Brocade® MLXe® and Brocade NetIron® CER Series Ethernet Routers FIPS 140-2 Non-Proprietary Security Policy Level 2 with Design Assurance Level 3 Validation Document Version 2.6 March 13, 2013 Revision History Revision Date Revision Summary of Changes 11/27/2012 2.0 Updated Access Control Policy and CSP access table 12/3/12 2.1 Updated DRBG V and C zeroization method. Added tables to list MLXe power supply and fan modules. Added a table to list 2/4/13 2.2 CER power supply modules. Updated information in sections 5.1 and 6.1. Updated Figures 1, 2 and 3. Added MLXe Switch Fabric Module Part Number table. Add power supply SKUs to Power Supply part number table. Added MLXe Switch Fabric Module Part 2/7/13 2.3 Number table. Added Validated MLXe and CER configuration tables. Updated zeroization information. Changed bezel to filler panel in Section 2. In Section 5.1, I changed Firmware 2/13/13 2.4 Integrity Test (128-bit EDC) to Firmware Integrity Test (DSA 1024 bit, SHA-1 Signature Verification). Added DSA 1024 SHA-1 Pairwise Consistency Test (Sign/Verify) to Section 5.1 2/28/13 2.5 para 3 b) Added DES to the non-Approved and not allowed cryptographic methods list in 3/13/13 2.6 Section 6.1.1 NI 5.1.01a Non-Proprietary Security Policy Version 2.6 © 2013 Brocade Communications Systems, Inc. All Rights Reserved. All rights reserved. This Brocade Communications Systems Security Policy for Brocade MLXe and Brocade NetIron CER embodies Brocade Communications Systems' confidential and proprietary intellectual property. Brocade Systems retains all title and ownership in the Specification, including any revisions. This Specification is supplied AS IS and may be reproduced only in its original entirety [without revision]. Brocade Communications Systems makes no warranty, either express or implied, as to the use, operation, condition, or performance of the specification, and any unintended consequence it may on the user environment. Brocade Communications Systems, Inc. Page 2 of 44 NI 5.1.01a Non-Proprietary Security Policy Version 2.6 Table of Contents GLOSSARY ............................................................................................................................................................. 6 1. INTRODUCTION .............................................................................................................................................. 7 2. OVERVIEW ...................................................................................................................................................... 7 2.1 BROCADE MLXE SERIES .................................................................................................................................... 8 2.2 BROCADE CER 2000 SERIES .......................................................................................................................... 13 2.3 PORTS AND INTERFACES .................................................................................................................................. 17 2.3.1 Brocade MLXe Series ........................................................................................................................ 17 2.3.2 MLX Management Cards ................................................................................................................... 17 2.3.3 Brocade NetIron CER 2000 Series ................................................................................................... 18 2.3.4 Interfaces ........................................................................................................................................... 18 2.4 MODES OF OPERATION .................................................................................................................................... 20 2.5 MODULE VALIDATION LEVEL ............................................................................................................................. 20 3. ROLES ......................................................................................................................................................... 20 4. SERVICES .................................................................................................................................................... 21 4.1 USER ROLE SERVICES ..................................................................................................................................... 22 4.1.1 SSH ..................................................................................................................................................... 22 4.1.2 HTTPS ................................................................................................................................................. 22 4.1.3 SNMP .................................................................................................................................................. 22 4.1.4 Console ............................................................................................................................................... 22 4.2 PORT CONFIGURATION ADMINISTRATOR ROLE SERVICES ...................................................................................... 22 4.2.1 SSH ..................................................................................................................................................... 22 4.2.2 HTTPS ................................................................................................................................................. 23 4.2.3 SNMP .................................................................................................................................................. 23 4.2.4 Console ............................................................................................................................................... 23 4.3 CRYPTO OFFICER ROLE SERVICES ..................................................................................................................... 23 4.3.1 SSH ..................................................................................................................................................... 23 4.3.2 SCP ..................................................................................................................................................... 23 4.3.3 HTTPS ................................................................................................................................................. 23 4.3.4 SNMP .................................................................................................................................................. 23 4.3.5 Console ............................................................................................................................................... 24 4.4 NON-FIPS MODE SERVICES ............................................................................................................................ 24 5. POLICIES ..................................................................................................................................................... 24 5.1 SECURITY RULES ............................................................................................................................................ 24 5.1.1 Cryptographic Module Operational Rules ........................................................................................ 25 5.2 AUTHENTICATION ............................................................................................................................................ 26 Brocade Communications Systems, Inc. Page 3 of 44 NI 5.1.01a Non-Proprietary Security Policy Version 2.6 5.2.1 Line Authentication Method .............................................................................................................. 26 5.2.2 Enable Authentication Method ......................................................................................................... 26 5.2.3 Local Authentication Method ............................................................................................................ 26 5.2.4 RADIUS Authentication Method ........................................................................................................ 27 5.2.5 TACACS/TACACS+ Authentication Method ...................................................................................... 27 5.2.6 Strength of Authentication ................................................................................................................ 27 5.3 ACCESS CONTROL AND CRITICAL SECURITY PARAMETER (CSP)............................................................................. 28 5.3.1 CSP Zeroization .................................................................................................................................. 29 5.4 PHYSICAL SECURITY ........................................................................................................................................ 29 6. CRYPTO OFFICER GUIDANCE ...................................................................................................................... 29 6.1 MODE STATUS................................................................................................................................................ 30 6.1.1 FIPS Approved Mode ......................................................................................................................... 31 7. REFERENCES .............................................................................................................................................. 34 APPENDIX A: TAMPER LABEL APPLICATION ........................................................................................................ 35 APPLYING SEALS TO A BROCADE MLXE-4 DEVICE ............................................................................................................ 35 APPLYING SEALS TO A BROCADE MLXE-8 DEVICE ............................................................................................................ 37 APPLYING SEALS TO A BROCADE MLXE-16 DEVICE ......................................................................................................... 39 APPLYING SEALS TO BROCADE NETIRON CER 2024 DEVICES .......................................................................................... 41 APPLYING SEALS TO BROCADE NETIRON CER 2048 DEVICES .......................................................................................... 43 Table of Tables Table 1 MLXe Series Firmware Version ...................................................................................................................... 8 Table 2 MLXe Series Part Numbers ............................................................................................................................ 8 Table 3 MLXe Management Module Part Numbers .................................................................................................. 8 Table 4 MLXe Switch Fabric Module Part Numbers .................................................................................................. 8 Table 5 MLXe Power Supply Part Numbers ................................................................................................................ 