|
This security policy describes how the VPN 3000 Concentrator Series meets the security requirements of FIPS 140-1, and how to operate a VPN 3000 Concentrator using IPSec encryption in secure FIPS 140-1 mode. This policy was prepared as part of the Level 2 FIPS 140-1 validation of the VPN 3000 Concentrator Series, sometimes referred to in this document as the VPN Concentrator.
This document may be copied in its entirety and without modification. All copies must include the copyright notice and statements on the last page.
FIPS 140-1 (Federal Information Processing Standards Publication 140-1Security Requirements for Cryptographic Modules) details the U.S. Government requirements for cryptographic modules. More information about the FIPS 140-1 standard and validation program is available in the following document:
Security Requirements for Cryptographic Modules, FIPS Publication 140-1 (http://csrc.nist.gov/publications/fips/fips140-1/fips1401.htm).
For information about the FIPS 140-1 validation program, see the following NIST website:
http://csrc.nist.gov/cryptval/
This document contains the following sections:
"Security Relevant Data Items" section
"Cryptographic Algorithms" section
"Security Rules (FIPS Mode of Operation)" section
"Administration Management Access Methods" section
"Appendix ACryptographic Algorithms" section
This document describes the operations and capabilities of the VPN Concentrator only in the technical terms of FIPS 140-1 cryptographic module security policy. More information is available on VPN 3000 Concentrator Series in the following documents:
VPN 3000 Series Concentrator Getting Started, Release 3.1, August 2001explains how to unpack and install the VPN 3000 Concentrator and how to configure the minimal parameters.
VPN 3000 Series Concentrator Reference Volume I: Configuration, Release 3.1, August 2001explains how to start and use the VPN 3000 Concentrator Manager and how to configure your device beyond the minimal parameters you set during quick configuration.
VPN 3000 Series Concentrator Reference Volume II: Administration and Monitoring, Release 3.1, August 2001explains and defines all functions available in the Administration and Monitoring screens of the VPN Concentrator Manager.
Release Notes for Cisco VPN 3000 Series Concentrator, Release 3.1
Release Notes for Cisco VPN 3000 Series Concentrator, FIPS Release 3.1.3
This document uses the following terminology.
FIPS 140-1 | Federal Information Processing Standards Publication 140-ISecurity Requirements for Cryptographic Modules details the U.S. Government requirements for cryptographic modules. |
FIPS Mode | A configuration of the VPN 3000 Concentrator Series that allows users to use the VPN Concentrator in a way that is compliant with the government standard FIPS 140-1. |
IPSec | A family of IETF protocols that provide network layer encryption. |
IKE | A key management protocol used by IPSec for authentication and secret key derivation. |
Cisco VPN 3000 Concentrator Series comprises a family of purpose-built, remote access Virtual Private Network (VPN) platforms that incorporate high availability, high performance, and scalability with the most advanced encryption and authentication techniques available today.
The VPN Concentrator includes models to support a range of enterprise customers, from small businesses with 100 or fewer remote access users to large organizations with up to 10,000 simultaneous remote users. The VPN Concentrator is available in both non-redundant and redundant configurations, allowing customers to build the most robust, reliable, and cost-effective networks possible.
The VPN Concentrators are Multiple-Chip Standalone Cryptographic Modules as defined in Security Requirements for Cryptographic Modules, FIPS publication 140-1. The cryptographic boundary for each VPN Concentrator module is the actual physical embodiment of each device.
This security policy pertains to the following specific VPN Concentrators:
The VPN Concentrators are intended to meet the overall requirements for FIPS-140 Level 2 security as defined in FIPS-140-1. Table 1 shows the security level requirements met for the VPN Concentrators:
Security Requirements Section | FIPS-140 Security Level |
Cryptographic Module | 2 |
Module Interfaces | 2 |
Roles & Services | 2 |
Finite State Machines | 2 |
Physical Security | 2 |
Software Security | 3 |
Operating System Security | N/A |
Key Management | 2 |
Cryptographic Algorithms | 2 |
EMI/EMC | 2 |
Self Tests | 2 |
VPN Concentrators implement a role-based authentication mechanism. Up to five administrative roles can be defined with the restriction that at least one administrator must serve as a superuser (an administrator with the highest level of privileges). The highest level administrator is also known as the Crypto-officer in FIPS 140-1 terminology.
