Motorola S2500 Security Manual

Motorola network router security policy


Motorola Network Router (MNR)
S2500
Security
Policy
Document Version 1.3
Revision Date: 1/13/2009
Copyright © Motorola, Inc. 2009. May be reproduced only in its original entirety [without revision].


Summary of Contents for Motorola S2500

  • Page 2: Table Of Contents

    8. Security Rules ... 15; 9. Crypto Officer Guidance ... 16; 10. Physical Security Policy ... 17 (Physical Security Mechanisms); 11. Mitigation of Other Attacks Policy ... 17; 12. Definitions and Acronyms ... 17; Critical Security Parameters (CSPs) ... 12; Parameters ... 13; Access ... 17
  • Page 3: Module Overview

    Figure 1 illustrates the cryptographic boundary of the MNR S2500 router. In the photo, blank plates cover slots that can hold optional network interface cards. The FIPS-validated firmware versions are XS-15.1.0.75, XS-15.1.0.76, XS-15.2.0.20, and XS-15.4.0.60.
  • Page 4: Security Level

    AES – CBC mode (128, 192, 256 bit) for IPsec and FRF.17 encryption (Cert. #625); c. HMAC-SHA-1 for IPsec and FRF.17 authentication (Cert. #342); d. SHA-1 for message hash (Cert. #693)
  • Page 5

    DSA 1024 bit – for public/private key pair generation and digital signatures (Cert. #237); g. ANSI X9.31 Deterministic Random Number Generator (DRNG) (Cert. #349). The MNR S2500 router supports the commercially available IKE and Diffie-Hellman protocols for key establishment, IPsec (ESP) and FRF.17 protocols to provide data confidentiality using FIPS-approved encryption and authentication algorithms, and SSHv2 for secure remote access.
  • Page 6

    For each port for which encryption is required, enable encryption on that port using SETDefault [!<portlist>] –CRYPTO CONTrol = Enabled (FIPS 140-2 mode achieved). Table 3 – FIPS Approved mode configuration. To review the cryptographic configuration of the router, use the following command:
  • Page 7

    SHOW –CRYPTO CONFiguration. This command shows a detailed summary of the cryptographic configuration and allows a user to verify that encryption is enabled on user-determined ports and that only FIPS-Approved algorithms are used for encryption and authentication.
  • Page 8: Ports And Interfaces

    Table 4 below provides a listing of the physical ports and logical interfaces for the MNR S2500 router. The MNR S2500 base unit provides a single 10/100 Mbps Ethernet interface and a console port. The MNR S2500 router incorporates two I/O slots for WAN and LAN connectivity and one slot for analog connectivity.
  • Page 9

    Strength of Mechanism: The probability that a random attempt will succeed or a false acceptance will occur is 1/94^7, which is less than 1/1,000,000. Role description: The owner of the cryptographic module with full access to services of the module.
  • Page 10: Access Control Policy

    LEDs on the front panel. • Power-up Self-tests: execute the suite of self-tests required by FIPS 140-2 during power-up, not requiring operator intervention. • Monitor: Perform various hardware support services.
  • Page 11: Roles And Services

    Services: SSHv2, Reboot, Zeroization, Crypto Configuration, Network Configuration, Enable Ports, File System, Authenticated Show Status, Unauthenticated Show Status, Power-up Self-Tests, Monitor, Access Control. Table 7 – Services to Roles mapping.
  • Page 12: Definition Of Critical Security Parameters (Csps)

    7 (to 15) character password used to authenticate to the Crypto Officer (CO) Role; 7 (to 15) character password used to authenticate to the User Role; 7 (to 15) character password used to authenticate accounts created on the module.
  • Page 13: Definition Of Csps Modes Of Access

    Generated for IKE Phase 1 key establishment; Phase 2 Diffie-Hellman public keys used in PFS for key renewal (if configured); Generated for SSH key establishment. Table 9 – Public Keys.
  • Page 14

    Keys, FRF.17 Session Keys, SSH-RSA Private, SSH-DSA Private, SSH Session Keys, SSH DH Private, Root Password, User (Admin), User Accounts, RNG Seed. Table 10 – Services to CSP Access mapping.
  • Page 15: Operational Environment

    Admin, Network Manager, User, and Maintenance. The Crypto Officer role uses the root account. 2. The MNR S2500 router encrypts message traffic using the AES or TDES algorithm. 3. The MNR S2500 router performs the following tests: A. Power-up Self-Tests: 1.
  • Page 16: Crypto Officer Guidance

    DSA) e. Manual key entry test 4. At any time the MNR S2500 router is in an idle state, the operator can command the router to perform the power-up self-test by power-cycling or rebooting the router. 5. Data output is inhibited during key generation, self-tests, zeroization, and error states.
  • Page 17: Physical Security Policy

    10. Physical Security Policy – Physical Security Mechanisms: The MNR S2500 router is composed of industry standard production-grade components. 11. Mitigation of Other Attacks Policy: The module has not been designed to mitigate against other attacks outside the scope of FIPS 140-2.
  • Page 18

    PFS – Perfect Forward Secrecy; RNG – Random Number Generator; SHA – Secure Hash Algorithm; SSH – Secure Shell; SNMP – Simple Network Management Protocol; Tanapa – The part number that is built and stocked for customer orders.
