© 2009 Secure Computing Corporation
This document may be freely reproduced and distributed whole and intact including this copyright notice.
Secure Computing Corporation
Secure Firewall (Sidewinder) 4150E
(Hardware Version: 4150 with SecureOS v7.0.1.01)
FIPS 140-2
Non-Proprietary Security Policy
Level 2 Validation
Document Version 1.1
Prepared for: Prepared by:
Secure Computing Corporation Corsec Security, Inc.
12010 Sunset Hills Road, Suite 300
Reston VA 20190
10340 Democracy Lane, Suite 201
Fairfax, VA 22030
Phone: (703) 463-2300 Phone: (703) 267-6050
Fax: (703) 463-2310 Fax: (703) 267-6810
http://www.securecomputing.com http://www.corsec.com
Non-Proprietary Security Policy, Version 1.1 March 11, 2009
Secure Computing Secure Firewall (Sidewinder) 4150E Page 2 of 25
© 2009 Secure Computing Corporation
This document may be freely reproduced and distributed whole and intact including this copyright notice.
Revision History
Version Modification Date Modified By Description of Changes
0.1 2008-10-02 Darryl Johnson Initial draft.
0.2 2009-01-09 Rumman Mahmud Final draft for lab submission.
1.0 2009-02-03 Rumman Mahmud Final version.
1.1 2009-03-11 Rumman Mahmud Incorporated CMVP change requests.
Non-Proprietary Security Policy, Version 1.1 March 11, 2009
Secure Computing Secure Firewall (Sidewinder) 4150E Page 3 of 25
© 2009 Secure Computing Corporation
This document may be freely reproduced and distributed whole and intact including this copyright notice.
Table of Contents
1 INTRODUCTION ...................................................................................................................................5
1.1 PURPOSE .......................................................................................................................................5
1.2 REFERENCES..................................................................................................................................5
1.3 DOCUMENT ORGANIZATION .............................................................................................................5
2 SECURE COMPUTING SECURE FIREWALL (SIDEWINDER) 4150E...............................................6
2.1 OVERVIEW......................................................................................................................................6
2.2 MODULE INTERFACES......................................................................................................................8
2.3 ROLES AND SERVICES.....................................................................................................................8
2.3.1 Crypto-Officer Roles..........................................................................................................9
2.3.2 User Role ........................................................................................................................10
2.3.3 Network User Role ..........................................................................................................10
2.3.4 Authentication Mechanism..............................................................................................10
2.4 PHYSICAL SECURITY .....................................................................................................................11
2.5 OPERATIONAL ENVIRONMENT ........................................................................................................11
2.6 CRYPTOGRAPHIC KEY MANAGEMENT.............................................................................................11
2.7 SELF-TESTS .................................................................................................................................15
2.8 DESIGN ASSURANCE .....................................................................................................................15
2.9 MITIGATION OF OTHER ATTACKS ...................................................................................................16
3 SECURE OPERATION........................................................................................................................17
3.1 CRYPTO-OFFICER GUIDANCE ........................................................................................................17
3.1.1 Initialization......................................................................................................................18
3.1.2 Management ...................................................................................................................22
3.1.3 Zeroization.......................................................................................................................22
3.1.4 Disabling FIPS Mode of Operation..................................................................................22
3.2 USER GUIDANCE...........................................................................................................................23
4 ACRONYMS........................................................................................................................................24
Table of Figures
FIGURE 1 – TYPICAL DEPLOYMENT SCENARIO ..................................................................................................6
FIGURE 2 – SECURE COMPUTING (SIDEWINDER) 4150E ...................................................................................7
FIGURE 3 – SERVICE STATUS.........................................................................................................................20
FIGURE 4 – CONFIGURING FOR FIPS .............................................................................................................21
List of Tables
TABLE 1 – SECURITY LEVEL PER FIPS 140-2 SECTION .....................................................................................7
TABLE 2 – FIPS 140-2 LOGICAL INTERFACES ...................................................................................................8
TABLE 3 – MAPPING OF GUI CRYPTO-OFFICER’S SERVICES TO TYPE OF CSP ACCESS......................................9
TABLE 4 – MAPPING OF USER ROLE’S SERVICES TO TYPE OF CSP ACCESS ....................................................10
TABLE 5 – MAPPING OF NETWORK USER ROLE’S SERVICES TO TYPE OF CSP ACCESS ....................................10
TABLE 6 – AUTHENTICATION MECHANISMS EMPLOYED BY THE MODULE...........................................................10
TABLE 7 - ALGORITHM CERTIFICATE NUMBERS FOR CRYPTOGRAPHIC LIBRARIES .............................................12
TABLE 8 – FIPS NON-APPROVED FUNCTIONS IMPLEMENTED IN THE MODULE ...................................................12
TABLE 9 – LIST OF CRYPTOGRAPHIC KEYS, CRYPTOGRAPHIC KEY COMPONENTS, AND CSPS ..........................13
TABLE 10 – SUMMARY OF SECURE FIREWALL DOCUMENTATION ......................................................................17
Non-Proprietary Security Policy, Version 1.1 March 11, 2009
Secure Computing Secure Firewall (Sidewinder) 4150E Page 4 of 25
© 2009 Secure Computing Corporation
This document may be freely reproduced and distributed whole and intact including this copyright notice.
TABLE 11 – LABEL APPLICATION INSTRUCTIONS FOR SECURE COMPUTING SECURE FIREWALL (SIDEWINDER)
4150E...................................................................................................................................................18
TABLE 12 – REQUIRED KEYS AND CSPS FOR SECURE OPERATION..................................................................21
TABLE 13 – ACRONYMS .................................................................................................................................24
Non-Proprietary Security Policy, Version 1.1 March 11, 2009
Secure Computing Secure Firewall (Sidewinder) 4150E Page 5 of 25
© 2009 Secure Computing Corporation
This document may be freely reproduced and distributed whole and intact including this copyright notice.
