Corporate Headquarters: Copyright © 2002. Cisco Systems, Inc. All rights reserved. Cisco Systems, Inc., 170 West Tasman Drive, San Jose, CA 95134-1706 USA Cisco VPN 3000 Concentrator Series Security Policy Introduction This security policy describes how the VPN 3000 Concentrator Series meets the security requirements of FIPS 140-1, and how to operate a VPN 3000 Concentrator using IPSec encryption in secure FIPS 140-1 mode. This policy was prepared as part of the Level 2 FIPS 140-1 validation of the VPN 3000 Concentrator Series, sometimes referred to in this document as the VPN Concentrator. This document may be copied in its entirety and without modification. All copies must include the copyright notice and statements on the last page. FIPS 140-1 (Federal Information Processing Standards Publication 140-1—Security Requirements for Cryptographic Modules) details the U.S. Government requirements for cryptographic modules. More information about the FIPS 140-1 standard and validation program is available in the following document: Security Requirements for Cryptographic Modules, FIPS Publication 140-1 (http://csrc.nist.gov/publications/fips/fips140-1/fips1401.htm). For information about the FIPS 140-1 validation program, see the following NIST website: http://csrc.nist.gov/cryptval/ This document contains the following sections: “Introduction” section on page 1 “References” section on page 2 “Terminology” section on page 2 “Roles and Services” section on page 4 “Module Interfaces” section on page 6 “Security Relevant Data Items” section on page 6 “Cryptographic Algorithms” section on page 8 “Security Rules (FIPS Mode of Operation)” section on page 8 “Administration Management Access Methods” section on page 10 2 Cisco VPN 3000 Concentrator Series Security Policy OL-1709-01 References “Tamper Evidence” section on page 11 “Self-Tests” section on page 12 “Appendix A—Cryptographic Algorithms” section on page 13 References This document describes the operations and capabilities of the VPN Concentrator only in the technical terms of FIPS 140-1 cryptographic module security policy. More information is available on VPN 3000 Concentrator Series in the following documents: VPN 3000 Series Concentrator Getting Started, Release 3.1, August 2001—explains how to unpack and install the VPN 3000 Concentrator and how to configure the minimal parameters. VPN 3000 Series Concentrator Reference Volume I: Configuration, Release 3.1, August 2001—explains how to start and use the VPN 3000 Concentrator Manager and how to configure your device beyond the minimal parameters you set during quick configuration. VPN 3000 Series Concentrator Reference Volume II: Administration and Monitoring, Release 3.1, August 2001—explains and defines all functions available in the Administration and Monitoring screens of the VPN Concentrator Manager. Release Notes for Cisco VPN 3000 Series Concentrator, Release 3.1 Release Notes for Cisco VPN 3000 Series Concentrator, FIPS Release 3.1.3 Terminology This document uses the following terminology. Cisco VPN 3000 Concentrator Series Cisco VPN 3000 Concentrator Series comprises a family of purpose-built, remote access Virtual Private Network (VPN) platforms that incorporate high availability, high performance, and scalability with the most advanced encryption and authentication techniques available today. FIPS 140-1 Federal Information Processing Standards Publication 140-I—Security Require- ments for Cryptographic Modules details the U.S. Government requirements for cryptographic modules. FIPS Mode A configuration of the VPN 3000 Concentrator Series that allows users to use the VPN Concentrator in a way that is compliant with the government standard FIPS 140-1. IPSec A family of IETF protocols that provide network layer encryption. IKE A key management protocol used by IPSec for authentication and secret key deri- vation. 3 Cisco VPN 3000 Concentrator Series Security Policy OL-1709-01 Terminology The VPN Concentrator includes models to support a range of enterprise customers, from small businesses with 100 or fewer remote access users to large organizations with up to 10,000 simultaneous remote users. The VPN Concentrator is available in both non-redundant and redundant configurations, allowing customers to build the most robust, reliable, and cost-effective networks possible. FIPS 140-1 Applicability The VPN Concentrators are Multiple-Chip Standalone Cryptographic Modules as defined in Security Requirements for Cryptographic Modules, FIPS publication 140-1. The cryptographic boundary for each VPN Concentrator module is the actual physical embodiment of each device. This security policy pertains to the following specific VPN Concentrators: • VPN Concentrator 3005 (Release 