Enterasys X-pedition xsr-1805 User manual

XSR-1805, XSR-1850, and XSR-3250

(Hardware Version: REV 0A-G, Software Version: REL 6.3, Firmware Version: REL 6.3)

FIPS 140-2 Non-Proprietary

Security Policy

Level 2 Validation

Version 1.00

September 2003

This document may be freely reproduced and distributed whole and intact including this Copyright Notice.

Table of Contents

INTRODUCTION............................................................................................................. 3

PURPOSE....................................................................................................................... 3

REFERENCES ................................................................................................................. 3

DOCUMENT ORGANIZATION ............................................................................................. 3

ENTERASYS NETWORKS XSR-1805, XSR-1850, AND XSR-3250 ............................. 5

OVERVIEW ..................................................................................................................... 5

CRYPTOGRAPHIC MODULE .............................................................................................. 6

MODULE INTERFACES ..................................................................................................... 8

ROLES AND SERVICES................................................................................................... 11

Crypto Officer Role.................................................................................................. 11

User Role ................................................................................................................ 14

Authentication Mechanisms .................................................................................... 14

PHYSICAL SECURITY ..................................................................................................... 14

OPERATIONAL ENVIRONMENT ........................................................................................ 14

CRYPTOGRAPHIC KEY MANAGEMENT ............................................................................. 16

Key Generation ....................................................................................................... 18

Key Establishment................................................................................................... 18

Key Entry and Output .............................................................................................. 18

Key Storage ............................................................................................................ 19

Key Zeroization ....................................................................................................... 19

SELF-TESTS................................................................................................................. 20

DESIGN ASSURANCE ..................................................................................................... 21

MITIGATION OF OTHER ATTACKS.................................................................................... 21

SECURE OPERATION ................................................................................................. 22

CRYPTO OFFICER GUIDANCE......................................................................................... 22

Initial Setup ............................................................................................................. 22

Management ........................................................................................................... 23

USER GUIDANCE .......................................................................................................... 24

ACRONYMS ................................................................................................................. 25

This document may be freely reproduced and distributed whole and intact including this Copyright Notice.

Introduction

Purpose

This document is a nonproprietary Cryptographic Module Security Policy

for the Enterasys Networks XSR-1805, XSR-1850, and XSR-3250

appliances. This security policy describes how the XSR-1805, XSR-1850,

and XSR-3250 meet the security requirements of FIPS 140-2 and how to

run the modules in a secure FIPS 140-2 mode. This policy was prepared

as part of the Level 2 FIPS 140-2 validation of the module.

FIPS 140-2 (Federal Information Processing Standards Publication 140-2

— Security Requirements for Cryptographic Modules) details the U.S.

Government requirements for cryptographic modules. More information

about the FIPS 140-2 standard and validation program is available on the

NIST Web site at http://csrc.nist.gov/cryptval/.

The Enterasys Networks XSR-1805, XSR-1850, and XSR-3250

appliances are referenced in this document as X-Pedition Security

Routers, XSR modules, and the modules. The XSR-1805 and XSR-1850

modules are also referenced as the XSR-18xx modules. The differences

between the three modules are cited where appropriate.

References

This document deals only with operations and capabilities of the module in

the technical terms of a FIPS 140-2 cryptographic module security policy.

More information is available on the module from the following sources:

The Enterasys Networks Web site (http://www.enterasys.com/) contains

information on all Enterasys Networks products.

The NIST Validated Modules Web site (http://csrc.ncsl.nist.gov/cryptval/)

contains contact information for answers to technical or sales-related

questions for the module.

Document Organization

The Security Policy document is one document in a FIPS 140-2

Submission Package. In addition to this document, the Submission

Package contains:

 Vendor Evidence document

 Finite State Machine

 Other supporting documentation as additional references

This document may be freely reproduced and distributed whole and intact including this Copyright Notice.

This Security Policy and the other validation submission documentation

were produced by Corsec Security, Inc. under contract to Enterasys

Networks. With the exception of this Non-Proprietary Security Policy, the

FIPS 140-2 Validation Documentation is proprietary to Enterasys

Networks and can be released only under appropriate non-disclosure

agreements. For access to these documents, please contact Enterasys

Networks.

This document may be freely reproduced and distributed whole and intact including this Copyright Notice.

ENTERASYS NETWORKS XSR-1805, XSR-1850, AND XSR-3250

Overview

Part of the Enterasys Networks X-Pedition Security Router (XSR) series,

the XSR-1805, XSR-1850, and XSR-3250 modules are networking

devices that combine a broad range of IP routing features, a broad range

of WAN interfaces and a rich suite of network security functions, including

site-to-site and remote access VPN connectivity and policy managed,

stateful-inspection firewall functionality.

