HEWLETT PACKARD ENTERPRISE FIPS 1402 NONPROPRIETARY SECURITY POLICY TippingPoint Intrusion Prevention System Hardware Version: S6100N Firmware Version: 3.8.0 Document Version: 1.4 Revision Date: 12/2/2015 TippingPoint IPS Non-Proprietary Security Policy Page 1 of 31 FIPS 1402 NonProprietary Security Policy TippingPoint Intrusion Prevention System Contents 1. Introduction ................................................................................................................. 4 1.1. Purpose ................................................................................................................ 4 1.2 References ........................................................................................................... 4 1.3 Definitions and Acronyms .................................................................................. 4 2. Module Specifications ................................................................................................ 6 2.1 Overview ............................................................................................................. 6 2.2 Security Level ..................................................................................................... 6 2.3 Physical Characteristics ...................................................................................... 7 2.4 Cryptographic Boundary ..................................................................................... 8 2.5 Excluded Components ........................................................................................ 8 2.6 Ports and Interfaces ............................................................................................. 9 2.7 Modes of Operation .......................................................................................... 10 3. Roles, Services, and Authentication ......................................................................... 11 3.1. Authentication Mechanisms and Strength ........................................................ 11 3.2. Roles ................................................................................................................. 13 3.3. Module Services................................................................................................ 14 3.4. Unauthenticated Services .................................................................................. 17 3.5 Non-FIPS Mode Services ................................................................................. 18 4. Secure Operation and Security Rules ....................................................................... 19 4.1. Secure Operation ............................................................................................... 19 4.2. Security Rules ................................................................................................... 20 4.3. Crypto-Officer Guidance .................................................................................. 22 4.4. User Guidance ................................................................................................... 24 4.5. Physical Security Rules..................................................................................... 24 5. Security Relevant Data Items and Access Control ................................................... 25 5.1. Cryptographic Algorithms ................................................................................ 25 5.2. Cryptographic Keys, CSPs, and SRDIs ............................................................ 26 5.3. Access Control Policy ....................................................................................... 30 6. Mitigation of Other Attacks ...................................................................................... 31 List of Figures Figure 1: TippingPoint IPS Deployment in a Network ...................................................... 6 List of Tables Table 1: Definitions and Acronyms .................................................................................... 4 Table 2: Module Security Level Specification ................................................................... 6 TippingPoint IPS Non-Proprietary Security Policy Page 2 of 31 Table 3: S6100N Model Configuration .............................................................................. 8 Table 4: FIPS 140-2 Interfaces and the Corresponding Module's Physical Ports .............. 9 Table 5: Roles and Descriptions ....................................................................................... 13 Table 6: Module Services ................................................................................................. 14 Table 7: Unauthenticated Services.................................................................................... 17 Table 8: FIPS Mode Cryptographic Algorithms ............................................................... 25 Table 9: Non-FIPS Mode Cryptographic Algorithms ...................................................... 26 Table 10: SRDI Information ............................................................................................. 26 Table 11: Access Control Policy....................................................................................... 30 TippingPoint IPS Non-Proprietary Security Policy Page 3 of 31 1. Introduction This document is a nonproprietary Cryptographic Module Security Policy for the TippingPoint Intrusion Prevention System (IPS) model S6100N. This model should be operated with the 3.8.0 firmware version for compliance with the security policy described herein. Using other versions of firmware will remove the module from the FIPS approved mode of operation. This Security Policy may freely be reproduced and distributed in its entirety (without modification). Federal Information Processing Standards (FIPS) 1402, Security Requirements for Cryptographic Modules, specifies the U.S. and Canadian Governments' requirements for cryptographic modules. The following pages describe how TippingPoint IPS meets these requirements and how to use the IPS in a mode of operation compliant with FIPS 1402. This policy was prepared as part of the Overall Level 1 FIPS 1402 validation of the TippingPoint Intrusion Prevention System. More information about FIPS 1402 and the Cryptographic Module Validation Program (CMVP) is available at the website of the National Institute of Standards and Technology (NIST): http://csrc.nist.gov/groups/STM/cmvp/index.html. In this document, the TippingPoint Intrusion Prevention System is referred to as the IPS, the module, or the device. 