SonicWall, Inc. SonicWALL TZ 300/TZ 300W, TZ 400/TZ 400W, TZ 500/TZ 500W, TZ 600, SOHOW, SM 9200, SM 9400, SM 9600 and NSₐ 2650, NSₐ 3600, NSₐ 3650, NSₐ 4600, NSₐ 4650, NSₐ 5600, NSₐ 5650, NSₐ 6600, NSₐ 6650, NSₐ 9250, NSₐ 9450, NSₐ 9650 Non-Proprietary FIPS 140-2 Security Policy Document Version: 1.1 Date: November 13th, 2018 Level 2 SonicWALL FIPS 140-2 Security Policy Copyright SonicWall, Inc., 2018 Version 1.1 Page 2 of 50 SonicWall, Inc. Public Material – May be reproduced only in its original entirety (without revision). Copyright Notice Copyright © 2018 SonicWall, Inc. Public Material May be reproduced only in its original entirety (without revision). SonicWALL FIPS 140-2 Security Policy Copyright SonicWall, Inc., 2018 Version 1.1 Page 3 of 50 SonicWall, Inc. Public Material – May be reproduced only in its original entirety (without revision). Table of Contents 1. Introduction ..................................................................................................................6 1.1 Module Description and Cryptographic Boundary ......................................................................8 1.2 Ports and Interfaces .....................................................................................................................8 1.3 Modes of Operation...................................................................................................................24 1.3.1 FIPS 140-2 Approved mode of Operation.....................................................................................24 1.3.2 Non-Approved mode of Operation...............................................................................................25 2. Cryptographic Functionality ......................................................................................... 25 1.3.3 Non-Approved Algorithms with No Security Claimed ..................................................................30 2.1 Critical Security Parameters.......................................................................................................30 2.2 Public Keys..................................................................................................................................31 3. Roles, Authentication and Services .............................................................................. 31 3.1 Assumption of Roles...................................................................................................................31 3.2 Authentication Methods............................................................................................................32 3.3 Services.......................................................................................................................................33 3.3.1 User Role Services.........................................................................................................................33 3.3.2 Crypto Officer Services..................................................................................................................34 3.3.3 Unauthenticated services .............................................................................................................35 4. Self-tests ..................................................................................................................... 40 5. Physical Security Policy................................................................................................ 41 6. Operational Environment ............................................................................................ 47 7. Mitigation of Other Attacks Policy................................................................................ 47 8. Security Rules and Guidance ........................................................................................ 47 9. References and Definitions .......................................................................................... 48 SonicWALL FIPS 140-2 Security Policy Copyright SonicWall, Inc., 2018 Version 1.1 Page 4 of 50 SonicWall, Inc. Public Material – May be reproduced only in its original entirety (without revision). List of Tables Table 1 – Cryptographic Module List ............................................................................................................6 Table 2 – Security Level of Security Requirements.......................................................................................7 Table 3 – Front Panel Ports and Interfaces for TZ 300/TZ 300W, TZ 400/TZ 400W, TZ 500/TZ 500W, TZ 600 and SOHOW models.............................................................................................................................11 Table 4 – Front Panel Ports and Interfaces for SM9200/SM 9400/SM 9600..............................................12 Table 5 – Back Panel Ports and Interfaces for SM 9200/SM 9400/SM 9600..............................................14 Table 6 – Front Panel Ports and Interfaces for NSa 6600/NSa 5600/NSa 4600/NSa 3600 mapped to Figures 5 and 7 ........................................................................................................................................................15 Table 7 - Back Panel Ports and Interfaces for NSa 6600/NSa 5600/NSa 4600/NSa 3600 mapped to Figures 6 and 7 ........................................................................................................................................................16 Table 8 – Front Panel Ports and Interfaces for NSa 2650/NSa 3650/NSa 4650/NSa 5650/NSa 6650...........20 Table 9 - Back Panel Ports and Interfaces for NSa 2650/3650/4650/5650 mapped to Figure 8 ................21 Table 10 - NSa 9250/NSa 9450/NSa 9650 Front Panel ports and interfaces mapped to Figure 9 ...............22 Table 11 - Back Panel Ports and Interfaces for NSa 9250/NSa 9450/NSa 9650 mapped to Figures 10.......23 Table 12 – Approved Algorithms ................................................................................................................25 Table 13 - Non-Approved but Allowed Cryptographic Functions...............................................................29 Table 14 - Security Relevant Protocols Used in FIPS Mode ........................................................................29 Table 15 – Role Description ........................................................................................................................31 Table 16 – Authentication Description .......................................................................................................32 Table 17 – Authenticated Services..............................................................................................................35 Table 18 – Unauthenticated Services .........................................................................................................35 Table 19 – Security Parameters Access Rights within Services and CSPs...................................................36 Table 20 – Security Parameters Access Rights within Services and Public Keys.........................................38 Table 21 - References..................................................................................................................................48 Table 22 – Acronyms and Definitions .........................................................................................................49 SonicWALL FIPS 140-2 Security Policy Copyright SonicWall, Inc., 2018 Version 1.1 Page 5 of 50 SonicWall, Inc. Public Material – May be reproduced only in its original entirety (without revision). List of Figures Figure 1 – TZ Series Ports............................................................................................................................10 Figure 2 – SOHOW Physical Ports ...............................................................................................................11 Figure 3– Super Massive Front Panel SM9200/SM 9400/SM 9600............................................................12 Figure 4 - Super Massive Back Panel for SM9200/SM 9400/SM 9600 .......................................................14 Figure 5 – NSa 6600 Front Panel .................................................................................................................15 Figure 6 – NSa 6600 Back Panel...................................................................................................................16 Figure 7 – NSa 5600/NSa 4600/NSa 3600 Front and Back Panel..................................................................17 Figure 8 - NSa 9250/NSa 9450/NSa 9650 Front Panel..................................................................................22 Figure 9 - NSa 9250/NSa 9450/NSa 9650 Back Panel...................................................................................23 Figure 10: SOHOW (Left).............................................................................................................................41 Figure 11: SOHOW (Right)...........................................................................................................................42 Figure 12: TZ 300 (Top, Left).......................................................................................................................42 Figure 13: TZ 400 (Top, Left) .......................................................................................................................42 Figure 14: TZ 500 (Top, Left) .......................................................................................................................42 Figure 15: TZ 600 (Top, Left) .......................................................................................................................42 Figure 16: TZ 400 Right, Bottom View ........................................................................................................43 Figure 17: TZ 500 Right, Bottom View ........................................................................................................43 Figure 18: TZ 300 Right, Bottom View ........................................................................................................43 Figure 19: TZ 600 Right, Bottom View ........................................................................................................43 Figure 20: NSa 6600/NSa 5600/NSa 4600/NSa 3600 Front and Back Seals..................................................44 Figure 21: SM 9600/SM 9400/SM 9200......................................................................................................45 Figure 22: NSa 2650/NSa 3650/NSa 4650/NSa 5650 Tamper Evident Seal placement................................46 Figure 23: NSa 6650/NSa 9250/NSa 9450/NSa 9650 Front and Rear Panels and Tamper Evident Seal placement...................................................................................................................................................47 SonicWALL FIPS 140-2 Security Policy Copyright SonicWall, Inc., 2018 Version 1.1 Page 6 of 50 SonicWall, Inc. Public Material – May be reproduced only in its original entirety (without revision). 1. Introduction This document defines the Security Policy for the SonicWALL TZ 300/300W, 400/400W, 500/500W, 600, SOHOW, SM 9200, 9400, 9600, NSA 3600, 4600, 5600, 6600, NSa 2650, 3650, 4650, 5650, 6650, 9250, 9450, 9650 models, hereafter denoted the Module. The Module is an Internet security appliance, which provides stateful packet filtering firewall, deep packet inspection, virtual private network (VPN), and traffic shaping services. The Module is a multiple-chip standalone cryptographic module, in 23 configurations with hardware part numbers and versions as follows: Table 1 – Cryptographic Module List Module Hardware P/N and Version Firmware Version 1 SOHOW 101-500410-54 Rev. E SonicOS v6.5.2 2 TZ 300 101-500403-55 Rev. F SonicOS v6.5.2 3 TZ 300W 101-500404-54 Rev. E SonicOS v6.5.2 4 TZ 400 101-500405-55 Rev. F SonicOS v6.5.2 5 TZ 400W 101-500406-54 Rev. E SonicOS v6.5.2 6 TZ 500 101-500411-56 Rev. G SonicOS v6.5.2 7 TZ 500W 101-500412-55 Rev. F SonicOS v6.5.2 8 TZ 600 101-500413-56 Rev. G SonicOS v6.5.2 9 NSa 2650 101-500452-50 Rev. A SonicOS v6.5.2 10 NSa 3600 101-500459-54 Rev. E SonicOS v6.5.2 11 NSa 3650 101-500514-50 SonicOS v6.5.2 12 NSa 4600 101-500458-54 Rev. E SonicOS v6.5.2 13 NSa 4650 101-500451-50 SonicOS v6.5.2 14 NSa 5600 101-500457-54 Rev. E SonicOS v6.5.2 15 NSa 5650 101-500517-50 SonicOS v6.5.2 16 NSa 6600 101-500456-54 Rev. E SonicOS v6.5.2 17 SM 9200 101-500455-54 Rev. E SonicOS v6.5.2 18 SM 9400 101-500454-54 Rev. E SonicOS v6.5.2 19 SM 9600 101-500453-54 Rev. E SonicOS v6.5.2 20 NSa 6650 101-5005518-50 Rev A SonicOS v6.5.2 21 NSa 9250 101-500520-50 Rev A SonicOS v6.5.2 22 NSa 9450 101-500519-50 Rev A SonicOS v6.5.2 23 NSa 9650 101-500449-50 Rev A SonicOS v6.5.2 SonicWALL FIPS 140-2 Security Policy Copyright SonicWall, Inc., 2018 Version 1.1 Page 7 of 50 SonicWall, Inc. Public Material – May be reproduced only in its original entirety (without revision). The Module firmware version for all models is SonicOS v6.5.2. Note that the different hardware versions vary only in form factor, CPU, number of ports, presence of wireless interfaces, and memory. The Module is intended for use by US Federal agencies and other markets that require FIPS 140-2 validated cryptographic modules. The appliance Encryption technology uses Suite B algorithms. Suite B algorithms are approved by the U.S. government for protecting both Unclassified and Classified data. The FIPS 140-2 security levels for the Module are as follows: Table 2 – Security Level of Security Requirements Security Requirement Security Level Cryptographic Module Specification 3 Cryptographic Module Ports and Interfaces 2 Roles, Services, and Authentication 2 Finite State Model 2 Physical Security 2 Operational Environment N/A Cryptographic Key Management 2 EMI/EMC 2 Self-Tests 2 Design Assurance 3 Mitigation of Other Attacks N/A Overall 2 The overall FIPS validation level for the module is Security Level 2. SonicWALL FIPS 140-2 Security Policy Copyright SonicWall, Inc., 2018 Version 1.1 Page 8 of 50 SonicWall, Inc. Public Material – May be reproduced only in its original entirety (without revision). 1.1 Module Description and Cryptographic Boundary The physical form of the Module is depicted in Figure 1 through Figure 10. The Module is a multi-chip standalone embodiment. The cryptographic boundary is the surfaces and edges of the device enclosure, inclusive of the physical ports. 1.2 Ports and Interfaces The Module’s ports and associated FIPS defined logical interface categories are listed in the tables in this section. The images in Figure 1 and Figure 2 depict the physical ports for TZ 300/TZ 300W, TZ 400/TZ 400W, TZ 500/TZ 500W, TZ 600, and SOHOW. SonicWALL FIPS 140-2 Security Policy Copyright SonicWall, Inc., 2018 Version 1.1 Page 9 of 50 SonicWall, Inc. Public Material – May be reproduced only in its original entirety (without revision). TZ 300W Physical Ports TZ 400W Physical Ports TZ 500W Physical Ports TZ 600 Physical Ports SonicWALL FIPS 140-2 Security Policy Copyright SonicWall, Inc., 2018 Version 1.1 Page 10 of 50 SonicWall, Inc. Public Material – May be reproduced only in its original entirety (without revision). TZ 300 Physical Ports TZ 400 Physical Ports TZ 500 Physical Ports Figure 1 – TZ Series Ports SonicWALL FIPS 140-2 Security Policy Copyright SonicWall, Inc., 2018 Version 1.1 Page 11 of 50 SonicWall, Inc. Public Material – May be reproduced only in its original entirety (without revision). Figure 2 – SOHOW Physical Ports Table 3 describes the physical ports (mapped to the figures above) and corresponding logical interfaces. Table 3 – Front Panel Ports and Interfaces for TZ 300/TZ 300W, TZ 400/TZ 400W, TZ 500/TZ 500W, TZ 600 and SOHOW models Physical Ports Qty. Description Logical Interfaces Front Panel Status LEDs Varies TZ 300W/TZ 400W/TZ 500W/SOHO-W – 6 status LEDs TZ 300/TZ 400/TZ 500 – 4 status LEDs (No wireless) TZ 600- 5 status LEDs Power: Indicate module is receiving power. Test: Indicates module is initializing and performing self- tests. Service: Unused; for future use Wireless: Unused in Approved mode. M0: Expansion Module (Only for TZ 600) Status output Ethernet LEDs 2/port Ethernet activity: 10/100 activity (top); 1G activity (bottom) Status output USB Varies TZ 300/TZ 300W/TZ 400/TZ 400W/SOHOW – 1 USB TZ 500/TZ 500W/TZ 600 – 2 USB Allows the attachment of an external device. Security N/A SonicWALL FIPS 140-2 Security Policy Copyright SonicWall, Inc., 2018 Version 1.1 Page 12 of 50 SonicWall, Inc. Public Material – May be reproduced only in its original entirety (without revision). Physical Ports Qty. Description Logical Interfaces Guidance is “not to be used in FIPS Mode” Rear Panel Reset Button 1 Used to manually reset the appliance to Safe Mode. (Not functional on TZ 600) Control input Power Interface 1 AC power interfaces Power Console 1 Serial console (local) interface. Control In, Status Out Ethernet Interfaces Varies TZ 300/TZ 300W (Qty 5) TZ 400/TZ 400W (Qty 7) TZ 500/TZ 500W (Qty 8) TZ 600 (Qty 10) Control In, Status Out, Data input, Data output Antenna Connectors 3 For Antennas (TZ 300W, TZ400W, TZ500W models only; unused in Approved mode) N/A Expansion 1 (TZ 600 only) Expansion connector, unused, disconnected internally. N/A Figure 3 shows the locations of the physical ports on the front of the SM 9200, SM 9400, and SM 9600. Figure 3– Super Massive Front Panel SM9200/SM 9400/SM 9600 Table 4 describes the physical ports (mapped to Figure 3) and corresponding logical interfaces. Table 4 – Front Panel Ports and Interfaces for SM9200/SM 9400/SM 9600 Physical Ports Qty. Description Logical Interfaces LCD display 1 LCD status display Status output LCD controls 4 Controls for scrolling thru the LCD display options Control input, status output SonicWALL FIPS 140-2 Security Policy Copyright SonicWall, Inc., 2018 Version 1.1 Page 13 of 50 SonicWall, Inc. Public Material – May be reproduced only in its original entirety (without revision). Physical Ports Qty. Description Logical Interfaces Serial Console Interface 1 DB-9/RJ-45 serial connector. Provides a serial console which can be used for basic administration functions. Data input, control input and status output Control input and status output USB Interfaces 2 Allows the attachment of an external device. Security Guidance is “not to be used in FIPS Mode” N/A Reset (Safe Mode) Button Interface 1 Used to manually reset the appliance to Safe Mode. Control input Status LED Interface 6 Power LEDs: Indicate module is receiving power. Test LED: Indicates