FIPS 140-2 Non-Proprietary Security Policy for WatchGuard Technologies Inc. Firebox Page 1 of 52 FIPS 140-2 Non-Proprietary Security Policy for WatchGuard Technologies Inc. Firebox M270 M370 M470 M570 M670 Version: 1.5 September 18, 2020 FIPS 140-2 Non-Proprietary Security Policy for WatchGuard Technologies Inc. Firebox Page 2 of 52 WatchGuard Firebox FIPS 140-2 Non-Proprietary Security Policy Hardware: Firebox M270 (hardware model # TL2AE8) Firebox M370 (hardware model # WL6AE8) Firebox M470, M570, M670 (hardware model # WL6AE8 with NIC modules WG8592, WG8593, and WG8594) Firmware Version: Fireware OS v12.3.1 Copyright Notice This document may be copied without WatchGuard’s explicit permission provided that it is copied in its entirety without any modification. Trademarks WatchGuard Firebox Fireware Regulatory compliance FCC Class A Part 15 FIPS 140-2 Non-Proprietary Security Policy for WatchGuard Technologies Inc. Firebox Page 3 of 52 Table of Contents 1 INTRODUCTION.....................................................................................................................................................5 2 FIREBOX MODULE OVERVIEW.......................................................................................................................5 3 SECURITYLEVEL..................................................................................................................................................6 4 ROLES, SERVICES AND AUTHENTICATION...............................................................................................8 4.1 MODULE ACCESS METHODS...............................................................................................................................8 4.1.1 Web UI............................................................................................................................................................8 4.1.2 Command Line Interface...............................................................................................................................8 4.2 ROLES..................................................................................................................................................................8 4.3 SERVICES .............................................................................................................................................................9 4.4 APPROVED ALGORITHMS..................................................................................................................................11 4.5 NON-FIPS APPROVED BUT ALLOWED ALGORITHMS .....................................................................................15 4.6 NON-FIPS APPROVED SERVICES......................................................................................................................15 4.7 NON-FIPS APPROVED ALGORITHMS ...............................................................................................................15 4.8 ALTERNATING BYPASS.....................................................................................................................................16 4.9 AUTHENTICATION .............................................................................................................................................16 5 INTERFACES.........................................................................................................................................................18 5.1 FIREBOX M270..................................................................................................................................................19 5.2 FIREBOX M370..................................................................................................................................................22 5.3 FIREBOX M470, M570,AND M670.................................................................................................................25 6 FIPS140-2 COMPLIANT OPERATION...........................................................................................................30 6.1 SECURITY RULES...............................................................................................................................................30 6.2 SELF-TESTS.......................................................................................................................................................30 6.3 CRYPTOGRAPHIC OFFICER GUIDANCE.............................................................................................................32 6.3.1 Secure Installation.......................................................................................................................................32 6.3.2 Enabling FIPS Mode Operation.................................................................................................................32 6.3.3 Disabling FIPS Mode Operation................................................................................................................33 6.4 USER GUIDANCE ...............................................................................................................................................33 7 TAMPER EVIDENCE...........................................................................................................................................34 7.1 FIREBOX M270..................................................................................................................................................35 7.2 FIREBOX M370..................................................................................................................................................36 7.3 FIREBOX M470,M570, AND M670..................................................................................................................37 8 CRYPTOGRAPHIC KEY MANAGEMENT....................................................................................................38 8.1 CRYPTOGRAPHIC KEYS AND CRITICAL SECURITY PARAMETERS...................................................................38 8.2 PUBLIC KEYS.....................................................................................................................................................45 9 MITIGATIONOF OTHER ATTACKS.............................................................................................................47 9.1 GATEWAY IPS SERVICE....................................................................................................................................47 9.2 GATEWAY ANTIVIRUS SERVICE .......................................................................................................................47 9.3 SPAMBLOCKER SERVICE...................................................................................................................................48 FIPS 140-2 Non-Proprietary Security Policy for WatchGuard Technologies Inc. Firebox Page 4 of 52 9.4 WEBBLOCKER SERVICE....................................................................................................................................48 9.5 APPLICATION CONTROL SERVICE.....................................................................................................................48 9.6 DATA LOSS PREVENTION SERVICE...................................................................................................................49 9.7 ADVANCED PERSISTENT THREAT BLOCKER SERVICE.....................................................................................49 10 DEFINITIONS.........................................................................................................................................................50 FIPS 140-2 Non-Proprietary Security Policy for WatchGuard Technologies Inc. Firebox Page 5 of 52 1 