1.1. Purpose This document covers the secure operation of the TippingPoint IPS appliances including the initialization, roles, and responsibilities of operating the product in a secure, FIPS compliant manner. 1.2 References This Security Policy deals specifically with the operation and implementation of the module in the technical terms of the FIPS 1402 standard. Additional information on the module can be found on the TippingPoint website. 1.3 Definitions and Acronyms This Security Policy uses the following definitions and acronyms. Table 1: Definitions and Acronyms Term/Acronym Description AES Advanced Encryption Standard CF Compact Flash CLI Command Line Interface CSP Critical Security Parameter TippingPoint IPS Non-Proprietary Security Policy Page 4 of 31 DES Data Encryption Standard DH Diffie Hellman DRNG Deterministic Random Number Generator FIPS Federal Information Processing Standard GbE Gigabit Ethernet GUI Graphical User Interface HMAC Hashbased Message Authentication Code HTTP Hypertext Transfer Protocol HTTPS Hypertext Transfer Protocol Secure IPS Intrusion Prevention System LCD Liquid Crystal Display LSM Local Security Manager MD5 Message Digest 5 RNG Random Number Generator Public Key encryption developed by RSA Data Security, RSA Inc. (Rivest, Shamir and Adleman) SFP Small FormFactor Pluggable SHA Secure Hash Algorithm SMS Security Management System SRDI Security Relevant Data Item SSH Secure Shell TripleDES Triple Data Encryption Standard TLS Transport Layer Security TP TippingPoint XFP 10 Gigabit Small Form Factor Pluggable Zero Power High Availability. ZPHA is a mechanism which allows IPS network traffic intended for the ZPHA module's monitoring ports to continue to flow when it loses power. TippingPoint IPS Non-Proprietary Security Policy Page 5 of 31 2. Module Specifications 2.1 Overview The TippingPoint IPS operates inline in the network, blocking malicious and unwanted traffic, while allowing good traffic to pass unimpeded. In fact, the module optimizes the performance of good traffic by continually cleansing the network and prioritizing applications that are mission critical. Figure 1: TippingPoint IPS Deployment in a Network The TippingPoint IPS is deployed seamlessly into the network and immediately begins filtering out malicious and unwanted traffic. Its switchlike performance characteristics allow it to be placed inline at the perimeter, on internal network segments, at the core, and at remote site locations. These powerful enforcement points can be centrally controlled to institute and enforce businesswide security policies, allowing the TippingPoint IPS to see all network traffic and protect against external as well as internal attacks. TippingPoint solutions decrease IT security cost by eliminating adhoc patching and alert response, while simultaneously increasing IT productivity and profitability through bandwidth savings and protection of critical applications. 2.2 Security Level When operated in the FIPS approved mode of operation (denoted `FullFIPS' mode on the appliance), the TippingPoint IPS Cryptographic module meets the overall requirements applicable to Level 1 security of FIPS 1402. Table 2: Module Security Level Specification Security Requirements Section Level Cryptographic Module Specification 1 TippingPoint IPS Non-Proprietary Security Policy Page 6 of 31 Cryptographic Module Ports and Interfaces 1 Roles, Services and Authentication 3 Finite State Model 1 Physical Security 1 Operational Environment N/A Cryptographic Key Management 1 EMI/EMC 1 Self Tests 1 Design Assurance 2 Mitigation of Other Attacks N/A 2.3 Physical Characteristics From a FIPS 1402 perspective, each TippingPoint IPS model is considered to be a multiplechip standalone hardware module using productiongrade components contained within an opaque, hard enclosure made of productiongrade steel. The S6100N IPS model should be operated with the 3.8.0 firmware version. The IPS module only allows the installation of new firmware signed by a TippingPoint private key so it has a limited operational environment. The module configurations are shown in the picture below: Figure 2: TippingPoint S6100N TippingPoint IPS Non-Proprietary Security Policy Page 7 of 31 The module configuration is listed in the Table below: Table 3: S6100N Model Configuration Inspectio Dimension IPS Removable Monitoring Ports Management n (H*W*D) Model components (excluded) Interfaces Through (inches) put Fans, power 5 segments (10 1 supplies, 3.42*16.8* ports) RJ45 10/100/1000 external CF, 24 10/100/1000 GbE Copper SFP and XFP (2U rack Ethernet (Copper); port, 1 RJ45 8Gbps S6100N transceivers, mountable 5 segments (10 Console port, Interface for ) ports) 1GbE SFP; 1 LCD and external 1 segment (2 Keypad ZPHA device ports) 10GbE XFP 2.4 Cryptographic Boundary The cryptographic boundary of the module is the module's external hardmetal enclosure that forms the physical perimeter of the module. The cryptographic boundary includes all components within the hard metal enclosure of the module. 2.5 Excluded Components The following module components are excluded from FIPS 1402 requirements: 1. Monitoring Ports The module may have different types of monitoring ports (i.e. Copper or SFP) depending on the module configuration used. Each of the above physical configurations of the module has 2 ports per segment, which are used for the IPS functionality. One of the ports in a segment is typically used for the internal protected network while the other port is used for the external unprotected network. These ports are used only for the network data that is monitored for intrusion prevention services, and these ports are not associated with any cryptographic processes, keys or CSPs. The monitoring ports can never input or output any cryptographic keys, CSPs, or any FIPSrelevant data. Thus, TippingPoint IPS Non-Proprietary Security Policy Page 8 of 31 these ports cannot affect the security of the module and are excluded from FIPS 1402 security requirements. 