WildFire WF-500 FIPS 140-2 Non-Proprietary Security Policy Palo Alto Networks 4401 Great America Parkway Santa Clara, CA 95054 www.paloaltonetworks.com Version: B Revision Date: 3/7/16 www.paloaltonetworks.com © 2016 Palo Alto Networks. Non-proprietary security policy may be reproduced only in its original entirety (without revision). Palo Alto Networks, PAN-OS, and WildFire are trademarks of Palo Alto Networks, Inc. All other trademarks are the property of their respective owners. Change Record Table 1 - Change Record Revision Date Author Description of Change A 12/10/2015 A. Shahhosseini Initial authoring B 3/7/2016 A. Shahhosseini Response to CMVP comments Palo Alto Networks WildFire WF-500 Security Policy Page 2 of 28 Contents 1 Module Overview ............................................................................................................................................. 5 2 Mode of Operation ........................................................................................................................................... 7 2.1 Security Levels......................................................................................................................................................... 7 2.2 FIPS 140-2 Approved Mode of Operation ............................................................................................................... 7 2.3 Approved and Allowed Algorithms ......................................................................................................................... 8 2.4 Non-Approved, Non-Allowed Algorithms .............................................................................................................10 3 Ports and Interfaces........................................................................................................................................ 11 4 Identification and Authentication Policy ........................................................................................................ 12 4.1 Assumption of Roles .............................................................................................................................................12 5 Security Parameters ....................................................................................................................................... 13 6 Access Control Policy ...................................................................................................................................... 15 6.1 Roles and Services.................................................................................................................................................15 6.2 Unauthenticated Services .....................................................................................................................................16 6.3 CSP Access Rights..................................................................................................................................................16 7 Operational Environment ............................................................................................................................... 17 8 Security Rules ................................................................................................................................................. 17 9 Physical Security Policy ................................................................................................................................... 19 9.1 Physical Security Mechanisms ..............................................................................................................................19 9.2 Operator Required Actions ...................................................................................................................................19 10 Mitigation of Other Attacks ............................................................................................................................ 20 11 References ...................................................................................................................................................... 20 12 Definitions and Acronyms .............................................................................................................................. 20 13 Appendix A – WF-500 FIPS Kit Installation Guide (12 Tamper Evident Labels) ..............................................21 Palo Alto Networks WildFire WF-500 Security Policy Page 3 of 28 Tables Table 1 - Change Record ........................................................................................................................................... 2 Table 2 - Validated Version Information................................................................................................................... 5 Table 3 - Module Security Level Specification .......................................................................................................... 7 Table 4 – CAVP Certificates for FIPS Approved Algorithms ...................................................................................... 