The XSR-18xx modules were designed to meet the requirements of the

branch office, while the XSR-3250 was specifically designed for the

regional office. A typical deployment of the modules is shown in Figure 1

below.

Figure 1 – Typical Deployment of the XSR Modules

The XSR-1805 is an entry-level, modular router in a desktop form factor

delivering powerful performance and features to address the WAN, VPN,

and firewall needs of remote offices.

The XSR-1850 varies mainly in its performance and type of enclosure,

when compared to the XSR-1805. Delivering faster performance; a rack-

mount form factor; and the option for redundant power, the XSR-1850 is

This document may be freely reproduced and distributed whole and intact including this Copyright Notice.

ideal to support mission- critical applications extending to the branch

office.

The XSR-3250 offers nearly ten times the performance speed of the XSR-

1850 and approximately 15 times more VPN tunnels. Coupling these

features with the six network interface module (NIM) slots makes the XSR-

3250 ideally suited to a regional office required to terminate up to six

T3/E3 or 24 T1/E1 connections. A redundant power supply is included.

The features of each XSR module are summarized in Table 1.

XSR Model XSR-1805 XSR-1850 XSR-3250

NIM Slots 2 2 6

Fixed 10/100/1000 LAN

Ports

2 10/100 2 10/100 3

Optional Gigabit

Ethernet

N/A N/A Mini-GBIC

Redundant Power

Supplies

No Option Standard

VPN Accelerator Embedded Embedded Embedded

Flash Memory 8 MB

(upgradeable)

8 MB

(upgradeable)

8 MB

DRAM 32 MB

(upgradeable)

64 MB

(upgradeable)

256 MB

(upgradeable)

External Compact Flash Yes Yes Yes

Table 1 - Features At-a-Glance

Some highlighted security features of the XSR modules are:

• Telnet over IPSec or SSHv2-secured remote management of the

modules

• Site-to-Site application VPN using IPSec

• Remote access VPN using L2TP over IPSec

• Access control through assigned privilege level

• User, certificate, and host key database files encrypted with a

master encryption key

Cryptographic Module

The XSR modules were evaluated as multi-chip standalone cryptographic

modules. The metal enclosure physically encloses the complete set of

hardware and software components, and represents the cryptographic

boundary of each module.

This document may be freely reproduced and distributed whole and intact including this Copyright Notice.

The hardware components for the XSR-18xx modules vary slightly to meet

the performance level for each module. The XSR-1850 is an enhancement

of the XSR-1805 consisting of the following additional features:

• Two fans

• External power source connector

• One PMC slot for PPMC card

• 19” 1.5 U rack-mount chassis

• 64 MB of DRAM

Due to the large difference in performance levels, the XSR-3250 hardware

components vary quite significantly, when compared to the XSR-18xx

modules. The main differences include the following:

• Different processor with two CPU cores

• Different hardware encryption accelerator

• Two extra NIM Carrier Cards (NCC) slots with two NIM slots on

each card

• One extra Ethernet port connected to both a miniGBIC module and

a RJ45 connector

• Dual load-sharing power supplies

• Redundant fans

• 256 MB of DRAM

XSR NIMs will operate on all three XSR modules.

All three modules use the software version XSR Release 6.3. The

modules software components consists of three separate executables

linked individually:

• Bootrom

• Power-up Diagnostics

• Software image

This document may be freely reproduced and distributed whole and intact including this Copyright Notice.

The software image is contained in a single file with the power-up

diagnostics. It is based on the Nortel Open IP design model and runs on

top of the VxWorks operating system.

The modules are intended to meet overall FIPS 140-2 Level 2

requirements (see Table 2).

Section Section Title Level

1 Cryptographic Module Specification 2

2 Cryptographic Module Ports and Interfaces 2

3 Roles, Services, and Authentication 2

4 Finite State Model 2

5 Physical Security 2

6 Operational Environment N/A

7 Cryptographic Key Management 2

8 EMI/EMC 2

9 Self-tests 2

10 Design Assurance 2

11 Mitigation of Other Attacks N/A

Table 2 – Intended Level Per FIPS 140-2 Section

Module Interfaces

The XSR-1805 provides a number of physical ports:

• Two 10/100BaseT FastEthernet LAN ports

• One console port

• Two PCM slots

• One PCMCIA slot for the optional CompactFlash card

This document may be freely reproduced and distributed whole and intact including this Copyright Notice.

