1 motorola confidential proprietary 1 fips 140-2 level 2 and cc eal4 certified wireless solution...
TRANSCRIPT
1Motorola Confidential Proprietary 1
FIPS 140-2 Level 2 and CC EAL4 Certified Wireless Solution Training Presentation
Sameer Kanagala
December 15, 2008
RFS7000-GR
AP300
Winner 2008
2Motorola Confidential Proprietary
Agenda
Overview
Feature Descriptions
Feature Summary
Questions
3Motorola Confidential Proprietary
FIPS 140-2 Level 2 and
Common Criteria (CC) EAL4 Overview
4Motorola Confidential Proprietary
Need for FIPS 140-2 Level 2 & CC EAL4: Customer Scenarios
Primary Targets for FIPS 140-2 Level 2 and CC EAL4 Certified Wireless Infrastructure:
Government Agencies like DoD, Veterans Administration
Financial Institutions like Banks, and stock exchanges
Other organizations requiring Highest levels of security like air and seaports
5Motorola Confidential Proprietary
FIPS and CC DeploymentRFS7000 adopts up to 256 AP300sSwitch connection to AAA, Syslog and NTP servers is secured using IPSec TunnelsSwitch connection to other switches in a cluster is secured using IPSec Tunnels
WLAN Corporate: VLAN 100
EAP Exchange
Secure ConnectionsIPsec VPN Tunnels
RADIUS
NTP
AUDIT
RFS7000-GR
Local Console
AP300
EAP Exchange
AP300
6Motorola Confidential Proprietary
Tamper Evident Labels
Tamper-evident Labels with Motorola Logo (Batwings) are produced from a special thin gauge vinyl with self-adhesive backing
The primary goal of the Labels is to detect any attempt to gain access to the internals of the Switch
The Motorola tamper evidence labels have non-repeated serial numbers
The labels may be inspected by the customer for damage and compared against the applied serial numbers to verify that the module has not been tampered
New labels are applied at Manufacturing and after each service hence the customer MUST update his database after each such event
7Motorola Confidential Proprietary
FIPS and CC Feature Descriptions
8Motorola Confidential Proprietary
FIPS 140-2 Level 2 and CC EAL4 Feature Summary
FIPS 140-2 Level 2 FIPS Feature Additions
FIPS Feature Modifications
Common Criteria (CC) EAL4 CC Feature Additions
CC Feature Modifications
9Motorola Confidential Proprietary
RFS7000-GR vs. Regular Switch ReleasesUnsupported Features
Adaptive AP Support Encryption Mechanisms
WEP 40M28 (RC4) KeyGuard WPA-TKIP WPA2 TKIP
Authentication Mechanisms Kerberos
Transport Encryption WEP 40/128 (RC4) KeyGuard WPA-TKIP WPA2-TKIP
IPSEC VPN Gateway Encryption DES
Integrated AAA/RADIUS Server Allowed in FIPS only Mode but not in CC
NAC Support RTLS Engine and RTLS Partner Support
At a G
lance
10Motorola Confidential Proprietary
FIPS - Feature Additions
KAT, CRNG and Power on self tests for QuickSec and OpenSSL libraries
Security between switch and NTP server.
Security between switch and Auth server (Radius)
Security between switch and log server (SYSLOG)
WIPE command to erase all keys and passwords.
Firmware and Writable date integrity check
zeroization of keys.
Introduction of crypto officer and other roles (different from regular roles that we have in our existing CLI)
Upgrade and downgrade support (this includes new digitally signed key to be added which should be through FIPS approved algorithm used)
Authentication strength for management access (CLI)
Role based authentication Test for Hardware components Any test failure- handle the state
machine and reboot the box
11Motorola Confidential Proprietary
FIPS - Feature Modifications
Cert Manager, DHCP, Radius, Stunnel, OpenSSH, Version compatibility and FIPS approved algorithm usage.
Wireless – Power on self-test, KAT test for current AES library.
Removing/Suppressing all non-approved commands as part of FIPS. (including debug and other commands)
Core dump, Panic Dump and Root shell access removal.
VPN and IPSec tunnel for switch to server communication
Display of crypto keys. (Getting more than one confirmation)
QuickSec changes to have approved algorithm.
