Nortel Networks, Inc. VPN Client Software (Software Version: 7_11.101) FIPS 140-2 Non-Proprietary Security Policy



Similar documents
Pulse Secure, LLC. January 9, 2015

Symantec Corporation Symantec Enterprise Vault Cryptographic Module Software Version:

Accellion Secure File Transfer Cryptographic Module Security Policy Document Version 1.0. Accellion, Inc.

FIPS Non-Proprietary Security Policy. IBM Internet Security Systems SiteProtector Cryptographic Module (Version 1.0)

1C - FIPS Cisco VPN Client Security Policy

FIPS Non- Proprietary Security Policy. McAfee SIEM Cryptographic Module, Version 1.0

Secure File Transfer Appliance Security Policy Document Version 1.9. Accellion, Inc.

Secure Network Communications FIPS Non Proprietary Security Policy

Kaseya US Sales, LLC Virtual System Administrator Cryptographic Module Software Version: 1.0

FIPS Security Policy LogRhythm Log Manager

SECUDE AG. FinallySecure Enterprise Cryptographic Module. FIPS Security Policy

13135 Lee Jackson Memorial Hwy., Suite 220 Fairfax, VA United States of America

Secure Computing Corporation Secure Firewall (Sidewinder) 2150E (Hardware Version: 2150 with SecureOS v )

FIPS SECURITY POLICY FOR

FIPS Security Policy. for Motorola, Inc. Motorola Wireless Fusion on Windows CE Cryptographic Module

FIPS Non Proprietary Security Policy: Kingston Technology DataTraveler DT4000 Series USB Flash Drive

FIPS Security Policy LogRhythm or Windows System Monitor Agent

Northrop Grumman M5 Network Security SCS Linux Kernel Cryptographic Services. FIPS Security Policy Version

VMware, Inc. VMware Java JCE (Java Cryptographic Extension) Module

FIPS Non Proprietary Security Policy: IBM Internet Security Systems Proventia GX Series Security

NitroGuard Intrusion Prevention System Version and Security Policy

Symantec Mobility: Suite Server Cryptographic Module

FIPS Non Proprietary Security Policy: IBM Internet Security Systems Proventia GX Series Security

SecureDoc Disk Encryption Cryptographic Engine

JUNOS-FIPS-L2 Cryptographic Module Security Policy Document Version 1.3

VASCO Data Security International, Inc. DIGIPASS GO-7. FIPS Non-Proprietary Cryptographic Module Security Policy

FIPS Non-Proprietary Security Policy. FIPS Security Level: 2 Document Version: 0.9

Windows Server 2008 R2 Boot Manager Security Policy For FIPS Validation

RSA BSAFE. Crypto-C Micro Edition for MFP SW Platform (psos) Security Policy. Version , October 22, 2012

Cisco Telepresence C40, C60, and C90 Codecs (Firmware Version: TC5.0.2) (Hardware Version: v1) FIPS Non-Proprietary Security Policy

TANDBERG MXP Codec (Firmware Version: F6.0) FIPS Non-Proprietary Security Policy

SNAPcell Security Policy Document Version 1.7. Snapshield

Security Policy. Trapeze Networks

FIPS Security Policy 3Com Embedded Firewall PCI Cards

SECURE USB FLASH DRIVE. Non-Proprietary Security Policy

MOTOROLA ACCOMPLI 009 PERSONAL COMMUNICATOR MODULE OVERVIEW SCOPE OF DOCUMENT. Security Policy REV 1.2, 10/2002

FIPS Level 1 Security Policy for Cisco Secure ACS FIPS Module

FIPS Security Policy for WatchGuard XTM

MOTOROLA MESSAGING SERVER SERVER AND MOTOROLA MYMAIL DESKTOP PLUS MODULE OVERVIEW. Security Policy REV 1.3, 10/2002

SkyRecon Cryptographic Module (SCM)

FIPS SECURITY POLICY

HEWLETT PACKARD TIPPINGPOINT. FIPS NON PROPRIETARY SECURITY POLICY HP TippingPoint Security Management System

FIPS SECURITY POLICY

Security Policy, DLP Cinema, Series 2 Enigma Link Decryptor

FIPS Non-Proprietary Security Policy. FIPS Security Level: 2 Document Version: Winterson Road Linthicum, MD 21090