module is initializing and performing self-tests. Alarm LED: Indicates alarm condition. M0: Indicates expansion module LAN Bypass LED: Indicates LAN bypass mode Status output Secure Digital High Capacity Port 1 Currently not used and does not provide any service or function. N/A Ethernet Management Interface 1 1Gbps RJ45 interface labeled as MGMT, includes LINK and ACT LEDs Management interface is solely used for Outband management of the device. The management interface provides dedicated access for the system administration via HTTP/HTTPS/SSH/SNMP and is not shared with other types of network traffic. Control In, Status Out, data input and data output Ethernet Interfaces 8 10/100/1000 auto-sensing with an RJ-45/SX/SC multimode fiber connector. Labeled X#..., LAN/WAN/…. Each Ethernet interface includes LINK and ACT LEDs. Data input, data output, status output, and control input (via the external GUI Administration interface) Ethernet hot- pluggable SFP 8 1GbE SFP interfaces supporting RJ-45/SX/SC multimode fiber connector with LINK and ACT LEDs. Data input, data output, status output, and control input (via the external GUI Administration interface) SonicWALL FIPS 140-2 Security Policy Copyright SonicWall, Inc., 2018 Version 1.1 Page 14 of 50 SonicWall, Inc. Public Material – May be reproduced only in its original entirety (without revision). Physical Ports Qty. Description Logical Interfaces Ethernet 10GE hot- pluggable SFP+ 4 10GbE SFP+ interfaces with LINK and ACT LEDs Data input, data output, status output, and control input (via the external GUI Administration interface) Figure 4 shows the locations of the physical ports on the back of the Super Massive modules. Figure 4 - Super Massive Back Panel for SM9200/SM 9400/SM 9600 Table 5 describes the physical ports (mapped to Figure 4) and corresponding logical interfaces. Table 5 – Back Panel Ports and Interfaces for SM 9200/SM 9400/SM 9600 Physical Ports Qty. Description Logical Interfaces Power Interface 2 AC power interfaces Power Expansion Bay 1 Currently not used and does not provide any service or function. N/A Fan Interface 2 Dual removable fan components N/A Figure 5 shows the locations of the physical ports on the front of the NSa 6600 module. SonicWALL FIPS 140-2 Security Policy Copyright SonicWall, Inc., 2018 Version 1.1 Page 15 of 50 SonicWall, Inc. Public Material – May be reproduced only in its original entirety (without revision). Figure 5 – NSa 6600 Front Panel Table 6 – Front Panel Ports and Interfaces for NSa 6600/NSa 5600/NSa 4600/NSa 3600 mapped to Figures 5 and 7 Physical Ports Qty. Description Logical Interfaces Serial Console Interface 1 DB-9/RJ-45 serial connector. Provides a serial console which can be used for basic administration functions. Data input, control input and status output Control input and status output only USB Interfaces 2 Allows the attachment of an external device. Security Guidance is “not to be used in FIPS Mode” N/A Reset (Safe Mode) Button Interface 1 Used to manually reset the appliance to Safe Mode. Control input Status LED Interface Varies Power LED: Indicate module is receiving power. Test LED: Indicates module is initializing and performing self-tests. Alarm LED: Indicates alarm condition. M0: Indicates expansion module Bypass Status LED: Only on the NSa 6600 Status output Secure Digital High Capacity Port 1 Currently not used and does not provide any service or function. N/A Ethernet Management Interface 1 1Gbps RJ45 interface labeled as MGMT, includes LINK and ACT LEDs Management interface is solely used for Outband management of the device. The management interface provides dedicated Control In, Status Out, Data input, Data output SonicWALL FIPS 140-2 Security Policy Copyright SonicWall, Inc., 2018 Version 1.1 Page 16 of 50 SonicWall, Inc. Public Material – May be reproduced only in its original entirety (without revision). Physical Ports Qty. Description Logical Interfaces access for the system administration via HTTP/HTTPS/SSH/SNMP and is not shared with other types of network traffic. Ethernet Interfaces Varies NSa 6600: 8 x 1Gbe Eth interfaces NSa 5600/NSa 4600/NSa 3600: 12 x 1Gbe Eth interfaces 10/100/1000 auto-sensing with an RJ-45/SX/SC multimode fiber connector. Labeled X#..., LAN/WAN/…. Each Ethernet interface includes LINK and ACT LEDs. Data input, data output, status output, and control input (via the external GUI Administration interface) Ethernet hot- pluggable SFP Varies NSa 6600: 8 x 1Gbe SFP ports NSa 5600/NSa 4600/NSa 3600: 4 x 1Gbe SFP ports 1GbE SFP interfaces supporting RJ-45/SX/SC multimode fiber connector with LINK and ACT LEDs. Data input, data output, status output, and control input (via the external GUI Administration interface) Ethernet 10GE hot- pluggable SFP Varies NSa 6600: 4 x 10Gbe SFP+ interfaces NSa 5600/NSa 4600/NSa 3600: 2 x 10Gbe SFP+ interfaces 10GbE SFP+ interfaces with LINK and ACT LEDs Data input, data output, status output, and control input (via the external GUI Administration interface) Figure 6 – NSa 6600 Back Panel Table 7 - Back Panel Ports and Interfaces for NSa 6600/NSa 5600/NSa 4600/NSa 3600 mapped to Figures 6 and 7 Physical Ports Qty. Description Logical Interfaces Power Interface 1 AC power interfaces Power Expansion Bay 1 Currently not used and does not provide any service or function. N/A SonicWALL FIPS 140-2 Security Policy Copyright SonicWall, Inc., 2018 Version 1.1 Page 17 of 50 SonicWall, Inc. Public Material – May be reproduced only in its original entirety (without revision). Physical Ports Qty. Description Logical Interfaces Fan Interface 2 Dual hot swappable fans (NSa 6600) Dual Fans (NSa 5600/NSa 4600/NSa 3600) N/A Figure 7 – NSa 5600/NSa 4600/NSa 3600 Front and Back Panel SonicWALL FIPS 140-2 Security Policy Copyright SonicWall, Inc., 2018 Version 1.1 Page 18 of 50 SonicWall, Inc. Public Material – May be reproduced only in its original entirety (without revision). NSa 4650 front Panel NSa 3650 Front Panel NSa 2650 Front Panel SonicWALL FIPS 140-2 Security Policy Copyright SonicWall, Inc., 2018 Version 1.1 Page 19 of 50 SonicWall, Inc. Public Material – May be reproduced only in its original entirety (without revision). NSa 6650 Front Panel NSa 5650 Front Panel NSa 4650/NSa 5650/NSa 6650 Back Panel SonicWALL FIPS 140-2 Security Policy Copyright SonicWall, Inc., 2018 Version 1.1 Page 20 of 50 SonicWall, Inc. Public Material – May be reproduced only in its original entirety (without revision). Figure 8 - NSa 2650/NSa 3650/NSa 4650/NSa 5650/NSa 6650 Front and Back Panels Table 8 describes the physical ports (mapped in Figure 8) and corresponding logical interfaces for NSa2650/NSa 3650/NSa 4650/NSa 5650/NSa 6650 Table 8 – Front Panel Ports and Interfaces for NSa 2650/NSa 3650/NSa 4650/NSa 5650/NSa 6650 Physical Ports Qty. Description Logical Interfaces Console 1 DB-9/RJ-45 serial connector. Provides a serial console which can be used for basic administration functions. Data input, control input , status output. Control input and status output only USB 2 Allows the attachment of an external device. Security Guidance is “not to be used in FIPS Mode” N/A Reset (SafeMode) Button 1 Used to manually reset the appliance to Safe Mode. Control input Status LEDs Varies 2 Power LEDs: Indicate module is receiving power. Test LED: Indicates module is initializing and performing self-tests. Alarm LED: Indicates alarm condition. M0/M1: Expansion Module activity LAN Bypass LED: Only in NSa 4650/NSa 5650/NSa 6650 Status output MGMT 1 1Gbps RJ45 isolated out-of-band management (MGMT) port, with integral LINK and ACT LEDs Control input, status output, data input and data output NSa 2650/NSa 3650 Back Panel SonicWALL FIPS 140-2 Security Policy Copyright SonicWall, Inc., 2018 Version 1.1 Page 21 of 50 SonicWall, Inc. Public Material – May be reproduced only in its original entirety (without revision). Physical Ports Qty. Description Logical Interfaces Ethernet [1GE] Varies NSa 2650/NSa 3650: 12 x 1Gb Ethernet interfaces NSa 4650/NSa 5650: 16 x 1Gb Ethernet interfaces NSa 6650: 8 x 1Gb Ethernet Interfaces 10/100/1000 auto-sensing with an RJ-45/SX/SC multimode fiber connector. Labeled X#..., LAN/WAN/…. Each Ethernet interface includes LINK and ACT LEDs. Data input, data output, status output, control input Ethernet [1/2.5 GE] Varies NSa 6650: 8 x 1/2.5 Gb Ethernet Interfaces NSa 2650/NSa 3650/NSa 4650/NSa 5650: 4 x 1 / 2.5 Gb Ethernet Interfaces 1/2.5G auto-sensing with an RJ-45. Labeled X#..., LAN/WAN/…. Each Ethernet interface includes LINK and ACT LEDs. Data input, data output, status output, control input 1/2.5 GE SFP Varies NSa 2650/NSa 4650/NSa 5650/NSa 6650: 4x 1/2.5 Gb Ethernet interfaces NSa 3650: 8 x 1/2.5Gb Ethernet interfaces 1Gb Ethernet hot-pluggable SFP interfaces supporting RJ-45/SX/SC multimode fiber connector with LINK and ACT LEDs. Data input, data output, status output, control input 10/5/2.5 GE SFP+ 2 NSa 2650 : 0 NSa 3650/NSa 4650/NSa 5650:2 x 10/5/2.5G SFP+ interfaces NSa 6650: 6 x 10/5/2/5G SFP+ interfaces 10Gb Ethernet hot-pluggable SFP+ interfaces with LINK and ACT LEDs Data input, data output, status output, control input 10/5/2.5 GE copper Ports 2 NSa 2650/NSa 3650/NSa 4650: 0 NSa 5650: 2 x 10/5/2.5Gb copper Ethernet interfaces 10/5/2.5 Gb copper Ethernet auto-sensing with an RJ- 45. Labeled X#..., LAN/WAN/…. Each