Security Policy. Trapeze Networks



Similar documents
Security Policy. Trapeze Networks

SNAPcell Security Policy Document Version 1.7. Snapshield

Secure File Transfer Appliance Security Policy Document Version 1.9. Accellion, Inc.

Accellion Secure File Transfer Cryptographic Module Security Policy Document Version 1.0. Accellion, Inc.

Pulse Secure, LLC. January 9, 2015

JUNOS-FIPS-L2 Cryptographic Module Security Policy Document Version 1.3

VASCO Data Security International, Inc. DIGIPASS GO-7. FIPS Non-Proprietary Cryptographic Module Security Policy

FIPS Security Policy LogRhythm Log Manager

SECUDE AG. FinallySecure Enterprise Cryptographic Module. FIPS Security Policy

Security Policy, DLP Cinema, Series 2 Enigma Link Decryptor

Secure Network Communications FIPS Non Proprietary Security Policy

FIPS Non Proprietary Security Policy: Kingston Technology DataTraveler DT4000 Series USB Flash Drive

FIPS Security Policy LogRhythm or Windows System Monitor Agent

FIPS Security Policy. for Motorola, Inc. Motorola Wireless Fusion on Windows CE Cryptographic Module

Symantec Corporation Symantec Enterprise Vault Cryptographic Module Software Version:

FIPS Non- Proprietary Security Policy. McAfee SIEM Cryptographic Module, Version 1.0

VMware, Inc. VMware Java JCE (Java Cryptographic Extension) Module

SECURE USB FLASH DRIVE. Non-Proprietary Security Policy

Nortel Networks, Inc. VPN Client Software (Software Version: 7_11.101) FIPS Non-Proprietary Security Policy

FIPS Non Proprietary Security Policy: IBM Internet Security Systems Proventia GX Series Security

Windows Server 2008 R2 Boot Manager Security Policy For FIPS Validation

Northrop Grumman M5 Network Security SCS Linux Kernel Cryptographic Services. FIPS Security Policy Version

SecureDoc Disk Encryption Cryptographic Engine

HP LTO-6 Tape Drive Level 1 Security Policy

Kaseya US Sales, LLC Virtual System Administrator Cryptographic Module Software Version: 1.0

FIPS Non-Proprietary Security Policy. IBM Internet Security Systems SiteProtector Cryptographic Module (Version 1.0)

13135 Lee Jackson Memorial Hwy., Suite 220 Fairfax, VA United States of America

FIPS Non Proprietary Security Policy: IBM Internet Security Systems Proventia GX Series Security

PA-200, PA-500, PA-2000 Series, PA-3000 Series, PA-4000 Series, PA-5000 Series and PA-7050 Firewalls Security Policy

FIPS SECURITY POLICY

Symantec Mobility: Suite Server Cryptographic Module

FIPS Non-Proprietary Security Policy. FIPS Security Level: 2 Document Version: 0.9

FIPS SECURITY POLICY

FIPS Level 1 Security Policy for Cisco Secure ACS FIPS Module

FIPS SECURITY POLICY

NitroGuard Intrusion Prevention System Version and Security Policy

Security Policy for FIPS Validation

SkyRecon Cryptographic Module (SCM)

RSA BSAFE. Crypto-C Micro Edition for MFP SW Platform (psos) Security Policy. Version , October 22, 2012

SafeEnterprise TM ATM Encryptor II Model 600 FIPS Level 3 Validation Non-Proprietary Security Policy

FIPS Documentation: Security Policy 05/06/ :21 AM. Windows CE and Windows Mobile Operating System. Abstract

FIPS Security Policy

FIPS Security Policy 3Com Embedded Firewall PCI Cards

FIPS SECURITY POLICY

Security Policy: Key Management Facility Crypto Card (KMF CC)

MOTOROLA MESSAGING SERVER SERVER AND MOTOROLA MYMAIL DESKTOP PLUS MODULE OVERVIEW. Security Policy REV 1.3, 10/2002

Cisco Telepresence C40, C60, and C90 Codecs (Firmware Version: TC5.0.2) (Hardware Version: v1) FIPS Non-Proprietary Security Policy

OpenSSL FIPS Security Policy Version 1.2.4

FIPS Non-Proprietary Security Policy. FIPS Security Level: 2 Document Version: Winterson Road Linthicum, MD 21090

