FIPS 140-2 Non-Proprietary Security Policy: IBM Internet Security Systems Proventia GX Series Security Appliances Version 3.1 FIPS 140-2 Non-Proprietary Security Policy IBM Internet Security Systems Proventia GX Series Security Appliances Version 3.1 Document Version 2.1 October 1, 2010 Document Version 2.1 © IBM Internet Security Systems Page 1 of 34 FIPS 140-2 Non-Proprietary Security Policy: IBM Internet Security Systems Proventia GX Series Security Appliances Version 3.1 Prepared For: Prepared By: IBM Internet Security Systems, Inc. Apex Assurance Group, LLC 6303 Barfield Road 555 Bryant Street, Ste. 804 Atlanta, GA 30328 Palo Alto, CA 94301 www.iss.net www.apexassurance.com Abstract This document provides a non-proprietary FIPS 140-2 Security Policy for the Proventia GX Series Security Appliances Version 3.1. Document Version 2.1 © IBM Internet Security Systems Page 2 of 34 FIPS 140-2 Non-Proprietary Security Policy: IBM Internet Security Systems Proventia GX Series Security Appliances Version 3.1 Table of Contents 1 Introduction ........................................................................................................................................... 5 1.1 About FIPS 140 ................................................................................................................................ 5 1.2 About this Document........................................................................................................................ 5 1.3 External Resources .......................................................................................................................... 5 1.4 Notices ............................................................................................................................................. 5 1.5 Acronyms ......................................................................................................................................... 6 2 IBM Internet Security Systems Proventia GX Series Security Appliances Version 3.1 ................ 7 2.1 Product Overview ............................................................................................................................. 7 2.2 Validation Level Detail...................................................................................................................... 7 2.3 Cryptographic Algorithms................................................................................................................. 8 2.3.1 Approved Algorithms and Implementation Certificates ............................................................. 8 2.3.2 Non-Approved Algorithms ......................................................................................................... 8 2.4 Cryptographic Module Specification................................................................................................. 9 2.4.1 Excluded Components .............................................................................................................. 9 2.5 Module Interfaces........................................................................................................................... 10 2.6 Roles, Services, and Authentication .............................................................................................. 10 2.6.1 Management Options .............................................................................................................. 11 2.6.2 Operator Services and Descriptions........................................................................................ 12 2.6.3 Operator Authentication........................................................................................................... 13 2.7 Physical Security ............................................................................................................................ 14 2.8 Operational Environment ............................................................................................................... 14 2.9 Cryptographic Key Management.................................................................................................... 15 2.10 Self-Tests ..................................................................................................................................... 20 2.10.1 Power-On Self-Tests ............................................................................................................. 20 2.10.2 Conditional Self-Tests............................................................................................................ 20 2.11 Mitigation of Other Attacks ........................................................................................................... 21 3 Guidance and Secure Operation ....................................................................................................... 22 3.1 Crypto Officer Guidance................................................................................................................. 22 3.1.1 Firmware Installation ............................................................................................................... 22 3.1.2 Enabling FIPS Mode................................................................................................................ 22 3.1.3 General Guidance ................................................................................................................... 23 3.1.4 Placement of Tamper Evidence Labels................................................................................... 23 3.2 User Guidance ............................................................................................................................... 