Ethernet interface includes LINK and ACT LEDs. Data input, data output, status output, control input Power 1 AC power input and switch Power Table 9 - Back Panel Ports and Interfaces for NSa 2650/3650/4650/5650 mapped to Figure 8 Physical Ports Qty. Description Logical Interfaces Power Interface 1 AC power interfaces Power Redundant power 1 Slot for redundant power supply Power Storage module 1 M0 storage module (covered by a tamper evident seal) Storage Expansion Bay for storage 1 Currently not used and does not provide any service or function. N/A SonicWALL FIPS 140-2 Security Policy Copyright SonicWall, Inc., 2018 Version 1.1 Page 22 of 50 SonicWall, Inc. Public Material – May be reproduced only in its original entirety (without revision). Physical Ports Qty. Description Logical Interfaces Fan Interface 2 Dual hot swappable fans (4650/5650/6650) Dual Fans (2650/3650) N/A Figure 8 - NSa 9250/NSa 9450/NSa 9650 Front Panel Table 10 - NSa 9250/NSa 9450/NSa 9650 Front Panel ports and interfaces mapped to Figure 9 Physical Ports Qty. Description Logical Interfaces LCD display 1 LCD status display Status output LCD controls 4 Controls for scrolling thru the LCD display options Control input, status output Console 1 DB-9/RJ-45 serial connector. Provides a serial console which can be used for basic administration functions. Data input, control input , status output. Control input and status output only USB 2 Allows the attachment of an external device. Security Guidance is “not to be used in FIPS Mode” N/A Reset (SafeMode) Button 1 Used to manually reset the appliance to Safe Mode. Control input Status LEDs 7 2 Power LEDs: Indicate module is receiving power. Test LED: Indicates module is initializing and performing self-tests. Alarm LED: Indicates alarm condition. M0/M1: Expansion Module activity Status output SonicWALL FIPS 140-2 Security Policy Copyright SonicWall, Inc., 2018 Version 1.1 Page 23 of 50 SonicWall, Inc. Public Material – May be reproduced only in its original entirety (without revision). Physical Ports Qty. Description Logical Interfaces LAN Bypass LED: Indicates LAN bypass mode MGMT 1 1Gbps RJ45 isolated out-of-band management (MGMT) port, with integral LINK and ACT LEDs Control input, status output, data input and data output Ethernet [1GE] 8 10/100/1000 auto-sensing with an RJ-45/SX/SC multimode fiber connector. Labeled X#..., LAN/WAN/…. Each Ethernet interface includes LINK and ACT LEDs. Data input, data output, status output, control input Ethernet [1/2.5Gbe] 8 1G/2.5G auto-sensing with an RJ-45 connector. Labeled X#..., LAN/WAN/…. Each Ethernet interface includes LINK and ACT LEDs. Data input, data output, status output, control input 10/5/2.5/1GE SFP+ 10 10/5/2.5/1GE SFP+ interfaces 10GbE Ethernet hot-pluggable SFP+ interfaces with LINK and ACT LEDs Data input, data output, status output, control input 10/5/2.5GE copper Ports 2 2 x 10/5/2.5G copper Ethernet interfaces 10/5/2.5 Gbe copper Ethernet auto-sensing with an RJ- 45.Labeled X#..., LAN/WAN/…. Each Ethernet interface includes LINK and ACT LEDs. Data input, data output, status output, control input Power 1 AC power input and switch Power Figure 9 - NSa 9250/NSa 9450/NSa 9650 Back Panel Table 11 - Back Panel Ports and Interfaces for NSa 9250/NSa 9450/NSa 9650 mapped to Figures 10 Physical Ports Qty. Description Logical Interfaces Power Interface 1 AC power interfaces Power Redundant power 1 Slot for redundant power supply Power Storage module 1 M0 storage module (covered with tamper Storage SonicWALL FIPS 140-2 Security Policy Copyright SonicWall, Inc., 2018 Version 1.1 Page 24 of 50 SonicWall, Inc. Public Material – May be reproduced only in its original entirety (without revision). Physical Ports Qty. Description Logical Interfaces evident seal) Expansion Bay for storage 1 SATA storage module N/A Fan Interface 3 Hot swappable fans N/A 1.3 Modes of Operation 1.3.1 FIPS 140-2 Approved mode of Operation The FIPS mode configuration can be determined by an operator, by checking the state of the “FIPS Mode” checkbox on the System/Settings page over the web interface or issuing “show fips” over the console . When the “FIPS Mode” checkbox is selected, the module executes a compliance checking procedure, examining all settings related to the security rules described below. The operator is responsible for updating these settings appropriately during setup and will be prompted by the compliance tool if a setting has been modified taking the module out of compliance. The “FIPS Mode” checkbox and corresponding system flag (“fips”) which can be queried over the console will not be set unless all settings are compliant. The “FIPS Mode” checkbox and fips system flag are indicators that the module is running in the FIPS Approved mode of operation. The module is not configured to operate in FIPS-mode by default. The following steps must be taken during set-up of the module to enable FIPS-mode of operation: 1. The default Administrator and User passwords shall be immediately changed and be at least eight (8) characters. 2. The RADIUS/TACACS+ shared secrets must be at least eight (8) characters. 3. Traffic between the module and the RADIUS/TACACS+ server must be secured via an IPSec tunnel. • Note: this step need only be performed if RADIUS or TACACS+ is supported. • LDAP cannot be enabled in FIPS mode without being protected by TLS • LDAP cannot be enabled in FIPS mode without selecting 'Send LDAP Start TLS request' • LDAP cannot be enabled in FIPS mode without selecting 'Require valid certificate from server' • LDAP cannot be enabled in FIPS mode without valid local certificate for TLS 4. IKE must be configured with 3rd Party Certificates for IPsec Keying Mode when creating VPN tunnels. o RSA Certificates lengths must be 2048-bit or greater in size 5. When creating VPN tunnels, ESP must be enabled for IPSec. 6. FIPS-approved algorithms must be used for encryption and authentication when creating VPN tunnels. 7. Group 14, 19, 20 or 21 must be used for IKE Phase 1 DH Group. SHA-256 must be used for Authentication 8. Bandwidth management must be set to “ON”. 9. “Advanced Routing Services” must not be enabled. SonicWALL FIPS 140-2 Security Policy Copyright SonicWall, Inc., 2018 Version 1.1 Page 25 of 50 SonicWall, Inc. Public Material – May be reproduced only in its original entirety (without revision). 10. “Group VPN management” must not be enabled. 11. SNMP or SSH must not be enabled. Note: Once FIPS mode of operation is enabled SonicOS enforces all of the above items. Operators will not be allowed to enable these features while in FIPS mode of operation. The module does not enforce but as a policy User should not enable the below feature while in FIPS mode of operation: • Do not use USB interface • In case the module's power is lost and then restored, a new key for use with the AES GCM encryption/decryption muse be established. 1.3.2 Non-Approved mode of Operation The Cryptographic Module provides the same set of services in the non-Approved mode as in the Approved mode, but allows the following additional administration options and non FIPS-approved algorithms which are not used in the FIPS mode of operation. These services are not enabled by default, if operator selects to enable these services the system will transition to non-approved mode of operation. • 802.11i wireless security • AAA server authentication (the Approved mode requires operation of RADIUS or TACACS+ only within a secure VPN tunnel) • SSH1 • SNMP2 • Wireless interface usage 2. Cryptographic Functionality The Module implements the FIPS Approved and Non-Approved but Allowed cryptographic functions listed in the tables below. Table 12 – Approved Algorithms Cert Algorithm Mode Description Functions/Caveats #5462 AES [197] CBC [38A] Key Sizes: 128, 192, 256 Encrypt, Decrypt CTR [38A] Key Sizes: 128, 192, 256 Encrypt 1 Keys derived using the SSH KDF are not allowed for use in the Approved mode. 2 Keys derived using the SNMP KDF are not allowed for use in the Approved mode. SonicWALL FIPS 140-2 Security Policy Copyright SonicWall, Inc., 2018 Version 1.1 Page 26 of 50 SonicWall, Inc. Public Material – May be reproduced only in its original entirety (without revision). Cert Algorithm Mode Description Functions/Caveats GCM [38D]3 Key Sizes: 128, 192, 256 Tag Len: 128 Authenticated Encrypt, Authenticated Decrypt, Message Authentication Vendor Affirmed AES [IG A.3] AES-CBC Ciphertext Stealing (CBC-CS1) Key Sizes: 128, 192, 256 Encrypt, Decrypt Vendor Affirmed CKG [IG D.12] [133] Section 6.1 Asymmetric signature key generation using unmodified DRBG output Key Generation [133] Section 6.2 Asymmetric key establishment key generation using unmodified DRBG output [133] Section 7.1 Direct symmetric key generation using unmodified DRBG output [133] Section 7.3 Derivation of symmetric keys from a key agreement shared secret. [133] Section 7.4 Derivation of symmetric keys from a pre-shared key [133] Section 7.6 Combining multiple keys and other data #1913 CVL: All of SP800-56A except KDF [56A] FFC (Initiator, Responder)(Hybrid1, Ephem, Hybrid1Flow, OneFlow, Static) FB, FC Key Agreement ECC (Initiator, Responder)(FullUnifi ed, EphemUnified, OnePassUnified, OnePassDH, StaticUnified) P-224, P-256, P-384, P-521 #1915 CVL: IKEv1 [135] DSA, PSK[135] SHA (256, 384, 