Nokia IP265 Security Guide

Nokia IP265 - Security Appliance Manual

Get Nokia IP265 - Security Appliance PDF manuals and user guides View all Nokia IP265 manuals
Add to My Manuals
Save this manual to your list of manuals

Nokia IP265 manual content summary:

  • Nokia IP265 | Security Guide - Page 1
    Security Policy Level 2 Validation Version 1.7 Aug 2007 Module Hardware Versions: IP260, IP265, IP1220, and IP1260 Firmware Versions: IPSO v3.9 and v4.1 Check Point VPN-1 NGX (R60) [HFA-03] © Copyright 2005, 2006, 2007 Nokia This document may be freely reproduced and distributed whole and intact
  • Nokia IP265 | Security Guide - Page 2
    NOKIA VPN APPLIANCE 4 2.1 OVERVIEW ...4 2.2 CRYPTOGRAPHIC MODULE 5 2.3 MODULE INTERFACES 7 2.4 ROLES AND SERVICES 8 2.4.1 Crypto Officer Role 8 2.4.2 User 26 3.1.1 Hardware Setup 26 3.1.2 Installing, Upgrading or Downgrading the Module Firmware 28 3.1.3 Initializing Check Point Modules 31
  • Nokia IP265 | Security Guide - Page 3
    .com/) contains information on the full line of products from Nokia. Additional information regarding the Check Point VPN-1 firmware that is used inside the Nokia VPN Appliances, including specific configuration instructions for the firmware can be found by referencing the Check Point VPN-1 FIPS
  • Nokia IP265 | Security Guide - Page 4
    Point VPN-1/FireWall-1 performance by using the Nokia Firewall Flows. VPN performance is enhanced through the use of internal hardware cryptographic acceleration. The following chart illustrates the performance differences of the modules covered by this Security Policy: Model IP260 IP265 IP1220
  • Nokia IP265 | Security Guide - Page 5
    of the module to the end user. The end-user has no option to service or install these internal components. All component slots are secured with Tamper seals (see Section 3.1.1.1) for FIPS mode. The IP260 and IP265 hardware versions do not support FRU options. The Nokia VPN Appliances run the
  • Nokia IP265 | Security Guide - Page 6
    were tested: FIPS 140-2 DTR Section 1 2 3 4 5 6 7 8 9 10 11 Requirements Section Title Cryptographic Module Specification Cryptographic Module Ports and Interfaces Roles, Services, and Authentication Finite State Model Physical Security Operational Environment Cryptographic Key Management EMI/EMC
  • Nokia IP265 | Security Guide - Page 7
    (Disabled) Console Port I/O IP260/IP265 4 1 1 N/A 2 (enabled) 1 1 1 1 1 IP1220/IP1260 4 1 1 3 2 (disabled) 1 1 1 built in, 1 per optional PMC NIC card) 1 1 built in, additional depending on number of I/O option cards installed Descriptions of the status LEDs © Copyright 2005, 2006, 2007 Nokia
  • Nokia IP265 | Security Guide - Page 8
    for this purpose: • CLI - the Crypto Officer can use the CLI to configure and monitor IPSO systems. This can be done locally by using the console port or remotely by using the SSH secured management session. © Copyright 2005, 2006, 2007 Nokia Page 8 of 43 This document may be freely reproduced and
  • Nokia IP265 | Security Guide - Page 9
    provided in Table 3. . Service Startup configuration Table 3 - Crypto Officer Services, Descriptions, Inputs, and Outputs Description Input Output Provide network connectivity and set a password for the admin account Commands and configuration data(via local console) Status of commands and
  • Nokia IP265 | Security Guide - Page 10
    keys for TLS (read/write access); X9.31 PRNG keys (read access) Password (read/write access) Password (read access) The password itself is read-write while the v3 service is read access © Copyright 2005, 2006, 2007 Nokia Page 10 of 43 This document may be freely reproduced and distributed whole and
  • Nokia IP265 | Security Guide - Page 11
    and view the security and access features through the CLI: configure and view network access; add firmware licenses to the platform; configure Authentication, Authorization, and Accounting (AAA); enable and disable and configure SSH services; add and delete new system users; create and delete groups
  • Nokia IP265 | Security Guide - Page 12