• Ten status LEDs

• One power connector

• One power switch

• One default configuration button

The XSR-1850 implements the same physical ports as the XSR-1805 and

the following additional ones:

• External power source connector

• PPMC slot for Processor

The XSR-3250 varies to the XSR-1805 modules as follows:

• One additional power source connector

This document may be freely reproduced and distributed whole and intact including this Copyright Notice.

• Three 10/100/1000BaseT GigabitEthernet LAN ports with two LEDs

on each port, instead of the two 10/100BaseT FastEthernet LAN

ports

• Mini-Gigabit Interface Converter (MGBIC) fiberoptic port plus two

LEDs

• Two NCC slots with two NIM slots on each card

• No power switch

• No default configuration button

All of these physical ports are separated into logical interfaces defined by

FIPS 140-2, as described in Table 3:

Module Physical Ports FIPS 140-2 Logical Interface

Network ports Data input interface

Network ports Data output interface

Network ports, console port,

power switch (XSR-18xx only),

default button (XSR-18xx only)

Control input interface

Network ports, console port,

LEDs

Status output interface

Power connector(s) Power interface

Table 3 – FIPS 140-2 Logical Interfaces

Data input and output, control input, and status output are defined as

follows:

• Data input and output are the packets that use the firewall, VPN,

and routing functionalities of the modules.

• Control input consists of manual control inputs for power and reset

through the power and reset switch. It also consists of all of the

data that is entered into the module while using the management

interfaces.

• Status output consists of the status indicators displayed through the

LEDs and the status data that is output from the modules while

using the management interfaces.

The modules distinguish between different forms of data, control, and

status traffic over the network ports by analyzing the packets header

information and contents.

This document may be freely reproduced and distributed whole and intact including this Copyright Notice.

Other manuals for X-Pedition XSR-1805

This manual suits for next models

Table of contents

Other Enterasys Network Router manuals

Enterasys

Enterasys SmartSwitch 2H252 Owner's manual

Enterasys

Enterasys Matrix 6H352-25 User manual

Enterasys

Enterasys 802.1Q User manual

Enterasys

Enterasys XSR-XPEDITION User manual

Enterasys

Enterasys Enterasys D2 D2G124-12P Instruction Manual

Enterasys

Enterasys X-Pedition XSR-1805 User manual

Enterasys

Enterasys D2G124-12 Manual

Enterasys

Enterasys X-Pedition XSR-1805 User manual

Enterasys

Enterasys G3G170-24 Instruction Manual

Enterasys

Enterasys X-Pedition XSR-3020 User manual

Enterasys

Enterasys K-Series User manual

Enterasys

Enterasys D2G124-12 User manual

Enterasys

Enterasys Matrix-V V2H124-24P User manual

Enterasys

Enterasys G3G124-24 Manual

Enterasys

Enterasys C5G124-24 User manual

Enterasys

Enterasys Security Router X-PeditionTM User manual

Enterasys

Enterasys SecureStack C3G124-24P User manual

Enterasys

Enterasys X-Pedition XSR-3020 User manual

Enterasys

Enterasys X-Pedition XSR-1805 User manual

Enterasys

Enterasys SecureStack A2H124-24FX Manual

Enterasys

Enterasys X-Series X8 User manual

Enterasys

Enterasys SecureStack C2K122-24 Manual

Enterasys

Enterasys X-Pedition XSR-1850 User manual

Enterasys

Enterasys X-PEDITION E9.1.7.0 How to use

Popular Network Router manuals by other brands

TRENDnet

TRENDnet TEW-435BRM - 54MBPS 802.11G Adsl Firewall M Quick installation guide

Siemens

Siemens SIMOTICS CONNECT 400 manual

Alfa Network

Alfa Network ADS-R02 Specifications

Barracuda Networks

Barracuda Networks Link Balancer quick start guide

ZyXEL Communications

ZyXEL Communications ES-2024PWR Support notes

HPE

HPE FlexNetwork 5510 HI Series Openflow configuration guide

Allied Telesis

Allied Telesis AT-AR236E quick start guide

ADTRAN

ADTRAN NetVanta 3458-PoE quick start

C&H Technologies

C&H Technologies EM405-8 manual

Huawei

Huawei WiFi Mesh 3 Product description

Addonics Technologies

Addonics Technologies ISC8P2G-S Quick install guide

Atel

Atel W02 Arch+ Faqs

Allnet

Allnet ALL0333AU user guide

Sercomm

Sercomm Genesis OC3505D Quick installation guide

Billion

Billion BIPAC 5102 Series user manual

TP-Link

TP-Link TD-8817 QIG

Motorola

Motorola MR1900 user guide

Cisco

Cisco SOHO Series Regulatory compliance and safety information