Understanding the Cisco VPN Client

Blue Coat Systems, Inc. Secure Web Gateway Virtual Appliance-V100 Software Version: FIPS Non-Proprietary Security Policy

SafeEnterprise TM ATM Encryptor II Model 600 FIPS Level 3 Validation Non-Proprietary Security Policy

Network Security Services (NSS) Cryptographic Module Version

FIPS Security Policy

Non-Proprietary Security Policy for the FIPS Level 1 Validated Fortress Secure Client Software Version 3.1

ES3X 16 P, SM ES3X 24 P, SM D ES3X 48 P, PVDM4 32, PVDM4 64, PVDM4

Use Shrew Soft VPN Client to connect with IPSec VPN Server on RV130 and RV130W

McAfee Firewall Enterprise 8.3.1

VPN. VPN For BIPAC 741/743GE

McAfee Firewall Enterprise 8.2.1

Security Policy for Oracle Advanced Security Option Cryptographic Module

7906G, 7911G, 7931G, 7941G, 7942G, 7945G, 7961G, 7961GE, 7962G, 7965G, 7970G, 7971G, 7971GE,

Cisco Catalyst 3560-X and 3750-X Switches FIPS Level 2 Non-Proprietary Security Policy

How To Set Up A Vpn Tunnel Between Winxp And Zwall On A Pc 2 And Winxp On A Windows Xp 2 On A Microsoft Gbk2 (Windows) On A Macbook 2 (Windows 2) On An Ip

Configuring a Check Point FireWall-1 to SOHO IPSec Tunnel

SSL SSL VPN

FIPS Documentation: Security Policy 05/06/ :21 AM. Windows CE and Windows Mobile Operating System. Abstract

Release Notes. NCP Secure Entry Mac Client. Major Release 2.01 Build 47 May New Features and Enhancements. Tip of the Day

Security Technical. Overview. BlackBerry Enterprise Service 10. BlackBerry Device Service Solution Version: 10.2

OpenSSL FIPS Security Policy Version 1.2.4

TABLE OF CONTENTS NETWORK SECURITY 2...1

Release Notes. NCP Secure Client Juniper Edition. 1. New Features and Enhancements. 2. Problems Resolved

Certicom Security for Government Suppliers developing client-side products to meet the US Government FIPS security requirement

Configuring an IPSec Tunnel between a Firebox & a Check Point FireWall-1

ASA 5505, ASA 5510, ASA 5520, ASA 5540, ASA 5550, ASA , ASA , ASA 5585-X SSP-10, 5585-X SSP-20, 5585-X SSP-40

Chapter 7 Transport-Level Security

Astaro Security Gateway V8. Remote Access via SSL Configuring ASG and Client

Application Note: Onsight Device VPN Configuration V1.1

Configuring IPSec VPN Tunnel between NetScreen Remote Client and RN300

A COMPARISON OF THE SECURITY REQUIREMENTS FOR CRYPTOGRAPHIC MODULES IN FIPS AND FIPS 140-2

How To Industrial Networking

PA-200, PA-500, PA-2000 Series, PA-3000 Series, PA-4000 Series, PA-5000 Series and PA-7050 Firewalls Security Policy

Sonus Networks, Inc. SBC 5110 and 5210 Session Border Controllers Hardware Version: SBC 5110 and SBC 5210 Firmware Version: 4.0

DRAFT Standard Statement Encryption

FIPS Non-Proprietary Security Policy. FIPS Security Level: 2 Document Version: 0.7

HP LTO-6 Tape Drive Level 1 Security Policy

ZyWALL 5. Internet Security Appliance. Quick Start Guide Version 3.62 (XD.0) May 2004

BlackBerry Enterprise Service 10. Secure Work Space for ios and Android Version: Security Note

WebSphere DataPower Release FIPS and NIST SP a support.

