HEWLETT-PACKARD TIPPINGPOINT

FIPS 140-2 NON-PROPRIETARY SECURITY POLICY

HP TippingPoint Intrusion Prevention System

Hardware Versions: S10, S110, S330, S660N, S1400N, S2500N, S5100N
Firmware Versions: 3.1.4.1427, 3.2.0.1530

Document Version: 1.4

HP TippingPoint IPS Non-Proprietary Security Policy Page 1 of 32

Contents

1. Introduction ... 4
  1.1. Purpose ... 4
  1.2 References ... 4
  1.3 Definitions and Acronyms ... 4
2. Module Specifications ... 6
  2.1 Overview ... 6
  2.2 Security Level ... 6
  2.3 Physical Characteristics ... 7
  2.4 Cryptographic Boundary ... 9
  2.5 Excluded Components ... 9
  2.6 Ports and Interfaces ... 10
  2.7 Modes of Operation ... 11
3. Roles, Services, and Authentication ... 12
  3.1. Authentication Mechanisms and Strength ... 12
  3.2. Roles ... 14
  3.3. Module Services ... 15
  3.4. Unauthenticated Services ... 18
4. Secure Operation and Security Rules ... 20
  4.1. Secure Operation ... 20
  4.2. Security Rules ... 22
  4.3. Crypto-Officer Guidance ... 24
  4.4. User Guidance ... 25
  4.5. Physical Security Rules ... 25
5. Security Relevant Data Items and Access Control ... 27
  5.1. Cryptographic Algorithms ... 27
  5.2. Cryptographic Keys, CSPs, and SRDIs ... 28
  5.3. Access Control Policy ... 31
6. Mitigation of Other Attacks ... 32

List of Figures

Figure 1: TippingPoint IPS Deployment in a Network ... 6
Figure 2: TippingPoint S10 ... 7
Figure 3: TippingPoint S110/S330 ... 7
Figure 4: TippingPoint S660N/S1400N ... 8
Figure 5: TippingPoint S2500N/S5100N ... 8

List of Tables

Table 1: Definitions and Acronyms ... 4
Table 2: Module Security Level Specification ... 6
Table 3: Hardware Comparison ... 9
Table 4: FIPS 140-2 Interfaces and the Corresponding Module’s Physical Ports ... 11
Table 5: Roles and Descriptions ... 14
Table 6: Module Services ... 15
Table 7: Unauthenticated Services ... 18
Table 8: FIPS Mode Cryptographic Algorithms ... 27
Table 9: Non-FIPS Mode Cryptographic Algorithms ... 28
Table 10: SRDI Information ... 28
Table 11: Access Control Policy ... 31
1. Introduction

This document is a non-proprietary Cryptographic Module Security Policy for the HP TippingPoint Intrusion Prevention System (IPS) models S10, S110, S330, S660N, S1400N, S2500N, and S5100N. The S660N, S1400N, S2500N, and S5100N IPS models should be operated with the 3.2.0.1530 Firmware version and the S10, S110, and S330 IPS models should be operated with the 3.1.4.1427 Firmware version. This Security Policy may freely be reproduced and distributed in its entirety (without modification).

Federal Information Processing Standards (FIPS) 140-2, Security Requirements for Cryptographic Modules, specifies the U.S. and Canadian Governments’ requirements for cryptographic modules. The following pages describe how HP TippingPoint’s IPS meets these requirements and how to use the IPS in a mode of operation compliant with FIPS 140-2. This policy was prepared as part of the Overall Level 1 FIPS 140-2 validation of the HP TippingPoint Intrusion Prevention System.

More information about FIPS 140-2 and the Cryptographic Module Validation Program (CMVP) is available at the website of the National Institute of Standards and Technology (NIST): http://csrc.nist.gov/groups/STM/cmvp/index.html.

In this document, the HP TippingPoint Intrusion Prevention System is referred to as the IPS, the module, or the device.

1.1. Purpose

This document covers the secure operation of the TippingPoint IPS appliances, including the initialization, roles, and responsibilities of operating the product in a secure, FIPS-compliant manner.

1.2 References

This Security Policy deals specifically with the operation and implementation of the module in the technical terms of the FIPS 140-2 standard. Additional information on the module can be found on the HP TippingPoint website.

1.3 Definitions and Acronyms

This Security Policy uses the following definitions and acronyms.
Table 1: Definitions and Acronyms

Term/Acronym | Description
AES | Advanced Encryption Standard
CF | Compact Flash
CLI | Command Line Interface
CSP | Critical Security Parameter
DES | Data Encryption Standard
DH | Diffie Hellman
DRNG | Deterministic Random Number Generator
FIPS | Federal Information Processing Standard
GbE | Gigabit Ethernet
GUI | Graphical User Interface
HMAC | Hash-based Message Authentication Code
HTTP | Hypertext Transfer Protocol
HTTPS | Hypertext Transfer Protocol Secure
IPS | Intrusion Prevention System
LCD | Liquid Crystal Display
LSM | Local Security Manager
MD5 | Message Digest 5
RNG | Random Number Generator
RSA | Public Key encryption developed by RSA Data Security, Inc. (Rivest, Shamir and Adleman)
SFP | Small Form-Factor Pluggable
SHA | Secure Hash Algorithm
SMS | Security Management System
SRDI | Security Relevant Data Item
SSH | Secure Shell
SSL | Secure Sockets Layer
TDES | Triple Data Encryption Standard
TLS | Transport Layer Security
TP | TippingPoint
XFP | 10 Gigabit Small Form Factor Pluggable
ZPHA | Zero Power High Availability. ZPHA is a mechanism which allows IPS network traffic intended for the ZPHA module’s monitoring ports to continue to flow when it loses power.

2. Module Specifications

2.1 Overview

The HP TippingPoint IPS operates in-line in the network, blocking malicious and unwanted traffic, while allowing good traffic to pass unimpeded. In fact, the module optimizes the performance of good traffic by continually cleansing the network and prioritizing applications that are mission critical.

[Figure 1: TippingPoint IPS Deployment in a Network]

The HP TippingPoint IPS is deployed seamlessly into the network and immediately begins filtering out malicious and unwanted traffic. Its switch-like performance characteristics allow it to be placed in-line at the perimeter, on internal network segments, at the core, and at remote site locations.
These powerful enforcement points can be centrally controlled to institute and enforce business-wide security policies, allowing the TippingPoint IPS to see all network traffic and protect against external as well as internal attacks. HP TippingPoint solutions decrease IT security cost by eliminating ad-hoc patching and alert response, while simultaneously increasing IT productivity and profitability through bandwidth savings and protection of critical applications.

2.2 Security Level

When operated in the FIPS approved mode of operation (denoted ‘Full-FIPS’ mode on the appliance), the HP TippingPoint IPS Cryptographic module meets the overall requirements applicable to Level 1 security of FIPS 140-2.

Table 2: Module Security Level Specification

Security Requirements Section | Level
Cryptographic Module Specification | 1
Cryptographic Module Ports and Interfaces | 1
Roles, Services and Authentication | 3
Finite State Model | 1
Physical Security | 1
Operational Environment | N/A
Cryptographic Key Management | 1
EMI/EMC | 1
Self Tests | 1
Design Assurance | 2
Mitigation of Other Attacks | N/A

2.3 Physical Characteristics

From a FIPS 140-2 perspective, each TippingPoint IPS model is considered to be a multiple-chip standalone hardware module using production-grade components contained within an opaque, hard enclosure made of production-grade steel. The S660N, S1400N, S2500N, and S5100N IPS models should be operated with the 3.2.0.1530 Firmware version and the S10, S110, and S330 IPS models should be operated with the 3.1.4.1427 Firmware version. The IPS module only allows the installation of new firmware signed by a TippingPoint private key, so it has a limited operational environment.

The IPS module is available in the following physical configurations:

1. S10
2. S110 and S330 (same physical configuration)
3. S660N and S1400N (same physical configuration)
4. S2500N and S5100N (same physical configuration)

The different module configurations are shown in the pictures below:

[Figure 2: TippingPoint S10]

[Figure 3: TippingPoint S110/S330]

[Figure 4: TippingPoint S660N/S1400N]

[Figure 5: TippingPoint S2500N/S5100N]

The major differences between the different module configurations are listed in the table below:

Table 3: Hardware Comparison

IPS Model | Dimension (H*W*D) (inches) | Inspection Throughput | Removable components (excluded) | Monitoring Ports | Management Interfaces
S10 | 2.01*10.63*7.32 (1U rack-mountable) | 20Mbps | N/A | 2 segments (4 ports) RJ-45 10/100/1000 Ethernet (Copper) | 1 10/100/1000 GbE Copper port, 1 RJ-45 Console port
S110, S330 | 1.74*16.75*18.25 (1U rack-mountable) | 110Mbps, 300Mbps | Fans | 4 segments (8 ports) RJ-45 10/100/1000 Ethernet (Copper) | 1 10/100/1000 GbE Copper port, 1 RJ-45 Console port
S660N, S1400N | 3.42*16.8*24 (2U rack-mountable) | 750Mbps, 1.5Gbps | Fans, power supplies, external CF | 5 segments (10 ports) RJ-45 10/100/1000 Ethernet (Copper); 5 segments (10 ports) 1GbE SFP | 1 10/100/1000 GbE Copper port, 1 RJ-45 Console port, 1 LCD and Keypad
S2500N, S5100N | 3.42*16.8*24 (2U rack-mountable) | 3Gbps, 5Gbps | Fans, power supplies, external CF, SFP and XFP transceivers, and ZPHA module inserted in the ZPHA connector | 5 segments (10 ports) RJ-45 10/100/1000 Ethernet (Copper); 5 segments (10 ports) 1GbE SFP; 1 segment (2 ports) 10GbE XFP port | 1 10/100/1000 GbE Copper port, 1 RJ-45 Console port, 1 LCD and Keypad

2.4 Cryptographic Boundary

The cryptographic boundary of the module is the module’s external hard-metal enclosure that forms the physical perimeter of the module. The cryptographic boundary includes all components within the hard metal enclosure of the module.

2.5 Excluded Components

The following module components are excluded from FIPS 140-2 requirements:

1. Monitoring Ports: The module may have different types of monitoring ports (i.e. Copper, SFP, or XFP) depending on the module configuration used. Each of the above physical configurations of the module has 2 ports per segment, which are used for the IPS functionality. One of the ports in a segment is typically used for the internal protected network while the other port is used for the external unprotected network. These ports are used only for the network data that is monitored for intrusion prevention services, and these ports are not associated with any cryptographic processes, keys or CSPs. The monitoring ports can never input or output any cryptographic keys, CSPs, or any FIPS-relevant data. Thus, these ports cannot affect the security of the module and are excluded from FIPS 140-2 security requirements.

2. ZPHA Connector Port: The module configurations S2500N and S5100N have a ZPHA connector port which can be used to support an optional ZPHA Module. The ZPHA connector can accommodate only one ZPHA module at a time. These ZPHA modules have monitoring ports which can be connected to external networks and to the IPS module’s monitoring ports using external network cables. This enables the module to support the Zero Power High Availability (ZPHA) mechanism, which allows IPS network traffic to continue to flow when the box loses power. The ZPHA connector and the ports supported by the ZPHA modules are not associated with any management data, cryptographic services, keys or CSPs. The ZPHA connector can never compromise the IPS module’s security and is excluded from FIPS 140-2 security requirements.

2.6 Ports and Interfaces

Each IPS model provides a management port and a console port, which carry all of the module’s cryptographic data, keys and CSPs. The external compact flash port is only available in the S660N, S1400N, S2500N and S5100N.
COMPACT FLASH PORT: The module configurations S660N, S1400N, S2500N and S5100N have an external compact flash port located on the front side of the module. The compact flash can be used only to store logs and other system data. No cryptographic keys, CSPs, or security-relevant management data can ever be input or output using this external compact flash.

USB PORT: The S10, S110 and S330 module configurations each support two USB ports, which can be used in the non-approved mode to update the software or configuration from an externally connected USB drive. These module configurations do not accept any software updates over the USB port in FIPS-approved mode (Full FIPS mode). Thus, the USB port is considered unused in these configurations for FIPS purposes. The module configurations S660N, S1400N, S2500N and S5100N have only one USB port, which is labeled “ZPHA” on the front side of the module body. This port is only used to provide power to an external ZPHA appliance. There is no other use of this port and it is not associated with any cryptography, keys, CSPs or security-relevant data.

The following table indicates the mapping of the module’s physical ports to the FIPS 140-2 logical interfaces.

Table 4: FIPS 140-2 Interfaces and the Corresponding Module’s Physical Ports

FIPS 140-2 Logical Interface | Module’s Physical Port
Data Input | Ethernet Management Port; RJ-45 Console Port; Compact Flash Port
Data Output | Ethernet Management Port; RJ-45 Console Port; Compact Flash Port
Control Input | Ethernet Management Port; RJ-45 Console Port; Power/Reset Button/Switch; LCD Keypad
Status Output | Ethernet Management Port; RJ-45 Console Port; LCD Screen; LEDs; Compact Flash Port
Power Interface | Power Port; USB Port

2.7 Modes of Operation

The module can be operated in a FIPS-approved mode or in a non-FIPS mode. The module supports 3 modes of operation: Disable, Crypto, and Full.
Only the ‘Full’ FIPS mode on the module is considered the FIPS Approved mode of operation. The ‘Disable’ mode and the ‘Crypto’ mode on the module are considered non-FIPS modes of operation. The cryptographic algorithms allowed by the module in the Approved Full-FIPS mode of operation are indicated in Table 8 of this document. The Cryptographic Keys, CSPs, and SRDIs of the module in an Approved mode of operation are described in Table 10 of this document. The rules and procedures followed and enforced by the module in the Approved mode of operation are described in Section 4 of this document.

3. Roles, Services, and Authentication

3.1. Authentication Mechanisms and Strength

An operator can authenticate and access the module in any one of the following ways:

• CLI over Console Port
• CLI via SSH over Management Port
• CLI via Telnet over Management Port
• LSM (HTTP or HTTPS) over Management Port. LSM stands for the Local Security Manager, which offers a Web-based GUI for managing one IPS device. LSM provides a graphical display for reviewing, searching, and modifying settings. The GUI interface also provides reports to monitor the device traffic, triggered filters, and packet statistics. HTTP is disabled in FIPS mode and HTTPS provides SSL protection.
• Using the TippingPoint SMS Client GUI via SSL over Management Port for allowing management of the IPS module by the SMS. SMS stands for the Security Management System, which is a central management point for managing different TippingPoint appliances, monitoring events and scheduling reports. A single SMS can be used to monitor and manage multiple IPS devices. This authentication is required for enabling the SMS management.
• Using a TippingPoint SMS as a remote authentication server. This is possible only when the IPS is already being managed by an SMS. Remote authentication can only be used with CLI and LSM. The remote authentication data is always protected by SSL.

Telnet and HTTP are disabled by default and cannot be enabled while in Full FIPS mode. SSH and HTTPS must be used instead.

The TippingPoint IPS supports password authentication for all users. A user must specify a name and password when authenticating to the IPS through LSM, through the CLI, using the SMS Client, or using an SMS as a remote authentication server.

AUTHENTICATION STRENGTH: When authenticating through the CLI, through LSM, or using the SMS client to an IPS in Full FIPS mode with remote authentication disabled, the IPS enforces the user name and password restrictions. The IPS requires usernames with a minimum of 6 characters and passwords with a minimum of 8 characters. In the default configuration, there is no restriction on what characters can be in the password. Thus, there are 95^8 (i.e. 6.6*10^15) possible passwords of the minimum length from the set of all displayable ASCII characters including space. The odds of randomly guessing a password of the minimum length would thus be 1 in 6.6*10^15, which is much less than 1 in 1,000,000. Thus, it meets the FIPS requirement.

The IPS has a password configuration option that requires passwords to have at least 2 letters (i.e. 52 possible for each), 1 number (i.e. 10 possible), and 1 non-alphanumeric character (i.e. 95-52-10=33 possible). This would reduce the number of possible passwords from the default settings. Assuming a minimum password length and fixed positions (but not values) for the restrictive character classes, the number of possible passwords is 52*52*10*33*(95^4) = 7.3*10^13. The odds of randomly guessing a password would thus be 1 in 7.3*10^13, which is much less than 1 in 1,000,000. Since the positions of the required character classes are not fixed, the number of possible passwords of the minimum length is larger. Thus the actual odds are even lower.
When authenticating through the CLI or through LSM to an IPS in Full FIPS mode with remote authentication enabled, the SMS by default enforces the user name and password restrictions. For maintaining FIPS compliance while using remote authentication with an IPS in Full FIPS mode, the SMS must be configured to use the highest setting (i.e. level 2) for users and passwords. The SMS level 2 setting requires a minimum of 6 character usernames. This setting also requires a minimum of 8 character passwords with no spaces, where 2 must be letters (i.e. 52 possible for each), 1 must be numeric (i.e. 10 possible), and 1 must be non-alphanumeric (i.e. 94-52-10=32 possible). Assuming a minimum password length and fixed positions (but not values) for the restrictive character classes, the number of possible passwords is 52*52*10*32*(94^4) = 6.7*10^13. The odds of randomly guessing a password would thus be 1 in 6.7*10^13, which is much less than 1 in 1,000,000. Since the positions of the required character classes are not fixed, the number of possible passwords of the minimum length is larger. Thus the actual odds are even lower.

When authenticating through the CLI or through LSM to an IPS in Full FIPS mode with remote authentication disabled, the IPS enforces the number of unsuccessful login attempts allowed within a given period. In the default configuration, a user account is locked for 5 minutes after 5 failed login attempts for that user. Thus the odds of randomly guessing a password with retries within one minute are 5 times the odds discussed above (i.e. 1 in 7.3*10^13 in the largest odds case) for IPS enforcement, resulting in odds of about 1 in 1.4*10^13, which is much less than 1 in 100,000 and thus meets the FIPS requirement. The maximum number of retries can be configured up to 10, which would result in 10 times the odds discussed above, i.e. odds of about 1 in 7.3*10^12, which is still much less than 1 in 100,000.
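The password-space and retry arithmetic in this section is mechanical enough to be checked programmatically. The following Python script is an added example written for this page; it is not part of HP TippingPoint's security policy or firmware. It reproduces the three password spaces discussed above (IPS default, IPS character-class option, SMS level 2) using the document's lower-bound model in which each mandated character class occupies a fixed position, applies the 5- and 10-retry lockout budget, and also applies the saturated 1 Gbps link bound (14 bytes per attempt) that the section uses for SMS-client and remote-authentication logins, comparing each result with the FIPS 140-2 thresholds of 1 in 1,000,000 per attempt and 1 in 100,000 per minute. The policy names, the `meets_policy` checker for the character-class rule, and the sample passwords are constructed for the example and are not identifiers from the appliance.

```python
"""Added example: FIPS 140-2 authentication-strength arithmetic for the
password policies described in Section 3.1, plus a checker for the
character-class rule. Not part of the TippingPoint security policy or
firmware; policy names and sample passwords below are constructed."""
from fractions import Fraction

PRINTABLE_ASCII = 95          # displayable ASCII characters including space
NO_SPACE_ASCII = 94           # same set with space excluded (SMS level 2)
LETTERS, DIGITS = 52, 10      # upper + lower case letters, decimal digits

# FIPS 140-2 thresholds the document argues against.
FIPS_SINGLE_ATTEMPT = Fraction(1, 1_000_000)   # one random attempt
FIPS_PER_MINUTE = Fraction(1, 100_000)         # all attempts within one minute

# Each policy: alphabet size and the sizes of the mandated character classes,
# one entry per required character (2 letters, 1 digit, 1 non-alphanumeric).
POLICIES = {
    "ips-default":    dict(alphabet=PRINTABLE_ASCII, required=()),
    "ips-restricted": dict(alphabet=PRINTABLE_ASCII,
                           required=(LETTERS, LETTERS, DIGITS,
                                     PRINTABLE_ASCII - LETTERS - DIGITS)),   # 33
    "sms-level2":     dict(alphabet=NO_SPACE_ASCII,
                           required=(LETTERS, LETTERS, DIGITS,
                                     NO_SPACE_ASCII - LETTERS - DIGITS)),    # 32
}


def password_space(alphabet, required=(), min_len=8):
    """Lower bound on minimum-length passwords: the document's model places each
    mandated class at a fixed position and lets every other position range over
    the full alphabet. Real policies allow any positions, so the true count is larger."""
    if len(required) > min_len:
        raise ValueError("more mandated classes than password positions")
    space = 1
    for class_size in required:
        space *= class_size
    return space * alphabet ** (min_len - len(required))


def guess_odds(space, attempts=1):
    """Probability that `attempts` distinct random guesses include the password."""
    return Fraction(attempts, space)


def logins_per_minute(link_bits_per_sec=10**9, login_bytes=14):
    """Upper bound on login attempts per minute if every byte on the link carried
    the 6-byte username + 8-byte password of a fresh attempt (no protocol overhead)."""
    bytes_per_minute = link_bits_per_sec // 8 * 60
    return bytes_per_minute // login_bytes


def strength_report(policy, lockout_attempts=5):
    """Odds for one attempt, for the lockout budget, and for a saturated 1 Gbps link,
    each paired with whether it satisfies the relevant FIPS 140-2 threshold."""
    space = password_space(**POLICIES[policy])
    single = guess_odds(space)
    lockout = guess_odds(space, lockout_attempts)
    wire = guess_odds(space, logins_per_minute())
    return {
        "space": space,
        "single": (single, single < FIPS_SINGLE_ATTEMPT),
        "lockout": (lockout, lockout < FIPS_PER_MINUTE),
        "wire": (wire, wire < FIPS_PER_MINUTE),
    }


def meets_policy(password, min_len=8, letters=2, digits=1, specials=1, allow_space=True):
    """Check a candidate password against the character-class rule as described for
    the IPS option (spaces allowed) and for SMS level 2 (allow_space=False)."""
    if len(password) < min_len:
        return False
    if not all(32 <= ord(c) <= 126 for c in password):   # displayable ASCII only
        return False
    if not allow_space and " " in password:
        return False
    n_letters = sum(c.isalpha() for c in password)
    n_digits = sum(c.isdigit() for c in password)
    n_specials = sum(not c.isalnum() for c in password)  # space counts when allowed
    return n_letters >= letters and n_digits >= digits and n_specials >= specials


if __name__ == "__main__":
    for name in POLICIES:
        rep = strength_report(name)
        print(f"{name}: {rep['space']:.2e} minimum-length passwords")
        for label in ("single", "lockout", "wire"):
            odds, ok = rep[label]
            print(f"  {label:8s} 1 in {int(1 / odds):,}  {'OK' if ok else 'FAIL'}")
```

Running the script prints, for each policy, the three odds the section derives (about 1 in 1.4*10^13 for the five-attempt lockout and about 1 in 135,000 on a saturated link for the IPS character-class option), so a reviewer can see that the weakest case still clears the 1 in 100,000 per-minute requirement with a margin of only about 35 percent.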
To maintain FIPS compliance, the user must not disable the configuration for account lockout on login failure or configure the lockout time to less than 1 minute.

When authenticating to an IPS in Full FIPS mode using the SMS client, or through the CLI or LSM with remote authentication enabled, the fastest transfer speed is 1 Gbps over the management port. 1 Gbps corresponds to 7.5*10^9 bytes/min. For any of these scenarios, both the user name and password are sent on each login attempt. The minimum for this will be 14 bytes (6 character username plus 8 character password). Thus the maximum logins per minute would be 7.5*10^9 / 14 = 5.4*10^8 logins/min. The odds for a successful login on repeated tries within a minute would thus be 5.4*10^8 times the odds for one login. When the IPS is enforcing the password restrictions (i.e. using the largest odds case of 1 in 7.3*10^13), the resulting retry odds are about 1 in 135,000, which is less than 1 in 100,000 as required by FIPS. When SMS is enforcing the password restrictions (i.e. using odds of 1 in 6.7*10^13), the resulting retry odds are about 1 in 120,000, which also meets the FIPS requirement. Note that the actual odds for these scenarios are even lower, because the actual odds on one attempt are lower than the estimates (see above) and because the overhead for sending the login information is not included in the estimates.

3.2. Roles

For each of the above access methods, the TippingPoint IPS supports identity-based authentication, where each user has a Username and Password. An access level is associated with each user. There are 3 user access levels, and their corresponding FIPS roles are shown in the table below. A user who sets up and performs the first-time initialization of the module is implicitly assigned a Super-User Crypto-Officer role.
Table 5: Roles and Descriptions

User Access Level | Type of Authentication | Authentication Data | FIPS Role | Description
Operator | Identity-based | Username and Password | User | Can login to the CLI and LSM but primarily has read-only access to the configuration settings. The only CSP an operator can modify is his own password.
Administrator | Identity-based | Username and Password | Crypto-Officer | Can login to the CLI and LSM and modify some configuration settings. An administrator can modify his own password, can load a new TLS RSA key pair over SSL, and can perform software upgrades to the module.
Super-User | Identity-based | Username and Password | Crypto-Officer | Can login to the CLI and LSM and modify all configuration settings. Only a Super-User can login to the SMS to manage multiple IPS modules. Only a super-user can add and delete users and modify any user’s password and access level. Also, only a super-user can configure the box for FIPS mode and do all key management.

The IPS module does not have support for a maintenance role. The IPS module does not support bypass mode.

Concurrent Operators

The module allows up to 10 concurrently authenticated operators and rejects any additional authentication requests. In addition, at least one Super-User must remain in the module, so the module does not allow the deletion of the last Super-User (Crypto-Officer).

3.3. Module Services

The table below shows the services provided by the IPS and the access level required to perform them.

Table 6: Module Services

Service | Operator | Administrator | Super User | Service Input | Service Output | Notes
Enable/disable Full-FIPS mode | | | Y | None | None |
View FIPS status | Y | Y | Y | None | FIPS status, current authenticated user information, logs. |
Configure own password | Y | Y | Y | Username and Password | None |
Configure any user’s password and access level | | | Y | Username and password | None |
Configure password restrictions and other user account settings for all users | | Y | Y | New value of the setting option. | None |
Zeroize keys | | | Y | None | None | Done by “fips keys delete” CLI command which requires reboot. The ephemeral keys are also always zeroized on a reboot (see reboot service below).
Generate new keys | | | Y | None | None | Done by “fips keys generate” CLI command which requires reboot (see reboot service below). Some keys (e.g. RNG seed and seed keys) are also regenerated on a reboot. The ephemeral TLS/SSH keys are generated during TLS/SSH session negotiation (see login services below).
Install new TLS RSA key pair | | Y | Y | New TLS RSA Key Pair encrypted with TLS session key | None |
Reboot | | Y | Y | None | None | Can also be done unauthenticated using the power/reset button or power cycling the box.
Install or update new software | | Y | Y | Software package signed by TippingPoint, TLS parameters, input and data | None if it succeeds and error message if it fails. |
Perform FIPS power-up self-tests | | | | None | None if all tests pass. If any test fails, log message is generated and module reboots. | Done automatically during initialization after reset or power cycle.
Login to CLI | Y | Y | Y | Username and password, SSH parameters, input and data (when using SSH) | CLI prompt if successful and login prompt if unsuccessful |
Login to LSM | Y | Y | Y | Username and password, TLS parameters, input and data (when using HTTPS) | LSM homepage if successful and login prompt if unsuccessful |
Login via SMS Client GUI for enabling central management | | | Y | Username and password, TLS parameters, input and data | System summary if successful and login prompt if unsuccessful |
Remote authentication using SMS | Y | Y | Y | Username and Password, TLS parameters, input and data | CLI prompt or LSM homepage, depending on the method used | Possible only if SMS is already managing the IPS.
Configure non-FIPS related admin level settings | | Y | Y | Corresponding setting values | None |
Configure non-FIPS related super-user level settings | | | Y | Corresponding setting values | None |
View non-FIPS related configuration | Y | Y | Y | None | Non-FIPS related configuration information |
View non-FIPS related status | Y | Y | Y | None | Non-FIPS related status |
Intrusion prevention functionality on the monitoring ports | | | | None | None | Done automatically based on the non-FIPS related configuration.

3.4. Unauthenticated Services

The IPS modules allow the following unauthenticated services:

Table 7: Unauthenticated Services

Service | Procedure | Service Inputs | Service Outputs
Power-off, halt or reboot the module | Using the power switch, power cycling the module, or using LCD and keypad (only in S660N, S1400N, S2500N, S5100N) | None | None
Perform power-up self-tests | Reboot the module | None | None
Zeroize and generate ephemeral keys and CSPs | Reboot the module | None | None
Show non-FIPS related information | Using LCD and keypad (only in S660N, S1400N, S2500N, S5100N) | None | Non-FIPS related information such as device temperature, serial number, current memory usage, etc. No key or CSP information is output by this service.
Configure non-FIPS related settings such as LCD backlight and contrast | Using LCD and keypad (only in S660N, S1400N, S2500N, S5100N) | None | None
Insert or Eject external compact flash | Using LCD and keypad or using eject switch (only in S660N, S1400N, S2500N, S5100N) | None | None
SNMP | Module automatically sends alert notifications if SNMP has been configured | None | Non-FIPS relevant data such as alerts, IPS network statistics. No key or CSP information is output by SNMP.

4. Secure Operation and Security Rules

This section describes the rules enforced in the module when operated in the FIPS approved mode (Full-FIPS mode) and all FIPS-related actions or procedures permitted on the module. In order to operate the TippingPoint IPS securely, the user should be aware of the security rules enforced by the module and should adhere to the physical security rules and secure operation rules and procedures.

4.1. Secure Operation

ENABLING APPROVED MODE OF OPERATION: To operate in a FIPS-compliant manner, an IPS module must be placed in the approved mode of operation (called ‘Full-FIPS’ mode on the appliance) by using the following procedure:

• Ensure that the S660N, S1400N, S2500N, and S5100N IPS models are updated to the 3.2.0.1530 software release and the S10, S110, and S330 IPS models are updated to the 3.1.4.1427 software release.
• After updating to the correct version of software, a Crypto-Officer (Super-user role on the appliance) must log in to the CLI over SSH and execute the following CLI commands:

    conf t host fips-mode full
    fips auth delete -add -p *

• Additionally, on the IPS models S10, S110 and S330, the BIOS password must be set using the following procedure:
  o Enter the device BIOS when the module reboots.
  o Enter the existing BIOS password.
  o Modify the password to a new compliant password.
  o Save the settings and reboot.
These CLI commands cause the IPS to do the following:

• Reboot
• Put the appliance into Full-FIPS mode
• Perform the FIPS power-up self-tests
• Zeroize the keys
• Generate new keys
• Delete the existing user database and add the new default super-user specified in the "fips auth delete" command
• Enable monitoring port traffic
• Enable the SSL and SSH servers
• Use only cryptographic algorithms allowed by FIPS
• Perform the conditional FIPS self-tests as needed

These steps ensure that the IPS meets the FIPS requirements: it performs the self-tests, does not share keys or user accounts between FIPS and non-FIPS modes, produces no output during the power-up self-tests, and uses only FIPS-approved cryptographic algorithms. The IPS should now be operating in a FIPS-compliant manner. If needed, the super-user can obtain a new TLS RSA key pair from TippingPoint and install it through the LSM to replace the generated RSA key pair.

CHECKING FIPS MODE:

The current FIPS status is shown by the "show fips" CLI command. Power-up or conditional self-test errors are reported in one or more of the following places:

• The console port.
• The system logs, which can be viewed through the LSM GUI or with the "show log sys" CLI command.
• LSM GUI pop-up messages.

RUNNING POWER-UP SELF-TESTS:

To force the FIPS power-up self-tests to run again, power-cycle or reboot the appliance.

ZEROIZING KEYS:

To zeroize the keys, a super-user must log in to the CLI over SSH and execute the commands below. Zeroization takes place during the reboot.

    fips keys delete
    reboot -full

REGENERATING KEYS:

To regenerate the keys after they have been zeroized, a super-user must log in over the console port and execute the commands below. This can only be done over the console port because the SSH and SSL keys have been deleted. Key generation takes place during the reboot.
    fips keys generate
    reboot -full

DISABLING FIPS MODE:

To disable Full-FIPS mode, a super-user must log in to the CLI over SSH and execute the following commands:

    conf t host fips-mode disable
    fips auth delete -add -p *

The module then prompts the operator for a new password. These CLI commands cause the IPS to perform the same steps as when entering Full-FIPS mode, except that the appliance is placed in FIPS-disabled mode, the FIPS self-tests are no longer performed, and the IPS may use cryptographic algorithms not allowed by FIPS.

4.2. Security Rules

The security rules enforced by the TippingPoint IPS appliances include both the rules that TippingPoint has imposed and the rules that follow from the security requirements of FIPS 140-2.

4.2.1 FIPS 140-2 Security Rules

The following security rules are derived from the FIPS 140-2 requirements and apply in Full-FIPS mode:

• The TippingPoint IPS appliance supports identity-based operator authentication, access levels, and services as discussed in section 3.
• The TippingPoint IPS appliance supports CSPs and controls access to them as discussed in section 5.
• The TippingPoint IPS appliance supports changing into or out of Full-FIPS mode, zeroizing and generating keys, etc. See section 4.1 for details.
• In Full-FIPS mode, only cryptographic algorithms allowed by FIPS are used. See section 5.1 for the list of algorithms.
• The TippingPoint IPS appliance performs the following FIPS power-up self-tests on every power-up and reboot:
  o Firmware integrity test over all executable components, including the boot image and the firmware image, using a checksum, on all hardware models. If the check fails, a message is displayed on the console and the IPS halts execution.
  o Known-answer tests for each cryptographic algorithm used by the module, i.e. AES, Triple-DES, SHA, HMAC-SHA and RSA.
If a test fails, a message is logged and the IPS is rebooted.
  o Known-answer test for the ANSI X9.31 Random Number Generator. If the test fails, a message is logged and the IPS is rebooted.
• The software performs the following FIPS conditional tests as needed:
  o Continuous random number generator tests for the approved ANSI X9.31 RNG and for the non-approved RNG that seeds it. If a test fails, a message is logged, the current output of the random number generator is discarded, and the software tries the random number generator again.
  o Software load test: when a user attempts to update the software/firmware, the module verifies that the new software file was signed with the TippingPoint software/firmware load private key. If the signature check fails, the update is aborted with no change to the installed software. This validation is also performed when FIPS mode is disabled, and because of it the IPS meets the requirements for a limited operational environment.
  o Pair-wise consistency test after generating or installing new RSA keys. If the test fails, the new RSA key is discarded and not used.
• There is no data output from the data output interfaces of the IPS during the power-up self-tests.
• With the exception of the echo of a user password when it is changed over the console port, no private or secret CSPs are ever output from the IPS. That option is disabled by policy, as stated in the User and Crypto-Officer rules below.
• All external entry of CSPs is encrypted, with the exception of password entry over the console port.
• The user password is obscured during entry to the module.
• Non-FIPS services are not accessible in FIPS-approved mode; the module refuses to enable them while operating in Full-FIPS mode.
• The module does not support a FIPS bypass mode.
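The power-up and conditional self-tests in the list above, modelled as an added worked example (editor-written Python, not TippingPoint's firmware). Everything it operates on is constructed: the firmware images and their reference digests are made-up byte strings, the RSA key is a tiny textbook key used only to show how the pair-wise consistency and software load checks decide, and a counting generator stands in for the ANSI X9.31 RNG's output blocks:

```python
"""Editor-added example, not TippingPoint code: a minimal model of the power-up
and conditional self-tests listed in section 4.2.1. All inputs are constructed:
firmware images and reference digests are made-up byte strings, and the RSA key
is a tiny textbook key (p=61, q=53) that only illustrates the test logic."""
import hashlib
import hmac
from typing import Callable, Dict, List, Tuple

# Published known-answer vectors for the KATs (SHA-256 of "abc"; HMAC-SHA-256 example).
SHA256_KAT = (b"abc", "ba7816bf8f01cfea414140de5dae2223b00361a396177a9cb410ff61f20015ad")
HMAC_KAT = (b"key", b"The quick brown fox jumps over the lazy dog",
            "f7bc83f430538424b13298e6aa6fb143ef4d59a14946175997479dbc2d1a3cd8")

def kat_sha256() -> bool:
    msg, expected = SHA256_KAT
    return hmac.compare_digest(hashlib.sha256(msg).hexdigest(), expected)

def kat_hmac_sha256() -> bool:
    key, msg, expected = HMAC_KAT
    return hmac.compare_digest(hmac.new(key, msg, hashlib.sha256).hexdigest(), expected)

def reference_digests(images: Dict[str, bytes]) -> Dict[str, str]:
    """Reference values a build would store beside the images (constructed here)."""
    return {name: hashlib.sha256(blob).hexdigest() for name, blob in images.items()}

def firmware_integrity_ok(images: Dict[str, bytes], reference: Dict[str, str]) -> bool:
    """Firmware integrity test: every executable image must match its stored digest."""
    return all(hashlib.sha256(blob).hexdigest() == reference.get(name)
               for name, blob in images.items())

class ContinuousRngTest:
    """Continuous RNG test: a block equal to the previous one is discarded and the
    generator retried, as the policy describes; give up after max_retries."""
    def __init__(self, source: Callable[[], bytes], max_retries: int = 3):
        self._source, self._max_retries = source, max_retries
        self.log: List[str] = []
        self._last = source()  # first block is kept only for comparison, never output

    def next_block(self) -> bytes:
        for _ in range(self._max_retries):
            block = self._source()
            if block != self._last:
                self._last = block
                return block
            self.log.append("continuous RNG test failed: repeated block discarded")
        raise RuntimeError("RNG stuck: continuous test failed on every retry")

# Textbook RSA on tiny integers: enough to show the test logic, useless as a cipher.
def make_toy_rsa() -> Tuple[Tuple[int, int], Tuple[int, int]]:
    p, q, e = 61, 53, 17
    n, phi = p * q, (p - 1) * (q - 1)
    return (n, e), (n, pow(e, -1, phi))  # public (n, e) and private (n, d)

def _digest_int(data: bytes, n: int) -> int:
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % n

def rsa_sign(priv: Tuple[int, int], data: bytes) -> int:
    n, d = priv
    return pow(_digest_int(data, n), d, n)

def rsa_verify(pub: Tuple[int, int], data: bytes, sig: int) -> bool:
    n, e = pub
    return pow(sig, e, n) == _digest_int(data, n)

def pairwise_consistency_ok(pub: Tuple[int, int], priv: Tuple[int, int]) -> bool:
    """Pair-wise consistency test: sign/verify and encrypt/decrypt must round-trip,
    otherwise the new key pair is rejected and not used."""
    msg = b"pairwise consistency test"
    if not rsa_verify(pub, msg, rsa_sign(priv, msg)):
        return False
    (n, e), (_, d) = pub, priv
    return pow(pow(65, e, n), d, n) == 65

def software_load_test(package: bytes, sig: int, load_key: Tuple[int, int]) -> bool:
    """Software load test: install only if the package verifies under the stored
    load public key; a failed check aborts the update and changes nothing."""
    return rsa_verify(load_key, package, sig)

def run_power_up_self_tests(images, reference, rng_source, pub, priv) -> Dict[str, bool]:
    results = {"firmware_integrity": firmware_integrity_ok(images, reference),
               "kat_sha256": kat_sha256(),
               "kat_hmac_sha256": kat_hmac_sha256(),
               "rsa_pairwise": pairwise_consistency_ok(pub, priv)}
    try:
        ContinuousRngTest(rng_source).next_block()
        results["continuous_rng"] = True
    except RuntimeError:
        results["continuous_rng"] = False
    return results

if __name__ == "__main__":
    images = {"boot": b"constructed boot image", "firmware": b"constructed firmware image"}
    counter = [0]
    def counting_rng() -> bytes:  # stands in for the ANSI X9.31 RNG's 8-byte output blocks
        counter[0] += 1
        return counter[0].to_bytes(8, "big")
    pub, priv = make_toy_rsa()
    print(run_power_up_self_tests(images, reference_digests(images), counting_rng, pub, priv))
```

A repeated RNG block is discarded and the generator retried, and failure is reported only when it stays stuck; a tampered image, a signature that does not verify, or a key pair that fails its round trip each fail their own check without affecting the others, which is the behaviour the rules above call for.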
• In FIPS approved mode, the operator cannot configure the password settings to allow passwords shorter than 8 characters.
• Telnet and HTTP are disabled in Full-FIPS mode.
• SSL 2.0 and SSL 3.0 support is disabled in Full-FIPS mode. Only TLS 1.0 (SSL 3.1) is allowed.
• The IPS uses a production-grade enclosure and components.

4.2.2 TippingPoint Security Rules

The following security rules are enforced by TippingPoint when the IPS module is in Full-FIPS mode:

• TippingPoint always uses secure distribution means, i.e. trusted third-party carriers such as UPS or FedEx, for shipping the module to authorized users.
• After receipt, the module must be installed and initialized by a Crypto-Officer following the procedure specified in the Crypto-Officer Guidance and in the documentation shipped with the module.
• No module operator has direct access to the internal storage on the IPS where the CSPs and installed software images are stored.
• If the module is reset to factory defaults, it must be confirmed that the module is running the firmware version specified in this document, i.e. 3.1.4.1427 (S10, S110, S330) or 3.2.0.1530 (S660N, S1400N, S2500N, S5100N). If the factory reset has reverted the module to an earlier version, it must be upgraded to these versions.
• The S2500N and S5100N module configurations allow an external ZPHA module to be inserted in the ZPHA connector port on the module's body. If no ZPHA module is used, the ZPHA connector port must be covered with the blank bay faceplate provided with the module.
• If remote authentication using a TippingPoint SMS Server is used, only the SMS level 2 security setting may be used for establishing usernames and passwords on the SMS. This is required to meet the FIPS authentication strength requirements when authenticating to the IPS module.
The level 2 setting on the SMS requires usernames to be at least 6 characters and passwords to be at least 8 characters, of which at least 2 must be alphabetic, 1 numeric, and 1 non-alphanumeric.

4.3. Crypto-Officer Guidance

The following security rules must be enforced or followed by the Crypto-Officer:

• The Crypto-Officer is responsible for the secure and successful installation, initialization and start-up of the module, and should follow the directions in the documentation guide shipped with the module. The guide details the procedures to:
  1) Attach the device to a rack.
  2) Connect the console port of the module to a computer and access the module's terminal.
  3) Connect the network segments to the module.
  4) Connect the power.
  5) Check the LEDs.
  6) Using the console port, follow the setup wizard prompts to establish the Crypto-Officer authentication information and to configure the module's management options.
  7) This completes the initial setup configuration.
• Only the console port should be used for module initialization. The LCD and keypad must not be used for initialization and setup because they display the username and password in plaintext on the LCD.
• All physical ports and logical interfaces of the module may be used by the Crypto-Officer; refer to the 'Ports and Interfaces' section for details. Note that the USB port has no use in FIPS-approved mode on the S10, S110 and S330 module configurations and must not be used on those configurations while the module is operating in FIPS mode.
• Use the console port only in a secure, controlled environment, since its traffic is in plaintext. In general, use the CLI over SSH rather than the console port unless the console port is the only option (e.g. to restore keys after zeroization).
• Add, delete, modify and manage all user accounts as required.
• Refer to Table 6 of this document for the services, and their inputs and outputs, allowed in this role.
• Follow the steps in section 4.1 for enabling/disabling FIPS mode, generating/zeroizing keys, etc., to ensure the IPS operates in a FIPS-compliant manner.
• For CLI commands that take a password, such as the password modification and new user addition commands, use the option to be prompted for the password (a '*' in place of the password in the command) rather than entering the password as part of the command, so that the password is never visible on the command line.
• If remote authentication using a TippingPoint SMS Server is used, only the SMS level 2 security setting may be used for establishing usernames and passwords on the SMS. This is required to meet the FIPS authentication strength requirements when authenticating to the IPS module. The level 2 setting on the SMS requires usernames to be at least 6 characters and passwords to be at least 8 characters, of which at least 2 must be alphabetic, 1 numeric, and 1 non-alphanumeric.
• Keep the IPS in a secure environment and do not attempt to open the enclosure.
• Do not edit the boot options in the BIOS of the S10, S110 and S330 module versions while the module is operating in Full-FIPS mode.
• In the password security settings, do not disable account lockout for repeated login failures or set the lockout period to less than 1 minute. This ensures that the FIPS password strength requirements are met.
• If desired, install a new TLS RSA key pair through the LSM GUI after obtaining it from TippingPoint's TMC website. This must only be done over HTTPS.
• Follow all rules applicable to the Crypto-Officer role as specified in this Security Policy document.
4.4. User Guidance

The following security rules must be enforced or followed by the User:

• All physical ports and logical interfaces of the module may be used by the User role; refer to the 'Ports and Interfaces' section for details. Note that the USB port has no use in FIPS-approved mode on the S10, S110 and S330 module configurations and must not be used on those configurations while the module is operating in FIPS mode.
• Use the console port only in a secure, controlled environment, since its traffic is in plaintext. In general, use the CLI over SSH rather than the console port unless the console port is the only option (e.g. to restore keys after zeroization).
• For CLI commands that take a password, such as the password modification command, use the option to be prompted for the password (a '*' in place of the password in the command) rather than entering the password as part of the command, so that the password is never visible on the command line.
• If remote authentication using a TippingPoint SMS Server is used, only the SMS level 2 security setting may be used for establishing usernames and passwords on the SMS. This is required to meet the FIPS authentication strength requirements when authenticating to the IPS module. The level 2 setting on the SMS requires usernames to be at least 6 characters and passwords to be at least 8 characters, of which at least 2 must be alphabetic, 1 numeric, and 1 non-alphanumeric.
• Keep the IPS in a secure environment and do not attempt to open the enclosure.
• Do not edit the boot options in the BIOS of the S10, S110 and S330 module versions while the module is operating in Full-FIPS mode.
• Refer to Table 6 of this document for the services, and their inputs and outputs, allowed in this role.
• Follow all rules applicable to the User role as specified in this Security Policy document.
4.5. Physical Security Rules

The TippingPoint IPS appliances satisfy the FIPS 140-2 Level 1 physical security requirements. The appliances use production-grade enclosures and components; the outer enclosure of the module is made of production-grade steel. The IPS module should be kept in a secure environment and no operator should attempt to open the enclosure. No other specific physical security mechanisms are required.

5. Security Relevant Data Items and Access Control

This section specifies the TippingPoint IPS Security Relevant Data Items (SRDIs) and the access control policy enforced by the IPS.

5.1. Cryptographic Algorithms

In the approved mode of operation (Full-FIPS mode), the IPS module uses the cryptographic algorithms in the table below.

Table 8: FIPS Mode Cryptographic Algorithms

Algorithm Type | Algorithm | Modes / Modulus sizes / Options | Certificate # | FIPS-approved
Signature Algorithms | RSA (Sign/Verify) | 1024, 2048 bit modulus | 756, 757, 758 | Yes
Symmetric Algorithms | AES (ECB, CBC) | 128, 192, 256 bit | 1557, 1558, 1559 | Yes
Symmetric Algorithms | Triple-DES (ECB, CBC) | 2-key and 3-key | 1021, 1022, 1023 | Yes
Hashing Algorithms | SHA | Byte-oriented; SHA-1, SHA-224, SHA-256, SHA-384, SHA-512 | 1381, 1382, 1383 | Yes
Hashing Algorithms | HMAC-SHA | Byte-oriented; SHA-1, SHA-224, SHA-256, SHA-384, SHA-512 | 909, 910, 911 | Yes
Random Number Generators | PRNG | ANSI X9.31 with 3-key Triple-DES | 838, 839, 840 | Yes
Random Number Generators | Non-approved RNG | Only used to seed the ANSI X9.31 RNG; permitted for use in FIPS approved mode | N/A | No
Key Establishment / Transport | Diffie-Hellman key agreement (used with SSH) | 1024-bit; provides 80 bits of security strength; allowed for use in FIPS approved mode | N/A | No
Key Establishment / Transport | RSA key transport (used with TLS) | 2048-bit; provides 112 bits of security strength; allowed for use in FIPS approved mode | N/A | No

(The 80-bit security strength of the 1024-bit options is below the 112-bit minimum that NIST SP 800-131A has required since 2014; the table records what was validated for the listed firmware versions.)

The IPS supports the following non-FIPS-approved cryptographic algorithms when not in Full-FIPS mode.
These algorithms are not allowed in the FIPS mode of operation.

Table 9: Non-FIPS Mode Cryptographic Algorithms

Algorithm Type | Name | FIPS-approved
Symmetric Algorithms | Blowfish | No
Symmetric Algorithms | RC2 | No
Symmetric Algorithms | RC4 | No
Symmetric Algorithms | DES | No
Hashing Algorithms | MD5 | No
Hashing Algorithms | HMAC-MD5 | No

5.2. Cryptographic Keys, CSPs, and SRDIs

While operating in a FIPS-compliant manner, the TippingPoint IPS module contains the following security relevant data items:

Table 10: SRDI Information

RNG seed
  Description: Seed for the ANSI X9.31 RNG
  Size: 8 bytes
  Generation/Entry: Not entered. Generated using a non-approved RNG on every reboot.
  Storage: Ephemeral; stored in RAM
  Output: No
  Zeroization: Zeroized on reboot or power cycle.

RNG seed key
  Description: 3-key Triple-DES seed key for the ANSI X9.31 RNG
  Size: 3 keys of 8 bytes each
  Generation/Entry: Not entered. Generated using a non-approved RNG on every reboot.
  Storage: Ephemeral; stored in RAM
  Output: No
  Zeroization: Zeroized on reboot or power cycle.

Software load test key
  Description: RSA public key used to verify software upgrades during software package install; uses SHA-256
  Size: 2048 bits
  Generation/Entry: Not generated. Entered encrypted with the SSL session key.
  Storage: Persistent; stored in plaintext on internal storage
  Output: No
  Zeroization: It is a public key, so there is no need to zeroize.

User password
  Description: Password
  Size: 8-32 characters
  Generation/Entry: Not generated. Entered by the user, encrypted with the session key (SSL or SSH) or in clear text (console port).
  Storage: Persistent; stored in hashed form (SHA-256) on internal storage
  Output: No. (The option of specifying the password as part of some CLI commands is disallowed by module policy; see section 4.2.)
  Zeroization: Stored as a hash, so there is no need to zeroize.
Key encrypting key
  Description: AES symmetric key used to encrypt all private keys stored on internal storage
  Size: 128 bits
  Generation/Entry: Not entered. Generated using the ANSI X9.31 RNG during key generation.
  Storage: Persistent; stored in plaintext in a physically erasable part of internal storage
  Output: No
  Zeroization: Zeroized when entering or leaving Full-FIPS mode, when the FIPS keys are deleted, or on reset to factory defaults.

TLS RSA key pair
  Description: RSA public and private keys used for SSL; uses SHA-256
  Size: 2048 bits
  Generation/Entry: Generated using the ANSI X9.31 RNG during key generation. A super-user or admin user can install a new official key pair, entered encrypted with the SSL session key.
  Storage: Persistent; stored on internal storage encrypted with the key encrypting key
  Output: The public key is output to the peer as part of SSL negotiation. The private key is never output.
  Zeroization: Stored in encrypted form, so there is no need to zeroize.

TLS pre-master secret
  Description: Shared secret exchanged using RSA key transport and used to derive the master secret
  Size: 48 bytes
  Generation/Entry: May be entered encrypted with the module's RSA public key when the module acts as a TLS server. If the module acts as a TLS client, it is generated using the ANSI X9.31 RNG.
  Storage: Ephemeral; stored in RAM
  Output: May be output encrypted with the peer's RSA public key when the module acts as a TLS client. Never output when the module acts as a TLS server.
  Zeroization: Zeroized on reboot or power cycle.

TLS master secret
  Description: Master secret used to derive the SSL encryption and MAC keys for both ends of an SSL session
  Size: 48 bytes
  Generation/Entry: Not entered. Computed as part of SSL negotiation according to the TLS 1.0 standard, using the pre-master secret and the nonces.
  Storage: Ephemeral; stored in RAM
  Output: No
  Zeroization: Zeroized on reboot or power cycle.

TLS encryption key
  Description: AES/3DES symmetric key for SSL encryption in one direction
  Size: AES: 128, 192, or 256 bits; 3DES: 168 bits
  Generation/Entry: Not entered. Derived from the master secret as part of SSL negotiation.
  Storage: Ephemeral; stored in RAM
  Output: No
  Zeroization: Zeroized on reboot or power cycle.
TLS integrity key
  Description: MAC key for integrity in one direction
  Size: 160 bits
  Generation/Entry: Not entered. Derived from the master secret as part of SSL negotiation.
  Storage: Ephemeral; stored in RAM
  Output: No
  Zeroization: Zeroized on reboot or power cycle.

SSH Diffie-Hellman exchange values
  Description: Public value and private exponent used for the SSH DH key exchange
  Size: 1024-bit
  Generation/Entry: The module's private exponent is generated during SSH negotiation using the ANSI X9.31 RNG. The public value is derived from the private exponent and the DH group. The peer's DH public value enters the module according to the SSH standard.
  Storage: Ephemeral; stored in RAM
  Output: The public value is output to the peer as part of SSH negotiation. The private DH exponent is never output.
  Zeroization: Zeroized on reboot or power cycle.

SSH DH shared secret
  Description: The shared secret established using the SSH DH exchange
  Size: 1024-bit
  Generation/Entry: Not entered. Derived by the module during SSH negotiation using the DH parameters, according to the SSH standard.
  Storage: Ephemeral; stored in RAM
  Output: No
  Zeroization: Zeroized on reboot or power cycle.

SSH RSA key pair
  Description: RSA key pair used for SSH
  Size: 2048 bits
  Generation/Entry: Not entered. Generated using the ANSI X9.31 RNG during key generation.
  Storage: Persistent; stored on internal storage encrypted with the key encrypting key
  Output: The public key is output to the peer as part of SSH negotiation. The private key is never output.
  Zeroization: Stored in encrypted form, so there is no need to zeroize.

SSH session encryption key
  Description: AES/3DES symmetric key for SSH encryption in one direction
  Size: AES: 128, 192, or 256 bits; 3DES: 168 bits
  Generation/Entry: Not entered. Derived during SSH negotiation.
  Storage: Ephemeral; stored in RAM
  Output: No
  Zeroization: Zeroized on reboot or power cycle.

SSH integrity key
  Description: MAC key for integrity in one direction
  Size: 160, 256, 384, or 512 bits
  Generation/Entry: Not entered. Derived during SSH negotiation.
  Storage: Ephemeral; stored in RAM
  Output: No
  Zeroization: Zeroized on reboot or power cycle.

The "no need to zeroize" entries for the two RSA key pairs rely on the key encrypting key, which is zeroized whenever the FIPS keys are deleted or the mode changes; without it the stored ciphertext is unrecoverable.

5.3. Access Control Policy

The IPS allows controlled access to the SRDIs contained within it. The following table defines the access that the IPS services have to the SRDIs (R = read, W = write, Z = zeroize, D = delete).
If no access is listed, the service does not use that SRDI.

Table 11: Access Control Policy

SRDI columns: RNG seed and seed key; Software load test key; User passwords; Key encrypting key; TLS RSA key pair; TLS pre-master secret, master secret, encryption key and integrity key; SSH RSA key pair; SSH DH exchange values, DH shared secret, session encryption key and integrity key. Each service below is followed by its access marks as they appear across those columns, left to right; columns with no access carry no mark.

Service | Access
Enable/disable Full-FIPS mode | WZ, WD, RW, W, Z, W, RZ, Z
View FIPS status | R, R
Configure own password | W, R, R
Configure any user's password and access level | W, R, R
Configure password restrictions and account lockout settings | R, R
Zeroize keys | WZ, Z, D, Z, D, RZ
Generate new keys | WZ, RW, W, Z, W, RZ, Z
Install new TLS RSA key pair | R, RW, R
Reboot | WZ, RZ, RZ
Install new firmware/software | WZ, RW, RZ, Z
Do FIPS power-up self-tests | (none listed)
Login to CLI | R, R, R, RW
Login to LSM | R, R, R, RW
Configure non-FIPS related admin level settings | R, R
Configure non-FIPS related super-user level settings | R, R
View non-FIPS related configuration | R, R
View non-FIPS related status | R, R
Intrusion prevention functionality on the monitoring ports | (none listed)

6. Mitigation of Other Attacks

The cryptographic module does not claim to mitigate any other attacks in a FIPS-approved mode of operation.
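The TLS 1.0 key hierarchy that Table 10 describes (48-byte pre-master secret, 48-byte master secret, then per-direction encryption and MAC keys), as an added worked example written by the editor, not TippingPoint code, implemented the way RFC 2246 defines it. The pre-master secret and the two hello randoms below are constructed values; on the appliance the pre-master secret arrives under RSA key transport and the randoms come from the hello messages. Note that the TLS 1.0 PRF is defined with MD5 and SHA-1 internally, which is part of the TLS key derivation rather than a standalone use of MD5 of the kind Table 9 excludes:

```python
"""Editor-added example, not TippingPoint code: TLS 1.0 (RFC 2246) key derivation
as described in Table 10. Pre-master secret and hello randoms are constructed."""
import hmac
from typing import Dict

def p_hash(hash_name: str, secret: bytes, seed: bytes, length: int) -> bytes:
    """RFC 2246 P_hash: A(0)=seed, A(i)=HMAC(secret, A(i-1)); emit HMAC(secret, A(i)+seed)."""
    out, a = b"", seed
    while len(out) < length:
        a = hmac.new(secret, a, hash_name).digest()
        out += hmac.new(secret, a + seed, hash_name).digest()
    return out[:length]

def tls10_prf(secret: bytes, label: bytes, seed: bytes, length: int) -> bytes:
    """TLS 1.0 PRF: P_MD5 over the first half of the secret XOR P_SHA1 over the second.
    For an odd-length secret the halves share one middle byte, as RFC 2246 requires."""
    half = (len(secret) + 1) // 2
    md5_part = p_hash("md5", secret[:half], label + seed, length)
    sha1_part = p_hash("sha1", secret[-half:], label + seed, length)
    return bytes(x ^ y for x, y in zip(md5_part, sha1_part))

def master_secret(pre_master: bytes, client_random: bytes, server_random: bytes) -> bytes:
    """Table 10's TLS master secret: 48 bytes from the pre-master secret and both nonces."""
    return tls10_prf(pre_master, b"master secret", client_random + server_random, 48)

def key_block(master: bytes, client_random: bytes, server_random: bytes,
              mac_len: int, key_len: int, iv_len: int) -> Dict[str, bytes]:
    """Key expansion (note the nonces swap order), sliced into the six per-direction
    values; Table 10 lists the encryption and MAC keys as separate ephemeral SRDIs."""
    total = 2 * (mac_len + key_len + iv_len)
    kb = tls10_prf(master, b"key expansion", server_random + client_random, total)
    layout = [("client_mac", mac_len), ("server_mac", mac_len), ("client_key", key_len),
              ("server_key", key_len), ("client_iv", iv_len), ("server_iv", iv_len)]
    keys, pos = {}, 0
    for name, size in layout:
        keys[name] = kb[pos:pos + size]
        pos += size
    return keys

if __name__ == "__main__":
    # Constructed inputs: a real pre-master secret is 0x03 0x01 followed by 46 random bytes.
    pre_master = b"\x03\x01" + bytes(range(46))
    client_random, server_random = bytes(range(32)), bytes(range(32, 64))
    ms = master_secret(pre_master, client_random, server_random)
    # AES-128-CBC with HMAC-SHA-1: 20-byte MAC keys, 16-byte keys, 16-byte IVs (104 bytes).
    for name, value in key_block(ms, client_random, server_random, 20, 16, 16).items():
        print(f"{name:10s} {value.hex()}")
```

The per-direction split is why Table 10 counts one encryption key and one 160-bit integrity key "in one direction": the client-to-server and server-to-client keys are distinct slices of the same key block, and all of them, like the master and pre-master secrets, live only in RAM and are gone on reboot.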