Nortel Networks Nortel VPN Router 600, 1750, 2700, 2750, and 5000 (Hardware Modules with Firmware Version 7_05.100) FIPS 140-2 Security Policy Level 2 Validation Document Version 1.0 Prepared for: Prepared by: Nortel Networks Corsec Security, Inc. 600 Technology Park 10340 Democracy Lane, Suite 201 Billerica, MA 01821 Fairfax, VA 22030 Phone: (800) 466-7835 Phone: (703) 267-6050 Fax: (978) 288-4004 Fax: (703) 267-6810 http://www.nortel.com http://www.corsec.com © 2008 Nortel Networks This document may be freely reproduced and distributed whole and intact including this copyright notice. Security Policy, Version 1.0 October 26, 2008 Revision History Version Modification Date Modified By Description of Changes 0.1 2007-05-15 Xiaoyu Ruan Initial draft Darryl Johnson 0.2 2007-07-25 Xiaoyu Ruan Added Router 2700 0.3 2007-10-23 Darryl Johnson Removed references to Router 2700 0.4 2008-02-19 Darryl Johnson Added references to FIPS physical security kits; added references to Router 2700; updated firmware version number 0.5 2008-02-21 Xiaoyu Ruan Added algorithm certificate numbers 0.6 2008-04-08 Darryl Johnson Added text for additional label needed for 600 0.7 2008-06-03 Xiaoyu Ruan Addressed Lab comments. 0.8 2008-06-18 Xiaoyu Ruan Addressed Lab comments. 0.9 2008-10-10 Darryl Johnson Addressed CMVP comments 1.0 2008-10-27 Darryl Johnson Addressed CMVP comments Nortel VPN Router 600, 1750, 2700, 2750, and 5000 Page 2 of 25 © 2008 Nortel Networks This document may be freely reproduced and distributed whole and intact including this copyright notice. Security Policy, Version 1.0 October 26, 2008 Table of Contents 0 INTRODUCTION ...............................................................................................................................................5 0.1 PURPOSE .........................................................................................................................................................5 0.2 REFERENCES ...................................................................................................................................................5 0.3 DOCUMENT ORGANIZATION ...........................................................................................................................5 1 NORTEL VPN ROUTER 600, 1750, 2700, 2750, AND 5000...........................................................................6 1.1 OVERVIEW......................................................................................................................................................6 1.2 MODULE INTERFACES ....................................................................................................................................7 1.3 ROLES AND SERVICES...................................................................................................................................12 1.3.1 Crypto Officer Role..............................................................................................................................12 1.3.2 User Role .............................................................................................................................................13 1.3.3 Authentication Mechanisms .................................................................................................................13 1.3.4 Unauthenticated Operator ...................................................................................................................14 1.4 PHYSICAL SECURITY ....................................................................................................................................14 1.5 OPERATIONAL ENVIRONMENT ......................................................................................................................14 1.6 CRYPTOGRAPHIC KEY MANAGEMENT ..........................................................................................................14 1.7 SELF-TESTS ..................................................................................................................................................17 1.8 MITIGATION OF OTHER ATTACKS.................................................................................................................18 2 SECURE OPERATION....................................................................................................................................19 2.1 INITIAL SETUP ..............................................................................................................................................19 2.1.1 Applying Tamper-Evident Labels ........................................................................................................19 2.1.2 Applying Tamper-Evident Shields........................................................................................................20 2.2 CRYPTO OFFICER GUIDANCE ........................................................................................................................21 2.2.1 Initialization.........................................................................................................................................22 2.2.2 Management ........................................................................................................................................22 2.2.3 Zeroization...........................................................................................................................................22 2.3 USER GUIDANCE ..........................................................................................................................................23 3 ACRONYMS......................................................................................................................................................24 Table of Figures FIGURE 1 ­ NORTEL VPN ROUTER DEPLOYMENT ARCHITECTURE ................................................................................6 FIGURE 2 ­ VPN ROUTER 600 REAR PANEL PHYSICAL PORTS ......................................................................................9 FIGURE 3 ­ VPN ROUTER 1750 REAR PANEL PHYSICAL PORTS ..................................................................................10 FIGURE 4 ­ VPN ROUTER 2700 REAR PANEL PHYSICAL PORTS ..................................................................................10 