Motorola Confidential Proprietary

FIPS Level 2 and Common Criteria (CC) EAL4 Overview

Need for FIPS Level 2 & CC EAL4: Customer Scenarios

Primary targets for FIPS Level 2 and CC EAL4 certified wireless infrastructure:
- Government agencies like DoD, Veterans Administration
- Financial institutions like banks and stock exchanges
- Other organizations requiring the highest levels of security, like air and seaports

FIPS and CC Deployment

- RFS7000 adopts up to 256 AP300s
- Switch connection to AAA, Syslog and NTP servers is secured using IPSec tunnels
- Switch connection to other switches in a cluster is secured using IPSec tunnels

[Deployment diagram labels: WLAN Corporate: VLAN 100; EAP Exchange; Secure Connections; IPsec VPN Tunnels; RADIUS; NTP; AUDIT; RFS7000-GR; Local Console; AP300]

Tamper Evident Labels

- Tamper-evident labels with the Motorola logo (Batwings) are produced from a special thin-gauge vinyl with self-adhesive backing
- The primary goal of the labels is to detect any attempt to gain access to the internals of the switch
- The Motorola tamper-evidence labels have non-repeated serial numbers
- The labels may be inspected by the customer for damage and compared against the applied serial numbers to verify that the module has not been tampered with
- New labels are applied at manufacturing and after each service, hence the customer MUST update his database after each such event

FIPS and CC Feature Descriptions

FIPS Level 2 and CC EAL4 Feature Summary

FIPS Level 2
- FIPS Feature Additions
- FIPS Feature Modifications

Common Criteria (CC) EAL4
- CC Feature Additions
- CC Feature Modifications

RFS7000-GR vs. Regular Switch Releases: At a Glance

Unsupported Features
- Adaptive AP Support
- Encryption Mechanisms: WEP 40/128 (RC4), KeyGuard, WPA-TKIP, WPA2-TKIP
- Authentication Mechanisms: Kerberos
- Transport Encryption: WEP 40/128 (RC4), KeyGuard, WPA-TKIP, WPA2-TKIP
- IPSEC VPN Gateway Encryption: DES
- Integrated AAA/RADIUS Server: allowed in FIPS-only mode but not in CC
- NAC Support
- RTLS Engine and RTLS Partner Support

FIPS - Feature Additions

- KAT, CRNG and power-on self tests for QuickSec and OpenSSL libraries
- Security between switch and NTP server
- Security between switch and Auth server (Radius)
- Security between switch and log server (SYSLOG)
- WIPE command to erase all keys and passwords
- Firmware and writable data integrity check
- Zeroization of keys
- Introduction of crypto officer and other roles (different from the regular roles that we have in our existing CLI)
- Upgrade and downgrade support (this includes adding a new digitally signed key, using a FIPS-approved algorithm)
- Authentication strength for management access (CLI)
- Role-based authentication
- Test for hardware components
- Any test failure: handle the state machine and reboot the box

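The CRNG item and the "any test failure" item above can be pictured with a continuous random number generator test in the FIPS 140-2 style: the first block after power-up is stored but never output, every later block is compared with its predecessor, and a repeat latches an error state. This is an added example, not Motorola's code; the block size, the type names and the two constructed raw sources are assumptions, and the reboot itself is left to the caller.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define CRNG_BLOCK 16   /* block size in bytes: an assumption for this example */

typedef enum { MOD_OPERATIONAL, MOD_ERROR } module_state_t;

typedef struct {
    module_state_t state;
    uint8_t prev[CRNG_BLOCK];   /* last block seen, kept for comparison */
    int primed;                 /* 0 until the first block has been stored */
} crng_ctx_t;

/* Hypothetical raw source: fills CRNG_BLOCK bytes, returns 0 on success. */
typedef int (*raw_rng_fn)(uint8_t *out);

void crng_init(crng_ctx_t *c)
{
    memset(c, 0, sizeof *c);
    c->state = MOD_OPERATIONAL;
}

/* Returns 0 and writes one block to out, or -1 after latching MOD_ERROR.
   Once in MOD_ERROR no further output is produced until re-initialisation. */
int crng_get_block(crng_ctx_t *c, raw_rng_fn raw, uint8_t *out)
{
    uint8_t cur[CRNG_BLOCK];
    if (c->state == MOD_ERROR)
        return -1;
    if (!c->primed) {
        /* The first block after power-up is only stored, never handed out. */
        if (raw(c->prev) != 0) { c->state = MOD_ERROR; return -1; }
        c->primed = 1;
    }
    if (raw(cur) != 0 || memcmp(cur, c->prev, CRNG_BLOCK) == 0) {
        c->state = MOD_ERROR;   /* source failed or repeated a block */
        return -1;
    }
    memcpy(c->prev, cur, CRNG_BLOCK);
    memcpy(out, cur, CRNG_BLOCK);
    return 0;
}

/* Constructed sources for the demonstration: one healthy, one stuck. */
static uint8_t counter;
int raw_counting(uint8_t *out) { memset(out, ++counter, CRNG_BLOCK); return 0; }
int raw_stuck(uint8_t *out)    { memset(out, 0x5A, CRNG_BLOCK); return 0; }
```
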
FIPS - Feature Modifications

- Cert Manager, DHCP, Radius, Stunnel, OpenSSH, version compatibility and FIPS-approved algorithm usage
- Wireless: power-on self-test, KAT test for current AES library
- Removing/suppressing all non-approved commands as part of FIPS (including debug and other commands)
- Core dump, panic dump and root shell access removal
- VPN and IPSec tunnel for switch-to-server communication
- Display of crypto keys (getting more than one confirmation)
- QuickSec changes to have approved algorithm
- Disabling SNMP and Applet
- FIPS documentation support for security target and protection profile documents
- L3 mobility and cluster peers formed under IPSec/VPN tunnels

CC - Feature Additions

- Audit events generation and configuration
- Cryptographic key destruction
- Access Banner: this expects to intercept the EAP and other authentication packets exchanged between MU and Radius server to locate the user-name
- Additional self-test requirements based on user request
- Verification of integrity of data on the switch (non-binary)
- Critical test for hardware
- Automatic power-up tests when crypto keys are generated
- Managing audit events and configurations
- Switch lockup when admin reaches max password attempts, leaving only the serial port accessible

CC - Feature Modifications

- Packet zeroization and overwriting with three different patterns
- Overwriting all intermediate, private and plaintext keys
- Logging on and off for audit events

Robustness Profile - Requirements

The US Government Wireless Local Area Network (WLAN) Access System Protection Profile for Basic Robustness Environments mandates that a secure connection be established with any external server or device.

The Motorola Wireless LAN Switches in FIPS and CC mode will establish an IPSec tunnel for:
- Security between switch and NTP server
- Security between switch and AAA (Radius)
- Security between switch and log server (SYSLOG)
- Security between switches in a cluster

Configuration updates

- AP300 gets configured by the switch initially as part of the adoption sequence.
- When the configuration is applied on the AP300, the radios will shut down and reinitialize (this process takes less than 2 seconds), forcing currently associated MUs to be de-authenticated.

FIPS and CC Feature Summary

Configuring some Key Features

For a complete list refer to the RFS7000 FIPS/CC Service and Support Training Guide.

Access Banner
- Administrator-configurable banner that provides all users with a warning about unauthorized use of the TOE
- A banner will be presented to all TOE users that allows direct access to the TOE

User roles
- The user roles provided are administrator and wireless user. The administrator can manage TOE configuration, whereas a wireless user can associate to the TOE and access the wired resources (ex: browsing the web)
- username privilege (crypto-officer|monitor)
  crypto-officer: Crypto officer and Network (wired/wireless) admin access
  monitor: Monitor (read-only) access

Remote management using SSH 2.0 protocol

Self test on demand

Zeroization of packets used by both IP stack and data plane (network interface)
- Packet zeroization and overwriting with three different patterns

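Packet zeroization with three overwrite patterns, as named above and under CC - Feature Modifications, could look like the following. This is an added example, not the switch firmware: the slides do not name the patterns, so 0xAA, 0x55 and 0x00 are assumptions, as are the pkt_buf structure and its capacity.

```c
#include <stddef.h>
#include <stdint.h>

#define PKT_CAPACITY 64   /* constructed size for the example */

/* Assumed patterns: the slides say "three different patterns" without naming
   them. The last pass is zero so the buffer ends up zeroized. */
static const uint8_t WIPE_PATTERNS[3] = { 0xAA, 0x55, 0x00 };

struct pkt_buf {          /* hypothetical packet buffer */
    uint8_t data[PKT_CAPACITY];
    size_t  len;          /* bytes used by the current packet */
};

/* Overwrite len bytes with each pattern and read every pass back.
   The volatile pointer keeps the compiler from eliding stores to memory
   that is about to be freed or reused. Returns passes verified, or -1. */
int wipe_bytes(void *buf, size_t len)
{
    volatile uint8_t *p = (volatile uint8_t *)buf;
    int pass;
    for (pass = 0; pass < 3; pass++) {
        size_t i;
        for (i = 0; i < len; i++)
            p[i] = WIPE_PATTERNS[pass];
        for (i = 0; i < len; i++)
            if (p[i] != WIPE_PATTERNS[pass])
                return -1;
    }
    return pass;
}

/* Wipe the whole capacity, not just len: a short packet may sit on top of
   residue from a longer one that used the same buffer earlier. */
int pkt_release(struct pkt_buf *b)
{
    int passes = wipe_bytes(b->data, sizeof b->data);
    b->len = 0;
    return passes;
}
```
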
FIPS and CC Added Features

Feature Name
1. Power-on self test for RNG, KAT and key pair generations
2. IPSec/tunnels between cluster, L3 mobility peers and between switch and external servers (Radius, Syslog and NTP server)
3. Zeroization of keys
4. Switch access authentication strength
5. Audit event generation and management
6. Firmware integrity
7. Data integrity
8. On-demand self test execution
9. Access Banner
10. Crypto keys destruction

FIPS and CC Unsupported Features

Feature Name
1. Auto-Install (not FIPS compliant)
2. WEP64, 128 and TKIP (not FIPS compliant)
3. Copy tech support (not FIPS compliant)
4. FTP, tftp, copy commands (not FIPS compliant)
5. Upgrade and downgrade using tftp, ftp, http (not FIPS compliant)
6. External Kerberos server (not FIPS compliant)
7. Applet
8. SNMP
9. OpenSSH 1.0 (not FIPS compliant)
10. Telnet

FIPS and CC Unsupported Features (Continued)

Feature Name
11. Root shell access
12. Help desk user roles
13. NTP client with broadcast discovery server (not FIPS compliant)
14. IPSec/VPN tunnels using public key cryptography protocols (RSA and DSA)
15. CLI password reset without logging into CLI (not FIPS compliant)
16. GDB, Strace (not FIPS compliant)
17. Debug commands (not FIPS compliant)
18. RFMS (since no SNMP support)
19. MSP (since no SNMP support)
20. Packet capture

Thank You for Your Time and Attention

Questions/Comments/Feedback?