2. ZPHA Connector Port: The module configurations have a ZPHA connector port which can be used to support an optional ZPHA Module. The ZPHA connector can accommodate only one ZPHA module at a time. These ZPHA modules have monitoring ports which can be connected to external networks and to the IPS module's monitoring ports using external network cables. This enables the module to support the Zero Power High Availability (ZPHA) mechanism, which allows IPS network traffic to continue to flow when the box loses power. The ZPHA connector and the ports supported by the ZPHA modules are not associated with any management data, cryptographic services, keys or CSPs. The ZPHA connector can never compromise the IPS module's security and is excluded from FIPS 1402 security requirements. 2.6 Ports and Interfaces Each IPS model provides a management port and a console port, which carry all of the module's cryptographic data, keys and CSPs. COMPACT FLASH PORT: The module S6100N has an external compact flash port located on the front side of the module. The compact flash can be used only to store logs and other system data. No cryptographic keys, CSPs, or securityrelevant management data can ever be input or output using this external compact flash. The module S6100N has only one USB port that is labeled "ZPHA" on the front side of the module body. This port is only used to provide power to an external ZPHA appliance. There is no other use of this port and it is not associated with any cryptography, keys, CSPs or securityrelevant data. The following table indicates the mapping of the module's physical ports to the FIPS 1402 logical interfaces. Table 4: FIPS 1402 Interfaces and the Corresponding Module's Physical Ports FIPS 1402 Logical Interface Module's Physical Port Ethernet Management Port RJ45 Console Port Data Input Compact Flash Port Ethernet Management Port RJ45 Console Port Data Output Compact Flash Port TippingPoint IPS Non-Proprietary Security Policy Page 9 of 31 Ethernet Management Port RJ45 Console Port Control Input Power/Reset Button/Switch LCD Keypad Ethernet Management Port RJ45 Console Port LCD Screen Status Output LEDs Compact Flash Port Power Port Power Interface USB Port 2.7 Modes of Operation The module can be operated in a FIPSapproved mode or in a nonFIPS mode. The module supports 3 modes of operation: Disable, Crypto, and Full. Only the `Full' FIPS mode on the module is considered as the FIPS Approved mode of operation. The `Disable' mode and the `Crypto' mode on the module are considered as nonFIPS modes of operation. The cryptographic algorithms allowed by the module in the Approved FullFIPS mode of operation are indicated in Table 8 of this document. The Cryptographic Keys, CSPs, and SRDIs of the module in an Approved mode of operation are described in Table 10 of this document. The rules and procedures followed and enforced by the module in the Approved mode of operation are described in Section 4 of this document. TippingPoint IPS Non-Proprietary Security Policy Page 10 of 31 3. Roles, Services, and Authentication 3.1. Authentication Mechanisms and Strength An operator can authenticate and access the module in any one of the following ways: CLI over Console Port CLI via SSH over Management Port CLI via Telnet over Management Port LSM (HTTP or HTTPS) over Management Port. LSM stands for the Local Security Manager, which offers a Webbased GUI for managing one IPS device. LSM provides a graphical display for reviewing, searching, and modifying settings. The GUI interface also provides reports to monitor the device traffic, triggered filters, and packet statistics. HTTP is disabled in FIPS mode and HTTPS provides TLS protection. Using the TippingPoint SMS Client GUI via TLS over Management Port for allowing management of the IPS module by the SMS. SMS stands for the Security Management System, which is a central management point for managing different TippingPoint appliances, monitoring events and scheduling reports. A single SMS can be used to monitor and manage multiple IPS devices. This authentication is required for enabling the SMS management. Using a TippingPoint SMS as a remote authentication server. This is possible only when the IPS is already being managed by an SMS. Remote authentication can only be used with CLI and LSM. The remote authentication data is always protected by TLS. Using RADIUS for remote authentication (disallowed by policy when in Full FIPS mode). Using TACACS+ for remote authentication (disallowed by policy when in Full FIPS mode). Telnet and HTTP are disabled by default and cannot be enabled while in Full FIPS mode. SSH and HTTPS must be used instead. RADIUS and TACACS+ authentication support is disallowed by policy so should not be enabled when in Full FIPS mode. The TippingPoint IPS supports password authentication for all users. A user must specify a name and password when authenticating to the IPS through LSM, through the CLI, using the SMS Client, or using an SMS as a remote authentication server. TippingPoint IPS Non-Proprietary Security Policy Page 11 of 31 AUTHENTICATION STRENGTH: When authenticating through the CLI, through LSM, or using the SMS client to an IPS in Full FIPS mode with remote authentication disabled, the IPS does the enforcement of user name and password restrictions. The IPS requires usernames with a minimum of 6 characters and passwords with a minimum of 8 characters. In the default configuration, there is no restriction on what characters can be in the password. Thus, there are 95^8 (i.e. 6.6*10^15) possible passwords of the minimum length from the set of all displayable ASCII characters including space. The odds of randomly guessing a password of the minimum length would thus be 1 in 6.6*10^15 which is much less than 1 in 1,000,000. Thus, it meets the FIPS requirement. The IPS has a password configuration option that requires passwords to have at least 2 letters (i.e. 52 possible for each), 1 number (i.e. 10 possible), and 1 nonalphanumeric character (i.e. 955210=33 possible). This would reduce the number of possible passwords from the default settings. Assuming a minimum password length and fixed positions (but not values) for the restrictive character classes, the number of possible passwords is 52*52*10*33*(95^4) = 7.3*10^13. The odds of randomly guessing a password would thus be 1 in 7.3*10^13 which is much less than 1 in 1,000,000. Since the positions of the required character classes are not fixed, the number of possible passwords of the minimum length