FIGURE 5 ­ VPN ROUTER 2750 REAR PANEL PHYSICAL PORTS ..................................................................................10 FIGURE 6 ­ VPN ROUTER 5000 REAR PANEL PHYSICAL PORTS ..................................................................................11 FIGURE 7 ­ TAMPER-EVIDENT LABEL PLACEMENT FOR 600........................................................................................19 FIGURE 8 ­ TAMPER-EVIDENT LABEL PLACEMENT FOR 1750, 2700, AND 2750 ..........................................................19 FIGURE 9 ­ TAMPER-EVIDENT LABEL PLACEMENT FOR 5000......................................................................................20 FIGURE 10 ­ TAMPER-EVIDENT SHIELD PLACEMENT FOR 600.....................................................................................20 FIGURE 11 ­ TAMPER-EVIDENT SHIELD PLACEMENT FOR 1750 AND 2750 ..................................................................21 FIGURE 12 ­ TAMPER-EVIDENT SHIELD PLACEMENT FOR 2700...................................................................................21 FIGURE 13 ­ FIPS MODE CONFIGURATION ..................................................................................................................22 List of Tables Nortel VPN Router 600, 1750, 2700, 2750, and 5000 Page 3 of 25 © 2008 Nortel Networks This document may be freely reproduced and distributed whole and intact including this copyright notice. Security Policy, Version 1.0 October 26, 2008 TABLE 1 ­ SECURITY LEVEL PER FIPS 140-2 SECTION .................................................................................................6 TABLE 2 ­ NETWORK INTERFACE CARDS AVAILABLE ....................................................................................................7 TABLE 3 ­ ACCELERATOR CARDS SUPPORTED ..............................................................................................................8 TABLE 4 ­ VPN ROUTER AND ACCELERATOR CARDS SUPPORTED ................................................................................8 TABLE 5 ­ PHYSICAL PORTS AND LOGICAL INTERFACES ...............................................................................................9 TABLE 6 ­ LED STATUS ..............................................................................................................................................11 TABLE 7 ­ CRYPTO OFFICER SERVICES ........................................................................................................................12 TABLE 8 ­ USER SERVICES...........................................................................................................................................13 TABLE 9 ­ AUTHENTICATION MECHANISM USED BY THE MODULES ...........................................................................13 TABLE 10 ­ LIST OF CRYPTOGRAPHIC KEYS, CRYPTOGRAPHIC KEY COMPONENTS, AND CSPS ..................................16 TABLE 11 ­ ACRONYMS ...............................................................................................................................................24 Nortel VPN Router 600, 1750, 2700, 2750, and 5000 Page 4 of 25 © 2008 Nortel Networks This document may be freely reproduced and distributed whole and intact including this copyright notice. Security Policy, Version 1.0 October 26, 2008 0 Introduction 0.1 Purpose This is a non-proprietary Cryptographic Module Security Policy for the VPN (Virtual Private Network) Router 600, 1750, 2700, 2750, and 5000 from Nortel Networks. This Security Policy describes how the Nortel VPN Router 600, 1750, 2700, 2750, and 5000 meets the security requirements of FIPS 140-2 and how to run the module in a secure FIPS 140-2 mode. This policy was prepared as part of the Level 2 FIPS 140-2 validation of the module. FIPS 140-2 (Federal Information Processing Standards Publication 140-2 ­ Security Requirements for Cryptographic Modules) details the U.S. Government requirements for cryptographic modules. More information about the FIPS 140-2 standard and validation program is available on the National Institute of Standards and Technology (NIST) Cryptographic Module Validation Program (CMVP) website at: (http://csrc.nist.gov/groups/STM/index.html. The Nortel VPN Router 600, 1750, 2700, 2750, and 5000 is referred to in this document as the routers, the cryptographic modules, or the modules. 0.2 References This document deals only with operations and capabilities of the module in the technical terms of a FIPS 140-2 cryptographic module security policy. More information is available on the module from the following sources: · The Nortel website (http://www.nortel.com/) contains information on the full line of products from Nortel. · The CMVP website ((http://csrc.nist.gov/groups/STM/index.html) contains contact information for answers to technical or sales-related questions for the module. 0.3 Document Organization The Security Policy document is one document in a FIPS 140-2 Submission Package. In addition to this document, the Submission Package contains: · Vendor Evidence document · Finite State Machine · Other supporting documentation as additional references This Security Policy and the other validation submission documentation were produced by Corsec Security, Inc. under contract to Nortel. With the exception of this Non-Proprietary Security Policy, the FIPS 140-2 Validation Documentation is proprietary to Nortel and is releasable only under appropriate non-disclosure agreements. For access to these documents, please contact Nortel. Nortel VPN Router 600, 1750, 2700, 2750, and 5000 Page 5 of 25 © 2008 Nortel Networks This document may be freely reproduced and distributed whole and intact including this copyright notice. Security Policy, Version 1.0 October 26, 2008 1 Nortel VPN Router 600, 1750, 2700, 2750, and 5000 1.1 Overview Nortel is a recognized leader in delivering communications capabilities that secure and protect the world's most critical information. Serving both service provider and enterprise customers, Nortel delivers innovative technology solutions encompassing routing, firewall, bandwidth management, encryption, authentication, and data integrity for secure tunneling across managed Internet Protocol (IP) networks and the Internet. Nortel VPN Routers give enterprises a