34 3.2.1 General Guidance ................................................................................................................... 34 Document Version 2.1 © IBM Internet Security Systems Page 3 of 34 FIPS 140-2 Non-Proprietary Security Policy: IBM Internet Security Systems Proventia GX Series Security Appliances Version 3.1 List of Tables Table 1 – Acronyms and Terms .................................................................................................................... 6 Table 2 – Validation Level by DTR Section .................................................................................................. 7 Table 3 – Algorithm Certificates.................................................................................................................... 8 Table 4 – Interface Descriptions ................................................................................................................. 10 Table 5 – Logical Interface / Physical Interface Mapping ........................................................................... 10 Table 6 – Operator Services and Descriptions ........................................................................................... 13 Table 7 - Key/CSP Management Details .................................................................................................... 19 List of Figures Figure 1 - GX4004 Tamper Evidence Label Placement (Front/Right) ........................................................ 24 Figure 2 - GX4004 Tamper Evidence Label Placement (Front/Left) .......................................................... 25 Figure 3 - GX4004 Tamper Evidence Label Placement (Bottom) .............................................................. 25 Figure 3 - GX5000 Series Tamper Evidence Label Placement (Front) ...................................................... 27 Figure 4 – GX5000 Tamper Evidence Label Placement (Rear/RIght) ....................................................... 28 Figure 6 – GX5000 Tamper Evidence Label Placement (Rear/Left) .......................................................... 29 Figure 7 – GX5000 Tamper Evidence Label Placement (Bottom).............................................................. 30 Figure 5 – GX6116 Series Tamper Evidence Label Placement (Front, Rear, and Sides) ......................... 34 Document Version 2.1 © IBM Internet Security Systems Page 4 of 34 FIPS 140-2 Non-Proprietary Security Policy: IBM Internet Security Systems Proventia GX Series Security Appliances Version 3.1 1 Introduction 1.1 About FIPS 140 Federal Information Processing Standards Publication 140-2 — Security Requirements for Cryptographic Modules specifies requirements for cryptographic products to be deployed in a Sensitive but Unclassified environment. The National Institute of Standards and Technology (NIST) and Communications Security Establishment of Canada (CSEC) Cryptographic Module Validation Program (CMVP) owns the FIPS 140 program. The CMVP accredits independent testing labs to perform FIPS 140 testing; the CMVP also validates test reports for all products pursuing FIPS 140 validation. Validation is the term given to a product that is documented and tested against the FIPS 140 criteria. More information is available on the CMVP website at http://csrc.nist.gov/groups/STM/cmvp/index.html. 1.2 About this Document This non-proprietary Cryptographic Module Security Policy for the Proventia GX Series Security Appliances Version 3.1 from IBM Internet Security Systems provides an overview of the product and a high-level description of how it meets the security requirements of FIPS 140-2. This document contains details on the module’s cryptographic keys and critical security parameters. This Security Policy concludes with instructions and guidance on running the module in a FIPS 140-2 mode of operation. The IBM Internet Security Systems Proventia GX Series Security Appliances Version 3.1 may also be referred to as the “modules” in this document. 1.3 External Resources The IBM Internet Security Systems website (http://www.iss.net) contains information on the full line of products from IBM Internet Security Systems, including a detailed overview of the Proventia GX Series Security Appliances Version 3.1 solution. The Cryptographic Module Validation Program website (http://csrc.nist.gov/groups/STM/cmvp/) contains links to the FIPS 140-2 certificate and IBM Internet Security Systems contact information. 1.4 Notices This document may be freely reproduced and distributed in its entirety without modification. Document Version 2.1 © IBM Internet Security Systems Page 5 of 34 FIPS 140-2 Non-Proprietary Security Policy: IBM Internet Security Systems Proventia GX Series Security Appliances Version 3.1 1.5 Acronyms The following table defines acronyms found in this document: Acronym Term AES Advanced Encryption Standard CBC Cipher Block Chaining CSEC Communications Security Establishment of Canada CSP Critical Security Parameter DTR Derived Testing Requirement FIPS Federal Information Processing Standard GPC General Purpose Computer GPOS General Purpose Operating System GUI Graphical User Interface HMAC Hashed Message Authentication Code IBM International Business Machines ISS Internet Security Systems KAT Known Answer Test NIST National Institute of Standards and Technology RSA Rivest Shamir Adelman SHA Secure Hashing Algorithm Table 1 – Acronyms and Terms Document Version 2.1 © IBM Internet Security Systems Page 6 of 34 FIPS 140-2 Non-Proprietary Security Policy: IBM Internet Security Systems Proventia GX Series Security Appliances Version 3.1 2 IBM Internet Security Systems Proventia GX Series Security