FIPS 140-2 Non-Proprietary Security Policy
Level 1 Validation
Version 0.94
February 2006

© Copyright 2005-2006 Check Point Software Technologies Ltd. This document may be freely reproduced and distributed whole and intact including this Copyright Notice.

Table of Contents

INTRODUCTION
  PURPOSE
  REFERENCES
CHECK POINT VPN-1
  OVERVIEW
  CRYPTOGRAPHIC MODULE
  MODULE INTERFACES
  ROLES AND SERVICES
    Remote Crypto Officer Role
    Local Crypto Officer Role
    User Role
    Authentication Mechanisms
    Unauthenticated Services
  PHYSICAL SECURITY
  OPERATIONAL ENVIRONMENT
  CRYPTOGRAPHIC KEY MANAGEMENT
  SELF-TESTS
  DESIGN ASSURANCE
  MITIGATION OF OTHER ATTACKS
SECURE OPERATION
  FIPS MODE CONFIGURATION
    Local Crypto-Officer Configuration Steps
    Management Station Configuration Steps
    Remote Crypto-Officer Configuration Guidelines
  CRYPTO-OFFICER GUIDANCE
    Management
    Termination
  USER GUIDANCE
ACRONYMS

Introduction

Purpose

This is a non-proprietary Cryptographic Module Security Policy for Check Point Software Technologies Ltd. (Check Point) VPN-1 version Next Generation (NG) with Application Intelligence R54. This security policy describes how the Check Point VPN-1 version NG with Application Intelligence R54 meets the security requirements of FIPS 140-2 and how to run the module in a secure FIPS 140-2 mode. This policy was prepared as part of the Level 1 FIPS 140-2 validation of the module.

FIPS 140-2 (Federal Information Processing Standards Publication 140-2 -- Security Requirements for Cryptographic Modules) details the U.S. Government requirements for cryptographic modules. More information about the FIPS 140-2 standard and validation program is available on the NIST website at http://csrc.nist.gov/cryptval/.

The Check Point VPN-1 version NG with Application Intelligence R54 is referred to in this document as Check Point VPN-1 version NG with Application Intelligence, Check Point VPN-1, VPN-1, the module, and the software.

References

This document deals only with operations and capabilities of the module in the technical terms of a FIPS 140-2 cryptographic module security policy. More information is available on the module from the following sources:

· The Check Point website (http://www.checkpoint.com/) contains information on the full line of products from Check Point.
· The NIST Validated Modules website (http://csrc.ncsl.nist.gov/cryptval/) contains contact information for answers to technical or sales-related questions for the module.

CHECK POINT VPN-1

Overview

Check Point's VPN-1 version NG with Application Intelligence R54 is a tightly integrated software solution combining the FireWall-1 (FW-1) security suite with sophisticated Virtual Private Network (VPN) technologies and a hardened Operating System (OS). The cornerstone of Check Point's Secure Virtual Network (SVN) architecture, VPN-1 meets the demanding requirements of Internet, intranet, and extranet VPNs by providing secure connectivity to corporate networks, remote and mobile users, branch offices, and business partners. VPN-1 solutions are available on the industry's broadest range of open platforms and security appliances -- meeting the price/performance requirements of any size organization.

Check Point VPN-1 is integrated with the industry-standard, market-leading FireWall-1 and the hardened Operating System SecurePlatform.

· Check Point VPN-1/FireWall-1, the industry's leading Internet security solution, provides the highest level of security, with access control, content security, authentication, and integrated Network Address Translation. Only FireWall-1 delivers true Stateful Inspection across the broadest set of applications in the industry, including Voice over IP and multimedia applications.
· Check Point SecurePlatform is a customized and hardened Operating System, with no unnecessary components that could pose security risks. SecurePlatform is pre-configured and optimized to perform its task as a network security device.

VPN-1 is designed to allow secure access to an organization's resources to multiple users over an unsecured TCP/IP network. Relying on a hardened, optimized operating system coupled with FireWall-1, it performs all the required security functions and provides the following high-level functionality:

· Screening of all incoming communications to ensure authorized user access.
· Secure, authenticated and encrypted sessions with Clients and subsystems.
· Secure VPN between subsystems.
· Central security administration.

Cryptographic Module

Check Point VPN-1 version NG with Application Intelligence R54 is considered to be a multi-chip standalone module for FIPS 140-2. VPN-1 is a firmware module intended to run on any standard personal computer (PC). It includes a hardened operating system that is not general purpose and does not implement physical security mechanisms.