9 Table 6 MLXe Fan Module Part Numbers .................................................................................................................. 9 Table 7 MLXe Filler Panel Part Numbers ................................................................................................................... 9 Table 8 Validated MLXe Configurations ................................................................................................................... 10 Table 9 CER Series Firmware Version ...................................................................................................................... 13 Table 10 CER 2000 Series Part Numbers ............................................................................................................... 13 Table 11 CER Interface Module Part Numbers ........................................................................................................ 14 Table 12 CER Power Supply Part Numbers .............................................................................................................. 14 Table 13 Validated CER 2000 Series Configurations .............................................................................................. 15 Table 14 Physical/Logical Interface Correspondence ............................................................................................. 18 Table 15 Power and fan status LEDs for the CER 2024 models ............................................................................ 18 Brocade Communications Systems, Inc. Page 4 of 44 NI 5.1.01a Non-Proprietary Security Policy Version 2.6 Table 16 Power and fan status LEDs for the CER 2048 models ............................................................................ 19 Table 17 Power and fan status LEDs for the NI-MLX-MR Management Module ................................................... 20 Table 18 NetIron Security Levels .............................................................................................................................. 20 Table 19 FIPS Approved Cryptographic Functions .................................................................................................. 21 Table 20 FIPS Non-Approved Cryptographic Functions Allowed in FIPS Approved Mode ..................................... 21 Table 21 Access Control Policy and Critical Security Parameter (CSP) .................................................................. 28 Table 22 Algorithm Certificates ................................................................................................................................ 31 Table of Figures Figure 1 MLXe-4 cryptographic module.................................................................................................................... 11 Figure 2 MLXe-8 cryptographic module.................................................................................................................... 12 Figure 3 MLXe-16 cryptographic module ................................................................................................................. 12 Figure 4 CER 2024C cryptographic module ............................................................................................................. 16 Figure 5 CER 2024F cryptographic module ............................................................................................................. 16 Figure 6 CER 2048C cryptographic module ............................................................................................................. 16 Figure 7 CER 2048CX cryptographic module ........................................................................................................... 17 Figure 8 CER 2048F cryptographic modules ........................................................................................................... 17 Figure 9 CER 2048FX cryptographic module ........................................................................................................... 17 Figure 10 Front view of a Brocade MLXe-4 device with security seals .................................................................. 35 Figure 11 Rear and side view of a Brocade MLXe-4 device with security seals .................................................... 36 Figure 12 Front view of a Brocade MLXe-8 device with security seals .................................................................. 37 Figure 13 Rear and side view of a Brocade MLXe-8 device with security seals .................................................... 38 Figure 14 Front view of a Brocade MLXe-16 device with security seals ................................................................ 39 Figure 15 Rear and side view of a Brocade MLXe-16 device with security seals .................................................. 40 Figure 16 Front, top, and right side view of a Brocade NetIron CER 2024 device with security seals ................ 41 Figure 17 Rear, top, and left side view of a Brocade NetIron CER 2024 device with security seals ................... 42 Figure 18 Front, top, and right side view of a Brocade NetIron CER 2048 device with security seals ................ 43 Figure 19 Rear, top and left side view of a Brocade NetIron CER 2048 device with security seals .................... 44 Brocade Communications Systems, Inc. Page 5 of 44 NI 5.1.01a Non-Proprietary Security Policy Version 2.6 Glossary Term/Acronym Description AES Advanced Encryption Standard CBC Cipher-Block Chaining CER Carrier Ethernet Router CLI Command Line Interface CSP Critical Security Parameter DES Data Encryption Standard DH Diffie-Hellman DRBG Deterministic Random Bit Generator DSA Digital Signature Algorithm ECB Electronic Codebook mode ECDSA Elliptic Curve Digital Signature Algorithm FI FastIron platform GbE Gigabit Ethernet HMAC Keyed-Hash Message Authentication Code KDF Key Derivation Function LED Light-Emitting Diode LP Line Processor Mbps Megabits per second MP Management Processor NDRNG Non-Deterministic Random Number Generator NI NetIron platform OC Optical Carrier PRF pseudo-random function RADIUS Remote Authentication Dial in User Service RSA Rivest Shamir Adleman SCP Secure Copy SFM Switch Fabric Module SHA Secure Hash Algorithm SNMP Simple Network Management Protocol SONET Synchronous Optical Networking SSH Secure Shell TACACS Terminal Access Control Access-Control System TDEA Triple-DES Encryption Algorithm TFTP Trivial File Transfer Protocol TLS Transport Layer Security Brocade Communications Systems, Inc. Page 6 of 44 NI 5.1.01a Non-Proprietary Security Policy Version 2.6 1. Introduction Brocade MLXe Series routers feature industry-leading 100 Gigabit Ethernet (GbE), 10 GbE, and 1 GbE wire- speed density; rich IPv4, IPv6, Multi-VRF, MPLS, and Carrier Ethernet capabilities without compromising performance; and advanced Layer 2 switching. Built upon Brocade's sixth-generation architecture and terabit- scale switch fabrics, the Brocade MLXe Series has a proven heritage with more than 9000 routers deployed worldwide. Internet Service Providers (ISPs), transit networks, Content Delivery Networks (CDNs), hosting providers, and Internet Exchange Points (IXPs) rely on these routers to meet skyrocketing traffic requirements and reduce the cost per bit. By leveraging the Brocade MLXe Series, mission-critical data centers can support more traffic, achieve greater virtualization, and provide cloud services using less infrastructure—thereby simplifying operations and reducing costs. Moreover, the Brocade MLXe Series can reduce complexity in large campus networks by collapsing core and aggregation layers, as well as providing connectivity between sites using MPLS/VPLS. The Brocade NetIron CER 2000 Series is a family of compact 1U routers that are purpose-built for high- performance Ethernet edge routing and MPLS applications. These fixed-form routers can store a complete Internet table and support advanced MPLS features such as Traffic Engineering and VPLS. They are ideal for supporting a wide range of applications in Metro Ethernet, data center and campus networks. The NetIron CER 2000 is available in 24- and 48-port 1 Gigabit Ethernet (GbE) copper and hybrid fiber configurations with two optional 10 GbE uplink ports. To help ensure high performance, all the ports are capable of forwarding IP and MPLS packets at wire speed without oversubscription. With less than 5 watts/Gbps of power consumption, service providers can push up to 136 Gbps of triple-play services through the NetIron CER 2000 while reducing their carbon footprint. 2. Overview Brocade routers provide high-performance routing to service providers, metro topologies, and Internet Exchange Points. Each router is a multi-chip standalone cryptographic module. Each device has an opaque enclosure with tamper detection tape for detecting any unauthorized physical access to the device. The NetIron family includes both chassis and fixed-port devices. Brocade MLXe series devices are chassis devices. A NetIron chassis contains slots for management card(s), Switch Fabric Module(s) (SFM), and interface modules. The SFM pass data packets between the various modules. The interface modules themselves forward data without any cryptographic operation or pass data packets to the management module, if any cryptographic operation has to be performed. The cryptographic boundary of a Brocade MLXe series device is a chassis with one management card with tamper detection tape for detecting any unauthorized physical access to the device. The power supplies and fan tray assemblies are part of the cryptographic boundary and can be replaced in the field. Unpopulated power supply locations are covered by opaque filler panels, which are part of the cryptographic boundary when the secondary redundant power supplies not used. Opaque filler panels are not available for installation in place of a fan tray assembly in the field. Opaque filler panels cover all unpopulated management module, switch fabric module and interface module slots. The cryptographic boundary of a CER 2000 series device is an opaque enclosure with tamper detection tape for detecting any unauthorized physical access to the device. Within the NetIron family, the CER 2000 series are fixed-port devices. Brocade Communications Systems, Inc. Page 7 of 44 NI 5.1.01a Non-Proprietary Security Policy Version 2.6 2.1 Brocade MLXe series Table 1 MLXe Series Firmware Version Firmware IronWare Release R05.1.01a Table 2 MLXe Series Part Numbers SKU MFG Part Number Brief Description Brocade MLXe-4 AC system with 2 high speed switch fabric modules, 1 1200W AC power supply, BR-MLXE-4-MR-M-AC 80-1006853-01 4 exhaust fan assembly kits and air filter. MLX management module included. Brocade MLXe-4 DC system with 2 high speed switch fabric modules, 1 1200W DC power BR-MLXE-4-MR-M-DC 80-1006854-01 supply, 4 exhaust fan assembly kits and air filter. MLX management module included. Brocade MLXe-8 AC system with 2 high speed switch fabric modules, 2 1200W AC power BR-MLXE-8-MR-M-AC 80-1004809-04 supplies, 2 exhaust fan assembly kits and air filter. MLX management module included. Brocade MLXe-8 DC system with 2 