Appliances Version 3.1 2.1 Product Overview The Proventia Network Intrusion Prevention System (IPS) automatically blocks malicious attacks while preserving network bandwidth and availability. The Proventia Network IPS appliances are purpose-built, Layer 2 network security appliances that you can deploy either at the gateway or the network to block intrusion attempts, denial of service (DoS) attacks, malicious code, backdoors, spyware, peer-to-peer applications, and a growing list of threats without requiring extensive network reconfiguration. The Proventia GX Series Security Appliances Version 3.1 can be securely managed via the following interfaces: • Proventia Manager, which offers a browser-based graphical user interface (GUI) for local, single appliance management. • SiteProtector, which is a central management console for managing appliances, monitoring events, and scheduling reports 2.2 Validation Level Detail The following table lists the level of validation for each area in FIPS 140-2: Validation FIPS 140-2 Section Title Level Cryptographic Module Specification 2 Cryptographic Module Ports and Interfaces 2 Roles, Services, and Authentication 2 Finite State Model 2 Physical Security 2 Operational Environment N/A Cryptographic Key Management 2 Electromagnetic Interference / Electromagnetic 2 Compatibility Self-Tests 2 Design Assurance 2 Mitigation of Other Attacks N/A Table 2 – Validation Level by DTR Section Document Version 2.1 © IBM Internet Security Systems Page 7 of 34 FIPS 140-2 Non-Proprietary Security Policy: IBM Internet Security Systems Proventia GX Series Security Appliances Version 3.1 The “Mitigation of Other Attacks” section is not relevant as the module does not implement any countermeasures towards special attacks. 2.3 Cryptographic Algorithms 2.3.1 Approved Algorithms and Implementation Certificates The module’s cryptographic algorithm implementations have received the following certificate numbers from the Cryptographic Algorithm Validation Program: Algorithm Algorithm Standard CAVP Certificate Use Type Asymmetric RSA with RFC2246 GX4004: 563 Sign / verify Key 1536-bit (TLS v1.0, operations modulus PKCS1.5) GX5008, 5108, 5208: 564 Key transport GX6116: 565 Hashing SHA-1, SHA- FIPS 180-3 GX4004: 1091 Message digest 224, SHA- in TLS sessions 256, SHA- GX5008, 5108, 5208: 1092 Module integrity 384, SHA- via SHA-1 512 GX6116: 1093 Keyed Hash HMAC-SHA1 FIPS 198 GX4004: 682 Message verification GX5008, 5108, 5208: 683 GX6116: 684 Symmetric AES 256 in FIPS 197 GX4004: 1182 Data encryption / Key CBC mode decryption GX5008, 5108, 5208: 1183 GX6116: 1184 Random ANSI X9.31 ANSI X9.31 GX4004: 653 Random Number Number (TDES) Generation Generation GX5008, 5108, 5208: 654 GX6116: 655 Table 3 – Algorithm Certificates 2.3.2 Non-Approved Algorithms The module implements the following non-FIPS approved algorithms: • Firmware-based random number generator (dev/urandom) This RNG is used only as a seeding mechanism to the FIPS-approved PRNG. o Document Version 2.1 © IBM Internet Security Systems Page 8 of 34 FIPS 140-2 Non-Proprietary Security Policy: IBM Internet Security Systems Proventia GX Series Security Appliances Version 3.1 2.4 Cryptographic Module Specification The modules are the IBM Internet Security Systems GX4004, GX5008, GX5108, GX5208, and GX6116 running firmware version 3.1. Each module is classified as a multi-chip standalone cryptographic module. The physical cryptographic boundary is defined as the module case. 2.4.1 Excluded Components Excluded components include the following: • Monitoring Ports (Ports 0 to 3 on GX4004) These ports accept and pass data traffic that is analyzed by the internal IDS o analysis engine. The traffic is not security relevant and does not interact with the cryptographic processing of the appliance. • Management Port 2 (Port 4 on GX4004) This port is not security relevant and does not interact with the cryptographic o processing of the appliance. • Network Card on GX5008, GX5108, GX5208, and GX6116 The network card provides input/output functionality from the motherboard to the o exterior network; it does not provide any FIPS security relevant processing. • Top board on GX6116 This board provides IDS/IPS functionality; it does not provide any FIPS security o relevant processing. Although the actual data over these interfaces is excluded, the appliances do provide analysis of data. These scan results are encrypted by the cryptographic module and sent to the management interfaces (i.e., Proventia Manager and/or SiteProtector) for review. The following keys are excluded because SSH is non-functional in FIPS mode of operation due to disabled root privileges (see Section 3 – Guidance and Secure Operation): • RSA Private 1024-bit for sign / verify operations and key establishment for SSHv1 • RSA Private 1024-bit for sign / verify operations and key establishment for SSHv2 • DSA Private 1024-bit for sign / verify operations and key establishment for SSHv2 These excluded keys cannot be used in FIPS mode of operation; they can only be used in non- FIPS mode. Additionally, the Command Line Interface is “non functional” in FIPS mode of operation due to disabled root privileges. Document Version 2.1 © IBM Internet Security Systems Page 9 of 34 FIPS 140-2 Non-Proprietary Security Policy: IBM Internet Security Systems Proventia GX Series Security Appliances Version 3.1 2.5 Module Interfaces Each appliance runs the same version of firmware and has the same basic physical interfaces; the main difference is the number of Monitoring Ports (i.e., traffic monitoring interfaces) and the processing speed. The table below describes the main interface on each module: Physical