    or peers; display information about packages installed on the local system Commands and configuration data Configure, manage, and view SNMP settings through the CLI: configure SNMP parameters; enable and disable SNMP; add users who are authorized to use SNMPv3; show SNMP implementation commands
  • Nokia IP265 | Security Guide - Page 13
    's CLI commands Initial configuration of the Check Point firmware: install licenses, configure the SNMP daemon, modify the list of UNIX groups authorized to run VPN-1 services, register a cryptographic token, enter random data to help seed the PRNG, configure the one-time SIC password, and specify
  • Nokia IP265 | Security Guide - Page 14
    write access) Table 4 - User Services, Descriptions, Inputs and Outputs 2.4.3 Authentication Mechanisms The modules implement password-based authentication (console and SSH), RSA-based authentication (TLS, IKE and SSH), DSA-based authentication (SSHv2). HMAC SHA-1 is used for data packet integrity
  • Nokia IP265 | Security Guide - Page 15
    login locally at initialization through the console CLI and enter an authorized RSA or DSA public key generated at the client. This public key will be used authenticate by using the user ID and password. It is the same password used to access the CLI. The only restriction is that the password must be
  • Nokia IP265 | Security Guide - Page 16
    using a password with repetition, the number of potential passwords is 26^6. Table 5 - Estimated Strength of Authentication Mechanisms 2.5 Electromechanical Interference/Compatibility (FCC Compliance) Each module hardware configuration module hardware version. Specific quantities and locations are
  • Nokia IP265 | Security Guide - Page 17
    Point firmware. Hardware acceleration is accomplished either by hard-wired accelerator chips or by optional version-specific internal accelerator cards that are installed by the factory or reseller prior to delivery to the end-user. The IP380 and IP385 module hardware versions support an optional
  • Nokia IP265 | Security Guide - Page 18
    under 1024-bits) Key agreement / Key establishment: • Diffie-Hellman (Public key sizes under 1024-bits, private key sizes under 160-bits) © Copyright 2005, 2006, 2007 Nokia Page 18 of 43 This document may be freely reproduced and distributed whole and intact including this Copyright Notice.
  • Nokia IP265 | Security Guide - Page 19
    PUB 198, RFC 2104 (HMAC: Keyed-Hashing for Message Authentication), and RFC 2404 (using HMAC-SHA-1-96 within ESP and AH). Data hashing: • Secure Hash Algorithm (SHA 80 bits of encryption strength. © Copyright 2005, 2006, 2007 Nokia Page 19 of 43 This document may be freely reproduced and distributed
  • Nokia IP265 | Security Guide - Page 20
    Session security: • SSHv1 (configured to use FIPS-approved algorithms) • SSHv2 (configured to use FIPS-approved algorithms) • TLS v1.0 (configured to use FIPS-approved algorithms) according to RFC 2246 • IPSec (configured to use FIPS-approved algorithms) © Copyright 2005, 2006, 2007 Nokia Page 20 of
  • Nokia IP265 | Security Guide - Page 21
    The module supports the following using X9.31 PRNG Internal - using X9.31 PRNG Internal - using X9.31 PRNG Internal - using X9.31 PRNG External Storage Stored in plaintext on disk Stored in plaintext in memory during IKE © Copyright 2005, 2006, 2007 Nokia Page 21 of 43 This document may be
  • Nokia IP265 | Security Guide - Page 22
    memory Stored in plaintext in memory Stored in plaintext in memory Stored in plaintext in memory Stored in plaintext in memory Cached to disk Stored in plaintext in memory Stored in plaintext in memory Stored in plaintext in memory, but entropy used Copyright 2005, 2006, 2007 Nokia Page 22 of 43 This
  • Nokia IP265 | Security Guide - Page 23
    supported in IPSO v3.9 only CSPs type Six-character password (SNMPv3 requires at least eight characters) Generation External Storage Stored in plaintext on disk Use used should be used for DSA not be used in FIPS PRNG is used to keys, and passwords are stored in plaintext in memory. 2.8.5