high speed switch fabric modules, 2 1200W DC power BR-MLXE-8-MR-M-DC 80-1004811-04 supplies, 2 exhaust fan assembly kits and air filter. MLX management module included Brocade MLXe-16 AC system with 3 high speed switch fabric modules, 4 1200W AC power BR-MLXE-16-MR-M-AC 80-1006820-02 supplies, 2 exhaust fan assembly kits and air filter. MLX management module included. Brocade MLXe-16 DC system with 3 high speed switch fabric modules, 4 1200W DC power BR-MLXE-16-MR-M-DC 80-1006822-02 supplies, 2 exhaust fan assembly kits and air filter. MLX management module included. Table 3 MLXe Management Module Part Numbers SKU MFG Part Number Brief Description NetIron MLX Series management module with 1 GB ECC memory, dual PCMCIA slots, EIA/TIA-232 (RS- NI-MLX-MR 80-1006778-01 232) serial console port and 10/100/1000 Ethernet port for out-of band management Table 4 MLXe Switch Fabric Module Part Numbers SKU MFG Part Number Brief Description MLXe/MLX/XMR high speed switch fabric module NI-X-4-HSF 80-1003891-02 for 4-slot chassis MLXe/MLX/XMR high speed switch fabric module NI-X-16-8-HSF 80-1002983-01 for 8-slot and 16-slot chassis Brocade Communications Systems, Inc. Page 8 of 44 NI 5.1.01a Non-Proprietary Security Policy Version 2.6 Table 5 MLXe Power Supply Part Numbers SKU MFG Part Number Brief Description NI-X-ACPWR-A 80-1003812-02 4-slot MLX AC power supply, 1200W NI-X-DCPWR-A 80-1003813-02 4-slot MLX DC power supply, 1200W NI-X-ACPWR 80-1003811-02 16-slot and 8-slot MLX AC power supply, 1200W NI-X-DCPWR 80-1002756-03 16-slot and 8-slot MLX DC power supply, 1200W Table 6 MLXe Fan Module Part Numbers SKU MFG Part Number Brief Description BR-MLXE-4-FAN 80-1004114-01 MLXe-4 exhaust fan assembly kit 80-1004113-01 BR-MLXE-8-FAN MLXe-8 exhaust fan assembly kit 80-1004112-01 BR-MLXE-16-FAN MLXe-16 exhaust fan assembly kit Table 7 MLXe Filler Panel Part Numbers SKU MFG Part Number Brief Description NI-X-MPNL 80-1004760-02 NetIron XMR/MLX Series management module blank panel NI-X-IPNL 80-1006511-02 NetIron XMR/MLX Series interface module blank panel NetIron XMR/MLX switch fabric module blank panel for 16- and 8- NI-X-SF3PNL 80-1004757-02 slot chassis NetIron XMR/MLX switch fabric module blank panel for 4-slot NI-X-SF1PNL 80-1003009-01 chassis NetIron XMR/MLX power supply blank panel for 16-and 8-slot NI-X-PWRPNL 80-1003052-01 chassis NI-X-PWRPNL-A 80-1003053-01 NetIron XMR/MLX power supply blank panel for 4-slot chassis Brocade Communications Systems, Inc. Page 9 of 44 NI 5.1.01a Non-Proprietary Security Policy Version 2.6 Table 8 Validated MLXe Configurations Validated MLXe Configurations MLXe Model SKUs (Count) Chassis: BR-MLXE-4-MR-M-AC Management Module: NI-MLX-MR (1) Management Module Filler Panels: NI-X-MPNL (1) Switch Fabric Modules: NI-X-4-HSF (2) Switch fabric Module Filler Panels: NI-X-SF1PNL (1) Interface Modules: None Interface Module Filler Panels: NI-X-IPNL (4) Fan Modules: BR-MLXE-4-FAN (4) AC Power Supply Modules: NI-X-ACPWR-A (1) Power Supply Filler Panels: NI-X-PWRPNL-A (3) MLXe-4 Chassis: BR-MLXE-4-MR-M-DC Management Module: NI-MLX-MR (1) Management Module Filler Panels: NI-X-MPNL (1) Switch Fabric Modules: NI-X-4-HSF (2) Switch fabric Module Filler Panels: NI-X-SF1PNL (1) Interface Modules: None Interface Module Filler Panels: NI-X-IPNL (4) Fan Modules: BR-MLXE-4-FAN (4) DC Power Supply Modules: NI-X-DCPWR-A (1) Power Supply Filler Panels: NI-X-PWRPNL-A (3) Chassis: BR-MLXE-8-MR-M-AC Management Module: NI-MLX-MR (1) Management Module Filler Panels: NI-X-MPNL (1) Switch Fabric Modules: NI-X-16-8-HSF (2) Switch fabric Module Filler Panels: NI-X-SF3PNL (1) Interface Modules: None Interface Module Filler Panels: NI-X-IPNL (8) Fan Modules: BR-MLXE-8-FAN (2) AC Power Supply Modules: NI-X-ACPWR (2) Power Supply Filler Panels: NI-X-PWRPNL (2) MLXe-8 Chassis: BR-MLXE-8-MR-M-DC Management Module: NI-MLX-MR (1) Management Module Filler Panels: NI-X-MPNL (1) Switch Fabric Modules: NI-X-16-8-HSF (2) Switch fabric Module Filler Panels: NI-X-SF3PNL (1) Interface Modules: None Interface Module Filler Panels: NI-X-IPNL (8) Fan Modules: BR-MLXE-8-FAN (2) DC Power Supply Modules: NI-X-DCPWR (2) Power Supply Filler Panels: NI-X-PWRPNL(2) Brocade Communications Systems, Inc. Page 10 of 44 NI 5.1.01a Non-Proprietary Security Policy Version 2.6 Validated MLXe Configurations MLXe Model SKUs (Count) Chassis: BR-MLXE-16-MR-M-AC Management Module: NI-MLX-MR (1) Management Module Filler Panels: NI-X-MPNL (1) Switch Fabric Modules: NI-X-16-8-HSF (3) Switch fabric Module Filler Panels: NI-X-SF3PNL (1) Interface Modules: None Interface Module Filler Panels: NI-X-IPNL (16) Fan Modules: BR-MLXE-16-FAN (2) AC Power Supply Modules: NI-X-ACPWR (4), Power Supply Filler Panels: NI-X-PWRPNL (4) MLXe-16 Chassis: BR-MLXE-16-MR-M-DC Management Module: NI-MLX-MR (1) Management Module Filler Panels: NI-X-MPNL (1) Switch Fabric Modules: NI-X-16-8-HSF (3) Switch fabric Module Filler Panels: NI-X-SF3PNL (1) Interface Modules: None Interface Module Filler Panels: NI-X-IPNL (16) Fan Modules: BR-MLXE-16-FAN (2) DC Power Supply Modules: NI-X-DCPWR (4), Power Supply Filler Panels: NI-X-PWRPNL (4) Figure 1 illustrates the MLXe-4 cryptographic module. Table 8 defines the configuration of the validated MLXe-4. The management module, switch fabric module and power supply module locations are defined by the red ovals in Figure 1. Figure 1 MLXe-4 cryptographic module Switch Fabric Switch Fabric Module 2 Module 1 Management Module Power Supply Module Brocade Communications Systems, Inc. Page 11 of 44 NI 5.1.01a Non-Proprietary Security Policy Version 2.6 Figure 2 illustrates the MLXe-8 cryptographic module. Table 8 defines the configuration of the validated MLXe- 8. The management module, switch fabric module and power supply module locations are defined by the red ovals in Figure 2. Figure 2 MLXe-8 cryptographic module Switch Fabric Module 1 Switch Fabric Module 2 Management Module Power Supply 2 Power Supply 1 Figure 3 illustrates the MLXe-16 cryptographic module. Table 8 defines the configuration of the validated MLXe-16. The management module, switch fabric module and power supply module locations are defined by the red ovals in Figure 3. Figure 3 MLXe-16 cryptographic module Switch Fabric Modules 1 & 3 Switch Fabric Management Module Module 2 Power Supplies 1-4 Brocade Communications Systems, Inc. Page 12 of 44 NI 5.1.01a Non-Proprietary Security Policy Version 2.6 2.2 Brocade CER 2000 series Brocade NetIron CER 2000 series devices are single CPU devices that can have one plug-in module depending upon the system configuration. The cryptographic boundary of a Brocade NetIron CER device is the entire unit. Table 9 CER Series Firmware Version Firmware IronWare Release R05.1.01a Table 10 CER 2000 Series Part Numbers CER 2000 Series Part Numbers SKU MFG Part Number Brief Description NetIron CER 2048F includes 48 SFP ports of 100/1000 Mbps Ethernet. The router also includes NI-CER-2048F-ADVPREM-AC 80-1003769-07 500W AC power supply (RPS9), and ADV_PREM (Advanced Services software NetIron CER 2048F includes 48 SFP ports of 100/1000 Mbps Ethernet. The router also includes NI-CER-2048F-ADVPREM-DC 80-1003770-08 500W DC power supply (RPS9DC), and ADV_PREM (Advanced Services software NetIron CER 2048FX includes 48 SFP ports of 100/1000 Mbps Ethernet with 2 ports of 10 Gigabit NI-CER-2048FX-ADVPREM-AC 80-1003771-07 Ethernet XFP for uplink connectivity. The router also includes 500W AC power supply (RPS9), and ADV_PREM (Advanced Services software NetIron CER 2048FX includes 48 SFP ports of 100/1000 Mbps Ethernet with 2 ports of 10 Gigabit NI-CER-2048FX-ADVPREM-DC 80-1003772-08 Ethernet XFP for uplink connectivity. The router also includes 500W DC power supply (RPS9DC), and ADV_PREM (Advanced Services software NetIron CER 2024F includes 24 SFP ports of 100/1000 Mbps Ethernet with 4 combination RJ45/SFP Gigabit Ethernet for uplink connectivity. NI-CER-2024F-ADVPREM-AC 80-1006902-02 Optional slot for 2 ports of 10 Gigabit Ethernet XFP, 500W AC power supply (RPS9), and Advanced Services software NetIron CER 2024F includes 24 SFP ports of 100/1000 Mbps Ethernet with 4 combination RJ45/SFP Gigabit Ethernet for uplink connectivity. NI-CER-2024F-ADVPREM-DC 80-1006904-02 Optional slot for 2 ports of 10 Gigabit Ethernet XFP, 500W DC power supply (RPS9DC), and Advanced Services software NetIron CER 2024C includes 24 RJ45 ports of 10/100/1000 Mbps Ethernet with 4 combination RJ45/SFP Gigabit Ethernet for uplink connectivity. NI-CER-2024C-ADVPREM-AC 80-1007032-02 Optional slot for 2 ports of 10 Gigabit Ethernet XFP, 500W AC power supply (RPS9), and Advanced Services software Brocade Communications Systems, Inc. Page 13 of 44 NI 5.1.01a Non-Proprietary Security Policy Version 2.6 CER 2000 Series Part Numbers SKU MFG Part Number Brief Description NetIron CER 2024C includes 24 RJ45 ports of 10/100/1000 Mbps Ethernet with 4 combination RJ45/SFP Gigabit Ethernet for uplink connectivity. NI-CER-2024C-ADVPREM-DC 80-1007034-02 Optional slot for 2 ports of 10 Gigabit Ethernet XFP, 500W DC power supply (RPS9DC), and Advanced Services software NetIron CER 2048C includes 48 RJ45 ports of 10/100/1000 Mbps Ethernet with 4 combination NI-CER-2048C-ADVPREM-AC 80-1007039-02 RJ45/SFP Gigabit Ethernet for uplink connectivity. The router also includes 500W AC power supply (RPS9), and Advanced Services software NetIron CER 2048C includes 48 RJ45 ports of 10/100/1000 Mbps Ethernet with 4 combination NI-CER-2048C-ADVPREM-DC 80-1007040-02 RJ45/SFP Gigabit Ethernet for uplink connectivity. The router also includes 500W DC power supply (RPS9DC), and Advanced Services software NetIron CER 2048CX includes 48 RJ45 ports of 10/100/1000 Mbps Ethernet with 2 ports of 10 NI-CER-2048CX-ADVPREM-AC 80-1007041-02 Gigabit Ethernet XFP for uplink connectivity. The router also includes 500W AC power supply (RPS9), and ADV_PREM (Advanced Services software NetIron CER 2048CX includes 48 RJ45 ports of 10/100/1000 Mbps Ethernet with 2 ports of 10 NI-CER-2048CX-ADVPREM-DC 80-1007042-02 Gigabit Ethernet XFP for uplink connectivity. The router also includes 500W DC power supply (RPS9DC), and ADV_PREM (Advanced Services software Table 11 CER Interface Module Part Numbers SKU MFG Part Number Brief Description NI-CER-2024-2X10G 80-1003719-03 NetIron CER 2000 Series 2x10G XFP uplink Table 12 CER Power Supply Part Numbers SKU MFG Part Number Brief Description RPS9 80-1003868-01 AC POWER SUPPLY FOR NI CER SERIES, 500W RPS9DC 80-1003869-02 DC POWER SUPPLY FOR NI CER SERIES, 500W Brocade Communications Systems, Inc. Page 14 of 44 NI 5.1.01a Non-Proprietary Security Policy Version 2.6 Table 13 Validated CER 2000 Series Configurations Validated CER 2000 Series Configurations CER Model SKUs (Count) Base: NI- CER-2048F-AC Interface module: None NI-CER-2048F-ADVPREM-AC License: SW-CER-2048-ADVU (1) Power supply: RPS9(1) Base: NI-CER-2048F-DC Interface module: None NI-CER-2048F-ADVPREM-DC License: SW-CER-2048-ADVU (1) Power supply: RPS9DC(1) Base: NI-CER-2048FX-AC Interface module: NI-CER-2024-2X10G (1) NI-CER-2048FX-ADVPREM-AC License: SW-CER-2048-ADVU (1) Power supply: RPS9(1) Base: NI-CER-2048FX-DC Interface module: NI-CER-2024-2X10G NI-CER-2048FX-ADVPREM-DC License: SW-CER-2048-ADVU (1) Power supply: RPS9DC(1) Base: NI-CER-2024F-AC Interface module: None NI-CER-2024F-ADVPREM-AC License: SW-CER-2024-ADVU (1) Power supply: RPS9(1) Base: NI-CER-2024F-DC Interface module: None NI-CER-2024F-ADVPREM-DC License: SW-CER-2024-ADVU (1) Power supply: RPS9DC(1) Base: NI-CER-2024C-AC Interface module: None NI-CER-2024C-ADVPREM-AC License: SW-CER-2024-ADVU (1) Power supply: RPS9(1) Base: NI-CER-2024C-DC Interface module: None NI-CER-2024C-ADVPREM-DC License: SW-CER-2024-ADVU (1) Power supply: RPS9DC(1) Base: NI-CER-2048C-AC Interface module: None NI-CER-2048C-ADVPREM-AC License: SW-CER-2048-ADVU (1) Power supply: RPS9(1) Base: NI-CER-2048C-DC Interface module: None NI-CER-2048C-ADVPREM-DC License: SW-CER-2048-ADVU (1) Power supply: RPS9DC(1) Brocade Communications Systems, Inc. Page 15 of 44 NI 5.1.01a Non-Proprietary Security Policy Version 2.6 Validated CER 2000 Series Configurations CER Model SKUs (Count) Base: NI-CER-2048CX-AC Interface module: NI-CER-2024-2X10G (1) NI-CER-2048CX-ADVPREM-AC License: SW-CER-2048-ADVU (1) Power supply: RPS9(1) Base: NI-CER-2048CX-DC Interface module: NI-CER-2024-2X10G (1) NI-CER-2048CX-ADVPREM-DC License: SW-CER-2048-ADVU (1) Power supply: RPS9DC(1) Figure 4 illustrates the CER 2024C cryptographic module. Table 13 defines the configuration of the validated CER 2024C modules. Figure 4 CER 2024C cryptographic module Figure 5 illustrates the CER 2024F cryptographic module. Table 13 defines the configuration of the validated CER 2024F modules. Figure 5 CER 2024F cryptographic module Figure 6 illustrates the CER 2048C cryptographic module. Table 13 defines the configuration of the validated CER 2048C modules. Figure 6 CER 2048C cryptographic module Brocade Communications Systems, Inc. Page 16 of 44 NI 5.1.01a Non-Proprietary Security Policy Version 2.6 Figure 7 illustrates the CER 2048CX cryptographic module. Table 13 defines the configuration of the validated CER 2048CX modules. Figure 7 CER 2048CX cryptographic module Figure 8 illustrates the CER 2048F cryptographic module. Table 13 defines the configuration of the validated CER 2048F modules. Figure 8 CER 2048F cryptographic modules Figure 9 illustrates the CER 2048FX cryptographic module. Table 13 defines the configuration of the validated CER 2048FX modules. Figure 9 CER 2048FX cryptographic module 2.3 Ports and Interfaces Each NetIron device provides network ports, management connectors, and status LED. This section describes the physical ports and the interfaces they provide for Data Input, Data Output, Control Input, and Control Output. 2.3.1 Brocade MLXe Series Although not part of this validation, the Brocade MLXe series chassis supports a variety of interface modules. Interface modules are available to provide Ethernet and Synchronous Optical Networking (SONET) ports with multiple connector types and transmission rates. Models in the series can provide up to:  256 10 Gigabit Ethernet ports per chassis  1536 Gigabit Ethernet ports per chassis,  64 OC-192 SONET ports per chassis, or  256 OC-48 SONET ports per chassis See section Interface modules for supported interface modules, the ports each provides, and the corresponding status indicators. 2.3.2 MLX Management Cards Each management module provides physical ports and status indicators. These are: Brocade Communications Systems, Inc. Page 17 of 44 NI 5.1.01a Non-Proprietary Security Policy Version 2.6  Dual PCMCIA slots for external storage.  EIA/TIA-232 Serial port for a console terminal, and  10/100/1000 Mbps Ethernet port for out-of-band management. See [53-1001966-01] section Management Modules for detailed descriptions of management card ports and status indicators. 2.3.3 Brocade NetIron CER 2000 Series Models in the Brocade NetIron CER 2000 series provide either 24 or 48 Gigabit Ethernet ports. The series supports both copper and fiber connecters with some models supporting combination ports. Some models support 10 Gigabit Ethernet uplink ports. All models have an out-of-band Ethernet management port and a console management port (Gigabit Ethernet RJ-45 connector and serial connector, respectively). See [53-1001966-01] section Hardware features for detailed descriptions of network ports (including combination ports), management ports, and status indicators provided by each model. 2.3.4 Interfaces Table 14 shows the correspondence between the physical interfaces of NetIron devices and logical interfaces defined in FIPS 140-2. Table 14 Physical/Logical Interface Correspondence Physical Interface Logical Interface Networking ports Data input Console Networking ports Data output Console Networking ports Console Control input PCMCIA Networking ports Console Status output LED PCMCIA Power plugs Power 2.3.4.1 Status LEDs Table 15 Power and fan status LEDs for the CER 2024 models LED Position State Meaning The fan tray is powered on and is Green operating normal Amber or Right side of front Fan (labeled Fn) Green The fan tray is not plugged in. panel blinking The fan tray is plugged in but one or Amber more fans are faulty. Brocade Communications Systems, Inc. Page 18 of 44 NI 5.1.01a Non-Proprietary Security Policy Version 2.6 LED Position State Meaning Power supply 1 is not installed or is not Off providing power. Right side of front Power supply 1 is installed, but not AC PS1 (labeled P1) Amber panel connected or a fault is detected. Power supply 1 is installed and is Green functioning normally. Power supply 2 is not installed or is not Off providing power. Right side of front Power supply 2 is installed, but not AC PS2 (labeled P2) Amber panel connected or a fault is detected. Power supply 2 is installed and is Green functioning normally Table 16 Power and fan status LEDs for the CER 2048 models1 LED Position State Meaning The fan tray is powered on and is Green operating normal Amber or Left side of front Fan (labeled Fn) green The fan tray is not plugged in. panel blinking The fan tray is plugged in but one or Amber more fans are faulty. Power supply 1 is not installed or is not Off providing power. Left side of front Power supply 1 is installed, but not PS1 (labeled P1) Amber panel connected or a fault is detected. Power supply 1 is installed and is Green functioning normally. Power supply 2 is not installed or is not Off providing power. Left side of front Power supply 2 is installed, but not PS2 (labeled P2) Amber panel connected or a fault is detected. Power supply 2 is installed and is Green functioning normally Off No DC Power The power supply has DC power, but the Amber output is disabled or the power supply is over temperature or the fan failed Right side of front DC panel Power supply has DC power, is enabled Green and is operating normal. Green Power supply has input power, but the blinking DC output is disabled The LEDs for the CER 2048CX, 2048F, and 2048FX models are just below the management Ethernet port on the left 1 side of the front panel, labeled P1, P2, and Fn, left to right. The LEDs for the 2048C are just below the console connector on the left side of the front panel, labeled P1, P2, and Fn, left to right. Brocade Communications Systems, Inc. Page 19 of 44 NI 5.1.01a Non-Proprietary Security Policy Version 2.6 Table 17 Power and fan status LEDs for the NI-MLX-MR Management Module LED State Meaning The module is functioning as the active On management module Active The module is not managing the switch Off fabric and interface modules in the chassis. On The module is receiving power Pwr Off The module is not receiving power Green A link is established with a remote port 10/100/1000 The port is not transmitting or receiving Ethernet Port Off packets 2.4 Modes of Operation The NetIron cryptographic module has two modes of operation: FIPS Approved mode and non-FIPS Approved mode. Section 4 describes services and cryptographic algorithms available in FIPS-Approved mode. In non- FIPS Approved mode, the module runs without these FIPS policy rules applied. Section 6.1.1 FIPS Approved Mode describes how to invoke FIPS-Approved mode. The module does not support bypass. 2.5 Module Validation Level The module meets an overall FIPS 140-2 compliance of security level 2 with Design Assurance level 3. Table 18 NetIron Security Levels Security Requirements Section Level Cryptographic Module Specification 2 Cryptographic Module Ports and Interfaces 2 Roles, Services, and Authentication 2 Finite State Model 2 Physical Security 2 Cryptographic Key Management 2 Electromagnetic Interference/Electromagnetic Compatibility (EMI/EMC) 2 Self-Tests 2 Design Assurance 3 Mitigation of Other Attacks N/A Operational Environment N/A 3. Roles In FIPS Approved mode, NetIron supports three roles: Crypto Officer, Port Configuration Administrator, and User: 1. Crypto Officer Role: The Crypto Officer role on the device in FIPS Approved mode is equivalent to administrator or super-user in non-FIPS mode. Hence, the Crypto Officer role has complete access to the system. 2. Port Configuration Administrator Role: The Port Configuration Administrator role on the device in FIPS Approved mode is equivalent to the port-config, a port configuration user in non-FIPS Approved mode. Brocade Communications Systems, Inc. Page 20 of 44 NI 5.1.01a Non-Proprietary Security Policy Version 2.6 Hence, the Port Configuration Administrator role has read-and-write access for specific ports but not for global (system-wide) parameters. 3. User Role: The User role on the device in FIPS Approved mode has read-only privileges and no configuration mode access (user). 4. Unauthenticated Role: The unauthenticated role on the device in FIPS mode is possible while using serial console to access the device. Console is considered as a trusted channel. The scope of the role is same as the User Role without authentication. The enable command allows user to authenticate using a different role. Based on the authentication method mentioned in section 5.2, the role would change to one of Crypto Officer, Port Configuration Administrator or User role. The User role has read-only access to the cryptographic module while the Crypto Officer role has access to all device commands. NetIron modules do not have a maintenance interface. See section 4 Services, section Password Assignment in [53-1001966-01], and section Assigning Permanent Passwords in [53-1001967-03] for details of role capabilities. Within this document, Section 5.2 Authentication describes the authentication policy for the user roles. 