Certification Report

1C - FIPS Cisco VPN Client Security Policy

FIPS Security Policy for WatchGuard XTM

Secure Computing Corporation Secure Firewall (Sidewinder) 2150E (Hardware Version: 2150 with SecureOS v )

FIPS SECURITY POLICY FOR

Certification Report

HEWLETT PACKARD TIPPINGPOINT. FIPS NON PROPRIETARY SECURITY POLICY HP TippingPoint Security Management System

Cisco Catalyst 3560-X and 3750-X Switches FIPS Level 2 Non-Proprietary Security Policy

MOTOROLA ACCOMPLI 009 PERSONAL COMMUNICATOR MODULE OVERVIEW SCOPE OF DOCUMENT. Security Policy REV 1.2, 10/2002

Computer Security: Principles and Practice

Certification Report

SPC5-CRYP-LIB. SPC5 Software Cryptography Library. Description. Features. SHA-512 Random engine based on DRBG-AES-128

Network Security Services (NSS) Cryptographic Module Version

Certicom Security for Government Suppliers developing client-side products to meet the US Government FIPS security requirement

How To Protect Your Computer From Attack

Athena Smartcard Inc. IDProtect Key with LASER PKI FIPS Cryptographic Module Security Policy. Document Version: 1.0 Date: April 25, 2012

An Introduction to Cryptography as Applied to the Smart Grid

Security Policy for Oracle Advanced Security Option Cryptographic Module

Message Authentication Codes. Lecture Outline

Security Builder. Certicom Corp. Security Builder Government Solutions Edition. Windows. FIPS Non-Proprietary Security Policy.

OpenSSL FIPS Security Policy Version 1.2.2

Certification Report

Certification Report

A COMPARISON OF THE SECURITY REQUIREMENTS FOR CRYPTOGRAPHIC MODULES IN FIPS AND FIPS 140-2

Seagate Secure Enterprise Self-Encrypting Drives FIPS 140 Module FIPS Security Policy

Contact: Denise McQuillin Checked: Filename: _b2.doc

7906G, 7911G, 7931G, 7941G, 7942G, 7945G, 7961G, 7961GE, 7962G, 7965G, 7970G, 7971G, 7971GE,

Directives and Instructions Regarding Security and Installation of Wireless LAN in DoD Federal Facilities

Introduction to Security and PIX Firewall

Using BroadSAFE TM Technology 07/18/05

OpenSSL FIPS Security Policy Version 1.2.3

Network Security. Gaurav Naik Gus Anderson. College of Engineering. Drexel University, Philadelphia, PA. Drexel University. College of Engineering

Transitions: Recommendation for Transitioning the Use of Cryptographic Algorithms and Key Lengths

ASA 5505, ASA 5510, ASA 5520, ASA 5540, ASA 5550, ASA , ASA , ASA 5585-X SSP-10, 5585-X SSP-20, 5585-X SSP-40

Cryptographic Modules, Security Level Enhanced. Endorsed by the Bundesamt für Sicherheit in der Informationstechnik

SMPTE Standards Transition Issues for NIST/FIPS Requirements v1.1

Network Authentication X Secure the Edge of the Network - Technical White Paper

Non-Proprietary Security Policy for the FIPS Level 1 Validated Fortress Secure Client Software Version 3.1

Overview. SSL Cryptography Overview CHAPTER 1

KeyStone Architecture Security Accelerator (SA) User Guide

FIPS Security Policy

Overview of CSS SSL. SSL Cryptography Overview CHAPTER

Archived NIST Technical Series Publication

PrivyLink Cryptographic Key Server *

Directives and Instructions Regarding Wireless LAN in Department of Defense (DoD) and other Federal Facilities

U.S. Federal Information Processing Standard (FIPS) and Secure File Transfer

How To Evaluate Watchguard And Fireware V11.5.1

Brocade MLXe and Brocade NetIron CER 2000 Series Ethernet Routers

Network Security Essentials Chapter 7

Security+ Guide to Network Security Fundamentals, Third Edition. Chapter 6. Wireless Network Security

Windows Server 2003 Enhanced Cryptographic Provider (RSAENH)

Transcription:

MP-422F Mobility Point Security Policy Trapeze Networks August 14, 2009 Copyright Trapeze Networks 2007. May be reproduced only in its original entirety [without revision].