1 Introduction
1.1 Purpose
This is a non-proprietary Cryptographic Module Security Policy for the Secure Computing Secure Firewall
(Sidewinder) 4150E from Secure Computing Corporation. This Security Policy describes how the Secure
Computing Secure Firewall (Sidewinder) 4150E with SecureOS v7.0.1.01 meets the security
requirements of Federal Information Processing Standards (FIPS) Publication 140-2, which details the
U.S. Government requirements for cryptographic modules. This document also describes how to run the
module in a secure FIPS 140-2 mode. This policy was prepared as part of the Level 2 FIPS 140-2
validation of the module.
The Secure Computing Secure Firewall (Sidewinder) 4150E with SecureOS v7.0.1.01 is referred to in this
document as the Sidewinder 4150E, the cryptographic module, the hardware module or the module.
1.2 References
This document deals only with operations and capabilities of the module in the technical terms of a FIPS
140-2 cryptographic module security policy. More information is available on the module from the
following sources:
• The Secure Computing website (http://www.securecomputing.com/) contains information on the
full line of products from Secure Computing.
• The National Institute of Standards and Technology (NIST) Cryptographic Module Validation
Program (CMVP) website (http://csrc.nist.gov/groups/STM/index.html) contains information about
the FIPS 140-2 standard and validation program. It also lists contact information for answers to
technical or sales-related questions for the module.
1.3 Document Organization
The Security Policy document is one document in a FIPS 140-2 Submission Package. In addition to this
document, the Submission Package contains:
• Vendor Evidence document
• Finite State Machine
• Other supporting documentation as additional references
This Security Policy and the other validation submission documentation were produced by Corsec
Security, Inc. under contract to Secure Computing. With the exception of this Non-Proprietary Security
Policy, the FIPS 140-2 Validation Documentation is proprietary to Secure Computing and is releasable
only under appropriate non-disclosure agreements. For access to these documents, please contact
Secure Computing.
Non-Proprietary Security Policy, Version 1.1 March 11, 2009
Secure Computing Secure Firewall (Sidewinder) 4150E Page 6 of 25
© 2009 Secure Computing Corporation
This document may be freely reproduced and distributed whole and intact including this copyright notice.
2 Secure Computing Secure Firewall (Sidewinder) 4150E
2.1 Overview
Secure Computing® is a global leader in Enterprise Security solutions. The company’s comprehensive
portfolio of Secure Web, Secure Mail, Secure Firewall (Sidewinder), and Secure SafeWord solutions
provide unmatched protection for the enterprise in the most mission-critical and sensitive environments.
Secure Computing's Secure Firewall (Sidewinder) appliances are created to meet the specific needs of
organizations of all types and enable those organizations to reduce costs and mitigate the evolving
risks that threaten today's networks and applications. Consolidating all major perimeter security functions
into one system, the Secure Firewall (Sidewinder) appliance is the strongest self-defending perimeter
firewall in the world. Built with a comprehensive combination of high-speed application proxies,
TrustedSource™ reputation-based global intelligence, and signature-based security services, Secure
Firewall defends networks and Internet-facing applications from all types of malicious threats, both known
and unknown.
Figure 1 – Typical Deployment Scenario
Secure Firewall (Sidewinder) appliances are market-leading, next-generation firewalls that provide
application visibility and control even beyond Unified Threat Management (UTM) for multi-layer security—
and the highest network performance. Global visibility of dynamic threats is the centerpiece of Secure
Firewall and one of the key reasons for its superior ability to detect unknown threats along with the
known. Secure Firewalls deliver the best-of-breed in security systems to block attacks, including:
• Viruses
• Worms
• Trojans
• Intrusion attempts
• Spam and phishing tactics
• Cross-site scripting
• SQL injections
• Denial of service (DoS)
• Attacks hiding in encrypted protocols
A Sidewinder appliance is managed using a proprietary graphical user interface (GUI), referred as Admin
Console, and a command line management interface port. Hundreds of Sidewinder appliances can be
managed centrally using Secure Computing CommandCenter tool. Sidewinder security features include:
Non-Proprietary Security Policy, Version 1.1 March 11, 2009
Secure Computing Secure Firewall (Sidewinder) 4150E Page 7 of 25
© 2009 Secure Computing Corporation
This document may be freely reproduced and distributed whole and intact including this copyright notice.
• Firewall feature for full application filtering, web application filtering, and Network Address
Translation (NAT)
• Authentication using local database, Active Directory, LDAP1
, RADIUS2
, Windows Domain
Authentication, and more
• High Availability (HA) for remote IP monitoring
• Secure Geo-Location filtering
• Encrypted application filtering using TLS3
and IPSec4
protocols
• Intrusion Prevention System
• Networking and Routing
Secure Computing Secure Firewall (Sidewinder) 4150E is an Enterprise 1U rack mountable appliance
appropriate for mid to large organizations. A front view of the cryptographic module is shown in Figure 2
below.
Figure 2 – Secure Computing (Sidewinder) 4150E
The Sidewinder 4150E is validated at the following FIPS 140-2 section Levels:
Table 1 – Security Level per FIPS 140-2 Section
Section Section Title Level
1 Cryptographic Module Specification 2
2 Cryptographic Module Ports and Interfaces 2
3 Roles, Services, and Authentication 2
4 Finite State Model 2
5 Physical Security 2
6 Operational Environment N/A
7 Cryptographic Key Management 2
8 EMI/EMC
5
2
1
LDAP – Lightweight Directory Access Protocol
2
RADIUS – Remote Authentication Dial-In User Service
3
TLS – Transport Layer Security
4
IPSec – Internet Protocol Security
5
EMI/EMC – Electromagnetic Interference / Electromagnetic Compatibility
Non-Proprietary Security Policy, Version 1.1 March 11, 2009
Secure Computing Secure Firewall (Sidewinder) 4150E Page 8 of 25
© 2009 Secure Computing Corporation
This document may be freely reproduced and distributed whole and intact including this copyright notice.