4. Services The services available to an operator depend on the operator’s role. Unauthenticated operators may view externally visible status LED. LED signals indicate status that allows operators determine if the network connections are functioning properly. Unauthenticated operators can also perform self-test via power-cycle. They can also view the module status via “fips show”. For all other services, an operator must authenticate to the device as described in section 5.2 Authentication. NetIron devices provide services for remote communication (SSH, SCP, HTTPS, SNMPv3 and Console) for management and configuration of cryptographic functions. The following subsections describe services available to operators based on role. Each description includes lists of cryptographic functions and critical security parameter (CSP) associated with the service. Table 19 summarizes the available FIPS-Approved cryptographic functions. Table 20 lists cryptographic functions that while not FIPS-Approved are allowed in FIPS Approved mode of operation. Table 19 FIPS Approved Cryptographic Functions Label Cryptographic Function AES Advanced Encryption Algorithm Triple-DES Triple Data Encryption Algorithm SHA Secure Hash Algorithm HMAC Keyed-Hash Message Authentication code DRBG Deterministic Random Bit Generator DSA Digital Signature Algorithm RSA Rivest Shamir Adleman Signature Algorithm Table 20 FIPS Non-Approved Cryptographic Functions Allowed in FIPS Approved Mode Label Cryptographic Functions KW RSA Key Wrapping DH Diffie-Hellman key agreement SNMP SNMPv3 MD5 Message-Digest algorithm 5 KDF SSHv2 Key Derivation Function Brocade Communications Systems, Inc. Page 21 of 44 NI 5.1.01a Non-Proprietary Security Policy Version 2.6 4.1 User Role Services 4.1.1 SSH This service provides a secure session between a NetIron device and a SSH client. The NetIron device authenticates a SSH client and provides an encrypted communication channel. An operator may use a SSH session for managing the device via the command line interface. NetIron devices support two kinds of SSH client authentication: password and keyboard interactive. For password authentication, an operator attempting to establish a SSH session provides a password through the SSH client. The NetIron device authenticates operator with passwords stored on the device, on a TACACS or TACACS+ server, or on a RADIUS server. Section 5.2 Authentication provides authentication details. The keyboard interactive (KI) authentication goes one-step ahead. It allows multiple challenges to be issued by the NetIron device, using the backend RADIUS or TACACS+ server, to the SSH client. Only after the SSH client responds correctly to the challenges, will the SSH client get authenticated and proper access is given to the NetIron device. In User Role access, the client is given access to three commands: enable, exit and terminal. The enable command allows user to reauthenticate using a different role. If the role is same, based on the credentials given during the enable command, the user has access to a small subset of commands that can perform ping, traceroute, outbound telnet client in addition to show commands. 4.1.2 HTTPS This service provides a graphical user interface for managing a NetIron MLXe device over a secure communication channel. The HTTPS service is not supported on CER 2000 Series devices. Using a web browser, an operator connects to a designated port on a NetIron device. The device negotiates a TLS connection with the browser and authenticates the operator. The device uses HTTP over TLS with cipher suites TLS_RSA_WITH_AES_128_CBC_SHA, TLS_RSA_WITH_AES_256_CBC_SHA, and TLS_RSA_WITH_3DES_EDE_CBC_SHA. In User role, after successful login, the default HTML page is same for any role. The user can surf to any page after clicking on any URL. However, this user is not be allowed to make any modifications. If the user presses the ‘Modify’ button within any page, the user will be challenged to reenter the crypto officer’s credentials. The challenge dialog box does not close unless the user provides the crypto-officer’s access credentials. After three failed attempts, the page ‘Protected Object’ is displayed, in effect disallowing any changes from the web. 4.1.3 SNMP The SNMP service within user role allows read-only access to the SNMP MIB within the NetIron device, using SNMPv1, v2c or v3 versions. The device does not provide SNMP access to CSPs when operating in FIPS Approved mode. These CSP MIB objects are a small subset of MIB that represent the security parameters like passwords, secrets and keys. Other MIB objects are made available for read-only access (status output). 4.1.4 Console Console connection occurs via a directly connected RS-232 serial cable. Once authenticated as the User, the module provides console commands to display information about a NetIron device and perform basic tasks (such as pings). The User role has read-only privileges and no configuration mode access. The list of commands available are same as the list mentioned in the SSH service. 4.2 Port Configuration Administrator Role Services 4.2.1 SSH Section 4.1.1, above, describes this service. The port configuration administrator will have 7 commands, which allows this user to run show commands, run ping or traceroute and the enable command which allows this user to reauthenticate as described in section 4.1.1. Within the configuration mode, this role provides access to all the port configuration commands, e.g. All sub-commands within “interface eth 1/1” command. This operator can transfer and store software images and configuration files between the network and the system, and review the configuration Brocade Communications Systems, Inc. Page 22 of 44 NI 5.1.01a Non-Proprietary Security Policy Version 2.6 4.2.2 HTTPS Section 4.1.2, above, describes this service. Like the User role, the Port Configuration Administrator role user is allowed to view all the web pages. In addition, this user is allowed to modify any configuration that is related to an interface. For example, the Configuration->Port page will allow this operator to make changes to individual port properties within the page. 4.2.3 SNMP Section 4.1.3, above, describes this service. The SNMP service is not available for a port configuration under the administrator role. 4.2.4 Console Section 4.1.4, above, describes this service. Console access as the Port Configuration Administrator provides an operator with the same capabilities as User Console commands plus configuration commands associated with a network port on the device. The list of commands available are same as those mentioned in the SSH service. 4.3 Crypto Officer Role Services 4.3.1 SSH In addition to the two methods of authentication, password and keyboard interactive, described in section 4.1.1, SSH service in this role supports public key authentication, in which the device stores a collection of client public keys. Only clients with a private key that corresponds to one of the stored public keys can gain access to the device using SSH. After a client’s public key is found to match one of the stored public keys, the device will give crypto officer access to the entire module. The Crypto Officer can perform configuration changes to the module. This role has full read and write access to the NetIron device. 4.3.2 SCP This is a secure copy service. The service supports both outbound and inbound copies of configuration, binary images, or files. Binary files can be copied and installed similar to TFTP operation (that is, upload from device to host and download from host to device, respectively). SCP automatically uses the authentication methods, encryption algorithm, and data compression level configured for SSH. For example, if password authentication is enabled for SSH, the user is prompted for a user name and password before SCP allows a file to be transferred. One use of SCP on NetIron devices is to copy user digital certificates and host public-private key pairs to the device in support of HTTPS. Other use could be to copy configuration to/from the cryptographic module. 4.3.3 HTTPS Section 4.1.2, above, describes this service. In addition to Port Configuration Administrator-role capabilities, the crypto-officer has complete access to all the web pages and is allowed to make configuration updates through the web pages that support config changes. 4.3.4 SNMP Section 4.1.3, above, describes this service. The SNMP service within crypto-officer role allows read access to the SNMP MIB within the NetIron device, using SNMPv1, v2c or v3 versions. The device does not provide SNMP access to CSPs when operating in FIPS Approved mode. These CSP MIB objects are a small subset of MIB that represent the security parameters like passwords, secrets and keys. Other MIB objects are made available for read-only access (status output). Brocade Communications Systems, Inc. Page 23 of 44 NI 5.1.01a Non-Proprietary Security Policy Version 2.6 4.3.5 Console This service is described in Section 4.1.4 above. Console commands provide an authenticated Crypto Officer complete access to all the commands within the NetIron device. This operator can enable, disable and perform status checks. This operator can also enable any service by configuring the corresponding command. For example, to turn on SSH service, the operator would create a pair of DSA host keys, configure the authentication scheme for SSH access. To enable the Web Management service, the operator would create a pair of RSA host keys and a digital certificate using corresponding commands, and enable the HTTPS server. 4.4 Non-FIPS Mode Services Certain services are available within non-FIPS mode of operation, which are otherwise not available in FIPS mode of operation. They are: 1. TFTP Trivial File Transfer Protocol (TFTP) is a file transfer protocol notable for its simplicity. It is generally o used for automated transfer of configuration or boot files between machines in a local environment. Compared to FTP, TFTP is extremely limited, providing no authentication, and is rarely used interactively by a user. 2. Telnet Telnet is a network protocol used on the Internet or local area networks to provide a o bidirectional interactive text-oriented communication facility using a virtual terminal connection. User data is interspersed in-band with Telnet control information in an 8-bit byte oriented data connection over the Transmission Control Protocol (TCP). 3. SNMP Allows access to Critical Security Parameter (CSP) MIB objects o 4. HTTP This service provides a graphical user interface for managing a NetIron MLXe device over an o unsecure communication channel. The HTTP service is not supported on CER 2000 Series devices. 5. Policies 5.1 Security Rules The cryptographic modules’ design corresponds to the cryptographic module’s security rules. This section documents the security rules enforced by the cryptographic module to implement the security requirements of this FIPS140-2 Level 2 module. 1) The cryptographic module provides role-based authentication. 2) Until the module is placed in a valid role, the operator does not have access to any cryptographic services. 