There can be up to 10 simultaneous administrative sessions active in the VPN Concentrator at one time. The access methods for the administrative roles as well as the services available for each role are listed below. For detailed descriptions on configuration, see the VPN 3000 Series Concentrator Reference Volume I: Configuration.
For the VPN Concentrator, the superuser is the highest level administrator. To access the administrator role, connect through an Ethernet port and use the Web-based administration tool, or connect through the console port.
The administrator must enter the correct username/password combination and pass the appropriate IP address checks. The administrator role can access all the services accessible via any management interface. Administrators are responsible for ensuring that VPN Concentrators are configured properly to meet all FIPS 140-1 requirements.
Warning There is no way to recover your system if you forget the Administrator password. Take appropriate measures to safeguard your password and remember it. If you forget the Administrator password, you cannot log in to your system and you will have to return the VPN Concentrator to be recovered. |
The non-crypto services include show status commands and user establishment and authentication initialization. The various non-crypto services available to the administrator role include the following:
The crypto services include key generation, encryption/decryption, and the power-up self-tests. Some of the specific crypto services available to the administrator role include:
Administrators may not configure static session keys for encrypted tunnels, nor are they allowed to enter static keys for certificate enrollment. These keys are all generated dynamically via the appropriate mechanism (IKE, RSA, DSA).
For information on the specific administrator commands, see the section "Administration | Access Rights | Access Settings" in the VPN 3000 Series Concentrator Reference Volume II: Administration and Monitoring user guide.
You also access the administrator role through an Ethernet port using the Web-based administration tool, or connect through the console port.
All administrator roles are entered by supplying the correct username/password combination and passing the appropriate IP address checks. All administrators are responsible for ensuring, that the VPN Concentrators are configured properly to meet all FIPS 140-1 requirements.
At some permission levels, an administrator can access only the configuration and monitoring functions that the administrator with the highest level of permissions selects. It is possible to give other administrators the highest level privileges. For more detailed information on the subset descriptions, see the section "Administration | Access Rights | Access Settings" in the VPN 3000 Series Concentrator Reference Volume II: Administration and Monitoring user guide.
Users are the people or entities that wish to send data or traffic through the VPN Concentrators. Users comprise devices, clients, and anyone passing data through the VPN Concentrators. All user roles are entered by supplying the correct authentication information. Users are authenticated to the VPN Concentrators based on the authentication protocol established by the administrator (for example, security association ID or IP address and preshared secret key combination).
Services | Roles | Description |
---|---|---|
Encryption/Decryption | Crypto-officer/User | The module encrypts data being sent by both the crypto-officer and user. Crypto-officer services and data sent are encrypted through HTTPS (TLS) sessions. User-sent data is encrypted/decrypted as defined by the IPSec standard. |
Show Status | Crypto-officer | The crypto-officer can view the module status through the module's administrative interface. |
Self-Tests | Crypto-officer | The crypto-officer can perform self-tests and review self-test results. |
System Configuration | Crypto-officer | The crypto-officer can configure user and administrator privileges, and other system parameters. |
Key Entry | Crypto-officer | The crypto-officer must enter all IPSec preshared keys. |
As mentioned above, the cryptographic boundary encompasses the physical encasing of the VPN Concentrator. Table 3 maps the FIPS 140 logical interfaces to the physical interfaces of the VPN Concentrator.