8 Table 5 - FIPS Allowed Algorithms Used in the Approved Mode.............................................................................. 9 Table 6 - Supported Protocols in the Approved Mode ............................................................................................. 9 Table 7 - Non-Approved, Non-Allowed Algorithms Used in the Non-Approved Mode .........................................10 Table 8 – WF-500 Ports and Interfaces ................................................................................................................... 11 Table 9 – Roles and Authentication ........................................................................................................................ 12 Table 10 - Strength of Authentication Mechanism ................................................................................................ 13 Table 11 - Private Keys and CSPs ............................................................................................................................ 13 Table 12 - Public Keys ............................................................................................................................................. 14 Table 13 - Authenticated Services .......................................................................................................................... 15 Table 14 - Unauthenticated Services ...................................................................................................................... 16 Table 15 - CSP Access Rights within Roles and Services ......................................................................................... 16 Table 16 - Inspection/Testing of Physical Security Mechanisms ............................................................................ 19 Figures Figure 1 – Front View of WF-500 .............................................................................................................................. 5 Figure 2 - Front View of WF-500 with Opacity Shield ............................................................................................... 5 Figure 3 - Rear View of WF-500 with Opacity Shield ................................................................................................ 6 Figure 4 - Right View of WF-500 with Opacity Shields.............................................................................................. 6 Figure 5 - Left View of WF-500 with Opacity Shields ................................................................................................ 6 Figure 6 - Front ports and Interfaces ...................................................................................................................... 11 Figure 7 - Rear ports and Interfaces ....................................................................................................................... 11 Figure 8 – Remove Front Handles and Modules..................................................................................................... 21 Figure 9 – Secure the Front Brackets ...................................................................................................................... 22 Figure 10 - Attach Pull Handles and Front Modules ............................................................................................... 22 Figure 11 – Install Front Opacity Shield .................................................................................................................. 23 Figure 12 – Front Opacity Shield Installed .............................................................................................................. 23 Figure 13 – Install Rear Opacity Shield Tray ........................................................................................................... 24 Figure 14 – Install Rear Opacity Shield ................................................................................................................... 25 Figure 15 – Apply Vent Overlays ............................................................................................................................. 26 Figure 16 – Apply Tamper Labels on Vent Overlays and Side Opening ..................................................................26 Figure 17 – Install Rail Kit ........................................................................................................................................ 27 Figure 18 – Apply Tamper Labels on the Bottom of the Appliance ........................................................................ 