Enterasys Networks XSR-1805, XSR-1850, XSR-3250 manual Physical Security, Operational Environment


 

 

mechanism is as strong as the RSA algorithm using a 1024 bit key pair.

Pre-shared key-based authentication (IKE) | User | HMAC SHA-1 generation and verification is used to authenticate to the module during IKE with preshared keys. This mechanism is as strong as the HMAC with SHA-1 algorithm. Additionally, preshared keys must be at least six characters long. Even if only uppercase letters were used without repetition for a six character preshared key, the probability of randomly guessing the correct sequence is one in 165,765,600.

Table 6 – Estimated Strength of Authentication Mechanisms

The firewall mechanism can only be configured by the Crypto-Officer who authorizes the traffic that flows through the module.

Physical Security

The XSR modules are multi-chip standalone cryptographic modules, which were tested and found to comply with the limits for a Class A digital device, pursuant to Part 15 of the FCC Rules.

The modules are entirely contained within hard metal enclosures. The enclosure is resistant to probing and is opaque within the visible spectrum. The enclosures have been designed to satisfy level 2 physical security requirements. The ventilation holes on all three modules have been designed with baffling and are less than 1/16th of an inch in diameter. Additionally, for the XSR-1850 and the XSR-3250, as soon as a cover (top or bottom) is removed, the nonvolatile RAM of the Real Time Clock chip is cleared, causing the master encryption key, which is used to encrypt user, certificate, and host key database files, to be zeroized.

All three modules require tamper-evident labels to be applied to protect the modules and to provide notice of any tampering with them. Depending on whether the NIM slots are used, the XSR-1805 requires a minimum of seven and a maximum of nine labels to be applied, the XSR-1850 requires a minimum of five and a maximum of seven labels, and the XSR-3250 requires a minimum of four and a maximum of six labels. The labels are employed by the Crypto Officer as described in the Installation Guide: Attaching XSR Security Labels.

Operational Environment

The operational environment requirements do not apply to these modules. The XSR modules do not provide a general-purpose operating system, but rather a non-modifiable and embedded operating system.

© Copyright 2003 Enterasys Networks Page 15 of 25

This document may be freely reproduced and distributed whole and intact including this Copyright Notice.