Section Section Title Level
9 Self-tests 2
10 Design Assurance 2
11 Mitigation of Other Attacks N/A
14 Cryptographic Module Security Policy 2
2.2 Module Interfaces
The Secure Computing Secure Firewall (Sidewinder) 4150E is a multi-chip standalone cryptographic
module that meets overall Level 2 FIPS 140-2 requirements. The cryptographic boundary of the
Sidewinder 4150E is defined by the metal chassis, which surrounds all the hardware and software
components. Ports and interfaces on the module can be categorized as the following FIPS 140-2 logical
interfaces:
• Data Input Interface
• Data Output Interface
• Control Input interface
• Status Output Interface
All ports and interfaces are located at the front or back side of the hardware module. The front bezel of
the chassis exposes a power button and a Liquid Crystal Display (LCD). The rear side of the module is
populated with the following ports and interfaces:
• Four (4) Ethernet ports
• Two (2) Gigabyte Ethernet ports
• Two (2) Universal Serial Bus (USB) ports
• One (1) serial port
• One (1) Video Graphics Array (VGA) port
• Several Light-Emitting Diodes (LEDs)
• Power button
The ports and interfaces on the module’s connector panel are mapped to logical interfaces in Table 2
below.
Table 2 – FIPS 140-2 Logical Interfaces
FIPS 140-2 Logical Interface Sidewinder 4150E Ports/Interfaces
Data Input Ethernet port
Data Output Ethernet port
Control Input Ethernet port, serial port, USB port, power button
Status Output Ethernet port, serial port, USB port, VGA port, LEDs
2.3 Roles and Services
The module supports role-based authentication. There are three authorized roles in the module that an
operator may assume: a Crypto-Officer (CO) role, a User role, and a Network User role.
Non-Proprietary Security Policy, Version 1.1 March 11, 2009
Secure Computing Secure Firewall (Sidewinder) 4150E Page 9 of 25
© 2009 Secure Computing Corporation
This document may be freely reproduced and distributed whole and intact including this copyright notice.
2.3.1 Crypto-Officer Roles
The Crypto-Officer role performs administrative services on the module, such as initialization,
configuration, and monitoring of the module. Before accessing the module for any administrative service,
the operator must authenticate to the module. The module offers management interfaces in two ways:
• Administration Console
• Command Line Interface
The Administration Console (or Admin Console) is the graphical software that runs on a Windows
computer within the protected network. Admin Console is Secure Computing’s proprietary GUI
management software tool that needs to be installed on a Windows based workstation. This is the
primary management tool. All Admin Console sessions to the module are protected over secure TLS
channel. Authentication of the administrator is through a username/password prompt checked against a
local password database.
Command Line Interface (CLI) sessions are offered by the module for troubleshooting. The CLI is
accessed locally over the serial port, while remote access is via Secure Shell (SSH) session. The CO
authenticates to the module using a username and password.
Services provided to the Crypto-Officer are provided in Table 3 below.
Table 3 – Mapping of GUI Crypto-Officer’s Services to Type of CSP Access
Service Description Type of Access
Authenticate to the local CLI Used when administrators log into the appliance
using the Sidewinder Admin CLI
Write, execute
Change password Allows external users to use a browser to change
their Sidewinder, SafeWord PremierAccess, or
LDAP login password
Write, execute
Configure cluster
communication
Services required to communicate with each
other in Sidewinder multi-appliance
configurations
Read, write, execute
Configure and monitor VPN
accounts
Used to generate and exchange keys for VPN
sessions and configure the user accounts
Read, write, execute
Create and configure
bypass mode
Create and monitor IPSec policy table that
governs alternating bypass mode
Read, write, execute
Manage mail services Used when running ‘sendmail’ service on a
Sidewinder appliance
Read, write, execute
Manage web filter Manages configuration with the SmartFilter Read, write, execute
Manage CommandCenter
communication
Verifies registration and oversees
communication among the CommandCenter and
managed Sidewinder appliances
Read, write, execute
Monitor status on SNMP Monitors non security relevant status of the
module via SNMP
Read
Remote management Manage the module remotely via SSH protocol Read, write, execute
Perform self-test Run self-tests on demand Execute
Enable FIPS mode Configures the module in FIPS mode Read, write, execute
Show status Allows Crypto-Officer to check whether FIPS
mode is enabled
Write, execute
Zeroize Zerioizes the module to the factory default state Write, execute
Non-Proprietary Security Policy, Version 1.1 March 11, 2009
Secure Computing Secure Firewall (Sidewinder) 4150E Page 10 of 25
© 2009 Secure Computing Corporation
This document may be freely reproduced and distributed whole and intact including this copyright notice.
2.3.2 User Role
The User role has the ability to utilize the module’s data transmitting functionalities via Ethernet port.
Descriptions of the services available to the Users are provided in the table below.
Table 4 – Mapping of User Role’s Services to Type of CSP Access
Service Description Type of Access
Encrypt/decrypt Allow secure VPN into corporate network over
IPSec tunnel
Execute
Bypass Access bypass capabilities of the module Execute
2.3.3 Network User Role
The Network User role is defined as users within the secured network who have been given access to the
device by a security policy rule granted by the Crypto-Officer. The crypto-officer defines security policy
rules as to how a Network User is to communicate with other devices or computers.
Table 5 – Mapping of Network User Role’s Services to Type of CSP Access
Service Description Type of Access
Communicate within the
network
Communicate with other devices or computers
within the network
Read
2.3.4 Authentication Mechanism
The module employs the following authentication methods to authenticate Crypto-Officer, Users, and
Network Users.