27 Figure 19 – Apply Tamper Labels on the Top and Sides of the Appliance ..............................................................28 Palo Alto Networks WildFire WF-500 Security Policy Page 4 of 28 1 Module Overview WildFire WF-500 identifies unknown malware, zero-day exploits, and Advanced Persistent Threats (APTs) through dynamic analysis, and automatically disseminates protection in near real-time to help security teams meet the challenge of advanced cyber-attacks. Unknown files are analyzed by WildFire in a scalable sandbox environment where new threats are identified and protections are automatically developed and delivered in the form of an update. The result is a unique, closed loop approach to controlling cyber threats that begins with positive security controls to reduce the attack surface, inspection of all traffic, ports, and protocols to block all known threats, and rapid detection of unknown threats by observing their actual behavior. The Palo Alto Networks WildFire WF-500 is a multi-chip standalone module. The module is shown in Figure 1. The module boundary is the outer chassis enclosure. The cryptographic boundary includes all of the logical components of the modules and the boundary is the physical enclosure of the WF-500. Figure 2 through Figure 5 provide images of the module with the FIPS kit’s opacity shields in place. See Section 9.1 for details regarding the module’s physical security mechanisms. Table 2 - Validated Version Information FIPS Kit Hardware FIPS Kit Part Firmware Module Part Number Hardware Version Number Version Version WF-500 910-000097-00G Rev G 920-000145 00A 7.0.3 Figure 1 – Front View of WF-500 Figure 2 - Front View of WF-500 with Opacity Shield Palo Alto Networks WildFire WF-500 Security Policy Page 5 of 28 Figure 3 - Rear View of WF-500 with Opacity Shield Figure 4 - Right View of WF-500 with Opacity Shields Figure 5 - Left View of WF-500 with Opacity Shields Palo Alto Networks WildFire WF-500 Security Policy Page 6 of 28 2 Mode of Operation 2.1 Security Levels The cryptographic module meets the overall requirements applicable to Level 2 security of FIPS 140-2. Table 3 - Module Security Level Specification Security Requirements Section Levels Cryptographic Module Specification 3 Cryptographic Module Ports and Interfaces 2 Roles, Services, and Authentication 3 Finite State Model 2 Physical Security 2 Operational Environment N/A Cryptographic Key Management 2 EMI/EMC 2 Self-Tests 2 Design Assurance 3 Mitigation of Other Attacks N/A 2.2 FIPS 140-2 Approved Mode of Operation The module provides both a FIPS 140-2 Approved and non-Approved mode of operation. The following procedure will place the module into the Approved mode of operation: • Install module and interface connections in addition to the FIPS kit. • The tamper evident labels and opacity shields must be installed as per Section 9 for the module to operate in the FIPS Approved mode of operation. • Apply power to the device. • Establish a serial connection to the console port, and command the module to enter into maintenance mode. The module will reboot, and then enter maintenance mode. • After reboot, select “Continue.” • Select the “Set CCEAL4 Mode” option, and press enter. • Select “Enable CCEAL4 Mode”, and press enter. • When prompted, select “Reboot” and the module will re-initialize and continue into the Approved mode. • The module will reboot. • In the Approved mode, the console port is available only as a status output port. Palo Alto Networks WildFire WF-500 Security Policy Page 7 of 28 The module will automatically indicate the Approved mode of operation in the following manner: • Status output interface will indicate “**** CCEAL4 MODE ENABLED ****” via the CLI session. • Status output interface will indicate “CCEAL4 mode enabled successfully” via the console port. Should one or more power-up self-tests fail, the module will not enter the FIPS Approved mode of operation. Feedback will consist of: • The module will output “CCEAL4 failure”. • The module will reboot and enter a state in which the reason for the reboot can be determined by following the on-screen instructions. 2.3 Approved and Allowed Algorithms The cryptographic module has the following CAVP certificates: Table 4 – CAVP Certificates for FIPS Approved Algorithms FIPS Approved Algorithm CAVP Cert. # AES ECB, CBC, CFB, OFB modes (encrypt/decrypt): 128, 192, 256 bits CTR: 128, 192, 256 bits 3475 CCM: 128 bits GCM (encrypt/decrypt): 128, 192, 256 bits Note: GCM is used compliant with SP 800-52 and used in accordance to Section 4 of RFC 5288 for TLS key establishment. RSA (FIPS 186-4) Key Generation: 2048, 3072 bits Signature Generation: ANSI X9.31, 2048, 3072 bits (with SHA 256, 384, 512) Signature Generation: PSS 2048, 3072 bits (with SHA 224, 256, 384 and 512) Signature Generation: PKCS 1.5 2048, 3072 bits (with SHA 256, 1782 384, 512) Signature Verification: ANSI X9.31 1024, 2048, 3072 bits (with SHA-1, 256, 384, 512) Signature Verification: PKCS 1.5 2048, 3072 bits (with SHA-1, 224, 256, 384, 512) Signature Verification: PSS 1024, 2048, 3072 bits (with SHA 1, 224, 256, 384, 512) ECDSA (FIPS 186-4) Signature Verification: 256, 384 bits (with SHA-1, 224, 256, 384, 713 512) HMAC 2220 Palo Alto Networks WildFire WF-500 Security Policy Page 8 of 28 FIPS Approved Algorithm CAVP Cert. # HMAC-SHA-1/256/384/512 SHA 2870 SHA-1, SHA-224, SHA-256, SHA-384, SHA-512 DRBG 870 SP800-90A AES 256 CTR DRBG CVL (SP 800-56A) ECDHE except KDF P-256 564 CVL (SP800-135: TLS 1.0/1.1/1.2, SSH, SNMP) 565 CVL (FIPS 186-4 ECDSA) P-256 and P-384 566 Signature Generation: 256, 384 bits CVL (SP800-56A: Section 5.7.1.2) P-256 and P-384 567 Note: For specifics regarding what is supported in the Approved mode, see subsequent sections below in this document. The cryptographic module supports the following non-FIPS Approved algorithms that are allowed for use in