Interface Description / Use LCD Initial network configuration, restarting or shutting down the appliance and obtaining IPS version information Monitoring Ports Either inline intrusion prevention (IPS mode) or passive intrusion (excluded) detection (IDS mode). Inline prevention uses a pair of ports per segment. Passive detection uses a single port per segment. IDS traffic is excluded from the validation. Serial Console Port Optional terminal-based setup and recovery USB Ports Connection to a CD-ROM or similar peripheral for loading images Network traffic bypass (i.e., traffic not subjected to analysis engines) Management Port 1 Communication with Proventia Manager and SiteProtector Management System Management Port 2 Exclusively for sending TCP Reset responses. This interface is (excluded) excluded from the validation. Table 4 – Interface Descriptions Each module provides a number of physical and logical interfaces to the device, and the physical interfaces provided by the module are mapped to four FIPS 140-2 defined logical interfaces: data input, data output, control input, and status output. The logical interfaces and their mapping are described in the following table: FIPS 140-2 Logical Module Physical Interface Interface Data Input Management 1 Data Output Management 1 Control Input Management 1 Serial Console Port USB Ports LCD Panel Status Output Management 1 LCD Panel LEDs Power Power Plug On/Off Switch Table 5 – Logical Interface / Physical Interface Mapping 2.6 Roles, Services, and Authentication In FIPS-approved mode of operation, the module is accessed via Command Line Interface (CLI), Proventia Manager, or the SiteProtector management application. The CLI is used only for installation and initial configuration of the module. The module supports basic management Document Version 2.1 © IBM Internet Security Systems Page 10 of 34 FIPS 140-2 Non-Proprietary Security Policy: IBM Internet Security Systems Proventia GX Series Security Appliances Version 3.1 via the LCD panel. This unauthenticated service is used to define basic network configuration, such as IP address, subnet mask, etc.), allowing an operator to initialize the module for FIPS mode of operation. When in FIPS mode, the LCD Management only allows basic diagnostic services. As required by FIPS 140-2, there are two roles (a Crypto Officer role and User role) in the module that operators may assume. The module supports identity-based authentication, and the respective services for each role are described in the following sections. 2.6.1 Management Options1 2.6.1.1 Command Line Interface The command line interface offers basic functions for installation and initial configuration. An authorized operator can use the CLI to initially configure the following functions: • Change Password • Network Configuration Information • Host Configuration • Time Zone/Data/Time Configuration • Agent Name Configuration • Port Link Configuration • Adapter Mode Configuration. More details can be found on page 29 of Proventia Network IPS G and GX Appliance User Guide. 2.6.1.2 Proventia Manager Proventia Manager offers a browser-based graphical user interface (GUI) for local, single appliance management. An authorized operator can use Proventia Manager to manage the following functions: • Monitor appliance status • View log files • Register SiteProtector 1 Please note that Proventia Manager and SiteProtector are outside of the module boundary and only the module interface to these applications are relevant to the validation. Document Version 2.1 © IBM Internet Security Systems Page 11 of 34 FIPS 140-2 Non-Proprietary Security Policy: IBM Internet Security Systems Proventia GX Series Security Appliances Version 3.1 • Configure password • IDS/IPS configuration (excluded from FIPS mode) This connection is secured via TLS. 2.6.1.3 SiteProtector SiteProtector is the IBM ISS central management console. SiteProtector can manage appliances, monitor events, and schedule reports. By default, the appliances are configured to be managed through Proventia Manager. If managing a group of appliances along with other sensors, the centralized management capabilities of SiteProtector may be preferred. SiteProtector controls the following management functions of the appliance: • Monitor appliance status • View log files • Configure password • IDS/IPS configuration (excluded from FIPS mode) After the appliance is registered with SiteProtector, the functions above can be viewed in Proventia Manager and changed only from SiteProtector. 2.6.2 Operator Services and Descriptions The services available to the User and Crypto Officer roles in the module are as follows: Service Input / Output Key/CSP Service Description Interface Roles (API) Access Configure Initializes the Configuration Parameters Serial None Crypto Console Port module for / Module configured Officer USB Ports FIPS mode of LCD Panel operation Self Test Performs self Initiate self tests / Self Management None Crypto 1 tests on critical tests run Officer Power switch functions of User module Session Decrypt Decrypts a Initiate AES decryption / Management Crypto 1 Key block of data data decrypted Officer using AES User Session Encrypt Encrypts a Initiate AES encryption/ Management Crypto 1 Key block of data data encrypted Officer using AES User Document Version 2.1 © IBM Internet Security Systems Page 12 of 34 FIPS 140-2 Non-Proprietary Security Policy: IBM Internet Security Systems Proventia GX Series Security Appliances Version 3.1 Service Input / Output Key/CSP Service Description Interface Roles (API) Access Establish Provides a Initiate session Management Private Crypto 1 Session protected establishment / session Key