is larger. Thus the actual odds are even lower. When authenticating through the CLI or through LSM to an IPS in Full FIPS mode with remote authentication enabled, the SMS by default does the enforcement of user name and password restrictions. For maintaining FIPS compliance while using remote authentication with an IPS in Full FIPS mode, the SMS must be configured to use the highest setting (i.e. level 2) for users and passwords. The SMS level 2 setting requires a minimum of 6 character usernames. This setting also requires a minimum of 8 character passwords with no spaces where 2 must be letters (i.e. 52 possible for each), 1 must be numeric (i.e. 10 possible), and 1 must be nonalphanumeric (i.e. 945210=32 possible). Assuming a minimum password length and fixed positions (but not values) for the restrictive character classes, the number of possible passwords is 52*52*10*32*(94^4) = 6.7*10^13. The odds of randomly guessing a password would thus be 1 in 6.7*10^13 which is much less than 1 in 1,000,000. Since the positions of the required character classes are not fixed, the number of possible passwords of the minimum length is larger. Thus the actual odds are even lower. When authenticating through the CLI or through LSM to an IPS in Full FIPS mode with remote authentication disabled, the IPS does the enforcement of the number of unsuccessful login attempts allowed within a given period. In the default configuration, a user account is locked for 5 minutes after 5 failed login attempts for that user. Thus the odds of randomly guessing a password with retries within one minute is 5 times the odds discussed above (i.e. 1 in 7.3*10^13 in the largest odds case) for IPS enforcement resulting in odds of about 1 in 1.4*10^13, which is much less than 1 in 100,000, and thus TippingPoint IPS Non-Proprietary Security Policy Page 12 of 31 meets the FIPS requirement. The maximum number of retries can be configured up to 10, which would result in 10 times the odds discussed above, which results in odds of about 1 in 7.3*10^12, which is still much less than 1 in 100,000. To maintain FIPS compliance, the user must not disable the configuration for account lockout on login failure or configure the lockout time to less than 1 minute. When authenticating to an IPS in Full FIPS mode using the SMS client or through the CLI or LSM with remote authentication enabled, the fastest transfer speed is 1 Gbps over the management port. 1 Gbps corresponds to 7.5*10^9 bytes/min. For any of these scenarios, both the user name and password are sent on each login attempt. The minimum for this will be 14 bytes (6 character username plus 8 character password). Thus the maximum logins per minute would be 7.5*10^9 / 14 = 5.4*10^8 logins/min. The odds for a successful login on repeated tries within a minute would thus be 5.4*10^8 times the odds for one login. When the IPS is enforcing the password restrictions (i.e. using the largest odds case of 1 in 7.3*10^13), the resulting retry odds are about 1 in 135,000 which is less than 1 in 100,000 as required by FIPS. When SMS is enforcing the password restrictions (i.e. using odds of 1 in 6.7*10^13), the resulting retry odds are about 1 in 120,000 which also meets the FIPS requirement. Note that the actual odds for these scenarios is even lower due to the actual odds on one attempt being lower than the estimates (see above) and due to overhead for sending the login information that is not included in the estimates. 3.2. Roles For each of the above access methods, the TippingPoint IPS supports identitybased authentication mechanism, where each user has an individually identified Username and Password. An access level is associated with each user. There are 3 user access levels and their corresponding FIPS roles are shown in the table below. A user, who sets up and performs the firsttime initialization of the module, is implicitly assigned a Super User CryptoOfficer role. Table 5: Roles and Descriptions Type of Authenti User Access FIPS Description Authenti cation Level Role cation Data Can login to the CLI and LSM but primarily has readonly access to the Operator configuration settings. The only CSP User Identity Username an operator can modify is his own based and password. Password Can login to the CLI and LSM and Crypto Administrator modify some configuration settings. Officer An administrator can modify his own Identity Username TippingPoint IPS Non-Proprietary Security Policy Page 13 of 31 password, can load a new TLS RSA based and key pair over TLS, and can perform Password software upgrades to the module. Can login to the CLI and LSM and modify all configuration settings. Only a SuperUser can login to the SMS to manage multiple IPS modules. Only a superuser can add Crypto Identity Username SuperUser based and and delete users and modify any Officer user's password and access level. Password Also, only a superuser can configure the box for FIPS mode and do all key management. The IPS module does not have support for a maintenance role. The IPS module does not support bypass mode. Concurrent Operators The module allows up to 10 concurrently authenticated operators and rejects any additional authentication requests. In addition, at least one SuperUser must remain in the module so the module does not allow the deletion of the last SuperUser (Crypto Officer). 3.3. Module Services The table below shows the services provided by the IPS and the access level required to perform them. Table 6: Module Services Opera Admin Super Service Service Service Input Notes tor istrator User output Only applicable to nonFIPS modes. Not Enable Full Y None None allowed to FIPS mode change mode once in full FIPS mode. View FIPS FIPS status, Y Y Y None status current TippingPoint IPS Non-Proprietary Security Policy Page 14 of 31 authenticated user information, logs. Configure own Username and Y Y Y None password Password Configure any user's Username and Y None password and password access level Configure password restrictions New value of Y Y and other the setting None user account option. settings for all users Done by "fips keys delete" CLI command which requires reboot. The ephemeral Y Zeroize keys None None keys are also always zeroized on a reboot (see reboot service below). Done by "fips keys generate" CLI command which requires reboot (see reboot service below). Some Generate new