Table 6 – Authentication Mechanisms Employed by the Module
Role Type of Authentication Authentication Strength
Crypto-Officer Password Passwords are required to be at least 6
characters long. The password requirement is
enforced by the Security Policy. The maximum
password length is 64 characters. Alphanumeric
characters can be used with repetition, which
gives a total of 62 characters to choose from.
The chance of a random attempt falsely
succeeding is 1 in (62
6
=) 56,800,235,584.
User Password Passwords are required to be at least 6
characters long. The password requirement is
enforced by the Security Policy. The maximum
password length is 64 characters. Alphanumeric
characters can be used with repetition, which
gives a total of 62 characters to choose from.
The chance of a random attempt falsely
succeeding is 1 in (62
6
=) 56,800,235,584.
Non-Proprietary Security Policy, Version 1.1 March 11, 2009
Secure Computing Secure Firewall (Sidewinder) 4150E Page 11 of 25
© 2009 Secure Computing Corporation
This document may be freely reproduced and distributed whole and intact including this copyright notice.
Role Type of Authentication Authentication Strength
Network User Password, Certificate, or IP Address Passwords are required to be at least 6
characters long. The password requirement is
enforced by the Security Policy. The maximum
password length is 64 characters. Alphanumeric
characters can be used with repetition, which
gives a total of 62 characters to choose from.
The chance of a random attempt falsely
succeeding is 1 in (626
=) 56,800,235,584.
Certificates used as part of TLS, SSH, and
IKE/IPSec are at a minimum 1024 bits. The
chance of a random attempt falsely succeeding
is 1 in (2
80
= ) 1,20893 x 10
24
. The module also
authenticates network users by IP address via
firewall rules.
2.4 Physical Security
The Secure Computing Secure Firewall (Sidewinder) 4150E is a multi-chip standalone cryptographic
module. The module is contained in hard metal chassis which is defined as the cryptographic boundary
of the module. The module’s chassis is opaque within the visible spectrum. The enclosure of the module
has been designed to satisfy level 2 physical security requirements. There are only a limited set of
louvered vent holes provided in the cases, and these holes obscure the view of the internal components
of the module. Tamper-evident labels are applied to the case to provide physical evidence of attempts to
remove the case. The placement of tamper-evident labels can be found in Secure Operation section of
this document.
The Sidewinder systems were tested and found conformant to the Electromagnetic
Interference/Electromagnetic Compatibility (EMI/EMC) requirements specified by 47 Code of Federal
Regulations, Part 15, Subpart B, Unintentional Radiators, Digital Devices, Class A (i.e., for business use).
2.5 Operational Environment
The operational environment requirements do not apply to the Secure Computing Secure Firewall
(Sidewinder) 4150E, because the module does not provide a general-purpose operating system (OS) to
the user. The OS is a proprietary system branded as SecureOS® version 7.0.1.01. The OS has limited
operational environment and only the module’s custom written image can be run on the system. The
module provides a method to update the firmware in the module with a new version. This method
involves downloading a digitally signed firmware update to the module.
2.6 Cryptographic Key Management
The module implements three firmware cryptographic libraries to offer secure networking protocols and
cryptographic functionalities. The firmware libraries are the Cryptographic Library for SecureOS®
(CLSOS) Version 7.0.1 for 32/64-bit systems and the Kernel Cryptographic Library for SecureOS®
(KCLSOS) Version 7.0.1. Security functions offered by the libraries in FIPS mode of operation map to the
certificates listed in
Table 7.
Non-Proprietary Security Policy, Version 1.1 March 11, 2009
Secure Computing Secure Firewall (Sidewinder) 4150E Page 12 of 25
© 2009 Secure Computing Corporation
This document may be freely reproduced and distributed whole and intact including this copyright notice.
Table 7 - Algorithm Certificate Numbers for Cryptographic Libraries
Approved or Allowed Security Functions 64-bit
Cryptographic
Library for
SecureOS®
32-bit
Cryptographic
Library for
SecureOS®
Kernel
Cryptographic
Library for
SecureOS®
Symmetric Key Algorithm
Advanced Encryption Standard (AES) 128-, 192-, 256-bit
in CBC6
and ECB
7
modes
972 973 974
Triple-DES – 112- and 192-bit in CBC mode 765 766 767 (192-bit only)
Secure Hashing Algorithm (SHA)
SHA-1, SHA-256, SHA-384, and SHA-512 941 942 943
Message Authentication Code (MAC) Function
HMAC using SHA-1, SHA-256, SHA-384, and SHA-512 544 545 546
Pseudo Random Number Generator (PRNG)
ANSI
8
X9.31 Appendix A.2.4 PRNG with 256-bit AES 549 550 551
Asymmetric Key Algorithm
RSA
9
PKCS
10
#1 sign/verify: 1024-, 2048-, 4096-bit 469 470 Not implemented
RSA ANSI X9.31 key generation: 1024-, 2048-, 4096-bit 469 470 Not implemented
Digital Signature Algorithm (DSA) sign/verify – 1024-bit 338 339 Not implemented
Diffie-Hellman key agreement: 1024 and 2048 bits
11
N/A N/A Not implemented
The module also implements the following non-approved algorithms to be used in non-FIPS mode of
operation.
