1 Motorola Confidential Proprietary 1 FIPS 140-2 Level 2 and CC EAL4 Certified Wireless Solution Training Presentation Sameer Kanagala December 15, 2008

1Motorola Confidential Proprietary 1

FIPS 140-2 Level 2 and CC EAL4 Certified Wireless Solution Training Presentation

Sameer Kanagala

December 15, 2008

RFS7000-GR

AP300

Winner 2008

2Motorola Confidential Proprietary

Agenda

Overview

Feature Descriptions

Feature Summary

Questions


FIPS 140-2 Level 2 and

Common Criteria (CC) EAL4 Overview


Need for FIPS 140-2 Level 2 & CC EAL4: Customer Scenarios

Primary Targets for FIPS 140-2 Level 2 and CC EAL4 Certified Wireless Infrastructure:

Government Agencies like DoD, Veterans Administration

Financial Institutions like Banks, and stock exchanges

Other organizations requiring Highest levels of security like air and seaports


FIPS and CC DeploymentRFS7000 adopts up to 256 AP300sSwitch connection to AAA, Syslog and NTP servers is secured using IPSec TunnelsSwitch connection to other switches in a cluster is secured using IPSec Tunnels

WLAN Corporate: VLAN 100

EAP Exchange

Secure ConnectionsIPsec VPN Tunnels

RADIUS

NTP

AUDIT

RFS7000-GR

Local Console

AP300

EAP Exchange

AP300


Tamper Evident Labels

Tamper-evident Labels with Motorola Logo (Batwings) are produced from a special thin gauge vinyl with self-adhesive backing

The primary goal of the Labels is to detect any attempt to gain access to the internals of the Switch

The Motorola tamper evidence labels have non-repeated serial numbers

The labels may be inspected by the customer for damage and compared against the applied serial numbers to verify that the module has not been tampered

New labels are applied at Manufacturing and after each service hence the customer MUST update his database after each such event


FIPS and CC Feature Descriptions


FIPS 140-2 Level 2 and CC EAL4 Feature Summary

FIPS 140-2 Level 2 FIPS Feature Additions

FIPS Feature Modifications

Common Criteria (CC) EAL4 CC Feature Additions

CC Feature Modifications


RFS7000-GR vs. Regular Switch ReleasesUnsupported Features

Adaptive AP Support Encryption Mechanisms

WEP 40M28 (RC4) KeyGuard WPA-TKIP WPA2 TKIP

Authentication Mechanisms Kerberos

Transport Encryption WEP 40/128 (RC4) KeyGuard WPA-TKIP WPA2-TKIP

IPSEC VPN Gateway Encryption DES

Integrated AAA/RADIUS Server Allowed in FIPS only Mode but not in CC

NAC Support RTLS Engine and RTLS Partner Support

At a G

lance


FIPS - Feature Additions

KAT, CRNG and Power on self tests for QuickSec and OpenSSL libraries

Security between switch and NTP server.

Security between switch and Auth server (Radius)

Security between switch and log server (SYSLOG)

WIPE command to erase all keys and passwords.

Firmware and Writable date integrity check

zeroization of keys.

Introduction of crypto officer and other roles (different from regular roles that we have in our existing CLI)

Upgrade and downgrade support (this includes new digitally signed key to be added which should be through FIPS approved algorithm used)

Authentication strength for management access (CLI)

Role based authentication Test for Hardware components Any test failure- handle the state

machine and reboot the box


FIPS - Feature Modifications

Cert Manager, DHCP, Radius, Stunnel, OpenSSH, Version compatibility and FIPS approved algorithm usage.

Wireless – Power on self-test, KAT test for current AES library.

Removing/Suppressing all non-approved commands as part of FIPS. (including debug and other commands)

Core dump, Panic Dump and Root shell access removal.

VPN and IPSec tunnel for switch to server communication

Display of crypto keys. (Getting more than one confirmation)

QuickSec changes to have approved algorithm.