Release Notes. NCP Secure Entry Mac Client. 1. New Features and Enhancements. 2. Improvements / Problems Resolved. 3. Known Issues

FIPS Security Policy

Connect:Direct Secure+ Option (3.7 on UNIX, 4.5 on z/os)

Security Policy Revision Date: 23 April 2009

Chapter 4 Virtual Private Networking

VPN SECURITY POLICIES

Implementing and Managing Security for Network Communications

Security Policy for FIPS Validation

The BANDIT Products in Virtual Private Networks

Chapter 8 Virtual Private Networking

Transcription:

Nortel Networks, Inc. VPN Client Software (Software Version: 7_11.101) FIPS 140-2 Non-Proprietary Security Policy Level 1 Validation Document Version 0.5 Prepared for: Prepared by: Nortel Networks, Inc. Corsec Security, Inc. 600 Technology Park Drive Billerica, MA 01821 10340 Democracy Lane, Suite 201 Fairfax, VA 22030 Phone: (978)-670-8888 Phone: (703) 267-6050 Fax: (978) 288-4004 Fax: (703) 267-6810 http://www.nortel.com http://www.corsec.com

Revision History Version Modification Date Modified By Description of Changes 0.1 2007-05-15 Xiaoyu Ruan Darryl H. Johnson Initial draft. 0.2 2008-02-21 Xiaoyu Ruan Added algorithm certificate numbers. 0.3 2008-06-06 Xiaoyu Ruan Version changed to 07_11.101. 0.4 2008-06-10 Xiaoyu Ruan Addressed Lab comments. 0.5 2008-09-17 Darryl H. Johnson Addressed Lab comments. Nortel VPN Client Software Page 2 of 14

Table of Contents 0 INTRODUCTION...4 0.1 PURPOSE...4 0.2 REFERENCES...4 0.3 DOCUMENT ORGANIZATION...4 1 VPN CLIENT SOFTWARE...5 1.1 OVERVIEW...5 1.2 MODULE INTERFACES...6 1.3 ROLES AND SERVICES...7 1.3.1 Crypto Officer Role...7 1.3.2 User Role...8 1.4 PHYSICAL SECURITY...9 1.5 OPERATIONAL ENVIRONMENT...9 1.6 CRYPTOGRAPHIC KEY MANAGEMENT...9 1.7 SELF-TESTS...12 1.8 DESIGN ASSURANCE...12 1.9 MITIGATION OF OTHER ATTACKS...12 2 SECURE OPERATION...13 2.1 INITIAL SETUP...13 2.2 CRYPTO OFFICER GUIDANCE...13 2.2.1 Installation...13 2.2.2 Management...13 2.2.3 Zeroization...13 2.3 USER GUIDANCE...13 3 ACRONYMS...14 Table of Figures FIGURE 1 LOGICAL BLOCK DIAGRAM...6 List of Tables TABLE 1 SECURITY LEVEL PER FIPS 140-2 SECTION...5 TABLE 2 MAPPING OF LOGICAL AND PHYSICAL INTERFACES...6 TABLE 3 MAPPING OF CRYPTO OFFICER S SERVICES TO INPUTS, OUTPUTS, CSPS, AND TYPE OF ACCESS...7 TABLE 4 MAPPING OF USER S SERVICES TO INPUTS, OUTPUTS, CSPS, AND TYPE OF ACCESS...8 TABLE 5 LIST OF CRYPTOGRAPHIC KEYS, CRYPTOGRAPHIC KEY COMPONENTS, AND CSPS...11 TABLE 6 FIPS-APPROVED MSCAPI MODULES PROVIDING RSA FUNCTIONALITY...13 TABLE 7 ACRONYMS...14 Nortel VPN Client Software Page 3 of 14

0 Introduction 0.1 Purpose This is a non-proprietary Cryptographic Module Security Policy for the Virtual Private Network (VPN) Client Software from Nortel Networks, Inc. This Security Policy describes how the VPN Client Software meets the security requirements of FIPS 140-2 and how to run the module in a secure FIPS 140-2 mode. This policy was prepared as part of the Level 1 FIPS 140-2 validation of the module. FIPS 140-2 (Federal Information Processing Standards Publication 140-2 Security Requirements for Cryptographic Modules) details the U.S. and Canadian Government requirements for cryptographic modules. More information about the FIPS 140-2 standard and validation program is available on the National Institute of Standards and Technology (NIST) Cryptographic Module Validation Program (CMVP) website at http://csrc.nist.gov/groups/stm/index.html. The VPN Client Software is referred to in this document as the VPN Client, the Client Software, or the module. 0.2 References This document deals only with operations and capabilities of the module in the technical terms of a FIPS 140-2 cryptographic module security policy. More information is available on the module from the following sources: The Nortel website (http://www.nortel.com/) contains information on the full line of products from Nortel. The CMVP website (http://csrc.nist.gov/groups/stm/index.html) contains contact information for answers to technical or sales-related questions for the module. 0.3 Document Organization The Security Policy document is one document in a FIPS 140-2 Submission Package. In addition to this document, the Submission Package contains: Vendor Evidence document Finite State Machine Other supporting documentation as additional references This Security Policy and the other validation submission documentation were produced by Corsec Security, Inc. under contract to Nortel. With the exception of this Non-Proprietary Security Policy, the FIPS 140-2 Validation Documentation is proprietary to Nortel and is releasable only under appropriate non-disclosure agreements. For access to these documents, please contact Nortel. Nortel VPN Client Software Page 4 of 14