3.1 FIPS) • VPN Concentrator 3015 (Release 3.1 FIPS) • VPN Concentrator 3030 (Release 3.1 FIPS) • VPN Concentrator 3060 (Release 3.1 FIPS) • VPN Concentrator 3080 (Release 3.1 FIPS) The VPN Concentrators are intended to meet the overall requirements for FIPS-140 Level 2 security as defined in FIPS-140-1. Table 1 shows the security level requirements met for the VPN Concentrators: Table 1 Security Level Requirements Security Requirements Section FIPS-140 Security Level Cryptographic Module 2 Module Interfaces 2 Roles & Services 2 Finite State Machines 2 Physical Security 2 Software Security 3 Operating System Security N/A Key Management 2 Cryptographic Algorithms 2 EMI/EMC 2 Self Tests 2 4 Cisco VPN 3000 Concentrator Series Security Policy OL-1709-01 Roles and Services Roles and Services VPN Concentrators implement a role-based authentication mechanism. Up to five administrative roles can be defined with the restriction that at least one administrator must serve as a superuser (an administrator with the highest level of privileges). The highest level administrator is also known as the Crypto-officer in FIPS 140-1 terminology. There can be up to 10 simultaneous administrative sessions active in the VPN Concentrator at one time. The access methods for the administrative roles as well as the services available for each role are listed below. For detailed descriptions on configuration, see the VPN 3000 Series Concentrator Reference Volume I: Configuration. Administrator (Superuser) Role For the VPN Concentrator, the superuser is the highest level administrator. To access the administrator role, connect through an Ethernet port and use the Web-based administration tool, or connect through the console port. The administrator must enter the correct username/password combination and pass the appropriate IP address checks. The administrator role can access all the services accessible via any management interface. Administrators are responsible for ensuring that VPN Concentrators are configured properly to meet all FIPS 140-1 requirements. Warning There is no way to recover your system if you forget the Administrator password. Take appropriate measures to safeguard your password and remember it. If you forget the Administrator password, you cannot log in to your system and you will have to return the VPN Concentrator to be recovered. The non-crypto services include show status commands and user establishment and authentication initialization. The various non-crypto services available to the administrator role include the following: • Performing general configuration (for example, defining IP addresses, enabling interfaces, enabling network services, and enabling routing protocols) • Reloading and shutting down the VPN Concentrator • Displaying full status of the VPN Concentrator • Shutting down and restarting network services • Displaying the configuration stored in memory, and also the version saved in NVRAM, which is used to initialize the VPN Concentrator following a reboot. • Configuring all administrative roles and privileges. • Managing the event log • Monitoring operations The crypto services include key generation, encryption/decryption, and the power-up self-tests. Some of the specific crypto services available to the administrator role include: • Managing certificate enrollment • Configuring remote access users including groups, user accounts, authentication policy, and encryption policy • Managing remote user address pools • Configuring authentication servers 5 Cisco VPN 3000 Concentrator Series Security Policy OL-1709-01 Roles and Services • Configuring LAN to LAN tunnels including policy management (public key algorithm, encryption, authentication) • Configuring filters and access lists for interfaces and users • Configuring administrator privileges Administrators may not configure static session keys for encrypted tunnels, nor are they allowed to enter static keys for certificate enrollment. These keys are all generated dynamically via the appropriate mechanism (IKE, RSA, DSA). For information on the specific administrator commands, see the section “Administration | Access Rights | Access Settings” in the VPN 3000 Series Concentrator Reference Volume II: Administration and Monitoring user guide. Administrator Role (Non-Superuser) You also access the administrator role through an Ethernet port using the Web-based administration tool, or connect through the console port. All administrator roles are entered by supplying the correct username/password combination and passing the appropriate IP address checks. All administrators are responsible for ensuring, that the VPN Concentrators are configured properly to meet all FIPS 140-1 requirements. At some permission levels, an