Logically, the cryptographic boundary is composed of the Check Point VPN-1 and FireWall-1 software running on the Secure Platform Operating System. Physically, the cryptographic boundary of the module is the PC case, which physically encloses the complete set of hardware and software. The physical ports, logical interfaces, and FIPS logical interfaces are described in Table 2. The module was tested on a Dell Optiplex GX 1 PC.

The module is intended to meet overall FIPS 140-2 level 1 requirements (see Table 1).

| Section | Section Title | Level |
|---------|---------------|-------|
| 1 | Cryptographic Module Specification | 1 |
| 2 | Cryptographic Module Ports and Interfaces | 1 |
| 3 | Roles, Services, and Authentication | 2 |
| 4 | Finite State Model | 1 |
| 5 | Physical Security | 1 |
| 6 | Operational Environment | N/A |
| 7 | Cryptographic Key Management | 1 |
| 8 | EMI/EMC | 3 |
| 9 | Self-tests | 1 |
| 10 | Design Assurance | 2 |
| 11 | Mitigation of Other Attacks | N/A |

Table 1 - Intended Level Per FIPS 140-2 Section

Module Interfaces

As a multi-chip standalone module being evaluated on a standard PC, the physical ports of the module include the network ports, keyboard/mouse ports, USB ports, and serial ports. All of these physical ports are separated into logical interfaces into the software, and these software logical interfaces are then mapped into FIPS 140-2 logical interfaces, as described in the following table.

| FIPS 140-2 Logical Interface | Logical Interface | Standard PC Physical Port |
|------------------------------|-------------------|---------------------------|
| Data input interface | User Interface (UI) for the Secure Platform, Network Layer IP interface | Keyboard ports, USB ports, serial ports, network ports |
| Data output interface | User Interface (UI) for the VPN-1, Network Layer IP interface | Network ports, serial ports, monitor port |
| Control input interface | User Interface (UI) for the VPN-1, Network Layer IP interface | Keyboard ports, USB ports, serial ports, network ports |
| Status output interface | User Interface (UI) for the VPN-1, Network Layer IP interface, Log files | Network ports, serial ports, monitor port |
| Power interface | Power interface | Power connector |

Table 2 - Mapping Standard PC Physical Ports and Logical Interfaces to FIPS 140-2 Interfaces

The logical interfaces are separated by the UIs that distinguish between data input, data output, control input and status output through the dialogues. Similarly, the module distinguishes between different forms of data, control and status traffic over the Network ports by analyzing the packet header information and contents. Log files are only utilized for status output.

Although the module consists entirely of software, the FIPS 140-2 evaluated platform is a standard PC, which has been tested for and meets applicable FCC EMI and EMC requirements for business use as defined by 47 Code of Federal Regulations, Part 15, Subpart B.

Roles and Services

The module supports three distinct roles: Client User, Local Crypto-Officer, and remote Crypto-Officer roles. It uses digital signatures, pre-shared keys, and passwords for authentication.

The Local Crypto-Officer role is responsible for the installation, minimal configuration, and removal of the VPN-1. These operations are performed locally using physical access to the PC the module is installed on.

The Remote Crypto-Officer role performs primary configuration of VPN-1. After authenticating, the Remote Crypto-Officer uses a powerful set of management tools to configure and monitor the module. The remote management session uses TLS to ensure security.

Figure 1 - Easy to Use Management Tools

The User role is for clients that are accessing the module from remote locations. These operators can authenticate through IKE using either pre-shared keys or digital certificates. Once authenticated, an encrypted tunnel is established between the Check Point VPN-1 and the client using IPSec. Of note, the module can itself act as a User when establishing tunnels to other modules.

Remote Crypto Officer Role

The role of the Remote Crypto-Officer includes refinement of administrative permissions, generation and destruction of keys, user access control and creation of the information database.

Each management server (i.e., Remote Crypto-Officer) authenticates to the module through TLS using digital certificates. After authenticating, the Remote Crypto-Officers use Check Point management software to manage the module over the secure TLS session.

Descriptions of the services available to the Crypto Officer role are provided in the table below.