Officer session for established User establishment Public of AES keys Key with peers HMAC Key Premaster Secret (48 Bytes) Master Secret (48 Bytes) Zeroize Crypto Clear CSPs Terminate Session / Management None CSPs Officer from memory CSPs cleared 1 User Clear CSPs Reimage module / CSPs USB None Crypto from disk cleared and module Officer Serial restored to factory settings Show Shows status Show status commands / Management None Crypto 1 Status of the module Module status Officer Serial User Console Port USB Ports LCD Panel LEDs Table 6 – Operator Services and Descriptions 2.6.3 Operator Authentication The CO role authentication via CLI (when initially configuring the module for FIPS mode) or Proventia Manager over HTTPS/TLS in FIPS mode. Other than status functions available by viewing LEDs, the services described in Table 6 – Operator Services and Descriptions are available only to authenticated operators. When using Proventia Manager, the CO enters the password over a TLS session using the module’s PKI to establish the secure channel. The operator authenticates via username/password, and passwords are stored on the module. The module checks these parameters before allowing access. The module enforces a minimum password length of 6 characters (see Guidance and Secure Operation section of this document). The password can consist of alphanumeric values, {a-zA-Z0-9], yielding 62 choices per character. The probability of a successful random attempt is 1/626, which is less than Document Version 2.1 © IBM Internet Security Systems Page 13 of 34 FIPS 140-2 Non-Proprietary Security Policy: IBM Internet Security Systems Proventia GX Series Security Appliances Version 3.1 1/1,000,000. Assuming 10 attempts per second via a scripted or automatic attack, the probability of a success with multiple attempts in a one minute period is 600/626, which is less than 1/100,000. The module will lock an account after 3 failed authentication attempts; thus, the maximum number of attempts in one minute is 3. Therefore, the probability of a success with multiple consecutive attempts in a one minute period is 3/626 which is less than 1/100,000. For authentication of SiteProtector sessions (i.e., the User Role), the module supports a public key based authentication with 1536 bit keys via RSA. A 1536-bit RSA key has 96-bits of equivalent strength. The probability of a successful random attempt is 1/2^96, which is less than 1/1,000,000. Assuming the module can support 60 authentication attempts in one minute, the probability of a success with multiple consecutive attempts in a one minute period is 60/2^96 which is less than 1/100,000. 2.7 Physical Security Each module is a multiple-chip standalone module and conforms to Level 2 requirements for physical security. The modules’ production-grade enclosure is made of a hard metal, and the enclosures contain a removable cover. The baffles installed by IBM Internet Security Systems satisfy FIPS 140-2 Level 2 requirements for module opacity. For details on tamper evidence, please see Section 3.1.4 – Placement of Tamper Evidence Labels. 2.8 Operational Environment The modules operate in a limited operational environment and do not implement a General Purpose Operating System. The modules meet Federal Communications Commission (FCC) FCC Electromagnetic Interference (EMI) and Electromagnetic Compatibility (EMC) requirements for business use as defined by 47 Code of Federal Regulations, Part15, Subpart B. Document Version 2.1 © IBM Internet Security Systems Page 14 of 34 FIPS 140-2 Non-Proprietary Security Policy: IBM Internet Security Systems Proventia GX Series Security Appliances Version 3.1 2.9 Cryptographic Key Management The table below provides a complete list of Critical Security Parameters used within the module: Key/CSP Description / Establishment / Generation Storage Services Privileges Name Use Export Session AES CBC Derived from the Storage: RAM plaintext Agreement: Via secure Decrypt Crypto Officer Key 256-bit key for Master Secret TLS tunnel Encrypt encryption / Type: Ephemeral RWD decryption of Entry: NA User management Association: The system traffic is the one and only Output: NA RWD owner. Relationship is maintained by the operating system via protected memory. PRNG 160-bit Use dev / urandom Storage: RAM plaintext Agreement: NA Establish Session Crypto Officer Seed system to gather bytes from Entropy seed several areas of Type: Ephemeral Entry: NA None the X9.31 system data PRNG (including time/date), Association: The system Output: NA concatenate them is the one and only User together and hash owner. Relationship is None via SHA-1 maintained by the operating system via protected memory. PRNG 256-bit value Gather bytes from Storage: RAM plaintext Agreement: NA Establish Session Crypto Officer Seed Key to seed the several areas of FIPS- system data Type: Ephemeral Entry: NA None Document Version 2.1 © IBM Internet Security Systems Page 15 of 34 FIPS 140-2 Non-Proprietary Security Policy: IBM Internet Security Systems Proventia GX Series Security Appliances Version 3.1 Key/CSP Description / Establishment / Generation Storage Services Privileges Name Use Export approved (including time/date) Association: The system User ANSI X9.31 is the one and only Output: NA None PRNG owner. Relationship is maintained by the operating system via protected memory. Private RSA Private Internal generation Storage: On disk in Agreement: NA Establish Session Crypto Officer Key 1536-bit for at installation by plaintext sign / verify X9.31 PRNG Entry: NA RWD operations Type: Static User and Output: None RWD key Association: The system establishment is the one and only 2 for owner. Relationship is