3) The cryptographic module performs the following tests: a) Power up Self-Tests: i) Cryptographic algorithm tests: (1) RC2-40bit key size KAT (encrypt/decrypt) (2) RC4-40bit key size KAT (encrypt/decrypt) (3) DES-56bit key size KAT (encrypt/decrypt) (4) Triple DES-56bit key size KAT (encrypt/decrypt) (5) AES-128,192,256-bit key sizes KAT (encrypt/decrypt) (6) MD2 KAT (Hashing) Brocade Communications Systems, Inc. Page 24 of 44 NI 5.1.01a Non-Proprietary Security Policy Version 2.6 (7) MD5 KAT (Hashing) (8) SHA-1,256,384,512 KAT (Hashing) (9) HMAC-SHA-1,256,384,512 KAT (Hashing) (10) RSA 2048 bit key size KAT (encrypt/decrypt) (11) RSA 2048 bit key size, SHA-256,384,512 Hash KAT (signature/verification) (12) DSA 1024 bit key size, SHA-1 KAT (signature/verification) (13) DRBG KAT ii) Firmware Integrity Test (DSA 1024 bit, SHA-1 Signature Verification) iii) If the module does not detect an error during the Power on Self-Test (POST), at the conclusion of the test, the console displays the message shown below. Crypto module initialization and Known Answer Test (KAT) Passed. iv) If the module detects an error during the POST, at the conclusion of the test, the console displays the message shown below. After displaying the failure message, the module reboots. Crypto Module Failed b) Conditional Self-Tests: i) Continuous Random Number Generator (RNG) test – performed on non-approved RNG. ii) Continuous Random Number Generator test – performed on DRBG. iii) RSA 1024/2048 SHA-1 Pairwise Consistency Test (Sign/Verify) iv) RSA 1024/2048 Pairwise Consistency Test (Encrypt/Decrypt) v) DSA 1024 SHA-1 Pairwise Consistency Test (Sign/Verify) vi) Firmware Load Test (DSA 1024 bit, SHA-1 Signature Verification) vii) Bypass Test: N/A viii) Manual Key Entry Test: N/A 4) At any time the cryptographic module is in an idle state, the operator can command the module to perform the power-up self-test. 5) Data output is inhibited during key generation, self-tests, zeroization, and error states. 6) Status information does not contain CSPs or sensitive data that if used could compromise the module. 5.1.1 Cryptographic Module Operational Rules In order to operate an MLXe and CER 2000 series device securely, an operator should be aware of the following rules for FIPS Approved mode of operation. External communication channels/ports are not be available before initialization of an MLXe and CER 2000 series device. MLXe and CER 2000 series devices use a FIPS Approved random number generator implementing Algorithm Hash DRBG based on hash functions. MLXe and CER 2000 series ensures that the random number seed and seed key input do not have same value. The devices generate seed keys and do not accept a seed key entered manually. MLXe and CER 2000 series devices use FIPS Approved key generation methods:  DSA public and private keys in accordance with [FIPS 186-2+]  RSA public and private keys in accordance with [RSA PKCS #1] MLXe and CER 2000 series devices test the prime numbers generated for both DSA and RSA keys using Miller- Rabin test. See [RSA PKCS #1] Appendix 2.1 A Probabilistic Primality Test. MLXe and CER 2000 series devices use NIST Approved key establishment techniques: Brocade Communications Systems, Inc. Page 25 of 44 NI 5.1.01a Non-Proprietary Security Policy Version 2.6  Diffie-Hellman  RSA Key Wrapping MLXe and CER 2000 series devices restrict key entry and key generation to authenticated roles. MLXe and CER 2000 series devices do not display plaintext secret or private keys. The device displays “…” in place of plaintext keys. MLXe and CER 2000 series devices use automated methods to realize session keys for SSHv2 and HTTPS. MLXe and CER 2000 series perform only “get” operations using SNMP. 5.2 Authentication NetIron devices support role-based authentication. A device can perform authentication and authorization (that is, role selection) using TACACS/TACACS+, RADIUS and local configuration database. Moreover, NetIron supports multiple authentication methods for each service. To implement one or more authentication methods for securing access to the device, an operator in the Crypto Officer role configures authentication-method lists that set the order in which a device consults authentication methods. In an authentication-method list, an operator specifies an access method (SSH, Web, SNMP, and so on) and the order in which the device tries one or more of the following authentication methods: 1. Line password authentication, 2. Enable password authentication, 3. Local user authentication, 4. RADIUS authentication with exec authorization and command authorization, and 5. TACACS/TACACS+ authentication with exec authorization and command authorization When a list is configured, the device attempts the first method listed to provide authentication. If that method is not available, (for example, the device cannot reach a TACACS+ server) the device tries the next method until a method in the list is available or all methods have been tried. NetIron devices allow multiple concurrent operators through SSH and the console. One operator’s configuration changes can overwrite the changes of another operator. See [53-1001966-01] Single user in CONFIG mode. 5.2.1 Line Authentication Method The line method uses the Telnet password to authenticate an operator. To use line authentication, a Crypto Officer must set the Telnet password. See Setting the Telnet password in [53-1001966-01]. Please note that when operating in FIPS mode, Telnet is disabled and Line Authentication is not available. 5.2.2 Enable Authentication Method The enable method uses a password corresponding to each role to authenticate an operator. An operator must enter the read-only password to select the User role. An operator enters the port-config password to the Port Configuration Administrator role. An operator enters the super-user password to select the Crypto Officer Role. To use enable authentication, a Crypto Officer must set the password for each privilege level. See Setting passwords for management privilege levels in [53-1001966-01]. 5.2.3 Local Authentication Method The local method uses a password associated with a user name to authenticate an operator. An operator enters a user name and corresponding password. The NetIron device assigns the role associated with the user name to the operator when authentication is successful. To use local authentication, a Crypto Officer must define user accounts. The definition includes a user name, password, and privilege level (which determines role). See Setting up local user accounts in [53-1001966-01]. Brocade Communications Systems, Inc. Page 26 of 44 NI 5.1.01a Non-Proprietary Security Policy Version 2.6 5.2.4 RADIUS Authentication Method The RADIUS method uses one or more RADIUS servers to verify user names and passwords. The NetIron device prompts an operator for user name and password. The device sends the user name and password to the RADIUS server. Upon successful authentication, the RADIUS server returns the operator’s privilege level, which determines the operator’s role. If a RADIUS server does not respond, the NetIron device will send the user name and password information to the next configured RADIUS server. NetIron series devices support additional command authorization with RADIUS authentication. The following events occur when RADIUS command authorization takes place. 1. A user previously authenticated by a RADIUS server enters a command on the NetIron device. 2. The NetIron device looks at its configuration to see if the command is at a privilege level that requires RADIUS command authorization. 3. If the command belongs to a privilege level that requires authorization, the NetIron device looks at the list of commands returned to it when RADIUS server authenticated the user. NOTE: After RADIUS authentication takes place, the command list resides on the NetIron device. The device does not consult the RADIUS server again once the operator has been authenticated. This means that any changes made to the operator’s command list on the RADIUS server are not reflected until the next time the RADIUS server authenticates the operator, and the server sends a new command list to the NetIron device. To use RADIUS authentication, a Crypto Officer must configure RADIUS server settings along with authentication and authorization settings. See RADIUS configuration procedure in [53-1001966-01]. 5.2.5 TACACS/TACACS+ Authentication Method The TACACS/TACACS+ method use one or more TACACS/TACACS+ servers to verify user names and passwords. For TACACS, the NetIron device prompts an operator for user name and password. The device sends the user name and password to the TACACS server. Upon successful authentication, the NetIron device selects the operator’s role implicitly based on the action requested (for example, User role for a login request or Crypto Officer role for a configure terminal command). For TACACS+ authentication, the NetIron device prompts an operator for a user name, which the device uses to get a password prompt from the TACACS+ server. The operator enters a password, which the device relays to the server for validation. Upon successful authentication, the TACACS+ server supports both exec and command authorization similar to RADIUS authorization described above. To use TACACS/TACACS+ authentication, a Crypto Officer must configure TACACS/TACACS+ server settings along with authentication and authorization settings. See TACACS configuration procedure and TACACS+ configuration procedure in [53-1001966-01]. 5.2.6 Strength of Authentication NetIron devices minimize the likelihood that a random authentication attempt will succeed. The probability that a random guess of a password will succeed is less than 1 in 10,000,000. The probability of a successful random guess of a password during a one-minute period is less than 6 in 1,000,000. Brocade Communications Systems, Inc. Page 27 of 44 NI 5.1.01a Non-Proprietary Security Policy Version 2.6 5.3 Access Control and Critical Security Parameter (CSP) Table 21 Access Control Policy and Critical Security Parameter (CSP) summarizes the access operators in each role have to critical security parameters. Grayed out table cells indicate that the intersection of the role the CSP have not security relevance. The table entries have the following meanings:  r – operator can read the value of the item,  w – operator can write a new value for the item,  x – operator can use the value of the item (for example encrypt with an encryption key), and  d – operator can delete the value of the item by executing a fips zeroize all command. See item 3a in Section 6.1.1.1 and Section 6.1.1.2 for further details. Table 21 Access Control Policy and Critical Security Parameter (CSP) Port User Crypto Officer Administrator Service Console Console Console HTTPS HTTPS HTTPS SNMP SNMP SSH SSH SSH SCP CSP SSH host RSA or x x xwd x wd DSA private key SSH host RSA or x x xrwd xrw rwd DSA public key SSH session key x x x x TLS host RSA x x wd x wd private key TLS host RSA x x rwd x rwd digital certificate TLS pre-master x x x secret TLS session key x x x TLS authentication x x xd key DH Private x x x x Exponent DH Public Key x x x x User Password x x x x xrwd xrwd xrwd x xrwd Port Administrator x x x xrwd xrwd xrwd xrwd Password Crypto Officer xrwd xrwd xrwd xrwd Password RADIUS Secret x x x x x x xrwd xrwd xrwd xrwd TACACS+ Secret x x x x x x xrwd xrwd xrwd xrwd Firmware Integrity / x x x Firmware Load DSA public key DRBG Seed x x x x x x x Brocade Communications Systems, Inc. Page 28 of 44 NI 5.1.01a Non-Proprietary Security Policy Version 2.6 Port User Crypto Officer Administrator Service Console Console Console HTTPS HTTPS HTTPS SNMP SNMP SSH SSH SSH SCP CSP DRBG Value V x x x x x x x x x x x x DRBG Constant C x x x x x x x x x x x x Hash DRBG x x x x x x x x x x x x Entropy 5.3.1 CSP Zeroization The SSH session key is transient. It is zeroized at the end of a session and recreated at the beginning of a new session. The TLS pre-master secret is generated during