Nokia IP265 Security Guide - Page 31

Installing IPSO and NGX R60, Installation Guide for FIPS 140-2 Kit and Nokia IPSO 3.9 Build, - user guide


1. Access the console on the device that is running 3.7.99 FIPS build with Check Point NG AI (R54).
2. If the device is running in the FIPS mode, exit this mode by executing the ‘set fips off with-restore’ command followed by the ‘save config’ command. This will bring the device to a non-fips mode of operation.
3. Ensure that the IPSO 3.9 Build 045 and Check Point NGX (R60) and HFA-03 are on an FTP server reachable from the device.
4. Follow the steps in the ‘Installing IPSO and NGX R60’ section of the “Installation Guide for FIPS 140-2 Kit and Nokia IPSO 3.9 Build 045” document.
5. If you did not install NGX (R60) while installing IPSO 3.9 build 045c above, follow the instructions in Section 3.1.2.1(B) and (C) above.

3.1.3 Initializing Check Point Modules

Before the User can use the Check Point VPN-1 functionalities (also before he can enable FIPS mode), the Check Point module must be enabled and initialized using the CLI.

The initialization process requires that the Crypto Officer establishes the SIC configuration. This is done via the cpconfig command. Once you have rebooted the device after installing the correct IPSO and VPN-1 versions, run ‘cpconfig’ and follow the instructions. Be sure to choose the following options during cpconfig: Distributed Installation (option 2) and Enforcement Module (option 1). You will also be prompted to initialize the SIC (Secure Internal Communication). This is used to initialize secure communication with the Check Point SmartCenter Management Station. Also enter a valid Check Point license.

NGX (R60) includes support for Diffie-Hellman Group 14 (2048 bit modulus) key sizes. Groups 15-18 (3072 bits to 8192 bits) can also be optionally configured. To support Groups 15-18, the Local Crypto-Officer must obtain patch SK27054 from Check Point support before beginning the initialization of the module. The patch contains instructions for enabling the additional groups and will be installed during the initialization process.

Using the SmartDashboard application, the Check Point module should be configured for FIPS mode by selecting the screens and options shown in the screen shots included in Section 3.1.6 of this document. Only the screens shown should be configured.

© Copyright 2005, 2006, 2007 Nokia. Page 31 of 43. This document may be freely reproduced and distributed whole and intact including this Copyright Notice.