the Approved mode of operation Table 5 - FIPS Allowed Algorithms Used in the Approved Mode FIPS Allowed Algorithms Diffie-Hellman (key agreement; key establishment methodology provides 112 bits of encryption strength) EC Diffie-Hellman (CVL Cert. #567, key agreement; key establishment methodology provides 128 or 192 bits of encryption strength) RSA (key wrapping; key establishment methodology provides 112 bits of encryption strength) Non-Approved NDRNG (used to seed DRBG) MD5 (within TLS) Table 6 - Supported Protocols in the Approved Mode Supported Protocols TLS v1.0/1.1, 1.2 SSHv2 SNMPv2c, v3 Note: These protocols have not been tested or reviewed by the CMVP or the CAVP. Palo Alto Networks WildFire WF-500 Security Policy Page 9 of 28 2.4 Non-Approved, Non-Allowed Algorithms The cryptographic module supports the following non-Approved algorithms. No security claim is made in the current module for any of the following non-Approved algorithms. Table 7 - Non-Approved, Non-Allowed Algorithms Used in the Non-Approved Mode Non-FIPS Algorithms in Non-Approved Mode Encrypt/Decrypt – Triple-DES (non-compliant), CAST, ARCFOUR, Blowfish, Camellia, SEED, RC2, RC4 Key Exchange using non-Approved strengths – DH (1024) and ECDH (sect571r1, sect571k1, secp521r1, sect409k1, sect409r1, sect283k1, sect283r1, secp256k1, sect239k1, sect233k1, sect233r1, secp224k1, secp224r1, sect193r1, sect193r2, secp192k1, secp192r1, sect163k1, sect163r1, sect163r2, secp160k1, secp160r1, secp160r2) Message Authentication – HMAC-MD5, UMAC, HMAC-RIPEMD Hashing – MD5 Digital Signatures using SHA-1 Palo Alto Networks WildFire WF-500 Security Policy Page 10 of 28 3 Ports and Interfaces The WF-500 provides the following ports and interfaces: Figure 6 - Front ports and Interfaces Figure 7 - Rear ports and Interfaces Table 8 – WF-500 Ports and Interfaces FIPS 140-2 Interface Name and Description Qty. Designation 1 Power Button and Reset Reboot or shut down device 2 Control input 2 Front LED Panel Power, Power Failure, HDD, 4 Status output Overheat/Fan Failure 3 Drive LEDs Left LED—drive failure 48 Status output Right LED—drive activity 4 Power Power supplies 2 Power Input Console (Note: In the 5 DB9 1 Data input, Control Approved mode, the Console input, Data output, port is only available as Status output Status output) Disabled (Note: Reserved for 6 USB 4 N/A - Disabled future use) 7 RJ45 MGT Ethernet 10/100/1000 1 Data input, Control input, Data output, Status output Ethernet 1 VM (Note: In the 1 Data input, Data Approved mode, this port is output disabled) Palo Alto Networks WildFire WF-500 Security Policy Page 11 of 28 FIPS 140-2 Interface Name and Description Qty. Designation Ethernet 2 and 3 (Note: 2 N/A - Disabled Reserved for future use) Graphic port (Note: 8 VGA 1 N/A - Disabled Reserved for future use) 9 UID button with LED Button that activates LED on 1 Control input, Status front and back of chassis to output help identify physical location 4 Identification and Authentication Policy 4.1 Assumption of Roles The module supports distinct operator roles. The cryptographic module enforces the separation of roles using unique authentication credentials associated with operator accounts. The module supports concurrent operators. The module does not provide a maintenance role or bypass capability. Table 9 – Roles and Authentication Role Description Authentication Type Authentication Data Crypto-Officer This role has read, write, Identity-based Username and (CO) execute, and delete operator password capabilities for all authentication Manager services. The CO has the ability to create other CO and User accounts that have limited service access. User This User role has read- Identity-based Username and only access defined for a operator password set of configuration and authentication status information. Palo Alto Networks WildFire WF-500 Security Policy Page 12 of 28 Table 10 - Strength of Authentication Mechanism Authentication Strength of Mechanism Mechanism Username and The minimum length of a password is 6 characters (95 possible Password characters). The probability that a random attempt will succeed or a false acceptance will occur is 1/(956), which is less than 1/1,000,000. The module supports a maximum of 10 failed attempts to authenticate into the module in a one minute period. If the maximum number of attempts is reached, the operator is locked out for a configurable time period (1 minute to indefinitely). Therefore, the probability of successfully authenticating to the module within a one-minute period is 10/(956), which is less than 1/100,000. 5 Security Parameters The module contains the following keys and Critical Security Parameters (CSP): Table 11 - Private Keys and CSPs CSP # Key/CSP Description 1 RSA 2048 Private keys support establishment of TLS RSA Private keys session keys, and host authentication. 2 TLS DH Private Diffie-Hellman private component (≥ 224 bits). Components 3 TLS Pre-Master Secret value used to derive TLS session keys. Secret 4 AES (128 or 256 bit; CBC or GCM) session keys used in TLS Encryption keys TLS connections. 5 HMAC session keys (minimum HMAC-SHA-1/SHA- TLS MAC keys 256/SHA-384) used in TLS connections. 