the TLS handshake. It is destroyed after it is used. The TLS session key is generated for every HTTPS session. The TLS session key is deleted after the session is closed. The DRBG seed and Hash DRBG Entropy is recomputed periodically on 100 millisecond intervals. Each time this occurs, four bytes of the seed are written into an 8K buffer. When the buffer is full the DRBG V and C values are regenerated. The DH private exponent is generated at the beginning of DH KEX. A new random number overwrites the memory location used to store the value each time a new session is initiated. The DSA public key cannot be written, read or deleted. The key pair is prebuilt within the code binary. The key pair is destroyed and recreated each time new firmware is installed. For SSH, the RSA private key is stored in a locally generated file on flash during the key generation process. The file is removed during zeroization. The crypto key zeroize command removes the keys. Executing the no fips enable command zeroizes all RSA private keys. 5.4 Physical Security NetIron devices require the Crypto Officer to install tamper evident labels (TELs) in order to meet FIPS 140-2 Level 2 Physical Security requirements. The TELs are available from Brocade by ordering FIPS Kit (P/N Brocade XBR-000195). The Crypto Officer shall follow the Brocade FIPS Security Seal application procedures prior to operating the module in FIPS mode. The FIPS seal application procedure is available in Appendix A of this document and defined within Brocade document 53-1002118-02. The procedure can be download at http://my.brocade.com (See “Documentation>Technical Documentation>Federal Information Process Standard (FIPS). 6. Crypto Officer Guidance For each module to operate in a FIPS approved mode of operation, the tamper evident seals supplied in the FIPS Kit (P/N Brocade XBR-000195) must be installed, as defined in Appendix A. The FIPS Security Seal Procedures for Brocade MLXe Series and NetIron CER 2000 Series document [53-1002118-02] provides instructions on the proper installation of the tamper evident seals. The security officer is responsible for storing and controlling the inventory of any unused seals. The unused seals shall be stored in plastic bags in a cool, dry environment between 60° and 70° F (15° to 20° C) and less than 50% relative humidity. Rolls should be stored flat on a slit edge or suspended by the core. Brocade Communications Systems, Inc. Page 29 of 44 NI 5.1.01a Non-Proprietary Security Policy Version 2.6 The security officer shall maintain a serial number inventory of all used and unused tamper evident seals. The security officer shall periodically monitor the state of all applied seals for evidence of tampering. A seal serial number mismatch, a seal placement change, a checkerboard destruct pattern that appears in peeled film and adhesive residue on the substrate are evidence of tampering. The security officer shall periodically view each applied seal under a UV light to verify the presence of a UV wallpaper pattern. The lack of a wallpaper pattern is evidence of tampering. The security officer is responsible for returning a module to a FIPS approved state after any intentional or unintentional reconfiguration of the physical security measures. The Brocade MLX Series and NetIron Family Configuration Guide [53-1001965-01] and Brocade MLX Series and NetIron Family Federal Information Processing Standards Guide [53-1002735-01]. In particular, the NetIron family FIPS guide provides configuration instructions specific to operating a NetIron devices in FIPS 140-2 approved mode. 6.1 Mode Status NetIron devices provide the fips show command to display status information about the device’s FIPS mode. This information includes the status of administrative commands for security policy, the status of security policy enforcement, and security policy settings. The fips enable command changes the status of administrative commands; see also section 6.1.1 FIPS Approved Mode. The following example shows the output of the fips show command before an operator enters a fips enable command. Administrative commands for security policy are unavailable (administrative status is off) and the device is not enforcing a security policy (operational status is off). FIPS mode: Administrative Status: OFF, Operational Status: OFF The following example shows the output of the fips show command after an operator enters the fips enable command. Administrative commands for security policy are available (administrative status is on) but the device is not enforcing a security policy yet (operational status is off). The command displays the security policy settings. FIPS mode: Administrative Status: ON, Operational Status: OFF Some shared secrets inherited from non-fips mode may not be fips compliant and has to be zeroized. The system needs to be reloaded to operationally enter FIPS mode. System Specific: OS monitor mode access: Disabled Management Protocol Specific: Telnet server: Disabled TFTP Client: Disabled HTTPS SSL 3.0: Disabled SNMP Access to security objects: Disabled Critical Security Parameter Updates across FIPS Boundary: Protocol shared secret and host passwords: Clear SSH DSA Host Keys: Clear HTTPS RSA Host Keys and Signature: Clear The following example shows the output of the fips show command after the device reloads successfully in the default strict FIPS mode. Administrative commands for security policy are available (administrative status is on) and the device is enforcing a security policy (operational status is on): The command displays the policy settings. FIPS mode: Administrative Status: ON, Operational Status: ON System Specific: OS monitor mode access: Disabled Management Protocol Specific: Brocade Communications Systems, Inc. Page 30 of 44 NI 5.1.01a Non-Proprietary Security Policy Version 2.6 Telnet server: Disabled TFTP Client: Disabled HTTPS SSL 3.0: Disabled SNMP Access to security objects: Disabled Critical Security Parameter Updates across FIPS Boundary: Protocol shared secret and host passwords: Clear SSH DSA Host Keys: Clear HTTPS RSA Host Keys and Signature: Clear 6.1.1 FIPS Approved Mode This section describes FIPS Approved mode of operation and the sequence of actions that put a NetIron device in FIPS Approved mode. FIPS Approved mode disables the following: 1. Telnet access including the telnet server command 2. AAA authentication for the console including the enable aaa console command 3. Command ip ssh scp disable 4. TFTP access 5. SNMP access to CSP MIB objects 6. Access to all commands within the monitor mode 7. HTTP access including the web-management http command (applies to Brocade MLXe series only) 8. HTTPS SSL 3.0 access and RC4 cipher (applies to Brocade MLXe series only) 9. Command web-management allow-no-password (applies to Brocade MLXe series only) Entering FIPS Approved mode also clears: 1. Protocol shared secret and host passwords 2. SSH DSA host keys 3. HTTPS RSA host keys and certificate (applies Brocade MLXe series only) FIPS Approved mode enables: 1. SCP 2. HTTPS TLS version 1.0 and greater (applies to Brocade MLXe series only) In FIPS Approved mode, NetIron devices provide FIPS-Approved cryptographic algorithms as well as non- Approved security functions. Table 22 Algorithm Certificates Algorithm Supports Certificate Advanced Encryption Algorithm (AES) 128-, 192, and 256-bit keys, ECB and CBC mode Cert. #1615 Triple Data Encryption Algorithm (Triple- KO 1,2 ECB and CBC mode Cert. #1056 DES) Secure Hash Algorithm SHA-1, SHA-256, SHA-384, and SHA-512 Cert. #1424 Keyed-Hash Message Authentication code HMAC SHA-1, HMAC SHA-256, HMAC SHA-384, Cert. #947 (HMAC) HMAC SHA-512 Deterministic Random Bit Generator SHA-256 Based SP 800-90 DRBG Cert. #84 (DRBG) Digital Signature Algorithm (DSA) 1024-bit keys Cert. #503 Rivest Shamir Adleman Signature 1024-bit and 2048-bit keys Cert. #793 Algorithm (RSA) Brocade Communications Systems, Inc. Page 31 of 44 NI 5.1.01a Non-Proprietary Security Policy Version 2.6 The following non-Approved but allowed cryptographic methods are allowed within limited scope in the FIPS Approved mode of operation: 1. RSA Key Wrapping (key establishment methodology; 1024-bit keys provide 80 bits strength) 2. Diffie-Hellman (DH) (key agreement, key establishment methodology provides 80 bits of encryption strength) 3. SNMPv3 (Cryptographic function does not meet FIPS requirements and is considered plaintext) 4. MD5 – Used in the TLS v1.0 pseudo-random function (PRF) in FIPS mode (MD5 not exposed to the operator). Also used in TACACS+ packets for message integrity verification (MD5 not exposed to the operator). 5. HMAC-MD5 – Used to support RADIUS authentication 6. SSHv2 Key Derivation Function (KDF) - This is a legacy implementation. 7. Non-approved RNG is allowed to be run in the Approved mode The following non-Approved and not allowed cryptographic methods are not allowed within limited scope in the FIPS Approved mode of operation: 1. MD2 2. RC2 3. RC4 4. DES 6.1.1.1 Invoking FIPS Approved Mode for Brocade MLXe Series Devices To invoke the FIPS Approved mode of operation, perform the following steps from the console terminal. 1. Assume Crypto Officer role 2. Enter command: fips enable a. The device enables FIPS administrative commands. The device is not in FIPS Approved Mode of operation yet. Do not change the default strict FIPS security policy, which is required for FIPS Approved mode. 3. Enter command: fips zeroize all a. The device zeros out the shared secrets use by various networking protocols including host access passwords, SSH host keys, and HTTPS host keys with the digital signature. 4. Save the running configuration: write memory 5. The device saves the running configuration as the startup configuration 6. Reload the device a. The device resets and begins operation in FIPS Approved mode. 7. Enter command: fips show a. The device displays the FIPS-related status, which should confirm the security policy is the default security policy. 8. Inspect the physical security of the module, including placement of tamper evident labels according to Section 6. 6.1.1.2 Invoking FIPS Approved Mode for Brocade NetIron CER 2000 Series Devices To invoke the FIPS Approved mode of operation, perform the following steps from the console terminal. 1. Assume Crypto Officer role 2. Enter command: fips enable Brocade Communications Systems, Inc. Page 32 of 44 NI 5.1.01a Non-Proprietary Security Policy Version 2.6 a. The device enables FIPS administrative commands. The device is not in FIPS Approved Mode of operation yet. Do not change the default strict FIPS security policy, which is required for FIPS Approved mode. 3. Enter command: fips zeroize all a. The device zeros out the shared secrets used by various networking protocols including host access passwords, SSH host keys, and HTTPS host keys with the digital signature. 4. Save the running configuration: write memory 5. The device saves the running configuration as the startup configuration 6. Reload the device a. The device resets and begins operation in FIPS Approved mode. 7. Enter command: fips show a. The device displays the FIPS-related status, which should confirm the security policy is the default security policy. 