Table 8 – FIPS Non-approved Functions Implemented in the Module
Approved or Allowed
Security Functions
64-bit Cryptographic
Library for SecureOS®
32-bit Cryptographic
Library for SecureOS®
Kernel Cryptographic
Library for SecureOS®
Blowfish Implemented Implemented Not implemented
RC4 Implemented Implemented Not implemented
RC2 Implemented Implemented Not implemented
MD5 Implemented Implemented Not implemented
Single DES Implemented Implemented Not implemented
RSA encrypt/decrypt
12
N/A N/A Not implemented
6
CBC – Cipher-Block Chaining
7
ECB – Electronic Codebook
8
ANSI – American National Standards Institute
9
RSA – Rivest, Shamir, and Adleman
10
PKCS – Public Key Cryptography Standard
11
Caveat: Diffie-Hellman (key agreement; key establishment methodology provides 80 or 112 bits of encryption strength.)
Non-Proprietary Security Policy, Version 1.1 March 11, 2009
Secure Computing Secure Firewall (Sidewinder) 4150E Page 13 of 25
© 2009 Secure Computing Corporation
This document may be freely reproduced and distributed whole and intact including this copyright notice.
The module supports the critical security parameters listed in Table 9 below.
Table 9 – List of Cryptographic Keys, Cryptographic Key Components, and CSPs
Key/CSP Type
Generation /
Input
Output Storage Use
Firewall
Authentication
public/private
keys
RSA 1024-, 2048-
, 4096-bit keys or
DSA 1024-bit key
Internally
generated or
imported
electronically in
plaintext via local
management port
Encrypted form
over Network port
or local
management port
in plaintext
Stored in plaintext
on the hard disk
- Peer
Authentication of
TLS, IKE, and
SSH sessions
- Audit log signing
Peer public keys RSA 1024-, 2048-
, 4096-bit keys,
DSA 1024-bit
keys
Imported
electronically in
plaintext during
handshake
protocol
Never exit the
module
Resides in
plaintext on
volatile memory
Peer
Authentication for
SSH and IKE
sessions
Local CA
public/private
keys
RSA
1024,2048,4096-
bit keys,
DSA 1024-bit
keys
Internally
generated
Public key
certificate
exported
electronically in
plaintext via local
management port
Stored in plaintext
on the hard disk
Local signing of
firewall
certificates and
establish trusted
point in peer
entity
Key
Establishment
keys
Diffie-Hellman
1024,2048-bit
keys, RSA
1024,2048,4096-
bit keys
Internally
generated
Public exponent
electronically in
plaintext, private
component not
exported
Resides in volatile
memory in
plaintext
Key
exchange/agreem
ent for TLS,
IKE/IPSec and
SSH sessions
TLS Session
Authentication
Key
HMAC SHA-1 key Internally
generated
Never exits the
module
Resides in volatile
memory in
plaintext
Data
authentication for
TLS sessions
TLS Session Key Triple-DES, AES-
128, AES-256
Internally
generated
Never exits the
module
Resides in volatile
memory in
plaintext
Data
encryption/decryp
tion for TLS
sessions
IKE Session
Authentication
Key
HMAC SHA-1 key Internally
generated
Never exists the
module
Resides in volatile
memory in
plaintext
Data
authentication for
IKE sessions
IKE Session Key Triple-DES, AES-
128, AES-256
Internally
generated
Never exits the
module
Resides in volatile
memory in
plaintext
Data
encryption/decryp
tion for IKE
sessions
IKE Preshared
Key
Triple-DES, AES-
128, AES-256
Imported in
encrypted form
over Network port
or local
management port
in plaintext
Never exits the
module
Stored in plaintext
on the hard disk
Data
encryption/decryp
tion for IKE
sessions
12
Caveat: RSA (key wrapping; key establishment methodology provides between 80 and 150 bits of encryption strength)
Non-Proprietary Security Policy, Version 1.1 March 11, 2009
Secure Computing Secure Firewall (Sidewinder) 4150E Page 14 of 25
© 2009 Secure Computing Corporation
This document may be freely reproduced and distributed whole and intact including this copyright notice.
Key/CSP Type
Generation /
Input
Output Storage Use
Imported in
encrypted form
over Network port
or local
management port
in plaintext
Stored in plaintext
on the hard disk
IPSec Session
Authentication
Key
HMAC SHA-1 key
Internally
generated
Never exits the
module
Resides in volatile
memory
Data
authentication for
IPSec sessions
IPSec Session
Key
Triple-DES, AES-
128, AES-256
Internally
generated
Never exits the
module
Resides in volatile
memory in
plaintext
Data
encryption/decryp
tion for IPSec
sessions
IPSec Preshared
Session Key
Triple-DES, AES-
128, AES-256
Imported in
encrypted form
over Network port
or local
management port
in plaintext
Exported
electronically in
plaintext
Stored in plaintext
on the hard disk
Data
encryption/decryp
tion for IPSec
sessions
SSH Session
Authentication
Key
HMAC-SHA1 key Internally
generated
Never exists the
module
Resides in volatile
memory in
plaintext
Data
authentication for
SSH sessions
SSH Session Key Triple-DES, AES-
128, AES-256
Internally
generated
Never exists the
module
Resides in volatile
memory in
plaintext
Data
encryption/decryp
tion for SSH
sessions
Package
Distribution Public
Key
DSA 1024-bit
public key
Externally
generated and
hard coded in the
image
Never exits the
module
Hard coded in
plaintext
Verifies the
signature
associated with a
firewall update
package
License
Management
Public Key
DSA 1024-bit
public key
Externally
generated and
hard coded in the
image
Never exits the
module
Hard coded in
plaintext
Verifies the
signature
associated with a
firewall license
Administrator
Passwords
PIN Manually or
electronically
imported
Never exits the
module
Stored on the
hard disk through
one-way hash
obscurement
Standard Unix
authentication for
administrator
login
ANSI X9.31
PRNG seed
16 bytes of seed
value
Internally
generated
Never exits the
module
Resides in volatile
memory in
plaintext
Generates FIPS
approved random
number
ANSI X9.31
PRNG key
AES-128 Internally
generated
Never exits the
module
Resides in volatile
memory in
plaintext
Generates FIPS
approved random
number
Non-Proprietary Security Policy, Version 1.1 March 11, 2009
Secure Computing Secure Firewall (Sidewinder) 4150E Page 15 of 25
© 2009 Secure Computing Corporation
This document may be freely reproduced and distributed whole and intact including this copyright notice.