competitive edge by enabling cost-effective, secure connectivity across the entire supply chain, including branch offices, suppliers, distributors, and other business partners. The modules streamline equipment requirements by packaging required VPN firmware and hardware in a single box, without requiring other localized network equipment or servers, minimizing administration costs. A typical deployment of Nortel VPN Routers is shown in Figure 1. Figure 1 ­ Nortel VPN Router Deployment Architecture The Nortel VPN Router 600, 1750, 2700, 2750, and 5000 is validated at the following FIPS 140-2 Section levels: Table 1 ­ Security Level Per FIPS 140-2 Section Section Section Title Level 1 Cryptographic Module Specification 2 2 Cryptographic Module Ports and Interfaces 2 3 Roles, Services, and Authentication 2 4 Finite State Model 2 5 Physical Security 2 6 Operational Environment N/A 7 Cryptographic Key Management 2 Nortel VPN Router 600, 1750, 2700, 2750, and 5000 Page 6 of 25 © 2008 Nortel Networks This document may be freely reproduced and distributed whole and intact including this copyright notice. Security Policy, Version 1.0 October 26, 2008 Section Section Title Level 8 EMI/EMC 2 9 Self-tests 2 10 Design Assurance 2 11 Mitigation of Other Attacks N/A Notice that N/A indicates "Not Applicable". EMC and EMI refer to Electromagnetic Compatibility and Electromagnetic Interference, respectively. 1.2 Module Interfaces The Nortel VPN Router 600, 1750, 2700, 2750, and 5000 are multi-chip standalone modules that meet overall level 2 FIPS 140-2 requirements. The cryptographic boundary of the Nortel VPN Router 600, 1750, 2700, 2750, and 5000 is defined by the outer case of the modules which encloses the complete set of hardware and firmware components. The VPN Routers are validated in three configurations as follows: 1. With no accelerator cards installed. The hardware version number for this configuration is 600, 1750, 2700, 2750, and 5000. 2. With the Hardware Accelerator card installed in the 1750, 2700, 2750, and 5000 Routers. The hardware version number for this configuration is 1750, 2700, 2750, and 5000 with DM0011051 or DM0011052. 3. With the Security Accelerator card installed in the 1750, 2700, 2750, and 5000 Routers. The hardware version number for this configuration is 1750, 2700, 2750, and 5000 with DM0011085 or DM0011084. The firmware version number (7_05.100) is the same for all configurations. The VPN Routers are designed to be modular. They include a power supply, Random Access Memory (RAM), processors, hard disk, floppy drive and Peripheral Component Interconnect (PCI) slots. The VPN Routers communicate with their clients via Local Access Network (LAN) and Wide Access Network (WAN) network interface cards that can be factory installed or field installed. The following network interface cards are available. The option cards are excluded from the security requirements of FIPS 140-2 because they do not provide any security-relevant functionality. Table 2 ­ Network Interface cards available Factory Installable Field Installable Description DM1004002 DM1011002 10/100 Ethernet Option Card DM3919002 DM3919001 1000Base-SX Option Card DM3919003 DM3919004 1000Base-T Option Card DM3811001 DM3811002 56/64K Channel Service Unit/Data Service Unit (CSU/DSU) PCI Option Card DM2111015 DM2111016 Asymmetrical Digital Subscriber Line (ADSL) Annex A Option Card. DM2111017 DM2111018 ADSL Annex B Option Card. DM1519006 DM1519003 Integrated Services Digital Network (ISDN) - BRI S/T Option Card DM1519005 DM1519004 ISDN - BRI U (US/Canada Only - American National Standards Institute (ANSI) Standard) Option Card DM2111013 DM2111014 Half Height Single Port T1/FT1 E1 (G.703) w/CSU/DSU Option Card Nortel VPN Router 600, 1750, 2700, 2750, and 5000 Page 7 of 25 © 2008 Nortel Networks This document may be freely reproduced and distributed whole and intact including this copyright notice. Security Policy, Version 1.0 October 26, 2008 Factory Installable Field Installable Description DM2119002 DM2119001 Quad T1/FT1 E1 (G.703) w/quad CSU/DSU (4 x RJ48C) Option Card DM3819002 DM3819004 V.90 Modem Option Card DM2111027 DM2111006 Single X.21 / V.35 Card Option Card DM2104003 DM2111003 High Speed Serial Interface (HSSI) option card for external T3/E3 CSU/DSU DM1004002 DM1011002 10/100 Ethernet Option Card Additionally, the VPN Router supports the following hardware cryptographic acceleration cards: Table 3 ­ Accelerator Cards Supported Factory Installable Field Installable Description DM0011051 DM0011052 Hardware Accelerator Option Card DM0011084 DM0011085 Security Accelerator Option Card The modules support the Hifn 7854 chip on the security accelerator card and the Hifn 7811 chip on the hardware accelerator card, for hardware cryptographic acceleration. Table 4 lists the hardware accelerator cards supported by the modules. Table 4 ­ VPN Router and Accelerator Cards Supported VPN Router platform Security Accelerator supported Hardware Accelerator supported 600 No No 1750 Yes Yes 2700 Yes Yes 2750 Yes Yes 5000 Yes Yes After opening the router and installing the cards, the Crypto-Officer has to reapply the tamper-evidence labels as described in section 2 of this document. The modules' design separates the physical ports into four logically distinct and isolated categories. They are logically divided but are accessed through either the Console port or the network ports. They are: · Data Input · Data Output · Control Input · Status Output Data input/output are the packets utilizing the services provided by the modules. These packets enter and exit the modules through the network ports. Control input consists of Configuration/Administration data entered into the modules through the web interface or the Command Line Interface (CLI) management interface and the input for the power and reset switch. Any user can be given administrative permissions by the Crypto Officer. Nortel VPN Router 600, 1750, 2700, 2750, and 5000 Page 8 of 25 © 2008 Nortel Networks This document may be freely reproduced and distributed whole and intact including this copyright notice. Security Policy, Version 1.0 October 26, 2008 Status output consists of the status indicators displayed through the Light Emitting Diodes (LEDs) and log information through the Graphical User Interface (GUI) or CLI. A user