FIPS 140-1 Logical Interfaces | VPN Concentrator's Physical Interfaces |
---|---|
Data input | Ethernet ports, Console port |
Data output | Ethernet ports, Console port |
Control input | Ethernet ports, Console port |
Status output | Ethernet ports, LEDs |
The following is a list of all security relevant data items used by VPN Concentrators. This section describes all keys that VPN Concentrators use.
The VPN Concentrator uses Key Encryption Keys (KEK) to protect all persistent and ephemeral cryptographic keys that the VPN Concentrator stores. The VPN Concentrator uses two KEKs (KEK1 and KEK2).
KEK1 is a triple DES key that protects all traffic keys, HMAC keys, and Diffie-Hellman private keys. KEK1 is used to decrypt the appropriate cryptographic key prior to use. KEK1 is stored in RAM in plaintext form.
KEK2 is a DES key that protects DSA private keys, RSA private keys, and the Diffie-Hellman shared secret (gxy) private keys. KEK2 is used to decrypt the appropriate cryptographic keys prior to use by the module. KEK2 is stored in RAM in plaintext form.
This section describes authentication keys.
The VPN Concentrator uses DSA key pairs for authentication in establishing an IKE session. DSA key pairs are stored encrypted with KEK2.
The VPN Concentrator uses RSA key pairs for authentication in establishing an IKE session. RSA key pairs are stored encrypted with KEK2.
The VPN Concentrator uses IKE preshared keys for authentication in establishing an IKE session. IKE preshared keys are stored in plaintext form.
The VPN Concentrator uses HMAC keys for authenticating and verifying the integrity of packets as a part of the IPSec protocol. These keys, generated during IKE negotiation, are used when the AH or ESP is chosen and are stored encrypted with KEK1.
The VPN Concentrator uses Diffie-Hellman key pairs for authentication in establishing an IKE session. Diffie-Hellman private keys and shared secrets (gxy) are encrypted and stored using KEK2.
All traffic keys are encrypted with KEK1.
The IPSec DES/3DES keys are the traffic encryption keys that protect information passing through the VPN Concentrators. These keys are generated during the IKE negotiation process. Once these keys are no longer in use for encrypting/decrypting traffic, they are zeroized.
TLS traffic keys provide protection of data during administration of the VPN Concentrator via HTTPS. These keys are generated ephemerally and are zeroized after the TLS session has ceased.
SSL traffic keys provide protection of data during administration of the VPN Concentrator via HTTPS. These keys are generated ephemerally and are zeroized after the SSL session has ceased.
PPP traffic keys are traffic keys that provide protection of information passing through the VPN Concentrators. These keys are generated ephemerally during the PPTP negotiation process, and discarded after they are used.
The following public keys are stored within a VPN Concentrator. All public keys used by the VPN Concentrators are stored within a certificate and signed by the issuing authority, thus protecting certificates from modification.
The VPN Concentrators might be loaded with the root CA certificate and any subordinate CA's within a PKI. These public keys verify the identity of any certificates issued within a particular PKI.
An SSL certificate might also be loaded onto the VPN Concentrator. The SSL certificate authenticates the VPN Concentrator when an administrator establishes a secure connection (HTTPS) for configuration.
A Server identity certificate binds the public key(s) to the VPN Concentrator. This certificate authenticates the VPN Concentrator during the IKE process.
For a list of all cryptographic algorithms supported by the VPN Concentrator, see Appendix A.
This section defines how to use and configure the VPN Concentrators to ensure compliance with the FIPS 140-1 standard. The administrators are jointly responsible for configuring the VPN Concentrator in FIPS mode. The following list is a summary of the security rules that the administrator must configure and enforce on the VPN Concentrators:
The following sections describe in more detail the security rules summarized above.
VPN Concentrators support many different cryptographic algorithms. However, to properly use VPN Concentrators in FIPS mode, only the FIPS approved algorithms may be used. The following cryptographic algorithms are to be used for encrypting traffic, hashing, or signing/verifying digital signatures:
Note Use the DES algorithm only for protecting low sensitivity information. Cisco recommends that you use Triple DES to protect highly sensitive information. |
The administrator must configure VPN Concentrators to use only the cryptographic algorithms listed above for all services that they provide.
