FIPS140-1 Level 3 Security 29

Extended Mode vs. FIPS Mode

When installing the very first ASA 310-FIPS into a new cluster, you can choose to initialize the HSM cards in either Extended mode or FIPS mode. Extended mode is the default selection, and is appropriate whenever your security policy does not explicitly require that you conform to the FIPS 140-1, Level 3 standard (see the following for more information).

The main difference between Extended mode and FIPS mode involves how private keys are handled. For both modes, all private keys are stored encrypted in the database on the ASA 310 FIPS. When the HSM card is initialized in Extended mode, the encrypted private key needed to perform a specific operation is transferred to the HSM card over the PCI bus. The private key is then decrypted on the HSM card itself, using the wrap key that was generated during the initialization and because stored on the card. The private key is thus never exposed in plain text outside the HSM card.

When the HSM card is initialized in FIPS mode, the encrypted private key needed to perform a specific operation is read from the database into RAM, together with the wrap key from the HSM card. The private key

is then decrypted in RAM, where it remains accessible for subsequent operations.

Also, when the ASA 310-FIPS is initialized in FIPS mode, all private keys must be generated on the ASA 310-FIPS device itself. Importing private keys, or certificate files that contain private keys, is not allowed due to the FIPS security requirements. This means that certain CLI commands that are used for importing certificates and keys through a copy and paste operation, or through TFTP/FTP/SCP/SFTP, cannot be used when the ASA 310-FIPS is initialized in FIPS mode.

FIPS140-1 Level 3 Security

The HSM card contains all of the security requirements specified by the FIPS 140-1, Level 3 standards. FIPS 140-1 is a U.S. government standard for implementations of cryptographic modules, that is, hardware or software that encrypts and decrypts data or performs other cryptographic operations (such as creating or verifying digital signatures).

FIPS 140-1 is binding on U.S. government agencies deploying applications that use cryptography to secure sensitive but unclassified (SBU) information, unless those agencies have been specifically exempted from compliance by the relevant U.S. laws referenced in the standard.

For more information about the FIPS specification, visit http://csrc.nist.gov/ publications/fips/index.htmland scroll down to "FIPS 140-1".

Nortel VPN Gateway

User Guide

NN46120-104 02.01 Standard

14 April 2008

Copyright © 2007-2008 Nortel Networks

Page 29
Image 29
Nortel Networks NN46120-104 manual Extended Mode vs. Fips Mode, FIPS140-1 Level 3 Security

NN46120-104 specifications

Nortel Networks NN46120-104 is a versatile and efficient telecommunications hardware platform designed to meet the demands of modern networking environments. As a part of Nortel’s extensive portfolio, this device showcases the company’s commitment to innovation and reliability in the telecom sector.

One of the main features of the NN46120-104 is its robust performance capabilities. This platform is capable of handling high traffic volumes, making it suitable for medium to large enterprises. With its advanced routing capabilities and support for various protocols, the device ensures seamless communication across multiple network segments, providing efficient data transfer and connectivity.

The NN46120-104 is built upon the foundation of Nortel's renowned Layer 3 switching technology. This allows it to intelligently direct data packets based on their IP addresses, optimizing both speed and reliability. The inclusion of Virtual LAN (VLAN) support enhances network segmentation, improving security and management while reducing broadcast domains.

In terms of interface options, the NN46120-104 supports an array of Ethernet configurations, including Gigabit and Fast Ethernet ports. This flexibility allows organizations to tailor their networking solutions to their specific needs while enabling easy upgrades as technology evolves. The device also supports Power over Ethernet (PoE), facilitating the deployment of powered devices like IP phones and wireless access points without the need for additional power sources.

Another significant characteristic of the NN46120-104 is its robustness in terms of security features. With support for advanced security protocols and features such as Access Control Lists (ACLs), the device helps safeguard sensitive data by controlling traffic flow and restricting unauthorized access.

Additionally, the NN46120-104 is designed for ease of management. It offers an intuitive interface and supports various management protocols, including Simple Network Management Protocol (SNMP), enabling administrators to monitor and configure the device efficiently.

In summary, the Nortel Networks NN46120-104 combines high performance, extensive connectivity options, advanced security features, and ease of management, making it a formidable choice for enterprises looking to enhance their network infrastructure. Its capabilities align well with the rigorous demands of today’s digital communication landscape, ensuring reliability and efficiency in organizational operations.