2.7 Self-Tests
The Sidewinder 4150E performs the following self-tests at power-up:
• Firmware integrity check using SHA-1 Error Detection Code (EDC)
• Approved algorithm tests
o AES Known Answer Test (KAT)
o Triple-DES KAT
o SHA-1 KAT, SHA-256 KAT, SHA-384 KAT, and SHA-512 KAT
o HMAC KAT with SHA-1, SHA-256, SHA-384, and SHA-512
o RSA KAT for sign/verify and encrypt/decrypt
o DSA pairwise consistency check
o ANSI X9.31 Appendix A.2.4 PRNG KAT for all implementations
If any of the tests listed above fails to perform successfully, the module enters into a critical error state
where all cryptographic operations and output of any data is prohibited. An error message is logged for
the CO to review and requires action on the Crypto-Officer’s part to clear the error state.
The Sidewinder 4150E also performs the following conditional self-tests:
• Continuous PRNG Test all implementations of FIPS-Approved and non-FIPS-Approved random
number generator
• RSA pairwise consistency test upon generation of an RSA keypair
• DSA pairwise consistency test upon generation of an DSA keypair
• Manual key entry test
• Bypass test using SHA-1
• Firmware Load Test using DSA signature verification
Failure in any of the tests listed above leads the module to a soft error state and logs an error message.
2.8 Design Assurance
Secure Computing’s configuration management system is supported by a set of software tools referred to
as the Secure Computing CVS13
Tools. The CVS Tools are based on the widely-used Concurrent
Versions System (CVS) software tools. Configuration management for Secure Computing consists of the
following four separate tasks:
• Identification
• Control
• Configuration status accounting
• Configuration auditing
For every change to the Sidewinder, the design and requirements of the changed version of the system
are identified with a unique number. The control task is performed by subjecting every change to
approval by an authorized authority. Configuration status accounting is responsible for recording and
reporting on the configuration of the product throughout the change. Finally, through the process of a
configuration audit, the completed change can be verified to be functionally correct and consistent with
the security policy of the system. Configuration management is a sound engineering practice that
provides assurance that the system in operation is the system that is supposed to be in use. The primary
13
CVS – Concurrent Versions System
Non-Proprietary Security Policy, Version 1.1 March 11, 2009
Secure Computing Secure Firewall (Sidewinder) 4150E Page 16 of 25
© 2009 Secure Computing Corporation
This document may be freely reproduced and distributed whole and intact including this copyright notice.
goals of the configuration management system are to ensure the integrity of the product and to make its
evolution more manageable and traceable.
Additionally, Microsoft Visual SourceSafe version 6.0 is used to provide configuration management for the
module’s FIPS documentation. Visual SourceSafe provides access control, versioning, and logging.
2.9 Mitigation of Other Attacks
The module does not claim to mitigate any additional attacks in an approved FIPS mode of operation.
Non-Proprietary Security Policy, Version 1.1 March 11, 2009
Secure Computing Secure Firewall (Sidewinder) 4150E Page 17 of 25
© 2009 Secure Computing Corporation
This document may be freely reproduced and distributed whole and intact including this copyright notice.
3 Secure Operation
The Sidewinder 4150E meets the Level 2 requirements for FIPS 140-2. The sections below describe how
to place and keep the module in FIPS-approved mode of operation.
3.1 Crypto-Officer Guidance
The Crypto-Officer is responsible for initialization and security-relevant configuration and management of
the module. Please see Secure Computing’s Administration Guide for more information on configuring
and maintaining the module. The Crypto-Officer receives the module from the vendor via trusted delivery
services (UPS, FedEx, etc.). The shipment should contain the following:
• Secure Computing Secure Firewall (Sidewinder) 4150E appliance
• Media and Documents
o Activation Certificate
o Setup Guide
o Port Identification Guide
o Management Tools CD
o Secure Firewall Installation Media USB drive (for appliances without a CD-ROM drive)
• Power cord
• Rack mount kit
The Crypto-Officer is responsible for the proper initial setup of the Admin Console Management Tool
software and the Sidewinder 4150E. Setup of the Admin Console software is done by installing the
software on an appropriate Windows® workstation.
When you install the Management Tool, a link to the documents page is added to the “Start” menu of the
computer. To view the Secure Firewall documents on the Secure Computing web site, select
Start > Programs > Secure Computing > Secure Firewall (Sidewinder) > Online Manuals
Table 10 provides a list of available Secure Firewall documents.
Table 10 – Summary of Secure Firewall Documentation
Document Description
Secure Firewall Setup Guide Leads through the initial firewall configuration.
Secure Firewall Administration Guide Complete administration information on all firewall functions and features.
Secure Firewall FIPS 140-2 Level 2 Includes procedures for hardware modifications, software updates, and
configuration changes that meet FIPS 140-2 security requirements.
Secure Firewall CommandCenter
Setup Guide
Leads through the initial CommandCenter configuration.
Secure Firewall CommandCenter
Administration Guide
Complete administration information on all CommandCenter functions and
features. This guide is supplemented by the Secure Firewall Administration
Guide.
Online help Online help is built into Secure Firewall Management Tools programs.
• The Quick Start Wizard provides help for each configuration window.
• The Admin Console program provides help for each window, as well as
comprehensive topic-based help.
Note: A browser with a pop-up blocker turned on, must allow blocked content
to view the Secure Firewall help.