SiteProtector maintained by the to GX operating system via appliances protected memory. over TLS GX Public RSA Public Internal generation Storage: On disk in Agreement: NA Establish Session Crypto Officer Key 1536-bit for at installation by plaintext Entry: NA RWD 2 Key establishment methodology provides at least 96-bits of encryption strength 3 Key establishment methodology provides at least 96-bits of encryption strength Document Version 2.1 © IBM Internet Security Systems Page 16 of 34 FIPS 140-2 Non-Proprietary Security Policy: IBM Internet Security Systems Proventia GX Series Security Appliances Version 3.1 Key/CSP Description / Establishment / Generation Storage Services Privileges Name Use Export sign / verify X9.31 PRNG User operations Type: Static Output: plaintext during R and TLS negotiation key Association: The system establishment is the one and only 3 for external owner. Relationship is entities (such maintained by the as operating system via SiteProtector) X509 certificates. to GX appliances over TLS. Encryption/De cryption of the Premaster Secret for entry/output External RSA Public External generation Storage: RAM plaintext Agreement: NA Establish Session Crypto Officer Entity 1536-bit key by FIPS-approved Public Key associated technique Type: Ephemeral Entry: Plaintext RWD with remote User entities (such Association: The system Output: NA RWD as the is the one and only browser or owner. Relationship is SiteProtector) maintained by the operating system via X509 certificates. HMAC key 160-bit Partitioned from Storage: RAM plaintext Agreement: NA Establish Session Crypto Officer HMAC-SHA1 Master Secret for message Type: Ephemeral Entry: NA RWD Document Version 2.1 © IBM Internet Security Systems Page 17 of 34 FIPS 140-2 Non-Proprietary Security Policy: IBM Internet Security Systems Proventia GX Series Security Appliances Version 3.1 Key/CSP Description / Establishment / Generation Storage Services Privileges Name Use Export verification User Association: The system Output: None RWD is the one and only owner. Relationship is maintained by the operating system via protected memory. Crypto Alphanumeric Not generated by the Storage: On disk hashed Agreement: NA Configure Crypto Officer Officer passwords module; defined by with SHA-512 Password externally the human user Entry: Manual entry RWD generated by Type: Static a human user Output: NA User for Association: controlled authentication by the operating system RWD to the appliance. Premaster RSA- Internal generation Storage: RAM plaintext Agreement: NA Establish Session Crypto Officer Secret (48 Encrypted by X9.31 PRNG None Bytes) Premaster Type: Ephemeral Entry: Input during TLS Secret negotiation Message Association: The system User is the one and only Output: Output to None owner. Relationship is server encrypted by maintained by the Public Key operating system via protected memory. Master Used for Internal generation Storage: RAM plaintext Agreement: NA Establish Session Crypto Officer Secret (48 computing the by X9.31 PRNG None Bytes) Session Key Type: Ephemeral Entry: NA Document Version 2.1 © IBM Internet Security Systems Page 18 of 34 FIPS 140-2 Non-Proprietary Security Policy: IBM Internet Security Systems Proventia GX Series Security Appliances Version 3.1 Key/CSP Description / Establishment / Generation Storage Services Privileges Name Use Export User Association: The system Output: NA None is the one and only owner. Relationship is maintained by the operating system via protected memory. R = Read W = Write D = Delete Table 7 - Key/CSP Management Details Public keys are protected from unauthorized modification and substitution. The module ensures only authenticated operators have access to keys and functions that can generate keys. Unauthenticated operators to not have write access to modify, change, or delete a public key. Ephemeral CSPs are zeroized by the RAM clearing processes, and static CSPs are zeroized by reimaging the module. Document Version 2.1 © IBM Internet Security Systems Page 19 of 34 FIPS 140-2 Non-Proprietary Security Policy: IBM Internet Security Systems Proventia GX Series Security Appliances Version 3.1 2.10 Self-Tests The modules include an array of self-tests that are run during startup and periodically during operations to prevent any secure data from being released and to ensure all components are functioning correctly. In the event of any self-test failure, the modules will output an error dialog and will shutdown. When a module is in an error state, no keys or CSPs will be output and the module will not perform cryptographic functions. The module does not support a bypass function. The following sections discuss the modules’ self-tests in more detail. 2.10.1 Power-On Self-Tests Power-on self-tests are run upon every initialization of each module and do not require operator intervention to run. If any of the tests fail, the module will not initialize. The module will enter an error state and no services can be accessed by the users. Each module implements the following power-on self-tests: • Module integrity check via SHA-1 • RSA pairwise consistency (signing and signature verification) • AES KAT (encryption and decryption) • SHA-1, SHA-224, SHA-256, SHA-384, SHA-512 KAT • HMAC-SHA1 KAT • KAT for Approved PRNG Each module performs all power-on self-tests automatically when the module is initialized. All power-on self-tests must be passed before a User/Crypto Officer can perform services. The Power-on self-tests can be run on demand by rebooting the module in FIPS approved Mode of Operation. 