keys (e.g. RNG Y None None keys seed and seed keys) are also regenerated on a reboot. The ephemeral TLS/SSH keys are generated during TLS/SSH TippingPoint IPS Non-Proprietary Security Policy Page 15 of 31 session negotiation (see login services below). New TLS RSA Install new Key Pair Y Y TLS RSA key encrypted None pair with TLS session key Can also be done unauthenticated Y Y Reboot None None using the power/reset button or power cycling the box. Software package None if it Install or signed by succeeds and Y Y update new TippingPoint, error software TLS message if it parameters, fails. data and input Username and CLI prompt if password, SSH successful parameters, Y Y Y Login to CLI and login input and data prompt if (when using unsuccessful SSH) Username and LSM password, TLS homepage if parameters, successful Y Y Y Login to LSM input and data and login (when using prompt if HTTPS) unsuccessful System Login via SMS Username and summary if Client GUI for password, TLS successful Y enabling parameters, and login central input and data prompt if management unsuccessful Remote Username and CLI prompt or Possible only if Y Y Y authentication Password, TLS LSM SMS is already TippingPoint IPS Non-Proprietary Security Policy Page 16 of 31 using SMS parameters, homepage, managing the input and data depending on IPS. the method used Configure nonFIPS Corresponding Y Y None related admin setting values level settings Configure nonFIPS Corresponding Y related super None setting values user level settings NonFIPS View nonFIPS related Y Y Y related None configuration configuration information View nonFIPS NonFIPS Y Y Y None related status related status 3.4. Unauthenticated Services The IPS module S6100N allows the following unauthenticated services: Table 7: Unauthenticated Services Service Service Procedure Service Outputs Inputs Using the power Poweroff, halt or switch, power cycling None None reboot the module the module, or using LCD and keypad None if all tests pass. If Perform FIPS power any test fails, log Reboot the module None up selftests message is generated and module reboots. Zeroize ephemeral Reboot the module None None keys NonFIPS related information such as Show nonFIPS related device temperature, Using LCD and keypad None information serial number, current memory usage, etc. No key or CSP information is TippingPoint IPS Non-Proprietary Security Policy Page 17 of 31 output by this service. Configure nonFIPS related settings such Using LCD and keypad None None as LCD backlight and contrast Insert or Eject external Using LCD and keypad None None compact flash or using eject switch Intrusion prevention Done automatically functionality on the based on the nonFIPS None None monitoring ports related configuration. 3.5 Non-FIPS Mode Services The module supports the following nonFIPS mode services which shall not be used when operated in FIPS mode. SSH with Blowfish, MD5, and HMACMD5 TLS with DES, RC2 and RC4 SNMP v2 TippingPoint IPS Non-Proprietary Security Policy Page 18 of 31 4. Secure Operation and Security Rules This section describes the rules enforced in the module when operated in the FIPS approved mode (FullFIPS mode) and all FIPSrelated actions or procedures permitted on the module. In order to operate the TippingPoint IPS securely, the user should be aware of the security rules enforced by the module and should adhere to the physical security rules and secure operation rules and procedures. 4.1. Secure Operation ENABLING APPROVED MODE OF OPERATION: To operate in a FIPScompliant manner, an IPS module must be placed in the approved mode of operation (called `FullFIPS' mode on the appliance) by using the following procedure: Ensure that the S6100N IPS model is updated to the 3.8.0 software release. After updating to the correct version of software, a CryptoOfficer (Superuser role on the appliance) must log in to the CLI over SSH and execute the following CLI commands: conf t host fipsmode full fips auth delete add p * The above mentioned CLI commands cause the IPS to do the following: Reboot Put the box into FullFIPS mode Perform the FIPS powerup self tests Zeroize the keys Generate new keys Delete the existing user database and add the new default superuser specified in the "fips auth delete" command. Enable monitoring port traffic Enable the TLS and SSH servers Only use cryptographic algorithms allowed by FIPS Perform the conditional FIPS selftests as needed The above steps for the approved mode of operation ensure that the IPS meets the FIPS requirements for doing self tests, does not use the same keys and users in FIPS and non FIPS modes, does not allow output during powerup self tests, uses only FIPSapproved cryptographic algorithms, etc. The IPS should now be operating in a FIPS compliant manner. If needed, the superuser can obtain a new TLS RSA key pair from TippingPoint and install it through LSM to replace the generated RSA key pair. Note that once the module is put into the FIPSapproved mode, it cannot be put back into a nonFIPS mode except by resetting the module to factorydefaults. TippingPoint IPS Non-Proprietary Security Policy Page 19 of 31 CHECKING FIPS MODE: The current FIPS status can be shown with the "show fips" CLI command. In case of powerup or conditional selftest errors, the error can be seen in one or more of the following: Console port. System Logs, which can be seen using LSM GUI options or using "show log sys" CLI command. LSM GUI popup messages. RUNNING POWERUP SELFTESTS: To force the FIPS powerup self tests to be rerun, the user must powercycle or reboot the appliance. ZEROIZING KEYS: To zeroize the keys, a superuser must log in to the CLI over SSH and execute the commands below. The zeroization will happen during the reboot. fips keys delete reboot full REGENERATING KEYS: To regenerate the keys after they have been zeroized, a superuser must log in over the console port and execute the commands below. This can only be done over the console port since the SSH and TLS keys have been deleted. The generation will happen during the reboot. fips keys generate reboot full 4.2. Security Rules The security rules enforced by the TippingPoint IPS appliances include both the security rules that TippingPoint has imposed and the security rules that result from the security requirements of FIPS 1402. 