512) Key Derivation CVL: IKEv2 [135] DH 224-521 bits SHA (256, 384, 512) CVL: TLS [135]4 v1.0, v1.1, v1.2 SHA (256, 384, 512) CVL: SSH [135] v2 SHA-1 3 The module’s AES-GCM implementation conforms to IG A.5 scenario #1 following RFC 5288 for TLS and RFC 4106 and 7296 for IPSec/IKEv1 and IKEv2. Per RFC 5246, if the module is the party that encounters this condition it will trigger a handshake to establish a new encryption key per. 4 SSH, SNMP, TLS 1.0 and 1.1 KDFs were CAVP tested but are not supported in the Approved mode of operation. SonicWALL FIPS 140-2 Security Policy Copyright SonicWall, Inc., 2018 Version 1.1 Page 27 of 50 SonicWall, Inc. Public Material – May be reproduced only in its original entirety (without revision). Cert Algorithm Mode Description Functions/Caveats CVL:SNMP [135] SHA-1 #2144 DRBG [90Arev1] Hash SHA-256 Deterministic Random Bit Generation #1405 DSA [186-4]5 (L = 2048, N = 224) (L = 2048, N = 256) (L = 3072, N= 256) KeyGen (L = 2048, N = 224) SHA(256, 384, 512) (L = 2048, N = 256) SHA(256, 384, 512) (L = 3072, N = 256) SHA(256, 384, 512) PQG Gen (L = 1024, N = 160) SHA(1, 256, 384, 512) (L = 2048, N = 224) SHA(256, 384, 512) (L = 2048, N = 256) SHA(256, 384, 512) (L = 3072, N = 256) SHA(256, 384, 512) PQG Ver (L = 1024, N = 160) SHA(1, 256, 384, 512) (L = 2048, N = 224) SHA(1, 256, 384, 512) (L = 2048, N = 256) SHA(1, 256, 384, 512) (L = 3072, N = 256) SHA(1, 256, 384, 512) SigVer #1460 #1914 (CVL) ECDSA [186-4] P-224, P-256, P-384, P-521, KeyGen P-192, P-224, P-256, P-384, P-521 PKV P-224 6 SHA(1, 256, 384, 512) P-256 SHA(1, 256, 384, 512) P-384 SHA(1, 256, 384, 512) P-521 SHA(1, 256, 384, SigGen 5 DSA was CAVP tested but is only used as a pre-requisite for CVL Cert. #1913. 6 ECDSA P-224 was been CAVP tested but are not supported in the Approved mode of operation. SonicWALL FIPS 140-2 Security Policy Copyright SonicWall, Inc., 2018 Version 1.1 Page 28 of 50 SonicWall, Inc. Public Material – May be reproduced only in its original entirety (without revision). Cert Algorithm Mode Description Functions/Caveats 512) P-192 SHA(1, 256, 384, 512) P-224 SHA(1, 256, 384, 512) P-256 SHA(1, 256, 384, 512) P-384 SHA(1, 256, 384, 512) P-521 SHA(1, 256, 384, 512) SigVer #3620 HMAC [198] SHA-1 Key Sizes: KS < BS λ = 12 Message Authentication, KDF Primitive, Password Obfuscation SHA-256 Key Sizes: KS = BS λ = 32 SHA-384 Key Sizes: KS = BS λ = 48 SHA-512 Key Sizes: KS = BS λ = 64 #5462 #3620 KTS [IG G.8] AES (Cert. #5462); HMAC (Cert. #3620) AES (Key Sizes: 128, 192, 256); HMAC SHA(1, 256, 384, 512) Encryption, Key Transport, Authentication using within TLS 1.2 #2934 RSA [186-4] X9.31 n = 2048 n = 3072 KeyGen PKCS1_v1.5 n = 2048 SHA(256, 384, 512) n = 3072 SHA(256, 384, 512) SigGen PKCS1_v1.5 [186-2 Legacy] n = 1024 SHA-1 n = 1536 SHA-1 n = 2048 SHA-1 SigVer PKCS1_v1.5 [186-4] n = 1024 SHA(1, 256, 384, 512) n = 2048 SHA(1, 256, 384, 512) n = 3072 SHA(256, 384, 512) SigVer #4383 SHS [180-4] SHA-1 SHA-256 SHA-384 SHA-512 Message Digest Generation, Password Obfuscation #2748 Triple-DES TCBC [38A] Key Size: 192 Encrypt, Decrypt SonicWALL FIPS 140-2 Security Policy Copyright SonicWall, Inc., 2018 Version 1.1 Page 29 of 50 SonicWall, Inc. Public Material – May be reproduced only in its original entirety (without revision). Cert Algorithm Mode Description Functions/Caveats [67]7 Table 13 - Non-Approved but Allowed Cryptographic Functions Algorithm Description DH Diffie-Hellman (key agreement; key establishment methodology provides 112 bits of encryption strength) EC DH EC Diffie-Hellman (key agreement; key establishment methodology provides 128 or 192 bits of encryption strength) RSA RSA (key wrapping; key establishment methodology provides 112 bits of encryption strength) NDRNG (used only to seed the Approved DRBG) NDRNG (internal entropy source) for seeding the Hash_DRBG. The module generates a minimum of 256 bits of entropy for key generation. Table 14 - Security Relevant Protocols Used in FIPS Mode Protocol Key Exchange Auth Cipher Integrity IKEv1 Oakley Group 14, 19, 20, 21 Pre-shared key RSA/ECDSA digital signature AES CBC 128/192/256 AES GCM 16 octet ICV SHA 256/384/512 IKEv2 Oakley Group 14, 19, 20, 21 RSA/ECDA Digital Signature Shared Key Message Integrity Code AES CBC 128/192/256 AES GCM 16 octet ICV HMAC-SHA-1-96 HMAC-SHA-1-160 AES-128-GMAC AES-192-GMAC AES-256-GMAC HMAC-SHA-256-128 HMAC-SHA-384-192 HMAC-SHA-512-256 IPsec ESP IKEv1 or IKEv2 with optional: Diffie-Hellman (L=2048, N=224, 256) EC Diffie-Hellman P-256, P-384 IKEv1, IKEv2 AES CBC 128/192/256 HMAC-SHA-1-96 HMAC-SHA-256-128 HMAC-SHA-384-192 HMAC-SHA-512-256 TLS 1.2 or SSL 3.1 RSA_WITH_AES_128_CBC_SHA RSA_WITH_AES_256_CBC_SHA RSA_WITH_AES_128_CBC_SHA256 RSA_WITH_AES_256_CBC_SHA256 TLS_RSA_WITH_AES_128_GCM_SHA256 TLS_RSA_WITH_AES_256_GCM_SHA384 TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 7 Triple-DES was CAVP tested but is not available in the Approved mode of operation. SonicWALL FIPS 140-2 Security Policy Copyright SonicWall, Inc., 2018 Version 1.1 Page 30 of 50 SonicWall, Inc. Public Material – May be reproduced only in its original entirety (without revision). Note: no parts of these protocols, other than the KDF, have been tested by the CAVP and CMVP. 1.3.3 Non-Approved Algorithms with No Security Claimed The module supports the following non-Approved but allowed algorithms and protocols with no security claimed: • Triple-DES (non-compliant) • MD5 (non-compliant) • PBKDF (non-complaint) The operator must also follow the rules outlined in Section 1.3.1 and consult FIPS 140-2 IG 1.23 for further understanding of the use of functions where no security is claimed. Section 3.3 indicates the module services associated with these functions. 2.1 Critical Security Parameters All CSPs used by the Module are described in this section. All usage of these CSPs by the Module (including all CSP lifecycle states) is described in the services detailed in Section 3.3. The following Critical Security Parameters (CSP) are contained in the cryptographic module: • IKE Shared Secret – Shared secret used during IKE Phase 1 (length 4 ~ 128 bytes) • SKEYID – Secret value used to derive other IKE secrets • SKEYID_d – Secret value used to derive keys for security associations • SKEYID_a – Secret value used to derive keys to authenticate IKE messages • SKEYID_e – Secret value used to derive keys to encrypt IKE messages • IKE Pre-Shared Key – ECDSA P-256, P-384, P-521 used to authenticate IKE connections. • IKE Session Encryption Key – AES 128, 192, 256 key used to encrypt data • IKE Session Authentication Key - HMAC 160 bit key used for data authentication • IKE Private Key – ECDSA P-256, P-384, P-521and RSA 2048 bit key used to authenticate the module to a peer during IKE • IPsec Session Encryption Key – AES 128, 192, 256 key used to encrypt data • IPsec Session Authentication Key – HMAC 160 bit key used for data authentication for IPsec traffic • TLS Master Secret: used for the generation of TLS Session Keys and TLS Integrity Key (384-bits) • TLS Premaster Secret - used for the generation of Master Secret (384 bits) • TLS Session Key - AES 128, 192, 256 key used to protect TLS connection • TLS Integrity Key - HMAC 256/384/512 bit key used to check the integrity of TLS connection • Diffie-Hellman/EC Diffie-Hellman - Diffie-Hellman Private Key (N = 224, 256) or EC DH P-256/P- 384 used within IKE or TLS key agreement • DRBG V and C values – Used to seed the Approved DRBG • Entropy Input: 256-bits seed used to instantiate the DRBG • RADIUS Shared Secret – Used for authenticating the RADIUS server to the module and vice versa • Passwords – Authentication data SonicWALL FIPS 140-2 Security Policy Copyright SonicWall, Inc., 2018 Version 1.1 Page 31 of 50 SonicWall, Inc. Public Material – May be reproduced only in its original entirety (without revision). 2.2 Public Keys The following Public Keys are contained in the cryptographic module: • Root CA Public Key – Used for verifying a chain of trust for receiving certificates • Peer IKE Public Key – ECDSA P-256, P-384, P-521 and RSA 2048 bit key for verifying digital signatures from a peer device • IKE Public Key – ECDSA P-256, P-384, P-521and RSA 2048 bit key for verifying digital signatures created by the module • Firmware Verification Key – P-256 ECDSA key used for verifying firmware during firmware load • Diffie-Hellman/EC Diffie-Hellman Public Key – Diffie-Hellman 2048-bit key, EC Diffie-Hellman P- 256/P-384 used within TLS key agreement • Diffie-Hellman/EC Diffie-Hellman Peer Public Key – Diffie-Hellman 2048-bit key, EC DH P-256/P- 384/P-521 8 used within IKE key agreement • Authentication Public Key – 2048-bit RSA public key used to authenticate the User • TLS Public Key – RSA – 2048-bit public key used in the TLS handshake 3. Roles, Authentication and Services 3.1 Assumption of Roles The cryptographic module provides the roles described in Table 15. The cryptographic module does not provide a Maintenance role. The “Administrator” user is a local account on the SonicWALL appliance, and the name used to login as this account may be configured by the Cryptographic Officer role; the default name for the “Administrator” account is “admin”. The User role is authenticated using the credentials of a member of the “Limited Administrators” user group. The User role can query