federal information processing standard (fips) 140-2 · 2015. 10. 29. · aviat networks getting...
Federal Information Processing Standard (FIPS) 140-2 What is it? Why should you care?
AVIAT NETWORKS
SECURITY IS BECOMING A GROWING CONCERN
• The migration from TDM to IP communication networks has drastically increased security risks
• Growing volume, types, and intrinsic value of traffic makes it infinitely more interesting for hackers
• New technologies offer hackers an ever growing number of access points
AN UNSECURED MICROWAVE NETWORK CAN RESULT IN
• Lost data (your customer’s and/or your organization’s)
• Communications downtime
• Downtime of critical infrastructure
MICROWAVE REQUIRES MULTI-DIMENSIONAL SECURITY STRATEGY
[Diagram; only its labels survived extraction: Eavesdropping (overhead, payload); RF site security (local access); Hacker (remote access); New employee or contractor; Crypto-officer (troubleshooting, investigation); AAA server (remote access); NOC (remote access).]
FIPS Overview
FIPS 197: ADVANCED ENCRYPTION STANDARD (AES)
• THE data encryption standard for federal government networks
• If a federal agency specifies data encryption, then FIPS 197 is mandatory.
• The Advanced Encryption Standard (AES) specifies the algorithm for encrypting and decrypting information
• Uses keys of 128, 192 or 256 bits
FIPS 140-2: SECURITY REQUIREMENTS FOR CRYPTOGRAPHIC MODULES
• Encryption security standard for protecting IT systems that carry sensitive but unclassified information
• Validates both hardware and software
• FIPS 140-2 includes FIPS 197
• 4 levels of increasing physical security and access control
• Includes encryption and secure management and access
FIPS 140-2 LEVELS
• FIPS validation can be obtained for a chip, a group of chips, a card or a terminal, and includes all hardware and software
• Validation can be done at 4 different levels (1-4)
• Level 1: WEAK
  • No identity-based authentication; anyone can use the common password to turn off security
• Level 2: STRONG
  • Mandates identity-based authentication, tamper evidence, etc.
• Level 3 and 4: VERY STRONG
  • Must be pick-resistant and tamper-proof. Adds large cost and complexity to the product
Security is a balance between level of protection and cost. FIPS 140-2 Level 2 is the sweet spot for networking equipment.
HOW DOES FIPS 140-2 MAKE NETWORKS MORE SECURE?
• Independent validation by an accredited lab
• Assurance that algorithms are secure
  • Example: the lab can check code submitted by the manufacturer. A well-known glibc library function is OK for general use but not random enough for encryption
• Assurance that algorithms were properly implemented
  • Example: the OpenSSL vulnerability in the SSL heartbeat extension. That version of OpenSSL used cryptographically secure algorithms but was not properly implemented
FIPS 140-2 Ensures Strong Security Features Exist, Work and Are Implemented Properly
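As an added illustration of the glibc point above (this code is not from the deck; Python's general-purpose random module stands in for the glibc routine the slide mentions, and the seed value is a constructed example):

```python
# Added example, not from the Aviat deck: Python's general-purpose random
# module stands in for the glibc routine the slide mentions. It shows why a
# general-purpose PRNG is unsuitable for key material while an OS-backed
# CSPRNG (the secrets module) is what key generation should use.
import random
import secrets

KEY_BYTES = 32  # AES-256 key length in bytes (FIPS 197)


def key_from_general_purpose_prng(seed: int) -> bytes:
    """Key drawn from a seeded general-purpose PRNG (Mersenne Twister).

    The output is a deterministic function of the seed, so the key carries
    at most as much entropy as the seed, whatever its nominal length.
    """
    rng = random.Random(seed)
    return rng.getrandbits(KEY_BYTES * 8).to_bytes(KEY_BYTES, "big")


def key_from_csprng() -> bytes:
    """Key from the operating system's CSPRNG via the secrets module."""
    return secrets.token_bytes(KEY_BYTES)


def effective_key_bits(seed_bits: int, key_bits: int = KEY_BYTES * 8) -> int:
    """Effective strength of a key derived from a seed of seed_bits bits:
    no more than the seed entropy, and never more than the key length."""
    return min(seed_bits, key_bits)


def demo() -> dict:
    # Constructed seed: a 32-bit Unix timestamp, a common (bad) seed choice.
    seed = 1446076800  # 2015-10-29 00:00:00 UTC, the deck's date
    first = key_from_general_purpose_prng(seed)
    second = key_from_general_purpose_prng(seed)
    return {
        # Same seed, same "key": anyone who knows the seed knows the key.
        "prng_reproducible": first == second,
        # Two CSPRNG draws are independent.
        "csprng_reproducible": key_from_csprng() == key_from_csprng(),
        "prng_effective_bits": effective_key_bits(32),    # 32, not 256
        "csprng_effective_bits": effective_key_bits(256),  # 256
    }
```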
KEY MICROWAVE SECURITY FEATURES
Should include three complementary security feature sets:
• Secure Management: secure access and control over unsecured networks; protects against hacking, accidental or intentional misconfiguration and other network-impacting actions
• Payload Encryption: secures all payload and network management data on the airlink; prevents “eavesdropping” and “replay” attacks, for example
• Integrated RADIUS capability: enables centralized access control and remote AAA; centralizes management of Eclipse user accounts
WHAT’S REQUIRED FROM MICROWAVE VENDORS
• Advanced security functionality (strong security suite)
• Proven to work and to be implemented properly (FIPS 140-2)
ECLIPSE FIPS 140-2 VALIDATION
SECURITY REQUIREMENTS SECTION          FIPS 140-2 LEVEL
Cryptographic Module Specification     3
Module Ports and Interfaces            2
Roles, Services and Authentication     2
Finite State Model                     2
Physical Security                      2
Operational Environment                N/A
Cryptographic Key Management           2
EMI/EMC                                2
Self-Tests                             2
Design Assurance                       3
Mitigation of Other Attacks            N/A
AVIAT HAS ACHIEVED LEVEL 3 IN 2 CRITERIA
MINIMUM LEVEL ACHIEVED DETERMINES OVERALL VALIDATION LEVEL
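The "minimum level determines the overall level" rule from the table, worked as an added example (not code from the deck or from Aviat; the section names and levels are copied from the Eclipse table, the helper is generic and also reports which sections hold the overall level down):

```python
# Added example, not from the Aviat deck: applies the slide's rule that the
# minimum level across the applicable sections sets the overall FIPS 140-2
# validation level, and reports which sections are the limiting ones.

# Section names and levels copied from the Eclipse validation table.
ECLIPSE_SECTION_LEVELS = {
    "Cryptographic Module Specification": 3,
    "Module Ports and Interfaces": 2,
    "Roles, Services and Authentication": 2,
    "Finite State Model": 2,
    "Physical Security": 2,
    "Operational Environment": "N/A",
    "Cryptographic Key Management": 2,
    "EMI/EMC": 2,
    "Self-Tests": 2,
    "Design Assurance": 3,
    "Mitigation of Other Attacks": "N/A",
}

VALID_LEVELS = (1, 2, 3, 4)


def overall_level(section_levels: dict) -> tuple:
    """Return (overall, limiting_sections).

    section_levels maps each of the 11 FIPS 140-2 sections to 1..4 or "N/A".
    "N/A" sections do not apply to the module and are ignored. The limiting
    sections are those sitting at the minimum, i.e. the ones that would have
    to be raised before the overall level could go up.
    """
    if len(section_levels) != 11:
        raise ValueError("FIPS 140-2 defines exactly 11 security requirement sections")
    applicable = {}
    for name, level in section_levels.items():
        if level == "N/A":
            continue
        if level not in VALID_LEVELS:
            raise ValueError(f"{name}: level must be 1-4 or 'N/A', got {level!r}")
        applicable[name] = level
    if not applicable:
        raise ValueError("at least one section must be applicable")
    overall = min(applicable.values())
    limiting = sorted(n for n, lvl in applicable.items() if lvl == overall)
    return overall, limiting


def level_if_raised(section_levels: dict, sections: list, new_level: int) -> int:
    """What-if: overall level after raising the given sections to new_level."""
    updated = {**section_levels, **{s: new_level for s in sections}}
    return overall_level(updated)[0]
```

For the Eclipse table this yields Level 2 with seven limiting sections; the two Level 3 results do not raise the overall level.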
WHAT DOES AVIAT FIPS 140-2 LEVEL 2 VALIDATION COVER
• The entire signal processing unit (INU)
  • Includes chassis RACs, DACs, NCC, NPC, 2U chassis, and additional cards like AUX, 2U Fan, NCM, PCC card
• All RF units
  • All RF units connectable to the INU are automatically covered
  • IRU 600, ODU 600, WTM 3xxx
• Secure Management, Payload Encryption, and RADIUS
In Short… It Covers Everything
Bill of Materials
1. Software feature license
2. Firmware upload (07.07.10) for NCC
3. NCC EXN-004 card
4. RAC card
5. Eclipse INUe chassis with std cards
THE INDUSTRY’S MOST SECURE MICROWAVE RADIO… IS NOW THE ONLY CARRIER GRADE RADIO WITH FIPS 140-2 LEVEL 2 VALIDATION
WWW.AVIATNETWORKS.COM
WHERE IS FIPS 140-2 NEEDED?
Mandatory for federal government (if information must be cryptographically protected). Critical for any organization wanting the highest level of network security.
FIPS 140-2: SECURITY REQUIREMENTS FOR CRYPTOGRAPHIC MODULES
• Specifies 11 areas related to the secure design and implementation of a cryptographic module:
  • Cryptographic module specification
  • Cryptographic module ports and interfaces
  • Roles, services, and authentication
  • Finite state model
  • Physical security
  • Operational environment
  • Cryptographic key management
  • Electromagnetic interference/electromagnetic compatibility (EMI/EMC)
  • Self-tests
  • Design assurance
  • Mitigation of other attacks
WHAT IS FIPS?
• Federal Information Processing Standards
• Published by NIST (National Institute of Standards and Technology)
• 2 main standards
  • CAVP: Cryptographic Algorithm Validation Program (FIPS 197, a.k.a. AES)
  • CMVP: Cryptographic Module Validation Program (FIPS 140-2)
Publicly announced standards developed by the United States federal government. The strictest security standards on the market today!
GETTING FIPS 140-2 VALIDATED
• Testing performed by 1 of 21 NVLAP accredited labs around the world (13 US labs)
• Lab issues test report to CMVP (NIST)
• CMVP (NIST) evaluates the report and asks questions
• Lab and manufacturer provide additional information as required
• CMVP (NIST) issues the validation certificate
  • Validation lists at http://csrc.nist.gov/groups/STM/cmvp/validation.html#01
  • Similarly for CAVP (FIPS 197): http://csrc.nist.gov/groups/STM/cavp/validation.html
Aviat Strong Security Overview
Aviat has Achieved FIPS 140-2 Level 2 Validation (which includes FIPS 197)
FIPS VALIDATION FOR ECLIPSE PLATFORM
MICROWAVE VENDOR SECURITY LANDSCAPE
[Feature comparison table; the per-vendor check marks did not survive extraction, only the row and column labels are recoverable.]
Vendors compared: Aviat, ALU, Exalt, NEC, Dragonwave, Cambium, Ceragon, Huawei, SIAE, Ericsson
Access Control rows: Configurable user privileges; Multi-factor support; RADIUS client; Authentication to backup RADIUS server; Local caching of user accounts; Strong password enforcement; Mechanized attack prevention; Pre-login and post-login banners
Secure Management rows: FIPS 140-2 (table footnotes: “Level 1 only”, “TDD radio only”); ACL for craft tool and NMS/RADIUS/Syslog access; Traffic segregation: VLAN (802.1Q); Disable unused ports/services on NMS & interfaces; Secure Syslog via TLS; Logging of all user activity; SSH for shell-based access; TLS v1.2 for web-based access; SNMPv3; OSPF authentication; Remote backup of software & config files; Encrypted configuration files; Disable DHCP server
Payload Encryption rows: FIPS 197 AES 256-bit symmetric keys; Automatically scheduled key renewal; Diffie-Hellman key agreement
AVIAT: THE ONLY CARRIER GRADE RADIO WITH FIPS 140-2 LEVEL 2 VALIDATION
THE ONLY OTHER VENDORS WITH SOME TYPE OF FIPS 140-2 VALIDATION ARE:
• NEC
  • FIPS 140-2 Level 1 ONLY
  • NEC implementation covers 1 card, not the entire solution
  • No Secure Management & RADIUS (means anyone can log in and turn off Payload Encryption!)
  • Level 1 means no identity-based authentication: anyone can log in with the common password and turn off security!
• Cambium (TDD radios)
  • PTP 800 is FIPS 140-2 Level 1 ONLY
  • Level 1 means no identity-based authentication: anyone can log in with the common password and turn off security!
  • No opacity protection, no tamper evidence
  • PTP 600 is FIPS 140-2 Level 2 validated; however, it is a TDD radio (not for mission critical or latency sensitive applications)
If the vendor is not listed here, they’re not “validated”: http://csrc.nist.gov/groups/STM/cmvp/documents/140-1/140InProcess.pdf