Introduction This document is a FIPS 140-2 Security Policy for WatchGuard’s FireboxSecurity System. This policy describes how the Firebox M270, M370, M470, M570, and M670models (hereafter referred to as the ‘module’ or the ‘Firebox module’) meets the FIPS 140-2 securityrequirements and how to operatethe module in a FIPS compliant manner. This policy was createdas part of the Level 2 FIPS 140-2 validation of the Firebox module. The Federal Information Processing Standards Publication 140-2 – SecurityRequirementsfor Cryptographic Modules (FIPS 140-2) details the United States FederalGovernment requirements for cryptographicmodules. Detailedinformation about the FIPS 140-2 standardand validation programis available on the NIST (National Instituteof Standards and Technology) websiteat http://csrc.nist.gov/groups/STM/cmvp/index.html. 2 FireboxModuleOverview WatchGuard®Firebox appliances arebuilt for enterprise-grade performancewith blazing throughput and numerous connectivity options. Advanced networking features include clustering, high availability (active/active), VLANsupport, multi-WAN load balancing and enhanced VoIP security, plus inbound and outbound HTTPS inspection, to give the strong security enterprises need. And the Firebox appliances are completely configurable – turn on or off components and services tofit different network security deployment requirements. WatchGuard’s Firebox product family spans the full rangeof network environments, from SOHO to serviceprovider, offering cost effectivesystems for any sizeof application. They detect and eliminate the most damaging, content-basedthreats fromemail and Web traffic such as viruses, worms, intrusions, inappropriate Web content and more in real time — without degrading network performance. The Firebox module delivers a full rangeof application level firewalland network-level services — application control, data loss prevention, advanced persistent threats blocker, VPN, intrusion prevention, web filtering, antivirus, antispamand trafficshaping — in dedicated, easilymanaged platforms. The Firebox securitysystememploys the powerful, secure, FirewareOS to achieve breakthrough price/performance. This systemprovides a criticallayer of real-time, network-basedantivirus protection that complements host-basedantivirus softwareand supports “defense-in-depth” strategies without compromising performanceor cost. They can be easily configured to provide antivirus protection, antispamprotection and content filtering in conjunction with existing firewall, VPN, and related devices, or as complete network protection systems. The Firebox module supports the IPSec industry standardfor VPN, allowing VPNs to be configured between a Firebox module and any client or gateway/firewallthat supports IPSecVPN. TheFirebox module alsoprovides SSLVPN services. The Firebox module is defined as a multi-chip standalone cryptographicmodule consisting of production gradecomponents contained in a physically protected enclosure. The entireenclosure is defined as the FIPS 140-2 Non-Proprietary Security Policy for WatchGuard Technologies Inc. Firebox Page 6 of 52 cryptographicboundary of thecryptographic module. The cryptographicboundary for FIPS 140-2 certification is equivalent to the TOE boundary for Common Criteria (CC)certification. Figure 1: Cryptographic ModuleBlock Diagram 3 Security Level The WatchGuardFirebox appliances meet the overall requirements applicable to Level 2 securityof FIPS 140-2. Table1: ModuleSecurity LevelSpecification Security Requirements Section Level CryptographicModule Specification 2 CryptographicModule Ports Specification 2 Roles, Services, and Authentication 2 Finite StateMachine 2 Physical Security 2 FIPS 140-2 Non-Proprietary Security Policy for WatchGuard Technologies Inc. Firebox Page 7 of 52 Operational Environment N/A CryptographicKey Management 2 EMI/EMC 2 Self-Tests 2 DesignAssurance 2 Mitigationof Other Attacks 2 FIPS 140-2 Non-Proprietary Security Policy for WatchGuard Technologies Inc. Firebox Page 8 of 52 4 Roles, Services andAuthentication 4.1 Module Access Methods There aretwo convenient and secureways to connect, configure and managethemodule. 4.1.1 Web UI The Firebox module provides a web based GUI basedaccess tothe module, which is the convenient way to configure the module. The Web UI requires a web browser on themanagement computer and an Ethernet connection between the module and themanagement computer. A web-browser that supports Transport Layer Security (TLS) 1.2 is required for remoteaccess tothe Web UI when the modules areoperating in FIPS mode. The web browser is not part of the validatedmodule boundary. 4.1.2 Command Line Interface The Command Line Interface(CLI)is a rich, text based management toolfor the module. The CLI provides access toall of the possible services and configuration options in themodules. The CLI uses a console or a network (Ethernet)connection betweenthe module and the management computer. The console connection is a direct serial connection. Terminal emulation softwareis required on the management computer using either method. For network access, a Telnet orSSH client that supports the SSH v2.0 protocol is required. SSH v1.0 is not supported in FIPS mode. The Telnet or SSH client is not part of the validated module boundary. 4.2 Roles The module implements role-based authentication. Themodule provides two pre-defined roles for users: User (status)andCryptographic Officer (admin) role. One of theseroles can be assumedby an operatorafter authenticating tothe module remotelyor througha console connection using a username/passwordcombination. The module does not allow the creationof additional operator accounts or roles. An operator assuming theCryptographic Officer role has full read/writeaccess toall of the functions and services of the module, including configuration, resetting or shutting down the module. This alsoimplies that the Cryptographic Officer role includes all the accesses andprivileges theUser has. The User is not allowed to make any changes tothe configuration of themodule. The User role is only for viewing and reporting the configuration and status of the module and its functions. Operatoraccounts are differentiatedby the usernameduring authentication. Morethan one operator with User role can be connected to the module at any given time. However, therecan be only one Cryptographic Officer login at any given time. Concurrent login attempts bythe Cryptographic Officer arerefused by the module. It is not possible to changeroles without re-authentication. FIPS 140-2 Non-Proprietary Security Policy for WatchGuard Technologies Inc. Firebox Page 9 of 52 4.3 Services The following table details the FIPS approved services available for each role, the types of access for each role, and the Keys or CSPs they affect. The role names areabbreviated as follows: CryptographicOfficer - CO User - U R=ReadAccess, W=Write/DeleteAccess, X=ExecuteAccess The Key/CSP is documented in section“CryptographicKey Management” on page 38. Table2: FIPS approved servicesin Command LineInterfaceand Web UI access mode Service U CO Key/ CSP authenticatetomodule X X 2, 3, 4, 5, 6, 7, 14, 15, 16, 17, 18, 19, 20, 21, 24, 25, 29, 30, 31, 32, 33, 34 show systemstatus R R 16, 17, 19, 20 show FIPS mode enabled/disabled R R 16, 17, 19, 20 enable FIPS mode N/A W 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18, 19, 20, 21, 22, 23, 24, 25, 26, 27, 28, 29, 30, 31, 32, 33, 34, 35 disable FIPS mode N/A W 1, 2, 3, 4, 6, 7, 8, 9, 11, 12, 13, 14, 15, 17, 18, 19, 20, 22, 23, 26, 28, 29, 34, 35 execute FIPS on-demand self-tests N/A X 2, 3, 16, 17, 19, 20, 26 set/reset password N/A WX 16, 17, 19, 20, 24 executefirmware download1 N/A X 16, 17, 19, 20, 25 executesystemreboot N/A WX 1, 2, 3, 4, 6, 7, 8, 9, 11, 12, 13, 14, 15, 17, 