8. Inspect the physical security of the module, including placement of tamper evident labels according to Section 6. 6.1.1.3 Negating FIPS Approved Mode for Brocade MLXe Series Devices To exit the FIPS Approved mode of operation, perform the following steps from the console terminal. 1. Enter command: no fips enable a. This will return the device back to normal, non-FIPS mode by enabling the networking protocols that were disallowed in FIPS mode of operation. For example, Telnet, HTTP, TFTP will be enabled again. In addition, the restrictions against the non-approved cryptographic algorithms will also be lifted. For example, MD5, DES algorithms would be allowed. b. The device zeroes out the shared secrets used by various networking protocols including host access passwords, SSH host keys, and HTTPS host keys with the digital signature. c. Reload the device to begin non-FIPS mode of operation. 6.1.1.4 Negating FIPS Approved Mode for Brocade CER 2000 Series Devices To exit the FIPS Approved mode of operation, perform the following steps from the console terminal. 1. Enter command: no fips enable a. This will return the device back to normal, non-FIPS mode by enabling the networking protocols that were disallowed in FIPS mode of operation. For example, Telnet, TFTP will be enabled again. In addition, the restrictions against the non-approved cryptographic algorithms will also be lifted. For example, MD5, DES algorithms would be allowed. b. The device zeroes out the shared secrets used by various networking protocols including host access passwords, SSH host keys, and HTTPS host keys with the digital signature. c. Reload the device to begin non-FIPS mode of operation. Brocade Communications Systems, Inc. Page 33 of 44 NI 5.1.01a Non-Proprietary Security Policy Version 2.6 7. References [53-1001965-01] Brocade MLX Series and NetIron Family Configuration Guide, Brocade Communications Systems, Inc., Publication number 53-1001965-02, 4 January 2011 [53-1001966-01] Brocade NetIron CES 2000 and NetIron CER 2000 Hardware Installation Guide, Brocade Communications Systems, Inc., Publication number 53-1001966-01, 07 September 2010 [53-1001967-03] Brocade MLX Series and NetIron XMR Hardware Installation Guide, Brocade Communications Systems, Inc., Publication Number 53-1001967-03, 01 December 2010 [53-1002118-02] FIPS Security Seal Procedures for Brocade MLXe Series and Brocade NetIron CER 2000 Series, Brocade Communications Systems, Inc., Publication number 53-1002118-02, XX August 2012 [53-1002735-01] Brocade MLX Series and NetIron Family Federal Information Processing Standards Guide, Brocade Communications Systems, Inc., Publication number 53-1002735-01, August 2012 [FIPS 186-2+] Federal Information Processing Standards Publication 186-2 (+Change Notice), Digital Signature Standard (DSS), 27 January 2000 [RSA PKCS #1] PKCS #1: RSA Cryptography Specifications Version 2.1, http://tools.ietf.org/html/rfc3447] [SP800-90] National Institute of Standards and Technology Special Publication 800-90, Recommendation for Random Number Generation Using Deterministic Random Bit Generators (Revised), March 2007 Brocade Communications Systems, Inc. Page 34 of 44 NI 5.1.01a Non-Proprietary Security Policy Version 2.6 Appendix A: Tamper Label Application The FIPS Kit (P/N Brocade XBR-000195) contains the following items:  Tamper Evident Security Seals o Count 120 o Checkerboard destruct pattern with ultraviolet visible “Secure” image  53-1002458-02 : FIPS Pointer Document Guideline o This document provides instructions on how to access the [53-1002118-02] FIPS Security Seal Procedures for Brocade MLXe Series and Brocade NetIron CER 2000 Series, document on the MyBrocade website. Use 99% isopropyl alcohols to clean the surface area at each tamper evident seal placement location. Isopropyl alcohol is not provided in the kit. However, 99% isopropyl alcohol is readily available for purchase from a chemical supply company. Prior to applying a new seal to an area, that shows seal residue, use consumer strength adhesive remove to remove the seal residue. Then use additional alcohol to clean off any residual adhesive remover before applying a new seal. Applying seals to a Brocade MLXe-4 device Use the figures in this section as a guide for security seal placement on a Brocade MLXe-4 device. Each Brocade MLXe-4 device requires the placement of fourteen seals:  Front: Affix one seal from the top of the Management Module (MM) to the front panel of the chassis. Affix nine more seals—one from each module to the front panel of the chassis. See Figure 10 for correct seal orientation and positioning.  Rear: Affix four seals from the top panel of the chassis covering a portion of the fan unit lip. You must bend these seals to place them correctly. See Figure 11 for correct seal orientation and positioning. Figure 10 Front view of a Brocade MLXe-4 device with security seals Brocade Communications Systems, Inc. Page 35 of 44 NI 5.1.01a Non-Proprietary Security Policy Version 2.6 Figure 11 Rear and side view of a Brocade MLXe-4 device with security seals Brocade Communications Systems, Inc. Page 36 of 44 NI 5.1.01a Non-Proprietary Security Policy Version 2.6 Applying seals to a Brocade MLXe-8 device Use the figures in this section as a guide for security seal placement on a Brocade MLXe-8 device. Each Brocade MLXe-8 device requires the placement of seventeen seals:  Front: Affix fifteen seals—one seal from each module to the front panel of the chassis. The seal for the Management Module (MM) is vertically oriented and is positioned so that half is affixed to the top panel of the chassis and half of the seal is affixed to the control module. You must bend this seal to position it correctly. See Figure 12 for correct seal orientation and positioning.  Rear: Affix two vertically-oriented seals from the top panel of the chassis covering a portion of the fan unit lip. One seal will be to the left of the upper leftmost securing post; and the other seal will be to the right of the rightmost securing post. You must bend these seals to position them correctly. See Figure 13 for correct seal orientation and positioning. Figure 12 Front view of a Brocade MLXe-8 device with security seals Brocade Communications Systems, Inc. Page 37 of 44 NI 5.1.01a Non-Proprietary Security Policy Version 2.6 Figure 13 Rear and side view of a Brocade MLXe-8 device with security seals Brocade Communications Systems, Inc. Page 38 of 44 NI 5.1.01a Non-Proprietary Security Policy Version 2.6 Applying seals to a Brocade MLXe-16 device Use the figures in this section as a guide for security seal placement on a Brocade MLXe-16 device. Each Brocade MLXe-16 device requires the placement of twenty-four seals:  Front: A total of twenty-two seals must be placed on the front panel of each Brocade MLXe-16 device. See Figure 14 for correct seal orientation and positioning. - Affix eleven vertically-oriented seals along the top row of modules; each seal must be affixed to the front panel of the chassis and to the upper right side of each module. - Affix eleven vertically-oriented seals along the bottom row of modules; each seal must be affixed to the bottom left side of each module and to the front panel of the chassis.  Rear: Affix two vertically-oriented seals from the top panel of the chassis covering a portion of the fan unit lip. One seal will be to the left of the upper leftmost securing post; and the other seal will be to the right of the rightmost securing post. You must bend these seals to position them correctly. See Figure 15 for correct seal orientation and positioning. Figure 14 Front view of a Brocade MLXe-16 device with security seals Brocade Communications Systems, Inc. Page 39 of 44 NI 5.1.01a Non-Proprietary Security Policy Version 2.6 Figure 15 Rear and side view of a Brocade MLXe-16 device with security seals Brocade Communications Systems, Inc. Page 40 of 44 NI 5.1.01a Non-Proprietary Security Policy Version 2.6 Applying seals to Brocade NetIron CER 2024 devices Use the figures in this section as a guide for security seal placement on Brocade NetIron CER 2024C and CER 2024F devices. The connectors on the faceplate of a particular model may vary, but the placement of the seals is the same. Brocade NetIron CER 2024C and CER 2024F devices require the placement of 21 seals:  Top: Affix one seal lengthwise completely covering the top rightmost screw that connects the faceplate to the device. See Figure 16 for correct seal orientation and positioning.  Right and left sides: Affix seven seals on each side of the device. The seals placed on the sides must each be vertically oriented and cover two open holes. See Figure 16 for correct seal orientation and positioning on the right side. The orientation and placement of seals on the left side mirrors the orientation and placement of seals on the right side. See Figure 17 for correct seal orientation and positioning on the left side.  Front: Affix a seal from the front panel to the bottom panel. See Figure 16 for correct seal orientation and placement.  Rear: Affix four seals from the top panel to the rear panel. Affix one seal from the rear panel to the bottom panel. See Figure 17 for correct seal orientation and placement. Figure 16 Front, top, and right side view of a Brocade NetIron CER 2024 device with security seals Brocade Communications Systems, Inc. Page 41 of 44 NI 5.1.01a Non-Proprietary Security Policy Version 2.6 Figure 17 Rear, top, and left side view of a Brocade NetIron CER 2024 device with security seals Brocade Communications Systems, Inc. Page 42 of 44 NI 5.1.01a Non-Proprietary Security Policy Version 2.6 Applying seals to Brocade NetIron CER 2048 devices Use the figures in this section as a guide for security seal placement on Brocade NetIron CER 2048C and CER 2048F series devices. The connectors on the faceplate of a particular model may vary, but the placement of the seals is the same. Brocade NetIron CER 2048C, Brocade NetIron CER 2048CX, Brocade NetIron CER 2048F and Brocade NetIron CER 2048FX devices require the placement of 20 seals:  Top: Affix one seal lengthwise completely covering the top rightmost screw that connects the faceplate to the device. See Figure 18 for correct seal orientation and positioning.  Right and left sides: Affix seven seals on each side of the device. The seals placed on the sides must each be vertically oriented and cover two open holes. See Figure 18 for correct seal orientation and positioning on the right side. The orientation and placement of seals on the left side mirrors the orientation and placement of seals on the right side. See Figure 19 for correct seal orientation and positioning on the left side.  Rear: Affix four seals from the top panel to the rear panel. Affix one seal from the rear panel to the bottom panel. See Figure 19 for correct seal orientation and placement Figure 18 Front, top, and right side view of a Brocade NetIron CER 2048 device with security seals Brocade Communications Systems, Inc. Page 43 of 44 NI 5.1.01a Non-Proprietary Security Policy Version 2.6 Figure 19 Rear, top and left side view of a Brocade NetIron CER 2048 device with security seals Brocade Communications Systems, Inc. Page 44 of 44