Non-Proprietary Security Policy, Version 1.1 March 11, 2009
Secure Computing Secure Firewall (Sidewinder) 4150E Page 18 of 25
© 2009 Secure Computing Corporation
This document may be freely reproduced and distributed whole and intact including this copyright notice.
Document Description
Release Notes Software updates include release notes, which describe any new features as
well as fixes and enhancements to the software. Release notes are located at:
http://www.securecomputing.com/goto/updates
Application Notes Detailed instructions for setting up specific configurations, such as setting up a
firewall to work with another vendor's product or environment. Application
notes are located at:
http://www.securecomputing.com/goto/appnotes
Knowledge Base Supplemental information for all other SecureFirewall documentation. Articles
include troubleshooting tips and commands. All manuals and application
notes are also posted here. The Knowledge Base is located at:
http://www.securecomputing.com/goto/kb
3.1.1 Initialization
The Crypto-Officer is responsible for initialization and security-relevant configuration and management
activities for the module through the management interfaces. Installation and configuration instructions
for the module can also be found in the Secure Firewall Setup Guide, Secure Firewall Administration
Guide, and Secure Firewall FIPS 140-2 Level 2 documents. The initial Administration account including
username and password for login authentication to the module, is created during the startup configuration
using the Quick Start Wizard.
The Crypto-Officer must perform three activities to ensure that the module is running in an approved FIPS
mode of operation:
• Apply tamper-evident labels
• Setting FIPS environment
• Set FIPS mode enforcement
3.1.1.1 Applying Tamper-Evident Labels
The CO must put tamper-evident labels on the module as described in the table below. Prior to affixing the labels,
the front bezel must be attached and the module powered up. The front bezel protects the removable components
(hard drives and bays) at the front side. Additionally, the 4150E has removable power supplies and top panel.
Labels should be placed on the appliance as shown in the
Table 11 below (indicated by the red circles).
Non-Proprietary Security Policy, Version 1.1 March 11, 2009
Secure Computing Secure Firewall (Sidewinder) 4150E Page 19 of 25
© 2009 Secure Computing Corporation
This document may be freely reproduced and distributed whole and intact including this copyright notice.
Table 11 – Label Application Instructions for Secure Computing Secure Firewall (Sidewinder)
4150E
Procedure Figure
1. Place a tamper-evident label
overlapping front bezel and
metal cover at the top to secure
the disk drives and bays.
2. Place a tamper-evident label
overlapping the top cover and
case on right side near back.
This protects the top cover to
slide back and be removed.
Non-Proprietary Security Policy, Version 1.1 March 11, 2009
Secure Computing Secure Firewall (Sidewinder) 4150E Page 20 of 25
© 2009 Secure Computing Corporation
This document may be freely reproduced and distributed whole and intact including this copyright notice.
Procedure Figure
3. The removable power
supplies at the rear of the
module require tamper-evident
labels. Labels should be applied
covering right side of the power
supplies and chassis.
After the labels are placed as instructed above, the module can be powered up and the Crypto-Officer
may proceed with initial configuration.
3.1.1.2 Setting FIPS Environment
The Crypto-Officer must first check the firmware to ensure they are running version 7.0.1.01. If this
version is not running, the Crypto-Officer must take measures to upgrade the module to 7.0.1.01 to
comply with FIPS 140-2. If required, this upgrade can be performed through the GUI based
administrative console. If the module is being newly built from the onboard virtual disk, then the Crypto-
Officer will first need to set up the network configuration and enable the admin account with a new
password.
To check if the module is currently running version 7.0.1.01, the Crypto-Officer must open the GUI based
administrative console provided with the module. Under the software management and manage
packages table, the Crypto-Officer can see which firmware upgrades have been installed along with their
versions.
To update the module to 7.0.1.01, the Crypto-Officer must:
1. Under "Software Management / Manage Packages" table, select "70101";
2. Select download;
3. Select install;
4. Verify that the "Manage Packages" tab states that "70101" is installed.
Before enforcing FIPS on the module, the Admin Console CO must check that no non-FIPS approved
service is running on the module. To view the services that are currently used in enabled rules, select
“Monitor / Service Status”. The Service Status window appears as shown in Figure 3 below. If the
window lists any non-FIPS-Approved protocols (such as telnet as shown below), then those protocols
must be disabled before the module is considered to be in an approved FIPS mode of operation.
Non-Proprietary Security Policy, Version 1.1 March 11, 2009
Secure Computing Secure Firewall (Sidewinder) 4150E Page 21 of 25
© 2009 Secure Computing Corporation
This document may be freely reproduced and distributed whole and intact including this copyright notice.
Figure 3 – Service Status
The process to enable FIPS mode is provided below:
1. Under “Policy/Application Defences/ Defenses/HTTPS”, disable all non-Approved versions of
SSL, leaving only TLS 1.0 operational.
2. Under “Maintenance / Certificate Management”, ensure that the certificates only use FIPS
approved cryptographic algorithms.
3. Select “Maintenance / FIPS”. The FIPS check box appears in the right pane (shown in Figure 4).
4. Select Enforce US Federal Information Processing Standard.
5. Save the configuration change.
6. Select “Maintenance / System Shutdown” to reboot the firewall to the Operational kernel to
activate the change.
Non-Proprietary Security Policy, Version 1.1 March 11, 2009
Secure Computing Secure Firewall (Sidewinder) 4150E Page 22 of 25
© 2009 Secure Computing Corporation
This document may be freely reproduced and distributed whole and intact including this copyright notice.
Figure 4 – Configuring For FIPS
Whether the module has been upgraded to 7.0.1.01 from an earlier firmware, or shipped with 7.0.1.01
already present, it is required to delete and recreate all required cryptographic keys and CSPs necessary
for the module's secure operation. The keys and CSPs existing on the module were generated outside of
FIPS mode of operation, and they must now be re-created for use in FIPS mode. CO must replace the
following keys and CSPs listed in Table 12.