with administrative permissions has access to the modules status logs. The following is a list of the possible physical ports supported by the modules: · Power connector · Power switch · Network ports (LAN port, WAN port) · Serial port · LEDs · Reset switch All of these physical interfaces are not available in every Router. Table 5 lists the interfaces available in each Router and also provides the mapping from the physical interfaces to logical interfaces as defined by FIPS 140-2: Table 5 ­ Physical Ports and Logical Interfaces FIPS 140-2 VPN Router 600 VPN Router 1750, 2700, 2750, Logical Interface Physical Port and 5000 Physical Port Data Input Network ports Network ports Data Output Network ports Network ports Control Input Serial port, Network Serial port, Network ports, ports Power switch, Reset switch Status Output LEDs, Serial port, LEDs, Serial port, Network Network ports ports Power Power connector Power connector The physical ports of the modules are depicted in the following figures: Figure 2 ­ VPN Router 600 Rear Panel Physical Ports Nortel VPN Router 600, 1750, 2700, 2750, and 5000 Page 9 of 25 © 2008 Nortel Networks This document may be freely reproduced and distributed whole and intact including this copyright notice. Security Policy, Version 1.0 October 26, 2008 Figure 3 ­ VPN Router 1750 Rear Panel Physical Ports Figure 4 ­ VPN Router 2700 Rear Panel Physical Ports Figure 5 ­ VPN Router 2750 Rear Panel Physical Ports Nortel VPN Router 600, 1750, 2700, 2750, and 5000 Page 10 of 25 © 2008 Nortel Networks This document may be freely reproduced and distributed whole and intact including this copyright notice. Security Policy, Version 1.0 October 26, 2008 Figure 6 ­ VPN Router 5000 Rear Panel Physical Ports The cryptographic modules have a number of LEDs which indicate the state of the modules. The descriptions for the LEDs are listed below for each module. Table 6 ­ LED Status Model LED Indicator Description On The router is receiving Direct Current (DC) power Power Off The router is not receiving DC power A serious alarm condition exists that requires attention. A red alert usually Alert Red indicates a hardware error. The red alert condition is described in the health check display. 600 A non-fatal alarm condition exists. The yellow alert condition is described Attention Amber in the health check display. Ready Green The router has booted and is operational. The router is booting and is in a non-ready state. If the Boot LED and the Boot Amber Ready LED light at the same time, the 600 is in recovery mode Power (Nortel On The router is receiving Alternating Current (AC) power. Networks logo) Off The router is not receiving AC power. 1750 A non-fatal alarm condition exists. The yellow alert condition is described Alert Yellow in the health check display. A serious alarm condition exists that requires attention. A red alert usually 2700 indicates a hardware error. The red alert condition is described in the Fail Red health check display. 2750 Boot Yellow The router is booting and is in a non-ready state. The boot process has completed successfully and the router has reached Ready Green a state of readiness. A non-fatal alarm condition exists. The yellow alert condition is described 5000 Alert Yellow in the health check display. A serious alarm condition exists that requires attention. A red alert usually Fail Red indicates a hardware error. The red alert condition is described in the health check display. Nortel VPN Router 600, 1750, 2700, 2750, and 5000 Page 11 of 25 © 2008 Nortel Networks This document may be freely reproduced and distributed whole and intact including this copyright notice. Security Policy, Version 1.0 October 26, 2008 Model LED Indicator Description Boot Yellow The system is booting and is in a non-ready state. The boot process has completed successfully and the system has reached Ready Green a state of readiness. 1.3 Roles and Services The modules support role-based authentication. There are two roles in the module (as required by FIPS 140-2) that operators may assume: a Crypto Officer role and a User role. 1.3.1 Crypto Officer Role The Crypto Officer role is the administrator for the router and does the initial setup and maintenance. Descriptions of the services available to the Crypto Officer role are provided in the table below. CSP stands for Critical Security Parameter. Crypto Officer services are provided via various protocols including Transport Layer Security (TLS), Secure Shell (SSH), and Remote Authentication Dial-In User Service (RADIUS). Table 7 ­ Crypto Officer Services Keys/CSPs and Type of Service Description Input Output Access Configuring Define network interfaces and Command and Command RSA public key - write, read the router settings, set the protocols the parameters response RSA private key - write, read router will support and load Password - write, read authentication information RADIUS shared secret - write, read Create user Creating, editing and deleting Command and Command Password - write, read groups user groups, define common parameters response IPsec pre-shared keys - sets of user permissions. write, read Create users Creating, editing and deleting Command and Command Password - write, read user, Define user accounts parameters response and assign permissions. Define rules Create packet filters that are Command and Command None and filters applied to user data streams parameters response on each interface. Monitor View the router configuration, Command Status None status active sessions and logs. information Manage the Log off users, shut down or Command and Command All - write, read, delete router reset the router, backup or parameters response restore the router configuration, create recovery diskette or zeroize. RADIUS RADIUS server logs in and RADIUS shared Status RADIUS shared secret - read service performs User authentication. secret information TLS service Manage the module using Command, Status RSA public key - read with TLS protocol. username, information RSA private key - read password Password - read TLS Session Keys - write, read, delete ANSI X9.31 PRNG key - write, read, delete Nortel VPN Router 600, 1750, 2700, 2750, and 5000 Page 12 of 25 © 2008 Nortel Networks This document may be freely reproduced and distributed whole and intact including this copyright