Disabling SNMP and Applet

FIPS documentation support for security target and protection profile documents.

L3 mobility and Cluster peers formed under IPSec/VPN tunnels


CC - Feature Additions

Audit events generation and configuration

Cryptographic Key destruction

Access Banner – This expects to intercept the EAP and other authentication packets exchanged between MU and Radius server to locate the user-name.

Additional self test requirements based on user request.

Verification of integrity of data on the switch (non binary)

Critical Test for Hardware

Automatic power-up tests when crypto keys generated

Managing audit events and configurations

Switch-lockup when admin reaches max password attempt and allow only the serial port is accessible.


CC - Feature modifications

Packet zeroization and overwriting with three different patters.

Overwriting all inter-mediate, private and plain test keys

Logging on and off for audit events


Robustness Profile - Requirements

“The US Government Wireless Local Area Network (WLAN) Access System Protection Profile For Basic Robustness Environments Mandates that a Secure connection be established with any external Server or Device”

The Motorola Wireless LAN Switches in FIPS and CC mode will establish a IPSec Tunnel for :Security between switch and NTP server.

Security between switch and AAA (Radius)

Security between switch and log server (SYSLOG)

Security between switches in a cluster


Configuration updates

AP300 gets configured by the Switch initially as part of the adoption sequence.

When the configuration is applied on the AP300, the radios will shutdown and reinitialize (this process takes less than 2 seconds) forcing currently associated MUs to be de-authenticated


FIPS and CC Feature Summary


Configuring some Key Features

For a complete list refer to RFS7000 FIPS/CC Service and Support Training Guide Access Banner

Administrator configurable banner that provides all users with a warning about unauthorized use of the TOE

A banner will be presented to all TOE users that allows direct access to the TOE

User roles The user roles provided are administrator and wireless user. Administrator can manage

TOE configuration where a wireless user can associate to the TOE and access the wired resources (ex: browsing the web)

username <name> privilege (crypto-officer|monitor) crypto-officer – Crypto officer and Network (wired/wireless) admin access monitor – Monitor (read-only) access Remote management using SSH 2.0 protocol Self test on demand Zeroization of packets used by both IP stack and data plane (network

interface). Packet zeroization and overwriting with three different patters.


FIPS and CC Added Features

Feature Name

1 Power on self test for RNG, KAT and Key pair generations

2 IPSec/Tunnels between cluster, l3 mobility peers and between switch and external servers (Radius, Syslog and NTP server)

3 Zeroization of keys

4 Switch access authentication strength

5 Audit event generation and management

6 Firmware integrity

7 Data integrity

8 On demand self test execution

9 Access Banner

10 Crypto keys destruction


FIPS and CC Unsupported Features

Feature Name

1 Auto-Install (not FIPS compliant)

2 Wep64, 128 and TKIP (not FIPS compliant)

3 Copy tech support (not FIPS compliant)

4 FTP, tftp, copy commands (not FIPS compliant)

5 Upgrade and downgrade using tftp, ftp, http (not FIPS compliant)

6 External Kerberos server (not FIPS compliant)

7 Applet

8 SNMP

9 OpenSSH 1.0 (not FIPS compliant)

10 Telnet


FIPS and CC Unsupported Features (Continued)

Feature Name

11 Root shell access

12 Help desk user roles

13 NTP client with broadcast discovery server (not FIPS compliant)

14 IPSec/VPN tunnels using Public key crypto-graph protocols (RSA and DSA)

15 CLI Password reset without logging into CLI (not FIPS compliant)

16 GDB, Strace (not FIPS compliant)

17 Debug Commands (not FIPS compliant)

18 RFMS (since no SNMP support)

19 MSP (since No SNMP support)

20 Packet capture


Thank You forYour Time and Attention

Questions/Comments/Feedback?

Documents

1 Motorola Confidential Proprietary 1 FIPS 140-2 Level 2 and CC EAL4 Certified Wireless Solution Training Presentation Sameer Kanagala December 15, 2008