1 VPN Client Software 1.1 Overview The Nortel VPN Client provides the user-side functionality for secure remote access over Internet Protocol (IP) networks using Nortel IP access routers and VPN routers. The VPN Client ensures end-to-end network security by establishing a fully encrypted and authenticated VPN connection from a user s desktop across the Internet, terminating at a Nortel VPN router located at a trusted enterprise location. The following table details the security level achieved by the VPN Client in each of the eleven sections of FIPS 140-2. Table 1 Security Level Per FIPS 140-2 Section Section Section Title Level 1 Cryptographic Module Specification 1 2 Cryptographic Module Ports and Interfaces 1 3 Roles, Services, and Authentication 1 4 Finite State Model 1 5 Physical Security N/A 6 Operational Environment 1 7 Cryptographic Key Management 1 8 Electromagnetic Interference/Electromagnetic Compatibility 3 9 Self-tests 1 10 Design Assurance 1 11 Mitigation of Other Attacks N/A The Nortel VPN Client is a software module composed of a set of binaries running on the Windows 2000 or Windows XP operating system on a general-purpose personal computer (PC). The module was tested for FIPS 140-2 requirements on Windows XP Professional with Service Pack (SP) 2. Testing was not performed on Windows 2000. In FIPS 140-2 terminology, the VPN Client is a multi-chip standalone module that meets the Level 1 FIPS 140-2 requirements. Physically, the module is composed of the components of a general purpose PC, and the physical cryptographic boundary is the case of the PC. The PC or motherboard manufacturer could provide a block diagram for the exact hardware on which the module is installed, and the physical cryptographic boundary surrounds all of those components. Logically, the VPN Client consists of the following four binaries running on Windows 2000 or Windows XP operating system (and the logical cryptographic boundary includes these four components, as depicted in Figure 1): VPN Client Application (extranet.exe) Performs Internet Key Exchange (IKE) and provides a graphical user interface (GUI) IPSec Driver (ipsecw2k.sys) Performs Internet Protocol Security (IPsec) functions Filter Driver (eacfilt.sys) Filters traffic other than IKE and IPsec communications Library (CertAl.dll) Interfaces with Microsoft Crypto Application Programming Interface (MSCAPI) for authentication using digital certificates Nortel VPN Client Software Page 5 of 14

Figure 1 Logical Block Diagram 1.2 Module Interfaces The VPN Client Software s physical ports are those provided by the general purpose PC, including the Ethernet ports and mouse/keyboard ports. The Client s logical interfaces are composed of: GUI line interface (CLI) Application programming interface (API) Configuration and log files Packets traversing the networking stack A mapping of the FIPS 140-2 logical interfaces to the VPN Client s logical interfaces and the physical interfaces of the PC can be found in the following table. Table 2 Mapping of Logical and Physical Interfaces FIPS Logical Interface VPN Client Logical Interface(s) Physical Interface(s) Data Input Interface The data input is any data sent into the module through the networking stack to an application on the PC (such as email, browser, etc), and any data coming into the module through the networking stack from the network ports. Also, data input to the module via the MSCAPI for certificate processing and Rivest Shamir Adleman (RSA) algorithm operations. Network ports Nortel VPN Client Software Page 6 of 14