notice. Security Policy, Version 1.0 October 26, 2008 Keys/CSPs and Type of Service Description Input Output Access SSH service Manage the module using Command, Status SSH DSA public key - read with SSH protocol. username, information SSH DSA private key - read password Password - read SSH Diffie-Hellman key pair - write, read, delete ANSI X9.31 PRNG key - write, read, delete SSH Session Key - write, read, delete 1.3.2 User Role The User role has the ability to access the VPN services provided by the modules which can be exercised by authenticating during the establishment of an IPsec session using a pre-shared key or digital certificate. Descriptions of the services available to the User role are provided in the table below. API stands for Application Programming Interface. Table 8 ­ User Services Keys/CSP and Type of Service Description Input Output Access VPN session Establish VPN session API calls, including Result of RSA private key - read establishment and authenticate proper messages to negotiation and Password - read authenticate session key IPsec pre-shared keys - read IKE Diffie-Hellman key pair - write, read, delete FIPS 186-2 PRNG Seed key - write, read, delete VPN session Use the VPN services Encrypted/decrypted Encrypted/decryp IPsec Session Keys - write, data ted data read, delete Change Change the user Command and Result of Password - write, read, password password parameters password change delete 1.3.3 Authentication Mechanisms The Crypto Officer can access the module over the console port, TLS session, or an IPsec VPN Client session. The Crypto Officer authenticates using user ID and password. The user authenticates using a pre-shared key or digital certificate during Internet Key Exchange (IKE). In addition to these mechanisms, authentication maybe performed by the internal Lightweight Directory Access Protocol (LDAP) or external LDAP or external LDAP proxy or RADIUS servers. Table 9 ­ Authentication Mechanism Used by the Modules Authentication Type Strength Password Passwords are required to be at least 8 characters in length, and the module supports lengths of up to 32 characters. Considering only the case sensitive English alphabet and the numerals 0-9 using an 8 digit password with repetition, the number of potential passwords is 628, which equates to a 1 in 628 chance of false positive. Pre-shared key The module authenticates the user during IKE using pre-shared keys. Pre-shared keys are generated based on user credentials. The probability of a random attempt to succeed is 1:2160. Nortel VPN Router 600, 1750, 2700, 2750, and 5000 Page 13 of 25 © 2008 Nortel Networks This document may be freely reproduced and distributed whole and intact including this copyright notice. Security Policy, Version 1.0 October 26, 2008 Authentication Type Strength RSA Public Key The module supports RSA digital certificate authentication of users during IPsec/IKE. The Certificates module also supports RSA digital certificate authentication of LDAP servers during TLS. Using conservative estimates and equating a 1024 bit RSA key to an 80 bit symmetric key, 80 the probability for a random attempt to succeed is 1:2 . RADIUS shared secret The RADIUS server authenticates to the module using a hash of the secret key with other information. The shared secret should be at least 8 characters in length, and the module supports lengths of up to 32 characters. Considering only the case sensitive English alphabet and the numerals 0-9 using an 8-digit password with repetition, the number of potential passwords is 628, which equates to a 1 in 628 chance of false positive. 1.3.4 Unauthenticated Operator The Simple Network Management Protocol (SNMP) services are provided without authentication. An unauthenticated operator uses a community string to access the SNMP services. The SNMP implemented in the routers is version 1 and it only allows the unauthenticated operator to get non-security-relevant system condition information. The SNMP services do not affect the security of the module. 1.4 Physical Security The Nortel VPN Router 600, 1750, 2700, 2750, and 5000 are multi-chip standalone cryptographic modules and are enclosed in a hard and opaque metal case that completely encloses all of the internal components of the modules. There are only a limited set of vent holes provided in the case, and these obscure the view of the internal components of the module. Tamper-evidence labels are applied to the case to provide physical evidence of attempts to remove the case of the modules. Additionally an audible alarm can be enabled that is activated when the front cover is removed, except for the VPN router 600. All of the modules' components are production grade. The placement of tamper-evidence labels can be found in section 2 - Secure Operation. The modules were tested and found conformant to the EMI/EMC requirements specified by 47 Code of Federal Regulations, Part 15, Subpart B, Unintentional Radiators, Digital Devices, Class A (i.e., for business use). 1.5 Operational Environment The operational environment requirements do not apply to the VPN Router 600, 1750, 2700, 2750, and 5000. The modules do not provide a general purpose operating system. 1.6 Cryptographic Key Management The modules implement the following FIPS-approved algorithms: Firmware: · AES1-CBC2 (128, 256 bits) ­ FIPS 197 (certificates #718 and #719) · Triple DES3-CBC (168 bits) ­ FIPS 46-3 (certificates #641 and #642) · RSA4 (1024, 2048) ­ PKCS5#1 (certificates #338 and #339) 1 Advanced Encryption Standard 2 Cipher Block Chaining 3 Data Encryption Standard 4 Rivest, Shamir, and Adleman 5 Public Key Cryptography Standard Nortel VPN Router 600, 1750, 2700, 2750, and 5000 Page 14 of 25 © 2008 Nortel Networks This document may be freely reproduced and distributed whole and intact including this copyright notice. Security Policy, Version 1.0 October 26, 2008 · DSA6 (1024) ­ FIPS 186-2 (certificate #272) · FIPS 186-2 PRNG7 ­ General purpose implementation [(x-Original); (SHA8-1)] (certificate #420) · ANSI X9.31 Appendix A.2.4 PRNG (certificate #419) · SHA-1 ­ FIPS 180-2 (certificates #738 and # 739) · HMAC9-SHA-1 ­ FIPS 198 (certificates #387 and #388) Security Accelerator: · AES-CBC (128 bits) ­ FIPS 197 (certificate #48) · Triple DES-CBC (168 bits) ­ FIPS 46-3 (certificate #158) · SHA-1 ­ FIPS 