Lucent VPN Firewall Bricks® 350, 1000
FIPS 140-2 Non-Proprietary Security Policy
Level 2 Validation
Version 6.2
January 27, 2005

© Copyright 2005 Lucent Technologies, Inc. This document may be freely reproduced and distributed whole and intact including this Copyright Notice.

Non-Proprietary Security Policy
Page 2 of 68

Table of Contents

1 INTRODUCTION ..... 4
1.1 PURPOSE ..... 4
1.2 REFERENCES ..... 4
1.3 TERMINOLOGY ..... 4
1.4 DOCUMENT ORGANIZATION ..... 4
2 THE BRICK 350 AND BRICK 1000 VPN FIREWALLS ..... 6
2.1 THE CRYPTOGRAPHIC MODULE ..... 7
2.2 MODULE INTERFACES ..... 9
2.3 ROLES AND SERVICES ..... 17
2.3.1 Crypto Officer Services ..... 17
2.3.2 User Services ..... 59
2.4 PHYSICAL SECURITY ..... 59
Brick 350 Module ..... 59
Brick 1000 Module ..... 60
2.5 CRYPTOGRAPHIC KEY MANAGEMENT ..... 62
2.6 SELF-TESTS ..... 64
3 SECURE OPERATION OF THE BRICK 350 AND BRICK 1000 VPN FIREWALLS ..... 65
3.1 INITIAL SETUP ..... 65
3.2 MODULE INITIALIZATION AND CONFIGURATION ..... 65
3.3 IPSEC REQUIREMENTS AND CRYPTOGRAPHIC ALGORITHMS ..... 66
3.4 REMOTE ACCESS ..... 66

1 Introduction

1.1 Purpose

This is the non-proprietary Cryptographic Module Security Policy for the Brick 350 and Brick 1000. This security policy describes how the Brick 350 and Brick 1000 (Hardware Version: Brick 350 and Brick 1000; Firmware Version: Lucent LVF 7.2.292) meet the security requirements of FIPS 140-2, and how to operate the Bricks in a secure FIPS 140-2 mode. This policy was prepared as part of the Level 2 FIPS 140-2 validation of the Brick 350 and Brick 1000 VPN Firewalls.

FIPS 140-2 (Federal Information Processing Standards Publication 140-2 -- Security Requirements for Cryptographic Modules) details the U.S. Government requirements for cryptographic modules. More information about the FIPS 140-2 standard and validation program is available on the NIST website at http://csrc.nist.gov/cryptval/.

1.2 References

This document deals only with operations and capabilities of the Brick 350 and Brick 1000 in the technical terms of a FIPS 140-2 cryptographic module security policy. More information is available on the Brick 350 and Brick 1000 and the entire Brick series, from the following sources:

· The Lucent Technologies website contains information on the full line of products at http://www.lucent.com. The Lucent product descriptions can be found at: http://www.lucent.com/products/subcategory/0,,CTID+2017-STID+10080-LOCL+1,00.html
· For answers to technical or sales related questions please refer to the contacts listed on the Lucent Technologies website at http://www.lucent.com/support/access.html.
· The NIST Validated Modules website (http://csrc.nist.gov/cryptval) contains contact information for answers to technical or sales-related questions for the module.

1.3 Terminology

In this document, the Brick 350 and Brick 1000 as a group are referred to as the Module(s) or module(s). When referring to a specific Brick, the module is referred to as the Brick 350 module, or the Brick 1000 module.

1.4 Document Organization

The Security Policy document is part of the FIPS 140-2 Submission Package. In addition to this document, the Submission Package contains:

· Vendor Evidence document
· Finite State Machine
· Module Software Listing
· Other supporting documentation as additional references

This document provides an overview of the Brick 350 and Brick 1000 modules and explains the secure configuration and operation of the modules. This introduction section is followed by Section 2, which details the general features and functionality of the Brick 350 and Brick 1000 modules. Section 3 specifically addresses the required configuration for the FIPS-mode of operation.

This Security Policy and other Validation Submission Documentation was produced by Corsec Security, Inc. under contract to Lucent Technologies, Inc. With the exception of this Non-Proprietary Security Policy, the FIPS 140-2 Validation Submission Documentation is Lucent-proprietary and is releasable only under appropriate non-disclosure agreements. For access to these documents, please contact Lucent Technologies, Inc.

2 The Brick 350 and Brick 1000 VPN Firewalls

The VPN Firewall Brick is a high-speed packet-processing appliance, oriented towards providing security functions. The module is offered in several models, providing different physical interface combinations as well as different capacity and throughput ratings. The module is Intel Pentium based, using a PCI bus backplane, so its speed and capacity scale with standard components and have a minimum growth predictable according to Moore's Law. The Brick product line provides Local Area Network (LAN)-level Ethernet interfaces, in both 10/100 copper and Gigabit fiber ports. In the larger module (Brick 1000), the fan is the only continuously moving part, allowing for the module to have an extremely long hardware mean time between failures (MTBF) - greater than 7 years.

Within the module, local policy and configuration data are only stored on a solid-state Non-Volatile Random Access Memory (NVRAM) disk. The module does not run as an application on top of a commercial operating system; rather, it runs as the kernel of a small, highly application-specific operating system, designed for small embedded security applications.

VPN Firewall Bricks incorporate these features:

· Packet Forwarding - Bridging and Routing
· IEEE 802.1q VLAN Tag Support
· Virtual Firewalls & Stateful Packet Filtering
· Application Filters
· Virtual Private Networking (VPN) & Network Address Translation (NAT)
· User Authentication
· Quality of Service/Bandwidth Management
· Denial of Service Protection
· Brick Partitions
· Brick Failover/Redundancy & State Sharing
· Dynamic Address Support
· Logging

The same software binary image ("tvpc.Z") runs on all modules, so all features discussed are available on all module platforms. The binary images are identical across all platforms, regardless of the Brick's model number or configuration setup.
Bricks are available in a variety of hardware models; the models differ solely in throughput, capacity, and physical interface types. This Security Policy applies to the following FIPS 140-2 Level 2 validated Modules:

Brick 350 Module: For enterprise-class demands of large corporate facilities.
· VPN Firewall Brick® Model 350 Basic [8-10/100 Ethernet Ports, Internal AC Power Supply, Internal Floppy Drive]

Brick 1000 Module: For service providers offering advanced security services packages.
· VPN Firewall Brick® Model 1000 (5/4) [5-10/100 Ethernet Ports/4-Gigabit Fiber Ports, Dual Internal AC Power Supply, Internal Floppy Drive]

2.1 The Cryptographic Module

Figure 1 - The Brick 350 Module
Figure 2 - The Brick 1000 Module

The Brick 350 and Brick 1000 modules are multiple-chip standalone cryptographic modules. The cryptographic boundary is defined as the front, right, left, top, and bottom sides of the case; all portions of the rear of the case that are not designed to accommodate a network module or power supply; and the inverse of the three-dimensional space within the case that would be occupied by any installed power supply or network module that does not perform approved services. The cryptographic boundary includes the connection apparatus between the network modules and power supplies and the motherboard that hosts the network modules and power supplies, but the boundary does not include the power supplies and network modules themselves. In other words, the cryptographic boundary encompasses all hardware components within the case of the module except any installed network modules and power supplies. All of the functionality discussed in this document is provided by components within this cryptographic boundary.

The Brick 1000 module requires that a special opacity shield be installed on the top portion of the rear of the module, covering the top row of ventilation holes along the rear of the chassis (as shown in Figure 3) in order to operate in FIPS-approved mode. The shield completely covers the ventilation holes on the top of the rear panel of the Brick 1000 module. To apply, remove the three pan-head screws from the rear of the chassis and attach the opacity shield to the chassis, using the three flat-head screws that are supplied with the FIPS kit. Figure 3 demonstrates the proper application of the shield.

Figure 3 - Brick 1000 Opacity Shield Application

2.2 Module Interfaces

Module features such as tunneling, data encryption, and termination of Remote Access Wide Area Networks (WANs) via Internet Protocol Security (IPSec) make the Lucent VPN Firewall Brick an ideal platform for building virtual private networks. The interfaces for the module are located on the front and rear panels of the modules as shown in the following figures.

Figure 4 - Brick 350 Physical Interfaces
Figure 5 - Brick 1000 Physical Interfaces

The physical interfaces include a power switch, a keyboard port, a monitor port, and a console port (RS-232 serial connector) on the backplane for local system access (on the Brick 350, the port labeled "Serial Port" is the Console Port), Ethernet ports (Ether0 and Ether1 for the Brick 350, and Ether0 for the Brick 1000), and the Network Module connection interfaces on the motherboard. The module's status interfaces are located on the front panel. These LEDs provide overall status of the module's operation. Figure 6 and Figure 7 show the front panel LEDs of the Brick 350 and Brick 1000 modules. Table 1 and Table 2 provide descriptions for the front panel LEDs, Table 3 and Table 4 provide descriptions for the rear panel LEDs, and Table 5 provides a description of the modules' audible buzzer.
Front Panel LEDs:

Figure 6 - Brick 350 Front Panel LEDs (callouts: Power LED, FD Act LED)

Figure 7 - Brick 1000 Front Panel LEDs (Model 1000 - Front View, Cover Open; callouts: Disk Activity LED, Power LED, Fault Indicator LED, Floppy Activity LED)

Table 1 - Brick 350 Front Panel LEDs and Descriptions
LED | Indication | Description
Power | Solid | Power is supplied to the module
Power | Off | The module is not powered on
FD Act | Intermittent | The flash disk is in use
FD Act | Off | The flash disk is not in use
Floppy Drive | On | The floppy drive is reading a diskette
Floppy Drive | Off | The floppy drive is not in use

Table 2 - Brick 1000 Front Panel LEDs and Descriptions
LED | Indicator | Description
Power | Green | Power is supplied to the module
Power | Off | The module is not powered on
Floppy Drive | On | The floppy drive is reading a diskette
Floppy Drive | Off | The floppy drive is not in use
Disk Activity | Amber | The flash disk is in use
Disk Activity | Off | The flash disk is not in use
Fault (Power Supply) | Orange | Power supply failure
Fault (Power Supply) | Off | The power supplies are on and functioning

Rear Panel LEDs:

Figure 8 - Brick 350 Rear Panel LEDs
Figure 9 - Brick 1000 Rear Panel LEDs

Table 3 - Brick 350 Rear Panel LEDs and Descriptions
LED | Indicator | Description
Motherboard E0 | Left: Off | Port connected at 10Mbps
Motherboard E0 | Left: On | Port connected at 100Mbps
Motherboard E0 | Right: On | Port is on
Motherboard E0 | Right: Intermittent | Data being transferred
Motherboard E1 | Left: Off | Port connected at 10Mbps
Motherboard E1 | Left: Green | Port connected at 100Mbps
Motherboard E1 | Left: Yellow | Port connected at 1000Mbps
Motherboard E1 | Right: On | Port is on
Motherboard E1 | Right: Intermittent | Data being transferred

Table 4 - Brick 1000 Rear Panel LEDs and Descriptions
LED | Indicator | Description
Encryption Accelerator (LED) | Blinking | Encryption Accelerator Card is in use
Encryption Accelerator (LED) | Solid | Encryption Accelerator Card failed while LED was blinking in the ON state
Encryption Accelerator (LED) | Off | If Encryption Accelerator Card is installed, either the EAC is not currently in use or the EAC failed while LED was blinking in the OFF state
Motherboard Ethernet Port 0 | Left: Off, Right: On | Good connection at 10Mbps
Motherboard Ethernet Port 0 | Left: On, Right: On | Good connection at 100Mbps
Motherboard Ethernet Port 0 | Left: Off, Right: Off | No connection
Motherboard Ethernet Port 0 | Left: Off, Right: Intermittent | Data being transferred at 10Mbps
Motherboard Ethernet Port 0 | Left: On, Right: Intermittent | Data being transferred at 100Mbps

Table 5 - Brick 350 and Brick 1000 Module Audible Description
Audible Indicator | Description
Sustained alarm | A power supply has failed
Beep | OS image has successfully been loaded by floppy
Buzzer Off | Alarm Cut Off Switch is enabled or the module is powered off

All of these physical interfaces are separated into the logical interfaces from FIPS 140-2 as described in the following tables:

Table 6 - Brick 1000 Module FIPS 140-2 Logical Interfaces
Brick 1000 Module Physical Interface | FIPS 140-2 Logical Interface
Network Module Interface, Ethernet Port, Console Port, Floppy Drive, PS/2 Keyboard Port | Data Input Interface
Network Module Interface, Ethernet Port, SVGA Video Port, Console Port | Data Output Interface
Network Module Interface, Ethernet Port, Power Switch, Power Supply Alarm Reset Button, PS/2 Keyboard Port, Console Port | Control Input Interface
Network Module Interface, Ethernet Port, SVGA Video Port, Ethernet Port LEDs, Disk Activity LED, Fault Status Indicator LED, Power LED, Floppy Drive LED, Buzzer | Status Output Interface
Motherboard | Power Interface
USB Port #1, USB Port #2, Serial Port, Parallel Port, Monitor Port #2 (Motherboard), Sound Ports, Mouse Port | Disabled / Non-functional

Table 7 - Brick 350 Module FIPS 140-2 Logical Interfaces
Brick 350 Module Physical Interface | FIPS 140-2 Logical Interface
Network Module Interface, Ethernet Ports, Serial Port, Floppy drive, PS/2 Keyboard Port | Data Input Interface
Network Module Interface, Ethernet Ports, SVGA Video Port | Data Output Interface
Network Module Interface, Ethernet Ports, Power Button, PS/2 Keyboard Port | Control Input Interface
Network Module Interface, Ethernet Ports, SVGA Video Port, Ethernet Port LEDs, Flash Disk Activity LED, Power LED, Floppy Drive LED, Buzzer | Status Output Interface
Motherboard | Power Interface
Parallel Port, USB Port #1, USB Port #2, USB Port #3 | Disabled / Non-functional

2.3 Roles and Services

Authentication is role-based. The two roles allowed in a FIPS 140-2 Level 2 approved mode of operation are the Crypto Officer role and the User role. The Crypto Officer (via the Lucent Security Management Server [LSMS]) generates a digital certificate which is then loaded into the module at initialization. This certificate is then used during a Secure Sockets Layer (SSL)-like protocol to authenticate the Crypto Officer to the module during all future authentication attempts. Users authenticate to the module using a shared secret Hashed Message Authentication Code - Secure Hash Algorithm (HMAC-SHA-1) key. This authentication is per packet via verification of an HMAC.

The Crypto Officer communicates with the module through an encrypted session that is established using the Crypto Officer Session Keys (DES or 3DES - NIST FIPS PUB 46-3 and HMAC - NIST PUB 198) and authenticates to the module using a digital certificate. Virtual Private Network (VPN) functionality is available via the User Role. VPN clients authenticate to the module per (network-layer) packet using a shared secret HMAC-SHA-1 key configured by the Crypto Officer. The Crypto Officer may also authenticate to the cryptographic module via the local console port using a password (which is hashed locally) in order to perform a small number of maintenance activities.

2.3.1 Crypto Officer Services

The Crypto Officer is responsible for the configuration and management of the module. The Crypto Officer first provides an initial configuration for the module and then is able to access the module over an encrypted session.
Through this session, the Crypto Officer can perform full management of the module, including loading IPSec Security Associations (SAs) onto the module for Users.

During the initial configuration of the module, the Crypto Officer generates a disk using the LSMS and this information is then loaded onto the module over the Module's floppy disk drive. The files on this disk include the following configuration information:

· Crypto Officer certificate containing the Crypto Officer Certificate Authority (CA) Digital Signature Algorithm (DSA) public key
· DSA key pair for the module (the public key is contained in a certificate generated by the Crypto Officer)
· Diffie-Hellman (DH) public parameters
· IP address of the LSMS
· Domain Name Server (DNS) Host Name given to identify the Module

The module's public key (of the DSA key pair loaded onto the module) is contained in a certificate generated by the LSMS CA. Each module is given such a unique certificate, and this is used during the Crypto Officer handshake protocol to authenticate the module to the Crypto Officer. Additionally, the Crypto Officer possesses a certificate, to allow the module to authenticate the Crypto Officer. Collectively, these certificates provide a mutual authentication between the Crypto Officer and every module, so an intruder cannot masquerade as either the Crypto Officer or a module.

Once the module has been initialized, the Crypto Officer may begin management of the module through a Triple Data Encryption Standard (3DES) encrypted IP session. The module provides the Crypto Officer role exclusively to the LSMS after the initial configuration is completed. Digital certificates are used to authenticate the Crypto Officer to the module and the module to the Crypto Officer, and a Diffie-Hellman key agreement is performed to negotiate encrypted session keys (HMAC SHA-1 and 3DES keys).
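Section 2.3 states that Users authenticate to the module per packet with a shared secret HMAC-SHA-1 key, and that the Crypto Officer provisions that key as part of the User's IPSec SA. The Python below is an added illustration of that per-packet check; it is not code from this security policy or from Lucent's LVF firmware. The 8-byte SPI/sequence-number header, the untruncated 20-byte tag, the key bytes and the packet contents are all constructed assumptions for the example.

```python
import hmac
import hashlib
import struct
from dataclasses import dataclass

# Full 160-bit HMAC-SHA-1 output. The policy only states that each packet is
# authenticated with a shared HMAC-SHA-1 key; the tag length and the packet
# framing used here are assumptions made for this example.
TAG_LEN = 20
HEADER_LEN = 8


@dataclass(frozen=True)
class SecurityAssociation:
    """A User SA as the Crypto Officer would load it: SPI plus shared HMAC key."""
    spi: int
    hmac_key: bytes


def build_header(spi, seq):
    """Constructed 8-byte header: SPI and sequence number, both big-endian."""
    return struct.pack(">II", spi, seq)


def protect_packet(sa, seq, payload):
    """Client side: append an HMAC-SHA-1 tag over header + payload."""
    data = build_header(sa.spi, seq) + payload
    tag = hmac.new(sa.hmac_key, data, hashlib.sha1).digest()
    return data + tag


def verify_packet(sa, packet):
    """Module side: return the authenticated bytes, or None if the packet fails.

    A packet is accepted only if it is long enough to carry a header and a
    tag, names this SA's SPI, and its tag matches under the shared key. The
    tag comparison is constant-time so verification timing leaks nothing
    about how many tag bytes matched.
    """
    if len(packet) < HEADER_LEN + TAG_LEN:
        return None
    data, tag = packet[:-TAG_LEN], packet[-TAG_LEN:]
    spi, _seq = struct.unpack(">II", data[:HEADER_LEN])
    if spi != sa.spi:
        return None
    expected = hmac.new(sa.hmac_key, data, hashlib.sha1).digest()
    if not hmac.compare_digest(expected, tag):
        return None
    return data


def demo():
    """Run the check over constructed packets; returns which ones were accepted."""
    # Constructed sample values, not keys or SPIs from the policy.
    sa = SecurityAssociation(spi=0x1001, hmac_key=b"constructed-shared-secret-for-demo")
    other = SecurityAssociation(spi=0x1001, hmac_key=b"a-different-constructed-key")
    packet = protect_packet(sa, seq=1, payload=b"GET /status HTTP/1.0\r\n")

    # Flip one payload byte: the tag no longer matches and the packet is dropped.
    tampered = bytearray(packet)
    tampered[12] ^= 0x01

    return {
        "genuine": verify_packet(sa, packet) is not None,
        "tampered": verify_packet(sa, bytes(tampered)) is not None,
        "wrong_key": verify_packet(other, packet) is not None,
        "truncated": verify_packet(sa, packet[:-1]) is not None,
    }


if __name__ == "__main__":
    for name, accepted in demo().items():
        print(f"{name:10s} accepted={accepted}")
```

Only the genuine packet is accepted; a modified payload, a packet tagged under a different key, and a packet shortened by one byte are all rejected before any payload is processed. The SPI check stands in for the module's selection of the SA that the Crypto Officer loaded for that User.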
After the encrypted session is established, the Crypto Officer accesses the module's services through this session. Through an encrypted session, the Crypto Officer configures the module for use by IPSec clients. The Crypto Officer loads IPSec SAs onto the module over the encrypted session, including any IPSec SA session keys. As part of these SAs, the Crypto Officer configures the shared secret HMAC keys used to authenticate the User to the module.

An operator assuming the Crypto Officer role performs all administrative functions listed below, which are services that are embedded within the LSMS and activated from Application Programming Interface (API) calls to the module:

Writing Commands...

Service Output marked "Standard" in the table below means: if the returned value is equal to the exact length of the issued command, then the command executed successfully; if the returned value is equal to any value other than the exact length of the issued command, then the command did not execute successfully.

LSMS Function | Service Call | Description | Service Output
[BTABLE] | "begin tableload" | Prepare the module to download a full policy definition including both all of the individual rule policies and the brick configuration (routes, interfaces, VLANs, etc). | Standard
[BATABLE] | "begin tableadd" | Make a copy of the current brick zone table configuration in preparation for loading the initial (post-boot) policy for contacting the LSMS to download the initial policy. The reason for the copy is so that we do not lose state information in the event that we just transitioned from the standby to the active. | Standard
[BLOAD] | "begin load" | Clears out any loading state from a zone in preparation for loading a new zone policy. | Standard
[STABLE] | "sign table" | Saves full policy signer information (e.g. administrator name, date). | Standard
[SDOMAIN] | "sign domain" | Saves domain (zone) signer information (e.g. administrator name, date). | Standard
[ALOAD] | "abort load" | Change brick state to "aborted" for use by the "read load state" command. | Standard
[ETABLE] | "end tableload" | Signals the end of a full load (prerequisite "begin tableload"). This causes the brick to verify the signatures on the load. | Standard
[ELOAD] | "end load" | Signals the end of a policy (prerequisite "begin load"). This causes the brick to verify the signatures on the policy. | Standard
[SWITCH] | "switch over" | Make the pending full policy or individual zone policy active. (prerequisite begin load or begin tableload). | Standard
[ATABLE] | "add table" | Add an entry to the zone assignment table (prerequisite "begin tableload"). | Standard
(none) | "adm cert" | Passes the public certificate for the administrator signing this particular object. (prerequisite, begin load or tableload). | Standard
(none) | "adm pk" | Passes the signing administrator's public key. (prerequisite, begin load or tableload). | Standard
(none) | "data cert" | Pass the public certificate (i.e. the signature) of the object (full load or individual zone load). (prerequisite, begin load or tableload). | Standard
[AETHTYP] | "add ethertype" | Add an entry to the list of ethertype non-ip protocols allowed to pass through the firewall (prerequisite, begin tableload). | Standard
[SETHTYP] | "switch ethertype" | Activate the pending list of ethertype non-ip protocols allowed to pass (prerequisite, begin tableload). | Standard
[ADSAP] | "add dsap" | Add an entry to the list of dsap non-ip protocols allowed to pass through the firewall (prerequisite, begin tableload). | Standard
[SDSAP] | "switch dsap" | Activate the pending list of dsap non-ip protocols allowed to pass (prerequisite, begin tableload). | Standard
[AROUTE] | "add route" | Add an entry to the pending IP static routing table. (prerequisite, begin tableload). | Standard
[APROXY] | "add proxy" | Add an entry to the pending reflection proxy table. (prerequisite, begin tableload). | Standard
[ADPROXY] | "add dynamic proxy" | Add an entry to the *active* reflection proxy table. (This is an old command that is no longer used in LVF version 7.2.292) | [This function cannot be used in the FIPS mode of operation.]
[DDPROXY] | "delete dynamic proxy" | Delete an entry from the *active* reflection proxy table. (Never used.) | Standard
[ARULE] | "add rule" | Adds a pending rule to the loading domain. (prerequisite, begin load). | Standard
[ADRULE] | "add dynamic rule" | Adds an active rule to the specified domain. (Never used.) | Standard
[DDRULE] | "delete dynamic rule" | Does nothing. | Does nothing
[AMASK] | "add mask" | Adds a pending dependency mask to the specified domain. (prerequisite, begin load). | Standard
[ADMASK] | "add dynamic mask" | Adds an active dependency mask to the specified domain. | Standard
[AHOST] | "add hostgrp" | Adds a pending host group entry to the specified domain. (prerequisite, begin load) | Standard
[ADHOST] | "add dynamic hostgrp" | Adds an active host group entry to the specified domain. | Standard
[DDHOST] | "delete dynamic hostgrp" | Deletes a host group entry from the specified domain. (Host group entry must have been loaded with an add dynamic hostgroup). | Standard
[ASRV] | "add srvgrp" | Adds a pending service group entry to the specified domain. (prerequisite, begin load). | Standard
[ADSRV] | "add dynamic srvgrp" | Adds an active service group entry to the specified domain. (Not used) | Standard
[SCOMM] | "set comm" | Sets file descriptor and address of the connection to the audit server. | Standard
[DISABLE] | "disable firewall" | Turns off packet processing for packets not originating on the firewall or destined to the firewall. | Standard
[RENABLE] | "reenable firewall" | Undoes "disable firewall". | Standard
[RFRSHMAC] | "refresh mac table" | Marks all of the MAC table entries as stale so that they can move if necessary. Any sessions that have a pointer to this entry have to be rerouted the next time a packet comes through that requires the MAC entry. | Standard
[RFRSHARP] | "refresh arp table" | Attempts to refresh all of the entries in the ARP table. | Standard
[SETAUTH] | "set auth" | This is an old command that is no longer used in LVF version 7.2.292. | [This function cannot be used in the FIPS mode of operation.]
[LDTYPE] | "set ldtype" | Sets load type so that when a switchover occurs, the brick knows what to do. | Standard
[WLSTATE] | "write load state" | Sets the load state for use by the "read load state". (This is an old command that is no longer used in LVF version 7.2.292) | [This function cannot be used in the FIPS mode of operation.]
[BOOTFREEZE] | "zb" | Prevent the brick from rebooting in the event that a fatal error occurs (aka a "panic"). This allows critical information to be retained on the screen long enough to read it. | Standard
[REBOOT] | "zr" | Force the brick to reboot. | Standard
[REDIRECT] | "redirect" | This is an old command that is no longer used in LVF version 7.2.292. | [This function cannot be used in the FIPS mode of operation.]
[AIPSEC] | "add ipsec" | Add a pending Security Association to the specified zone. (prerequisite begin load). | Standard
other than the exact length of the issued command, then the command did not execute successfully. if the returned value is equal to the exact length of the issued command, then the command executed add an active Security successfully; if the "add dynamic [ADIPSEC] Association to the specified returned value is ipsec" zone. equal to any value other than the exact length of the issued command, then the command did not execute successfully. [DDIPSEC] "delete delete an active Security if the returned Page 34 of 68 Writing Commands... LSMS Function Service Call Description Service Output dynamic Association to the specified value is equal to ipsec" zone. the exact length of the issued command, then the command executed successfully; if the returned value is equal to any value other than the exact length of the issued command, then the command did not execute successfully. if the returned value is equal to the exact length of the issued command, then the command executed prints general debug trace successfully; if the [TRCTRACE] "trace" help (disabled in returned value is production). equal to any value other than the exact length of the issued command, then the command did not execute successfully. if the returned value is equal to the exact length of the issued Prints a specific table command, then the [TRCDUMP] "trace dump" (disabled in production). command executed successfully; if the returned value is equal to any value Page 35 of 68 Writing Commands... LSMS Function Service Call Description Service Output other than the exact length of the issued command, then the command did not execute successfully. if the returned value is equal to the exact length of the issued command, then the command executed successfully; if the sets trace levels (disabled [TRCLEVEL] "trace level" returned value is in production). equal to any value other than the exact length of the issued command, then the command did not execute successfully. 
if the returned value is equal to the exact length of the issued command, then the command executed successfully; if the enables specific tracing [TRCENABLE] "trace enable" returned value is (disabled in production). equal to any value other than the exact length of the issued command, then the command did not execute successfully. prints general or specific Displays control [TRCHELP] "trace help" debug trace help. status information Page 36 of 68 Writing Commands... LSMS Function Service Call Description Service Output about how to use the trace functions if the returned value is equal to the exact length of the issued command, then the command executed causes a stack dump to be successfully; if the [DUMPENABLE] "dump enable" generated if the current returned value is thread terminates. equal to any value other than the exact length of the issued command, then the command did not execute successfully. if the returned value is equal to the exact length of the issued command, then the command executed causes the brick to generate successfully; if the ARPs for any local [ARPSRVRS] "arp servers" returned value is management addresses (i.e. equal to any value LSMS). other than the exact length of the issued command, then the command did not execute successfully. if the returned value is equal to the exact length of "add audit create an audit msg trace [ADDAUDFIL] the issued filter" filter. command, then the command executed Page 37 of 68 Writing Commands... LSMS Function Service Call Description Service Output successfully; if the returned value is equal to any value other than the exact length of the issued command, then the command did not execute successfully. if the returned value is equal to the exact length of the issued command, then the command executed successfully; if the "mod audit modify an audit msg trace [MODAUDFIL] returned value is filter" filter. 
equal to any value other than the exact length of the issued command, then the command did not execute successfully. if the returned value is equal to the exact length of the issued command, then the command executed "delete audit delete an audit msg trace successfully; if the [DELAUDFIL] filter" filter. returned value is equal to any value other than the exact length of the issued command, then the command did not execute successfully. Page 38 of 68 Writing Commands... LSMS Function Service Call Description Service Output Enables or disables an audit msg trace filter. If the returned value is equal to the exact length of the issued command, then the command "set audit enable/disable an audit msg executed [SETAUDFIL] filter" trace filter. successfully; if the returned value is equal to any value other than the exact length of the issued command, then the command did not execute successfully. Enable/disable ARP filters. If the returned value is equal to the exact length of the issued command, then the command executed [SETARPFILTER] "set arp filter" enable/disable arp filters. successfully; if the returned value is equal to any value other than the exact length of the issued command, then the command did not execute successfully. set nonip enable/disable non-IP Enable/Disable [SETNONIPFILTER] filter" filters. non-IP filters. Page 39 of 68 Writing Commands... LSMS Function Service Call Description Service Output If the returned value is equal to the exact length of the issued command, then the command executed successfully; if the returned value is equal to any value other than the exact length of the issued command, then the command did not execute successfully. 
If the returned value is equal to the exact length of the issued command, then the command executed successfully; if the "add packet [ADDPKTFIL] create a packet trace filter returned value is filter" equal to any value other than the exact length of the issued command, then the command did not execute successfully. If the returned value is equal to the exact length of "mod packet modifies a packet trace the issued [MODPKTFIL] filter" filter command, then the command executed successfully; if the Page 40 of 68 Writing Commands... LSMS Function Service Call Description Service Output returned value is equal to any value other than the exact length of the issued command, then the command did not execute successfully. If the returned value is equal to the exact length of the issued command, then the command executed successfully; if the "delete packet [DELPKTFIL] deletes a packet trace filter returned value is filter" equal to any value other than the exact length of the issued command, then the command did not execute successfully. If the returned value is equal to the exact length of the issued command, then the command executed successfully; if the "set packet enables/disables a packet [SETPKTFIL] returned value is filter" trace filter equal to any value other than the exact length of the issued command, then the command did not execute successfully. Page 41 of 68 Writing Commands... LSMS Function Service Call Description Service Output If the returned value is equal to the exact length of the issued command, then the command sets the size of the window executed over which error messages successfully; if the get throttled. ("throttled" [SETTHROTTLE] "set throttle" returned value is means to have the message equal to any value rate reduced to a particular other than the level.) exact length of the issued command, then the command did not execute successfully. 
Displays status causes the brick to identify "what are you" information about [WWHATAREU] itself the brick on screen if the returned value is equal to the exact length of the issued command, then the command executed successfully; if the "delete deletes an entry from the [DSESS] returned value is session" session cache. equal to any value other than the exact length of the issued command, then the command did not execute successfully. implements a number of Displays subcommands to modify or configuration display: information for [CONFIG] "config" - Intelligent Cache description of Management Policy. subcommands. - MAC move and starcast Page 42 of 68 Writing Commands... LSMS Function Service Call Description Service Output zone If a subcommand matching policy. is issued, then if - UDP encapsulation policy the returned value - redundant LSMS rehome is equal to the policy exact length of the - SLA probes issued command, - the current (write) then the command command tracing executed setting successfully; if the - also allows for removal of returned value is cache equal to any value entries based upon the tag other than the that exact length of the associates them with a issued command, particular then the command dynamic host group or did not execute IPSec tunnel. successfully. if the returned value is equal to the exact length of the issued command, then the command move a couple of brick- executed wide configuration settings successfully; if the "switch [SMINOSCFG] from pending to active returned value is minos" (starcast zone matching & equal to any value mac moves). other than the exact length of the issued command, then the command did not execute successfully. if the returned value is equal to the exact length of "write display failover info or the issued [WFAILOVER] failover" cause failover to standby. command, then the command executed successfully; if the Page 43 of 68 Writing Commands... 
LSMS Function Service Call Description Service Output returned value is equal to any value other than the exact length of the issued command, then the command did not execute successfully. Displays status output failover information. if the returned value is equal to the exact length of the issued command, then the command examines the state of the executed standby to determine if it successfully; if the can take over all of the [CANFAILOVER] "can failover" returned value is processing without losing equal to any value anything (i.e. no interfaces other than the have failed). exact length of the issued command, then the command did not execute successfully. if the returned value is equal to the exact length of the issued command, then the command set the file descriptor "set file executed [SETSFD] associated with an active descriptor" successfully; if the remote console. returned value is equal to any value other than the exact length of the issued command, then the command Page 44 of 68 Writing Commands... LSMS Function Service Call Description Service Output did not execute successfully. if the returned value is equal to the exact length of the issued command, then the command the flag controls whether or executed not certain messages (such successfully; if the as those generated using [SETTRACEFLAG] "set trace flag" returned value is the trace audit command) equal to any value get displayed on the other than the console. exact length of the issued command, then the command did not execute successfully. if the returned value is equal to the exact length of the issued command, then the command executed force the thread that waits successfully; if the "exit for the active brick to send [EFILEDOWN] returned value is fdownload" it messages to quite so this equal to any value brick can go active. other than the exact length of the issued command, then the command did not execute successfully. 
if the returned add interface information value is equal to "add to the pending table the exact length of [PORTTBL] interface" (prerequisite begin the issued tableload). command, then the command Page 45 of 68 Writing Commands... LSMS Function Service Call Description Service Output executed successfully; if the returned value is equal to any value other than the exact length of the issued command, then the command did not execute successfully. if the returned value is equal to the exact length of the issued command, then the command executed add information about a successfully; if the [VIPTBL] "add vlanip" VLAN (prerequisite begin returned value is tableload). equal to any value other than the exact length of the issued command, then the command did not execute successfully. if the returned value is equal to the exact length of the issued command, then the command adds a brick partition to the executed [PARTITION] "add partition" pending table. (prerequisite successfully; if the begin tableload). returned value is equal to any value other than the exact length of the issued command, then the command did not execute Page 46 of 68 Writing Commands... LSMS Function Service Call Description Service Output successfully. if the returned value is equal to the exact length of the issued command, then the command executed successfully; if the "set sets the time offset between [SETTIMEOFFSET] returned value is timeoffset" the LSMS and the brick. equal to any value other than the exact length of the issued command, then the command did not execute successfully. tts - display the stack of the currently executing thread ttS - display the stacks of all of the threads. ttx - display a summary of memory usage ttd - exists in the API, a collection of commands but does nothing. that display information "ctrl [WTTCMDS] about the amount of ttp - displays per commands" thread statistics and memory free, number of current state packets processed, etc. 
ttD - redisplays the last panic dump since the brick rebooted (if any) ttr - reboot the brick ttm - another memory usage summary ttq - display the mac Page 47 of 68 Writing Commands... LSMS Function Service Call Description Service Output table tta - enable copying audit messages to the console as well as the LSMS ttb - toggle the "enable fastpkt" flag (fastpkt is a fast packet processing algorithm for TCP and UDP) ttE and ttP - make the brick print out usage statistics every 30 seconds. ttc - displays session cache statistics tt? - tt command help ttF - display syn flood table ttf - display list of files attached to thread #6. if the returned value is equal to the exact length of the issued command, then the command executed change the default internal successfully; if the "set delay from the time the [WBOOTDELAY] returned value is bootdelay" brick boots until the time it equal to any value can become active. other than the exact length of the issued command, then the command did not execute successfully. add an entry to the pending if the returned [WADDAPPFILTER] "add appfilter" application filter policy value is equal to Page 48 of 68 Writing Commands... LSMS Function Service Call Description Service Output (prerequisite begin load). the exact length of the issued command, then the command executed successfully; if the returned value is equal to any value other than the exact length of the issued command, then the command did not execute successfully. Display status [WPING] "ping" sends out pings. output ping information Display status [WTRACEROUTE] "traceroute" does traceroute. output traceroute information if the returned value is equal to the exact length of the issued command, then the command adds link aggregation executed information to the pending successfully; if the "add [ADDAGGREGATE] brick config table returned value is aggregate" (prerequisite (begin equal to any value tableload). 
other than the exact length of the issued command, then the command did not execute successfully. adds Point to Point if the returned Protocol over Ethernet value is equal to [ADDPPPOE] "add pppoe" (PPPoE) information to the the exact length of pending brick config table. the issued (prerequisite (begin command, then the Page 49 of 68 Writing Commands... LSMS Function Service Call Description Service Output tableload). command executed successfully; if the returned value is equal to any value other than the exact length of the issued command, then the command did not execute successfully. "display displays current PPPoE Displays current [DISPLAYPPPOE] pppoe" state. PPPoE state if the returned value is equal to the exact length of the issued command, then the command executed enables the brick to print successfully; if the [TRACEPPPOE] "trace pppoe" PPPoE negotiation returned value is messages. equal to any value other than the exact length of the issued command, then the command did not execute successfully. Displays current displays the current non-IP "display non-IP protocols [DISPLAYNONIP] protocols to allow through nonip" allowed with the brick. module if the returned value is equal to activates the currently the exact length of pending link aggregation the issued [INSTALLAGGREGATES] "instaggr" set without deleting the command, then the pending set. command executed successfully; if the Page 50 of 68 Writing Commands... LSMS Function Service Call Description Service Output returned value is equal to any value other than the exact length of the issued command, then the command did not execute successfully. Table 8 - LSMS Writing Commands Reading Commands... LSMS Function Service Call Description Service Output read the rules for a Displays rules for a [RRULES] "read rules" particular zone. particular zone. read the zone assignment Displays table [RTABLE] "read table" table entries. entries for zone assignment. 
read the session cache Displays session entries or some summary cache [RCACHE] "read cache" info for a zone. entries/summary information for a zone. read information about the Display defined management configuration "read config servers. information about [RCONFIG] data" defined management servers. read keywords from the Displays keywords [RKEYWRD] "read keyword" inferno.ini configuration from inferno.ini file. configuration file the current timestamp. Displays the current [RTIME] "read time" timestamp. read the number of seconds Displays the since the brick number of seconds [RUPTIME] "read uptime" booted/became active. since the module booted/became active. Page 51 of 68 Reading Commands... LSMS Function Service Call Description Service Output read information about the Displays status state of the Intelligent information about [REPORTICM] "report icm" Cache Management the state of the feature. Intelligent Cache Management. read information about the Displays [RDOMINF] "read dominfo" policy's signer. information about policy's signer. read information about the Displays brick config's signer. information about [RTBLINF] "read tblinfo" module's configuration signer. this is an old command that [This function is no longer used in LVF cannot be used in [RLSTATE] "read load state" version 7.2.292 the FIPS mode of operation.] read whether or not the Displays ping status [RPINGSTAT] "read ping stat" audit channel seems information. healthy. read some information Displays SA about the SAs for a zone. information for a [RSAS] "read sas" (e.g. SPIs, host addresses, zone. algorithms. *NOT* keys). read whether or not this Displays status brick is restricted to 56 bit information on [REXPORT] "get export" encryption. whether module is restricted to 56 bit encryption. "get read the current software Displays current [RSWVERSION] sw_version" version. software version. read entries from the MAC Displays entries [RMAC] "read mac" table. from MAC table. 
read entries from the ARP Displays entries [RARP] "read arp" table. from ARP table. read entries from the audit Displays entries "read audit [RAUDFIL] trace filter table. from audit trace filter" filter table. read entries from the Displays entries "read packet [RPKTFIL] packet trace filter table. from the packet filter" trace filter table. "read read entries from the host Displays entries [RHSTGRPS] hostgroups" group table for a zone. from the host group Page 52 of 68 Reading Commands... LSMS Function Service Call Description Service Output table for a zone. read entries from the Displays entries "read service group table for a from the service [RSRVGRPS] servicegroups" zone. group table for a zone. read the list of static routes. Displays the list of [RROUTES] "read routes" static routes. determine whether the hash Displays whether of a string matches a the hash of a string [MHASH] "match hash" reference hash. matches a reference hash. reads the brick's name and Displays module's a couple of other useful name, version, and [RWHATAREU] "what are you" pieces of information. other useful information about the module. displays the number of Displays number of SA's loaded via the "add SAs loaded via the "count dynamic [RCOUNTDYNSAS] dynamic ipsec" command "add dynamic sas" on this zone. ipsec" command on the zone. displays information about Displays the MAC move feature and information on the starcast zone matching MAC move feature [RMINOS] "read minos" policy. and the starcast zone matching policy. reads information about Displays whether whether the brick is ready module is ready to [RACTIVITY] "read activity" to transition from standby transition from to active. standby to active. displays failover Displays failover [RFAILOVER] "read failover" information. status. displays the current error Displays current [RDTHROTTLE] "read throttle" message throttling interval. error message throttling interval. 
waits for file transfer Displays file "read information from the active transfer information [RFILEDOWN] fdownload" to the standby. from active to standby. "read stickiness reads how long the brick Displays how long [RSTTIMER] timer" (LSMS should wait before trying to the module should redundancy) go back to the higher wait before trying Page 53 of 68 Reading Commands... LSMS Function Service Call Description Service Output priority LSMS. to get back to the higher priority LSMS. reads information about the Displays current current configuration for: configuration - UDP encapsulation policy information for: - NAT table policy - UDP [READ] "read" - SLA probes encapsulation policy - NAT table policy - SLA probes reads information about the Displays VLAN [RVLANS] "read vlans" VLAN configuration. configuration information. reads information about the Displays partition [RPARTITIONS] "read partitions" partition configuration. configuration information. reads what LSMS was last Displays what [RLASTHOMEDLSMS] "read lastlsms" connected. LSMS was last connected. reads the result of decoding Displays result of [RDEC64] "read decode64" base 64 encoded input back decoding base 64 into its original form. information. reads the result of encoding Displays result of [RENC64] "read encode64" base 64 arbitrary byte encoding base 64 streams. information. reads whether or not the Displays whether or "read audit [RCONTACT] audit channel is active. not the audit contact" channel is active. reads some pseudo random Sends back a "get random [RRANDOM] bytes. Used during the pseudo random bytes" initialization of flash. number to be used. displays current DHCP Displays current [DHCP] "dhcp" client state. DHCP client state. displays the model number Displays the [RMODELNUMBER] "read model" of this brick. module's model number. disabled on this version of N/A [VPN] "vpn" the brick. 
Table 9 - LSMS Reading Commands

The console/serial/keyboard/monitor ports provide a CLI which offers the Crypto Officer the following services:
Columns: Service Input, Description, Service Output.

"bootstrap": allows the CO to reload the certificate and initialization information into the brick via the serial port (keyboard). Output: Bootstraps the module.
"help": prints the list of commands. Output: Displays the list of commands and their system usage.
"help ": prints help for the named command. Output: Displays usage of the named command.
"logout": logs out from the remote port. Output: Closes down the CLI.
"initialize flash": initializes the flash configuration. Output: Initializes the flash configuration.
"ping [options]": sends an ICMP ping packet and prints response times. Output: Sends an ICMP ping to the specified IP address.
"repeat": repeats the previous command. Output: Attempts to execute the previous command entered by keyboard.
"refresh ": refreshes the brick's mac or arp table. Output: Displays " table cleared" if successful; displays "Error -> refresh, missing table argument" if unsuccessful.
"display arptable": displays the contents of the arp table. Output: Displays the IP Address, MAC Address, VlanID, Status, Refcnt, and total arp entries.
"display configuration": prints the inferno.ini file. Output: Displays the contents of the inferno.ini file.
"display dhcp": displays DHCP configuration information. Output: Displays DHCP server IP, DHCP gateway IP, time lease expires in, time lease renewal in, and DNS server(s).
"display encapsulation ": displays UDP encapsulation info for the zone. Output: Displays the UDP encapsulation information for the zone.
"display failover": displays failover status. Output: Displays failover status if enabled; displays "Failover feature not enabled" if disabled.
"display files ": prints the names of the files. Output: Displays the size, date, and names of the files for the given argument.
"display hostgroups ": displays a zone's hostgroup definitions. Output: Displays a table with Host Name, Typ, TmOut, TagValue, IP Address / Range for all entries in the zone.
"display icm": displays ICM info. Output: Displays current ICM information.
"display interfacestatus []": displays information about an interface's NIC. Output: Displays the Interface, Root, I/F, MAC, Link, Speed, and Mode for all the interfaces on the NIC.
"display lsms": prints the current LSMS connected (or the last). Output: Displays "Last LSMS was ".
"display mactable []": displays the MAC table for the specified interface. Output: Displays a table with entries for IF, MAC, Address, Status, VLAN, and Refcnt for all mac table entries, and the total number of mac table entries.
"display mempools": prints information on the 5 memory pools of the brick. Output: Displays information on the memory pools of the brick in a table as Pool, Max-Size, Cur-Size, Peak, Arena-Sz, and In-Use.
"display nat ": prints information about the NAT tables for a zone. Output: Displays a table with entries for Name, RefCt, Pre-NAT list, and Post-NAT list.
"display partitions": prints partition information. Output: Displays partition and VLAN ID.
"display policy <zone>": prints the ruleset for the specified zone. Output: Displays a table with entries for Rule#, Source, Destination, Service, A, D, SM, DM, PM, DEP, and VPN. Displays load date, sign date, and LSMS administrator for the policy.
"display pppoe": displays pppoe information. Output: Displays pppoe information for #, Vlan, States, Address, MTU, DNS1, and DNS2.
"display remoteconsole": displays information about the remote console. Output: Displays "User is connected through remote console."
"display routes []": displays routing information for an interface. Output: Displays routing information for an interface.
"display sa ": displays a zone's current security associations. Output: Displays SPI, User Name, Source, Destination, Prot, AH, ESP, TEP, Sec/Kbytes for current SAs.
"display servicegroups ": displays a zone's servicegroup definitions. Output: Displays Service, Name, Definitions, and App Mon for the zone.
"display sessions []": prints the zone's session cache, optionally filtered by an IP address. Output: Displays Source, Destination, Service, AVE, Rule#, FWD-PKT/B, and REV-PKT/B for the zone.
"display slamon ": displays the list of SLA probes and some statistics about each one (#send, #received, max round trip delay). Output: Displays #send, #received, max round trip, delay for entries in the zone if they exist.
"display time": prints the brick's current time in GMT. Output: Displays "the current time is