4.2.1 FIPS 1402 Security Rules The following are the security rules derived from the FIPS 1402 requirements when in FullFIPS mode: The TippingPoint IPS appliance supports identitybased operator authentication, access levels, and services as discussed in section 3. The TippingPoint IPS appliance supports CSPs and controls access to them as discussed in section 5. TippingPoint IPS Non-Proprietary Security Policy Page 20 of 31 The TippingPoint IPS appliance has support for changing into FullFIPS mode, zeroizing/generating keys, etc. See section 4.1 for more information. When in FullFIPS mode, only cryptographic algorithms allowed by FIPS are used. See section 5.1 for the list of algorithms. The TippingPoint IPS module performs the following FIPS powerup selftests on every powerup and reboot: o Firmware integrity test for all executable components using checksum. If a check fails, a message is displayed on the console and the IPS halts execution. o Knownanswer selftests for each cryptographic algorithm used by the module i.e. AES (encrypt/decrypt) KATs, TripleDES (encrypt/decrypt) KATs, SHA (SHA1/224/256/384/512) KATs, HMACSHA (SHA 1/224/256/384/512) KATs and RSA (sign/verify) KATs . If a test fails, a message is logged and the IPS reboots. o Knownanswer selftest for the ANSI X9.31 Random Number Generator. If the test fails, a message is logged and the IPS reboots. The software performs the following FIPS conditional tests as needed: o Continuous random number generator tests for the approved ANSI X9.31 RNG and the nonapproved RNG. If a test fails, a message is logged, the current output of the random number generator is ignored, and the software tries the random number generator again. o Software Load Test: When a user attempts to update the software/firmware, verify that the new software file was signed by the TippingPoint software/firmware load private key. If the signature check fails, the software update is aborted with no changes to the existing installed software. This validation is also done on software loads when FIPS mode is disabled. Because of this validation, the IPS meets the requirements for a limited operational environment. o Pairwise consistency test after generating or installing new RSA keys. If the test fails, the new RSA key is ignored and will not be used. There is no data output from the data output interfaces of the IPS during the powerup self tests. With the exception of feedback output of user passwords during their modification over the console port, no private or secret CSPs are ever output from the IPS. This option is disabled by policy as mentioned in the User and CryptoOfficer enforced rules below. All external entry of CSPs is encrypted with the exception of password entry over the console port. The user password is obscured during entry to the module. NonFIPS serviceaccess is not accessible in FIPSapproved mode. This service enabling is disallowed by the module while it is operating in FullFIPS mode. The module does not support a FIPS bypass mode. TippingPoint IPS Non-Proprietary Security Policy Page 21 of 31 In FIPS approved mode, the operator is not allowed to configure the password settings for less than 8 characters. Telnet and HTTP are disabled in FullFIPS mode. The operator should use only FIPS approved cryptographic algorithms with SSH in Full FIPS mode. The operator should use only FIPS approved cryptographic algorithms with TLS 1.0 in Full FIPS mode The IPS uses productiongrade enclosure and components. 4.2.2 TippingPoint Security Rules The following are the security rules that are enforced by TippingPoint when the IPS module is in FullFIPS mode: TippingPoint always uses secure distribution means by making use of trusted thirdparty carriers such as UPS or FedEx for shipping the module to the authorized users. After receiving the module, it must be installed and initiated by a CryptoOfficer by following the procedure specified in the CryptoOfficer Guidance and in the documentation shipped with the module. No module operator has direct access to the internal storage on the IPS where the CSPs and installed software images are stored. If the module is reset to factorydefaults, it must be ensured that the module is using the firmware version specified in this document. If the module has been reset to an earlier version due to factory default action, it must be upgraded to this version. If remote authentication using a TippingPoint SMS Server is used, then only the SMS level 2 security setting should be used for establishing usernames and passwords on the SMS. This is required for meeting FIPS authentication strength requirements while authenticating to the IPS module. The level 2 setting on the SMS requires usernames to be a minimum of 6 characters and passwords to be a minimum of 8 characters, where 2 must be alphabetical, 1 must be numeric, and 1 must be nonalphanumeric. 4.3. CryptoOfficer Guidance The following are the security rules that must be enforced or followed by the Crypto Officer: The CryptoOfficer is responsible for a secure and successful installation, initialization and startup of the module. The CryptoOfficer should follow the directions provided in the documentation guide shipped with the module. The guide details the procedures to do the following: 1) Attach device to a rack TippingPoint IPS Non-Proprietary Security Policy Page 22 of 31 2) Connect the console port of the module to a computer and access the module's terminal. 3) Connect network connection segments to the module. 4) Connect the power. 5) Check the LEDs. 6) Using the console port, follow the prompt in the setup wizard to establish the CryptoOfficer authentication information and to configure the management options of the module. 