Nokia IP265 Security Guide - Page 26
Crypto Officer Guidance
3 SECURE OPERATION (APPROVED MODE)

The Nokia VPN Appliances meet Level 2 requirements for FIPS 140-2. The following subsections describe how to place and keep the module in FIPS-approved mode of operation.

The Crypto Officer must ensure that the module is kept in a FIPS-approved mode of operation. The procedures are described in "Crypto Officer Guidance".

The User can use the module after the Crypto Officer changes the mode of operation to FIPS-Approved. The secure operation for the User is described in Section 3.2, "User Guidance".

3.1 Crypto Officer Guidance

The secure operation procedures include the initial setup, configuring the Check Point modules in a FIPS compliant manner, and keeping the module in a FIPS-approved mode of operation. These procedures are described in the following sections.

3.1.1 Hardware Setup

The Crypto Officer receives the module in a carton. Within the carton the module is placed inside an ESD bag; two foam end caps are placed on both sides of the chassis, protecting the module during shipping. The Crypto Officer should examine the carton and the ESD bag for evidence of tampering. Tamper-evidence includes tears, scratches, and other irregularities in the packaging.

Since the module does not enforce an access control mechanism before it is initialized, the Crypto Officer must maintain control of the module at all times until the initial setup is complete.

Before turning on the module, the Crypto Officer must ensure that the module meets Level 2 physical security requirements. To satisfy these requirements, the Crypto Officer must install one or more tamper-evident seals (also called "FIPS Tape") provided in the module's FIPS kit.

• N431174001 (12 pc) - Tamper-evident seal

After the seal(s) are in place, the Crypto Officer must initialize the module and set the module to FIPS mode.
3.1.1.1 Applying the Tamper-Evident Seal(s)

Depending on the module hardware chassis type, one or more tamper seals are required to provide tamper evidence for the module chassis. The tamper-evident seals each contain a unique serial number which aids the Crypto Officer in determining whether the original labels have been replaced. Refer to Section 2.2 for a list of the module hardware versions and their respective chassis type.

External Flash memory (optional on

© Copyright 2005, 2006, 2007 Nokia
Page 26 of 43
This document may be freely reproduced and distributed whole and intact including this Copyright Notice.