Nokia IP265 Security Guide - Page 26

Crypto Officer Guidance

Get Nokia IP265 - Security Appliance PDF manuals and user guides View all Nokia IP265 manuals
Add to My Manuals
Save this manual to your list of manuals

Page 26 highlights

3 SECURE OPERATION (APPROVED MODE) The Nokia VPN Appliances meet Level 2 requirements for FIPS 140-2. The following subsections describe how to place and keep the module in FIPS-approved mode of operation. The Crypto Officer must ensure that the module is kept in a FIPS-approved mode of operation. The procedures are described in "Crypto Officer Guidance". The User can use the module after the Crypto Officer changes the mode of operation to FIPS-Approved. The secure operation for the User is described in Section 3.2, "User Guidance". 3.1 Crypto Officer Guidance The secure operation procedures include the initial setup, configuring the Check Point modules in a FIPS compliant manner, and keeping the module in a FIPS-approved mode of operation. These procedures are described in the following sections. 3.1.1 Hardware Setup The Crypto Officer receives the module in a carton. Within the carton the module is placed inside an ESD bag; two foam end caps are placed on both sides of the chassis, protecting the module during shipping. The Crypto Officer should examine the carton and the ESD bag for evidence of tampering. Tamper-evidence includes tears, scratches, and other irregularities in the packaging. Since the module does not enforce an access control mechanism before it is initialized, the Crypto Officer must maintain control of the module at all times until the initial setup is complete. Before turning on the module, the Crypto Officer must ensure that the module meets Level 2 physical security requirements. To satisfy these requirements, the Crypto Officer must install one or more tamper-evident seals (also called "FIPS Tape") provided in the module's FIPS kit. • N431174001 (12 pc) - Tamper-evident seal After the seal(s) are in place, the Crypto Officer must initialize the module and set the module to FIPS mode. 3.1.1.1 Applying the Tamper-Evident Seal(s) Depending on the module hardware chassis type, one or more tamper seals are required to provide tamper evidence for the module chassis. The tamper-evident seals each contain a unique serial number which aids the Crypto Officer in determining whether the original labels have been replaced. Refer to Section 2.2 for a list of the module hardware versions and their respective chassis type. External Flash memory (optional on © Copyright 2005, 2006, 2007 Nokia Page 26 of 43 This document may be freely reproduced and distributed whole and intact including this Copyright Notice.

  • 1
  • 2
  • 3
  • 4
  • 5
  • 6
  • 7
  • 8
  • 9
  • 10
  • 11
  • 12
  • 13
  • 14
  • 15
  • 16
  • 17
  • 18
  • 19
  • 20
  • 21
  • 22
  • 23
  • 24
  • 25
  • 26
  • 27
  • 28
  • 29
  • 30
  • 31
  • 32
  • 33
  • 34
  • 35
  • 36
  • 37
  • 38
  • 39
  • 40
  • 41
  • 42
  • 43
3 S
ECURE
O
PERATION
(A
PPROVED
M
ODE
)
The Nokia VPN Appliances meet Level 2 requirements for FIPS 140-2.
The following subsections describe how to place and keep the module in
FIPS-approved mode of operation. The Crypto Officer must ensure that
the module is kept in a FIPS-approved mode of operation. The procedures
are described in “Crypto Officer Guidance”.
The User can use the module after the Crypto Officer changes the mode
of operation to FIPS-Approved. The secure operation for the User is
described in Section 3.2, “User Guidance”.
3.1
Crypto Officer Guidance
The secure operation procedures include the initial setup, configuring the
Check Point modules in a FIPS compliant manner, and keeping the
module in a FIPS-approved mode of operation. These procedures are
described in the following sections.
3.1.1
Hardware Setup
The Crypto Officer receives the module in a carton. Within the carton the
module is placed inside an ESD bag; two foam end caps are placed on
both sides of the chassis, protecting the module during shipping. The
Crypto Officer should examine the carton and the ESD bag for evidence of
tampering. Tamper-evidence includes tears, scratches, and other
irregularities in the packaging.
Since the module does not enforce an access control mechanism before it
is initialized, the Crypto Officer must maintain control of the module at all
times until the initial setup is complete.
Before turning on the module, the Crypto Officer must ensure that the
module meets Level 2 physical security requirements. To satisfy these
requirements, the Crypto Officer must install one or more tamper-evident
seals (also called “FIPS Tape”) provided in the module’s FIPS kit.
N431174001 (12 pc) – Tamper-evident seal
After the seal(s) are in place, the Crypto Officer must initialize the module
and set the module to FIPS mode.
3.1.1.1
Applying the Tamper-Evident Seal(s)
Depending on the module hardware chassis type, one or more tamper
seals are required to provide tamper evidence for the module chassis. The
tamper-evident seals each contain a unique serial number which aids the
Crypto Officer in determining whether the original labels have been
replaced. Refer to Section 2.2 for a list of the module hardware versions
and their respective chassis type.
External Flash memory (optional on
© Copyright 2005, 2006, 2007
Nokia
Page 26 of 43
This document may be freely reproduced and distributed whole and intact including this Copyright Notice.