status and non-critical configuration. The user group, “SonicWALL Read-Only Admins,” satisfies neither the Cryptographic Officer nor the User Role, and should not be used in FIPS mode operations. The configuration settings required to enable FIPS mode are specified in Section 1.3.1 of this document. Table 15 – Role Description Role ID Role Description Authentication Type Authentication Data CO Referred to as “Administrator” (individual user) or “SonicWALL Administrators” (user group) in the vendor documentation Role-based and identity-based Username and Password User Referred to as “Limited Administrator” (individual user) or “Limited Administrators” (user group) in the vendor documentation Identity-based Username and Password or Digital Signature The Module supports concurrent operators. Separation of roles is enforced by requiring users to authenticate using either a username and password, or digital signature verification. The User role requires the use of a username and password or possession of a private key of a user entity belonging to 8 P-521 curve only available for IKEv1 and IKEv2 SonicWALL FIPS 140-2 Security Policy Copyright SonicWall, Inc., 2018 Version 1.1 Page 32 of 50 SonicWall, Inc. Public Material – May be reproduced only in its original entirety (without revision). the “Limited Administrators” group. The Cryptographic Officer role requires the use of the “Administrator” username and password, or the username and password of a user entity belonging to the “SonicWALL Administrators” group. Multiple users may be logged in simultaneously, but only a single user-session can have full configuration privileges at any time, based upon the prioritized preemption model described below: 1. The Admin user has the highest priority and can preempt any users. 2. A user that is a member of the “SonicWALL Administrators” user group can preempt any users except for the Admin. 3. A user that is a member of the “Limited Administrators” user group can only preempt other members of the “Limited Administrators" group. Session preemption may be handled in one of two ways, configurable from the System > Administration page, under the “On admin preemption” setting: 1. “Drop to non-config mode” – the preempting user will have three choices: a. “Continue” – this action will drop the existing administrative session to a “non-config mode”, and will impart full administrative privileges to the preempting user. b. “Non-Config Mode” – this action will keep the existing administrative session intact, and will login the preempting user in a “non-config mode” c. “Cancel” – this action will cancel the login, and will keep the existing administrative session intact. 2. “Log-out” – the preempting user will have two choices: a. “Continue” – this action will log out the existing administrative session, and will impart full administrative privileges to the preempting user. b. “Cancel” – this action will cancel the login, and will keep the existing administrative session intact. “Non-config mode” administrative sessions will have no privileges to cryptographic functions making them functionally equivalent to User role sessions. The ability to enter “Non-config mode” may be disabled altogether from the System > Administration page, under the “On admin preemption” setting by selecting “Log out” as the desired action. 3.2 Authentication Methods The cryptographic module provides authentication relying upon username/passwords or an RSA 2048- bit (at a minimum) digital signature verification. Table 16 – Authentication Description Authentication Method Probability Justification SonicWALL FIPS 140-2 Security Policy Copyright SonicWall, Inc., 2018 Version 1.1 Page 33 of 50 SonicWall, Inc. Public Material – May be reproduced only in its original entirety (without revision). Authentication Method Probability Justification CO and User password The probability is 1 in 96^8, which is less than one in 1,000,000 that a random attempt will succeed or a false acceptance will occur for each attempt (This is also valid for RADIUS shared secret keys). After three (3) successive unsuccessful password verification tries, the cryptographic module pauses for one second before additional password entry attempts can be reinitiated. This makes the probability approximately 180/96^8 = 2.5E-14, which is less than one in 100,000, that a random attempt will succeed or a false acceptance will occur in a one- minute period. Passwords must be at least eight (8) characters long each, and the password character set is ASCII characters 32-127, which is 96 ASCII characters, hence, the probability is 1 in 96^8. User RSA 2048-bit (minimum) digital signature The probability that a random attempt will succeed or a false acceptance will occur is 1/2^112, which is less than 1 in 1,000,000. Due to processing and network limitations, the module can verify at most 300 signatures in a one minute period. Thus, the probability that a random attempt will succeed or a false acceptance will occur in a one minute period is 300/2^112 = 5.8E-32, which is less than 1 in 100,000. A 2048-bit RSA digital signature has a strength of 112-bits, hence the probability is 1/2^112. 3.3 Services 3.3.1 User Role Services • Show Status – Monitoring, pinging, traceroute, viewing logs. • Show Non-critical Configuration – “Show” commands that enable the User to view VPN tunnel status and network configuration parameters. • Session Management – Limited commands that allow the User to perform minimal VPN session management, such as clearing logs, and enabling some debugging events. This includes the following services: 1. Log On 2. Monitor Network Status 3. Log Off (themselves and guest users) SonicWALL FIPS 140-2 Security Policy Copyright SonicWall, Inc., 2018 Version 1.1 Page 34 of 50 SonicWall, Inc. Public Material – May be reproduced only in its original entirety (without revision). 4. Clear Log 5. Export Log 6. Filter Log 7. Generate Log Reports 8. Configure DNS Settings • TLS – TLS used for the https configuration tool or network traffic over a TLS VPN • IPsec VPN – Network traffic over an IPsec VPN 3.3.2 Crypto Officer Services The Cryptographic Officer role is authenticated using the credentials of the “Administrator” user account (also referred to as “Admin”), or the credentials of a member of the “SonicWALL Administrators” user group. The use of the latter allows for identification of specific users (i.e., by username) upon whom is imparted full administrative privileges through their assigned membership to the “SonicWALL Administrators” group by the Admin user, or other user with full administrative privileges. The Cryptographic Officer role can show all status and configure cryptographic algorithms, cryptographic keys, certificates, and servers used for VPN tunnels. The Crypto Officer sets the rules by which the module encrypts and decrypts data passed through the VPN tunnels. The authentication mechanisms are discussed in Section 3.1 and 3.2. • Show Status - Monitoring, pinging, traceroute, viewing logs. • Configuration Settings – System configuration9 , network configuration, User settings, Hardware settings, Log settings, and Security services including initiating encryption, decryption, random number generation, key management, and VPN tunnels. This includes the following services: 1. Configure VPN Settings 2. Set Content Filter 3. Import/Export Certificates 4. Upload Firmware10 5. Configure DNS Settings 6. Configure Access • Session Management – Management access for VPN session management, such as setting and clearing logs, and enabling debugging events and traffic management. This includes the following services: 1. Log On 2. Import/Export Certificates 3. Clear Log 4. Filter Log 5. Export Log 6. Setup DHCP Server 9 Non-compliant Triple-DES implementation associated with the configuration setting is used to encrypt/decrypt signature files (internal to the module only). This function is considered obfuscation and cannot be used to compromise the module or store/transmit sensitive information. 10 Note: Only validated firmware versions shall be loaded using the firmware upload service. SonicWALL FIPS 140-2 Security Policy Copyright SonicWall, Inc., 2018 Version 1.1 Page 35 of 50 SonicWall, Inc. Public Material – May be reproduced only in its original entirety (without revision). 7. Generate Log Reports • Zeroize – Zeroizing cryptographic keys • TLS – TLS used for the https configuration tool or network traffic over a TLS VPN • IPsec VPN 11 – Network traffic over an IPsec VPN The cryptographic module also supports unauthenticated services, which do not disclose, modify, or substitute CSP, use approved security functions, or otherwise affect the security of the cryptographic module. 