administrator can access only the configuration and monitoring functions that the administrator with the highest level of permissions selects. It is possible to give other administrators the highest level privileges. For more detailed information on the subset descriptions, see the section “Administration | Access Rights | Access Settings” in the VPN 3000 Series Concentrator Reference Volume II: Administration and Monitoring user guide. User Role Users are the people or entities that wish to send data or traffic through the VPN Concentrators. Users comprise devices, clients, and anyone passing data through the VPN Concentrators. All user roles are entered by supplying the correct authentication information. Users are authenticated to the VPN Concentrators based on the authentication protocol established by the administrator (for example, security association ID or IP address and preshared secret key combination). Table 2 Services by Module and Role Services Roles Description Encryption/Decryption Crypto-officer/User The module encrypts data being sent by both the crypto-officer and user. Crypto-officer services and data sent are encrypted through HTTPS (TLS) sessions. User-sent data is encrypted/decrypted as defined by the IPSec standard. Show Status Crypto-officer The crypto-officer can view the module status through the module’s administrative interface. 6 Cisco VPN 3000 Concentrator Series Security Policy OL-1709-01 Module Interfaces Module Interfaces As mentioned above, the cryptographic boundary encompasses the physical encasing of the VPN Concentrator. Table 3 maps the FIPS 140 logical interfaces to the physical interfaces of the VPN Concentrator. Table 3 FIPS 140-1 Logical Interfaces Security Relevant Data Items The following is a list of all security relevant data items used by VPN Concentrators. This section describes all keys that VPN Concentrators use. Key Encryption Keys The VPN Concentrator uses Key Encryption Keys (KEK) to protect all persistent and ephemeral cryptographic keys that the VPN Concentrator stores. The VPN Concentrator uses two KEKs (KEK1 and KEK2). KEK1 is a triple DES key that protects all traffic keys, HMAC keys, and Diffie-Hellman private keys. KEK1 is used to decrypt the appropriate cryptographic key prior to use. KEK1 is stored in RAM in plaintext form. KEK2 is a DES key that protects DSA private keys, RSA private keys, and the Diffie-Hellman shared secret (gxy ) private keys. KEK2 is used to decrypt the appropriate cryptographic keys prior to use by the module. KEK2 is stored in RAM in plaintext form. Self-Tests Crypto-officer The crypto-officer can perform self-tests and review self-test results. System Configuration Crypto-officer The crypto-officer can configure user and administrator privileges, and other system parameters. Key Entry Crypto-officer The crypto-officer must enter all IPSec preshared keys. Services Roles Description FIPS 140-1 Logical Interfaces VPN Concentrator’s Physical Interfaces Data input Ethernet ports, Console port Data output Ethernet ports, Console port Control input Ethernet ports, Console port Status output Ethernet ports, LEDs 7 Cisco VPN 3000 Concentrator Series Security Policy OL-1709-01 Security Relevant Data Items Authentication Keys This section describes authentication keys. DSA Key Pair The VPN Concentrator uses DSA key pairs for authentication in establishing an IKE session. DSA key pairs are stored encrypted with KEK2. RSA Key Pairs The VPN Concentrator uses RSA key pairs for authentication in establishing an IKE session. RSA key pairs are stored encrypted with KEK2. IKE—Preshared Keys The VPN Concentrator uses IKE preshared keys for authentication in establishing an IKE session. IKE preshared keys are stored in plaintext form. HMAC Keys The VPN Concentrator uses HMAC keys for authenticating and verifying the integrity of packets as a part of the IPSec protocol. These keys, generated during IKE negotiation, are used when the AH or ESP is chosen and are stored encrypted with KEK1. Diffie-Hellman Key Pairs The VPN Concentrator uses Diffie-Hellman key pairs for authentication in establishing an IKE session. Diffie-Hellman private keys and shared secrets (gxy ) are encrypted and stored using KEK2. Traffic Keys All traffic keys are encrypted with KEK1. IPSec DES/3DES Keys The IPSec DES/3DES keys are the traffic encryption keys that protect information passing through the VPN Concentrators. These keys are generated during the IKE negotiation process. Once these keys are no longer in use for encrypting/decrypting traffic, they are zeroized. TLS Traffic Keys TLS traffic keys provide protection of data during administration of the VPN Concentrator via HTTPS. These keys are generated ephemerally and are zeroized after the TLS session has ceased. 