18, 19, 20, 22, 23, 26, 28, 29, 34, 35 executesystemshutdown N/A WX 1, 2, 3, 4, 6, 7, 8, 9, 11, 12, 13, 14, 15, 17, 18, 19, 20, 22, 23, 26, 28, 29, 34, 35 changesystemtime N/A WX 16, 17, 19, 20 read/modify system/networkconfiguration R RWX 16, 17, 19, 20 read/modify firewall policies. R RWX 16, 17, 19, 20 read/modify GatewayAVconfiguration R RWX 16, 17, 19, 20 read/modify spamBlocker configuration R RWX 16, 17, 19, 20 read/ modify WebBlocker configuration R RWX 16, 17, 19, 20 read/modify APTBlocker configuration R RWX 16, 17, 19, 20 read/ modify VPN configuration R RWX 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 28, 31, 32 read/modify IPS configuration R RWX 16, 17, 19, 20 read/ modify logging configuration R RWX 16, 17, 19, 20, 27 read log data R R 16, 17, 19, 20 FIPS 140-2 Non-Proprietary Security Policy for WatchGuard Technologies Inc. Firebox Page 10 of 52 manual GatewayAV/IPSsignatureupdate N/A RX 16, 17, 19, 20 restorefactorydefault N/A W 1, 2, 3, 4, 6, 7, 8, 9, 11, 12, 13, 14, 15, 17, 18, 19, 20, 22, 23, 26, 28, 29, 34, 35 1 Any firmware loaded into this module that is not shown on the modulecertificate, is out of the scope of this validation and requires a separate FIPS 140-2 validation. FIPS 140-2 Non-Proprietary Security Policy for WatchGuard Technologies Inc. Firebox Page 11 of 52 4.4 Approved Algorithms The cryptographicmodule implements the following FIPS approved algorithms: • Hardware: - Triple-DES - AES - SHS - HMAC Table3: FIPS approved algorithms forhardware CAVP Cert Algorithm Standard Mode/Method Key Lengths, Curves, or Moduli Use 2880, 2881, 2882 Triple-DES2 SP 800-67 TCBC 192 Data Encryption/Decryption 5921, 5922, 5923 AES FIPS 197, SP 800-38A CBC 128, 192, 256 Data Encryption/Decryption 5921, 5922, 5923 AES FIPS 197, SP 800-38D GCM3 128, 256 Data Encryption/Decryption 4677 SHS FIPS 180-4 SHA-1, SHA-256, SHA-512 MessageDigest 4678, 4679 SHS FIPS 180-4 SHA-1, SHA-256, SHA-384 SHA-512 MessageDigest 3901 HMAC FIPS 198-1 HMAC-SHA-1, HMAC-SHA-256, HMAC-SHA-512 Key sizes < block size MessageAuthentication 3902, 3903 HMAC FIPS 198-1 HMAC-SHA-1, HMAC-SHA-256, HMAC-SHA-384 HMAC-SHA-512 Key sizes < block size MessageAuthentication Note: The algorithms listedabove areimplemented by themodule when operating in a FIPS approved mode of operation. The certificates list additionalmodes and key sizes that arenot accessiblethroughthe cryptographicmodule interfaces. 2 Theuser shallnot usethe sameTriple-DESkey for more than 216 encryption operations. FIPS 140-2 Non-Proprietary Security Policy for WatchGuard Technologies Inc. Firebox Page 12 of 52 3 Themodule generates AESGCMIVin accordanceto SP 800-38D in compliance with IG A.5scenario 1. - The GCMIVgenerationin theTLS context is in compliance with RFC 5288 and used for the TLS 1.2 protocol. - The GCMIVgenerationin theIPseccontext is in compliance with RFC 4106 and shall only be used with IPsecand IKEv2(RFC 7296) to be compliant with IG A.5. - The implementation of the 64-bit nonce_explicit (TLS)/nonce (IPsec)part of the IV is deterministicand management logicis inside the module. By the designof the module and by virtue of the data sizelimit set, the maximum number possible value of 264 - 1 for nonce_explicit/nonce (IPsec)part of the IVis never reached. Inevent that the module’s power is lost and then restored, thekey used for the AES GCMencryption or decryption shall be re- distributed. FIPS 140-2 Non-Proprietary Security Policy for WatchGuard Technologies Inc. Firebox Page 13 of 52 • Firmware: - Triple-DES - AES - SHS - HMAC - RSA - DRBG - IKEv1 KDF - IKEv2 KDF - TLS KDF - SSH KDF - SNMP KDF Table4: FIPS approved algorithms forfirmware CAVP Cert Algorithm Standard Mode/Method Key Lengths, Curves, or Moduli Use 2875, 2876, 2877, 2878, 2879 Triple-DES4 SP 800-67 TCBC Data Encryption/Decryption 5913, 5914, 5918, 5919, 5920 AES FIPS 197, SP 800-38A CBC 128, 192, 256 Data Encryption/Decryption 5913, 5914, 5918, 5919, 5920 AES FIPS 197, SP 800-38D GCM5 128, 192, 256 Data Encryption/Decryption 4671, 4672, 4674, 4675, 4676 SHS FIPS 180-4 SHA-1, SHA-224, SHA-256, SHA-384, SHA-512 MessageDigest 3895, 3896, 3898, 3899, 3900 HMAC FIPS 198-1 HMAC-SHA-1, HMAC-SHA-224, HMAC-SHA-256, HMAC-SHA-384 HMAC-SHA-512 Key sizes < block size, Key sizes = block size, Key sizes > block size Message Authentication FIPS 140-2 Non-Proprietary Security Policy for WatchGuard Technologies Inc. Firebox Page 14 of 52 3102, 3103, 3104, 3105, 3106 RSA FIPS 186-2 SHA-1 ANSI X9.31 PKCS v1.5 1024, 1536, 2048, 3072, 4096 DigitalSignature Verification 3102, 3103, 3104, 3105, 3106 RSA FIPS 186-4 Probable Primes (B.3.3) 2048, 3072 Key Generation 3102, 3103, 3104, 3105, 3106 RSA FIPS 186-4 SHA-1, SHA-224, SHA-256, SHA-384, SHA-512 ANSI X9.31 PKCS v1.5 2048, 3072, 4096 DigitalSignature Generationand Verification 2475, 2476, 2478, 2479, 2480 DRBG SP 800-90A AES CTR based 128, 192, 256 DeterministicRandom Bit Generation 2144, 2145, 2146, 2147, 2148 CVL IKEv1 IKEv2 TLS 1.2 SSH SNMP SP 800- 135rev1 Key Derivation Vendor Affirmation CKG SP 800-133 Key Generation6 Note: The algorithms listedabove areimplemented by themodule when operating in a FIPS approved mode of operation. The certificates list additionalmodes and key sizes that arenot accessiblethroughthe cryptographicmodule interfaces. 4 Theuser shallnot usethe sameTriple-DESkey for more than 216 encryption operations. 5 Themodule generates AESGCMIVin accordanceto SP 800-38D in compliance with IG A.5scenario 1. 6 Resulting symmetrickeys and seeds usedfor asymmetrickey generationarean unmodified output from the approved DRBG. - The GCMIVgenerationin theTLS context is in compliance with RFC 5288 and used for the TLS 1.2 protocol, and themodule supports acceptableGCMciphersuites form SP 800-52 Rev1, Section 3.3.1. - The GCMIVgenerationin theIPseccontext is in compliance with RFC 4106 and shall only be used with IPsecand IKEv2(RFC 7296) to be compliant with IG A.5. The module uses theRFC FIPS 140-2 Non-Proprietary Security Policy for WatchGuard Technologies Inc. Firebox Page 15 of 52 7296 compliant IKEv2 to establishthesharedsecret SKEYSEED from which theAES GCM encryption keys are derived. - The implementation of the 64-bit nonce_explicit (TLS)/nonce (IPsec)part of the IV is deterministicand management logicis inside the module. By the designof the module and by virtue of the data sizelimit set, the maximum number possible value of 264 for nonce_explicit/nonce (IPsec)part of the IVis never reached. Inevent that the module’s power is lost and then restored, thekey used for the AES GCMencryption or decryption shall be re- distributed. The IKEv1, IKEv2, TLS, SSH, and SNMP protocols have not been testedby the CMVPor CAVP. The minimum encryption strengthof symmetrickeys is 112 bits and the maximum is 256 bits. 4.5 Non-FIPS Approved But Allowed Algorithms The cryptographicmodule implements the following non-FIPS approved but allowed algorithms: • RSA key transport (with 2048 bit keys) - Key wrapping, key establishment methodology provides 112 bits of equivalent encryption strength • Diffie Hellman (CVL Certs. #2144, #2145, #2146, #2147and #2148, key agreement; key establishment methodology provides 112 or 128 bits of encryption strength) • EC Diffie-Hellman (CVL Certs. #2144, #2145, #2146, #2147and #2148, key agreement; key establishment methodology provides 128 or 192 bits of encryption strength) • NDRNG 4.6 Non-FIPS Approved Services The cryptographicmodule provides the following non-FIPS approved services: • Mobile VPN with PPTP • PPPoE • Backup imageto USB • Authenticateto module7 • Read/modify VPN configuration7 7 When used with a non-compliant Diffie-Hellman key size. If any of theseservices areused, thecryptographic module is not operating in a FIPS approved mode of operation. 