3.3.3 Unauthenticated services • Module Reset - Firmware removal with configuration return to factory state • NoAuth Function - Authenticates the operator and establishes secure channel. • Show Status – LED activity and console message display • Self-test Initiation – power cycle Note: The same services are available in the non-Approved mode of operation. In the non-Approved mode of operation, the non-Approved functions listed in Section 1.3.2 can be utilized. The cryptographic module provides several security services including VPN and IPsec. The cryptographic module provides the Cryptographic Officer role the ability to configure VPN tunnels and network settings. All services implemented by the Module are listed in the table(s) below. Table 17 – Authenticated Services Service Description CO U Status Information Viewing Logs, viewing network interface settings X X Configuration management Setting up VPN, setup filters, upload firmware, Auth directory configuration, creating user accounts X Session Management Audit configuration, Certificate management, DHCP setup X X Zeroize Destroys all CSPs. Upon system all CSP in transient memory are erased X TLS TLS used for HTTPS management of the module/ network traffic over TLS X X IPsec VPN Module can configure/run traffic over IPsec VPN using certificates X X Table 18 – Unauthenticated Services Service Description 11 MD5 (no security claimed) and keys derived from the non-conformant PBKDF are always encapsulated by the IPsec VPN service. SonicWALL FIPS 140-2 Security Policy Copyright SonicWall, Inc., 2018 Version 1.1 Page 36 of 50 SonicWall, Inc. Public Material – May be reproduced only in its original entirety (without revision). Service Description Module Reset Reset the Module by activating the reset switch NoAuth Function Authenticates the operator and establishes secure channel. Show Status LCD Display available on only SM Series Self-test Initiation Power Cycle Note: The same services are available in the non-Approved mode of operation. In the non-Approved mode of operation, the non-Approved functions listed in Section 1.3.2 can be utilized. Table 19 defines the relationship between access to Security Parameters and the different module services. Table 20 defines the relationship between access to Public Keys and the different module services. The modes of access shown in the tables are defined as: • G = Generate: The module generates the CSP. • I = Import: The CSP is entered into the module from an external source. • R = Read: The module reads the CSP for output. • E = Execute: The module executes using the CSP. • W = Write: The module writes the CSP to persistent storage. • Z = Zeroize: The module zeroizes the CSP. In the tables below, TLS and IPsec listings are inclusive of functions that can be operated with IPsec or TLS communications active. Table 19 – Security Parameters Access Rights within Services and CSPs Service CSPs IKE Shared Secret SKEYID SKEYID_d SKEYID_a SKEYID_e Preshared Key IKE Session Encryption Key IKE Session Authentication Key IKE Private Key IPsec Session Encryption Key IPsec Session Authentication Key TLS Master Secret TLS Premaster Secret TLS Session Key TLS Integrity Key DH/EC DH Private Key DRBG V and C values RADIUS Shared Secret Entropy Input Passwords Show Status - - - - - - - - - - - - - - - - - - Show Non- critical Configuration - - - - - - - - - - - - - - - - - - SonicWALL FIPS 140-2 Security Policy Copyright SonicWall, Inc., 2018 Version 1.1 Page 37 of 50 SonicWall, Inc. Public Material – May be reproduced only in its original entirety (without revision). Service CSPs IKE Shared Secret SKEYID SKEYID_d SKEYID_a SKEYID_e Preshared Key IKE Session Encryption Key IKE Session Authentication Key IKE Private Key IPsec Session Encryption Key IPsec Session Authentication Key TLS Master Secret TLS Premaster Secret TLS Session Key TLS Integrity Key DH/EC DH Private Key DRBG V and C values RADIUS Shared Secret Entropy Input Passwords Monitor Network Status - - - - - - - - - - - - - - - - - - Log On - - - - - - - - - - - - - - - - - E Log Off - - - - - - - - - - - - - - - - - - Clear Log - - - - - - - - - - - - - - - - - - Export Log - - - - - - - - - - - - - - - - - - Import/Export Certificates - - - - - - - - - - - - - - - - - - Filter Log - - - - - - - - - - - - - - - - - - Setup DHCP Server12 - - - - - - - - - - - - - - - - - - Generate Log Reports - - - - - - - - - - - - - - - - - - Configure VPN Settings - - - - - IE - - IG - - - - - - IG - - - IPsec VPN GE GE GE GE GE - GE GE GE GE GE - - - - GE GE GE - TLS - - - - - - - - - - GE GE GE GE - - - - Set Content Filter - - - - - - - - - - - - - - - - - - Upload Firmware - - - - - - - - - - - - - - - - - - Configure DNS Settings - - - - - - - - - - - - - - - - - - 12 DHCP setup does not use CSPs, but DHCP server setup is performed with IPsec active. See below for IPsec VPN CSP usage. SonicWALL FIPS 140-2 Security Policy Copyright SonicWall, Inc., 2018 Version 1.1 Page 38 of 50 SonicWall, Inc. Public Material – May be reproduced only in its original entirety (without revision). Service CSPs IKE Shared Secret SKEYID SKEYID_d SKEYID_a SKEYID_e Preshared Key IKE Session Encryption Key IKE Session Authentication Key IKE Private Key IPsec Session Encryption Key IPsec Session Authentication Key TLS Master Secret TLS Premaster Secret TLS Session Key TLS Integrity Key DH/EC DH Private Key DRBG V and C values RADIUS Shared Secret Entropy Input Passwords Configure Access - - - - - - - - - - - - - - - - - IE Zeroize Z Z Z Z Z z Z Z Z Z Z Z Z Z Z Z Z Z Z Table 20 – Security Parameters Access Rights within Services and Public Keys Service Public Keys Root CA Public Key IKE Public Key TLS Public Key Peer IKE Public Key TLS Peer Public Key Authentication Public Key Firmware Verification Key TLS Public Key Show Status - - - - - - - - Show Non-critical Configuration - - - - - - - - Monitor Network Status - - - - - - - - Log On - - - - - - - - Log Off - - - - - - - - Clear Log - - - - - - - - Export Log - - - - - - - - Import/Export Certificates - - - - - - - - Filter Log - - - - - - - - SonicWALL FIPS 140-2 Security Policy Copyright SonicWall, Inc., 2018 Version 1.1 Page 39 of 50 SonicWall, Inc. Public Material – May be reproduced only in its original entirety (without revision). 13 DHCP setup does not use CSPs, but DHCP server setup is performed with IPsec active. See below for IPsec VPN CSP usage. Setup DHCP Server13 - - - - - - - - Generate Log Reports - - - - - - - - Configure VPN Settings I IG IG - - - - - IPsec VPN E E E IE IE IE - - TLS - - E - IE IE - E Set Content Filter - - - - - - - - Upload Firmware - - - - - - E - Configure DNS Settings - - - - - - - - Configure Access - - - - - - - - Zeroize - - - - - - - - SonicWALL FIPS 140-2 Security Policy Copyright SonicWall, Inc., 2018 Version 1.1 Page 40 of 50 SonicWall, Inc. Public Material – May be reproduced only in its original entirety (without revision). 4. Self-tests The module performs self-tests to ensure the proper operation of the module. Per FIPS 140-2 these are categorized as either power-up self-tests or conditional self-tests. Power up self–tests are available on demand by power cycling the module. The module performs the following algorithm KATs on power-up. • Firmware Integrity: 16 bit CRC performed over all code in EEPROM • AES: KATs: Encryption, Decryption; Modes: ECB and GCM; Key sizes: 128 bits • DRBG : KATs: HASH DRBG; Security Strengths: 256 bits • ECDSA: PCT: Signature Generation, Signature Verification; Curves/Key sizes: P-256 • HMAC: KATs: Generation, Verification; SHA sizes: SHA-1, SHA-256, SHA-384, SHA-512 • RSA: KATs: Signature Generation, Signature Verification; Key sizes: 1024, 2048, 3072 bits • SHA: KATs: SHA-1, SHA-256, SHA-384, SHA-512 • TDES: KATs: Encryption, Decryption; Modes: CBC; Key sizes: 2-key, 3-key14 • AES-CBC Ciphertext Stealing (CS): KATs: Encryption, Decryption; Modes: CBC-CS1; Key sizes: 128, 192, 256 bits • DSA: KATs: Signature Generation, Signature Verification; Key sizes: 1024, 2048, 3072bits • KDFs: IKEv1, IKEv2, TLS, SSH, SNMP15 The module performs the following conditional self-tests as indicated. • DRBG and NDRNG Continuous Random Number Generator Tests per IG 9.8 • RSA Pairwise Consistency Test on RSA key pair generation • ECDSA Pairwise Consistency Test on ECDSA key pair generation • Firmware Load Test: 2048-bit ECDSA (P-256) signed SHA-256 hash When a new firmware image is loaded, the cryptographic module verifies the 2048-bit ECDSA signed SHA-256 hash of the image. If this verification fails, the firmware image loading is aborted. If any of the tests described above fail, the cryptographic module enters the error state. No security services are provided in the error state. Upon successful completion of the Diagnostic Phase, the cryptographic module enters the Command and Traffic Processing State. Security services are only provided in the Command and Traffic Processing State. No VPN tunnels are started until all tests are successfully completed. This effectively inhibits the data output interface. When all tests are completed successfully, the Test LED is turned off. 14 Triple-DES KATs are performed even if they are not supported in the Approved mode of operation 15 The SSH and SNMP KDF KATs are performed if they are not supported in the Approved mode of operation SonicWALL FIPS 140-2 Security Policy Copyright SonicWall, Inc., 2018 Version 1.1 Page 41 of 50 SonicWall, Inc. Public Material – May be reproduced only in its original entirety (without revision). The module performs the following critical self-tests. These critical function tests are performed for the SP 800-90A DRBG: • SP 800-90A Instantiation Test • SP 800-90A Generate Test • SP 800-90A Reseed Test • SP 800-90A Uninstantiate Test 5. Physical Security Policy The chassis of all the modules are sealed with one (1) or two (2) tamper-evident seals, applied during manufacturing. The