180-2 (certificate #143) · HMAC-SHA-1 ­ FIPS 198 (certificate #102) Hardware Accelerator: · Triple DES-CBC (168 bits) ­ FIPS 46-3 (certificate #29) · SHA-1 ­ FIPS 180-2 (certificate #51) · HMAC-SHA-1 ­ FIPS 198 (certificate #101) The module utilizes the following non-FIPS-approved algorithm implementation in the FIPS mode of operation: Firmware: · Hardware RNG10 ­ for seeding the FIPS 186-2 PRNG · Non-approved RNG ­ for seeding the ANSI X9.31 PRNG · RSA PKCS #1 key wrap (1024 and 2048 bits), providing 80 and 112 bits of encryption strength; non- compliant less than 80 bits (when using key sizes less than 1024 bits) · Diffie-Hellman Group 5 (1536 bits), providing 96 bits of encryption strength · Diffie-Hellman Group 2 (1024 bits), providing 80 bits of encryption strength Security Accelerator: · RSA PKCS #1 key wrapping (1024 and 2048 bits), providing 80 and 112 bits of encryption strength; non- compliant less than 80 bits (when using key sizes less than 1024 bits) · Diffie-Hellman Group 5 (1536 bits)2 · Diffie-Hellman Group 2 (1024 bits)3 Additionally, the following algorithms are disabled within the module in the FIPS mode of operation: Firmware: · DES-CBC (56 bits) · DES MAC11 · Diffie-Hellman Group 8 (Elliptic Curve Diffie-Hellman) · Diffie-Hellman Group 1 (768 bit) · RC4-CBC (128, 40 bits) 6 Digital Signature Algorithm 7 Pseudo Random Number Generator 8 Secure Hash Algorithm 9 Keyed-Hash Message Authentication Code 10 Random Number Generator 11 Message Authentication Code Nortel VPN Router 600, 1750, 2700, 2750, and 5000 Page 15 of 25 © 2008 Nortel Networks This document may be freely reproduced and distributed whole and intact including this copyright notice. Security Policy, Version 1.0 October 26, 2008 · RC2-CBC (128 bits) · MD5 · HMAC MD5 · MD2 Security Accelerator: · Hardware RNG ­ for seeding the FIPS-approved ANSI X9.31 PRNG · ANSI X9.31 PRNG ­ Appendix A.2.4 of ANSI X9.31 (certificate #82) · MD5 · HMAC MD5 Hardware Accelerator: · DES-CBC (56 bits) · MD5 · HMAC MD5 The module supports the following critical security parameters: Table 10 ­ List of Cryptographic Keys, Cryptographic Key Components, and CSPs Key Key Type Generation / Input Storage Zeroization Use Firmware DES MAC (56 Externally generated Non-volatile Zeroized by This key is used to integrity bits) predetermined value memory (hard formatting the perform the integrity check key hard coded into the drive ­ plaintext) hard drive check on the module in module binaries module. ANSI X9.31 Triple DES key Generated internally Volatile memory Zeroized when Used by ANSI X9.31 PRNG key by non-approved only (plaintext) the module PRNG RNG reboots FIPS 186-2 160 bits Generated internally Volatile memory Zeroized when Used by FIPS 186-2 PRNG by gathering system only (plaintext) the module PRNG Seed key entropy reboots RSA public 1024, 2048 bits Server public key is Non-volatile Zeroized when Public key used for key (X.509 internally generated memory the certificate is IPsec/IKE and TLS certificate) using PKCS #1; User deleted; User key negotiation public key is sent to public key is the module during zeroized when IPsec/IKE and TLS tunnel is session key disconnected negotiation. RSA private 1024-2048 bits Generated internally Non-volatile Zeroized when Private key used for key using PKCS #1. memory (PKSC#5 the certificate is IPsec/IKE and TLS ­ plaintext) deleted key negotiation SSH RSA 1024, 2048 bits Server public key is Non-volatile Zeroized when Public key used for public key (X.509 internally generated memory the certificate is SSH key negotiation certificate) using PKCS #1; User deleted; User public key is sent to public key is the module during zeroized when SSH sessions. SSH session is disconnected Nortel VPN Router 600, 1750, 2700, 2750, and 5000 Page 16 of 25 © 2008 Nortel Networks This document may be freely reproduced and distributed whole and intact including this copyright notice. Security Policy, Version 1.0 October 26, 2008 Key Key Type Generation / Input Storage Zeroization Use SSH RSA 1024-2048 bits Generated internally Non-volatile Zeroized when Private key used for private key using PKCS #1. memory (PKSC#5 the certificate is SSH key negotiation ­ plaintext) deleted Passwords Alphanumeric Entered into module Non-volatile Zeroized when Used for string (8 - 32 over a console port, memory (internal the password is authenticating the characters) TLS or IPsec session LDAP database ­ updated with a Crypto Officer and plaintext) new one Users IPsec pre- 160 bits Generated internally Not stored - in Zeroized when Mutual shared using user id and volatile memory not needed or authentication keys password only (plaintext) when the module between the server reboots and the client IKE Diffie- Diffie-Hellman Generated internally Not stored - When no longer Used for session key Hellman Group 2 (1024 using FIPS 186-2 Volatile memory used by the agreement ­ public key pair bits) or Group 5 PRNG during IKE only (plaintext) module or reboot key sent to client (1536 bits) SSH Diffie- Diffie-Hellman Generated internally Not stored - When no longer Used for session key Hellman Group 2 (1024 using ANSI X9.31 Volatile memory used by the agreement ­ public key pair bits) or Group 5 PRNG during SSH only (plaintext) module or reboot key sent to client (1536 bits) sessions SSH DSA 1024 bits Generated internally Not stored - Zeroized by Used for client to public key using ANSI X9.31 Volatile memory formatting the verify SSH traffic PRNG only (plaintext) hard drive SSH DSA 1024 bits Generated internally Not stored - Zeroized by Used for server to private key using ANSI X9.31 Volatile memory formatting the sign SSH traffic PRNG only (plaintext) hard drive SSH 128-bit AES Diffie-Hellman key Not stored - Upon session Encrypt and decrypt Session key agreement, Group 2 Volatile memory termination or SSH traffic Key or Group 5 only (plaintext) when a new key is generated (after a certain timeout) IPsec AES (128, 256 Negotiated during Not stored - in Zeroized when Used to Session bits) IKE using Diffie- volatile memory not needed or encrypt/decrypt/MAC Keys Triple-DES Hellman key only (plaintext) when the module tunnel traffic (168 bits), agreement reboots HMAC-SHA-1 keys (160 bits) TLS AES (128, 256 Negotiated during Not stored - in Zeroized when Used to Session bits) TLS session volatile