4.7 Non-FIPS Approved Algorithms The cryptographicmodule implements the following non-FIPS approved algorithms: • DES • MD5 • TKIP FIPS 140-2 Non-Proprietary Security Policy for WatchGuard Technologies Inc. Firebox Page 16 of 52 • The AES algorithmis non-compliant when used in CCMmode or when invoking the non-FIPS Approved “Backupimageto USB” service • Useof HMAC-SHA-1for MAC generationwith key length>= 80 bits and < 112, and use of HMAC- SHA-1 for MAC verification with key length >= 80 bits and < 112 bits • Useof SHA-1 for digital signaturegeneration • PasswordBasedKey DerivationFunction (for 128 bit AES key). Keys derived using a PBKDF cannot be used in a FIPS approved mode of operation • Diffie Hellman - Key establishment, keyagreement method is non-compliant when using key sizes withless than 112 bits of equivalent encryption strength 4.8 Alternating Bypass The primary cryptographicfunction of the module is to act as a firewall, and as a VPN device. Encrypt and decrypt operations are performed on trafficbasedon firewall policies. The cryptographic module implements analternating bypass featurebasedon VPN tunnels and firewall policies. Traffic canbe encrypted/decrypted or passedas plaintext, depending on the VPN tunnel and selectedpolicy. Two actions must be taken by theCryptographicOfficer to transition betweenVPN bypass states. The CryptographicOfficer must first createthe VPN gateway. TheCryptographicOfficer must then createthe VPN tunnel and tunnel route, and associatetheVPN tunnel with a VPN policy. Whether VPN bypass is enabled or not can be determined by examining the list of VPN gateways and VPN tunnels. 4.9 Authentication CryptographicOfficer or User (referred to as Operator)must authenticatewitha username and passwordcombination to access themodules remotely or locally via theconsole. Remoteoperator authenticationis done over HTTPS(TLS 1.2) or SSH (v2.0). The access tothe module is basedon firewall policy and authenticationby IP address. For end users (including COor U) using module functionality and invoking the SSLVPN or IPSec encrypt/decrypt services, themodule supports authenticationwith a username/passwordcombination. The authenticationis done over HTTPSover a dedicated port and it does not allow access tothemodule for any of the administrativepurposes whatsoever. The minimum passwordlengthis 8 characters whenin FIPS mode. Using a strong passwordpolicy, where operatorand end user passwords areat least 8 characters inlengthand use a mix of alphanumeric (printable) characters fromthe ASCII character set, theodds of guessing a passwordare1 in 948 , which is far less than 1 in 1,000,000. Thetotal passwordspaceis sufficiently largesuch that exceeding a 1 in 100,000 probability of correctly guessing the passwordin one minute would require approximately 6.1x 1010 attempts per minute, which is beyond theoperational capability of themodule. For end users invoking theIPSec encrypt/decrypt services, themodule acts on behalf of the end user and negotiates a VPN connection with a remote module. Thestrengthof authentication for IPSec services is based on the authenticationmethod defined in thespecific firewall policy: IKE pre-sharedkey or IKE RSAkey (RSA certificate). The odds of guessing theauthenticationkey for eachIPSec method is: FIPS 140-2 Non-Proprietary Security Policy for WatchGuard Technologies Inc. Firebox Page 17 of 52 • 1 in 948 for the IKE presharedkey (based on an 8 character, ASCII printable key) • 1 in 2112 for theIKE RSA key (basedon a 2048 bit RSAkey size, whichis equivalent to 112 bits of security) Therefore theminimum odds of guessing theauthenticationkey for IPSec is 1 in 948 based on the IKE presharedkey, or 1 in 2112 basedonthe IKE RSA key, which is far less than 1 in 1,000,000. Thekey sizeis sufficiently largesuch that exceeding a 1 in 100,000 probability of correctlyguessing thekey in one minute would require approximately 6.1x 1010 attempts per minute(for presharedkey) or 5.2 x 1028 attempts per minute (for RSAkey) , which is beyond theoperational capability of themodule. FIPS 140-2 Non-Proprietary Security Policy for WatchGuardTechnologies Inc. Firebox Page 18 of 52 5 Interfaces Physical ports and interfaces on the Firebox module canbe categorizedintothe following logicalinterfaces: - Data Input - Data Output - Control Input - Status Output All of the physical ports and interfaces areseparatedintothe FIPS 140-2 logicalinterfaces, as describedin thefollowing tables. Thelogical interfaces maysharea physical port. The firmware in the Firebox module separates androutes data to the appropriateinternal firmwaretask associatedwitha logicalinterfacebased on port number, session, and/or command context. FIPS 140-2 Non-Proprietary Security Policy for WatchGuardTechnologies Inc. Firebox Page 19 of 52 5.1 Firebox M270 Figure 2: M270 Front View FIPS 140-2 Non-Proprietary Security Policy for WatchGuardTechnologies Inc. Firebox Page 20 of 52 Table5: Front Panel Access PORTNAME/TYPE Number Description Data Input Data Output Control Input Status Output RJ45Ethernet Interfaces withlink lights 8 Configurable ports can be data input or data output for External, LAN, or Optional. Link lights show connection speedand activity. ✓ ✓ ✓ ✓ RJ45ConsoleInterface 1 Serial port for CLI access. ✓ ✓ ✓ ✓ USB Interfaces 2 Usedfor backup, or to storea support snapshot. ✓ Power LED 1 Lit greenwhen the module is powered on. ✓ Arm/DisarmLED 1 This light is red after power-on or reboot. It turns greenafter successfulmodule initialization. ✓ Storage LED 1 Lit yellow when there is activity on the mSATA card. ✓ Reset Button 1 Usedto reset the module. ✓ Power Button 1 Controls power supplied to device. ✓ FIPS 140-2 Non-Proprietary Security Policy for WatchGuardTechnologies Inc. Firebox Page 21 of 52 Figure 3: M270 Rear View Table6: Rear Panel Access PORTNAME/TYPE Number Description Data Input Data Output Control Input Status Output Power Interface 1 Auto-sensing AC power supply. Power Switch 1 Controls power supplied to device. ✓ FIPS 140-2 Non-Proprietary Security Policy for WatchGuardTechnologies Inc. Firebox Page 22 of 52 5.2 Firebox M370 Figure 4: M370 Front View FIPS 140-2 Non-Proprietary Security Policy for WatchGuardTechnologies Inc. Firebox Page 23 of 52 Table7: Front Panel Access PORTNAME/TYPE Number Description Data Input Data Output Control Input Status Output RJ45Ethernet Interfaces withlink lights 8 Configurable ports can be data input or data output for External, LAN, or Optional. Link lights show connection speedand activity. ✓ ✓ ✓ ✓ RJ45ConsoleInterface 1 Serial port for CLI access. ✓ ✓ ✓ ✓ USB Interfaces 2 Usedfor backup, or to storea support snapshot. ✓ Power LED 1 Lit greenwhen the module is powered on. ✓ Arm/DisarmLED 1 This light is red after power-on or reboot. It turns greenafter successfulmodule initialization. ✓ StorageLED 1 Lit yellow when there is activity on themSATA card. ✓ Reset Button 1 Usedto reset the module. ✓ Power Button 1 Controls power supplied to device. ✓ FIPS 140-2 Non-Proprietary Security Policy for WatchGuardTechnologies Inc. Firebox Page 24 of 52 Figure 5: M370 Rear View Table8: Rear Panel Access PORTNAME/TYPE Number Description Data Input Data Output Control Input Status Output Power Interface 1 Auto-sensing AC power supply. Power Switch 1 Controls power supplied to device. ✓ FIPS 140-2 Non-Proprietary Security Policy for WatchGuardTechnologies Inc. Firebox Page 25 of 52 5.3 Firebox M470, M570, and M670 FIPS 140-2 Non-Proprietary Security Policy for WatchGuardTechnologies Inc. Firebox Page 26 of 52 8 x 1 Gb RJ45CopperModule(WG8592) 8 x 1 Gb SFP Fiber Module (WG8593) 4 x 10 Gb SFP+ Fiber Module (WG8594) Figure 6: M470, M570, and M670Front View FIPS 140-2 Non-Proprietary Security Policy for WatchGuardTechnologies Inc. Firebox Page 27 of 52 Table9: Front Panel Access PORTNAME/TYPE Number