8 Cisco VPN 3000 Concentrator Series Security Policy OL-1709-01 Cryptographic Algorithms SSL Traffic Keys SSL traffic keys provide protection of data during administration of the VPN Concentrator via HTTPS. These keys are generated ephemerally and are zeroized after the SSL session has ceased. PPP Traffic Keys PPP traffic keys are traffic keys that provide protection of information passing through the VPN Concentrators. These keys are generated ephemerally during the PPTP negotiation process, and discarded after they are used. Public Keys The following public keys are stored within a VPN Concentrator. All public keys used by the VPN Concentrators are stored within a certificate and signed by the issuing authority, thus protecting certificates from modification. Issuing/Root Certificate Authority The VPN Concentrators might be loaded with the root CA certificate and any subordinate CA’s within a PKI. These public keys verify the identity of any certificates issued within a particular PKI. SSL Server An SSL certificate might also be loaded onto the VPN Concentrator. The SSL certificate authenticates the VPN Concentrator when an administrator establishes a secure connection (HTTPS) for configuration. Server Identity A Server identity certificate binds the public key(s) to the VPN Concentrator. This certificate authenticates the VPN Concentrator during the IKE process. Cryptographic Algorithms For a list of all cryptographic algorithms supported by the VPN Concentrator, see Appendix A. Security Rules (FIPS Mode of Operation) This section defines how to use and configure the VPN Concentrators to ensure compliance with the FIPS 140-1 standard. The administrators are jointly responsible for configuring the VPN Concentrator in FIPS mode. The following list is a summary of the security rules that the administrator must configure and enforce on the VPN Concentrators: • Only FIPS approved cryptographic algorithms to be used • TFTP administrative access method must be disallowed 9 Cisco VPN 3000 Concentrator Series Security Policy OL-1709-01 Security Rules (FIPS Mode of Operation) • Only the IPSec protocol may be enabled for protection of traffic. All other protocols for protecting data must be disabled. • When using HTTPS to protect administrative functions, only the TLS protocol may be used for key derivation. The SSL protocol is not compliant with the FIPS 140-1 standard. The following sections describe in more detail the security rules summarized above. Cryptographic Algorithms VPN Concentrators support many different cryptographic algorithms. However, to properly use VPN Concentrators in FIPS mode, only the FIPS approved algorithms may be used. The following cryptographic algorithms are to be used for encrypting traffic, hashing, or signing/verifying digital signatures: • DES encryption/decryption Note Use the DES algorithm only for protecting low sensitivity information. Cisco recommends that you use Triple DES to protect highly sensitive information. • Triple DES encryption/decryption • SHA-1 hashing • DSA signing and verifying • RSA digital signature signing and verifying The administrator must configure VPN Concentrators to use only the cryptographic algorithms listed above for all services that they provide. Security Relevant Data Items VPN Concentrators store many security relevant data items, such as authentication keys (Preshared keys, DSA or RSA private keys, etc.) and traffic encryption keys. All security data items are stored and protected within the VPN Concentrator tamper evident enclosure (see section “Tamper Evidence” for details on applying tamper evident labels). In addition, most security data items are stored encrypted on VPN Concentrators. The superuser or administrator can zeroize all critical security parameters by issuing the zeroize command through the administrative interface. Security Protocols VPN Concentrators, by design, support many Internet security tunneling protocols for protecting data transfer. However, to ensure that the device operates in FIPS mode, the administrator must ensure that the VPN Concentrator is configured such that only the IPSec protocol is used to protect data transmission. All other tunneling protocols supported by a VPN Concentrator may not be used if compliance with the FIPS 140-1 standard is required. 