Nokia IP265 Security Guide - Page 5

Cryptographic Module - memory

Get Nokia IP265 - Security Appliance PDF manuals and user guides View all Nokia IP265 manuals
Add to My Manuals
Save this manual to your list of manuals

Page 5 highlights

2.2 Cryptographic Module The Nokia VPN Appliances were tested as multi-chip standalone cryptographic modules. Each module's metal enclosure physically encloses the complete set of hardware and firmware components, and represents the cryptographic boundary of each module. The cryptographic module supports the following hardware versions: ƒ IP260 / IP265 - half-width 1U rack mount ƒ IP1220 / IP1260 - full width 2U rack mount The IP1220 and IP1260 hardware chasses include support for Field Replaceable Unit (FRU) upgrades to internal network interface cards, hard drives, FLASH memory, and other components (e.g., fans and power supplies replaced with identical components). All FRU upgrades are performed by the factory or a reseller prior to delivery of the module to the end user. The end-user has no option to service or install these internal components. All component slots are secured with Tamper seals (see Section 3.1.1.1) for FIPS mode. The IP260 and IP265 hardware versions do not support FRU options. The Nokia VPN Appliances run the Nokia proprietary, security-hardened IPSO operating system along with a binary image of the Check Point VPN-1 cryptographic firmware for VPN and firewall functionalities. The IPSO OS and the module's physical hardware chassis and computing platform provide the operational environment upon which the Check Point VPN-1 application binary executes. The following firmware combinations were used for the FIPS 140-2 validation testing covered by this Security Policy: ƒ IPSO v3.9 [build 045] with Check Point VPN-1 NGX (R60) [HFA-03] ƒ IPSO v4.1 [build 020] with Check Point VPN-1 NGX (R60) [HFA-03] The cryptographic modules implement the same version of Check Point firmware that has been previously validated under FIPS 140-2 by both Check Point and Nokia. However, the Nokia IPSO operating system and VPN Appliance hardware combination constitute different operational environments for the Check Point firmware; therefore the Check Point module binary image was packaged into each of the Nokia VPN Appliance configurations and was retested as part of the complete Nokia VPN Appliance FIPS 140-2 solution. FIPS Algorithm validation testing was performed and validation certificates obtained for all Approved cryptographic functions implemented by the modules covering all hardware and firmware configurations listed in this document. This includes separate algorithm validations for algorithms implemented by IPSO, the Check Point VPN-1 firmware, and hardware © Copyright 2005, 2006, 2007 Nokia Page 5 of 43 This document may be freely reproduced and distributed whole and intact including this Copyright Notice.

  • 1
  • 2
  • 3
  • 4
  • 5
  • 6
  • 7
  • 8
  • 9
  • 10
  • 11
  • 12
  • 13
  • 14
  • 15
  • 16
  • 17
  • 18
  • 19
  • 20
  • 21
  • 22
  • 23
  • 24
  • 25
  • 26
  • 27
  • 28
  • 29
  • 30
  • 31
  • 32
  • 33
  • 34
  • 35
  • 36
  • 37
  • 38
  • 39
  • 40
  • 41
  • 42
  • 43
2.2
Cryptographic Module
The Nokia VPN Appliances were tested as multi-chip standalone
cryptographic modules. Each module’s metal enclosure physically
encloses the complete set of hardware and firmware components, and
represents the cryptographic boundary of each module. The cryptographic
module supports the following hardware versions:
IP260 / IP265
– half-width 1U rack mount
IP1220 / IP1260 – full width 2U rack mount
The IP1220 and IP1260 hardware chasses include support for Field
Replaceable Unit (FRU) upgrades to internal network interface cards, hard
drives, FLASH memory, and other components (e.g., fans and power
supplies replaced with identical components).
All FRU upgrades are
performed by the factory or a reseller prior to delivery of the module to the
end user. The end-user has no option to service or install these internal
components. All component slots are secured with Tamper seals (see
Section 3.1.1.1) for FIPS mode. The IP260 and IP265 hardware versions
do not support FRU options.
The Nokia VPN Appliances run the Nokia proprietary, security-hardened
IPSO operating system along with a binary image of the Check Point
VPN-1 cryptographic firmware for VPN and firewall functionalities.
The IPSO OS and the module’s physical hardware chassis and computing
platform provide the operational environment upon which the Check Point
VPN-1 application binary executes. The following firmware combinations
were used for the FIPS 140-2 validation testing covered by this Security
Policy:
IPSO v3.9 [build 045] with Check Point VPN-1 NGX (R60) [HFA-03]
IPSO v4.1 [build 020] with Check Point VPN-1 NGX (R60) [HFA-03]
The cryptographic modules implement the same version of Check Point
firmware that has been previously validated under FIPS 140-2 by both
Check Point and Nokia. However, the Nokia IPSO operating system and
VPN Appliance hardware combination constitute different operational
environments for the Check Point firmware; therefore the Check Point
module binary image was packaged into each of the Nokia VPN Appliance
configurations and was retested as part of the complete Nokia VPN
Appliance FIPS 140-2 solution.
© Copyright 2005, 2006, 2007
Nokia
Page 5 of 43
This document may be freely reproduced and distributed whole and intact including this Copyright Notice.
FIPS Algorithm validation testing was performed and validation certificates
obtained for all Approved cryptographic functions implemented by the
modules covering all hardware and firmware configurations listed in this
document. This includes separate algorithm validations for algorithms
implemented by IPSO, the Check Point VPN-1 firmware, and hardware