Nokia IP265 Security Guide - Page 5
2.2 Cryptographic Module

The Nokia VPN Appliances were tested as multi-chip standalone cryptographic modules. Each module's metal enclosure physically encloses the complete set of hardware and firmware components, and represents the cryptographic boundary of each module.

The cryptographic module supports the following hardware versions:

IP260 / IP265 - half-width 1U rack mount
IP1220 / IP1260 - full-width 2U rack mount

The IP1220 and IP1260 hardware chassis include support for Field Replaceable Unit (FRU) upgrades to internal network interface cards, hard drives, FLASH memory, and other components (e.g., fans and power supplies replaced with identical components). All FRU upgrades are performed by the factory or a reseller prior to delivery of the module to the end user. The end user has no option to service or install these internal components. All component slots are secured with tamper seals (see Section 3.1.1.1) for FIPS mode. The IP260 and IP265 hardware versions do not support FRU options.

The Nokia VPN Appliances run the Nokia proprietary, security-hardened IPSO operating system along with a binary image of the Check Point VPN-1 cryptographic firmware for VPN and firewall functionalities. The IPSO OS and the module's physical hardware chassis and computing platform provide the operational environment upon which the Check Point VPN-1 application binary executes.

The following firmware combinations were used for the FIPS 140-2 validation testing covered by this Security Policy:

IPSO v3.9 [build 045] with Check Point VPN-1 NGX (R60) [HFA-03]
IPSO v4.1 [build 020] with Check Point VPN-1 NGX (R60) [HFA-03]

The cryptographic modules implement the same version of Check Point firmware that has been previously validated under FIPS 140-2 by both Check Point and Nokia. However, the Nokia IPSO operating system and VPN Appliance hardware combination constitute different operational environments for the Check Point firmware; therefore the Check Point module binary image was packaged into each of the Nokia VPN Appliance configurations and was retested as part of the complete Nokia VPN Appliance FIPS 140-2 solution.

FIPS Algorithm validation testing was performed and validation certificates obtained for all Approved cryptographic functions implemented by the modules covering all hardware and firmware configurations listed in this document. This includes separate algorithm validations for algorithms implemented by IPSO, the Check Point VPN-1 firmware, and hardware

© Copyright 2005, 2006, 2007 Nokia
Page 5 of 43
This document may be freely reproduced and distributed whole and intact including this Copyright Notice.