Description Data Input Data Output Control Input Status Output RJ45Ethernet Interfaces withlink lights 8 Configurable ports can be data input or data output for External, LAN, or Optional. Link lights show connection speedand activity. ✓ ✓ ✓ ✓ Swappable Network Module Bays 1 Swapable NIC modules (8 x 1Gb RJ45, 8 x 1Gb SFP, and 4 x 10Gb SFP+). Configurableports can be data input or data output for External, LAN, or Optional. Link lights showconnection speed and activity. ✓ ✓ ✓ ✓ RJ45ConsoleInterface 1 Serial port for CLI access. ✓ ✓ ✓ ✓ USB Interfaces 2 Usedfor backup, or to storea support snapshot. ✓ Power LED 1 Lit greenwhen the module is powered on. ✓ Arm/DisarmLED 1 This light is red after power-on or reboot. It turns greenafter successfulmodule initialization. ✓ StorageLED 1 Lit yellow when there is activity on themSATA card. ✓ Reset Button 1 Usedto reset the module. ✓ Power Button 1 Controls power supplied to device. ✓ FIPS 140-2 Non-Proprietary Security Policy for WatchGuardTechnologies Inc. Firebox Page 28 of 52 FIPS 140-2 Non-Proprietary Security Policy for WatchGuardTechnologies Inc. Firebox Page 29 of 52 Figure 7: M470, M570, and M670Rear View Table10: Rear Panel Access PORTNAME/TYPE Number Description Data Input Data Output Control Input Status Output Power Interface 1 Auto-sensing AC power supply. Power Switch 1 Controls power supplied to device. ✓ FIPS 140-2 Non-Proprietary Security Policy for WatchGuard Technologies Inc. Firebox Page 30 of 52 6 FIPS 140-2 Compliant Operation The Firebox module meets FIPS 140-2 Level 2 requirements. This sectiondescribes how to place and keep the Firebox module in a FIPS approved mode of operation. 6.1 Security Rules The cryptographicmodule has the following securityrules: • The cryptographicmodule provides two distinct operator roles. Thesearethe User role, and the CryptographicOfficer role. • The cryptographicmodule provides role-based authenticationrelying upon usernames and passwords. • The cryptographicmodule provides pre-sharedkey and RSA certificates forauthenticationwhen configuring VPN tunnels. 6.2 Self-Tests • The cryptographicmodule performs thefollowing self-tests at power-up: Hardwarecryptographicalgorithmtests: - Triple-DES encrypt KAT - Triple-DES decrypt KAT - AES encrypt KAT - AES decrypt KAT - SHA-1 KAT - HMAC-SHA-1KAT - HMAC-SHA-256KAT - HMAC-SHA-384KAT - HMAC-SHA-512KAT - AES-GCMencrypt KAT - AES-GCMdecrypt KAT Firmwarecryptographic algorithmtests: - Triple-DES encrypt KAT - Triple-DES decrypt KAT - AES encrypt KAT - AES decrypt KAT - AES-GCMencrypt KAT - AES-GCMdecrypt KAT - SHA-1 KAT - HMAC-SHA-1KAT - HMAC-SHA-224KAT FIPS 140-2 Non-Proprietary Security Policy for WatchGuard Technologies Inc. Firebox Page 31 of 52 - HMAC-SHA-256KAT - HMAC-SHA-384KAT - HMAC-SHA-512KAT - RSA Sign KAT - RSA Verify KAT - DRBG KAT Firmwareintegrity test: - Firmware integritytest (using HMAC-SHA-1) The results of the power-up self-tests aredisplayed on the console during the power-up sequence. The self-tests arerunautomaticallyat power-up without any operator intervention. The power-up self-tests arerunbefore any networking interfaces arestarted, sothat data output is inhibited while self-tests arerunning. The power-up self-tests canalsobe initiatedon demand by issuing the CLI command fips selftest. 1. Sample output (FIPS mode currently enabled): The box will reboot, Please wait for a moment… If any of the power-up tests fail, thecryptographic module enters the error state. Errors are displayed on theconsole. The following errorindicator is displayed on the console: “FIPS self-test failure: shutting down”. No securityservices areprovided in the error stateanddata output is inhibited (the Firebox module is shutdown). • The cryptographicmodule performs thefollowing conditional tests: - RSA pairwiseconsistencytest - DRBG continuous PRNG test - DRBG Instantiate,Reseed,Generate,andUninstantiatehealthtests - Bypass test - Firmware load test (using HMAC-SHA-1) If the RSApairwiseconsistencytest, DRBG continuous PRNG test, orbypass test fails, the cryptographicmodule enters the errorstate. Errors aredisplayedon theconsole or internallogs. The following errorindicator is displayed on theconsole: “FIPS self-test failure: shutting down”. No securityservices areprovided in theerror stateanddata output is inhibited (the Firebox module is shutdown). If the firmwareload test fails, thecryptographic module enters thefirmwareload test failurestate. The firmwareload error indicator has the following unique indicator: “Upload failure: -2 failed with - 2”. The new firmwareimage is not loaded. The Firebox module resumes normaloperation after the error is logged. FIPS 140-2 Non-Proprietary Security Policy for WatchGuard Technologies Inc. Firebox Page 32 of 52 6.3 Cryptographic Officer Guidance This sectiondescribes theresponsibilities of the CryptographicOfficer for installing, configuring, and ensuring proper operation of the validated Firebox module. 6.3.1 Secure Installation The Cryptographic Officer must ensure that: - The Firebox module is installed in a securephysical location. - Physical access tothe Firebox module is restrictedtoauthorized personnel only. 6.3.2 Enabling FIPS Mode Operation The cryptographicmodule is not configured to operatein FIPS mode by default. To operatein FIPS mode, do the following: • IssuetheCLI command fips enableto enable FIPS mode operation. • Chooseoperator passwords (for CryptographicOfficer and User roles)with a minimum of 8 characters. • Run fips selftest before making changes to theVPN configuration. • SSLVPN tunnels use TLS 1.2. When configuring SSLVPN tunnels, only choose FIPS-approved authenticationand encryption algorithms (SHA-1, SHA-256, SHA-512, Triple-DES, AES-128, AES-192, AES-256). • When configuring IPSec VPN tunnels, only choose FIPS-approved authenticationand encryption algorithms (SHA-1, SHA-256, SHA-384, SHA-512, Triple-DES, AES-128, AES-192, AES-256). • When configuring IPSEc VPN tunnels, choose Diffie-Hellman Group 14 (2048 bit), Group 15 (3072 bit), Group 19 (256 bit elliptic curve), or Group 20 (384 bit elliptic curve) for IKE Phase1 negotiation. • When configuring IPSecVPN tunnels, use pre-sharedkeys or RSA certificates forauthentication. • Only useRSA certificates forTLS. • Usea minimum of 2048-bits for all RSA keys. • Do not use Mobile VPN with PPTP. • Do not use PPPoE. • Do not use WatchGuardSystemManager tomanagethe appliance. • Do not use RADIUSserver authentication. • Web browsers must be configured to only useTLS 1.2 and FIPS approved cipher suites. • Telnet and SSH clients must be configured to use theSSH V2.0protocol and RSAauthentication. If the SSH client uses Diffie-Hellman key exchange, configure the client to use DH 2048 bit or greater. • Do not use thewireless interfaces. Note that if the module’s power is lost and then restored, thekey used for theAES GCMencryption or decryption shall be re-distributed. FIPS 140-2 Non-Proprietary Security Policy for WatchGuard Technologies Inc. Firebox Page 33 of 52 6.3.3 Disabling FIPS Mode Operation To disable FIPS mode, do the following: • IssuetheCLI command restorefactory-default all(to disable FIPS mode and zeroizeall keys and CSPs). 6.4 User Guidance This sectiondescribes theresponsibilities for Users of the validated Firebox module. The User can determineif thecryptographic module is operating in FIPS mode by issuing the CLI command showFIPS. 