  • Nokia IP265 | Security Guide - Page 24
    Self-tests: • Integrity tests: the modules use a CRC-32 to check the integrity of its various firmware components, including verifying the integrity of the random number generators of the module. © Copyright 2005, 2006, 2007 Nokia Page 24 of 43 This document may be freely reproduced and distributed whole
  • Nokia IP265 | Security Guide - Page 25
    SharePoint was used to provide configuration management for the module's FIPS documentation. These document management utilities provide access control, versioning, and logging. 2.11 Mitigation of Other Attacks The modules do not employ security mechanisms to mitigate specific attacks. © Copyright
  • Nokia IP265 | Security Guide - Page 26
    can use the module after the Crypto Officer changes the mode of operation to FIPS-Approved. The secure operation for the User is described in Section 3.2, "User Guidance". 3.1 Crypto Officer Guidance The secure operation procedures include the initial setup, configuring the Check Point modules in
  • Nokia IP265 | Security Guide - Page 27
    IP260/IP265) provides optional storage media for the Nokia VPN appliances. Refer to Figure 4 for placement of tamper seals over the Flash memory bays when configuring in Figure 4 depending on whether or not Flash cards are installed. 3. Record the serial number of the applied seal(s) in a
  • Nokia IP265 | Security Guide - Page 28
    the boot command. 8. Follow the initial configuration procedures described in the appropriate Appliance Installation Guide. 3.1.2 Installing, Upgrading or Downgrading the Module Firmware New modules come preinstalled with the Nokia IPSO operating system and a version of the Check Point VPN
  • Nokia IP265 | Security Guide - Page 29
    page 8. Now access the device console, exit and login again if you have a currently active session, and follow the instructions below to install the NGX with (R60) and HFA-03 B. Install Check Point NGX (R60) from the system console: 1. FTP (with user ID and password) the Check Point packages to
  • Nokia IP265 | Security Guide - Page 30
    "Installation Guide for FIPS 140-2 Kit and Nokia IPSO 3.9 Build 045". 8. Follow the instructions below to install HFA (note that the FIPS 140-2 validated Check Point Hot Fix is HFA-03). C. Install HFA for Check Point NGX (R60) from the system console: 1. Ensure that all Check Point services are
  • Nokia IP265 | Security Guide - Page 31
    of the "Installation Guide for FIPS 140-2 Kit and Nokia IPSO 3.9 Build 045" document. 5. If you did not install NGX (R60) while installing IPSO 3.9 build 045c above, follow the instructions in Section 3.1.2.1(B) and (C) above. 3.1.3 Initializing Check Point Modules Before the User can use the Check
  • Nokia IP265 | Security Guide - Page 32
    FIPS Mode After installing or upgrading to console port, enter the following commands: a. set ssh server protocol 2,1 b. set ssh server enable 1 2. To ensure that the Crypto Officer can log in (with a password) using SSH, enter the following command: set ssh server permit-root-login yes 3. Configure
  • Nokia IP265 | Security Guide - Page 33
    configure, and monitor the IPSO module with the CLI, or monitor with SNMPv3 (when using IPSO 3.9; SNMP support is configure policies for the module. These policies determine how the firewall and VPN services of the module function. Screen shots from the Check Point © Copyright 2005, 2006, 2007 Nokia
  • Nokia IP265 | Security Guide - Page 34
    VPN functionality must be configured to use only FIPS-approved algorithms. The following pages use only the following FIPS-approved algorithms: Data encryption • Triple DES • AES Data packet integrity • HMAC with SHA1 Authentication • Certificates • Pre-shared keys © Copyright 2005, 2006, 2007 Nokia
  • Nokia IP265 | Security Guide - Page 35
    Figure 4 - Only FIPS-Approved Algorithms Can Be Used with IKE © Copyright 2005, 2006, 2007 Nokia Page 35 of 43 This document may be freely reproduced and distributed whole and intact including this Copyright Notice.