VPN Concentrators store many security relevant data items, such as authentication keys (Preshared keys, DSA or RSA private keys, etc.) and traffic encryption keys. All security data items are stored and protected within the VPN Concentrator tamper evident enclosure (see section "Tamper Evidence" for details on applying tamper evident labels). In addition, most security data items are stored encrypted on VPN Concentrators.
The superuser or administrator can zeroize all critical security parameters by issuing the zeroize command through the administrative interface.
VPN Concentrators, by design, support many Internet security tunneling protocols for protecting data transfer. However, to ensure that the device operates in FIPS mode, the administrator must ensure that the VPN Concentrator is configured such that only the IPSec protocol is used to protect data transmission.
All other tunneling protocols supported by a VPN Concentrator may not be used if compliance with the FIPS 140-1 standard is required.
VPN Concentrators support the capability to update the firmware in a secure manner. The administrator must first zeroize all critical security parameters prior to loading new firmware. Because the VPN Concentrator stores two images of firmware, the administrator must load the firmware successfully twice to ensure that both images stored contain the firmware that is being loaded.
Please note that the administrator is responsible for acquiring the firmware image from a valid Cisco distribution center and for ensuring that this firmware is a FIPS 140-1 validated module.
The VPN 3000 Concentrator allows the following administrative access methods:
Each access method requires that the administrator enter a password for access. The password is checked against a clear-text password stored in RAM on the VPN Concentrator.
The VPN Concentrator also can restrict access based on the IP address of the administrator. For the protocol-based access methods, the source IP address is checked against a configured list of addresses stored on the VPN Concentrator.
In addition, all VPN Concentrators can be administered remotely. An administrator can manage the VPN Concentrator through a direct connection to the console port or through any of the Ethernet interfaces. The administrator can administer and configure the VPN Concentrator through either a command-line interface or through the web-based administration application.
Although all of the access modes listed above are supported, based on the rules of the FIPS 140-1 standard, the only access method that may be used to provide encrypted protection of all data and configuration information is HTTPS (using the TLS protocol). All other access methods supported by the VPN Concentrators either use nonFIPS approved cryptographic algorithms for encryption (HTTPS (SSL), SSH, and SNMP) or do not support any encryption mechanism at all (FTP, Telnet/Console).
Therefore to operate in FIPS mode, you must configure the VPN 3000 Concentrator as follows:
Once configured, you can use the Show FIPS status command to tell whether the VPN 3000 Concentrator is operating in FIPS mode.
The VPN Concentrator protects all critical security parameters through the use of tamper evident labels. The administrator is responsible for properly placing all tamper evident labels. The security labels recommended for FIPS 140-1 compliance are provided in the FIPS Kit (CVPN3000FIPS/KIT), which you can order for any validated model. These security labels are very fragile and cannot be removed without clear signs of damage to the labels.
The following sections describe where to apply the tamper evident labels to the VPN Concentrators.
VPN Concentrator Model 3005 has a smaller and more compact encasing (1U) than that of the VPN Concentrator models 3015-3080. The main encasing of the VPN Concentrator Model 3005 may be removed like the encasing of a personal computer. The VPN Concentrator's encasing is attached with four screws at the rear of the device. In addition, the VPN Concentrator also has a removable front panel.
Both the main encasing and front panel of the VPN Concentrator must be protected through the use of tamper evident labels.
The encasing of the VPN Concentrator Models 3015-3080 is very similar to that of the VPN Concentrator Model 3005. The 3015-3080 models have a larger encasing (2U) and use Scalable Encryption Processing modules (SEPs). The main encasing of the VPN Concentrator models 3015-3080 may be removed like the encasing of a personal computer. The VPN Concentrator encasing is attached with four screws at the rear of the device. In addition, the VPN Concentrator also has a removable front panel.