6 SSH DH Private Diffie-Hellman private component (≥ 224 bits). Components 7 SSH Session AES (128, 192, or 256 bit; CTR or CBC) session keys used Encryption key in SSH connections. 8 SSH Session HMAC session keys (HMAC-SHA-1) used in SSH Authentication key connections. 9 CO, User Password Password for operator authentication (minimum 6 characters). 10 DRBG Seed and AES CTR DRBG used in the generation of random values. State 11 SNMPv3 Secrets SNMPv3 Authentication and Privacy Secrets 12 SNMPv3 Keys AES Session and HMAC-SHA-1 Authentication Keys Palo Alto Networks WildFire WF-500 Security Policy Page 13 of 28 Table 12 - Public Keys Key Name Description RSA Public keys managed as certificates for RSA Public Keys / CA the verification of signatures, establishment Certificates of TLS (2048 bits). TLS DH Public components Used in key agreement (2048 bits). SSH DH Public components Used in key agreement (2048 bits). SSH Host RSA Public key SSH Host Public Key (2048 bits). Firmware Authentication RSA key used to authenticate firmware (2048 Key bits). Palo Alto Networks WildFire WF-500 Security Policy Page 14 of 28 6 Access Control Policy 6.1 Roles and Services The Approved and non-Approved mode of operation provide identical services. While in the Approved mode of operation all authenticated services are accessed via SSH or TLS sessions. Approved and allowed algorithms, relevant CSPs and public keys related to these protocols are accessed to support the following services. CSP access by services is further described in the following tables. The Crypto-Officer may access all services, and has the ability to define multiple Crypto-Officer roles. The User role provides read-only access to the system via the System Audit service. Table 13 - Authenticated Services CO Services Description System Operational Perform system management functions including firmware updates, licensing, diagnostics Management and debug functions. System Configuration Presents configuration options for management interfaces and communication for peer Management services. Import, Export, Save, Load, revert and validate configurations and state. Define access control methods via admin role profiles, configure administrators/users, and password profiles. Configure operators and authentication profiles. Data Analysis Configure data submission, analysis and reporting functions. Management Check Status Review system, configuration, debug logs, and show configurations. User services Description System Audit Allows review of limited configuration and system status via logs, dashboard and configuration screens. Provides no configuration commit capability. Palo Alto Networks WildFire WF-500 Security Policy Page 15 of 28 6.2 Unauthenticated Services The cryptographic module supports the following unauthenticated services: Table 14 - Unauthenticated Services Service Description Zeroize The device will overwrite all CSPs. The zeroization procedure is invoked when the operator performs a factory reset or exits out of the Approved mode of operation. The operator must be present to observe that the method has completed successfully or the operator must be in control of the module via a remote management session. During the zeroization procedure, no other services are available. Self-Tests Run power up self-tests on demand by power cycling the module. Show Status View status of the module via the LEDs. SNMP SNMPv2c provides system status and information. There is neither read nor write access to CSPs. 6.3 CSP Access Rights The following table defines the access to CSPs and the different module services. While in the Approved mode, all authenticated services and CSPs are accessed via authenticated TLS or SSH sessions. Approved and allowed algorithms, relevant CSPs, and public keys related to these protocols are used to access the services as listed in Table 15. The modes of access shown in the table are defined as: R = Read: The module reads the CSP. W = Write: The module writes the CSP. This write access is performed after a CSP is either imported into the module, generated by the module, or if the module overwrites an existing CSP. Z = Zeroize: The module zeroizes the CSP. Table 15 - CSP Access Rights within Roles and Services Role Authorized Service Mode CSP Access CO System Operational RW 1, 2, 3, 4, 5, 6, 7, 8, 9 Management CO System Configuration RW 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12 Management CO Data Analysis RW 1, 2, 3, 4, 5, 6, 7, 8, 9 Management CO Check Status R 1, 6, 7, 8, 9 User System Audit 1, 6, 7, 8, 9 (W possible for User R Password only) Palo Alto Networks WildFire WF-500 Security Policy Page 16 of 28 Unauthenticated Zeroize Z All CSPs are zeroized. Unauthenticated Self-Tests N/A N/A Unauthenticated Show Status (LEDs) N/A N/A Unauthenticated SNMP N/A N/A 7 Operational Environment The FIPS 140-2 Area 6 Operational Environment requirements are not applicable. The operational environment is limited since the Module includes a firmware load service to support necessary updates. New firmware versions within the scope of this validation must be validated through the FIPS 140-2 CMVP. Any other firmware loaded into this module is out of the scope of this validation and require a separate FIPS 140-2 validation. 