  • Nokia IP265 | Security Guide - Page 36
    Figure 5 - Only Pre-shared Keys or Digital Certificates Can Be Used to Authenticate Clients Notes: Only 1024-bit or higher DSA and RSA key sizes should be used in FIPS mode. © Copyright 2005, 2006, 2007 Nokia Page 36 of 43 This document may be freely reproduced and distributed whole and intact
  • Nokia IP265 | Security Guide - Page 37
    in the FIPS approved mode of operation. 2. When Check Point VPN-1 NGX (R60) is used, additional Diffie-Hellman groups 15-18 (2048 bits to 8192 bits) are selectable as options. © Copyright 2005, 2006, 2007 Nokia Page 37 of 43 This document may be freely reproduced and distributed whole and intact
  • Nokia IP265 | Security Guide - Page 38
    Figure 7 - Only FIPS-Approved Algorithms Can Be Used with IPSec © Copyright 2005, 2006, 2007 Nokia Page 38 of 43 This document may be freely reproduced and distributed whole and intact including this Copyright Notice.
  • Nokia IP265 | Security Guide - Page 39
    Used with IPSec or IKE Note: This applies equally for either star or meshed VPN community properties 3.2 User Guidance The User accesses the module VPN functionality as an IPSec client. Although outside the boundary of the module, the User no sharing occurs, a User must zeroize all keys while in
  • Nokia IP265 | Security Guide - Page 40
    The User should only use 1024-bit keys or higher for RSA and DiffieHellman in FIPS mode. The DES algorithm, 1 key Triple DES, and key sizes less than 1024-bits are not allowed in FIPS mode. © Copyright 2005, 2006, 2007 Nokia Page 40 of 43 This document may be freely reproduced and distributed whole
  • Nokia IP265 | Security Guide - Page 41
    the access and feature mechanisms that are disabled when the module is in FIPS mode: • HTTP access • FTP access • Telnet access • TFTP access • Load Sharing (Nokia IPSO Clustering) and High Availability (VRRP) • NTP • Syslog remote logging • Check Point remote installation daemon • SSLv3 • Disabled
  • Nokia IP265 | Security Guide - Page 42
    encryption algorithms should be used. AES DES1 3DES2 HMAC SHS DSA RSA RNG Nokia Firmware IPSO IPSO 3.9 4.1 N/A N/A #465 #207 #508 #181 #204 #166 #215 #229 Check Point Firmware NGX (R60) w/HFA-03 #442 #314 #466 #208 #509 N/A #167 #201 Cryptographic Accelerator Chips IP260 IP265 #226 #297 #317
  • Nokia IP265 | Security Guide - Page 43
    Federal Information Processing Standard Feature Pack Inter-Gateway Routing Protocol Pseudo Random Number Generator Random Access Memory Routing Information Protocol Rivest Shamir and Virtual Private Network © Copyright 2005, 2006, 2007 Nokia Page 43 of 43 This document may be freely reproduced
  • 1
  • 2
  • 3
  • 4
  • 5
  • 6
  • 7
  • 8
  • 9
  • 10
  • 11
  • 12
  • 13
  • 14
  • 15
  • 16
  • 17
  • 18
  • 19
  • 20
  • 21
  • 22
  • 23
  • 24
  • 25
  • 26
  • 27
  • 28
  • 29
  • 30
  • 31
  • 32
  • 33
  • 34
  • 35
  • 36
  • 37
  • 38
  • 39
  • 40
  • 41
  • 42
  • 43
Nokia VPN Appliance
FIPS 140-2 Cryptographic Module Security Policy
Level 2 Validation
Version 1.7
Aug 2007
Module Hardware Versions:
IP260, IP265, IP1220, and IP1260
Firmware Versions:
IPSO v3.9 and v4.1
Check Point VPN-1 NGX (R60) [HFA-03]
© Copyright 2005, 2006, 2007 Nokia
This document may be freely reproduced and distributed whole and intact including this Copyright Notice.