Figure 1 illustrates the cryptographic boundary of the MNR S2500 router. In the photo, blank plates cover slots that can hold optional network interface cards. The FIPS validated firmware versions are XS-15.1.0.75, XS-15.1.0.76, XS- 15.2.0.20, and XS-15.4.0.60.
AES - CBC mode(128, 192, 256 bit) for IPsec and FRF.17 encryption (Cert. #625) c. HMAC-SHA-1 for IPsec and FRF.17 authentication (Cert. #342) d. SHA-1 for message hash (Cert. #693) MNR S2500 Security Policy Version 1.3, Revision Date: 1/13/2009 Level...
Page 5
DSA 1024 bit – for public/private key pair generation and digital signatures (Cert. #237) g. ANSI X9.31 Deterministic Random Number Generator (DRNG) (Cert .#349) The MNR S2500 router supports the commercially available IKE and Diffie-Hellman protocols for key establishment, IPsec (ESP) and FRF.17 protocols to provide data confidentiality using FIPS-approved encryption and authentication algorithms and SSHv2 for secure remote access.
Page 6
For each port for which encryption is required, enable encryption on that port using SETDefault [!<portlist>] –CRYPTO CONTrol = Enabled FIPS-140-2 mode achieved Table 3 – FIPS Approved mode configuration To review the cryptographic configuration of the router, use the following command: MNR S2500 Security Policy Version 1.3, Revision Date: 1/13/2009 Page 6...
Page 7
MNR S2500 Security Policy Version 1.3, Revision Date: 1/13/2009 SHOW –CRYPTO CONFiguration This command shows a detailed summary of the cryptographic configuration and allows a user to verify that encryption is enabled on user-determined ports and that only FIPS-Approved algorithms are used for encryption and authentication.
Table 4 below provides a listing of the physical ports and logical interfaces for the MNR S2500 router. The MNR S2500 base unit provides a single 10/100 Mbps Ethernet interface and a console port. The MNR S2500 router incorporates two I/O slots for WAN and LAN connectivity and one slot for analog connectivity.
Page 9
Strength of Mechanism The probability that a random attempt will succeed or a false acceptance will occur is 1/94^7 which is less than 1/1,000,000. MNR S2500 Security Policy Description The owner of the cryptographic module with full access to services of the module.
LEDs on the front panel. • Power-up Self-tests: execute the suite of self-tests required by FIPS 140-2 during power- up not requiring operator intervention. • Monitor: Perform various hardware support services MNR S2500 Security Policy Version 1.3, Revision Date: 1/13/2009 Page 10...
SSHv2 Reboot Zeroization Crypto Configuration Network Configuration Enable Ports File System Authenticated Show Status Unauthenticated Show Status Power-up Self-Tests Monitor Access Control Table 7 – Services to Roles mapping MNR S2500 Security Policy Version 1.3, Revision Date: 1/13/2009 Page 11...
7 (to 15 ) character password used to authenticate to the CO Role Officer 7 (to 15) character password used to authenticate to the User Role 7 (to 15) character password used to authenticate accounts created on the module MNR S2500 Security Policy Version 1.3, Revision Date: 1/13/2009 Crypto Page 12...
Generated for IKE Phase 1 key establishment Phase 2 Diffie Hellman public keys used in PFS for key renewal (if configured) Generated for SSH key establishment Table 9 – Public Keys MNR S2500 Security Policy Version 1.3, Revision Date: 1/13/2009 Page 13...
Admin, Network Manager, User, and Maintenance. The Crypto Officer role uses the root account. 2. The MNR S2500 router encrypts message traffic using the AES or TDES algorithm. 3. The MNR S2500 router performs the following tests: A. Power up Self-Tests: 1.
DSA) e. Manual key entry test 4. At any time the MNR S2500 router is in an idle state, the operator can command the router to perform the power-up self-test by power-cycling or rebooting the router. 5. Data output is inhibited during key generation, self-tests, zeroization, and error states.
10. Physical Security Policy Physical Security Mechanisms The MNR S2500 router is composed of industry standard production-grade components. 11. Mitigation of Other Attacks Policy The module has not been designed to mitigate against other attacks outside the scope of FIPS 140-2.
Page 18
MNR S2500 Security Policy Version 1.3, Revision Date: 1/13/2009 PFS – Perfect Forward Secrecy RNG – Random Number Generator SHA – Secure Hash Algorithm SSH – Secure Shell SNMP – Simple Network Management Protocol Tanapa - The part number that is built and stocked for customer orders.