FIPS Logical Interface VPN Client Logical Interface(s) Physical Interface(s) Data Output Interface Control Input Interface Status Output Interface The data output is any data going out of the module through the networking stack from an application on the PC (such as email, browser, etc), and any data going out of the module through the networking stack out the network ports. Also, data output from the module to MSCAPI for certificate processing and RSA operations. Data read from configuration files, data input via the Nortel VPN Client GUI or CLI. The Status Output is all error messages either logged by the module in a log file or the error messages in the GUI. The error messages from IKE negotiations are also status output. The logged error messages can be seen through the log files provided. Network ports Keyboard port, hard disk, mouse ports Light-emitting diodes (LEDs), hard disk, monitor ports 1.3 Roles and Services The module supports role-based authentication. There are two roles in the module (as required by FIPS 140-2) that operators may assume: Crypto Officer and User. 1.3.1 Crypto Officer Role The Crypto Officer role has the ability to install, uninstall, and configure the module s services using the GUI and CLIs provided by the module. Descriptions of the services (along with the inputs, outputs, critical security parameters (CSPs) and type of access for each) available to the Crypto Officer role are provided in the table below. Table 3 Mapping of Crypto Officer s Services to Inputs, Outputs, CSPs, and Type of Access Install Service Description Input Output CSP Customize Client installation Create a connection Profile data Installing the VPN Client Client software installation customization using setup.ini To set up connection parameters To add/edit/delete a profile or s or s Result of installation Result of customization Status of command, response and results Status of command, response and results Keyed-Hash Message Authentication Code (HMAC) - Secure Hash Algorithm (SHA1) for Integrity check Username and password Type of Access Read Read/Write Nortel VPN Client Software Page 7 of 14

Service Description Input Output CSP Authentication Name Server KeepAlives Auto Connect Connect before logon Uninstall Start/Stop Show status To authenticate to the Nortel VPN router To specify a Domain Name Service (DNS) or Windows Internet Name Service (WINS) server, overriding the Nortel VPN router To enable or disable KeepAlive packets that maintain a connection during idle periods To Install/uninstall Auto Connect feature To enable or disable the Nortel VPN Client Graphical Identification and Authentication (GINA) dialog box on logon To uninstall the software To start/stop the Nortel VPN Client services. The self tests are performed during the module start/restart. Status messages for the module written to log file. or s option Menu or s Zeroization Zeroizing CSPs Uninstalling the module and reformatting the hard drive 1.3.2 User Role response Username and password response response response response response All CSPs Status of command HMAC-SHA1 for Integrity check Type of Access Write Delete Read s Status info in log file Result of zeroizing All CSPs Delete The User role has the ability to establish and utilize VPN sessions with a Nortel VPN router. Descriptions of the services available to the User role are provided in the table below. Table 4 Mapping of User s Services to Inputs, Outputs, CSPs, and Type of Access Service Description Input Output CSP VPN session Use the VPN services Encrypted/decrypted data Encrypt/decrypted data IPsec Session keys Type of Access Read/Write Nortel VPN Client Software Page 8 of 14

Service Description Input Output CSP Connect Edit profile Change password Monitor Status Disconnect To establish VPN session by authenticating to the Nortel VPN router Edit the profile information on the Client Change the current password used on the Nortel VPN router To monitor connection status To end the VPN session 1.4 Physical Security Authentication Information Result of login attempt Updated profile information Username and password Username and password Password Updated password Password Write Status of command Status of command IPsec Session keys Type of Access Read/Write Read/Write Delete The VPN Client Software is a multi-chip standalone cryptographic module. It is a software module and does not implement any physical security mechanisms. Although the VPN Client consists entirely of software, the FIPS 140-2 tested platform is a standard PC which has been tested for, and meets, applicable Federal Communication Commission (FCC) Electromagnetic Interference (EMI) and Electromagnetic Compatibility (EMC) requirements for home and business use as defined in Subpart B of FCC Part 15. 1.5 Operational Environment The Nortel VPN Client was tested and validated on Windows XP, but it could run on either Windows XP or Windows 2000. For FIPS 140-2 compliance, these are considered to be single user operating systems. As such, all keys, intermediate values, and other CSPs remain only in the process space of the operator using the module. The operating system uses its native memory management mechanisms to ensure that outside processes cannot access the process space used by the module. 1.6 Cryptographic Key Management The module utilizes the following FIPS-approved software algorithm implementations: Advanced Encryption Standard (AES) Cipher-Block Chaining (CBC) mode (128, 256 bits) FIPS 197 (certificate #721) Triple Data Encryption Standard (Triple-DES) CBC mode (112, 168 bits) FIPS 46-3 (certificate #644) Secure Hash Algorithm (SHA-1) FIPS 180-2 (certificate #740) Keyed-Hash Message Authentication Code SHA-1 (HMAC-SHA1) FIPS 198 (certificate #389) Pseudorandom Number Generator (PRNG) General purpose implementation of FIPS 186-2 [(x-original); (SHA-1)] (certificate #421) In the FIPS mode of operation, the module utilizes the following non-approved key agreement schemes. They are allowed by FIPS 140-2: Nortel VPN Client Software Page 9 of 14