8 Security Rules The module design corresponds to the module security rules. This section documents the security rules enforced by the cryptographic module to implement the security requirements of a FIPS 140-2 Level 2 module. 1. The cryptographic module shall provide distinct operator roles. When the module has not been placed in a valid role, the operator shall not have access to any cryptographic services. 2. The cryptographic module shall clear previous authentications on power cycle. 3. The cryptographic module shall perform the following tests: A. Power up Self-Tests 1. Cryptographic algorithm tests a. AES Encrypt Known Answer Test b. AES Decrypt Known Answer Test c. AES GCM Encrypt Known Answer Test d. AES GCM Decrypt Known Answer Test e. AES CCM Encrypt Known Answer Test f. AES CCM Decrypt Known Answer Test g. RSA Sign Known Answer Test h. RSA Verify Known Answer Test i. ECDSA Sign Known Answer Test j. ECDSA Verify Known Answer Test k. HMAC (HMAC-SHA-1/256/384/512) Known Answer Test l. SHA-1 Known Answer Test m. SHA-256 Known Answer Test n. SHA-384 Known Answer Test o. SHA-512 Known Answer Test p. DRBG Known Answer Test q. SP 800-90A Section 11.3 Health Tests Palo Alto Networks WildFire WF-500 Security Policy Page 17 of 28 r. ECDH Known Answer Test B. Firmware Integrity Test –HMAC-SHA-256. C. Critical Functions Tests 1. N/A D. Conditional Self-Tests 1. Continuous Random Number Generator (RNG) test – performed on NDRNG and DRBG, 128 bits 2. Firmware Load Test – Verify RSA 2048 signature on firmware at time of load 3. RSA Pairwise Consistency Test If any self-tests or conditional test fails, the module will output ‘CCEAL4 failure’ and the specific test that failed. 4. Power-up self-tests shall not require any operator action. 5. The operator shall be capable of commanding the module to perform the power-up self-test by power cycling the module. 6. Data output shall be inhibited during power-up self-tests and error states. 7. Processes performing key generation and zeroization processes shall be logically isolated from the logical data output paths. 8. The module does not output intermediate key generation values. 9. Status information output from the module shall not contain CSPs or sensitive data that if misused could lead to a compromise of the module. 10. There are no restrictions on which keys or CSPs are zeroized by the zeroization service. 11. The module maintains separation between concurrent operators. 12. The module does not support a maintenance interface or role. 13. The module does not have any external input/output devices used for entry/output of data. 14. The module does not allow the input or output of plaintext CSPs. 15. The module provides a warning, “Your device is still configured with the default admin account credentials. Please change your password prior to deployment” to inform the operator to change their default authentication data. Vendor imposed security rules: 16. If the cryptographic module remains inactive in any valid role for the administrator specified time interval, the module automatically logs out the operator. 17. The module enforces a timed access protection mechanism that supports at most ten authentication attempts per minute. After the administrator specified number of consecutive unsuccessful password validation attempts have occurred, the cryptographic module shall enforce a wait period of at least 1 minute before any more login attempts can be attempted. Palo Alto Networks WildFire WF-500 Security Policy Page 18 of 28 9 Physical Security Policy 9.1 Physical Security Mechanisms The multi-chip standalone module is production quality, and contains standard passivation. Chip components are protected by an opaque enclosure. There are tamper evident labels that are applied on the module by the Crypto-Officer, and any unused labels are to be controlled by the Crypto-Officer. The Crypto-Officer must ensure that the module surface is clean and dry before applying the labels. The labels prevent removal of the opaque enclosure without evidence, which should be inspected by the Crypto- Officer every 30 days for evidence of tamper. If the labels or opacity shields show evidence of tamper, the Crypto-Officer should assume that the module has been compromised and contact Customer Support. Note: For ordering information, see Table 2 for FIPS kit part numbers and versions. Opacity shields are included in the FIPS kits. Refer to Appendix A for instructions regarding installation of the tamper labels and opacity shields. Tamper evident labels must be pressed firmly onto the adhering surfaces during installation, and once applied, the Crypto-Officer shall permit 24 hours of cure time for all tamper evident labels. The placement of the twelve (12) tamper evident labels are shown in Appendix A. 9.2 Operator Required Actions Table 16 - Inspection/Testing of Physical Security Mechanisms Physical Recommended Model Security Frequency of Inspection/Test Guidance Details Mechanisms Inspection/Test WF-500 Tamper Evident 30 days Verify integrity of tamper evident labels Labels in the locations specified in Appendix A. WF-500 Front and Rear 30 days Verify that the front and rear opacity Opacity Shields shields have not been deformed from their original shape, thereby reducing their effectiveness. WF-500 Vent Overlays 30 days Verify that the vent overlays have not been removed or deformed. All edges should maintain strong adhesion characteristics. Palo Alto Networks WildFire WF-500 Security Policy Page 19 of 28 10 Mitigation of Other Attacks These requirements are not applicable as the module has not been designed to mitigate any specific attacks outside of the scope of FIPS 140-2. 