2.10.2 Conditional Self-Tests Conditional self-tests are test that run continuously during operation of each module. If any of these tests fail, the module will enter an error state. The module can be re-initialized to clear the error and resume FIPS mode of operation. No services can be accessed by the operators. Each module performs the following conditional self-tests: • Pairwise consistency test for RSA implementation • Continuous RNG test run on output of ANSI X9.31 PRNG Document Version 2.1 © IBM Internet Security Systems Page 20 of 34 FIPS 140-2 Non-Proprietary Security Policy: IBM Internet Security Systems Proventia GX Series Security Appliances Version 3.1 • Continuous test on output of ANSI X9.31 PRNG seed mechanism • Continuous RNG test for non-approved firmware RNG • Continuous test to ensure seed and seed key are not the same values The modules do not perform a firmware load test because no additional firmware can be loaded in the module while operating in FIPS-approved mode or in non-FIPS mode. Please see Section 3 for guidance on configuring and maintaining FIPS mode. Once in non-FIPS mode, the only way to resume FIPS mode is to reimage the module and perform a clean install for FIPS mode. 2.11 Mitigation of Other Attacks The module does not mitigate other attacks. Document Version 2.1 © IBM Internet Security Systems Page 21 of 34 FIPS 140-2 Non-Proprietary Security Policy: IBM Internet Security Systems Proventia GX Series Security Appliances Version 3.1 3 Guidance and Secure Operation This section describes how to configure the modules for FIPS-approved mode of operation. Operating a module without maintaining the following settings will remove the module from the FIPS-approved mode of operation. 3.1 Crypto Officer Guidance 3.1.1 Firmware Installation To install the appliance firmware, please follow these steps: 1. Log in to the ISS support site at https://webapp.iss.net/myiss/login.jsp 2. Select Downloads from the menu 3. Choose FIPS enabled systems from the Select a Product dropdown menu and then select Go 4. Select the appropriate firmware from the Version dropdown menu then select Go 5. Select Other Updates and select Continue next to the bundle listing for the appropriate firmware 6. Accept the End User License and select Submit 7. Download the *.iso image and follow the upgrade instructions in the Reinstalling Appliance Firmware section of IBM Proventia Network Intrusion Prevention System G/GX Appliance User Guide. 3.1.2 Enabling FIPS Mode When first powering on the module, the operator will be guided through a configuration wizard. In the CLI, the following will appear: Enable FIPS mode [y/N] To initialize the module for FIPS mode, the Crypto Officer must select Y at this prompt. Note: The module can only be enabled for FIPS mode at the time of initial configuration. Once the module is configured for FIPS mode, the only way to return the module to a non-FIPS approved mode of operation is to reimage the module. Additionally, if the module enters an error state (e.g., a known answer test fails), the module must be powered off and reimaged to FIPS mode of operation. Document Version 2.1 © IBM Internet Security Systems Page 22 of 34 FIPS 140-2 Non-Proprietary Security Policy: IBM Internet Security Systems Proventia GX Series Security Appliances Version 3.1 The Cryptographic Officer must follow the General Guidance (Section 3.1.3) to place the module in FIPS mode by removing root privileges to the GX Linux-based operating system. 3.1.3 General Guidance The Crypto Officer must configure and enforce the following initialization procedures in order to operate in FIPS approved mode of operation: • Verify that the firmware version of the module is Version 3.1.No other version can be loaded or used in FIPS mode of operation. • Apply tamper evidence labels as specified in Section 3.1.4 – Placement of Tamper Evidence Labels. The tamper evident labels shall be installed for the module to operate in a FIPS Approved mode of operation. • Ensure any unused labels are secure at all times. • Inspect the tamper evidence labels periodically to verify they are intact. • Do not disclose passwords and store passwords in a safe location and according to his/her organization’s systems security policies for password storage. • Root privilege to the module must be disabled; therefore, SSH cannot be used in FIPS mode of operation. 3.1.4 Placement of Tamper Evidence Labels To meet Physical Security Requirements for Level 2, each module enclosure must be protected with tamper evidence labels. The tamper evident labels shall be installed for the module to operate in a FIPS Approved mode of operation. The Crypto Officer is responsible for applying the labels; IBM Internet Security Systems does not apply the labels at time of manufacture. Once applied, the Crypto Officer shall not remove or replace the labels unless the module has shown signs of tampering, in which case the Crypto Officer shall reimage the module and follow all Guidance to place the module in FIPS mode. Please note that if additional labels need to be ordered, the Crypto Officer shall contact IBM Internet Security Systems support and request part number FIPS-LABELS: FIPS 140 tamper evidence labels. The Crypto Officer is responsible for • securing and having control at all times of any unused seals, and • maintaining the direct control and observation of any changes to the module such as reconfigurations where the tamper evident seals or security appliances are removed or installed to ensure the security of the module is maintained during such changes and the module is returned to a FIPS Approved state. Document Version 2.1 © IBM Internet Security Systems Page 23 of 34 FIPS 140-2 Non-Proprietary Security Policy: IBM Internet Security Systems Proventia GX Series Security Appliances Version 3.1 3.1.4.1 GX4004 A total of two tamper evidence labels are required and are included with the appliance. Application of the tamper evidence labels is as follows: 1. Turn off and unplug the system. 