1 / 21

FIPS 140-2 Level 2 and CC EAL4 Certified Wireless Solution Training Presentation

FIPS 140-2 Level 2 and CC EAL4 Certified Wireless Solution Training Presentation. RFS7000-GR. AP300. Winner 2008. December 15, 2008. Sameer Kanagala. 1. Agenda. Overview Feature Descriptions Feature Summary Questions.

ovidio
Download Presentation

FIPS 140-2 Level 2 and CC EAL4 Certified Wireless Solution Training Presentation

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. FIPS 140-2 Level 2 and CC EAL4 Certified Wireless SolutionTraining Presentation RFS7000-GR AP300 Winner 2008 December 15, 2008 Sameer Kanagala 1

  2. Agenda Overview Feature Descriptions Feature Summary Questions

  3. FIPS 140-2 Level 2 and Common Criteria (CC) EAL4 Overview

  4. Need for FIPS 140-2 Level 2 & CC EAL4: Customer Scenarios Primary Targets for FIPS 140-2 Level 2 and CC EAL4 Certified Wireless Infrastructure: • Government Agencies like DoD, Veterans Administration • Financial Institutions like Banks, and stock exchanges • Other organizations requiring Highest levels of security like air and seaports

  5. FIPS and CC DeploymentRFS7000 adopts up to 256 AP300sSwitch connection to AAA, Syslog and NTP servers is secured using IPSec TunnelsSwitch connection to other switches in a cluster is secured using IPSec Tunnels RFS7000-GR Secure Connections IPsec VPN Tunnels RADIUS Local Console NTP AP300 AUDIT AP300 EAP Exchange EAP Exchange WLAN Corporate: VLAN 100

  6. Tamper Evident Labels • Tamper-evident Labels with Motorola Logo (Batwings) are produced from a special thin gauge vinyl with self-adhesive backing • The primary goal of the Labels is to detect any attempt to gain access to the internals of the Switch • The Motorola tamper evidence labels have non-repeated serial numbers • The labels may be inspected by the customer for damage and compared against the applied serial numbers to verify that the module has not been tampered • New labels are applied at Manufacturing and after each service hence the customer MUST update his database after each such event

  7. FIPS and CC Feature Descriptions

  8. FIPS 140-2 Level 2 and CC EAL4 Feature Summary • FIPS 140-2 Level 2 • FIPS Feature Additions • FIPS Feature Modifications • Common Criteria (CC) EAL4 • CC Feature Additions • CC Feature Modifications

  9. RFS7000-GR vs. Regular Switch ReleasesUnsupported Features • Adaptive AP Support • Encryption Mechanisms • WEP 40M28 (RC4) • KeyGuard • WPA-TKIP • WPA2 TKIP • Authentication Mechanisms • Kerberos • Transport Encryption • WEP 40/128 (RC4) • KeyGuard • WPA-TKIP • WPA2-TKIP • IPSEC VPN Gateway Encryption • DES • Integrated AAA/RADIUS Server • Allowed in FIPS only Mode but not in CC • NAC Support • RTLS Engine and RTLS Partner Support At a Glance

  10. KAT, CRNG and Power on self tests for QuickSec and OpenSSL libraries Security between switch and NTP server. Security between switch and Auth server (Radius) Security between switch and log server (SYSLOG) WIPE command to erase all keys and passwords. Firmware and Writable date integrity check zeroization of keys. Introduction of crypto officer and other roles (different from regular roles that we have in our existing CLI) Upgrade and downgrade support (this includes new digitally signed key to be added which should be through FIPS approved algorithm used) Authentication strength for management access (CLI) Role based authentication Test for Hardware components Any test failure- handle the state machine and reboot the box FIPS - Feature Additions

  11. FIPS - Feature Modifications • Cert Manager, DHCP, Radius, Stunnel, OpenSSH, Version compatibility and FIPS approved algorithm usage. • Wireless – Power on self-test, KAT test for current AES library. • Removing/Suppressing all non-approved commands as part of FIPS. (including debug and other commands) • Core dump, Panic Dump and Root shell access removal. • VPN and IPSec tunnel for switch to server communication • Display of crypto keys. (Getting more than one confirmation) • QuickSec changes to have approved algorithm. • Disabling SNMP and Applet • FIPS documentation support for security target and protection profile documents. • L3 mobility and Cluster peers formed under IPSec/VPN tunnels

  12. CC - Feature Additions • Audit events generation and configuration • Cryptographic Key destruction • Access Banner – This expects to intercept the EAP and other authentication packets exchanged between MU and Radius server to locate the user-name. • Additional self test requirements based on user request. • Verification of integrity of data on the switch (non binary) • Critical Test for Hardware • Automatic power-up tests when crypto keys generated • Managing audit events and configurations • Switch-lockup when admin reaches max password attempt and allow only the serial port is accessible.

  13. CC - Feature modifications • Packet zeroization and overwriting with three different patters. • Overwriting all inter-mediate, private and plain test keys • Logging on and off for audit events

  14. Robustness Profile - Requirements “The US Government Wireless Local Area Network (WLAN) Access System Protection Profile For Basic Robustness Environments Mandates that a Secure connection be established with any external Server or Device” The Motorola Wireless LAN Switches in FIPS and CC mode will establish a IPSec Tunnel for : • Security between switch and NTP server. • Security between switch and AAA (Radius) • Security between switch and log server (SYSLOG) • Security between switches in a cluster

  15. Configuration updates • AP300 gets configured by the Switch initially as part of the adoption sequence. • When the configuration is applied on the AP300, the radios will shutdown and reinitialize (this process takes less than 2 seconds) forcing currently associated MUs to be de-authenticated

  16. FIPS and CC Feature Summary

  17. Configuring some Key Features For a complete list refer to RFS7000 FIPS/CC Service and Support Training Guide • Access Banner • Administrator configurable banner that provides all users with a warning  about unauthorized  use of the TOE • A banner will be presented  to all TOE users that allows direct access to the TOE • User roles • The user roles provided are administrator and wireless user. Administrator can manage TOE configuration where a wireless user can associate to the TOE and access the wired resources (ex: browsing the web) • username <name> privilege (crypto-officer|monitor) • crypto-officer – Crypto officer and Network (wired/wireless) admin access • monitor – Monitor (read-only) access • Remote management using SSH 2.0 protocol • Self test on demand • Zeroization of packets used by both IP stack and data plane (network interface). • Packet zeroization and overwriting with three different patters.

  18. FIPS and CC Added Features

  19. FIPS and CC Unsupported Features

  20. FIPS and CC Unsupported Features (Continued)

  21. Thank You forYour Time and Attention Questions/Comments/Feedback?

More Related