1. Sample output (FIPS mode currently not enabled): -- -- Current FIPS status -- FIPS status : disabled 2. Sample output (FIPS mode currently enabled): -- -- Current FIPS status -- FIPS status : enabled FIPS 140-2 Non-Proprietary Security Policy for WatchGuard Technologies Inc. Firebox Page 34 of 52 7 TamperEvidence All CriticalSecurity Parameters arestoredandprotected within each appliance’s tamper evident enclosure. Tamper evident labels must be applied for the module to operatein a FIPS approved mode of operation. It is the responsibility of the Cryptographic Office to properly place all tamper evident labels as described in this section, and theCryptographicOfficer should maintain control of unused labels in a securelocation. The securitylabels recommended for FIPS 140-2 compliance are separatelyordered (SKU WG8566). Thesesecuritylabels are designed to be very fragileand cannot be removed without visible signs of damagetothe labels. Note that theselabels are designedto be applied to a clean surface at 10C or above. The CryptographicOfficer must apply tamper evident labels at the locations shown in theFigures. Before thelabels areapplied, the CryptographicOfficer should ensure that the surfaceis clean, and that the airtemperatureis at 10C or above. The surfaceshould be cleaned using isopropyl alcohol and dried before applying the labels. After the labels are placed, the Cryptographic Officer should inspect the tamper evident labels periodically to verify they areintact. If the tamper evident seals arefound to be damagedor broken during inspection, theCryptographic Officer can return thecryptographic module to a FIPS approved mode of operation by restoring the module to a factory default state, reinstalling, andapplying new tamper evident labels. Any attempt toopen thedevice will damagethe tamper evident seals or thematerialof the security appliance cover. Tamper evident seals canalso be inspectedfor signs of tampering, which include the following: curled corners, rips, and slices. The following is a photograph of thetamper evident labels that are used. Figure 8: WatchGuard FireboxTamperEvident Label FIPS 140-2 Non-Proprietary Security Policy for WatchGuardTechnologies Inc. Firebox Page 35 of 52 7.1 Firebox M270 Two tamperevident labels arerequired. Figure 9: M270 TamperEvident Label1 Placement Figure 10: M270 TamperEvident Label2 Placement FIPS 140-2 Non-Proprietary Security Policy for WatchGuardTechnologies Inc. Firebox Page 36 of 52 7.2 Firebox M370 Two tamperevident labels arerequired. Figure 11: M370 TamperEvident Label1 Placement Figure 12: M370 TamperEvident Label2 Placement FIPS 140-2 Non-Proprietary Security Policy for WatchGuardTechnologies Inc. Firebox Page 37 of 52 7.3 Firebox M470, M570, and M670 Two tamperevident labels arerequired. Figure 13: M470, M570, and M670TamperEvident Label1 Placement Figure 14: M470, M570, and M670TamperEvident Label2 Placement FIPS 140-2 Non-Proprietary Security Policy for WatchGuardTechnologies Inc. Firebox Page 38 of 52 8 CryptographicKey Management 8.1 Cryptographic Keys and Critical Security Parameters The following tablelists the cryptographickeys and CriticalSecurity Parameters (CSPs)usedby the cryptographicmodule: Table11: Cryptographic Keys and CriticalSecurity Parameters # Key/CSP Type/Size Usage Storage Input Output Generation Zeroization 1 DRBG seed SP800-90A CTR_DRBG / 384 bits Seed value for DRBG. RAM (plain text) Initial generationvia entropy.8 Power off the appliance. 2 DRBG V SP800-90A CTR_DRBG / 128 bits InternalV value used by SP800-90A DRBG. RAM (plain text) Initial generationvia DRBG. Power off the appliance. 3 DRBG key SP800-90A CTR_DRBG / 256 bits Internalkey value used by SP800-90A DRBG. RAM (plain text) Initial generationvia DRBG. Power off the appliance. 4 DRBG entropy input SP800-90A CTR_DRBG / 128, 192, 256 bits Entropy input string for DRBG. RAM (plain text) Initial generationvia DRBG. Power off the appliance. 5 DRBG personalization string SP800-90A CTR_DRBG / 128 bits Personalization string for DRBG. Local storage and RAM (plain text) Compiled into the firmware. Installpatch that deletes the firmware. 6 Diffie-Hellman sharedsecret DH / 2048, 3072 bits Shared secret used in Diffie- Hellman key exchangefor IKE, TLS, and SSH sessions. RAM (plain text) Generated internally using Diffie-Hellman key exchange. Terminatethe session, or power off the appliance. FIPS 140-2 Non-Proprietary Security Policy for WatchGuardTechnologies Inc. Firebox Page 39 of 52 # Key/CSP Type/Size Usage Storage Input Output Generation Zeroization 7 Diffie-Hellman private key DH / 224, 256 bits The private exponent used in Diffie- Hellman key exchangefor IKE, TLS, and SSH sessions. RAM (plain text) Generated internally using DRBG. Terminatethe session, or power off the appliance. 8 EC Diffie- Hellman shared secret ECDH / P-256, P-384 Shared secret used in EC Diffie-Hellman key exchange for IKE and TLS sessions. RAM (plain text) Generated internally using EC Diffie- Hellman key exchange. Terminatethe session, or power off the appliance. 9 EC Diffie- Hellman private key ECDH / 256, 384 bits The private exponent used in EC Diffie- Hellman key exchangefor IKE and TLS sessions. RAM (plain text) Generated internally using DRBG. Terminatethe session, or power off the appliance. 10 IKE pre-shared secret Shared secret / 8 or more characters Usedby IKE for session authentication. Local storage and RAM (plain text) ✓ ✓ Enteredby Cryptographic Officer.9 Deletethe IPSec VPN configuration. Power off the appliance. FIPS 140-2 Non-Proprietary Security Policy for WatchGuardTechnologies Inc. Firebox Page 40 of 52 # Key/CSP Type/Size Usage Storage Input Output Generation Zeroization 11 IKE SKEYSEED Shared secret / 160, 256, 384, 512 bits Usedby IKE during phase-1 exchange. RAM (plain text) Generated internally using the negotiated pseudo random function (PRF) as defined in SP800-135 during IKE phase-1 exchange. Terminatethe session, or power off the appliance. 12 IKE session authentication key HMAC-SHA1/ 160 bits HMAC-SHA-256/ 256 bits HMAC-SHA-384/ 384 bits HMAC-SHA-512/ 512 bits Usedto authenticate IKE negotiations. RAM (plain text) Generated internally using the negotiated pseudo random function (PRF) as defined in SP800-135 during IKE phase-1 exchange. Terminatethe session, or power off the appliance. 13 IKE session encryption key Triple-DES / 192 bits AES / 128,192,256bits Usedto encrypt IKE negotiations. RAM (plain text) Generated internally using the negotiated pseudo random function (PRF) as defined in SP800-135 during IKE phase-1 exchange. Terminatethe session, or power off the appliance. FIPS 140-2 Non-Proprietary Security Policy for WatchGuardTechnologies Inc. Firebox Page 41 of 52 # Key/CSP Type/Size Usage Storage Input Output Generation Zeroization 14 IPSec session authentication key HMAC-SHA1/ 160 bits HMAC-SHA-256/ 256 bits HMAC-SHA-384/ 384 bits HMAC-SHA-512/ 512 bits Exchanged using theIKE protocol. Used to authenticate IPSec traffic. RAM (plain text) Generated internally using the negotiated pseudo random function (PRF) as defined in SP800-135 during IKE phase-2 exchange. Terminatethe session, or power off the appliance. 15 IPSec session encryption key Triple-DES / 192 bits AES / 128,192,256bits Exchanged using theIKE protocol. Used to encrypt IPSec traffic. RAM (plain text) Generated internally using the negotiated pseudo random function (PRF) as defined in SP800-135 during IKE phase-2 exchange. Terminatethe session, or power off the appliance. 16 RSA privatekey RSA / 2048, 3072, 4096 bits The RSA private key used for IKE session authentication. Local storage and RAM (plain text) ✓ Generated internally using DRBG or imported across an encrypted tunnel. Restorethe device to its factory default configuration. 17 TLS pre-master secret Shared secret / 384 bits (using RSA), variable (using DH and ECDH) Shared secret used in TLS exchangefor TLS sessions. RAM (plain text) Generated internally using TLS protocol exchange. Terminatethe session, or power off the appliance. FIPS 140-2 Non-Proprietary Security Policy for WatchGuardTechnologies Inc. Firebox Page 42 of 52 # Key/CSP Type/Size Usage Storage Input Output Generation Zeroization 18 TLS master secret Shared secret / 384 bits Shared secret used in TLS exchangefor TLS sessions. RAM (plain text) Generated internally using TLS protocol exchange. Terminatethe session, or power off the appliance. 