7) This completes the initial setup configuration. Only the console port should be used for module initialization. The LCD and Keypad should not be used for module initialization and setup since it allows the plaintext display of username and password on the LCD. All physical ports and logical interfaces of the module are allowed for use by the CryptoOfficer. Please refer to the `Ports and Interfaces' section for details. Use the console port only in a secure, controlled environment since the traffic is in plain text. In general, use the CLI over SSH instead of over the console port unless the console port is the only option (e.g. to restore keys after zeroization). Add, delete, modify and manage all user accounts as required. Refer to Table 6 of this document for the services and their inputs and outputs which are allowed in this role. Follow the steps in the section 4.1 for enabling FIPS mode, generating/zeroizing keys, etc. to ensure the IPS operates in a FIPScompliant manner. For CLI commands that take a password such as the password modification and new user addition CLI commands, use the option to be prompted for the password (with the use of a `*' in the command) rather than entering the password as part of the command. This will prevent the password from being visible to the module operator. In the user settings, do not enable RADIUS or TACACS+ authentication support. If remote authentication using a TippingPoint SMS Server is used, then only the SMS level 2 security setting should be used for establishing usernames and passwords on the SMS. This is required for meeting FIPS authentication strength requirements while authenticating to the IPS module. The level 2 setting on the SMS requires usernames to be a minimum of 6 characters and passwords to be a minimum of 8 characters, where 2 must be alphabetical, 1 must be numeric, and 1 must be nonalphanumeric. Keep the IPS in a secure environment and do not attempt to open the enclosure. In the password security settings, do not disable account lockout for repeated login failures or change the lockout period to less than 1 minute. This will ensure that the FIPS password strength requirements are met. If desired, install a new TLS RSA key pair through the LSM GUI after obtaining it from TippingPoint's TMC website. This must only be done using HTTPS. Follow all rules applicable to the CryptoOfficer role as specified in this Security Policy document. TippingPoint IPS Non-Proprietary Security Policy Page 23 of 31 4.4. User Guidance The following are the security rules that must be enforced or followed by the User: All physical ports and logical interfaces of the module are allowed for use by the User role. Please refer to `Ports and Interfaces' section for details. Use the console port only in a secure, controlled environment since the traffic is in plain text. In general, use the CLI over SSH instead of over the console port unless the console port is the only option (e.g. to restore keys after zeroization). For CLI commands that take a password such as the password modification CLI command, use the option to be prompted for the password (with the use of a `*' in the command) rather than entering the password as part of the command. This will prevent the password from being visible to the module operator. If remote authentication using a TippingPoint SMS Server is used, then only the SMS level 2 security setting should be used for establishing usernames and passwords on the SMS. This is required for meeting FIPS authentication strength requirements while authenticating to the IPS module. The level 2 setting on the SMS requires usernames to be a minimum of 6 characters and passwords to be a minimum of 8 characters, where 2 must be alphabetical, 1 must be numeric, and 1 must be nonalphanumeric. Keep the IPS in a secure environment and do not attempt to open the enclosure. Refer to Table 6 of this document for the services and their inputs and outputs which are allowed in this role. Follow all rules applicable to the User role as specified in this Security Policy document. 4.5. Physical Security Rules The TippingPoint IPS appliances satisfy the requirements for FIPS 1402 Level 1 Physical Security. The IPS appliances use productiongrade enclosures and components. The outer enclosure of the module is made of productiongrade steel. The IPS module should be kept in a secure environment and no operator should attempt to open the enclosure. No other specific physical security mechanisms are required. TippingPoint IPS Non-Proprietary Security Policy Page 24 of 31 5. Security Relevant Data Items and Access Control This section specifies the TippingPoint IPS Security Relevant Data Items (SRDIs) as well as the access control policy enforced by the IPS. 5.1. Cryptographic Algorithms When in the approved mode of operation (FullFIPS mode), the IPS module uses the cryptographic algorithms in the table below. Table 8: FIPS Mode Cryptographic Algorithms Algorithm Type Modes/Mod sizes/Options Certificate # FIPS approved Signature Algorithms RSA 2048 bit modulus (Sign/Verify, 1637 Yes Key Gen) Symmetric Algorithms AES 128, 192, 256 bit (ECB, CBC) 3214 Yes TripleDES 3key (ECB, CBC) 1829 Yes Hashing Algorithms SHA Byteoriented. 2662 Yes SHA1,224,256,384,512 HMACSHA Byteoriented. 2027 Yes SHA1,224,256,384,512 (Minimum HMAC key size = 112 bits) Random Number Generators RNG ANSI X9.31: 3key TripleDES 1347 Yes Nonapproved RNG Only used to seed the ANSI N/A No X9.31 RNG; permitted for use in FIPS Approved Mode. Key Establishment/Transport Algorithms DiffieHellman Key 2048bit ; Provides 112 bits of N/A No Agreement (used with security strength ; Allowed for SSH) use in FIPS Approved Mode ; RSA Key Transport 2048 bit ; Provides 112 bits of N/A No (used with TLS) security strength ; Allowed for use in FIPS Approved Mode CVL SP800135 KDFs (SSH, TLS) 438 Yes Note: The KDF (key derivation function) used in each of SSH and TLS protocols was certified by CAVP with CVL Cert. #438. SSH and TLS protocols have not been reviewed or tested by the CMVP or CAVP. Please refer to IG D.11, bullet 2 for more information. TippingPoint IPS Non-Proprietary Security Policy Page 25 of 31 The module generates cryptographic keys whose strengths are modified by available entropy. The encryption strength for each of the following generated keys is at least 112 bits: AES key encrypting key, TLS RSA key pair, SSH RSA key pair, TLS premaster secret, and SSH DiffieHellman private exponent. The IPS supports the following nonFIPS approved cryptographic algorithms: Table 9: NonFIPS Mode Cryptographic Algorithms Algorithm Type/Name FIPSapproved Symmetric Algorithms Blowfish No RC2 No RC4 No DES No Hashing Algorithms MD5 No HMACMD5 No Please note that HMACMD5 and MD5 are allowed in FIPS mode strictly for TLS 1.0. 