Diffie-Hellman Group 2 (1024 bit), providing 80 bits of key strength Diffie-Hellman Group 5 (1536 bit), providing 96 bits of key strength The module disables the following algorithm(s) when running in a FIPS mode of operation: Diffie-Hellman Group 8 (Elliptical Curve Discrete Logarithm (ECDL)) Diffie-Hellman Group 1 (768 bit) Data Encryption Standard (DES) 40-bit DES Message-Digest Algorithm 5 (MD5) Keyed Hash Message Authentication Code MD5 (HMAC-MD5) The following table lists all cryptographic keys, key components, and CSPs used by the module. Nortel VPN Client Software Page 10 of 14

Table 5 List of Cryptographic Keys, Cryptographic Key Components, and CSPs Key Key Type Generation / Input Output Storage Zeroization Use Integrity check HMAC-SHA1 key FIPS 186-2 PRNG Seed key Passwords IPsec pre-shared keys RSA public keys (Certificates) IKE Diffie-Hellman key pair IKE Diffie-Hellman public key IPsec session keys HMAC (160 bits) Seed key (160 bits) Alphanumeric string (minimum of 6 characters) IPsec pre-shared key (160 bits) RSA public key (1024 4096 bits) Diffie-Hellman Group 2 (1024 bits) or Group 5 (1536 bits) Diffie-Hellman Group 2 (1024 bits) or Group 5 (1536 bits) AES (128, 256 bits) Triple-DES (112, 168 bits), HMAC-SHA-1 keys (160 bits) Externally generated predetermined value hard coded into the module Generated internally by gathering system entropy Externally created by an operator and entered into the module Generated internally by HMAC of user ID and password Externally generated and input into and output from the module during IKE Generated internally during IKE Exchanged during IKE Negotiated during IKE using Diffie- Hellman key agreement Never Never Never Never During IPsec/IKE negotiation in plaintext Never During IPsec/IKE negotiation in plaintext Never Non-volatile memory (hard drive plaintext) in module binaries in \isakmpd\fips.cpp Volatile memory only (plaintext) Volatile memory, or nonvolatile memory (hard drive plaintext) Volatile memory only (plaintext) Volatile memory only (plaintext) Volatile memory only (plaintext) Volatile memory only (plaintext) Volatile memory only (plaintext) When the module is uninstalled or the hard drive is reformatted. When the module reboots By changing the password When the module reboots When the module reboots When no longer used by the module or reboot When no longer used by the module or reboot When no longer used by the module or reboot Software integrity check Used by FIPS 186-2 PRNG Generate pre-shared keys for authentication during IKE Mutual authentication between the module and the server Mutual authentication between the module and the server Used for session key agreement public key sent to server Used for session key agreement received from server Used to encrypt/decrypt/hmac tunnel traffic Nortel VPN Client Software Page 11 of 14