19 TLS session authentication key HMAC-SHA1/ 160 bits HMAC-SHA-256/ 256 bits HMAC-SHA-384/ 384 bits HMAC-SHA-512/ 512 bits Usedto authenticate TLS traffic. RAM (plain text) Generated internally using the KDF as defined in SP800-135 during TLS protocol exchange. Terminatethe session, or power off the appliance. 20 TLS session encrypton key Triple-DES / 192 bits AES / 128, 192, 256 bits Usedto encrypt TLS traffic. RAM (plain text) Generated internally using the KDF as defined in SP800-135 during TLS protocol exchange. Terminatethe session, or power off the appliance. 21 RSA privatekey RSA / 2048, 3072, 4096 bits The RSA private key used for TLS authentication. Local storage and RAM (plain text) Generated internally using DRBG. Restorethe device to its factory default configuration. 22 SSH session authentication key HMAC-SHA1/ 160 bits Usedby SSH for data integrity. RAM (plain text) Generated internally using the KDF as defined in SP800-135 during SSH protocol exchange. Terminatethe session, or power off the appliance. FIPS 140-2 Non-Proprietary Security Policy for WatchGuardTechnologies Inc. Firebox Page 43 of 52 # Key/CSP Type/Size Usage Storage Input Output Generation Zeroization 23 SSH sessionkey AES / 128, 192, 256 bits Usedby SSH for session encryption. RAM (plain text) Generated internally using the KDF as defined in SP800-135 during SSH protocol exchange. Terminatethe session, or power off the appliance. 24 SSH RSA private key RSA / 2048 bits The RSA private key used for SSH authentication. Local storage and RAM (plain text) Generated internally using DRBG. Restorethe device to its factory default configuration. 25 SNMP password Password/ 8 or more characters Usedfor deriving keys for SNMP authentication and encryption. Local storage and RAM (plain text) ✓ ✓ Enteredby Cryptographic Officer or User.9 Overwritewith new password. 26 SNMP session key AES / 128 Usedby SNMP for session encryption. RAM (plain text) Generated internally using the KDF as defined in SP800-135. Terminatethe session, or power off the appliance. 27 Passwords Password/ 8 or more characters Usedto authenticate Crypto-Officer and User logins. Local storage and RAM (plain text) ✓ ✓ Enteredby Cryptographic Officer or User.9 Overwritewith new password. 28 Firmwareload integritykey HMAC-SHA1/ 160 bits Usedfor firmwareload test. RAM (plain text) Compiled into the firmware. Installpatch that deletes the firmware. FIPS 140-2 Non-Proprietary Security Policy for WatchGuardTechnologies Inc. Firebox Page 44 of 52 # Key/CSP Type/Size Usage Storage Input Output Generation Zeroization 29 Firmware integritykey HMAC-SHA1/ 160 bits Usedfor firmware integritytest. RAM (plain text) Compiled into the firmware. Installpatch that deletes the firmware. 30 Dimension Log Server pre- sharedsecret Shared secret / 8 or more characters Used to authenticate connections to the log server. Local storage and RAM (plain text) ✓ ✓ Enteredby Cryptographic Officer.9 Deletethe log server configuration. Power off the appliance. 8 The minimum number of bits of entropy generatedby themodule for usein key generationis 259. 9 Canbe entered into the module in plain text over the serialconsole port from a non-networked computer. FIPS 140-2 Non-Proprietary Security Policy for WatchGuardTechnologies Inc. Firebox Page 45 of 52 8.2 Public Keys The following tablelists the public keys used by the cryptographicmodule: Table12: Public Keys # Key/CSP Type/Size Usage Storage Input Output Generation Zeroization 31 RSA public key RSA / 2048, 3072, 4096 bits Usedby IKE for session authentication. Local storage and RAM (plain text) ✓ ✓ Generated using DRBG or imported across an encrypted tunnel. Deletethe IPSec VPN configuration. Power off the appliance. 32 RSA public key RSA / 2048, 3072, 4096 bits Usedby Web UI clients for TLS authentication. Local storage and RAM (plain text) ✓ Generated internally using DRBG. Restorethe device to its factory default configuration. 33 SSH RSA public key RSA / 2048 bits Usedby SSH for authentication. Local storage and RAM (plain text) ✓ Generated internally using DRBG. Restorethe device to its factory default configuration. 34 Diffie-Hellman public key DH / 2048, 3072 bits The public key used in Diffie- Hellman key exchangefor IKE, TLS, and SSH sessions. RAM (plain text) Generated internally using Diffie-Hellman key exchange. Terminatethe session, or power off the appliance. 35 EC Diffie- Hellman public key ECDH / P-256, P-384 The public key used in EC Diffie-Hellman key exchange for IKE and TLS sessions. RAM (plain text) Generated internally using EC Diffie- Hellman key exchange. Terminatethe session, or power off the appliance. FIPS 140-2 Non-Proprietary Security Policy for WatchGuardTechnologies Inc. Firebox Page 46 of 52 # Key/CSP Type/Size Usage Storage Input Output Generation Zeroization 36 SSLVPN RSA public key RSA / 2048, 3072, 4096 bits Usedby SSLVPN clients for authentication. Local storage and RAM (plain text) ✓ Generated internally using DRBG. Restorethe device to its factory default configuration. 37 HTTPSproxy RSA public key RSA / 2048, 3072, 4096 bits Usedby HTTPS proxy clients for authentication. Local storage and RAM (plain text) ✓ Generated internally using DRBG. Restorethe device to its factory default configuration. 38 HTTPSproxy authority RSA public key RSA / 2048, 3072, 4096 bits Usedby the module for HTTPSproxy deep content inspection. Local storage and RAM (plain text) ✓ Generated internally using DRBG. Restorethe device to its factory default configuration. FIPS 140-2 Non-Proprietary Security Policy for WatchGuard Technologies Inc. Firebox Page 47 of 52 9 Mitigation ofOtherAttacks The Firebox module includes optional capabilities of IntrusionPrevention System (IPS), Antivirus protection, Antispam, URL Filtering, Application Control, Data Loss Prevention, and Advanced Persistent Threats detection, in addition to capabilities described earlier. Thesecapabilities arebacked up by the WatchGuardproprietary proxy technology. The proprietaryProxy technology enables the blocking of oversized files, supports blocking by file extension and blocking of trafficbased on any Protocol Anomaly Detection(PAD). The module offers an inbuilt default threat protection that protects the internal networks by performing behavioral analysis of traffic passing throughthe module. This can protect the module from direct attacks, basedonTCP, ICMP, UDP, andIP protocols, such as Denial of Service (DoS), DistributedDenialof Service (DDoS), Synflood, and ping of death, etc. Access is denied or packets are dropped when an attackis detected. Attackparameters canbemodified by the CryptographicOfficer to ensurethat normal network trafficis not considered an attack. Whenever a GatewayIPS, GatewayAntivirus, Antispam, WebBlocker, Application Control, Data Loss Prevention, or Advanced Persistent Threat event occurs, themodule can record the event in the log and/or send an alarmto a CryptographicOfficer via a configured notification mechanism. The rest of this sectionprovides additional information on different services of the Firebox module. 