Infoblox Trinzic HW Appliances
FIPS 140-2 Non-Proprietary Security Policy
Security Level 2 Validation
Version 1.1
April 2023

Prepared by:
Accredited Testing & Evaluation Labs
6841 Benjamin Franklin Drive
Columbia, MD 21046

Infoblox Trinzic DDI Appliances | FIPS 140-2 Non-Proprietary Security Policy

Table of Contents

1. Overview
2. Introduction
2.1. Infoblox Trinzic 805 Series Appliances
2.2. Infoblox Trinzic 1405 Series Appliances
2.3. Infoblox 2205 Series DDI Appliances
2.4. Infoblox 4005 Series DDI Appliances
3. Cryptographic Module Specification
3.1. Security Level Summary
3.2. Cryptographic Boundary
3.3. Block Diagram
3.4. Secure Initialization
3.5. Approved Algorithms
3.6. Allowed Algorithms
3.7. Allowed Algorithms With No Security Claimed
3.8. Non-Approved Algorithms Table
4. Cryptographic Module Ports and Interfaces
4.1. Logical and Physical Interfaces
5. Roles, Services, and Authentication
5.1. Roles
5.2. Services
5.2.1. Crypto-Officer Services
5.2.2. User Services
5.2.3. Unauthenticated Services
5.2.4. Non-Approved Services
5.3. Authentication
6. Physical Security
6.1. Tamper Evident Label Placement
7. Operational Environment
8. Cryptographic Key Management
9. Self-Tests
9.1. Power-on Self-Tests
9.2. Conditional Self-Tests
9.3. Critical Functions Tests
A. Appendices

Table of Tables

Table 1 Hardware Versions
Table 2 Security Level Summary
Table 3 Approved Algorithms
Table 4 Allowed Algorithms
Table 5 Non-Approved Algorithms
Table 6 Logical and Physical Interfaces
Table 7 Crypto-Officer Services
Table 8 User Services
Table 9 Unauthenticated Services
Table 10 Non-approved Services
Table 11 Tamper Evident Labels
Table 12 Infoblox Trinzic 805 series Tamper Evident Label Placement
Table 13 Infoblox Trinzic 1405 Series Tamper Evident Label Placement
Table 14 Infoblox Trinzic 2205 and 4005 series Tamper Evident Label Placement
Table 15 Cryptographic Keys and CSPs

1. Overview

This document is a non-proprietary FIPS 140-2 Security Policy for Infoblox’s Trinzic Appliances running the Network Identity Operating System (NIOS). This policy describes how these Infoblox Trinzic HW Appliances (hereafter referred to as the “module”) meet the requirements of FIPS 140-2. This document also describes how to configure the module into the FIPS 140-2 Approved mode. This document was prepared as part of a FIPS 140-2 overall Security Level 2 validation for a multi-chip standalone hardware module.
The Federal Information Processing Standards Publication 140-2 - Security Requirements for Cryptographic Modules (FIPS 140-2) details the United States Federal Government requirements for cryptographic modules. Detailed information about the FIPS 140-2 standard and validation program is available on the NIST (National Institute of Standards and Technology) website at https://csrc.nist.gov/projects/cryptographic-module-validation-program.

2. Introduction

Infoblox Trinzic HW appliances are available in a variety of options to match an organization’s specific requirements. They integrate with a broad array of automation and orchestration platforms and are simple to deploy through flexible licensing. Appliances within a given series share the same hardware model, and are differentiated by licensing features. The following models were tested as part of this validation with the NIOS version 8.5.2 with Hotfix-NIOS_8.5.2_409296_J81082-506fbabaabd86fbe9c99de0b49c9a7f8-Mon-Oct-25-08-19-32-2021 firmware.

| Trinzic Hardware Model | Trinzic Appliance | CAVP Operational Environment |
|---|---|---|
| 805 | TE-815, TE-825, TR-805, ND-805 | Intel Core i3 (Skylake) with AES-NI |
| 1405 | TE-1415, TE-1425, TR-1405, ND-1405 | Intel Xeon E3 (Skylake) with AES-NI |
| 2205 | TE-2215, TE-2225, TR-2205, ND-2205 | Intel Xeon E5 (Broadwell) with AES-NI |
| 4005 | TE-4015, TE-4025, TR-4005, ND-4005 | Intel Xeon E5 (Broadwell) with AES-NI |

Table 1 Hardware Versions

2.1. Infoblox Trinzic 805 Series Appliances

Figure 1 Trinzic 805 Series Appliance

The Infoblox 805 Series are 1-U platforms that can be installed in a standard equipment rack.

The Trinzic TE-815 and TE-825 network services appliances provide core network services, including DNS (Domain Name System), DHCP (Dynamic Host Configuration Protocol), IPAM (IP Address Management), and NTP (Network Time Protocol). You can configure and manage the Trinzic 805 series appliances through the Infoblox Grid Manager.
The TE-815 and TE-825 appliances are recommended to operate as Grid members, and can operate with a second appliance of the same model in high availability (HA) mode. Key features of the appliances include the following:

● Support for Grid management and all administrative features for Infoblox IPAM, DNS, DDNS, and DHCP
● High availability support
● LOM (Lights Out Management) support

The Network Insight ND-805 is a high performance network appliance that provides an expanded device discovery and network discovery feature set, using SNMP and other protocols to discover, query, and catalogue network devices such as enterprise Ethernet switches, routers, firewalls and other security devices, VoIP softswitches, load balancers, and end host devices. You can configure and manage the ND-805 through the Grid Manager. For more information about Discovery features and licensing, refer to the Infoblox NIOS Administrator Guide. Key features of the ND-805 appliance include the following:

● Three (3) active 1GbE Ethernet interfaces: two (2) active interfaces to support Device Discovery features, and one interface (MGMT) designated for device management (the HA port is inactive and reserved for future use)
● Management through the Infoblox Grid
● LOM (Lights Out Management) support

The Trinzic Reporting TR-805 is a reporting appliance that collects data from Infoblox Grid members, stores the data in the reporting database, and generates reports that provide statistical information about IPAM, DNS, DHCP, and system activities and performance. You can configure and manage the TR-805 and view reports through the Grid Manager. For more information about Reporting features and licensing, refer to the Infoblox NIOS Administrator Guide.
Key features of the TR-805 appliance include the following:

● Three (3) active 1GbE Ethernet interfaces: two (2) active interfaces to collect data for event reporting, and one interface (MGMT) designated for device management (the HA port is inactive and reserved for future use)
● Management through the Infoblox Grid
● LOM (Lights Out Management) support

2.2. Infoblox Trinzic 1405 Series Appliances

Figure 2 Trinzic 1405 Series Appliance

The Infoblox 1405 Series platforms are 1-U appliances that you can efficiently mount in a standard equipment rack.

The Trinzic TE-1415 and TE-1425 are high performance network appliances that provide core network services, including DNS (Domain Name System), DHCP (Dynamic Host Configuration Protocol), IPAM (IP Address Management), and NTP (Network Time Protocol). A TE-1415 and TE-1425 appliance can be set up as a Grid member or a Grid Master. The appliance can operate with a second appliance of the same model in high availability (HA) mode. You configure and manage these appliances through the Infoblox Grid Manager.

Key features of the appliances are as follows:

● Support for Grid management and all administrative features for Infoblox IPAM, DNS, DDNS, DHCP, DNS Firewall, Advanced DNS Protection, and Threat Insight.
● High availability support.
● LOM (Lights Out Management) support.
● Replaceable hard disk drives.
● Hot-swappable AC power supplies.
● Additional AC power supply for a redundant 1+1 configuration.
● Optional DC power supplies.
● Optional 10GbE or 1GbE SFP+/SFP system configurations for fiber or copper support.
The Network Insight ND-1405 is a high performance network appliance that provides powerful device discovery and network discovery features, using SNMP and other protocols to discover, query, manage and catalogue network devices such as enterprise Ethernet switches, routers, firewalls and other security devices, VoIP softswitches, load balancers, and end host devices. You configure and manage ND-1405 appliances through the Grid Manager. For more information about the discovery features and licensing, refer to the Infoblox NIOS Administrator Guide.

Key features of the Network Insight ND-1405 appliance include the following:

● Three (3) active 1GbE Ethernet interfaces: two (2) active interfaces to support Device Discovery features, and one interface (MGMT) for device management. (The HA port is reserved for future use.)
● Management through the Infoblox Grid.
● LOM (Lights Out Management) support.
● Replaceable hard disk drives.
● Hot-swappable AC power supplies.
● Additional AC power supply for a redundant 1+1 configuration.
● Optional DC power supplies.
● Optional 10GbE or 1GbE SFP+/SFP system configurations for fiber or copper support.

The Trinzic Reporting TR-1405 is a high performance network appliance that collects data from Infoblox Grid members, stores the data in the reporting database, and generates reports that provide statistical information about IPAM, DNS, DHCP, and system activities and performance. You configure and manage the TR-1405 and view reports through the Grid Manager. For more information about Reporting features and licensing, refer to the Infoblox NIOS Administrator Guide.

Key features of the TR-1405 appliance include the following:

● Three (3) active 1GbE Ethernet interfaces: two (2) active interfaces to support reporting features across the network, and one interface (MGMT) for device management. (The HA port is reserved for future use.)
● Management through the Infoblox Grid.
● LOM (Lights Out Management) support.
● Replaceable hard disk drives.
● RAID 1 redundant hard disk array.
● Hot-swappable AC or DC power supplies in a redundant 1+1 configuration.
● Optional 10GbE or 1GbE SFP+/SFP system configurations for fiber or copper support.

2.3. Infoblox 2205 Series DDI Appliances

Figure 3 Trinzic 2205 Series Appliance

The Infoblox 2205 series are 2-U appliances that you can efficiently mount in a standard equipment rack.

Trinzic TE-2215 and TE-2225 are high performance network appliances that provide core network services, including DNS (Domain Name System), DHCP (Dynamic Host Configuration Protocol), IPAM (IP Address Management), and NTP (Network Time Protocol). A TE-2215 and TE-2225 appliance can be set up as a Grid member or a Grid Master. The appliance can operate with a second appliance of the same model in high availability (HA) mode. You configure and manage the Trinzic appliances through the Infoblox Grid Manager.

Key features of the appliances are as follows:

● Support for Grid management and all administrative features for Infoblox IPAM, DNS, DDNS, and DHCP.
● High availability support.
● LOM (Lights Out Management) support.
● Field replaceable hard disk drives and fan modules.
● Hot-swappable AC or DC power supplies with support for a redundant 1+1 configuration.
● Optional 10GbE or 1GbE SFP+/SFP system configurations for fiber or copper support.

The Network Insight ND-2205 is a high performance network appliance that provides device discovery and network discovery features, using SNMP and other protocols to discover, query, manage and catalogue network devices such as enterprise Ethernet switches, routers, firewalls and other security devices, VoIP softswitches, load balancers, end host devices and more. You configure the ND-2205 appliance through Infoblox Grid Manager. For more information about the Discovery features, refer to the Infoblox NIOS Administrator Guide.
Key features of the Network Insight ND-2205 appliance include the following:

● Three (3) active 1GbE Ethernet interfaces: two (2) active interfaces to support Device Discovery features, and one interface (MGMT) for device management. (The HA port is inactive and reserved for future use.)
● Management through the Infoblox Grid.
● LOM (Lights Out Management) support.
● Replaceable hard disk drives and fan modules.
● Hot-swappable AC or DC power supplies in a redundant 1+1 configuration.
● Alternative system configurations for the support of copper or fiber SFP 1GbE and SFP+ 10GbE interfaces, with support for mixed copper/fiber configurations.

The Trinzic Reporting TR-2205 is a high performance network appliance that collects data from Infoblox Grid members, stores the data in the reporting database, and generates reports that provide statistical information about IPAM, DNS, DHCP, and system activities and performance. You configure and manage the TR-2205 and view its reports through the Infoblox Grid Manager. For more information about Reporting features and licensing, refer to the Infoblox NIOS Administrator Guide.

Key features of the Trinzic Reporting TR-2205 appliance include the following:

● Three (3) active 1GbE Ethernet interfaces: two (2) active interfaces to support event reporting features across the network, and one interface (MGMT) designated for device management. (The HA port is inactive and reserved for future use.)
● Management through the Infoblox Grid.
● LOM (Lights Out Management) support.
● Replaceable hard disk drives and fan modules.
● Hot-swappable AC or DC power supplies in a redundant 1+1 configuration.
● Optional 10GbE or 1GbE SFP+/SFP system configurations for fiber or copper support.

2.4. Infoblox 4005 Series DDI Appliances

Figure 4 Trinzic 4005 Series Appliance

The Infoblox 4005 Series are 2-U appliances that you can efficiently mount in a standard equipment rack.

The Trinzic TE-4015 and TE-4025 are high performance network appliances that provide core network services, including DNS (Domain Name System), DHCP (Dynamic Host Configuration Protocol), IPAM (IP Address Management), and NTP (Network Time Protocol). A TE-4015 and TE-4025 appliance can be set up as a Grid member or a Grid Master. The appliance can operate with a second appliance of the same model in high availability (HA) mode. You configure and manage the Trinzic appliances through the Infoblox Grid Manager.

Key features of the IB-4015 and IB-4025 include the following:

● Support for Grid management and all administrative features for Infoblox IPAM, DNS, DDNS, and DHCP.
● Optional 10GbE or 1GbE SFP+/SFP system configurations for fiber or copper support.
● High availability support.
● LOM (Lights Out Management) support.
● Field replaceable hard disk drives and fan modules.
● Hot-swappable AC supplies.
● Optional DC power supplies.

The Network Insight ND-4005 is a high performance network appliance that supports device discovery and network discovery features, using SNMP and other protocols to discover, query, manage and catalogue network devices such as enterprise Ethernet switches, routers, firewalls and other security devices, VoIP softswitches, load balancers, end host devices and more. You configure the ND-4005 appliance through Infoblox Grid Manager. For more information about the Discovery features, refer to the Infoblox NIOS Administrator Guide.

Key features of the Network Insight ND-4005 appliance include the following:

● Three (3) active 1GbE Ethernet interfaces: two (2) active interfaces to support Device Discovery features, and one interface (MGMT) for device management. (The HA port is inactive and reserved for future use.)
● Optional 10GbE or 1GbE SFP+/SFP system configurations for fiber or copper support.
● Management through the Infoblox Grid.
● LOM (Lights Out Management) support.
● Replaceable hard disk drives and fan modules.
● Hot-swappable AC or DC power supplies in a redundant 1+1 configuration.

The Infoblox Reporting TR-4005 is a high performance network appliance that collects data from Infoblox Grid members, stores the data in the reporting database, and generates reports that provide statistical information about IPAM, DNS, DHCP, and system activities and performance. You configure and manage the TR-4005 and view its reports through the Infoblox Grid Manager. For more information about Reporting features and licensing, refer to the Infoblox NIOS Administrator Guide.

Key features of the Trinzic Reporting TR-4005 appliance include the following:

● Three (3) active 1GbE Ethernet interfaces: two (2) active interfaces to support event reporting features across the network, and one interface (MGMT) designated for device management. (The HA port is inactive and reserved for future use.)
● Optional 10GbE or 1GbE SFP+/SFP system configurations for fiber or copper support.
● Management through the Infoblox Grid.
● LOM (Lights Out Management) support.
● Replaceable hard disk drives and fan modules.
● Hot-swappable AC or DC power supplies in a redundant 1+1 configuration.

3. Cryptographic Module Specification

3.1. Security Level Summary

The security level claimed for each section of the FIPS 140-2 standard is as follows:

| Section | Title | Level |
|---|---|---|
| 1 | Cryptographic Module Specification | 2 |
| 2 | Module Ports and Interfaces | 2 |
| 3 | Roles, Services, and Authentication | 2 |
| 4 | Finite State Model | 2 |
| 5 | Physical Security | 2 |
| 6 | Operational Environment | Not Applicable |
| 7 | Cryptographic Key Management | 2 |
| 8 | EMI/EMC | 2 |
| 9 | Self-Tests | 2 |
| 10 | Design Assurance | 2 |
| 11 | Mitigation of Other Attacks | Not Applicable |
| Overall | | 2 |

Table 2 Security Level Summary

3.2. Cryptographic Boundary

The cryptographic boundary for the module is the edge (front, back, left, right, top, and bottom surfaces) of the physical enclosure.

3.3. Block Diagram

Figure 5 Block Diagram

3.4. Secure Initialization

The following steps should be followed to initialize the module into the FIPS Approved mode of operation:

● The module must be running NIOS version 8.5.2 with Hotfix-NIOS_8.5.2_409296_J81082-506fbabaabd86fbe9c99de0b49c9a7f8-Mon-Oct-25-08-19-32-2021.bin2.
● Tamper evident labels must be applied according to Section 6.1 of this document.
● FIPS mode must be enabled in the NIOS CLI via command ‘set fips_mode’.
● The password policy must be set such that the Minimum Password Length is at least 6 characters. This can be accomplished via the procedures outlined in the Infoblox NIOS Administrator Guide, section “Managing Passwords”.
● The BloxTools feature must not be enabled when operating in the FIPS Approved mode.
● The Support Access feature must not be enabled when operating in the FIPS Approved mode.
● RADIUS Authentication must not be used in the FIPS Approved mode.
● TACACS+ Authentication must not be used in the FIPS Approved mode.
● Cisco ISE Integration must not be used in the FIPS Approved mode.
● Microsoft Server Integration must not be used in the FIPS Approved mode.
● SNMPv1/v2 must not be used in the FIPS Approved mode.
● The module must not be connected to a NIOS grid in the FIPS Approved mode.
● The HTTPS protocol must be used for the vDiscovery service.
● Keys/CSPs generated in FIPS mode cannot be used in non-FIPS mode and vice-versa.

Failure to follow the above procedures will result in the module operating in a non-approved mode.

3.5. Approved Algorithms

The module supports the following approved algorithms for use in the approved mode. Although the module’s cryptographic implementation supports more options than listed below, only those listed are usable by the module.

| CAVP Cert | Algorithm | Standard | Mode/Method | Key Lengths, Curves or Moduli | Use |
|---|---|---|---|---|---|
| A2507 | AES | FIPS 197 | CBC, CBC-CS3, CFB128 | 128, 256 | Data Encryption / Decryption |
| Vendor Affirmed | CKG | SP 800-133r2 Sections 5.1, 5.2, and 6.1 | | | Key Generation |
| A2507 | KAS-ECC-SSC | SP 800-56A Rev3 | KAS ECC (ephemeralUnified) | P-256, P-384, P-521 | Key Agreement |
| A2507 | KAS-FFC-SSC | SP 800-56A Rev3 | KAS FFC (dhEphem) | MODP-2048, FFDHE2048 | Key Agreement |
| A2507 | CVL (TLS 1.0/1.1/1.2) [1] | SP 800-135 Rev1 | TLS 1.2: SHA-256, SHA-384 | | Key Derivation |
| A2505 | CVL (SNMP) | SP 800-135 Rev1 | | | Key Derivation |
| A2506 | CVL (SSH) | SP 800-135 Rev1 | SHA-1, SHA-256, SHA-384, SHA-512 | | Key Derivation |
| KAS-SSC Cert. #A2507, CVL Cert. #A2506 | KAS | SP 800-56A Rev3 | KAS-FFC and KAS-ECC with SSH KDF | 2048 bits (KAS FFC), 256, 384, and 521 bits (KAS ECC) | Key establishment methodology provides 112 bits (KAS-FFC) or between 128 and 256 bits (KAS-ECC) of encryption strength. |
| KAS-SSC Cert. #A2507, CVL Cert. #A2507 | KAS | SP 800-56A Rev3 | KAS-FFC with TLS 1.0/1.1/1.2 KDF | 2048 bits | Key establishment methodology provides 112 bits of encryption strength. |
| A2503 | DRBG | SP 800-90A Rev1 | HMAC-SHA-256 | | Deterministic Random Bit Generation |
| A2507 | DRBG | SP 800-90A Rev1 | HMAC-SHA-256 | | Deterministic Random Bit Generation |
| N/A | ENT (NP) | SP 800-90B | | | Entropy Source |
| A2507 | ECDSA | FIPS 186-4 | | P-256, P-384, P-521 (w/ SHA-224, SHA-256, SHA-384, or SHA-512) | ECC Key Generation [2], Digital Signature Verification |
| A2507 | HMAC | FIPS 198-1 | HMAC-SHA-1-96, HMAC-SHA-1, HMAC-SHA-256 | 160, 256 | Message Authentication |
| A2507 | KTS | SP 800-38F | AES-CBC, HMAC-SHA-1 | AES: 128, 256; HMAC: 160 | Key Transport. Key establishment methodology provides 128 or 256 bits of encryption strength. |
| A2507 | RSA | FIPS 186-4 | X9.31, PKCS1_V1_5, PSS | 2048, 3072, 4096 (w/ SHA-224, SHA-256, SHA-384, or SHA-512) | Key Generation, Digital Signature Generation and Verification |
| A2507 | SHS | FIPS 180-4 | SHA-1, SHA-256 | | Message Digest |

Table 3 Approved Algorithms

[1] No parts of the TLS, SSH, SNMP protocols other than the KDF have been reviewed or tested by the CAVP and CMVP.
[2] The ECC keys used for EC-Diffie-Hellman are generated according to FIPS 186-4.

3.6. Allowed Algorithms

The following algorithms are non-approved but allowed for use in the approved mode.

| Algorithm | Caveat | Use |
|---|---|---|
| RSA | Key Wrapping, key establishment methodology provides between 112 and 150 bits of encryption strength | Key Wrapping |

Table 4 Allowed Algorithms

3.7. Allowed Algorithms With No Security Claimed

The following algorithms are non-approved but allowed for use in the approved mode with no security claimed.

| Algorithm | Caveat | Use |
|---|---|---|
| HMAC-MD5 | Only allowed for use with TLS protocol. | TLS 1.0/1.1, Internals (i.e. objects comparison) HMAC for cookie. |
| MD5 | Only allowed for use with TLS protocol. | TLS 1.0/1.1, Internals (i.e. objects comparison) HMAC for cookie. |

Table 5 Allowed Algorithms With No Security Claimed

3.8. Non-Approved Algorithms Table

The following algorithms are non-approved for use in the approved mode.

| Algorithm | Caveat | Use |
|---|---|---|
| DES | | Encryption/Decryption |
| KAS-FFC | Non-compliant when used with key sizes less than 2048 bits in length | Key Agreement |
| DSA (non-compliant) | | Key Generation, Signature Generation, Signature Verification |
| HMAC-MD5 | | Keyed Hash |
| MD5 | | Message Digest |
| OpenVPN KDF | | Key Derivation for OpenVPN protocol. |
| RSA | Non-compliant when used with key sizes less than 2048 bits in length | Key Wrapping |

Table 6 Non-Approved Algorithms

4. Cryptographic Module Ports and Interfaces

4.1. Logical and Physical Interfaces

The module’s interfaces can be categorized under the following FIPS 140-2 logical interfaces.

● Data Input
● Data Output
● Control Input
● Status Output
● Power Input Interface

The following table provides a mapping of the module’s interfaces to the FIPS 140-2 defined interface categories.

| Physical Interface [3] | Logical Interface(s) | Description | Notes |
|---|---|---|---|
| Network Interfaces | Data Input, Data Output, Control Input, Status Output | Trinzic 805, 1405, 2205, and 4005 series: Two 10/100/1000 Base-T Ethernet (LAN ports); One 10/100/1000 Base-T Ethernet (HA port); One 10/100/1000 Base-T Ethernet (MGMT port). Trinzic 1405, 2205, and 4005 series: Four 10GbE SFP/SFP+ ports in expansion slot | LED link lights are part of status output. |
| Serial Port | Data Input, Data Output, Control Input, Status Output | Trinzic 805, 1405, 2205, and 4005 series: DB-9 (9600/8n1, Xon/Xoff) | |
| Unit Identification | Control Input, Status Output | Trinzic 805, 1405, 2205, and 4005 series: Front and back | |
| AC Power Supply | Power Input, Status Output | Trinzic 805 series: Input voltage: 100–240 VAC switchable, 50–60 Hz; Output power: 350W. Trinzic 1405 series: One hot-swappable PSU; Input voltage: 100–240 VAC switchable, 50–60 Hz; Output power: 600W. Trinzic 2205 and 4005 series: Two hot-swappable PSUs; Input voltage: 100-240 VAC switchable, 50-60 Hz; Output power: 600W | FIPS kit Tamper Evident Label required |
| DC Power Supply | Power Input, Status Output | Trinzic 1405 series: One hot-swappable PSU; Input voltage: -44–65DC; 600W. Trinzic 2205 and 4005 series: Two hot-swappable PSUs; Input voltage: -44-65DC; 600W | FIPS kit Tamper Evident Label required |
| Chassis Ground | Power Input | Trinzic 805, 1405, 2205, and 4005 series: Included (ground lug) | |
| System Power Switch | Control Input | Trinzic 805, 1405, 2205, and 4005 series: Pin-Hole access “pc standard” Soft Power Switch | |
| System Power LED | Status Output | Trinzic 805, 1405, 2205, and 4005 series: LED indicating system power status | |

Table 7 Logical and Physical Interfaces

[3] Although the module includes a USB port, this port is disabled and unused by the module as of the most recent FIPS 140-2 validation.

5. Roles, Services, and Authentication

5.1. Roles

The module defines user permissions based on roles. Roles are assigned to user groups. Custom roles can be created to restrict access to particular services.

| FIPS Role | Trinzic Role | Description |
|---|---|---|
| Crypto-Officer | Superuser | The Superuser role has full access to all resources on the appliance. Superusers can create limited-access admin groups and grant them specific permissions for Crypto Officer services. |
| | Limited-Access Admin | An admin belonging to a limited-access group which has been granted permissions to Crypto Officer services. |
| User | Limited-Access User | An admin belonging to a limited-access group which has only been granted read permissions to Grid Manager services. |

5.2. Services

Listed below are the services for each of the module’s roles that are approved for use in the FIPS approved mode. Key/CSP Access is specified as:

● Generate (G) – The module generates the Key/CSP
● Read (R) – The module reads the Key/CSP
● Write (W) – The module writes/modifies the Key/CSP
● Execute (E) – The module uses the Key/CSP
● Delete (D) – The module deletes the Key/CSP

5.2.1. Crypto-Officer Services

| Name | Description | Inputs | Outputs | Key/CSP Access (G/R/W/E/D) |
|---|---|---|---|---|
| Infoblox Console Access | NIOS CLI via console to manage appliance. | Commands and configuration data | Status of commands and configuration data | Superuser/Admin Password (E) |
| Infoblox Remote Console Access | NIOS CLI via SSH to manage appliance. | SSH inputs, commands, and data | SSH outputs, commands, and data | Superuser/Admin Password (E); DRBG CSPs (G/E/D); SSHv2 private key (E); SSHv2 public key (E); SSHv2 Diffie-Hellman Private Key (G/E/D); SSHv2 Diffie-Hellman Public Key (G/E/D); SSHv2 Elliptic-Curve Diffie-Hellman Private Key (G/E/D); SSHv2 Elliptic-Curve Diffie-Hellman Public Key (G/E/D); SSHv2 Encryption Key (G/E/D); SSHv2 Authentication Key (G/E/D) |
| Infoblox Grid Manager Access | NIOS web interface to manage appliance | TLS inputs, commands, and data | TLS outputs, commands, and data | DRBG CSPs (G/E/D); X.509 HTTPS Certificate (E); TLS Diffie-Hellman Private Key (G/E/D); TLS Diffie-Hellman Public Key (G/E/D); TLS pre-master secret (G/E/D); TLS master secret (G/E/D); TLS encryption key (G/E/D); TLS authentication key (G/E/D); Superuser/Admin Password (E); X.509 User Certificate (E); X.509 CA Certificate (E) |
| Show Status | View currently logged in user in Grid Manager | N/A | Status and data | None |
| Configure Dashboards | Home page in Grid Manager providing quick access to task, grid and network status. | Commands and configuration data | Status of commands and configuration data | None |
| Configure Smart Folders | Organize core networking service data in Grid Manager. | Commands and configuration data | Status of commands and configuration data | None |
| Manage Licenses | Manage appliance licenses from CLI or Grid Manager | Commands and configuration data | Status of commands and configuration data | None |
| Manage Users | Setting up users, groups, roles, and permissions from Grid Manager | Commands and configuration data | Status of commands and configuration data | Superuser/Admin/User Password (W/D) |
| Manage Remote Authentication Services | Configure remote authentication services for Active Directory, LDAPS, or Certificate Authentication from Grid Manager. | Commands and configuration data | Status of commands and configuration data | LDAPS Bind User Password (W/D); X.509 CA Certificate (R/W/D) |
| Deploy Independent appliances | Deploy Infoblox appliance as a standalone via Grid Manager and CLI. | Commands and configuration data | Status of commands and configuration data | Superuser/Admin Password (E/D) |
| Deploy Cloud Network Automation | Configuring Cloud platform appliances to provide DNS and DHCP service in the cloud from Grid Manager. | Commands and configuration data | Status of commands and configuration data | None |
| Configure Syslog Backups | Configure Syslog to backup over FTP or SCP in Grid Manager | Commands and configuration data | Status of commands and configuration data | DRBG CSPs (G/E/D); SSHv2 Diffie-Hellman Private Key (G/E/D); SSHv2 Diffie-Hellman Public Key (G/E/D); SSHv2 Elliptic-Curve Diffie-Hellman Private Key (G/E/D); SSHv2 Elliptic-Curve Diffie-Hellman Public Key (G/E/D); SSHv2 Encryption Key (G/E/D); SSHv2 Authentication Key (G/E/D) |
| Capture and Export Network Traffic | Capture network traffic on appliance interfaces and export capture file via SCP or TLS. | Commands and configuration data | Status of commands and configuration data | DRBG CSPs (G/E/D); X.509 HTTPS Certificate (E); TLS Diffie-Hellman Private Key (G/E/D); TLS Diffie-Hellman Public Key (G/E/D); TLS pre-master secret (G/E/D); TLS master secret (G/E/D); TLS encryption key (G/E/D); TLS authentication key (G/E/D); SSHv2 Diffie-Hellman Private Key (G/E/D); SSHv2 Diffie-Hellman Public Key (G/E/D); SSHv2 Elliptic-Curve Diffie-Hellman Private Key (G/E/D); SSHv2 Elliptic-Curve Diffie-Hellman Public Key (G/E/D); SSHv2 Encryption Key (G/E/D); SSHv2 Authentication Key (G/E/D) |
| Manage NTP | Manage network time protocol service in Grid Manager | Commands and configuration data | Status of commands and configuration data | None |
| Manage Captive Portal | Manage network captive portal in Grid Manager | Commands and configuration data | Status of commands and configuration data | None |
| Manage IPAM | Managing IP address management services in Grid Manager | Commands and configuration data | Status of commands and configuration data | None |
| Manage File Distribution Service | Managing transfer of files through TFTP, FTP and HTTP in Grid Manager | Commands and configuration data | Status of commands and configuration data | None |

Managing NIOS Software and Configuration Files Performing
software upgrades and downgrades in Grid Manager. (New firmware versions within the scope of this validation must be validated through the FIPS 140-2 CMVP. Any other firmware loaded into this module is out of the scope of this validation and requires a separate FIPS 140-2 validation.) Commands and configuration data Status of commands and configuration data  Software/Firmware Load Test Public Key (W/E) Configure RIR Registration Updates Managing Regional Internet Registries in Grid Manager. Commands and configuration data Status of commands and configuration data None Configure IP Address Management Managing network and IP addresses in Grid Manager and CLI. Commands and configuration data Status of commands and configuration data None Configure IP Discovery and vDiscovery IP discovery for detecting and obtaining information about active hosts in predefined networks in Grid Manager Commands and configuration data Status of commands and configuration data  DRBG CSPs (G/E/D)  X.509 HTTPS Certificate (E)  TLS Diffie-Hellman Private Key (G/E/D)  TLS Diffie-Hellman Public Key (G/E/D)  TLS pre-master secret (G/E/D)  TLS master secret (G/E/D)  TLS encryption key (G/E/D)  TLS authentication key (G/E/D) Infoblox Trinzic DDI Appliances | FIPS 140-2 Non-Proprietary Security Policy 23 Configure Infoblox Network Insight Configure united network discovery for geographically dispersed networks in Grid Manager Commands and configuration data Status of commands and configuration data None Configure Advisor Discovery Properties Configure Advisor properties to monitor lifecycle and vulnerabilities of discovered devices in Grid Manager. 
Commands and configuration data Status of commands and configuration data  DRBG CSPs (G/E/D)  X.509 HTTPS Certificate (E)  TLS Diffie-Hellman Private Key (G/E/D)  TLS Diffie-Hellman Public Key (G/E/D)  TLS pre-master secret (G/E/D)  TLS master secret (G/E/D)  TLS encryption key (G/E/D)  TLS authentication key (G/E/D) Configure DNS Configuring DNS services in Grid Manager Commands and configuration data Status of commands and configuration data None Configure DNSSEC Configure DNSSEC services in Grid Manager Commands and configuration data Status of commands and configuration data  DRBG CSPs (G/E/D)  DNSSEC KSK Private Key (G/E/D)  DNSSEC KSK Public Key (G/W/E/D)  DNSSEC ZSK Private Key (G/W/E/D)  DNSSEC ZSK Public Key (G/W/E/D) Configure DHCP Configuring DHCP services in Grid Manager Commands and configuration data Status of commands and configuration data None Configure Authenticated DHCP Configure DHCP to authenticate users using configured Remote Authentication servers in Grid Manager Commands and configuration data Status of commands and configuration data None Configure Appliance Monitoring Configure monitoring state of appliance, service, database capacity, and ports in Grid Manager Commands and configuration data Status of commands and configuration data None Configure DHCP Fingerprint Detection DHCP fingerprint detection to identify IPv4 and IPv6 devices in Grid Manager Commands and configuration data Status of commands and configuration data None Configure SNMPv3 Configure SNMPv3 in Grid Manager Commands and configuration data Status of commands and configuration data  SNMPv3 Auth Password (W/D)  SNMPv3 Privacy Password (W/D) Infoblox Trinzic DDI Appliances | FIPS 140-2 Non-Proprietary Security Policy 24 Configure SMTP Configure SMTP Notifications in Grid Manager Commands and configuration data Status of commands and configuration data  DRBG CSPs (G/E/D)  X.509 HTTPS Certificate (E)  TLS Diffie-Hellman Private Key (G/E/D)  TLS 
Diffie-Hellman Public Key (G/E/D)  TLS pre-master secret (G/E/D)  TLS master secret (G/E/D)  TLS encryption key (G/E/D)  TLS authentication key (G/E/D) Configure Infoblox Reporting and Analytics Configure automated collection, analysis and presentation of core networking data in Grid Manager Commands and configuration data Status of commands and configuration data None Configure Infoblox Advanced DNS protection Configure threat protection rules to detect, report and stop DoS, DDoS and other network attacks targeting DNS in Grid Manager Commands and configuration data Status of commands and configuration data None Configure Infoblox DNS Firewall Configure DNS Resource policy zones to control DNS lookups in Grid Manager Commands and configuration data Status of commands and configuration data None Configure Infoblox Threat Insight Configure for protecting mission critical DNS infrastructure in Grid Manager Commands and configuration data Status of commands and configuration data None Configure Ecosystem – Outbound Notifications Using RESTful API and DXL for obtaining core network service information Commands and configuration data Status of commands and configuration data  DRBG CSPs (G/E/D)  X.509 HTTPS Certificate (E)  TLS Diffie-Hellman Private Key (G/E/D)  TLS Diffie-Hellman Public Key (G/E/D)  TLS pre-master secret (G/E/D)  TLS master secret (G/E/D)  TLS encryption key (G/E/D)  TLS authentication key (G/E/D)  Superuser/Admin Password (E)  X. 509 User Certificate (E)  X. 
509 CA Certificate (E) Configure Informational GUI Banner Configure informational banner to display in Grid Manager Commands and configuration data Status of commands and configuration data None Configure Dynamic DNS Services Configure Kerberos Authenticated Dynamic DNS services in Grid Manager Commands and configuration data Status of commands and configuration data  GSS-TSIG Encryption Key (W/D)  GSS-TSIG Authentication Key (W/D) Infoblox Trinzic DDI Appliances | FIPS 140-2 Non-Proprietary Security Policy 25 Configure Proxy Server Configure HTTP/HTTPS proxy server in Grid Manager Commands and configuration data Status of commands and configuration data  DRBG CSPs (G/E/D)  X.509 HTTPS Certificate (E)  TLS Diffie-Hellman Private Key (G/E/D)  TLS Diffie-Hellman Public Key (G/E/D)  TLS pre-master secret (G/E/D)  TLS master secret (G/E/D)  TLS encryption key (G/E/D)  TLS authentication key (G/E/D) Download Support Bundle Export support bundle for configuration troubleshooting in Grid Manager Commands and configuration data Status of commands and configuration data  DRBG CSPs (G/E/D)  X.509 HTTPS Certificate (E)  TLS Diffie-Hellman Private Key (G/E/D)  TLS Diffie-Hellman Public Key (G/E/D)  TLS pre-master secret (G/E/D)  TLS master secret (G/E/D)  TLS encryption key (G/E/D)  TLS authentication key (G/E/D) Backup Configuration Backup module configuration via HTTPS or SCP in Grid Manager. 
Commands and configuration data Status of commands and configuration data  DRBG CSPs (G/E/D)  X.509 HTTPS Certificate (E)  TLS Diffie-Hellman Private Key (G/E/D)  TLS Diffie-Hellman Public Key (G/E/D)  TLS pre-master secret (G/E/D)  TLS master secret (G/E/D)  TLS encryption key (G/E/D)  TLS authentication key (G/E/D)  SSHv2 Diffie-Hellman Private Key (G/E/D)  SSHv2 Diffie-Hellman Public Key (G/E/D)  SSHv2 Elliptic-Curve Diffie- Hellman Private Key (G/E/D)  SSHv2 Elliptic-Curve Diffie- Hellman Public Key (G/E/D)  SSHv2 Encryption Key (G/E/D)  SSHv2 Authentication Key (G/E/D) Zeroization Zeroize all keys/CSPs Commands and configuration data Status of commands and configuration data All (D) Table 8 Crypto-Officer Services 5.2.2.User Services Name Description Inputs Outputs Key/CSP Access Authenticated DHCP Authenticate to DHCP server via Remote Access Server Remote authentication inputs and data. Status and Client network configuration  User Password (E)  LDAPS Bind User Password (E)  X. 509 CA Certificate (E) Infoblox Trinzic DDI Appliances | FIPS 140-2 Non-Proprietary Security Policy 26 Infoblox Grid Manager Access NIOS web interface over TLS. TLS inputs, commands, and data TLS outputs, commands, and data  DRBG CSPs (G/E/D)  X.509 HTTPS Certificate (E)  TLS Diffie-Hellman Private Key (G/E/D)  TLS Diffie-Hellman Public Key (G/E/D)  TLS pre-master secret (G/E/D)  TLS master secret (G/E/D)  TLS encryption key (G/E/D)  TLS authentication key (G/E/D)  Superuser/Admin Password (E)  X. 509 User Certificate (E)  X. 509 CA Certificate (E) Show Status View currently logged in user in Grid Manager N/A Status and data None Change User Password Change password of currently authenticated user Commands and configuration data Command status and data  User Password (W/D) Configure Dashboards Configure home page in Grid Manager providing quick access to task, grid and network status. 
Commands and configuration data Status and data None View Dashboards Home page in Grid Manager providing quick access to task, grid and network status. Commands and data Status and data None Access Smart Folders Organize core networking service data in Grid Manager. Commands and data Status and data None View Licenses View appliance licenses from Grid Manager Commands and data Status and data None Infoblox Advanced DNS protection Utilize threat protection rules to detect, report and stop DoS, DDoS and other network attacks targeting DNS in Grid Manager Commands and data Status and data  None DNSSEC Utilize signed DNS queries. Commands and data Status and data  DRBG CSPs (G/E/D)  DNSSEC KSK Private Key (G/E/D)  DNSSEC KSK Public Key (G/W/E/D) Infoblox Trinzic DDI Appliances | FIPS 140-2 Non-Proprietary Security Policy 27  DNSSEC ZSK Private Key (G/W/E/D)  DNSSEC ZSK Public Key (G/W/E/D) Discovery (without Network Insight) IP discovery for detecting and obtaining information about active hosts in predefined networks in Grid Manager Commands and data Status and data None vDiscovery Discovery of assets in AWS, Azure, OpenStack or VMWare environments in Grid Manager Commands and data Status and data  DRBG CSPs (G/E/D)  X.509 HTTPS Certificate (E)  TLS Diffie-Hellman Private Key (G/E/D)  TLS Diffie-Hellman Public Key (G/E/D)  TLS pre-master secret (G/E/D)  TLS master secret (G/E/D)  TLS encryption key (G/E/D)  TLS authentication key (G/E/D) Advisor Discovery Monitor equipment lifecycle and vulnerability data for devices discovered by Network Insight Commands and data Status and data  DRBG CSPs (G/E/D)  X.509 HTTPS Certificate (E)  TLS Diffie-Hellman Private Key (G/E/D)  TLS Diffie-Hellman Public Key (G/E/D)  TLS pre-master secret (G/E/D)  TLS master secret (G/E/D)  TLS encryption key (G/E/D)  TLS authentication key (G/E/D) Cloud Network Automation Manage devices discovered by vDiscovery Commands and data Status and data  DRBG CSPs (G/E/D)  X.509 
HTTPS Certificate (E)  TLS Diffie-Hellman Private Key (G/E/D)  TLS Diffie-Hellman Public Key (G/E/D)  TLS pre-master secret (G/E/D)  TLS master secret (G/E/D)  TLS encryption key (G/E/D)  TLS authentication key (G/E/D) Port Scanning Nmap scans of network. Commands and data Status and data None Infoblox Trinzic DDI Appliances | FIPS 140-2 Non-Proprietary Security Policy 28 NetBIOS Scanning NetBIOS scan of network. Commands and data Status and data None View and Export Log Files View and export log files from Grid Manager. Commands and data Status and data  X.509 HTTPS Certificate (E)  TLS Diffie-Hellman Private Key (G/E/D)  TLS Diffie-Hellman Public Key (G/E/D)  TLS pre-master secret (G/E/D)  TLS master secret (G/E/D)  TLS encryption key (G/E/D)  TLS authentication key (G/E/D)  SSHv2 Diffie-Hellman Private Key (G/E/D)  SSHv2 Diffie-Hellman Public Key (G/E/D)  SSHv2 Elliptic-Curve Diffie- Hellman Private Key (G/E/D)  SSHv2 Elliptic-Curve Diffie- Hellman Public Key (G/E/D)  SSHv2 Encryption Key (G/E/D) SSHv2 Authentication Key (G/E/D) Export Syslog Backups Export syslog to external syslog server via FTP or SCP. Commands and data Status and data  SSHv2 Diffie-Hellman Private Key (G/E/D)  SSHv2 Diffie-Hellman Public Key (G/E/D)  SSHv2 Elliptic-Curve Diffie- Hellman Private Key (G/E/D)  SSHv2 Elliptic-Curve Diffie- Hellman Public Key (G/E/D)  SSHv2 Encryption Key (G/E/D)  SSHv2 Authentication Key (G/E/D) Capture and Export Network Traffic Capture network traffic on appliance interfaces and export capture file via SCP or TLS. 
Commands and data Status and data  X.509 HTTPS Certificate (E)  TLS Diffie-Hellman Private Key (G/E/D)  TLS Diffie-Hellman Public Key (G/E/D)  TLS pre-master secret (G/E/D)  TLS master secret (G/E/D)  TLS encryption key (G/E/D)  TLS authentication key (G/E/D)  SSHv2 Diffie-Hellman Private Key (G/E/D)  SSHv2 Diffie-Hellman Public Key (G/E/D)  SSHv2 Elliptic-Curve Diffie- Hellman Private Key (G/E/D)  SSHv2 Elliptic-Curve Diffie- Hellman Public Key (G/E/D)  SSHv2 Encryption Key (G/E/D)  SSHv2 Authentication Key (G/E/D) SNMPv3 Send SNMPv3 traps SNMPv3 inputs, commands, and data SNMPv3 outputs, status, and data  SNMPv3 encryption key (G/E/D)  SNMPv3 authentication key (G/E/D) Infoblox Trinzic DDI Appliances | FIPS 140-2 Non-Proprietary Security Policy 29 Infoblox Reporting and Analytics Collect automated collection, analysis and presentation of core networking data. Commands and data Status and data None Ecosystem – Outbound Notifications Using RESTful API and DXL for obtaining core network service information TLS inputs, commands, and data TLS outputs, status, and data  X.509 HTTPS Certificate (E)  TLS Diffie-Hellman Private Key (G/E/D)  TLS Diffie-Hellman Public Key (G/E/D)  TLS pre-master secret (G/E/D)  TLS master secret (G/E/D)  TLS encryption key (G/E/D)  TLS authentication key (G/E/D)  Superuser/Admin Password (E)  X. 509 User Certificate (E)  X. 509 CA Certificate (E) Table 9 User Services 5.2.3.Unauthenticated Services Name Description Inputs Outputs Captive Portal Access captive portal. Commands and data Command status and data DNS Domain Name Service queries. Commands and data Command status and data DHCP Receive network configuration from appliance DHCP server. Commands and data Command status and data File Distribution Service Appliance hosted FTP, TFTP, or HTTP file distribution service. *Cannot be used to distribute keys or CSPs. 
Commands and data Command status and data NTP Receive network time protocol updates from appliance NTP service. Commands and data Command status and data View Console Status DB-9 Console Output. None Status and data Infoblox Trinzic DDI Appliances | FIPS 140-2 Non-Proprietary Security Policy 30 On-Demand Self- Tests On-demand self-tests invoked by rebooting the module. None Status and data Table 10 Unauthenticated Services 5.2.4.Non-Approved Services The following services are non-approved for use in the FIPS approved mode. Name Description Support Access Support Access SSH service bloxTools Pre-installed environment to host custom webbased applications RADIUS Authentication Remote user authentication using RADIUS protocol TACACS+ Authentication Remote user authentication using TACACS+ protocol Cisco ISE Integration Authenticating to Cisco Identity Services Engine Microsoft Server Integration Managing Microsoft DNS/DHCP servers using BIND SNMPv1/v2 Simple Network Management Protocol versions 1 and 2 Deploy Grid Creating and managing Grid master and members via Grid Manager and CLI. Table 11 Non-approved Services Infoblox Trinzic DDI Appliances | FIPS 140-2 Non-Proprietary Security Policy 31 5.3. Authentication The module has the following methods of role based authentication: ● Local password-based authentication ● Remote password-based authentication (Active Directory, LDAPS) ● Remote SAML-based authentication ● Certificate authentication ● Two-Factor authentication Local password-based authentication, Remote password-based authentication Assuming that the Secure Initialization routine is followed, Infoblox enforces a 6 character minimum password, using a 72 character set of a-z, A-Z, 0-9, and “!@#%^&*()”. This results in a bare minimum of 139,314,069,504 (72^6) possible passwords. Thus the FIPS 140-2 requirement that for a single random password attempt the probability of success must be less than 1 in 1,000,000 is satisfied. 
FIPS 140-2 requires that in a 1-minute span, the probability of guessing the password correctly (at random) must be less than 1 in 100,000.

The web interface only allows 5 unsuccessful login attempts per minute. This calculates to a 1 in 27,862,813,900.8 ((72^6)/5) chance of a successful password attempt in a minute, which is less than the 1 in 100,000 requirement.

The SSH interface implements a maximum of 3 tries per login attempt, with each failed attempt adding an incremented delay of 5 seconds. 3 failed attempts will take 30 seconds (5 + 10 + 15); therefore, in 1 minute only 6 attempts can be made. This calculates to a 1 in 23,219,011,584 ((72^6)/6) chance of a successful password attempt in a minute, which is less than the 1 in 100,000 requirement.

The console interface implements a delay of three seconds per invalid login attempt. As such, a maximum of 20 invalid login attempts are possible per minute. This calculates to a 1 in 6,965,703,475.2 ((72^6)/20) chance of a successful password attempt in a minute, which is less than the 1 in 100,000 requirement.

For remote password-authentication the module defers password verification to a trusted authenticator (Active Directory, or LDAPS). This connection is protected by TLS.

Certificate authentication/Two-Factor authentication (Password + X.509 certificate authentication)
If Certificate authentication or Two-Factor authentication is used, the calculations are based on the security-strength of the algorithm of the X.509 certificate. For example, if the X.509 certificate is RSA-2048 w/ SHA-256, then the security-strength is 112 bits (based on SP 800-57). Based on this, a 1 in 2^112 chance is much less than 1 in 1,000,000 per single attempt. With the worst case assumption that the network interface can support up to 29,296,875 ((1,000,000,000 bps / 2048 bits) * 60 seconds) connection attempts per minute, the chance of a successful authentication attempt in a minute calculates to 1 in (2^112)/29,296,875, which satisfies the 1 in 100,000 requirement.

Infoblox Two-Factor authentication provides the option 'Username/password request'. If you select this option, NIOS populates the username from the certificate and requests the password from the user. If you do not select this option, only the certificate is necessary to log in to the appliance.

NIOS performs lookup against local users by default. You can enable remote lookup for user membership (Active Directory or LDAPS). A password must not be empty. Certificates are validated by an OCSP responder.

Remote SAML-based authentication
NIOS uses SAML (Security Assertion Markup Language) 2.0 authentication support for Single-Sign-On in NIOS. SAML provides a standard vendor-independent grammar and protocol for transferring information about a user from one web server to another independent of the server DNS domains. NIOS as a Service Provider uses SAML to defer authentication of users to a trusted authenticator called an Identity Provider (IDP). The IDP provides NIOS with a public-key signed authentication assertion. Refer to the certificate authentication strength justification above.

6. Physical Security
The module must be opaque within the visible spectrum and have tamper evident labels for doors or removable covers in order to be compliant with FIPS 140-2 Security Level 2 requirements. Infoblox provides tamper evident labels (TELs) which must be installed for the module to operate in the FIPS approved mode. The Crypto Officer is responsible for inspecting the TELs regularly[4] for signs of tamper, and should contact Infoblox customer support if any signs of tamper are found.
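The guessing bounds claimed in Section 5.3 (Authentication) can be recomputed with exact arithmetic, which also shows how much headroom each interface has against the 1 in 100,000 per-minute limit. This is an added example, not part of the Infoblox security policy; the function and constant names are assumptions, and the rate-limit figures are the ones the policy states.

```python
from fractions import Fraction

# Limits the policy quotes from FIPS 140-2.
SINGLE_ATTEMPT_LIMIT = Fraction(1, 1_000_000)
PER_MINUTE_LIMIT = Fraction(1, 100_000)

# Figures stated in the policy: 72-symbol alphabet, 6-character minimum.
PASSWORD_SPACE = 72 ** 6
# RSA-2048 with SHA-256 is rated at 112 bits of security strength (SP 800-57).
CERT_SPACE = 2 ** 112


def attempts_with_fixed_delay(delay_s, window_s=60):
    """Console: a constant delay after every invalid login attempt."""
    return window_s // delay_s


def attempts_with_incremental_delay(tries_per_login, step_s, window_s=60):
    """SSH: the n-th failed try of a login costs n * step_s seconds and the
    counter starts over with each new login attempt."""
    elapsed = attempts = 0
    while True:
        for n in range(1, tries_per_login + 1):
            cost = n * step_s
            if elapsed + cost > window_s:
                return attempts
            elapsed += cost
            attempts += 1


def attempts_at_line_rate(bits_per_second, bits_per_attempt, window_s=60):
    """Certificate login: worst case of one attempt per key-sized message."""
    return bits_per_second * window_s // bits_per_attempt


def max_compliant_rate(space):
    """Largest attempts-per-minute value that keeps a/space below the limit."""
    return (space * PER_MINUTE_LIMIT.numerator - 1) // PER_MINUTE_LIMIT.denominator


def assess(space, attempts_per_minute):
    """Check one interface against both limits.

    attempts/space is exact when every guess is distinct and an upper
    bound otherwise."""
    return {
        "attempts_per_minute": attempts_per_minute,
        "one_in_per_minute": Fraction(space, attempts_per_minute),
        "single_ok": Fraction(1, space) < SINGLE_ATTEMPT_LIMIT,
        "minute_ok": Fraction(attempts_per_minute, space) < PER_MINUTE_LIMIT,
        "max_attempts_per_minute": max_compliant_rate(space),
    }


def report():
    """Evaluate the four cases the policy works through."""
    cases = {
        "web": (PASSWORD_SPACE, 5),  # policy: 5 unsuccessful logins/minute
        "ssh": (PASSWORD_SPACE, attempts_with_incremental_delay(3, 5)),
        "console": (PASSWORD_SPACE, attempts_with_fixed_delay(3)),
        "certificate": (CERT_SPACE,
                        attempts_at_line_rate(1_000_000_000, 2048)),
    }
    return {name: assess(space, rate) for name, (space, rate) in cases.items()}


if __name__ == "__main__":
    for name, r in report().items():
        print(f"{name:12s} {r['attempts_per_minute']:>10,} attempts/min  "
              f"1 in {float(r['one_in_per_minute']):,.1f}  "
              f"compliant={r['single_ok'] and r['minute_ok']}  "
              f"headroom up to {r['max_attempts_per_minute']:,}/min")
```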
Label Kit – Description | Label Kit - Part Number
--- | ---
Infoblox Tamper Evident Seal Kit | IB-FIPS

Table 12 Tamper Evident Labels

[4] The inspection interval for the TELs is at the discretion of the Crypto Officer, and their standard operating procedures.

6.1. Tamper Evident Label Placement
The tamper evident labels must be affixed to the module by the Crypto Officer at the following locations after ensuring the applying surface is clean.

Infoblox Trinzic 805 Series Tamper Evident Label Placement (3 labels)
[Label placement images: Front, Rear, Left, Right, Top, Bottom]
Table 13 Infoblox Trinzic 805 series Tamper Evident Label Placement

Infoblox Trinzic 1405 Series Tamper Evident Label Placement (6 labels)
[Label placement images: Front, Rear, Left, Right, Top, Bottom]
Table 14 Infoblox Trinzic 1405 Series Tamper Evident Label Placement

Infoblox Trinzic 2205 and 4005 Series Tamper Evident Label Placement (12 labels)
[Label placement images: Front, Rear, Left, Right, Top, Bottom]
Table 15 Infoblox Trinzic 2205 and 4005 series Tamper Evident Label Placement

7. Operational Environment
The module is a multi-chip standalone hardware module operating with a non-modifiable operational environment.

8. Cryptographic Key Management

Key/CSP Name | Key/CSP Type | Key/CSP Size | Generation/Input[5] | Output | Storage | Zeroization | Use[6]
--- | --- | --- | --- | --- | --- | --- | ---
Superuser / Admin / User Password | Password | 6 (or more) characters, a-z, A-Z, 0-9, or “!@#%^&*()” | Input into module encrypted (via SSH or TLS) | N/A | The password is stored in the module’s persistent memory (DB) | Via zeroization service. | Authentication for Superuser, Limited-Access Admin, or User
LDAPS Bind User Password | Password | 6 (or more) characters, a-z, A-Z, 0-9, or “!@#%^&*()” | Input into module encrypted (via TLS) | N/A | The password is stored in the module’s persistent memory (DB) | Via zeroization service. | Authentication for credential for remote LDAPS server.
Integrity Test Public Key | RSA Public Key (with SHA256 Signature Algorithm) | 4096 bits | Generated internally. | N/A | Stored in the module’s persistent memory | Via zeroization service. | Integrity Test
Integrity Test Private Key | RSA Private Key | 4096 bits | Generated internally. | N/A | Stored in the module’s persistent memory | Via zeroization service. | Integrity Test
Software / Firmware Load Test Public Key | RSA Public Key (with SHA256 Signature Algorithm) | 2048 bits | This key is not generated by the module. | N/A | This key is hard-coded into the module; stored in the module’s persistent memory. | N/A | Software / Firmware Load Test
X.509 CA Certificate | x.509 Certificate with ECDSA, or RSA Public Key (with SHA-224, SHA-256, SHA-384, or SHA-512 Signature Algorithm) | ECDSA: P-256 (256 bits), P-384 (384 bits), P-521 (521 bits); RSA: 2048 bits, 3072 bits, 4096 bits | Generated Externally | Encrypted (via TLS) | Stored in the module’s persistent memory (DB) | Via zeroization service. | External Trusted CA Certificate
X.509 HTTPS Certificate | X.509 Certificate with RSA Public Key (with SHA-256 Signature Algorithm) | 2048 bits, 4096 bits | Generated internally, or input into module encrypted (via TLS) | Encrypted (via TLS) | Stored in the module’s persistent memory (DB) | Via zeroization service. | HTTPS Server Certificate
X.509 HTTPS Certificate Private Key | RSA | 2048 bits, 4096 bits | Generated Internally | N/A | Stored in the module’s persistent memory (DB) | Via zeroization service. | Private key for HTTPS Server Certificate
X.509 Client Certificate | X.509 Certificate with RSA Public Key (with SHA-256 Signature Algorithm) | 2048 bits | Generated Internally | Encrypted (via TLS) | Stored in the module’s persistent memory (DB) | Via zeroization service. | Authenticating the Module to an external server.
X.509 Client Certificate Private Key | RSA | 2048 bits | Generated Internally | N/A | Stored in the module’s persistent memory (DB) | Via zeroization service. | Private Key for Client Certificate
X.509 User Certificate | X.509 Certificate with RSA Public Key (with SHA-256 or SHA-512 Signature Algorithm) | 2048 bits, 3072 bits, 4096 bits | Generated Externally | Plaintext | Stored in the module’s dynamic memory | After user is authenticated | Authenticate user to module.
SSHv2 Private Key | RSA | 2048 bits | Generated internally | N/A | Stored in the module’s persistent memory. | Upon session re-key or termination. | This is the private host key used for SSHv2 authentication
SSHv2 Public Key | RSA | 2048 bits | Generated internally | Plaintext | Stored in the module’s persistent memory. | Via zeroization service. | This is the public host key used for SSHv2 authentication
SSHv2 Diffie-Hellman Private Key | KAS-FFC | 2048 bits | Generated internally | N/A | Stored in dynamic memory. | Upon negotiation of shared secret | SSH Key Agreement
SSHv2 Diffie-Hellman Public Key | KAS-FFC | 2048 bits | Generated internally | Plaintext | Stored in dynamic memory | Upon negotiation of shared secret | SSH Key Agreement
SSHv2 Elliptic-Curve Diffie-Hellman Private Key | KAS-ECC | 256 bits, 384 bits, 521 bits | Generated internally | N/A | Stored in dynamic memory | Upon negotiation of shared secret | SSH Key Agreement
SSHv2 Elliptic-Curve Diffie-Hellman Public Key | KAS-ECC | P-256 (256 bits), P-384 (384 bits), P-521 (521 bits) | Generated internally | Plaintext | Stored in dynamic memory | Upon negotiation of shared secret | SSH Key Agreement
SSHv2 Encryption Key | AES-128-CBC, AES-256-CBC | 128 bits, 256 bits | Derived via the SP800-135 KDF | N/A | Ephemeral | Upon session re-key or termination. | This is the SSHv2 session key; used to encrypt SSHv2 data traffic
SSHv2 Authentication Key | HMAC-SHA1 | 160 bits | Derived via the SP800-135 KDF | N/A | Ephemeral | Upon session re-key or termination. | This is the SSHv2 authentication key; used to authenticate SSHv2 data traffic
snmpEngineID | Unique ID | 32-byte maximum length | Generated externally | Plaintext | Hardcoded, stored in the module’s persistent memory. | N/A | This is the SnmpEngineID as defined in RFC3411, used to identify the SNMP engine
SNMPv3 Auth Password | Password | 6 (or more) characters, a-z, A-Z, 0-9, or “!@#%^&*()” | Input into module encrypted (via SSH or TLS) | N/A | This password is stored in the module’s persistent memory (DB) in AES encrypted form | Via zeroization service. | Authentication for SNMPv3
SNMPv3 Privacy Password | Password | 6 (or more) characters, a-z, A-Z, 0-9, or “!@#%^&*()” | Input into module encrypted (via SSH or TLS) | N/A | This password is stored in the module’s persistent memory (DB) in AES encrypted form | Via zeroization service. | Privacy for SNMPv3
SNMPv3 Encryption Key | AES-128 CFB | 128 bits | Derived via the SP800-135 KDF | N/A | Ephemeral | Upon session re-key or termination. | Encryption for SNMPv3
SNMPv3 Authentication Key | HMAC-SHA-1-96 | 160 bits | Derived via the SP800-135 KDF | N/A | Ephemeral | Upon session re-key or termination. | Encryption for SNMPv3
TLS Diffie-Hellman Private Key | KAS-FFC | 2048 bits | Generated internally | N/A | Stored in dynamic memory. | Upon negotiation of shared secret | TLS Key Agreement
TLS Diffie-Hellman Public Key | KAS-FFC | 2048 bits | Generated internally | Plaintext | Stored in dynamic memory | Upon negotiation of shared secret | TLS Key Agreement
TLS Pre-master Secret | Key Material | 384 bits (RSA Key Transport), 2048 bits (KAS-FFC Key Agreement) | Entered into the module protected by RSA, or derived via KAS-FFC | N/A | Ephemeral | Upon completion of key derivation. | Used to derive TLS master secret
TLS Master Secret | Key Material | 48 bytes (384 bits) | Derived from pre-master secret | N/A | Ephemeral | Upon completion of key derivation. | Used to produce keys in TLS handshake
TLS Encryption Key | AES-128 CBC, AES-256 CBC | 128 bits, 256 bits | Derived via the SP800-135 KDF | N/A | Ephemeral | Upon session re-key or termination. | Used to encrypt traffic in TLS
TLS Authentication Key | HMAC-SHA-1 | 160 bits | Derived via the SP800-135 KDF | N/A | Ephemeral | Upon session re-key or termination. | Used to authenticate traffic in TLS
DNSSEC KSK Private Key | RSA Private Key | 2048 bits, 3072 bits, 4096 bits | Generated Internally | N/A | Stored in persistent memory | Via zeroization service. | Used to sign all DNSKEY records
DNSSEC KSK Public Key | RSA Public Key (with SHA-256 or SHA-512 signatures) | 2048 bits, 3072 bits, 4096 bits | Generated Internally | Plaintext | Stored in persistent memory | Via zeroization service. | Used to sign all DNSKEY records
DNSSEC ZSK Private Key | RSA Private Key | 2048 bits, 3072 bits, 4096 bits | Generated Internally | N/A | Stored in persistent memory | Via zeroization service. | Used to sign each RRset in a zone
DNSSEC ZSK Public Key | RSA Public Key (with SHA-256 or SHA-512 signatures) | 2048 bits, 3072 bits, 4096 bits | Generated Internally | Plaintext | Stored in persistent memory | Via zeroization service. | Used to sign each RRset in a zone
HMAC DRBG entropy input | | 2400-bit entropy input for DRBG Cert. #A2503[7], 256-bit for DRBG Cert. #A2507[8] | Generated by the module’s Entropy Source | N/A | Ephemeral | Upon reseed and shutdown. | Random Number Generation
HMAC DRBG seed | Seed | 440-bits | Derived via the SP800-90A Mechanisms | N/A | Ephemeral | Upon reseed and shutdown. | DRBG Seed
HMAC DRBG V | Internal State Value | 256 bits | Derived via the SP800-90A Mechanisms | N/A | Ephemeral | Upon reseed and shutdown. | DRBG Internal State
HMAC DRBG Key | Internal State Value | 256 bits | Derived via the SP800-90A Mechanisms | N/A | Ephemeral | Upon reseed and shutdown. | Random Number Generation
GSS-TSIG Encryption Key | AES-128-CTS, AES-256-CTS Kerberos Key | 128 bits, 256 bits | Generated externally. Input into module encrypted (via TLS) | Output encrypted (via TLS) | Stored encrypted in persistent memory. | Via zeroization service. | Used for Secure DDNS Updates
GSS-TSIG Authentication Key | HMAC-SHA-1-96 Kerberos Key | 160 bits | Generated externally. Input into module encrypted (via TLS) | Output encrypted (via TLS) | Stored encrypted in persistent memory. | Via zeroization service. | Used for Secure DDNS Updates
Key Encryption Key (KEK) | AES-128-CBC key | 128 bits | Generated internally | N/A | Stored in persistent memory. | Via zeroization service. | Used for encrypting database keys.

Table 16 Cryptographic Keys and CSPs

[5] For all keys marked as “generated internally”, the resulting symmetric key or the generated seed to be used in the asymmetric key generation is an unmodified output from the DRBG unless otherwise noted.
[6] Keys/CSPs generated in FIPS mode cannot be used in non-FIPS mode and vice-versa.
[7] The module’s entropy source, ENT (NP), provides an estimated 58 bits of entropy per 64-bit output. DRBG Cert. #A2503 requests 2400-bits of output from the ENT (NP). Therefore, DRBG Cert. #A2503 is seeded with at least 2175 bits of entropy and fully seeded.
[8] DRBG Cert. #A2507 requests 256-bits of entropy output from DRBG Cert. #A2503, which is considered a vetted conditioner providing full entropy per FIPS 140-2 IG 7.19.

9. Self-Tests
Output via the Data Output interface is inhibited during the performance of self-tests. The module enters the error state upon any self-test failure. The following self-tests are executed automatically without any need for input or actions from the user.

9.1. Power-on Self-Tests
The results of the power-on self-tests are output via the console and to the system syslog.
● Integrity Test
● SHA-1 Known Answer Test
● HMAC-SHA-1/256/384/512 Known Answer Tests
● AES ECB encrypt / decrypt Known Answer Test (128-bit key)
● RSA sign / verify Known Answer Test (2048-bit key, PKCS #1 v1.5 with SHA-256)
● ECDSA sign / verify Known Answer Test (P-256 with SHA-256)
● HMAC_DRBG w/ SHA-256 Known Answer Tests (Instantiate, Reseed, Generate)[9]
● Primitive “Z” Computation Known Answer Test for KAS-FFC
● Primitive “Z” Computation Known Answer Test for KAS-ECC
● SP 800-90B Startup Health Tests (Repetition Count Test and Adaptive Proportion Test)
● SP 800-135 TLS 1.0/1.1 KDF Known Answer Test
● SP 800-135 TLS 1.2 KDF Known Answer Test
● SP 800-135 SSH KDF Known Answer Test

9.2. Conditional Self-Tests
● Continuous Random Number Generator Test (CRNGT) on the SP800-90A HMAC_DRBG w/ SHA-256
● Health Tests (Instantiate, Reseed, Generate) on the SP800-90A HMAC_DRBG’s w/ SHA-256
● SP800-90B Health Tests (Repetition Count Test and Adaptive Proportion Test)
● ECDSA Pair-wise Consistency Test
● RSA Pair-wise Consistency Test
● KAS-FFC Pair-wise Conditional Test
● KAS-ECC Pair-wise Conditional Test
● Conditional Tests for Assurances (as specified in SP800-56A Sections 5.5.2, 5.6.2 and 5.6.3)
● Firmware Load Test

9.3. Critical Functions Tests
● Memory test – All memory is tested and isolated faulty memory is disabled

[9] Tested for DRBG Certs. #A2503 and #A2507

A. Appendices
Table of Acronyms:

Acronym | Definition
--- | ---
8N1 | Eight Data Bits, No Parity Bit, One Stop Bit
AC | Alternating Current
AES | Advanced Encryption Standard
CA | Certificate Authority
CVL | Component Validation List
DB9/DB-9 | D-Subminiature 9
DC | Direct Current
DDI | DNS, DHCP, and IPAM
DHCP | Dynamic Host Configuration Protocol
DNS | Domain Name System
DRBG | Deterministic Random Bit Generator
DSA | Digital Signature Algorithm
DTC | DNS Traffic Control
ECDSA | Elliptic Curve Digital Signature Algorithm
EMI | Electromagnetic Interference
EMC | Electromagnetic Compatibility
FIPS | Federal Information Processing Standard
FTP | File Transfer Protocol
HA | High Availability
HMAC | Hash-based Message Authentication Code
HSM | Hardware Security Module
IKE | Internet Key Exchange
IP | Internet Protocol
IPAM | Internet Protocol Address Management
IPMI | Intelligent Platform Management Interface
IPsec | Internet Protocol Security
KAS | Key Agreement Scheme
KDF | Key Derivation Function
LAN | Local Area Network
LBDN | Load Balanced Domain Name
LDAP | Lightweight Directory Access Protocol
LCD | Liquid-Crystal Display
LOM | Lights-Out Management
MAC | Media Access Control
MD5 | Message Digest 5
MGMT | Management
NEBS | Network Equipment-Building System
NDRNG | Non-Deterministic Random Number
Generator PKI Public Key Infrastructure PRNG Pseudo-Random Number Generator PSU Power Supply Unit RADIUS Remote Authentication Dial-In User Service RAID Redundant Array of Independent Disks RC4 Rivest Cipher 4 RSA Rivest, Shamir and Adleman (cryptosystem) SAML Security Assertion Markup Language SHA Secure Hash Algorithm SHS Secure Hash Standard SNMP Simple Network Management Protocol Infoblox Trinzic DDI Appliances | FIPS 140-2 Non-Proprietary Security Policy 45 SSH Secure Shell TACACS+ Terminal Access Controller Access-Control System TLS Transport Layer Security TFTP Trivial File Transfer Protocol USB Universal Serial Bus VAC Voltage in Alternating Current XOFF Pause Transmission XON Resume Transmission © 2023 Infoblox Inc. All rights reserved. This material may be reproduced in its entirety, without modification, and freely distributed in written or electronic form. Permission is required for any other use. Corporate Headquarters: +1.408.986.4000 | 1.866.463.6256 (toll-free, U.S. and Canada) | info@infoblox.com | www.infoblox.com
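Added example, not taken from this policy or from the Infoblox firmware: an HMAC_DRBG with SHA-256 following SP 800-90A section 10.1.2, showing the 256-bit V and Key state listed in Table 16, the chained seeding described in footnotes 7 and 8, a CRNGT on consecutive output blocks, and zeroization of the state. The class and function names are hypothetical; the reseed counter, personalization string and additional input of SP 800-90A are outside its scope, and the caller supplies the entropy-source output.

```python
import hashlib
import hmac

OUTLEN = 32  # SHA-256 output length: V and Key are 256 bits each, as in Table 16


class HmacDrbg:
    """HMAC_DRBG (SHA-256) per SP 800-90A 10.1.2; hypothetical class, not module code."""

    def __init__(self, entropy_input: bytes, nonce: bytes = b""):
        self.key = bytearray(OUTLEN)          # Key starts as 0x00 * outlen
        self.v = bytearray(b"\x01" * OUTLEN)  # V starts as 0x01 * outlen
        self._last_block = None               # previous output block, kept for the CRNGT
        self._update(entropy_input + nonce)

    def _hmac(self, data: bytes) -> bytes:
        return hmac.new(bytes(self.key), data, hashlib.sha256).digest()

    def _update(self, provided: bytes = b"") -> None:
        for sep in (b"\x00", b"\x01"):
            self.key[:] = self._hmac(bytes(self.v) + sep + provided)
            self.v[:] = self._hmac(bytes(self.v))
            if not provided:
                break  # the second pass only runs when data was provided

    def reseed(self, entropy_input: bytes) -> None:
        self._update(entropy_input)

    def generate(self, nbytes: int) -> bytes:
        out = b""
        while len(out) < nbytes:
            self.v[:] = self._hmac(bytes(self.v))
            if bytes(self.v) == self._last_block:  # CRNGT: block equals the previous one
                raise RuntimeError("CRNGT failure: enter error state")
            self._last_block = bytes(self.v)
            out += self._last_block
        self._update()
        return out[:nbytes]

    def zeroize(self) -> None:
        self.key[:] = bytes(OUTLEN)  # overwrite the state in place
        self.v[:] = bytes(OUTLEN)
        self._last_block = None


def credited_entropy_bits(requested_bits: int, per_64: int = 58) -> int:
    """Entropy credited to raw ENT (NP) output at 58 bits per 64-bit output (footnote 7)."""
    return requested_bits * per_64 // 64


def build_chain(ent_np_output: bytes):
    """Seed one DRBG from 2400 bits of entropy-source output, a second from 256 bits of the first."""
    if len(ent_np_output) * 8 != 2400:
        raise ValueError("expected 2400 bits of entropy-source output")
    root = HmacDrbg(ent_np_output)
    return root, HmacDrbg(root.generate(32))
```

A production known-answer test would compare `generate` output against published CAVP vectors for the same inputs; none are embedded here.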