memory not needed or encrypt/decrypt/MAC Keys Triple-DES establishment. only in plaintext when the module the TLS session (168 bits), reboots HMAC-SHA-1 keys (160 bits) RADIUS Alphanumeric Entered into module Non-volatile Zeroized when Used to authenticate shared string over an console port, memory (internal the RADIUS RADIUS server secret (minimum of 8 - TLS or IPsec session LDAP database ­ server setup is 32 characters) plaintext) deleted 1.7 Self-Tests The VPN Router 600, 1750, 2700, 2750, and 5000 performs the following self-tests at power-up: Nortel VPN Router 600, 1750, 2700, 2750, and 5000 Page 17 of 25 © 2008 Nortel Networks This document may be freely reproduced and distributed whole and intact including this copyright notice. Security Policy, Version 1.0 October 26, 2008 Firmware: · Firmware integrity check: Verifying the integrity of the firmware binaries of the module using a DES MAC error detection code. · AES Known Answer Test (KAT): Verifying the correct operation of the AES algorithm implementations. · Triple-DES KAT: Verifying the correct operation of the Triple-DES algorithm implementations. · RSA sign/verify test: Verifying the correct operation of the RSA implementations. · DSA sign/verify test: Verifying the correct operation of the DSA implementation. · SHA-1 KAT: Verifying the correct operation of the SHA-1 algorithm implementations. · HMAC-SHA-1 KAT: Verifying the correct operation of the HMAC-SHA-1 algorithm implementations. · FIPS 186-2 PRNG KAT: Verifying the correct operation of the FIPS 186-2 PRNG implementations. · ANSI X9.31 PRNG KAT: Verifying the correct operation of the ANSI X9.31 PRNG implementations. Security accelerator (if installed): · AES KAT: Verifying the correct operation of the AES algorithm implementation. · Triple-DES KAT: Verifying the correct operation of the Triple-DES algorithm implementation. · SHA-1 KAT: Verifying the correct operation of the SHA-1 algorithm implementation. · HMAC-SHA-1 KAT: Verifying the correct operation of the HMAC-SHA-1 algorithm implementation. Hardware accelerator (if installed): · Triple-DES KAT: Verifying the correct operation of the Triple-DES algorithm implementation. · HMAC-SHA-1 KAT: Verifying the correct operation of the HMAC-SHA-1 algorithm implementation. The VPN Router 600, 1750, 2700, 2750, and 5000 perform the following conditional self-tests: Firmware: · Continuous test for the FIPS 186-2 PRNG: Verifying the correct operation of the FIPS 186-2 algorithm implementation. · Continuous test for the entropy gathering RNG: Verifying the correct operation of the seeding mechanism for the FIPS 182-2 PRNG. · Continuous test for the ANSI X9.31 PRNG: Verifying the correct operation of the ANSI X9.31 algorithm implementation. · Continuous test for the non-approved RNG: Verifying the correct operation of the seeding mechanism for the ANSI X9.31 PRNG. · RSA sign/verify pair-wise consistency test: Verifying that a newly generated RSA key pair works properly. · DSA sign/verify pair-wise consistency test: Verifying that a newly generated DSA key pair works properly. If any of the hardware accelerator cards self-tests fail, then the module forces the corresponding card to enter an error state, logs the error to a file, and shuts down the card. Cryptographic operations then failover to firmware. If any of the firmware self-tests fail, then the module enters an error state, logs the error to the event log, forces a controlled crash, and then reboots itself. 1.8 Mitigation of Other Attacks This section is not applicable. The modules do not claim to mitigate any attacks beyond the FIPS 140-2 level 2 requirements for this validation. Nortel VPN Router 600, 1750, 2700, 2750, and 5000 Page 18 of 25 © 2008 Nortel Networks This document may be freely reproduced and distributed whole and intact including this copyright notice. Security Policy, Version 1.0 October 26, 2008 2 Secure Operation The Nortel VPN Router 600, 1750, 2700, 2750, and 5000 meets Level 2 requirements for FIPS 140-2. The sections below describe how to place and keep the module in FIPS-approved mode of operation. 2.1 Initial Setup Before enabling the FIPS mode, tamper-evident labels and the tamper-evident shields (included in the FIPS kit) must be applied to the VPN Router enclosures as shown in the following sections. 2.1.1 Applying Tamper-Evident Labels To provide evidence of tampering, the Nortel VPN Router 600, 1750, 2700, 2750, and 5000 requires the use of tamper-evident labels. The Nortel VPN Router 600 requires two tamper-evident labels: one overlapping the rear panel and top side and one covering the Recovery pinhole (see Figure 7). Figure 7 ­ Tamper-Evident Label Placement for 600 For sealing the Nortel VPN Routers 1750, 2700, and 2750, three tamper-evident labels need to be placed on the front bezel. A label should be placed on each of the bezel screws and another should be overlapped on the center section and bezel (see Figure 8). Figure 8 ­ Tamper-Evident Label Placement for 1750, 2700, and 2750 Nortel VPN Router 600, 1750, 2700, 2750, and 5000 Page 19 of 25 © 2008 Nortel Networks This document may be freely reproduced and distributed whole and intact including this copyright notice. Security Policy, Version 1.0 October 26, 2008 The Nortel VPN Router 5000 requires two tamper-evident labels on both bezel screws to seal the module. Labels should be placed in an angle to avoid molding the labels over the curved handles and also hide LEDs at front (see Figure 9). Figure 9 ­ Tamper-Evident Label Placement for 5000 2.1.2 Applying Tamper-Evident Shields To prevent visual access to the internal components of the module, shielding must be applied to the VPN Router enclosures. The Nortel VPN Router 600 requires placement of one tamper-evident shield covering rear panel and the top side (see Figure 10). Figure 10 ­ Tamper-Evident Shield Placement for 600 For protecting the Nortel VPN Routers 1750, 2700, and 2750, one tamper-evident shield needs to be affixed over the ventilation holes at the right of the rear panel (see Figure 11). Nortel VPN Router 600, 1750, 2700, 2750, and 5000 Page 20 of 25 © 2008 Nortel Networks This document may be freely reproduced and distributed whole and intact including this copyright notice. Security Policy, Version 1.0 October 26, 2008 Figure 11 ­ Tamper-Evident Shield Placement