Table 12 – Required Keys and CSPs for Secure Operation
Services Cryptographic Keys/CSPs
Admin Console (TLS) Firewall Certificate/private key
Command Center (TLS) Firewall Certificate/private key
HTTPS Decryption (TLS) Firewall Certificate/private key
TrustedSource (TLS) Firewall Certificate/private key
Firewall Cluster Management (TLS) Firewall Certificate/private key
Local CA/private key
Passport Authentication (TLS) Firewall Certificate/private key
IPSec/IKE certificate authentication Firewall Certificate/private key
Audit log signing Firewall Certificate/private key
SSH server Firewall Certificate/private key
Administrator Passwords Firewall Certificate/private key
The module is now operating in the FIPS Approved mode of operation.
For troubleshooting or assistance with enabling FIPS mode, the CO may opt to download the Setup guide
at the following location: http://www.securecomputing.com/techpubsRC.cfm.
Non-Proprietary Security Policy, Version 1.1 March 11, 2009
Secure Computing Secure Firewall (Sidewinder) 4150E Page 23 of 25
© 2009 Secure Computing Corporation
This document may be freely reproduced and distributed whole and intact including this copyright notice.
3.1.2 Management
The module can run in two different modes: FIPS-Approved and non-FIPS-Approved. While in a FIPS-
Approved mode, only FIPS-Approved and Allowed algorithms may be used. Non-FIPS-Approved
services are disabled in FIPS mode of operation. The Crypto-Officer is able to monitor and configure the
module via the web interface (GUI over TLS), SSH, serial port, or VGA port. Detailed instructions to
monitor and troubleshoot the systems are provided in the Secure Firewall Administration Guide. The
Crypto-Officer should monitor the module’s status regularly for FIPS mode of operation and active bypass
mode. The CO also monitor that only FIPS approved algorithms as listed in
Table 7 are being used for TLS and SSH sessions.
The show status for FIPS mode of operation can be invoked by checking if the checkbox, shown in Figure
4, is checked. The show status service as it pertains to bypass is shown in the GUI under VPN
Definitions and the module column. For the CLI, the Crypto-Officer may enter “cf ipsec q
type=bypass” to get a listing of the existing bypass rules.
If any irregular activity is noticed or the module is consistently reporting errors, then Secure Computing
customer support should be contacted.
3.1.3 Zeroization
In order to zeroize the module of all keys and CSPs, it is necessary to first rebuild the module’s image
essentially wiping out all data from the module. Once a factory reset has been performed, there will be
some default keys and CSPs which were setup as part of the renewal process. These keys must be
recreated as per the instructions found in Table 12. Failure to recreate these keys will result in a non-
compliant module.
For more information about resetting the module to a factory default, please consult the documentation
that shipped with the module.
3.1.4 Disabling FIPS Mode of Operation
To take the module out of FIPS mode of operation, the Crypto-Officer must zeroize the CSPs as
described in section 3.1.3 of this document. FIPS mode can be disabled from Admin Console window:
1. Select “Maintenance / FIPS”. The FIPS check box appears in the right pane.
2. Unselect Enforce US Federal Information Processing Standard (shown in Figure 4).
3. Save the configuration change.
4. Select “Maintenance / System Shutdown” and reboot the firewall to the Operational kernel to
activate the change.
3.2 User Guidance
When using key establishment protocols (RSA and DH) in the FIPS-Approved mode, the User is
responsible for selecting a key size that provides the appropriate level of key strength for the key being
transported.
Non-Proprietary Security Policy, Version 1.1 March 11, 2009
Secure Computing Secure Firewall (Sidewinder) 4150E Page 24 of 25
© 2009 Secure Computing Corporation
This document may be freely reproduced and distributed whole and intact including this copyright notice.
4 Acronyms
Table 13 – Acronyms
Acronym Definition
AES Advanced Encryption Standard
ANSI American National Standards Institute
CBC Cipher-Block Chaining
CFB Cipher Feedback
CLI Command Line Interface
CLSOS Cryptographic Library for SecureOS®
CMVP Cryptographic Module Validation Program
CO Crypto-Officer
CSP Critical Security Parameter
CVS Concurrent Versions System
DES Digital Encryption Standard
DH Diffie-Hellman
DoS Denial of Service
DSA Digital Signature Algorithm
ECB Electronic Codebook
EDC Error Detection Code
EMC Electromagnetic Compatibility
EMI Electromagnetic Interference
FIPS Federal Information Processing Standard
GUI Graphical User Interface
HMAC (Keyed-) Hash Message Authentication Code
IPSec Internet Protocol Security
KAT Known Answer Test
KCLSOS Kernel Cryptographic Library for SecureOS®
LCD Liquid Crystal Display
LDAP Lightweight Directory Access Protocol
LED Light Emitting Diode
MAC Message Authentication Code
NAT Network Address Translation
NIST National Institute of Standards and Technology
OFB Output Feedback
OS Operating System
PGP Pretty-Good-Privacy
Non-Proprietary Security Policy, Version 1.1 March 11, 2009
Secure Computing Secure Firewall (Sidewinder) 4150E Page 25 of 25
© 2009 Secure Computing Corporation
This document may be freely reproduced and distributed whole and intact including this copyright notice.
Acronym Definition
PKCS Public Key Cryptography Standard
PRNG Pseudo Random Number Generator
RADIUS Remote Authentication Dial-In User Service
RIP Routing Information Protocol
RNG Random Number Generator
RSA Rivest Shamir and Adleman
SHA Secure Hash Algorithm
SSH Secure Shell
TDES Triple Digital Encryption Standard
TLS Transport Layer Security
UTM Unified Threat Management
VGA Video Graphics Array
VSS Visual SourceSafe