TABLE OF CONTENTS 1. MODULE OVERVIEW...3 2. SECURITY LEVEL...4 3. MODES OF OPERATION...4 4. PORTS AND INTERFACES...5 5. IDENTIFICATION AND AUTHENTICATION POLICY...5 6. ACCESS CONTROL POLICY...6 ROLES AND SERVICES...6 UNAUTHENTICATED SERVICES:...6 DEFINITION OF CRITICAL SECURITY PARAMETERS (CSPS)...6 DEFINITION OF PUBLIC KEYS...6 DEFINITION OF CSPS MODES OF ACCESS...7 7. OPERATIONAL ENVIRONMENT...8 8. SECURITY RULES...8 9. PHYSICAL SECURITY POLICY...8 PHYSICAL SECURITY MECHANISMS...8 OPERATOR REQUIRED ACTIONS...8 10. MITIGATION OF OTHER ATTACKS POLICY...9 11. DEFINITIONS AND ACRONYMS...10 Page 2

1. Module Overview The Trapeze Networks MP-422F Mobility Point (access point) HW P/N MP-422F Rev. A, FW Versions MSS 6.1.1.2.0, 6.1.0.3 and 6.1.0.4 is a multi-chip standalone cryptographic module, whose primary purpose is to provide secure network communication to and from wireless users and connect them to an MX switch. The cryptographic boundary is defined as being the outer perimeter of the enclosure; the diagram below illustrates the cryptographic boundary. Figure 1 Image of the Cryptographic Module (Top) Figure 2 Image of the Cryptographic Module (Bottom) Page 3

2. Security Level The cryptographic module meets the overall requirements applicable to Level 2 security of FIPS 140-2. Table 1 Module Security Level Specification Security Requirements Section Level Cryptographic Module Specification 2 Module Ports and Interfaces 2 Roles, Services and Authentication 2 Finite State Model 2 Physical Security 2 Operational Environment N/A Cryptographic Key Management 2 EMI/EMC 2 Self-Tests 2 Design Assurance 2 Mitigation of Other Attacks N/A 3. Modes of Operation Approved mode of operation The cryptographic module only supports an Approved mode and supports the following Approved algorithms: AES CCM (Cert. #641) SHA-1 (Cert. #676) HMAC SHA-1 (Cert. #330) The module also supports the following non-approved algorithms: RSA Key Wrapping (1024-bit keys provide an effective strength of 80-bits) MD5 RNG (non-compliant) Page 4

The Approved software may be determined by verifying the software version is the Approved version via execution of the Show Version Details service from an attached MX switch. 4. Ports and Interfaces The cryptographic module provides the following physical ports and logical interfaces: 10/100 Mbps Ethernet (Qty. 2): Control In, Data In/Out, Status Out, Power In External RF Antenna (Qty. 2): Control In, Data In/Out, Status Out LEDs: Status Out 5. Identification and Authentication Policy Assumption of roles The cryptographic module shall support two distinct operator roles (User and Cryptographic- Officer). Table 2 Roles and Required Identification and Authentication Role Type of Authentication Authentication Data User Role-based operator authentication Knowledge of a Shared Secret (TK) Cryptographic-Officer Role-based operator authentication Knowledge of a Shared Secret (MX Secret) Table 3 Strengths of Authentication Mechanisms Authentication Mechanism Strength of Mechanism Knowledge of a Shared Secret The shared secret is at least 32-bits and at most 256-bits in length. The probability that a random attempt will succeed or a false acceptance will occur is at least 1/2^32 which is less than 1/1,000,000. Network latency and processor performance prevent a brute force attack from being successful within a given minute. The probability of a random attempt successfully authenticating to the module within one minute is less than 1/100,000 as a result of these resource restrictions. Page 5