for 1750 and 2750 The Nortel VPN Router 2700 requires two tamper-evident shields to be affixed over the large ventilation areas on the rear panel (see Figure 12). Figure 12 ­ Tamper-Evident Shield Placement for 2700 2.2 Crypto Officer Guidance The Crypto Officer is the administrator for the router and does the initial setup and maintenance. Nortel VPN Router 600, 1750, 2700, 2750, and 5000 Page 21 of 25 © 2008 Nortel Networks This document may be freely reproduced and distributed whole and intact including this copyright notice. Security Policy, Version 1.0 October 26, 2008 2.2.1 Initialization The modules are shipped with a default administrator ID and password. The FIPS mode of operation can be enabled from the CLI or web GUI. In CLI, use "fips enable" to enable the FIPS mode and use "no fips" to disable the FIPS mode. In GUI, the FIPS configuration is on the Services Available page. Figure 13 ­ FIPS Mode Configuration When FIPS mode is enabled, the modules automatically reboot and disable the following features/services. · Debugging scripts are disabled · FTP is disabled on the public interface · Telnet is disabled on the public interface · The `NULL' encryption option is disabled for IPsec services Additionally the Crypto Officer must perform these additional actions to put the modules in a FIPS mode: · Change the default administrator password · The Crypto Officer password must be between 8 and 32 characters in length · RADIUS shared secret must be between 8 and 32 characters in length · Maximum number of login attempts must be configured to five · RSA key size of 1024 bits or greater should be used · All cryptographic services (Point-to-Point Tunneling Protocol (PPTP), Layer 2 Tunneling Protocol (L2TP), Layer 2 Forwarding (L2F) etc.) that employ Non-FIPS Approved algorithms must be disabled · All access to the web based management interface should be over a TLS session (Secure Hypertext Transfer Protocol or HTTPS) or IPsec VPN Client connection · Use only TLS and enable Ciphers 1 and 2 from services -> ssltls · LDAP and LDAP Proxy must be over a TLS session · The backup interface should be over an IPsec session · Disable DES (56 and 40 bits) · Do not perform any firmware upgrades At this point, the module must be rebooted to enable all of the changes. Upon reboot, initialization of the module in FIPS mode is complete and the module is now configured securely. 2.2.2 Management The Crypto Officer must be sure to only configure cryptographic services for the module using the FIPS Approved algorithms, as listed in the Cryptographic Key Management section above. IPsec and TLS must only be configured to use FIPS Approved cipher suites, and only digital certificates generated with FIPS Approved algorithms may be utilized. RSA key size must be a minimum of 1024 bits in length. Do not perform any firmware upgrades. When transitioning the modules from Non-FIPS mode to FIPS mode, the Crypto Officer should ensure that the module is running only the Nortel supplied FIPS 140-2 validated firmware. 2.2.3 Zeroization At the end of its life cycle or when taking the modules out of FIPS mode, the modules must be fully zeroized to protect CSPs. When switching between FIPS mode the module automatically reboots zeroizing all the CSPs. The Nortel VPN Router 600, 1750, 2700, 2750, and 5000 Page 22 of 25 © 2008 Nortel Networks This document may be freely reproduced and distributed whole and intact including this copyright notice. Security Policy, Version 1.0 October 26, 2008 Crypto Officer must wait until the modules have successfully rebooted in order to verify that zeroization has completed. 2.3 User Guidance The User does not have the ability to configure sensitive information on the modules, with the exception of their password. The User must be diligent to pick strong passwords (alphanumeric with a length between eight and 32 characters), and must not reveal their password to anyone. Additionally, the User should be careful to protect any secret/private keys in their possession, such as IPsec session keys. Nortel VPN Router 600, 1750, 2700, 2750, and 5000 Page 23 of 25 © 2008 Nortel Networks This document may be freely reproduced and distributed whole and intact including this copyright notice. Security Policy, Version 1.0 October 26, 2008 3 Acronyms Table 11 ­ Acronyms Acronym Definition AC Alternating Current ADSL Asymmetrical Digital Subscriber Line AES Advanced Encryption Standard ANSI American National Standards Institute API Application Programming Interface CBC Cipher Block Chaining CLI Command Line Interface CMVP Cryptographic Module Validation Program CSP Critical Security Parameter CSU Channel Service Unit DC Direct Current DES Data Encryption Standard DSA Digital Signature Algorithm DSU Data Service Unit EMC Electromagnetic Compatibility EMI Electromagnetic Interference FIPS Federal Information Processing Standard FTP File Transfer Protocol GUI Graphical User Interface HMAC (Keyed-) Hash Message Authentication Code HSSI High Speed Serial Interface HTTPS Secure Hypertext Transfer Protocol IKE Internet Key Exchange IP Internet Protocol IPsec IP Security ISDN Integrated Services Digital Network KAT Known Answer Test L2F Layer 2 Forwarding L2TP Layer 2 Tunneling Protocol LAN Local Access Network LDAP Lightweight Directory Access Protocol LED Light Emitting Diode MAC Message Authentication Code Nortel VPN Router 600, 1750, 2700, 2750, and 5000 Page 24 of 25 © 2008 Nortel Networks This document may be freely reproduced and distributed whole and intact including this copyright notice. Security Policy, Version 1.0 October 26, 2008 Acronym Definition N/A Not Applicable NIST National Institute of Standards and Technology PCI Peripheral Component Interconnect PKCS Public Key Cryptography Standards PPTP Point-to-Point Tunneling Protocol PRNG Pseudo Random Number Generator RADIUS Remote Authentication Dial-In User Service RAM Random Access Memory RNG Random Number Generator RSA Rivest Shamir and Adleman SHA Secure Hash Algorithm SNMP Simple Network Management Protocol SSH Secure Shell TLS Transport Layer Security WAN Wide Access Network VPN Virtual Private Network Nortel VPN Router 600, 1750, 2700, 2750, and 5000 Page 25 of 25 © 2008 Nortel Networks This document may be freely reproduced and distributed whole and intact including this copyright notice.