11 References [FIPS 140-2] FIPS Publication 140-2 Security Requirements for Cryptographic Modules 12 Definitions and Acronyms AES – Advanced Encryption Standard CA – Certificate Authority CLI – Command Line Interface CO – Crypto-Officer CSP – Critical Security Parameter CVL – Component Validation List DB9 – D-sub series, E size, 9 pins DES – Data Encryption Standard DH – Diffie-Hellman DRBG – Deterministic Random Bit Generator EDC – Error Detection Code ECDH – Elliptical Curve Diffie-Hellman ECDSA – Elliptical Curve Digital Signature Algorithm FIPS – Federal Information Processing Standard HMAC – (Keyed) Hashed Message Authentication Code KDF – Key Derivation Function LED – Light Emitting Diode NDRNG – Non-Deterministic Random Number Generator RJ45 – Networking Connector RNG –Random number generator RSA – Algorithm developed by Rivest, Shamir and Adleman SHA – Secure Hash Algorithm SNMP – Simple Network Management Protocol SSH – Secure Shell TLS – Transport Layer Security USB – Universal Serial Bus VGA – Video Graphics Array Palo Alto Networks WildFire WF-500 Security Policy Page 20 of 28 13 Appendix A – WF-500 FIPS Kit Installation Guide (12 Tamper Evident Labels) Step 1: Remove the two pull handles and front modules on the left and right side of the appliance by removing the three screws located behind each handle/module. There is no need to disconnect the LED circuit board attached to the end of the ribbon cable. Retain these screws for Step 2. Figure 8 – Remove Front Handles and Modules Palo Alto Networks WildFire WF-500 Security Policy Page 21 of 28 Step 2: Attach the left and right front cover brackets to the appliance using the six screws that you removed in Step 1. First attach the brackets using the bottom screws (one on each side) as shown in Figure 9, ensuring that you feed the ribbon cable and LED circuit board through the left bracket. Replace the front modules and secure them using the middle and top screws on each side as shown in Figure 10. Figure 9 – Secure the Front Brackets Figure 10 - Attach Pull Handles and Front Modules Palo Alto Networks WildFire WF-500 Security Policy Page 22 of 28 Step 3: Secure the front opacity shield to the right and left front brackets that you installed in Step 2. Use two screws (provided) on each side. Figure 11 – Install Front Opacity Shield Figure 12 – Front Opacity Shield Installed Palo Alto Networks WildFire WF-500 Security Policy Page 23 of 28 Step 4: Attach the rear opacity shield tray to the appliance. First, remove the two screws (shown in Figure 13) from the appliance and use these screws to secure the rear opacity shield tray. Note: Install the back cables (power cords and network/management cables) because you will not be able to access these ports after the next step. Figure 13 – Install Rear Opacity Shield Tray Palo Alto Networks WildFire WF-500 Security Policy Page 24 of 28 Step 5: Place the rear opacity shield on top of the rear opacity shield tray ensuring that you run the cables through the opening at the bottom. Secure the opacity shields with two screws (provided) on each side. Figure 14 – Install Rear Opacity Shield Palo Alto Networks WildFire WF-500 Security Policy Page 25 of 28 Step 6: Cover the vent openings as shown in Figure 15 by applying one overlay sticker over the left side vent and one overlay sticker over the right side vent. Each overlay requires two tamper labels as shown in Figure 16. Also apply one additional tamper label as shown in Figure 16 Item 5. Figure 15 – Apply Vent Overlays Figure 16 – Apply Tamper Labels on Vent Overlays and Side Opening Palo Alto Networks WildFire WF-500 Security Policy Page 26 of 28 Step 7: Attach the rail kit to the appliance as shown in Figure 17 and then add three tamper labels to the bottom of the appliance as shown in Figure 18. One tamper label prevents tampering of the front opacity shield connected to the bottom of the appliance and two tamper labels wrap around the upper and lower rear opacity shields to prevent tampering of the rear opacity shields. Figure 17 – Install Rail Kit Figure 18 – Apply Tamper Labels on the Bottom of the Appliance Palo Alto Networks WildFire WF-500 Security Policy Page 27 of 28 Step 8: Place four tamper labels on the top of the appliance. Two tamper labels (9 and 11) prevent tampering of the top front and rear opacity shields and two tamper labels (10 and 12) prevents someone from attempting to access the vent overlays by sliding the rail kit. This completes the FIPS kit installation. Figure 19 – Apply Tamper Labels on the Top and Sides of the Appliance Palo Alto Networks WildFire WF-500 Security Policy Page 28 of 28