10 Cisco VPN 3000 Concentrator Series Security Policy OL-1709-01 Administration Management Access Methods VPN Concentrators support the capability to update the firmware in a secure manner. The administrator must first zeroize all critical security parameters prior to loading new firmware. Because the VPN Concentrator stores two images of firmware, the administrator must load the firmware successfully twice to ensure that both images stored contain the firmware that is being loaded. Please note that the administrator is responsible for acquiring the firmware image from a valid Cisco distribution center and for ensuring that this firmware is a FIPS 140-1 validated module. Administration Management Access Methods The VPN 3000 Concentrator allows the following administrative access methods: • FTP • HTTP • TFTP • Console/TELNET (clear text password) • HTTPS (SSL protocol or TLS protocol) • SSH • SNMP (clear text password but only used for monitoring – writes are not allowed) Each access method requires that the administrator enter a password for access. The password is checked against a clear-text password stored in RAM on the VPN Concentrator. The VPN Concentrator also can restrict access based on the IP address of the administrator. For the protocol-based access methods, the source IP address is checked against a configured list of addresses stored on the VPN Concentrator. In addition, all VPN Concentrators can be administered remotely. An administrator can manage the VPN Concentrator through a direct connection to the console port or through any of the Ethernet interfaces. The administrator can administer and configure the VPN Concentrator through either a command-line interface or through the web-based administration application. Although all of the access modes listed above are supported, based on the rules of the FIPS 140-1 standard, the only access method that may be used to provide encrypted protection of all data and configuration information is HTTPS (using the TLS protocol). All other access methods supported by the VPN Concentrators either use nonFIPS approved cryptographic algorithms for encryption (HTTPS (SSL), SSH, and SNMP) or do not support any encryption mechanism at all (FTP, Telnet/Console). Therefore to operate in FIPS mode, you must configure the VPN 3000 Concentrator as follows: • Enable HTTPS only. • Configure SSL to use only FIPS compliant encryption algorithms (DES, 3DES, or SHA-1) and set SSL version to TLS V1. • Configure the Event subsystem to avoid sending events to the console. • Disable Telnet server. • Disable FTP server. • Disable TFTP server. • Disable PPTP • Disable L2TP • Disable all external authentication servers such as RADIUS, TACACS, and so on. 11 Cisco VPN 3000 Concentrator Series Security Policy OL-1709-01 Tamper Evidence • Deactivate any IKE proposals using algorithms that are not FIPS compliant. • Ensure that installed digital certificates are signed using FIPS compliant algorithms (SHA-1). • Configure digital certificates to require FIPS compliant algorithms. Once configured, you can use the Show FIPS status command to tell whether the VPN 3000 Concentrator is operating in FIPS mode. Tamper Evidence The VPN Concentrator protects all critical security parameters through the use of tamper evident labels. The administrator is responsible for properly placing all tamper evident labels. The security labels recommended for FIPS 140-1 compliance are provided in the FIPS Kit (CVPN3000FIPS/KIT), which you can order for any validated model. These security labels are very fragile and cannot be removed without clear signs of damage to the labels. The following sections describe where to apply the tamper evident labels to the VPN Concentrators. VPN Concentrator Model 3005 VPN Concentrator Model 3005 has a smaller and more compact encasing (1U) than that of the VPN Concentrator models 3015-3080. The main encasing of the VPN Concentrator Model 3005 may be removed like the encasing of a personal computer. The VPN Concentrator’s encasing is attached with four screws at the rear of the device. In addition, the VPN Concentrator also has a removable front panel. Both the main encasing and front panel of the VPN Concentrator must be protected through the use of tamper evident labels. VPN Concentrator Models 3015-3080 The encasing of the VPN Concentrator Models 3015-3080 is very similar to that of the VPN Concentrator Model 3005. The 3015-3080 models have a larger encasing (2U) and use Scalable Encryption Processing modules (SEPs). The main encasing of the VPN Concentrator models 3015-3080 may be removed like the encasing of a personal computer. The VPN Concentrator encasing is attached with four screws at the rear of the device. In addition, the VPN Concentrator also has a removable front panel. The main encasing, front panel, and side panel of the VPN Concentrator must be protected through the use of tamper evident labels. In addition, VPN Concentrator Models 3015-3080 employ SEPs to accelerate IPSec cryptographic operations. The SEPs are located at the back panel of the VPN Concentrators. The SEP devices are attached to the VPN