5.2. Cryptographic Keys, CSPs, and SRDIs While operating in a FIPScompliant manner, the TippingPoint IPS module contains the following security relevant data items: Table 10: SRDI Information Security SRDI Generation/ Relevant Size Storage Output Zeroization Description Entry Data Item Not entered. Generated Ephemeral Seed for using a non Zeroized on : Stored in RNG seed the ANSI 8 bytes approved No reboot or RAM X9.31 RNG RNG on power cycle. every reboot 3key Not entered. TripleDES 3 keys Generated Ephemeral Zeroized on RNG seed seed key of 8 using a non : Stored in No reboot or key for the bytes approved RAM power cycle. ANSI X9.31 each RNG on RNG every TippingPoint IPS Non-Proprietary Security Policy Page 26 of 31 reboot Not generated. RSA public Entered key used to Persistent: It is a public encrypted Software verify Stored in key so no 2048 with TLS load test software plain text No need to bits session key key upgrade, on internal zeroize. during uses SHA storage. software 256 package install Not No (The generated. option of Entered by Persistent: specifying the user Hashed the password Stored in encrypted using as part of hashed form User 832 Password with session SHA256 some CLI so no need password chars key (TLS or and stored commands is to zeroize. SSH) or in on internal disallowed clear text storage. by module (console policy ­ port). Section 4.2) Persistent: Zeroized AES Stored in when going symmetric Not entered. plaintext in into FullFIPS key used to Generated Key physically mode, on encrypt all using ANSI encrypting 128 bits erasable No deleting fips private X9.31 RNG key part of keys, or on keys stored during key internal reset to on internal generation. storage. factory storage defaults. Generated using ANSI X9.31 RNG Public key is Persistent: during key output to its Encrypted Stored in generation. peer as part RSA public with the encrypted A superuser of TLS and private key form so no TLS RSA 2048 or admin negotiation. keys used encrypting need to key pair bits user can Private key is for TLS, use key and zeroize. install a new never SHA256 stored on official key output. internal pair storage. encrypted with the TLS session key. TLS Pre Shared May enter Ephemeral May be Zeroized on 48 bytes Master secret encrypted : Stored in output reboot or TippingPoint IPS Non-Proprietary Security Policy Page 27 of 31 Secret exchanged with the RAM encrypted power cycle. using RSA module's with the Key RSA public peer's RSA Transport key when public key and used the module when the to derive acts as a TLS module acts the Master Server. If the as a TLS Secret module acts Client. It is as a TLS never output Client, it is if the module generated acts as a TLS using ANSI Server. X9.31 RNG. Not entered. Master Computed Secret used as part of to derive TLS the negotiation TLS encryption Ephemeral Zeroized on according to master and MAC 48 bytes : Stored in No reboot or TLS 1.0 secret keys for RAM power cycle. standard both ends using the of an TLS premaster session secret and nonces. AES/Triple AES: Not entered. DES 128, Derived Ephemeral TLS symmetric 192, or Zeroized on from master : Stored in encryption key for TLS 256 bits; No reboot or secret as RAM key encryption Triple power cycle. part of TLS in one DES: negotiation. direction 168 bits Not entered. MAC key Derived Ephemeral TLS for Zeroized on from master : Stored in integrity integrity in 160 bits No reboot or secret as RAM key one power cycle. part of TLS direction negotiation. Module's Public value private Public is output to exponent is value and its peer as SSH Diffie generated private Ephemeral part of SSH Zeroized on Hellman during SSH exponent 2048bit : Stored in negotiation. reboot or Exchange negotiation used for RAM Private power cycle. Values using ANSI SSH DH Key exponent is X9.31 RNG. Exchange never The public output. value is TippingPoint IPS Non-Proprietary Security Policy Page 28 of 31 derived from the private exponent and the DH group. The peer's DH public value enters the module according to SSH Standard. The shared secret Not entered. established Derived by SSH DH using SSH the module Ephemeral Zeroized on No Shared DH 2048bit during SSH : Stored in reboot or Secret exchange negotiation RAM power cycle. according using DH to the SSH parameters. Standard Persistent: Public key is Encrypted output to its Not entered. Stored in with the peer as part Generated encrypted key of SSH SSH RSA RSA key 2048 using ANSI form so no encrypting negotiation. key pair pair bits X9.31 RNG need to key and Private key is during key zeroize. stored on not output. generation. internal storage. AES/Triple AES: DES 128, SSH Not entered. symmetric 192, or Ephemeral Zeroized on session Derived key for SSH 256 bits; : Stored in No reboot or encryption during SSH encryption Triple RAM power cycle. key negotiation. in one DES: direction 168 bits MAC key 160, Not entered. SSH for Ephemeral Zeroized on 256, Derived integrity integrity in : Stored in No reboot or 384, or during SSH key one RAM power cycle. 512 bits negotiation. direction TippingPoint IPS Non-Proprietary Security Policy Page 29 of 31 5.3. Access Control Policy The IPS allows controlled access to the SRDIs contained within it. The following table defines the access that the IPS services have to the SRDIs (i.e. R=read, W=write, Z=zeroize, D=delete). If no access is listed, the service does not use that SRDI. Table 11: Access Control Policy master secret, encryption SSH DH exchange values, DH shared secret, session RNG seed and seed key TLS premaster secret, Software load test key key, and integrity key encryption key, and Key encrypting key SSH RSA key pair TLS RSA key pair User passwords Service integrity key Enable FullFIPS mode WZ WD RWZ W Z W RZ View FIPS status R R Configure own password W R R Configure any user's password W R R and access level Configure password restrictions R R and account lockout settings Zeroize keys WZ Z D Z D RZ Generate new keys WZ RWZ W Z W RZ Install new TLS RSA key pair R RW R Reboot WZ RZ RZ Install new firmware/software WZ RW RZ Z Do FIPS powerup selftests Login to CLI R R R RW Login to LSM R R R RW Configure nonFIPS related R R admin level settings TippingPoint IPS Non-Proprietary Security Policy Page 30 of 31 Configure nonFIPS related R R superuser level settings View nonFIPS related R R configuration View nonFIPS related status R R Intrusion prevention functionality on the monitoring ports. 6. Mitigation of Other Attacks The cryptographic module does not claim to mitigate any other attacks in a FIPS approved mode of operation. TippingPoint IPS Non-Proprietary Security Policy Page 31 of 31