2. Clean the enclosure before applying the tamper evidence labels. 3. Place Label #1 the right side/bottom of the enclosure as shown in Figure 1 - GX4004 Tamper Evidence Label Placement (Front/Right) 4. Place Label #2 the left side/bottom of the enclosure as shown in Figure 2 - GX4004 Tamper Evidence Label Placement (Front/Left) Figure 1 - GX4004 Tamper Evidence Label Placement (Front/Right) Document Version 2.1 © IBM Internet Security Systems Page 24 of 34 FIPS 140-2 Non-Proprietary Security Policy: IBM Internet Security Systems Proventia GX Series Security Appliances Version 3.1 Figure 2 - GX4004 Tamper Evidence Label Placement (Front/Left) Figure 3 - GX4004 Tamper Evidence Label Placement (Bottom) Document Version 2.1 © IBM Internet Security Systems Page 25 of 34 FIPS 140-2 Non-Proprietary Security Policy: IBM Internet Security Systems Proventia GX Series Security Appliances Version 3.1 3.1.4.2 GX5000 Series A total of seven tamper evidence labels are required and are included with the appliance. Application of the tamper evidence labels is as follows: 1. Turn off and unplug the system. 2. Clean the enclosure before applying the tamper evidence labels. 3. Place Label #1 over the top/right side of the enclosure as shown in Figure 4 - GX5000 Series Tamper Evidence Label Placement (Front) 4. Place Label #2 over the top/left side of the enclosure as shown in Figure 4 - GX5000 Series Tamper Evidence Label Placement (Front) 5. Place Label #3 over the top of the enclosure and the two fan baffles as shown in Figure 4 - GX5000 Series Tamper Evidence Label Placement (Front) 6. Place Label #4 over the front of the bezel and the two hard drive bay covers as shown in Figure 4 - GX5000 Series Tamper Evidence Label Placement (Front) 7. Place Label #5 over the front-right/bottom as shown in Figure 4 - GX5000 Series Tamper Evidence Label Placement (Front) 8. Place Label #6 over the front-left/top as shown in Figure 4 - GX5000 Series Tamper Evidence Label Placement (Front) Document Version 2.1 © IBM Internet Security Systems Page 26 of 34 FIPS 140-2 Non-Proprietary Security Policy: IBM Internet Security Systems Proventia GX Series Security Appliances Version 3.1 Figure 4 - GX5000 Series Tamper Evidence Label Placement (Front) 9. Place Label #7 over the service bays as shown in Figure 5 – GX5000 Tamper Evidence Label Placement (Rear/RIght) Document Version 2.1 © IBM Internet Security Systems Page 27 of 34 FIPS 140-2 Non-Proprietary Security Policy: IBM Internet Security Systems Proventia GX Series Security Appliances Version 3.1 Figure 5 – GX5000 Tamper Evidence Label Placement (Rear/RIght) Document Version 2.1 © IBM Internet Security Systems Page 28 of 34 FIPS 140-2 Non-Proprietary Security Policy: IBM Internet Security Systems Proventia GX Series Security Appliances Version 3.1 Figure 6 – GX5000 Tamper Evidence Label Placement (Rear/Left) Document Version 2.1 © IBM Internet Security Systems Page 29 of 34 FIPS 140-2 Non-Proprietary Security Policy: IBM Internet Security Systems Proventia GX Series Security Appliances Version 3.1 Figure 7 – GX5000 Tamper Evidence Label Placement (Bottom) 3.1.4.3 GX6116 Series A total of six tamper evidence labels are required and are included with the appliance. Application of the tamper evidence labels is as follows: 1. Turn off and unplug the system. 2. Clean the enclosure before applying the tamper evidence labels. Document Version 2.1 © IBM Internet Security Systems Page 30 of 34 FIPS 140-2 Non-Proprietary Security Policy: IBM Internet Security Systems Proventia GX Series Security Appliances Version 3.1 3. Place Label #1 over the top/left side of the enclosure as shown in Figure 5 – GX6116 Series Tamper Evidence Label Placement (Front) 4. Place Label #2 over the top/right side of the enclosure as shown in Figure 5 – GX6116 Series Tamper Evidence Label Placement (Front) 5. Place Label #3 over the top/front of the enclosure such that the hard drive bezel is covered as shown in Figure 5 – GX6116 Series Tamper Evidence Label Placement (Front) 6. Place Label #4 over the side/front of the enclosure such that the hard drive bezel is covered as shown in Figure 5 – GX6116 Series Tamper Evidence Label Placement (Front) 7. Place Label #5 over the top of the enclosure and the outer fan baffle as shown in Figure 5 – GX6116 Series Tamper Evidence Label Placement (Front) 8. Place Label #6 over the top of the enclosure and the inner fan baffle as shown in Figure 5 – GX6116 Series Tamper Evidence Label Placement (Front) Document Version 2.1 © IBM Internet Security Systems Page 31 of 34 FIPS 140-2 Non-Proprietary Security Policy: IBM Internet Security Systems Proventia GX Series Security Appliances Version 3.1 Document Version 2.1 © IBM Internet Security Systems Page 32 of 34 FIPS 140-2 Non-Proprietary Security Policy: IBM Internet Security Systems Proventia GX Series Security Appliances Version 3.1 Document Version 2.1 © IBM Internet Security Systems Page 33 of 34 FIPS 140-2 Non-Proprietary Security Policy: IBM Internet Security Systems Proventia GX Series Security Appliances Version 3.1 Figure 8 – GX6116 Series Tamper Evidence Label Placement (Front, Rear, and Sides) 3.2 User Guidance 3.2.1 General Guidance The User role is defined by a management session over a TLS tunnel. As such, this role is authenticated, and no additional guidance is required to maintain FIPS mode of operation. End of Document Document Version 2.1 © IBM Internet Security Systems Page 34 of 34