This is a non-proprietary Cryptographic Module Security Policy for the Contivity™ Extranet
Switch 4500. This security policy describes how the Contivity™ Extranet Switch 4500 meets
the security requirements of FIPS 140-1, and how to operate the Contivity™ Extranet Switch
4500 in a secure FIPS 140-1 mode. This policy was prepared as part of the level 2 FIPS 140-1 certification of the Contivity™ Extranet Switch 4500.
FIPS 140-1 (Federal Information Processing Standards Publication 140-1 -- Security Requirements for Cryptographic Modules) details the U.S. Government requirements for
cryptographic modules. More information about the FIPS 140-1 standard and validation
program is available on the NIST web site at http://csrc.nist.gov/cryptval/.
1.2 References
This document deals only with operations and capabilities of the Contivity™ Extranet Switch
4500 in the technical terms of a FIPS 140-1 cryptographic module security policy. More
information is available on the Contivity™ Extranet Switch 4500 and the entire line of
Contivity™ products from the following sources:
• The Nortel Networks web site contains information on the full line of Contivity
products at www.nortelnetworks.com.
• For answers to technical or sales-related questions, please refer to the contacts listed
on the Nortel Networks web site at www.nortelnetworks.com.
1.3 Terminology
In this document the Nortel Contivity™ Extranet Switch 4500 is referred to as the switch, the
Contivity™ Switch, module, or system.
1.4 Document Organization
The Security Policy document is part of the complete FIPS 140-1 Submission Package. In
addition to this document, the complete Submission Package contains:
♦ Vendor Evidence document
♦ Finite State Machine
♦ Module Software Listing
♦ Other supporting documentation as additional references
This document provides an overview of the Contivity™ Switch and explains the secure
configuration and operation of the module. This introduction section is followed by Section 2,
which details the general features and functionality of the Contivity™ Switch. Section 3
specifically addresses the required configuration for the FIPS-mode of operation.
This Security Policy and other Certification Submission Documentation was produced by
Corsec Security, Inc. under contract to Nortel Networks. With the exception of this Non-Proprietary Security Policy, the FIPS 140-1 Certification Submission Documentation is Nortel proprietary and is releasable only under appropriate non-disclosure agreements. For access to
these documents, please contact Nortel Networks.
The Nortel Networks Contivity Extranet Switch 4500 provides a scalable, secure, manageable
remote access server that meets FIPS 140-1 level 2 requirements. This section will describe
the general features and functionality provided by the Contivity Extranet Switch. Section 3 will
provide further details on how the Contivity Switch addresses FIPS 140-1 requirements.
2.1 Cryptographic Module
The Contivity Extranet Switch combines remote access protocols, security, authentication,
authorization, and encryption technologies into a single solution.
Figure 1 – The Contivity Extranet 4500 Switch
The Switch can support up to 5,000 simultaneous user sessions, allowing each user to exercise
a variety of secure connections and services. The Switch supports a number of secure
network-layer and data-link-layer protocols including Internet Protocol Security (IPSec), Point-to-Point Tunneling Protocol (PPTP), Layer Two Tunneling Protocol (L2TP), and Layer Two
Forwarding (L2F). The architecture for the Switch is user-centric, where an individual user or
group of users can be associated with a set of attributes that provide custom access to the
Extranet. In effect, you can create a personal Extranet based on the special needs of a user or
group.
2.2 Module Interfaces
The interfaces for the Switch are located on the rear panel as shown in Figure 2.