Security Guide
Page 5
...module to service or install these internal components. The Nokia VPN Appliances run the Nokia proprietary, security-hardened IPSO operating system along with Tamper seals (see Section 3.1.1.1) ...of the Nokia VPN Appliance configurations and was performed and validation certificates obtained for Field Replaceable Unit (FRU) upgrades to internal network interface cards, hard drives, FLASH memory, and other...packaged into each module. The IP260 and IP265 hardware versions do not support FRU options. The following hardware versions: IP260 / IP265 - The IPSO OS and the module's...
Security Guide
Page 13
... and configuration data (policy files) Status of commands and configuration data (policy files) Initialization of Secure Internal Commands Status of © Copyright 2005, 2006, 2007 Nokia Page 13 of 43 This document may be freely reproduced and distributed whole and intact including this ...: configure and install security policies that govern the communications flowing into and out of the module, and provide the Crypto Officer with a means to control the types of traffic permitted to flow through the CLI: configure CPU utilization reports, memory utilization reports, interface linkstate...
Security Guide
Page 21
using X9.31 PRNG Internal - The module supports the following critical security parameters: Table 6 - Listing CSPs for the Module CSPs Host RSA v1...IKE Client authentication during IKE Client and server authentication during IKE © Copyright 2005, 2006, 2007 Nokia Page 21 of 43 This document may be freely reproduced and distributed whole and intact including this Copyright ...PRNG Internal - using X9.31 PRNG External Storage Stored in plaintext on disk Stored in plaintext in memory Stored in plaintext on disk Stored in plaintext on disk Stored in plaintext on disk Authorized RSA v2...
Security Guide
Page 22
... traffic Secure TLS traffic Secure IPSec traffic IPSO pseudorandom number generator for RSA, DSA, and Diffie-Hellman keys Check Point pseudo-random number generator for Diffie-Hellman keys © Copyright 2005, 2006, 2007 Nokia Page 22 of 43 This document may be freely reproduced and distributed...entropy Storage Stored in plaintext in memory Stored in plaintext in memory Stored in plaintext in memory Stored in plaintext in memory Stored in plaintext in memory Cached to disk Stored in plaintext in memory Stored in plaintext in memory Stored in plaintext in memory, but entropy used to generate ...
Security Guide
Page 23
...1024-bit keys, or higher, should be generated by rebooting. Two types of 43 This document may be used for RSA in memory. 2.8.5 Key Zeroization Ephemeral keys can be zeroized by the modules are electronically entered. The TLS session keys and the gathered entropy for...External Storage Stored in FIPS mode. 1024/160-bit DSA and Diffie-Hellman keys provide 80-bit equivalent security as calculated by overwriting or deleting them. © Copyright 2005, 2006, 2007 Nokia Page 23 of key establishment techniques are cached to generate these keys. 2.8.2 Key Establishment The modules ...
Security Guide
Page 26
... install one or more tamper-evident seals (also called "FIPS Tape") provided in a FIPS-approved mode of operation. External Flash memory (optional on both sides of operation. The User can use the module after the Crypto Officer changes the mode of the module ... may be freely reproduced and distributed whole and intact including this Copyright Notice. Refer to Section 2.2 for FIPS 140-2. 3 SECURE OPERATION (APPROVED MODE) The Nokia VPN Appliances meet Level 2 requirements for a list of operation to FIPS-Approved. The following sections. 3.1.1 Hardware Setup The Crypto Officer ...
Security Guide
Page 27
...Seal Location for the Nokia VPN appliances. Record the serial number of 43 This document may be freely reproduced and distributed whole and intact including this Copyright Notice. Tamper Seal Locations for a 2U Chassis (8 Seals) © Copyright 2005, 2006, 2007 Nokia Page 27 of the applied seal(s) in a security log. 4. For... chassis at the front, top, or rear of unit) Figure 3 - Allow 24 hours for placement of tamper seals over the Flash memory bays when configuring the module in Figure 4 depending on top of the module as shown in Approved mode. Affix one or more tamper ...
Security Guide
Page 28
...by entering the boot command. 8. At the prompt, re-enter the new password for PCMCIA Flash Memory Bay (a 1U Half-Width Chassis with 2 Seals shown in the appropriate Appliance Installation Guide. 3.1.2 Installing, Upgrading or Downgrading the Module Firmware New modules come preinstalled with Hotfix HFA...-03. © Copyright 2005, 2006, 2007 Nokia Page 28 of the appliance. 2. The current FIPS 140-2 conformant configuration consists of IPSO 4.1 and Check Point VPN-1 version NGX (R60) with the Nokia IPSO operating system and a version of the cable to the VT100...
Security Guide
Page 43
... Technology Open Shortest Path First Pseudo Random Number Generator Random Access Memory Routing Information Protocol Rivest Shamir and Adleman Security Association Secure Hash Algorithm Secure Internal Communications Simple Network Management Protocol Secure Shell Secure Socket Layer Transport Layer Security Virtual Private Network © Copyright 2005, 2006, 2007 Nokia Page 43 of 43 This document may be freely reproduced...