1.7 Self-Tests The VPN Client performs the following self-tests at power-up: Software integrity check: Verifying the integrity of the software binaries of the module using an HMAC- SHA1 keyed hash. AES Known Answer Test (KAT): Verifying the correct operation of the AES algorithm implementation. Triple-DES KAT: Verifying the correct operation of the Triple-DES algorithm implementation. SHA-1 KAT: Verifying the correct operation of the SHA-1 algorithm implementation. HMAC-SHA1 KAT: Verifying the correct operation of the HMAC-SHA1 algorithm implementation. FIPS 186-2 PRNG KAT: Verifying the correct operation of the FIPS 186-2 PRNG implementation. The VPN Client performs the following conditional self-tests: FIPS 186-2 Continuous Random Number Generator (RNG): Verifying that the Approved RNG does not repeatedly generate a constant value. Continuous RNG for entropy gathering: Verifying that the seed for the FIPS 182-2 PRNG does not repeatedly generate a constant value. Alternating bypass mode test: Verifying the integrity of the modules bypass capability hardcoded in the filter driver. The VPN Client will start its services only after all the self tests have passed. If the self tests have not passed, it enters an error state and logs the failure. All error conditions can be cleared by restarting the module. 1.8 Design Assurance Nortel Networks uses the ClearCase Configuration Management System. The ClearCase software is used for software and document version control, code sharing, and build management. ClearCase also keeps track of what versions of files were used for each release and what combinations were used in builds. Additionally, Microsoft Visual SourceSafe is used to provide configuration management for the VPN Client Software s FIPS documentation. This software provides access control, versioning, and logging. 1.9 Mitigation of Other Attacks This section is not applicable. The VPN Client module does not claim to mitigate any attacks beyond the FIPS 140-2 Level 1 requirements for this validation. Nortel VPN Client Software Page 12 of 14

2 Secure Operation The VPN Client Software meets Level 1 requirements for FIPS 140-2. The sections below describe how to place and keep the module in FIPS-approved mode of operation. 2.1 Initial Setup By default, the Nortel VPN Client is configured for a FIPS mode of operation. 2.2 Crypto Officer Guidance The Crypto Officer is responsible for installation, customization configuration, management of the module, and removal of the module. More details on how to use the module can be found in the Configuring the Nortel VPN Client and Using the Nortel VPN Client in FIPS Mode documents. 2.2.1 Installation The module uses RSA digital signature generation and verification as provided by the Microsoft Windows Operating System through the FIPS-approved MSCAPI libraries. However, the RSA functionality is not included inside the module; it is provided by one of the following FIPS-approved MSCAPI modules: Table 6 FIPS-Approved MSCAPI Modules Providing RSA Functionality Certificate # Windows Platform rsaenh.dll Version 238 XP 5.1.2518.0 [XP] 5.1.2600.1029 [XP SP1] 5.1.2600.2161 {XP SP2] 103 2000 SPx 5.0.2150.1391 [SP1] 5.0.2195.2228 [SP2] 5.0.2195.3839 [SP3] 76 2000 5.0.2150.1 2.2.2 Management By default, the Nortel VPN Client is configured for a FIPS mode of operation. The module can be put in a non- FIPS mode during custom installation or configuration. When switching between FIPS and non-fips modes, the operator must zeroize the group and user passwords by overwriting them with new values. Operators must not perform switching between FIPS and non-fips mode when using the module in a FIPS mode of operation. This should only be done during installation. 2.2.3 Zeroization At the end of the life cycle of the module, the Crypto Officer must uninstall the module s software, overwrite all addressable locations with a single character, and reformat the hard drive which contained the software. This will zeroize all hard-coded keys and CSPs stored on the drive. 2.3 User Guidance The User accesses the module s VPN functionality. The User must not modify the configuration of the module as established by the Crypto Officer, nor should a User reveal any of the CSPs (such as group and user passwords) used by the module to other parties. Nortel VPN Client Software Page 13 of 14

3 Acronyms Table 7 Acronyms Acronym Definition AES Advanced Encryption Standard API Application Programming Interface CBC Cipher-Block Chaining CLI Line Interface CMVP Cryptographic Module Validation Program CSP Critical Security Parameter DES Data Encryption Standard DNS Domain Name Service ECDL Elliptical Curve Discrete Logarithm EMC Electromagnetic Compatibility EMI Electromagnetic Interference FCC Federal Communication Commission FIPS Federal Information Processing Standard GINA Graphical Identification and Authentication GUI Graphical User Interface HMAC (Keyed-) Hash Message Authentication Code IKE Internet Key Exchange IP Internet Protocol IPsec Internet Protocol Security KAT Known Answer Test LED Light Emitting Diode MD5 Message-Digest Algorithm 5 MSCAPI Microsoft Crypto Application Programming Interface NIST National Institute of Standards and Technology PC Personal Computer PRNG Pseudorandom Number Generator RNG Random Number Generator RSA Rivest Shamir Adleman SHA Secure Hash Algorithm SP Service Pack VPN Virtual Private Network WINS Windows Internet Name Service Nortel VPN Client Software Page 14 of 14

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information