physical security of the module is intact if there is no evidence of tampering with the seal. The locations of the tamper-evident seals are indicated by the red rectangles below in Figures 15 – 21. The Cryptographic Officer shall inspect the tamper seals for signs of tamper evidence once every six months. If evidence of tamper is found, the Cryptographic Officer is requested to follow their internal IT policies which may include either replacing the unit or resetting the unit to factory defaults. For further instructions on resetting to factory defaults, please review SonicWALL guidance documentation. Figure 10: SOHOW (Left) SonicWALL FIPS 140-2 Security Policy Copyright SonicWall, Inc., 2018 Version 1.1 Page 42 of 50 SonicWall, Inc. Public Material – May be reproduced only in its original entirety (without revision). Figure 11: SOHOW (Right) Figure 12: TZ 300 (Top, Left) Figure 13: TZ 400 (Top, Left) Figure 14: TZ 500 (Top, Left) Figure 15: TZ 600 (Top, Left) SonicWALL FIPS 140-2 Security Policy Copyright SonicWall, Inc., 2018 Version 1.1 Page 43 of 50 SonicWall, Inc. Public Material – May be reproduced only in its original entirety (without revision). Figure 16: TZ 400 Right, Bottom View Figure 17: TZ 500 Right, Bottom View Figure 18: TZ 300 Right, Bottom View Figure 19: TZ 600 Right, Bottom View SonicWALL FIPS 140-2 Security Policy Copyright SonicWall, Inc., 2018 Version 1.1 Page 44 of 50 SonicWall, Inc. Public Material – May be reproduced only in its original entirety (without revision). NSa 6600 Front NSa 6600 Tamper Seal Location on underside, Front NSa 6600 Tamper-Evident Seal Location on Left Side NSa3600/NSa 4600/NSa 5600 Rear with Two Seals Figure 20: NSa 6600/NSa 5600/NSa 4600/NSa 3600 Front and Back Seals SonicWALL FIPS 140-2 Security Policy Copyright SonicWall, Inc., 2018 Version 1.1 Page 45 of 50 SonicWall, Inc. Public Material – May be reproduced only in its original entirety (without revision). Super Massive with Tamper-Evident Seal on Left Super Massive with Seal on underside, Front Figure 21: SM 9600/SM 9400/SM 9200 SonicWALL FIPS 140-2 Security Policy Copyright SonicWall, Inc., 2018 Version 1.1 Page 46 of 50 SonicWall, Inc. Public Material – May be reproduced only in its original entirety (without revision). Figure 22: NSa 2650/NSa 3650/NSa 4650/NSa 5650 Tamper Evident Seal placement SonicWALL FIPS 140-2 Security Policy Copyright SonicWall, Inc., 2018 Version 1.1 Page 47 of 50 SonicWall, Inc. Public Material – May be reproduced only in its original entirety (without revision). Figure 23: NSa 6650/NSa 9250/NSa 9450/NSa 9650 Front and Rear Panels and Tamper Evident Seal placement 6. Operational Environment Area 6 of the FIPS 140-2 requirements does not apply to this module as the module only allows the loading of firmware through the firmware load test, which ensures the image is appropriately ECDSA signed by SonicWall, Inc. 7. Mitigation of Other Attacks Policy Area 11 of the FIPS 140-2 requirements do not apply to this module as it has not been designed to mitigate any specific attacks outside the scope of FIPS 140-2 requirements. 8. Security Rules and Guidance This section documents the security rules for the secure operation of the cryptographic module to implement the security requirements of FIPS 140-2. 1. The module provides two distinct operator roles: User and Cryptographic Officer. 2. The module provides identity-based authentication. 3. The module clears previous authentications on power cycle. 4. An operator does not have access to any cryptographic services prior to assuming an authorized role. 5. The module allows the operator to initiate power-up self-tests by power cycling power or resetting the module. 6. Power up self-tests do not require any operator action. 7. Data output are inhibited during key generation, self-tests, zeroization, and error states. 8. Status information does not contain CSPs or sensitive data that if misused could lead to a compromise of the module. 9. There are no restrictions on which keys or CSPs are zeroized by the zeroization service. 10. The module does not support a maintenance interface or role. 11. The module does not support manual key entry. 12. The module does not have any proprietary external input/output devices used for entry/output of data. 13. The module does not enter or output plaintext CSPs. 14. The module does not output intermediate key values. SonicWALL FIPS 140-2 Security Policy Copyright SonicWall, Inc., 2018 Version 1.1 Page 48 of 50 SonicWall, Inc. Public Material – May be reproduced only in its original entirety (without revision). 9. References and Definitions The following standards are referred to in this Security Policy. Table 21 - References Abbreviation Full Specification Name [FIPS140-2] Security Requirements for Cryptographic Modules, May 25, 2001 [IG] Implementation Guidance for FIPS PUB 140-2 and the Cryptographic Module Validation Program [108] NIST Special Publication 800-108, Recommendation for Key Derivation Using Pseudorandom Functions (Revised), October 2009 [131A] Transitions: Recommendation for Transitioning the Use of Cryptographic Algorithms and Key Lengths, January 2011 [132] NIST Special Publication 800-132, Recommendation for Password-Based Key Derivation, Part 1: Storage Applications, December 2010 [133] NIST Special Publication 800-133, Recommendation for Cryptographic Key Generation, December 2012 [135] National Institute of Standards and Technology, Recommendation for Existing Application-Specific Key Derivation Functions, Special Publication 800-135rev1, December 2011. [186] National Institute of Standards and Technology, Digital Signature Standard (DSS), Federal Information Processing Standards Publication 186-4, July, 2013. [186-2] National Institute of Standards and Technology, Digital Signature Standard (DSS), Federal Information Processing Standards Publication 186-2, January 2000. [197] National Institute of Standards and Technology, Advanced Encryption Standard (AES), Federal Information Processing Standards Publication 197, November 26, 2001 [198] National Institute of Standards and Technology, The Keyed-Hash Message Authentication Code (HMAC), Federal Information Processing Standards Publication 198-1, July, 2008 [180] National Institute of Standards and Technology, Secure Hash Standard, Federal Information Processing Standards Publication 180-4, August, 2015 [202] FEDERAL INFORMATION PROCESSING STANDARDS PUBLICATION, SHA-3 Standard: Permutation-Based Hash and Extendable-Output Functions, FIPS PUB 202, August 2015 [38A] National Institute of Standards and Technology, Recommendation for Block Cipher Modes of Operation, Methods and Techniques, Special Publication 800-38A, December 2001 [38B] National Institute of Standards and Technology, Recommendation for Block Cipher Modes of Operation: The CMAC Mode for Authentication, Special Publication 800- 38B, May 2005 SonicWALL FIPS 140-2 Security Policy Copyright SonicWall, Inc., 2018 Version 1.1 Page 49 of 50 SonicWall, Inc. Public Material – May be reproduced only in its original entirety (without revision). Abbreviation Full Specification Name [38C] National Institute of Standards and Technology, Recommendation for Block Cipher Modes of Operation: The CCM Mode for Authentication and Confidentiality, Special Publication 800-38C, May 2004 [38D] National Institute of Standards and Technology, Recommendation for Block Cipher Modes of Operation: Galois/Counter Mode (GCM) and GMAC, Special Publication 800-38D, November 2007 [56A] NIST Special Publication 800-56A, Recommendation for Pair-Wise Key Establishment Schemes Using Discrete Logarithm Cryptography (Revised), March 2007 [56Ar2] NIST Special Publication 800-56A Revision 2, Recommendation for Pair-Wise Key Establishment Schemes Using Discrete Logarithm Cryptography, May 2013 [56Br1] NIST Special Publication 800-56A Revision 1, Recommendation for Pair-Wise Key Establishment Schemes Using Integer Factorization Cryptography, September 2014 [67] National Institute of Standards and Technology, Recommendation for the Triple Data Encryption Algorithm (TDEA) Block Cipher, Special Publication 800-67, May 2004 [90A] National Institute of Standards and Technology, Recommendation for Random Number Generation Using Deterministic Random Bit Generators, Special Publication 800-90A, June 2015. Table 22 – Acronyms and Definitions Acronym Definition AES Advanced Encryption Standard FIPS Federal Information Processing Standard CSP Critical Security Parameter VPN Virtual Private Network EMC Electromagnetic Compatibility EMI Electromagnetic Interference Triple-DES Triple Data Encryption Standard DES Data Encryption Standard CBC Cipher Block Chaining DSA Digital Signature Algorithm DRBG Deterministic Random Bit Generator RSA Rivest, Shamir, Adleman asymmetric algorithm IKE Internet Key Exchange RADIUS Remote Authentication Dial-In User Service SonicWALL FIPS 140-2 Security Policy Copyright SonicWall, Inc., 2018 Version 1.1 Page 50 of 50 SonicWall, Inc. Public Material – May be reproduced only in its original entirety (without revision). Acronym Definition IPSec Internet Protocol Security LAN Local Area Network DH Diffie-Hellman GUI Graphical User Interface SHA Secure Hash Algorithm HMAC Hashed Message Authentication Code MSCHAP Microsoft Challenge Handshake Authentication Protocol