technical or sales-related questions for the module.

Document Organization

The Security Policy document is one document in a FIPS 140-2 Submission Package. In addition to this document, the Submission Package contains:

- Vendor Evidence document
- Finite State Machine
- Other supporting documentation as additional references

With the exception of this Non-Proprietary Security Policy, the FIPS 140-2 Validation Documentation is proprietary to Cisco Systems, Inc. and is releasable only under appropriate non-disclosure agreements. For access to these documents, please contact Cisco Systems, Inc.

Module Descriptions

Cisco 7206VXR NPE-G2

Cisco 7206 VXR routers are designed to support gigabit capabilities and to improve data, voice, and video integration in both service provider and enterprise environments. Cisco 7206 VXR routers support high-speed network processing engines such as the NPE-G2 as well as all other available network processing engines. Cisco 7206 VXR routers accommodate a variety of network interface port adapters and an Input/Output (I/O) controller. A Cisco 7206 VXR router equipped with an NPE-G2 can support up to six high-speed port adapters and can also support higher-speed port adapter interfaces including Gigabit Ethernet and OC-12 ATM (Optical Carrier-12 Asynchronous Transfer Mode). In addition, a Cisco 7206VXR router with an NPE-G2 provides integrated I/O functionality. Cisco 7206 VXR routers also contain bays for up to two AC-input or DC-input power supplies. Cisco 7206 VXR routers support the following features:

- Online insertion and removal (OIR): Add, replace or remove port adapters without interrupting the system.
- Dual hot-swappable, load-sharing power supplies: Provide system power redundancy; if one power supply or power source fails, the other power supply maintains system power without interruption. Also, when one power supply is powered off and removed from the router, the second power supply immediately takes over the router power requirements without interrupting normal operation of the router.
- Environmental monitoring and reporting functions: Maintain normal system operation by resolving adverse environmental conditions prior to loss of operation.
- Downloadable software: Load new images into Flash memory remotely, without having to physically access the router. This capability is not permitted in the FIPS mode of operation, however.

Cisco VPN Services Adapter (VSA)

The Cisco 7206VXR NPE-G2 routers incorporate the VPN Services Adapter (VSA) cryptographic accelerator card that fits into the I/O controller slot of the 7206VXR. The VSA features hardware acceleration for various cryptographic algorithms, providing increased performance for site-to-site and remote-access IPSec VPN services. The Cisco VSA supports full Layer 3 routing, quality of service (QoS), multicast and multiprotocol traffic, and broad support of integrated LAN/WAN media. The VSA off-loads IPSec processing from the main processor, thus freeing resources on the processor engines for other tasks.

The evaluated platform consists of the following:

- 7206VXR Hardware Version 2.9
- NPE-G2 Hardware Version 1.0
- VSA Hardware Version 1.0

Module Validation Level

The following table lists the level of validation for each area in FIPS PUB 140-2.

Table 1  Module Validation Level

No.  Area Title                                                    Level
1    Cryptographic Module Specification                            2
2    Cryptographic Module Ports and Interfaces                     2
3    Roles, Services, and Authentication                           2
4    Finite State Model                                            2
5    Physical Security                                             2
6    Operational Environment                                       N/A
7    Cryptographic Key Management                                  2
8    Electromagnetic Interference/Electromagnetic Compatibility    2
9    Self-Tests                                                    2
10   Design Assurance                                              2
11   Mitigation of Other Attacks                                   N/A

Cryptographic Module

The cryptographic boundary for the 7206VXR NPE-G2 with VSA is defined as encompassing the "top," "front," "left," "right," and "bottom" surfaces of the case; all portions of the "backplane" of the case which are not designed to accommodate a removable port adapter; the inverse of the three-dimensional space within the case that would be occupied by an installed port adapter; and the VSA installed into the I/O controller slot. The cryptographic boundary includes the VSA installed into the I/O controller slot and the connection apparatus between the port adapter and the motherboard/daughterboard that hosts the port adapter, but the boundary does not include the port adapter itself. In other words, the cryptographic boundary encompasses all hardware components within the case of the device except any installed modular port adapter. All of the functionality discussed in this document is provided by components within this cryptographic boundary. Each module is a multi-chip standalone module.

Module Interfaces

Each module provides a number of physical and logical interfaces to the device, and the physical interfaces provided by the module are mapped to the four FIPS 140-2 defined logical interfaces: data input, data output, control input, and status output. The logical interfaces and their mapping are described in the following table:

Table 2  FIPS 140-2 Logical Interfaces: 7206VXR NPE-G2 with VSA

FIPS 140-2 Logical Interface   Router Physical Interfaces
Data Input Interface           10/100/1000 RJ-45 Port, SFP Gigabit Ethernet Port, Port Adapter/Midplane Interface, Console Port, Auxiliary Port
Data Output Interface          10/100/1000 BASE-TX LAN Port, Gigabit Ethernet Port, Port Adapter Interface, Console Port, Auxiliary Port, 10/100 Management Port
Control Input Interface        10/100/1000 BASE-TX LAN Port, Gigabit Ethernet Port, Port Adapter Interface, Power Switch, Reset Switch, Console Port, Auxiliary Port, 10/100 Management Port
Status Output Interface        10/100/1000 BASE-TX LAN Port, Port Adapter Interface, Gigabit Ethernet Port, LEDs, Console Port, Auxiliary Port, 10/100 Management Port
Power Interface                Power Plug

Roles, Services & Authentication

Authentication is role-based. There are two main roles in the router that operators may assume: the Crypto Officer role and the User role. The administrator of the router assumes the Crypto Officer role in order to configure and maintain the router using Crypto Officer services, while the Users exercise only the basic User services. The module supports RADIUS and TACACS+ for authentication. A complete description of all the management and configuration capabilities of the modules can be found in the Performing Basic System Management manual and in the online help for the modules.

The User and Crypto Officer passwords and the RADIUS/TACACS+ shared secrets must each be at least 8 characters long, including at least one letter and at least one number character. See the Secure Operation section for more information. If 6 integers, one special character and one alphabetic character are used without repetition for an 8-digit PIN, the probability of randomly guessing the correct sequence is 1 in 832,000,000. To successfully guess the sequence in one minute would require the ability to make over 13,000,000 guesses per second, which far exceeds the operational capabilities of the module. Including the rest of the alphanumeric characters drastically decreases the odds of guessing the correct sequence.

The 7206 can also use certificate credentials using 1024-bit RSA keys and SHA-1; in such a case the security strength is 80 bits, so an attacker would have a 1 in 2^80 chance of a successful authentication, which is much stronger than the one in a million chance required by FIPS 140-2. To exceed a one in 100,000 probability of a successful random key guess in one minute, an attacker would have to be capable of approximately 1.8 x attempts per minute, which vastly exceeds the operational capabilities of the module to support.
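As an added worked example (this is the editor's code, not part of the Cisco policy), the following Python checks the two FIPS 140-2 thresholds the paragraph above cites, 1 in 1,000,000 per single attempt and 1 in 100,000 over one minute, against the page's own password rule (at least 8 characters with at least one letter and one digit). The keyspace is counted over the full 62-character alphanumeric set by inclusion-exclusion, which is a different and larger count than the page's narrower 6-digit/1-special/1-letter PIN construction that yields 832,000,000; the function names, the threshold constants and the 60-second window are assumptions made here. The same report function is applied to the 80-bit certificate strength mentioned above.

```python
import math
import string

# Password rule stated in the security policy.
MIN_LENGTH = 8
LETTERS = set(string.ascii_letters)
DIGITS = set(string.digits)
ALNUM_SIZE = len(LETTERS) + len(DIGITS)   # 62 characters

# FIPS 140-2 authentication-strength thresholds as cited on the page
# (ASSUMPTION: represented here as plain fractions).
MAX_SINGLE_ATTEMPT_PROBABILITY = 1 / 1_000_000
MAX_ONE_MINUTE_PROBABILITY = 1 / 100_000


def meets_policy(secret: str) -> bool:
    """True if the secret has >= 8 characters, at least one letter and one digit."""
    chars = set(secret)
    return (len(secret) >= MIN_LENGTH
            and bool(chars & LETTERS)
            and bool(chars & DIGITS))


def policy_keyspace(length: int = MIN_LENGTH) -> int:
    """Count alphanumeric strings of `length` that satisfy the policy.

    Inclusion-exclusion over the 62-character set: all strings, minus those
    with no letter (digits only), minus those with no digit (letters only).
    No non-empty alphanumeric string lacks both, so nothing is added back.
    """
    return ALNUM_SIZE ** length - len(DIGITS) ** length - len(LETTERS) ** length


def single_attempt_probability(keyspace: int) -> float:
    """Probability that one uniformly random guess succeeds."""
    return 1 / keyspace


def attempts_per_second_to_exceed(keyspace: int,
                                  probability: float = MAX_ONE_MINUTE_PROBABILITY,
                                  seconds: int = 60) -> float:
    """Guess rate needed to reach `probability` of success within `seconds`."""
    return keyspace * probability / seconds


def fips_strength_report(keyspace: int) -> dict:
    """Evaluate a keyspace (password space or 2**80 for an 80-bit credential)
    against the single-attempt threshold and report the guess rate an attacker
    would need to beat the one-minute threshold."""
    return {
        "keyspace": keyspace,
        "single_attempt_ok": single_attempt_probability(keyspace) < MAX_SINGLE_ATTEMPT_PROBABILITY,
        "attempts_per_second_needed": attempts_per_second_to_exceed(keyspace),
        "security_bits": math.log2(keyspace),
    }


if __name__ == "__main__":
    for candidate in ("Vsa7206ok", "password", "12345678"):
        print(candidate, "meets policy:", meets_policy(candidate))
    print(fips_strength_report(policy_keyspace()))
    print(fips_strength_report(2 ** 80))
```

Running it shows that an 8-character policy-conforming password still needs an attacker making tens of millions of guesses per second to beat the one-minute threshold, while a 1024-bit RSA credential at 80 bits of strength sits many orders of magnitude beyond that; the policy's rate-limiting argument rests on the module being unable to process guesses anywhere near that fast.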

User Services

A User enters the system by accessing the console/auxiliary port with a terminal program or via an IPSec-protected Telnet or SSH v2 session to a LAN port. The IOS prompts the User for their password. If the password is correct, the User is allowed entry to the IOS executive program. The services available to the User role consist of the following:

- Status Functions: View state of interfaces and protocols, version of IOS currently running
- Network Functions: Connect to other network devices through outgoing telnet, PPP, etc. and initiate diagnostic network services (i.e., ping, mtrace)
- Terminal Functions: Adjust the terminal session (e.g., lock the terminal, adjust flow control)
- Directory Services: Display directory of files kept in flash memory
- Get VPN service: Negotiation and encrypted data transport via Get VPN
- Perform Self-Tests: Perform the FIPS 140 start-up tests on demand

Crypto Officer Services

A Crypto Officer enters the system by accessing the console/auxiliary port with a terminal program or via an IPSec-protected telnet or SSH v2 session to a LAN port. The Crypto Officer authenticates as a User and then authenticates as the Crypto Officer role. During initial configuration of the router, the Crypto Officer password (the enable password) is defined. A Crypto Officer may assign permission to access the Crypto Officer role to additional accounts, thereby creating additional Crypto Officers. The Crypto Officer role is responsible for the configuration and maintenance of the router. The Crypto Officer services consist of the following:

- Configure the Router: Define network interfaces and settings, create command aliases, set the protocols the router will support, enable interfaces and network services, set system date and time, and load authentication information.
- Define Rules and Filters: Create packet filters that are applied to User data streams on each interface. Each filter consists of a set of rules, which define a set of packets to permit or deny based on characteristics such as protocol ID, addresses, ports, TCP connection establishment, or packet direction.
- Status Functions: View the router configuration, routing tables and active sessions; use get commands to view SNMP MIB statistics, health, temperature, memory status, voltage and packet statistics; review accounting logs; and view physical interface status.
- Manage the Router: Log off users, shut down or reload the router, manually back up router configurations, view complete configurations, manage user rights, and restore router configurations.
- Set Encryption/Bypass: Set up the configuration tables for IP tunneling. Set keys and algorithms to be used for each IP range, or allow plaintext packets to be sent from specified IP addresses.
- Change Port Adapters: Insert and remove adapters in a port adapter slot.
- Change VSA: Insert and remove the VSA in an I/O controller slot. (This service is available only for the 7206VXR NPE-G2 with VSA.)

- Perform Self-Tests: Perform the FIPS 140 start-up tests on demand

Unauthenticated Services

- Observe LED status
- Perform Power-up Self-Test
- Perform Bypass Function

Cryptographic Key Management

The router securely administers both cryptographic keys and other critical security parameters such as passwords. The tamper evidence seals provide physical protection for all keys. All keys are also protected by the password protection on the Crypto Officer role login, and can be zeroized by the Crypto Officer. All zeroization consists of overwriting the memory that stored the key. Keys are exchanged and entered electronically or via Internet Key Exchange (IKE). The module supports the following critical security parameters (CSPs):

Table 4  Critical Security Parameters

CSP Name     Description
CSP 1        The seed key for the X9.31 RNG. This key is updated periodically after the generation of 400 bytes; hence, it is zeroized periodically. Also, the operator can turn off the router to zeroize this key.
CSP 2        The public and private exponents used in the Diffie-Hellman (DH) exchange. Zeroized after the DH shared secret has been generated.
CSP 3        The shared secret within the IKE exchange. Zeroized when the IKE session is terminated.
CSP 4        Same as above.
CSP 5        Same as above.
CSP 6        Same as above.
CSP 7        The IKE session encrypt key. Zeroization is the same as above.
CSP 8        The IKE session authentication key. Zeroization is the same as above.
CSP 9        The key used to generate IKE SKEYID during pre-shared-key authentication. Stored in NVRAM. The "no crypto isakmp key" command zeroizes it. This key can have two forms based on whether the key is related to the hostname or the IP address.
CSP 10       This key generates keys 3, 4, 5 and 6. This key is zeroized after generating those keys.
CSP 11       The fixed key used in Cisco vendor ID generation. This key is embedded in the module binary image and can be deleted by erasing the Flash.
CSP 12       The IPSec encryption key. Zeroized when the IPSec session is terminated.
CSP 13       The IPSec authentication key. Zeroization is the same as above.
CSP 14       This key is used by the router to authenticate itself to the peer. The router gets the password (that is used as this key) from the AAA server and sends it on to the peer. The password retrieved from the AAA server is zeroized upon completion of the authentication attempt.
CSP 15       The authentication key used in PPP. This key is not zeroized at runtime; because it is held in volatile memory, turning off the router zeroizes it.
CSP 16       This key is used by the router to authenticate itself to the peer. The key is retrieved from the local database (on the router itself). Issuing the "no username password" command zeroizes the password (that is used as this key) from the local database.
CSP 17       The password of the User role. Stored in NVRAM. Zeroized by overwriting it with a new password.
CSP 18       The plaintext password of the CO role. Stored in NVRAM. Zeroized by overwriting it with a new password.
CSP 19       The ciphertext password of the CO role. Stored in NVRAM. However, the algorithm used to encrypt this password is not FIPS approved; therefore, this password is considered plaintext for FIPS purposes. Zeroized by overwriting it with a new password.
CSP 20       The RADIUS shared secret. Stored in NVRAM. Zeroized by executing the "no" form of the RADIUS shared secret set command.
CSP 21       The TACACS+ shared secret. Stored in NVRAM. Zeroized by executing the "no" form of the TACACS+ shared secret set command.
CSP 22       The SSH session key. Zeroized automatically when the SSH session is terminated.
CSP 23 (1)   The keys and CSPs above from no. 1 to 21 are located in the router outside the VSA.
CSP 24       GDOI TEK algorithm key. This key is created using the GROUPKEY-PULL registration protocol and updated using the GROUPKEY-PUSH registration protocol with GDOI. It is used to encrypt data traffic between Get VPN peers.
CSP 25       GDOI KEK algorithm key. This key is created using the GROUPKEY-PULL registration protocol with GDOI. It is used to protect GDOI rekeying data.
CSP 26       GDOI TEK integrity key.
CSP 27       Diffie-Hellman private exponent. The private exponent used in the Diffie-Hellman (DH) exchange as part of IKE. Zeroized after the DH shared secret has been generated.
CSP 28       RSA private exponent. The private exponent used in the RSA exchange as part of IKE and SSH. Zeroized after the RSA shared secret has been generated.

(1) This key is not present in the 7206VXR NPE-G2 with VSA.

The services accessing the CSPs, the type of access and which role accesses the CSPs are listed in Table 5.

The module supports IOS implementations of the Triple-DES, DES-MAC, Triple-DES-MAC, AES, SHA-1, HMAC SHA-1, MD5, HMAC MD5, Diffie-Hellman, RNG and RSA cryptographic algorithms. Except for SHA-1 and RNG, none of the other software algorithm implementations are used when operating in FIPS mode. The IOS implementation of Diffie-Hellman is used in all module configurations except the 7206VXR NPE-G2 with VSA, which uses the hardware implementation of DH.

NOTE: Pursuant to the DES Transition Plan and the approval of the Withdrawal of Federal Information Processing Standard (FIPS) 46-3, Data Encryption Standard (DES); FIPS 74, Guidelines for Implementing and Using the NBS Data Encryption Standard; and FIPS 81, DES Modes of Operation, the DES algorithm shall not be used in the FIPS approved mode of operation.

Table 5  Role and Service Access to CSPs (SRDI/Role/Service Access Policy)

Role / Service                 Access to Security Relevant Data Items CSP 1 through CSP 28 (r = read, w = write)
User role
  Status Functions
  Network Functions            r
  Terminal Functions
  Directory Services
  Get VPN
Crypto Officer role
  Configure the Router
  Define Rules and Filters
  Status Functions
  Manage the Router
  Set Encryption/Bypass        r, w
  Change Port Adapters
  Change VSA

Each cryptographic implementation has achieved the following validations:

Table 6  Algorithm Certificates

Algorithm     IOS (NPE-G2)                  VSA
AES           Not supported in FIPS mode    91
Triple-DES    Not supported in FIPS mode    204
SHA
HMAC SHA-1    Not supported in FIPS mode    203
RNG
RSA           Not supported in FIPS mode    707

The module supports the following key management schemes:

- Pre-shared key exchange via electronic key entry. The Triple-DES/AES key and the HMAC-SHA-1 key are exchanged and entered electronically.
- Internet Key Exchange method with support for pre-shared keys exchanged and entered electronically.
  o The pre-shared keys are used with the Diffie-Hellman key agreement technique to derive DES, Triple-DES or AES keys.
  o The pre-shared key is also used to derive the HMAC-SHA-1 key.

The Diffie-Hellman key establishment methodology provides 80 or 96 bits of encryption strength. GDOI key wrapping, key establishment methodology provides between 128 bits and 256 bits of encryption strength per NIST.

All pre-shared keys are associated with the CO role that created the keys, and the CO role is protected by a password. Therefore, the CO password is associated with all the pre-shared keys. The Crypto Officer needs to be authenticated to store keys. All Diffie-Hellman (DH) keys agreed upon for individual tunnels are directly associated with that specific tunnel only via the IKE protocol. All of the keys and CSPs of the module can be zeroized. Please refer to Table 4 for information on methods to zeroize each key and CSP.

Self-Tests

The modules include an array of self-tests that are run during startup and periodically during operations to prevent any secure data from being released and to ensure all components are functioning correctly. The modules implement the following power-on self-tests:

Table 7  Module Power-On Self-Tests

Implementation   Tests Performed
IOS              Software/firmware test, Bypass test, SHA-1 KAT, RNG KAT
VSA              Firmware integrity test, Triple-DES KAT, AES KAT, SHA-1 KAT, HMAC-SHA-1 KAT, RSA KAT, DH Test

(1) The IOS implementation of DH is not used in the 7206VXR NPE-G2 with VSA.

The modules perform all power-on self-tests automatically at boot. All power-on self-tests must be passed before any operator can perform cryptographic services. The power-on self-tests are performed after the cryptographic systems are initialized but prior to the initialization of the LANs; this prevents the module from passing any data during a power-on self-test failure. In addition, the module also provides the following conditional self-tests:

Table 8  Module Conditional Self-Tests

Implementation   Tests Performed
IOS              Continuous Random Number Generator test for the FIPS-approved RNG, Continuous Random Number Generator test for the non-approved RNGs, Conditional Bypass test, RSA PWCT
VSA              Continuous Random Number Generator test for the non-approved RNG

Secure Operation

These routers meet all the applicable Level 2 requirements for FIPS 140-2. Follow the setting instructions provided below to place the module in FIPS mode. Operating this router without maintaining the following settings will remove the module from the FIPS approved mode of operation. All configuration activities must be performed via the command line interface via the console (for initial configuration) or IPSec-protected SSH v2 or telnet sessions; neither of the web configuration tools CSRW or SDM may be used.
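To make the power-on and conditional tests in Tables 7 and 8 above concrete, here is an added Python example written for this page (the editor's code, not Cisco's firmware, which is not visible here). It implements a known-answer test for the two algorithms whose KATs appear in the tables and are available in the Python standard library, SHA-1 and HMAC-SHA-1, using standard published vectors, and the FIPS 140-2 continuous RNG test, where every newly generated block is compared with the previous one and equality puts the module in an error state. The stuck generator is constructed to exercise the failure path; the function names and the 16-byte block size are assumptions.

```python
import hashlib
import hmac
import os

# Published known-answer vectors: SHA-1("abc") from FIPS 180, and the widely
# published HMAC-SHA-1 example with key b"key" over the "quick brown fox" text.
KAT_VECTORS = {
    "SHA-1": (
        lambda msg: hashlib.sha1(msg).hexdigest(),
        b"abc",
        "a9993e364706816aba3e25717850c26c9cd0d89d",
    ),
    "HMAC-SHA-1": (
        lambda msg: hmac.new(b"key", msg, hashlib.sha1).hexdigest(),
        b"The quick brown fox jumps over the lazy dog",
        "de7c9b85b8b78aa6bc8a7a36f70a90701c9db4d9",
    ),
}


def run_known_answer_tests(vectors=KAT_VECTORS):
    """Run every KAT and return {name: passed}. A single failure must leave the
    module in an error state with no cryptographic service available."""
    return {name: hmac.compare_digest(fn(msg), expected)
            for name, (fn, msg, expected) in vectors.items()}


class ContinuousRngTest:
    """FIPS 140-2 continuous RNG test: each new output block is compared with
    the previous block, and equality means the generator is stuck. The first
    block drawn is retained only for comparison and never handed out."""

    def __init__(self, source, block_size=16):
        self._source = source          # callable taking a byte count
        self._size = block_size
        self._previous = source(block_size)

    def next_block(self):
        block = self._source(self._size)
        if block == self._previous:
            raise RuntimeError("continuous RNG test failed: repeated block")
        self._previous = block
        return block


def power_on_self_test(rng_source=os.urandom, draws=8):
    """Return True only if every KAT passes and the RNG survives `draws` rounds
    of the continuous test; mirrors the rule that no cryptographic service is
    offered until the power-on tests succeed."""
    if not all(run_known_answer_tests().values()):
        return False
    crngt = ContinuousRngTest(rng_source)
    try:
        for _ in range(draws):
            crngt.next_block()
    except RuntimeError:
        return False
    return True


def stuck_rng(n):
    """Constructed faulty generator for the failure path: always the same block."""
    return b"\x42" * n


if __name__ == "__main__":
    print(run_known_answer_tests())
    print("healthy RNG:", power_on_self_test())
    print("stuck RNG:", power_on_self_test(stuck_rng))
```

The comparison uses hmac.compare_digest so a KAT mismatch is detected in constant time, and the continuous test raises rather than returning a block, so a caller cannot accidentally consume output from a generator that has just failed.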

System Initialization and Configuration

Step 1  The Crypto Officer must perform the initial configuration. The following advanced enterprise builds are the only allowable images; no other image may be loaded. 7206VXR NPE-G2 with VSA: c7200-adventerprisek9-mz t10 (IOS version 12.4(15)T10) and c7200-adventerprisek9-mz t14 (IOS version 12.4(15)T14).

Step 2  The value of the boot field must be 0x0102. This setting disables break from the console to the ROM monitor and automatically boots the IOS image. From the configure terminal command line, the Crypto Officer enters the following syntax:

  config-register 0x0102

Step 3  The Crypto Officer must enter the following command to prevent failover to the software implementation:

  no crypto engine software ipsec

Step 4  The Crypto Officer must create the enable password for the Crypto Officer role. The password must be at least 8 characters, including at least one letter and at least one number, and is entered when the Crypto Officer first engages the enable command. The Crypto Officer enters the following syntax at the # prompt:

  enable secret [PASSWORD]

Step 5  The Crypto Officer must always assign passwords (of at least 8 characters, including at least one letter and at least one number) to users. Identification and authentication on the console/auxiliary port is required for Users. From the configure terminal command line, the Crypto Officer enters the following syntax:

  line con 0
  password [PASSWORD]
  login local

Step 6  The Crypto Officer shall not assign users to a privilege level other than Level 1 (the default).

Step 7  The Crypto Officer may configure the module to use RADIUS or TACACS+ for authentication. Configuring the module to use RADIUS or TACACS+ for authentication is optional. If the module is configured to use RADIUS or TACACS+, the Crypto Officer must define RADIUS or TACACS+ shared secret keys that are at least 8 characters long, including at least one letter and at least one number.

Step 8  The Crypto Officer must apply tamper evidence labels as described later in this document.

Step 9  The module must be configured to only use hardware acceleration. As such, if there is a failure in the VSA card, the module is considered to be out of the FIPS-Approved mode of operation. A failure in the integrity check for the VSA will be indicated via the following console message:

  VSA boot error: POST FAILURE

The status of the VSA can also be verified with the show crypto engine accelerator statistic and show crypto eli commands.

NOTE: The keys and CSPs generated in the cryptographic module during the FIPS mode of operation cannot be used when the module transitions to non-FIPS mode, and vice versa. While the module transitions from FIPS to non-FIPS mode or from non-FIPS to FIPS mode, all the keys and CSPs are to be zeroized by the Crypto Officer.

IPSec Requirements & Cryptographic Algorithms

Step 1  The only type of key management that is allowed in FIPS mode is Internet Key Exchange (IKE).

Step 2  Although the IOS implementation of IKE allows a number of algorithms, only the following algorithms are allowed in a FIPS configuration:

  ah-sha-hmac
  esp-sha-hmac
  esp-3des
  esp-aes

Step 3  The following algorithms shall not be used:

  MD-5 for signing
  MD-5 HMAC
  DES
  Software implementations of AES, DES, Triple-DES, SHA-1, and HMAC

Protocols

Step 1  SNMP v3 over a secure IPSec tunnel may be employed for authenticated, secure SNMP gets and sets. Since SNMP v2c uses community strings for authentication, only gets are allowed under SNMP v2c.

Step 2  Secure DNS is not allowed in the FIPS mode of operation and shall not be configured.

Remote Access

Step 1  Telnet access to the module is only allowed via a secure IPSec tunnel between the remote system and the module. The Crypto Officer must configure the module so that any remote connections via telnet are secured through IPSec, using FIPS-approved algorithms. Note that all users must still authenticate after remote access is granted.

Step 2  SSH access to the module is allowed in the FIPS approved mode of operation, using SSH v2 and a FIPS approved algorithm.

Tamper Evidence

All Critical Security Parameters are stored and protected within each appliance's tamper evident enclosure. The administrator is responsible for properly placing all tamper evident labels. The security labels for FIPS 140-2 compliance are provided in the FIPS Kit:

  Product Number: CVPN7200FIPS/KIT=
  Product Description: Kit (Instructions, labels) to configure 7206 for FIPS operation

These security labels are very fragile and cannot be removed without clear signs of damage to the labels. The Crypto Officer should inspect the tamper evident labels periodically to verify they are intact and that the serial numbers on the applied tamper evident labels match the records in the security log.

Any port adapter slot not populated with a port adapter must be populated with an appropriate slot cover in order to operate in a FIPS compliant mode. The slot covers are included with each router, and additional covers may be ordered from Cisco. The same procedure mentioned below to apply tamper evidence labels for port adapters must also be followed to apply tamper evidence labels for the slot covers. Twelve tamper evident labels shall be installed for the module to operate in FIPS mode.

7206VXR NPE-G2 with VSA

The front of the router provides 6 port adapter slots (an additional port adapter slot is available when a port adapter jacket card is inserted into the I/O controller slot), and the rear of the router provides on-board LAN connectors, PC Card slots, and Console/Auxiliary connectors. The power cable connection, a power switch, and the access to the Network Processing Engine are at the rear of the router. Once the router has been configured to meet FIPS 140-2 Level 2 requirements, the router cannot be accessed without signs of tampering.
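Returning to the configuration requirements of the Secure Operation, IPSec Requirements, Protocols and Remote Access steps above, the following added Python example (the editor's code, not Cisco's) audits a running-configuration excerpt for the settings a Crypto Officer must keep in place: the 0x0102 boot field, software IPsec fallback disabled, an enable secret rather than an enable password, console login, no users above privilege 1, only the four permitted transform keywords, no MD5 or DES in the IKE policy, and no SNMP v2c community with write access. The two configurations are constructed samples, not device output. Three things are assumptions made here rather than statements of the page: the IOS keyword spellings used for the forbidden transforms and the IKE hash/encryption lines, the check for the HTTP server standing in for the rule that the CSRW/SDM web tools may not be used, and treating the config-register value (which IOS reports under show version, not in the running configuration) as one more line of the audited text.

```python
import re

# Transform-set keywords the policy allows in FIPS mode; "esp-aes" may be
# followed by a key size (192 or 256) on IOS, so bare digits are skipped.
APPROVED_TRANSFORMS = {"ah-sha-hmac", "esp-sha-hmac", "esp-3des", "esp-aes"}
# DES and MD5-based HMAC are forbidden (ASSUMPTION: IOS keyword spellings).
FORBIDDEN_TRANSFORMS = {"esp-des", "esp-md5-hmac", "ah-md5-hmac"}


def parse_sections(config):
    """Split IOS-style text into (command, [indented sub-commands]) pairs."""
    sections, current = [], None
    for raw in config.splitlines():
        if not raw.strip() or raw.lstrip().startswith("!"):
            continue
        if raw[0] in " \t" and current is not None:
            current[1].append(raw.strip())
        else:
            current = (raw.strip(), [])
            sections.append(current)
    return sections


def audit_fips_mode(config):
    """Return (check_id, detail) findings; an empty list means all checks passed."""
    sections = parse_sections(config)
    commands = {cmd for cmd, _ in sections}
    findings = []
    if "config-register 0x0102" not in commands:
        findings.append(("boot-field", "config-register is not 0x0102"))
    if "no crypto engine software ipsec" not in commands:
        findings.append(("sw-ipsec", "software IPsec fallback is not disabled"))
    if not any(c.startswith("enable secret ") for c in commands):
        findings.append(("enable-secret", "Crypto Officer enable secret not set"))
    if any(c.startswith("enable password ") for c in commands):
        findings.append(("enable-password", "legacy enable password present"))
    if any(c in ("ip http server", "ip http secure-server") for c in commands):
        findings.append(("http", "web configuration access enabled"))  # ASSUMPTION
    if "line con 0" not in commands:
        findings.append(("console-login", "no console line configuration"))
    for cmd, subs in sections:
        m = re.match(r"username (\S+) privilege (\d+)", cmd)
        if m and m.group(2) != "1":
            findings.append(("privilege", f"user {m.group(1)} has privilege {m.group(2)}"))
        if cmd.startswith("crypto isakmp policy"):
            for words in (s.split() for s in subs):
                if len(words) >= 2 and words[0] == "hash" and words[1] == "md5":
                    findings.append(("ike-hash", f"{cmd}: MD5 hash"))
                if len(words) >= 2 and words[0].startswith("encr") and words[1] == "des":
                    findings.append(("ike-encr", f"{cmd}: DES encryption"))
        if cmd.startswith("crypto ipsec transform-set"):
            name, *transforms = cmd.split()[3:]
            for t in transforms:
                if t.isdigit():
                    continue
                if t in FORBIDDEN_TRANSFORMS or t not in APPROVED_TRANSFORMS:
                    findings.append(("transform", f"{name}: {t} not allowed"))
        if cmd.startswith("snmp-server community") and re.search(r"\bRW\b", cmd, re.I):
            findings.append(("snmp", f"{cmd}: SNMP v2c sets would be allowed"))
        if cmd == "line con 0" and not any(s.startswith("login") for s in subs):
            findings.append(("console-login", "console line does not require login"))
    return findings


# Constructed excerpts (not real device output); the config-register line is
# appended from "show version" so that one string carries every check.
COMPLIANT = """\
enable secret 5 $1$fips$constructedhashvalue0
username co secret 5 $1$fips$constructedhashvalue1
no crypto engine software ipsec
crypto isakmp policy 10
 encr aes
 hash sha
 authentication pre-share
crypto ipsec transform-set FIPS-SET esp-aes esp-sha-hmac
 mode tunnel
snmp-server community monitor RO
line con 0
 password ConstructedP4ss
 login local
config-register 0x0102
"""

NONCOMPLIANT = """\
enable password cisco123
username admin privilege 15 password 0 cisco123
crypto isakmp policy 10
 encr des
 hash md5
crypto ipsec transform-set WEAK esp-des esp-md5-hmac
 mode tunnel
ip http server
snmp-server community private RW
line con 0
 login
config-register 0x2102
"""

if __name__ == "__main__":
    print("compliant:", audit_fips_mode(COMPLIANT))
    for check, detail in audit_fips_mode(NONCOMPLIANT):
        print(f"{check:15} {detail}")
```

Each finding maps back to one of the numbered steps above, so the output can be used as a checklist when re-verifying a router after maintenance; the transform check flags any keyword outside the page's four-item list, not only the three it names as forbidden, because the page's rule is an allow-list.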
The Crypto Officer shall be instructed to record serial numbers, and to inspect for these signs of tampering or changed numbers periodically. To seal the system, apply serialized tamper-evidence labels as depicted in Figure 1 and Figure 2 as follows:

Step 1   Clean the cover of any grease, dirt, or oil before applying the tamper evidence labels. Alcohol-based cleaning pads are recommended for this purpose. The ambient air must be above 10 C, otherwise the labels may not properly cure.

Step 2   A tamper evidence label shall be placed so that one half of the label covers the enclosure and the other half covers the NPE-G2.

Step 3   A tamper evidence label shall be placed over the Compact Flash card slot on the NPE-G2.

Step 4   A tamper evidence label shall be placed over the USB ports of the NPE-G2.

Step 5   A tamper evidence label shall be placed so that one half of the label covers the enclosure and the other half covers port adapter slot 1.

Step 6   A tamper evidence label shall be placed so that one half of the label covers the enclosure and the other half covers port adapter slot 2.

Step 7   A tamper evidence label shall be placed so that one half of the label covers the enclosure and the other half covers port adapter slot 3.

Step 8   A tamper evidence label shall be placed so that one half of the label covers the enclosure and the other half covers port adapter slot 4.

Step 9   A tamper evidence label shall be placed so that one half of the label covers the enclosure and the other half covers port adapter slot 5.

Step 10  A tamper evidence label shall be placed so that one half of the label covers the enclosure and the other half covers port adapter slot 6.

Step 11  A tamper evidence label shall be placed such that one half of the label covers the enclosure and the other half covers the VSA.

Step 12  A tamper evidence label shall be placed so that one half of the label covers the enclosure and the other half covers the power supply plate.

Step 13  A tamper evidence label shall be placed so that one half of the label covers the enclosure and the other half covers the redundant power supply plate.

Step 14  Allow the labels to cure for five minutes.

Figure 1  Cisco 7206VXR (Front) Tamper Evident Label Placement

Figure 2  Cisco 7206VXR (Back) Tamper Evident Label Placement

Acronyms

AAA     Authentication, Authorization and Accounting
AES     Advanced Encryption Standard
CMVP    Cryptographic Module Validation Program
CSP     Critical Security Parameter
DES     Data Encryption Standard
FIPS    Federal Information Processing Standard
HTTP    Hyper Text Transfer Protocol
KAT     Known Answer Test
LED     Light Emitting Diode
NPE     Network Processing Engine
NIST    National Institute of Standards and Technology
NVLAP   National Voluntary Laboratory Accreditation Program
PPP     Point to Point Protocol
RAM     Random Access Memory
RSA     Rivest, Shamir, & Adleman [method for asymmetric encryption]
SHA     Secure Hash Algorithm
VAM     VPN Acceleration Module

Obtaining Documentation, Support & Security Guidelines

For information on obtaining Cisco documentation, security guidelines, recommended aliases, support and a means to provide documentation feedback, see the monthly What's New in Cisco Product Documentation, which also lists new and revised Cisco technical documentation. To find an HTML or PDF version of many Cisco titles, type the title in the Search field and click Go.

Cisco and the Cisco Logo are trademarks of Cisco Systems, Inc. and/or its affiliates in the U.S. and other countries. A listing of Cisco's trademarks can be found on the Cisco website. Third party trademarks mentioned are the property of their respective owners. The use of the word partner does not imply a partnership relationship between Cisco and any other company. (1005R)


More information

Cisco Catalyst 3560-X and 3750-X Switches FIPS 140-2 Level 2 Non-Proprietary Security Policy

Cisco Catalyst 3560-X and 3750-X Switches FIPS 140-2 Level 2 Non-Proprietary Security Policy Cisco Catalyst 3560-X and 3750-X Switches FIPS 140-2 Level 2 Non-Proprietary Security Policy Overall Level 2 Validation Version 0.54 April 25, 2012 Introduction... 3 References... 3 FIPS 140-2 Submission

More information

Security Policy. Trapeze Networks

Security Policy. Trapeze Networks MX-200R-GS/MX-216R-GS Mobility Exchange WLAN Controllers Security Policy Trapeze Networks August 14, 2009 Copyright Trapeze Networks 2007. May be reproduced only in its original entirety [without revision].

More information

Accellion Secure File Transfer Cryptographic Module Security Policy Document Version 1.0. Accellion, Inc.

Accellion Secure File Transfer Cryptographic Module Security Policy Document Version 1.0. Accellion, Inc. Accellion Secure File Transfer Cryptographic Module Security Policy Document Version 1.0 Accellion, Inc. December 24, 2009 Copyright Accellion, Inc. 2009. May be reproduced only in its original entirety

More information

FIPS 140 2 Non Proprietary Security Policy: Kingston Technology DataTraveler DT4000 Series USB Flash Drive

FIPS 140 2 Non Proprietary Security Policy: Kingston Technology DataTraveler DT4000 Series USB Flash Drive FIPS 140 2 Non Proprietary Security Policy Kingston Technology Company, Inc. DataTraveler DT4000 G2 Series USB Flash Drive Document Version 1.8 December 3, 2014 Document Version 1.8 Kingston Technology

More information

SNAPcell Security Policy Document Version 1.7. Snapshield

SNAPcell Security Policy Document Version 1.7. Snapshield SNAPcell Security Policy Document Version 1.7 Snapshield July 12, 2005 Copyright Snapshield 2005. May be reproduced only in its original entirety [without revision]. TABLE OF CONTENTS 1. MODULE OVERVIEW...3

More information

FIPS 140-2 Non-Proprietary Security Policy. IBM Internet Security Systems SiteProtector Cryptographic Module (Version 1.0)

FIPS 140-2 Non-Proprietary Security Policy. IBM Internet Security Systems SiteProtector Cryptographic Module (Version 1.0) FIPS 140-2 Non-Proprietary Security Policy IBM Internet Security Systems SiteProtector Document Version 2.3 August 5, 2010 Document Version 2.3 IBM Internet Security Systems Page 1 of 24 Prepared For:

More information

VASCO Data Security International, Inc. DIGIPASS GO-7. FIPS 140-2 Non-Proprietary Cryptographic Module Security Policy

VASCO Data Security International, Inc. DIGIPASS GO-7. FIPS 140-2 Non-Proprietary Cryptographic Module Security Policy VASCO Data Security International, Inc. DIGIPASS GO-7 FIPS 140-2 Non-Proprietary Cryptographic Module Security Policy Security Level: 2 Version: 1.7 Date: August 12, 2015 Copyright VASCO Data Security

More information

FIPS 140 2 Non Proprietary Security Policy: IBM Internet Security Systems Proventia GX Series Security

FIPS 140 2 Non Proprietary Security Policy: IBM Internet Security Systems Proventia GX Series Security FIPS 140 2 Non Proprietary Security Policy IBM Internet Security Systems Proventia GX Series Security Document Version 1.6 January 25, 2013 Document Version 1.6 IBM Internet Security Systems Page 1 of

More information

FIPS 140-2 Non- Proprietary Security Policy. McAfee SIEM Cryptographic Module, Version 1.0

FIPS 140-2 Non- Proprietary Security Policy. McAfee SIEM Cryptographic Module, Version 1.0 FIPS 40-2 Non- Proprietary Security Policy McAfee SIEM Cryptographic Module, Version.0 Document Version.4 December 2, 203 Document Version.4 McAfee Page of 6 Prepared For: Prepared By: McAfee, Inc. 282

More information

FIPS 140-2 Security Policy LogRhythm 6.0.4 Log Manager

FIPS 140-2 Security Policy LogRhythm 6.0.4 Log Manager FIPS 140-2 Security Policy LogRhythm 6.0.4 Log Manager LogRhythm 3195 Sterling Circle, Suite 100 Boulder CO, 80301 USA September 17, 2012 Document Version 1.0 Module Version 6.0.4 Page 1 of 23 Copyright

More information

NitroGuard Intrusion Prevention System Version 8.0.0.20080605 and 8.2.0 Security Policy

NitroGuard Intrusion Prevention System Version 8.0.0.20080605 and 8.2.0 Security Policy NitroGuard Intrusion Prevention System Version 8.0.0.20080605 and 8.2.0 Security Policy FIPS 140-2 Level 2 Validation Model Numbers NS-IPS-620R-4C-B NS-IPS-1220R-6C-B NS-IPS-1220R-4C-2F-B NS-IPS-620R-4C-BFS

More information

SECURE USB FLASH DRIVE. Non-Proprietary Security Policy

SECURE USB FLASH DRIVE. Non-Proprietary Security Policy SECURE USB FLASH DRIVE Non-Proprietary Security Policy FIPS 140-2 SECURITY POLICY VERSION 9 Page 1 of 10 Definitions and Acronyms AES Advanced Encryption Standard CBC Cipher Block Chaining CRC Cyclic Redundancy

More information

FIPS 140-2 SECURITY POLICY

FIPS 140-2 SECURITY POLICY FIPS 140-2 SECURITY POLICY Juniper Networks NetScreen-5200 HW P/N NS-5200 VERSION 3010 FW VERSIONS SCREENOS 5.0.0R9.H, SCREENOS 5.0.0R9A.H AND SCREENOS 5.0.0R9B.H Juniper NS-5200 Security Policy 1 Copyright

More information

Security Policy. Trapeze Networks

Security Policy. Trapeze Networks MP-422F Mobility Point Security Policy Trapeze Networks August 14, 2009 Copyright Trapeze Networks 2007. May be reproduced only in its original entirety [without revision]. TABLE OF CONTENTS 1. MODULE

More information

FIPS 140-2 SECURITY POLICY

FIPS 140-2 SECURITY POLICY FIPS 140-2 SECURITY POLICY Juniper Networks, Inc. SSG 320M and SSG 350M HW P/N SSG-320M and SSG-350M, FW Version ScreenOS 6.2.0 Document # 530-023730-01 Copyright Notice Copyright 2009 Juniper Networks,

More information

Cisco Telepresence C40, C60, and C90 Codecs (Firmware Version: TC5.0.2) (Hardware Version: v1) FIPS 140-2 Non-Proprietary Security Policy

Cisco Telepresence C40, C60, and C90 Codecs (Firmware Version: TC5.0.2) (Hardware Version: v1) FIPS 140-2 Non-Proprietary Security Policy Cisco Systems Cisco Telepresence C40, C60, and C90 Codecs (Firmware Version: TC5.0.2) (Hardware Version: v1) FIPS 140-2 Non-Proprietary Security Policy Level 2 Validation Document Version 1.0 2011 CISCO

More information

Pulse Secure, LLC. January 9, 2015

Pulse Secure, LLC. January 9, 2015 Pulse Secure Network Connect Cryptographic Module Version 2.0 Non-Proprietary Security Policy Document Version 1.1 Pulse Secure, LLC. January 9, 2015 2015 by Pulse Secure, LLC. All rights reserved. May

More information

1C - FIPS 140-2 Cisco VPN Client Security Policy

1C - FIPS 140-2 Cisco VPN Client Security Policy This document describes the Cisco VPN Client security policy. Introduction This non-proprietary cryptographic module security policy describes how version 3.6.5 of the Cisco software VPN Client meets the

More information

FIPS 140 2 Non Proprietary Security Policy: IBM Internet Security Systems Proventia GX Series Security

FIPS 140 2 Non Proprietary Security Policy: IBM Internet Security Systems Proventia GX Series Security FIPS 140 2 Non Proprietary Security Policy IBM Internet Security Systems Proventia GX Series Security Document Version 1.2 January 31, 2013 Document Version 1.2 IBM Internet Security Systems Page 1 of

More information

Secure Network Communications FIPS 140 2 Non Proprietary Security Policy

Secure Network Communications FIPS 140 2 Non Proprietary Security Policy Secure Network Communications FIPS 140 2 Non Proprietary Security Policy 21 June 2010 Table of Contents Introduction Module Specification Ports and Interfaces Approved Algorithms Test Environment Roles

More information

HEWLETT PACKARD TIPPINGPOINT. FIPS 140 2 NON PROPRIETARY SECURITY POLICY HP TippingPoint Security Management System

HEWLETT PACKARD TIPPINGPOINT. FIPS 140 2 NON PROPRIETARY SECURITY POLICY HP TippingPoint Security Management System HEWLETT PACKAD TIPPINGPOINT FIPS 140 2 NON POPIETAY SECUITY POLICY HP TippingPoint Security Management System Level 1 Validation Firmware Version: 3.2.0.8312.3 Document Version: 1.03 Page 1 of 31 FIPS

More information

SecureDoc Disk Encryption Cryptographic Engine

SecureDoc Disk Encryption Cryptographic Engine SecureDoc Disk Encryption Cryptographic Engine FIPS 140-2 Non-Proprietary Security Policy Abstract: This document specifies Security Policy enforced by SecureDoc Cryptographic Engine compliant with the

More information

CCNA Security 1.1 Instructional Resource

CCNA Security 1.1 Instructional Resource CCNA Security 1.1 Instructional Resource Chapter 8 Implementing Virtual Private Networks 2012 Cisco and/or its affiliates. All rights reserved. 1 Describe the purpose and types of VPNs and define where

More information

Symantec Corporation Symantec Enterprise Vault Cryptographic Module Software Version: 1.0.0.2

Symantec Corporation Symantec Enterprise Vault Cryptographic Module Software Version: 1.0.0.2 Symantec Corporation Symantec Enterprise Vault Cryptographic Module Software Version: 1.0.0.2 FIPS 140 2 Non Proprietary Security Policy FIPS Security Level: 1 Document Version: 1.1 Prepared for: Prepared

More information

SafeEnterprise TM ATM Encryptor II Model 600 FIPS 140-2 Level 3 Validation Non-Proprietary Security Policy

SafeEnterprise TM ATM Encryptor II Model 600 FIPS 140-2 Level 3 Validation Non-Proprietary Security Policy SafeEnterprise TM ATM Encryptor II Model 600 FIPS 140-2 Level 3 Validation Non-Proprietary Security Policy Hardware Models T1 RJ45 (901-11001-00x) E1 BNC (901-27001-00x) T3 BNC (901-37001-00x) E3 BNC (901-77001-00x)

More information

FIPS 140-2 Level 1 Security Policy for Cisco Secure ACS FIPS Module

FIPS 140-2 Level 1 Security Policy for Cisco Secure ACS FIPS Module FIPS 140-2 Level 1 Security Policy for Cisco Secure ACS FIPS Module Contents Overview, page 1 Security Requirements, page 2 Cryptographic Module Specification, page 2 Cryptographic Module Ports and Interfaces,

More information

FIPS 140-2 SECURITY POLICY FOR

FIPS 140-2 SECURITY POLICY FOR FIPS 140-2 SECURITY POLICY FOR SPECTRAGUARD ENTERPRISE SERVER August 31, 2011 FIPS 140-2 LEVEL-1 SECURITY POLICY FOR AIRTIGHT NETWORKS SPECTRAGUARD ENTERPRISE SERVER 1. Introduction This document describes

More information

FIPS 140-2 Security Policy LogRhythm 6.0.4 or 6.3.4 Windows System Monitor Agent

FIPS 140-2 Security Policy LogRhythm 6.0.4 or 6.3.4 Windows System Monitor Agent FIPS 140-2 Security Policy LogRhythm 6.0.4 or 6.3.4 Windows System Monitor Agent LogRhythm, Inc. 4780 Pearl East Circle Boulder, CO 80301 May 1, 2015 Document Version 2.0 Module Versions 6.0.4 or 6.3.4

More information

FIPS 140-2 SECURITY POLICY

FIPS 140-2 SECURITY POLICY FIPS 140-2 SECURITY POLICY Juniper Networks, Inc. SSG 140 HW P/N SSG-140-SB, SSG-140-SH, FW Version ScreenOS 6.3.0r6 Copyright Notice Copyright 2012 Juniper Networks, Inc. May be reproduced only in its

More information

Kaseya US Sales, LLC Virtual System Administrator Cryptographic Module Software Version: 1.0

Kaseya US Sales, LLC Virtual System Administrator Cryptographic Module Software Version: 1.0 Kaseya US Sales, LLC Virtual System Administrator Cryptographic Module Software Version: 1.0 FIPS 140-2 Non-Proprietary Security Policy FIPS Security Level: 1 Document Version: 1.0 Prepared for: Prepared

More information

FIPS 140-2 Security Policy for WatchGuard XTM

FIPS 140-2 Security Policy for WatchGuard XTM FIPS 140-2 Security Policy for WatchGuard XTM XTM 850, XTM 860, XTM 870, XTM 870-F XTM 1520, XTM 1525 XTM 1520-RP, XTM 1525-RP XTM 2520 Version: 2.9 November 5, 2014 FIPS 140-2 Security Policy for WatchGuard

More information

Secure Computing Corporation Secure Firewall (Sidewinder) 2150E (Hardware Version: 2150 with SecureOS v7.0.1.01)

Secure Computing Corporation Secure Firewall (Sidewinder) 2150E (Hardware Version: 2150 with SecureOS v7.0.1.01) Secure Computing Corporation Secure Firewall (Sidewinder) 2150E (Hardware Version: 2150 with SecureOS v7.0.1.01) FIPS 140-2 Non-Proprietary Security Policy Level 2 Validation Document Version 1.1 Prepared

More information

ZyWALL 5. Internet Security Appliance. Quick Start Guide Version 3.62 (XD.0) May 2004

ZyWALL 5. Internet Security Appliance. Quick Start Guide Version 3.62 (XD.0) May 2004 ZyWALL 5 Internet Security Appliance Quick Start Guide Version 3.62 (XD.0) May 2004 Introducing the ZyWALL The ZyWALL 5 is the ideal secure gateway for all data passing between the Internet and the LAN.

More information

FIPS 140-2 Security Policy 3Com Embedded Firewall PCI Cards

FIPS 140-2 Security Policy 3Com Embedded Firewall PCI Cards FIPS 140-2 Security Policy 3Com Embedded Firewall PCI Cards 3Com Corporation 5403 Betsy Ross Drive Santa Clara, CA 95054 USA February 24, 2006 Revision Version 0.4 Page 1 of 15 1. Introduction The following

More information

FIPS 140-2 Non-Proprietary Security Policy. FIPS Security Level: 2 Document Version: 1.9. 1201 Winterson Road Linthicum, MD 21090

FIPS 140-2 Non-Proprietary Security Policy. FIPS Security Level: 2 Document Version: 1.9. 1201 Winterson Road Linthicum, MD 21090 Ciena Corporation 565/5100/5200 Advanced Services Platform FW Version: 11.2 and 11.21 HW Versions: 565 Chassis (NT0H50DAE5 REV 004), Backplane SP Card (NT0H5066E5 Rev 04), QOTR/E Card (NT0H25BAE5 Rev 2),

More information

PA-200, PA-500, PA-2000 Series, PA-3000 Series, PA-4000 Series, PA-5000 Series and PA-7050 Firewalls Security Policy

PA-200, PA-500, PA-2000 Series, PA-3000 Series, PA-4000 Series, PA-5000 Series and PA-7050 Firewalls Security Policy PA-200, PA-500, PA-2000 Series, PA-3000 Series, PA-4000 Series, PA-5000 Series and PA-7050 Firewalls Security Policy Version: N Palo Alto Networks Revision Date: 11/19/15 www.paloaltonetworks.com 2015

More information

TABLE OF CONTENTS NETWORK SECURITY 2...1

TABLE OF CONTENTS NETWORK SECURITY 2...1 Network Security 2 This document is the exclusive property of Cisco Systems, Inc. Permission is granted to print and copy this document for non-commercial distribution and exclusive use by instructors

More information

Chapter 8 Lab B: Configuring a Remote Access VPN Server and Client

Chapter 8 Lab B: Configuring a Remote Access VPN Server and Client Chapter 8 Lab B: Configuring a Remote Access VPN Server and Client Topology Note: ISR G2 devices have Gigabit Ethernet interfaces instead of FastEthernet Interfaces. All contents are Copyright 1992 2012

More information

Asheville-Buncombe Technical Community College Department of Networking Technology. Course Outline

Asheville-Buncombe Technical Community College Department of Networking Technology. Course Outline Course Number: SEC 150 Course Title: Security Concepts Hours: 2 Lab Hours: 2 Credit Hours: 3 Course Description: This course provides an overview of current technologies used to provide secure transport

More information

1.1.1 Determining the Slot Number (Default)

1.1.1 Determining the Slot Number (Default) EK-FSFCO-WS ULTRIX/ULTRIX Worksystem Software Boot Commans for DECstation/DECsystem 5000 Moel 200 Series Processors Dear Digital Customer, Because of changes in the firmware of the DECstation/DECsystem

More information

Northrop Grumman M5 Network Security SCS Linux Kernel Cryptographic Services. FIPS Security Policy Version 2.42. www.northropgrumman.

Northrop Grumman M5 Network Security SCS Linux Kernel Cryptographic Services. FIPS Security Policy Version 2.42. www.northropgrumman. Northrop Grumman M5 Network Security SCS Linux Kernel Cryptographic Services FIPS Security Policy Version 2.42 www.northropgrumman.com/m5/ SCS Linux Kernel Cryptographic Services Security Policy Version

More information

13135 Lee Jackson Memorial Hwy., Suite 220 Fairfax, VA 22033 United States of America

13135 Lee Jackson Memorial Hwy., Suite 220 Fairfax, VA 22033 United States of America VMware, Inc. VMware Kernel Cryptographic Module Software Version: 1.0 FIPS 140-2 Non-Proprietary Security Policy FIPS Security Level: 1 Document Version: 1.0 Prepared for: Prepared by: VMware, Inc. 3401

More information

How To Industrial Networking

How To Industrial Networking How To Industrial Networking Prepared by: Matt Crites Product: Date: April 2014 Any RAM or SN 6xxx series router Legacy firmware 3.14/4.14 or lower Subject: This document provides a step by step procedure

More information

Lab 4.4.8a Configure a Cisco GRE over IPSec Tunnel using SDM

Lab 4.4.8a Configure a Cisco GRE over IPSec Tunnel using SDM Lab 4.4.8a Configure a Cisco GRE over IPSec Tunnel using SDM Objective Scenario Topology In this lab, the students will complete the following tasks: Prepare to configure Virtual Private Network (VPN)

More information

Release Notes. NCP Secure Entry Mac Client. Major Release 2.01 Build 47 May 2011. 1. New Features and Enhancements. Tip of the Day

Release Notes. NCP Secure Entry Mac Client. Major Release 2.01 Build 47 May 2011. 1. New Features and Enhancements. Tip of the Day NCP Secure Entry Mac Client Major Release 2.01 Build 47 May 2011 1. New Features and Enhancements Tip of the Day A Tip of the Day field for configuration tips and application examples is incorporated in

More information

FIPS 140-2 Non-Proprietary Security Policy. FIPS Security Level: 2 Document Version: 0.9

FIPS 140-2 Non-Proprietary Security Policy. FIPS Security Level: 2 Document Version: 0.9 Bomgar Corporation B200 and B300 Remote Support Appliances Firmware Version: 3.2.2FIPS; Software Version: 10.6.2FIPS; Hardware Versions: B200, B300, and B300 r1 FIPS 140-2 Non-Proprietary Security Policy

More information

HP Networking Switches

HP Networking Switches HP Networking Switches FIPS 140-2 Non-Proprietary Security Policy Level 2 Validation Version 1.02 April 2013 Copyright Hewlett-Packard Company 2012, May be reproduced only in its original entirety [without

More information

SECUDE AG. FinallySecure Enterprise Cryptographic Module. FIPS 140-2 Security Policy

SECUDE AG. FinallySecure Enterprise Cryptographic Module. FIPS 140-2 Security Policy SECUDE AG FinallySecure Enterprise Cryptographic Module (SW Version: 1.0) FIPS 140-2 Security Policy Document Version 2.4 04/22/2010 Copyright SECUDE AG, 2010. May be reproduced only in its original entirety

More information

Lab 6.2.12a Configure Remote Access Using Cisco Easy VPN

Lab 6.2.12a Configure Remote Access Using Cisco Easy VPN Lab 6.2.12a Configure Remote Access Using Cisco Easy VPN Objective Scenario Topology In this lab, the students will complete the following tasks: Enable policy lookup via authentication, authorization,

More information

Windows Server 2008 R2 Boot Manager Security Policy For FIPS 140-2 Validation

Windows Server 2008 R2 Boot Manager Security Policy For FIPS 140-2 Validation Boot Manager Security Policy Windows Server 2008 R2 Boot Manager Security Policy For FIPS 140-2 Validation v 1.3 6/8/11 1 INTRODUCTION... 1 1.1 Cryptographic Boundary for BOOTMGR... 1 2 SECURITY POLICY...

More information

7906G, 7911G, 7931G, 7941G, 7942G, 7945G, 7961G, 7961GE, 7962G, 7965G, 7970G, 7971G, 7971GE,

7906G, 7911G, 7931G, 7941G, 7942G, 7945G, 7961G, 7961GE, 7962G, 7965G, 7970G, 7971G, 7971GE, FIPS 140-2 Non-Proprietary Security Policy for the Cisco Unified IP Phone 7906G, 7911G, 7931G, 7941G, 7942G, 7945G, 7961G, 7961GE, 7962G, 7965G, 7970G, 7971G, 7971GE, and 7975G Introduction This is a non-proprietary

More information

Release Notes. NCP Secure Entry Mac Client. 1. New Features and Enhancements. 2. Improvements / Problems Resolved. 3. Known Issues

Release Notes. NCP Secure Entry Mac Client. 1. New Features and Enhancements. 2. Improvements / Problems Resolved. 3. Known Issues NCP Secure Entry Mac Client Service Release 2.05 Build 14711 December 2013 Prerequisites Apple OS X Operating System: The following Apple OS X operating system versions are supported with this release:

More information

Security Policy, DLP Cinema, Series 2 Enigma Link Decryptor

Security Policy, DLP Cinema, Series 2 Enigma Link Decryptor ISIONS DESCRIPTION ECO DATE APPROVED F Initial Release 2108109 06/02/10 Lee Armstrong Copyright 2010 by Texas Instruments.. Security Policy, DLP Cinema, Series 2 Enigma Link Decryptor The data in this

More information

ACADEMIA LOCAL CISCO UCV-MARACAY CONTENIDO DE CURSO CURRICULUM CCNA. SEGURIDAD CCNA SECURITY. VERSION 1.0

ACADEMIA LOCAL CISCO UCV-MARACAY CONTENIDO DE CURSO CURRICULUM CCNA. SEGURIDAD CCNA SECURITY. VERSION 1.0 ACADEMIA LOCAL CISCO UCV-MARACAY CONTENIDO DE CURSO CURRICULUM CCNA. SEGURIDAD CCNA SECURITY. VERSION 1.0 Module 1: Vulnerabilities, Threats, and Attacks 1.1 Fundamental Principles of a Secure Network

More information

CISCO IOS NETWORK SECURITY (IINS)

CISCO IOS NETWORK SECURITY (IINS) CISCO IOS NETWORK SECURITY (IINS) SEVENMENTOR TRAINING PVT.LTD [Type text] Exam Description The 640-553 Implementing Cisco IOS Network Security (IINS) exam is associated with the CCNA Security certification.

More information

FIPS 140-2 SECURITY POLICY

FIPS 140-2 SECURITY POLICY FIPS 140-2 SECURITY POLICY Juniper Networks NetScreen-5GT HW P/N NS-5GT FW Version ScreenOS 5.4.0r4-5.4.0r19 Document # 530-021313-01 JuniperNetworks NetScreen-5GT Security Policy 1 Copyright Notice Copyright

More information

Release Notes. NCP Secure Client Juniper Edition. 1. New Features and Enhancements. 2. Problems Resolved

Release Notes. NCP Secure Client Juniper Edition. 1. New Features and Enhancements. 2. Problems Resolved NCP Secure Client Juniper Edition Service Release: 9.30 Build 102 Date: February 2012 1. New Features and Enhancements The following describe the new features introduced in this release: Visual Feedback

More information

Lab 8.3.1.2 Configure Basic AP Security through IOS CLI

Lab 8.3.1.2 Configure Basic AP Security through IOS CLI Lab 8.3.1.2 Configure Basic AP Security through IOS CLI Estimated Time: 30 minutes Number of Team Members: Students will work in teams of two. Objective In this lab, the student will learn the following

More information

Tim Bovles WILEY. Wiley Publishing, Inc.

Tim Bovles WILEY. Wiley Publishing, Inc. Tim Bovles WILEY Wiley Publishing, Inc. Contents Introduction xvii Assessment Test xxiv Chapter 1 Introduction to Network Security 1 Threats to Network Security 2 External Threats 3 Internal Threats 5

More information

Integrated Services Router with the "AIM-VPN/SSL" Module

Integrated Services Router with the AIM-VPN/SSL Module Virtual Private Network (VPN) Advanced Integration Module (AIM) for the 1841 Integrated Services Router and 2800 and 3800 Series Integrated Services Routers The VPN Advanced Integration Module (AIM) for

More information

McAfee Firewall Enterprise 8.3.1

McAfee Firewall Enterprise 8.3.1 Configuration Guide Revision A McAfee Firewall Enterprise 8.3.1 FIPS 140-2 The McAfee Firewall Enterprise FIPS 140-2 Configuration Guide, version 8.3.1, provides instructions for setting up McAfee Firewall

More information

McAfee Firewall Enterprise 8.2.1

McAfee Firewall Enterprise 8.2.1 Configuration Guide FIPS 140 2 Revision A McAfee Firewall Enterprise 8.2.1 The McAfee Firewall Enterprise FIPS 140 2 Configuration Guide, version 8.2.1, provides instructions for setting up McAfee Firewall

More information

Viewing VPN Status, page 335. Configuring a Site-to-Site VPN, page 340. Configuring IPsec Remote Access, page 355

Viewing VPN Status, page 335. Configuring a Site-to-Site VPN, page 340. Configuring IPsec Remote Access, page 355 VPN This chapter describes how to configure Virtual Private Networks (VPNs) that allow other sites and remote workers to access your network resources. It includes the following sections: About VPNs, page

More information

Cisco 3745. Cisco 3845 X X X X X X X X X X X X X X X X X X

Cisco 3745. Cisco 3845 X X X X X X X X X X X X X X X X X X Data Sheet Virtual Private Network (VPN) Advanced Integration Module (AIM) for the 1841 Integrated Services Router and 2800 and 3800 Series Integrated Services Routers The VPN Advanced Integration Module

More information

Cisco 7140 VPN Router Security Policy

Cisco 7140 VPN Router Security Policy Introduction This nonproprietary Cryptographic Module Security Policy describes how Cisco 7140 VPN routers meet the security requirements of the Federal Information Processing Standards (FIPS) 140-1, and

More information

Understanding the Cisco VPN Client

Understanding the Cisco VPN Client Understanding the Cisco VPN Client The Cisco VPN Client for Windows (referred to in this user guide as VPN Client) is a software program that runs on a Microsoft Windows -based PC. The VPN Client on a

More information

Contact: Denise McQuillin Checked: Filename: 007-002-002_b2.doc

Contact: Denise McQuillin Checked: Filename: 007-002-002_b2.doc FIPS 140-2 Security Policy cipheroptics Security Gateway SafeNet High Assurance 4000 Gateway ECO, Date, and Revision History Rev A CB-072, 07/21/03, dtm Initial release Rev B CB-074, ttp, Mods requested

More information

Objectives. Background. Required Resources. CCNA Security

Objectives. Background. Required Resources. CCNA Security Chapter 8 Lab B, Configuring a Remote Access VPN Server and Client Topology IP Addressing Table Device Interface IP Address Subnet Mask Default Gateway Switch Port R1 FA0/1 192.168.1.1 255.255.255.0 N/A

More information

Lab 9.1.1 Organizing CCENT Objectives by OSI Layer

Lab 9.1.1 Organizing CCENT Objectives by OSI Layer Lab 9.1.1 Organizing CCENT Objectives by OSI Layer Objectives Organize the CCENT objectives by which layer or layers they address. Background / Preparation In this lab, you associate the objectives of

More information

Cisco Site-to-Site VPN Lab 3 / GRE over IPSec VPNs by Michael T. Durham

Cisco Site-to-Site VPN Lab 3 / GRE over IPSec VPNs by Michael T. Durham Cisco Site-to-Site VPN Lab 3 / GRE over IPSec VPNs by Michael T. Durham In part two of NetCertLabs Cisco CCNA Security VPN lab series, we explored setting up a site-to-site VPN connection where one side

More information

Chapter 4 Virtual Private Networking

Chapter 4 Virtual Private Networking Chapter 4 Virtual Private Networking This chapter describes how to use the virtual private networking (VPN) features of the FVL328 Firewall. VPN tunnels provide secure, encrypted communications between

More information

What s New in Fireware XTM v11.5.1

What s New in Fireware XTM v11.5.1 What s New in Fireware XTM v11.5.1 New Features in Fireware XTM v11.5.1 Major Changes IPv6 Network Configuration and Routing FIPS 140-2 Dynamic Routing Enhancements Clientless SSO Log and Report Manager

More information

Encrypted Preshared Key

Encrypted Preshared Key Encrypted Preshared Key The Encrypted Preshared Key feature allows you to securely store plain text passwords in type 6 (encrypted) format in NVRAM. Feature History for Encrypted Preshared Key Release

More information

Configuration Professional: Site to Site IPsec VPN Between Two IOS Routers Configuration Example

Configuration Professional: Site to Site IPsec VPN Between Two IOS Routers Configuration Example Configuration Professional: Site to Site IPsec VPN Between Two IOS Routers Configuration Example Document ID: 113337 Contents Introduction Prerequisites Requirements Components Used Conventions Configuration

More information

VMware, Inc. VMware Java JCE (Java Cryptographic Extension) Module

VMware, Inc. VMware Java JCE (Java Cryptographic Extension) Module VMware, Inc. VMware Java JCE (Java Cryptographic Extension) Module Software Version: 1.0 FIPS 140-2 Non-Proprietary Security Policy F I P S S E C U R I T Y L E V E L 1 D O C U M E N T V E R S I O N : 1.0

More information

Note: This case study utilizes Packet Tracer. Please see the Chapter 5 Packet Tracer file located in Supplemental Materials.

Note: This case study utilizes Packet Tracer. Please see the Chapter 5 Packet Tracer file located in Supplemental Materials. Note: This case study utilizes Packet Tracer. Please see the Chapter 5 Packet Tracer file located in Supplemental Materials. CHAPTER 5 OBJECTIVES Configure a router with an initial configuration. Use the

More information