Disabling SNMP and Applet
FIPS documentation support for security target and protection profile documents.
L3 mobility and Cluster peers formed under IPSec/VPN tunnels
12Motorola Confidential Proprietary
CC - Feature Additions
Audit events generation and configuration
Cryptographic Key destruction
Access Banner – This expects to intercept the EAP and other authentication packets exchanged between MU and Radius server to locate the user-name.
Additional self test requirements based on user request.
Verification of integrity of data on the switch (non binary)
Critical Test for Hardware
Automatic power-up tests when crypto keys generated
Managing audit events and configurations
Switch-lockup when admin reaches max password attempt and allow only the serial port is accessible.
13Motorola Confidential Proprietary
CC - Feature modifications
Packet zeroization and overwriting with three different patters.
Overwriting all inter-mediate, private and plain test keys
Logging on and off for audit events
14Motorola Confidential Proprietary
Robustness Profile - Requirements
“The US Government Wireless Local Area Network (WLAN) Access System Protection Profile For Basic Robustness Environments Mandates that a Secure connection be established with any external Server or Device”
The Motorola Wireless LAN Switches in FIPS and CC mode will establish a IPSec Tunnel for :Security between switch and NTP server.
Security between switch and AAA (Radius)
Security between switch and log server (SYSLOG)
Security between switches in a cluster
15Motorola Confidential Proprietary
Configuration updates
AP300 gets configured by the Switch initially as part of the adoption sequence.
When the configuration is applied on the AP300, the radios will shutdown and reinitialize (this process takes less than 2 seconds) forcing currently associated MUs to be de-authenticated
16Motorola Confidential Proprietary
FIPS and CC Feature Summary
17Motorola Confidential Proprietary
Configuring some Key Features
For a complete list refer to RFS7000 FIPS/CC Service and Support Training Guide Access Banner
Administrator configurable banner that provides all users with a warning about unauthorized use of the TOE
A banner will be presented to all TOE users that allows direct access to the TOE
User roles The user roles provided are administrator and wireless user. Administrator can manage
TOE configuration where a wireless user can associate to the TOE and access the wired resources (ex: browsing the web)
username <name> privilege (crypto-officer|monitor) crypto-officer – Crypto officer and Network (wired/wireless) admin access monitor – Monitor (read-only) access Remote management using SSH 2.0 protocol Self test on demand Zeroization of packets used by both IP stack and data plane (network
interface). Packet zeroization and overwriting with three different patters.
18Motorola Confidential Proprietary
FIPS and CC Added Features
Feature Name
1 Power on self test for RNG, KAT and Key pair generations
2 IPSec/Tunnels between cluster, l3 mobility peers and between switch and external servers (Radius, Syslog and NTP server)
3 Zeroization of keys
4 Switch access authentication strength
5 Audit event generation and management
6 Firmware integrity
7 Data integrity
8 On demand self test execution
9 Access Banner
10 Crypto keys destruction
19Motorola Confidential Proprietary
FIPS and CC Unsupported Features
Feature Name
1 Auto-Install (not FIPS compliant)
2 Wep64, 128 and TKIP (not FIPS compliant)
3 Copy tech support (not FIPS compliant)
4 FTP, tftp, copy commands (not FIPS compliant)
5 Upgrade and downgrade using tftp, ftp, http (not FIPS compliant)
6 External Kerberos server (not FIPS compliant)
7 Applet
8 SNMP
9 OpenSSH 1.0 (not FIPS compliant)
10 Telnet
20Motorola Confidential Proprietary
FIPS and CC Unsupported Features (Continued)
Feature Name
11 Root shell access
12 Help desk user roles
13 NTP client with broadcast discovery server (not FIPS compliant)
14 IPSec/VPN tunnels using Public key crypto-graph protocols (RSA and DSA)
15 CLI Password reset without logging into CLI (not FIPS compliant)
16 GDB, Strace (not FIPS compliant)
17 Debug Commands (not FIPS compliant)
18 RFMS (since no SNMP support)
19 MSP (since No SNMP support)
20 Packet capture
21Motorola Confidential Proprietary
Thank You forYour Time and Attention
Questions/Comments/Feedback?