The main encasing, front panel, and side panel of the VPN Concentrator must be protected through the use of tamper evident labels.
In addition, VPN Concentrator Models 3015-3080 employ SEPs to accelerate IPSec cryptographic operations. The SEPs are located at the back panel of the VPN Concentrators. The SEP devices are attached to the VPN Concentrator by two screws. Security labels must be applied across the SEPs to ensure that these devices are not tampered with.
A VPN Concentrator implements both power-up and conditional self-tests to ensure that the module is functioning properly at all times. Since some VPN Concentrator models (3015, 3030, 3060, and 3080) use the SEP modules (hardware components) to accelerate cryptographic operation, self-tests are performed for both the hardware and software implementations.
The VPN Concentrator performs all power-up self-tests automatically each time it starts. All power-up self-tests must be passed before allowing any operator to perform any cryptographic services. The power-up self-tests are performed after the cryptographic systems are initialized, but prior to the initialization of the LANs. This prevents the module from passing any data during a power-up self-test failure. In the unlikely event a power-up self-test fails, an event is displayed indicating the error and then the module transitions into the FAILURE state. This state does not allow the module to perform any additional operations. The operator may power cycle the module to attempt to clear the error.
Each VPN Concentrator performs the following power-up self-tests as defined in the FIPS 140-1 standard:
Each VPN Concentrator also performs the following conditional self-tests:
In the unlikely event a conditional self-test fails, an event is displayed indicating the error and then the module transitions into the HALTED state. This state does not allow the module to perform any additional operations. The operator may power cycle the module to attempt to clear the error.
This appendix lists cryptographic algorithms that are approved for FIPS and others that are not FIPS approved.
The following cryptographic algorithms are approved for FIPS operation.
Encryption Algorithms
Hashing/Authentication Algorithms
Digital Signature Algorithms
The following cryptographic algorithms are not FIPS compliant algorithms.
Encryption Algorithms
Hashing/Authentication Algorithms
CCIP, the Cisco Powered Network mark, the Cisco Systems Verified logo, Cisco Unity, Fast Step, Follow Me Browsing, FormShare, Internet Quotient, iQ Breakthrough, iQ Expertise, iQ FastTrack, the iQ Logo, iQ Net Readiness Scorecard, Networking Academy, ScriptShare, SMARTnet, TransPath, and Voice LAN are trademarks of Cisco Systems, Inc.; Changing the Way We Work, Live, Play, and Learn, Discover All That's Possible, The Fastest Way to Increase Your Internet Quotient, and iQuick Study are service marks of Cisco Systems, Inc.; and Aironet, ASIST, BPX, Catalyst, CCDA, CCDP, CCIE, CCNA, CCNP, Cisco, the Cisco Certified Internetwork Expert logo, Cisco IOS, the Cisco IOS logo, Cisco Press, Cisco Systems, Cisco Systems Capital, the Cisco Systems logo, Empowering the Internet Generation, Enterprise/Solver, EtherChannel, EtherSwitch, GigaStack, IOS, IP/TV, LightStream, MGX, MICA, the Networkers logo, Network Registrar, Packet, PIX, Post-Routing, Pre-Routing, RateMUX, Registrar, SlideCast, StrataView Plus, Stratm, SwitchProbe, TeleRouter, and VCO are registered trademarks of Cisco Systems, Inc. and/or its affiliates in the U.S. and certain other countries.
All other trademarks mentioned in this document or Web site are the property of their respective owners. The use of the word partner does not imply a partnership relationship between Cisco and any other company. (0201R)
Cisco VPN 3000 Concentrator Series Security Policy
Copyright © 2002, Cisco Systems, Inc.
All rights reserved.
Note This document may be copied in its entirety and without modification. All copies must include the copyright notice and statements on the this page. |
Posted: Mon Apr 8 13:39:13 PDT 2002
All contents are Copyright © 1992--2002 Cisco Systems, Inc. All rights reserved.
Important Notices and Privacy Statement.