Concentrator by two screws. Security labels must be applied across the SEPs to ensure that these devices are not tampered with. 12 Cisco VPN 3000 Concentrator Series Security Policy OL-1709-01 Self-Tests Self-Tests A VPN Concentrator implements both power-up and conditional self-tests to ensure that the module is functioning properly at all times. Since some VPN Concentrator models (3015, 3030, 3060, and 3080) use the SEP modules (hardware components) to accelerate cryptographic operation, self-tests are performed for both the hardware and software implementations. Power-up Tests The VPN Concentrator performs all power-up self-tests automatically each time it starts. All power-up self-tests must be passed before allowing any operator to perform any cryptographic services. The power-up self-tests are performed after the cryptographic systems are initialized, but prior to the initialization of the LANs. This prevents the module from passing any data during a power-up self-test failure. In the unlikely event a power-up self-test fails, an event is displayed indicating the error and then the module transitions into the FAILURE state. This state does not allow the module to perform any additional operations. The operator may power cycle the module to attempt to clear the error. Each VPN Concentrator performs the following power-up self-tests as defined in the FIPS 140-1 standard: • DES/TDES Known Answer Test • SHA-1 Known Answer Test • DSA Algorithm Test • RSA Algorithm Test • Software/Firmware Test Conditional Tests Each VPN Concentrator also performs the following conditional self-tests: • Pairwise Consistency Test (DSA and RSA) • Continuous Random Number Generator Test In the unlikely event a conditional self-test fails, an event is displayed indicating the error and then the module transitions into the HALTED state. This state does not allow the module to perform any additional operations. The operator may power cycle the module to attempt to clear the error. 13 Cisco VPN 3000 Concentrator Series Security Policy OL-1709-01 Appendix A—Cryptographic Algorithms Appendix A—Cryptographic Algorithms This appendix lists cryptographic algorithms that are approved for FIPS and others that are not FIPS approved. FIPS Approved Cryptographic Algorithms The following cryptographic algorithms are approved for FIPS operation. Encryption Algorithms • 56-bit DES – Firmware – Certificate 147 – Hardware – Certificate 100 • 168-bit Triple DES – Firmware – Certificate 86 – Hardware – Certificate 32 Hashing/Authentication Algorithms • SHA-1) – Firmware – Certificate 73 – Hardware – Certificate 38 (DSA Certificate) • HMAC with SHA-1 (Cert# 73: vendor affirmed) Digital Signature Algorithms • DSA – Firmware – Certificate 54 – Hardware – Certificate 38 • RSA (Vendor affirmed) Non-FIPS Approved Cryptographic Algorithms The following cryptographic algorithms are not FIPS compliant algorithms. Encryption Algorithms • 40- and 128-bit RC4 Hashing/Authentication Algorithms • MD5 • HMAC with MD5 14 Cisco VPN 3000 Concentrator Series Security Policy OL-1709-01 Appendix A—Cryptographic Algorithms CCIP, the Cisco Powered Network mark, the Cisco Systems Verified logo, Cisco Unity, Fast Step, Follow Me Browsing, FormShare, Internet Quotient, iQ Breakthrough, iQ Expertise, iQ FastTrack, the iQ Logo, iQ Net Readiness Scorecard, Networking Academy, ScriptShare, SMARTnet, TransPath, and Voice LAN are trademarks of Cisco Systems, Inc.; Changing the Way We Work, Live, Play, and Learn, Discover All That’s Possible, The Fastest Way to Increase Your Internet Quotient, and iQuick Study are service marks of Cisco Systems, Inc.; and Aironet, ASIST, BPX, Catalyst, CCDA, CCDP, CCIE, CCNA, CCNP, Cisco, the Cisco Certified Internetwork Expert logo, Cisco IOS, the Cisco IOS logo, Cisco Press, Cisco Systems, Cisco Systems Capital, the Cisco Systems logo, Empowering the Internet Generation, Enterprise/Solver, EtherChannel, EtherSwitch, GigaStack, IOS, IP/TV, LightStream, MGX, MICA, the Networkers logo, Network Registrar, Packet, PIX, Post-Routing, Pre-Routing, RateMUX, Registrar, SlideCast, StrataView Plus, Stratm, SwitchProbe, TeleRouter, and VCO are registered trademarks of Cisco Systems, Inc. and/or its affiliates in the U.S. and certain other countries. All other trademarks mentioned in this document or Web site are the property of their respective owners. The use of the word partner does not imply a partnership relationship between Cisco and any other company. (0201R) Cisco VPN 3000 Concentrator Series Security Policy Copyright © 2002, Cisco Systems, Inc. All rights reserved. Note This document may be copied in its entirety and without modification. All copies must include the copyright notice and statements on the this page.