9.1 Gateway IPS Service The WatchGuardGatewayIPSis a signaturebasedcomponent for detecting attacks passing throughthe module. Signature basedattackdetectionmechanismworks by identifying transmissionpatterns and other codes that indicatethat a system might be under attack. Eachsignature is designedto detect a particulartype of attack. Thesignatures forreal-timeIPS service areupdated through the WatchGuard GatewayIntrusionPrevention Service. The module can be configured to securelyautomaticallycheck for and download updated IPS packages from the WatchGuardservers, orthey can be downloaded manually by the CryptographicOfficer. The IPS packageis signed with the WatchGuardserver’s private key and verified by themodule using the WatchGuardserver’s public key. 9.2 Gateway Antivirus Service The Firebox Antivirus servicescans web (HTTP), file transfer (FTP), Instant Messagingandemail(POP3, IMAP, and SMTP) traffic passing throughthe module and removes and can optionally quarantine the infected content. The quarantined files and content are storedon the separateserver outsidethe module. The Cryptographic Officer can review and deletequarantined files from the server. When any attachment is removed from the email, it is replaced witha replacement message that goes tothe intended recipient of the emailmessage. The module canbe configured to automaticallycheck for and download updated AV signatureand engine packages fromthe WatchGuardservers, orthey can be downloaded manually by the CryptographicOfficer. The AV packageis signedwith the WatchGuardserver’s private key and verified FIPS 140-2 Non-Proprietary Security Policy for WatchGuard Technologies Inc. Firebox Page 48 of 52 by themodule using the WatchGuard server’s public key. The module alsois capableof updating the latest Antivirus engine securelythrough the GatewayAntivirus service. GatewayAntivirus service also detects andremoves malware suchas adware, spyware, etc. Quarantine Server which stores theemails and content is externalto the module and not part of FIPS compliant module boundary. 9.3 spamBlocker Service WatchGuardspamBlocker servicecan scanemails over SMTP, IMAPor POP3 protocols and cantag or discardemail messages determinedtobe spam. Basedon Recurrent PatternDetectiontechnology, optionally, this servicecan alsoquarantine the spamemails for administrators review. Spam detection methods alsoinclude black/white lists and returnemail DNS check. ThespamBlocker Service also provides IP checking, URI address checking and emailchecksum analysis. Quarantine Server which stores theemails and content is externalto the module and is not part of the FIPS compliant module boundary. 9.4 WebBlocker Service WatchGuardWebBlocker serviceoffers URL filtering technology. WebBlocker service canbe configured to scanHTTPand HTTPS protocol streams for banned URLs or web pagecontent. The WebBlocker service uses a large databaseofURLs to block access tobanned web sites and URLs basedon content categories. TheCryptographicOfficer can decide which categories ofURLs areallowed by organization’s securitypolicy. TheCryptographicOfficer can also configure URL filtering to block all or just some of the pages on a specific web site by using regularexpressions. This featurecanbe used to deny access to parts of a web site without denying access toit completely. Also, the CryptographicOfficer can configure white and black lists to staticallyallow legitimateweb pages or deny illegitimateweb pages. When a certainweb page is blocked by the service, theend user is displayed a messagethat canbe customizedby theCryptographicOfficer using Web UI or Command Line Interface. 9.5 Application Control Service WatchGuardApplication Control, allows administrators toenforce acceptableusepolicies for users and groups by category, application, and application sub-functions. Using over 2,500signatures and behavioral techniques, Application Controlgives theadministratorreal-timeand historicalvisibility into the useof applications on the network. The control and visibility given to the IT pro by WatchGuard Application Control helps organizations enforceacceptableuse policies that aremandated by industry regulation, legaland political jurisdictions, corporate goals or culture. WatchGuard's Application Control enables policy basedmonitoring, tracking, and blocking of over 1,800 unique web 2.0 and business applications. For example, administors can have granularcontrol over the most important applications like Facebook and popular instant messaging applications e.g. allowMSN instant messaging, but disallowfile transfer over MSN IM. FIPS 140-2 Non-Proprietary Security Policy for WatchGuard Technologies Inc. Firebox Page 49 of 52 9.6 Data Loss Prevention Service WatchGuardDLP prevents data breaches by scanning text and common file types to detect sensitive information. All data in motion, whether transferredvia email, web, or FTP, is automaticallyinspected. Unlike other UTM DLPvendors, WatchGuard’s subscription-basedserviceincludes a predefined library of more than200 rules for 18 countries, covering personally identifiable information (PII), financial data, and healthcareinformation. Rule sets areupdatedmonthly to staycurrent with data definitions and compliance mandates around the world. 9.7 Advanced Persistent Threat Blocker Service WatchGuardAPT Blocker focuses on behavior analysis to determineif a file is malicious. APT Blocker identifies and submits suspicious files to a cloud-based next-generationsandbox, a virtual environment where code is analyzed, emulated, andexecuted to determine its threat potential. Modern malwareincluding Advanced Persistent Threats (APTs)is designedto recognizedand evade traditionaldefenses. APT Blocker’s full systememulation – which simulates thephysical hardware including CPUand memory – provides themost comprehensive level of protection against malware. APT Blocker analyzes file types such as: Adobe PDF, Rich Text Format, Microsoft Office, Windows executablefiles, Android executable files, and Proxies (including POP3). FIPS 140-2 Non-Proprietary Security Policy for WatchGuard Technologies Inc. Firebox Page 50 of 52 10 Definitions AC – Alternating Current AES – Advanced Encryption Standard ANSI – AmericanNational Standards Institute ASCII - AmericanStandard Code for Information Interchange AV – AntiVirus CA– CertificateAuthority CBC –Cipher-Block Chaining CC – Common Criteria CF – Compact Flash CFast –CompactFast CLI – CommandLine Interface CO – CryptographicOfficer CSP – CriticalSecurity Parameter DES – Data EncryptionStandard DH – Diffie-Hellman DRBG –DeterministicRandomBit Generator ECDSA– Elliptic CurveDigitalSignatureAlgorithm EEPROM – ElectricallyErasableProgrammableRead-OnlyMemory FIPS – Federal Information Processing Standards FTP – File Transfer Protocol GUI – GraphicalUser Interface HMAC – HashMessageAuthenticationCode HTTPS– HyperText Transfer Protocol Secure IMAP– Internet MessageAccess Protocol FIPS 140-2 Non-Proprietary Security Policy for WatchGuard Technologies Inc. Firebox Page 51 of 52 IKE – Internet Key Exchange IP – Internet Protocol IPS – IntrusionPrevention System IPSec – Internet Protocol Security KAT – Known Answer Test LAN – LocalArea Network LED – Light-Emitting Diode MAC – MessageAuthenticationCode mSATA – Mini Serial AT Attachment NIC – NetworkInterfaceController NIST – National Instituteof Standards and Technology NOR – NegatedOR flash OS –Operating System POP3 – Post Office Protocol 3 PPPoE – Point-to-Point Protocol over Ethernet PPTP – Point-to-Point Tunneling Protocol QSFP – Quad Small Form-factor Pluggable RADIUS– RemoteAuthenticationDial InUser Service RC4– Rivest Cipher 4 RSA – Rivest, Shamir, & Adelman algorithm SFP – Small Form-factor Pluggable SHA – Secure HashAlgorithm SMTP – Simple MailTransfer Protocol SoHo – Small Office Home Office SSH – Secure Shell protocol FIPS 140-2 Non-Proprietary Security Policy for WatchGuard Technologies Inc. Firebox Page 52 of 52 SSLVPN – Secure Sockets Layer Virtual PrivateNetwork TKIP –Temporal Key IntegrityProtocol TLS – Transport Layer Security TOE – Target ofEvaluation Triple-DES – Triple Data EncryptionAlgorithm UI – User Interface USB – UniversalSerial Bus VLAN –Virtual Local Area Network VoIP – Voice over Internet Protocol VPN – VirtualPrivate Network WAN – Wide Area Network WAP – Wireless Access Point