6. Access Control Policy Roles and Services Table 4 Services Authorized for Roles Role Authorized Services User Secure Wireless Access: Allows the User to browse the network through an encrypted channel. Cryptographic-Officer: Establish Secure Session: Set-up an encrypted communication channel between the access point and the MX switch. Configure: Specify the non-security relevant operational settings for the access point. Monitor: Shows the status and statistics of the module. Session Management: Install the User Transient Key or remove a User from the network. Access Point Management: Reset/Zeroize the access point or Update the MX Secret. Unauthenticated Services: The cryptographic module supports the following unauthenticated services: Self-tests: This service executes the suite of self-tests required by FIPS 140-2 and is invoked by power cycling the module. Show Status: Status information is available through the LEDs. Definition of Critical Security Parameters (CSPs) The following are CSPs contained in the module: MX Secret: Used to authenticate the CO to the module AP-MX Master Key: Used to encrypt traffic between the access point and MX AP-MX RSA Private Key: Used to unwrap the AP-MX Master Key Software Integrity Key: Used to verify the software integrity Transient Key: Used to provide data confidentiality for network traffic and authenticate the User. Group Transient Key: Used to provide data confidentiality for a network group Definition of Public Keys Page 6

The following public key is contained in the module: AP-MX RSA Public Key: Used by an MX switch to wrap the AP-MX Master Key Definition of CSPs Modes of Access Table 5 defines the relationship between access to CSPs and the different module services. The modes of access shown in the table are defined as follows: Use Import Export: N/A Zeroize Role Table 5 CSP Access Rights within Roles & Services Service Cryptographic Keys and CSPs Access Operation C.O. User X Secure Wireless Access Use Transient Key or Group Transient Key Establish X Secure Session Use MX Secret Import AP-MX Master Key Use AP-MX RSA Private Key X Configure Use AP-MX Master Key X Monitor Use AP-MX Master Key X Session Management Use AP-MX Master Key Import Transient Key or Group Transient Key Access Point Use AP-MX Master Key X Management Import MX-Secret Import AP-MX RSA Private Key Zeroize All CSPs X X Show Status N/A X X Self-tests Use Software Integrity Key Page 7

7. Operational Environment The FIPS 140-2 Area 6 Operational Environment requirements are not applicable because the module does not contain a modifiable operational environment. 8. Security Rules The cryptographic module s design corresponds to the cryptographic module s security rules. This section documents the security rules enforced by the cryptographic module to implement the security requirements of this FIPS 140-2 Level 2 module. 1. The cryptographic module shall provide two distinct operator roles. These are the User role, and the Cryptographic-Officer role. 2. The cryptographic module shall provide role-based authentication. 3. When the module has not been placed in a valid role, the operator shall not have access to any cryptographic services. 4. The cryptographic module shall perform the following tests: Power up Self-Tests: 1. Cryptographic algorithm tests: AES CCM Known Answer Test HMAC SHA-1 Known Answer Test RSA Encrypt/Decrypt Known Answer Test 2. Software Integrity Test (HMAC SHA-1 Verification) 3. Critical Functions Tests: N/A. Conditional Self-Tests: 1. Continuous Random Number Generator Test (DRNG) 2. Software Load Test (HMAC SHA-1 Verification) 5. Data output shall be inhibited during self-tests, zeroization, and error states. 6. Status information shall not contain CSPs or sensitive data that if misused could lead to a compromise of the module. 9. Physical Security Policy Physical Security Mechanisms The cryptographic modules include the following physical security mechanisms: Production-grade components and production-grade opaque enclosure with tamper evident seals. Operator Required Actions Page 8

The operator is required to periodically inspect tamper evident seals. Table 7 Inspection/Testing of Physical Security Mechanisms Physical Security Mechanisms Application Guidance Details Tamper Evident Seals The module includes two tamper labels, Tamper evident seals are provided to help which should be applied on opposing indicate any attempt to transfer or remove sides, bridging the gap between the two the label in order to gain access inside the halves of the enclosure. module. Operators should periodically inspect tamper evident seals. If you should detect any evidence of tampering, you should inform your management and security office immediately. Upon placement of the seals, allow 24 hours for the adhesive seal to cure. Each TEL s position and corresponding serial no. should be recorded and logged for future reference. Figure 3 Tamper Label Placement 10. Mitigation of Other Attacks Policy The module has not been designed to mitigate any specific attacks beyond the scope of FIPS 140-2. Page 9

11. Definitions and Acronyms AES CCM Advanced Encryption Standard Counter with CBC-MAC SHA Secure Hash Algorithm MAC Keyed Hash Message Authentication Code RNG Random Number Generator RSA Rivest Shamir Adleman MD5 Message Digest Algorithm 5 DRNG Deterministic Random Number Generator Page 10

2024 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information