| Service | Description | Input | Output | Critical Security Parameter (CSP) Access |
|---------|-------------|-------|--------|------------------------------------------|
| TLS | Access the module's TLS to create a secure session for remotely managing the module. | TLS handshake parameters, TLS inputs, data | TLS outputs and data | RSA key pair for management (read access); Session keys for management (read/write access); X9.31 PRNG keys (read access) |
| Create and Configure Users/User Groups | Define users and user groups. This allows the Crypto-Officer to create permissions for individual users or a whole group of users and to set permissions such as access hours, user priority, authentication mechanisms, protocols allowed, filters applied, and types of encryption. | Commands and configuration data (policy files) | Status of commands and configuration data (policy files) | None |
| Define and Implement Security Policies (including the rule sets governing the automatic, alternating bypass) | Configure and install security policies that are applied to the network and users. These policies contain a set of rules that govern the communications flowing into and out of the module, and provide the Crypto-Officer with a means to control the types of traffic permitted to flow through the module. These policies include the rules that govern the automatic, alternating bypass state of the module. | Commands and configuration data (policy files) | Status of commands and configuration data (policy files) | None |
| Management of keys | Configure the digital certificates and/or pre-shared keys for use by IPSec and IKE for authentication | Commands and configuration data (policy files) | Status of commands and configuration data (policy files) | RSA key pair for IKE (read/write access); pre-shared keys for IKE (read/write access) |
| Initialization of Secure Internal Communication (SIC) | Establish trust between management server and the VPN-1 module to allow configuration of the module's services | Commands and configuration data (SIC policy) | Status of commands | RSA key pair for management (read/write access) |
| Monitoring | Provides detailed information for both monitoring of connection activities and the system status | Commands | Status of commands and status information (logs) | None |

Table 3 - Crypto Officer Services, Descriptions, Inputs and Outputs

Local Crypto Officer Role

Local operators authenticate to the module using a user name and password. Once authenticated, the operator implicitly assumes the role of Local Crypto-Officer and can access the various utilities and configurations available to that role. Table 4 contains a list of all of the services available to the Local Crypto-Officer, a description of those services along with the relevant CLI commands, the inputs to the services, and the outputs of the services.

| Service | Description with CLI commands | Input | Output | CSP |
|---------|-------------------------------|-------|--------|-----|
| FIPS mode | Switch to FIPS mode and enable integrity check. | Command and any options | Status of commands | DES-MAC integrity key (read access) |
| Manage CLI settings | Switch between standard and expert CLI modes (expert); Logout of the CLI (exit); Change the logged in Local Crypto-Officer's password (passwd) | Commands, any options, and password (for switching between CLI modes) | Status of commands | Local Crypto-Officer password (read/write access) |
| View local help documentation | List available commands and their respective descriptions (help or ?) | Commands | Status of commands and status information (help information) | None |
| Get and set date and time | View/change date (date); view/change time (time); view time zone (timezone) | Commands, any options, and date or time settings | Status of commands and status information (date, time, or time zone information) | None |
| System management commands | Display or clear audit logs (audit); backup the system configuration (backup); restore the system configuration (restore); reboot the module (reboot); shutdown the module (shutdown); apply an upgrade or hotfix (patch) - not available in FIPS mode | Commands, any options, and configuration parameters | Status of commands and status information (logs) | None |
| System diagnostic commands | Change logging options (log); Display top 15 processes ranked by CPU usage (top); display or send diagnostic information (diag) | Commands and any options | Status of commands and status information (process list or diagnostic information) | None |
| Check Point module commands | Install licenses, configure the SNMP daemon, modify the list of Unix groups authorized to run VPN-1/FW-1 services, register a cryptographic token, enter random data to help seed the PRNG, configure the one time SIC password, and specify whether the VPN-1/FW-1 services should automatically start at boot time (all functionality is provided through text-based menuing system after executing cpconfig) | Command (cpconfig), menu options, and configuration information | Status of commands/menu options and status information (configuration information) | None |
| | Start the Check Point applications (cpstart); stop the Check Point applications (cpstop); show Check Point diagnostic information (cpinfo); display the status of Check Point applications (cpstat); manage Check Point licenses (cplic); show the SVN Foundation version (cpshared_ver); enable the high availability feature (cphastart); disable the high availability feature (cphastop); define a critical process (cphaprob) | Command, any options, and configuration information | Status of commands and status information (diagnostic information, version numbers, and license information) | |
| Network diagnostic commands | Ping network hosts (ping); trace the route of packets to a host (traceroute); show network statistics (netstat) | Commands and any options | Status of commands and status information (diagnostic information) | None |
| Network configuration commands | Show and modify the kernel's ARP cache (arp); show, set, or remove hostname to IP mappings (hosts); show, configure, and store network interface settings (ifconfig); configure virtual LAN interfaces (vconfig); show and configure routing entries (route); get or modify the system's host name (hostname); get or set the system's domain name (domainname); show, add, or remove domain name servers (dns); interactive script for configuring the network and security settings of the system (sysconfig) | Commands, any options, and configuration information | Status of commands and status information (configuration information) | None |
| Key/CSP zeroization | The Local Crypto-Officer can zeroize all of the module's CSPs by reformatting the hard drive the module is installed on. | None | None | All CSPs stored on the module's hard drive |

Table 4 - Local Crypto-Officer Services, Descriptions, Inputs and Outputs

User Role

The User role accesses the module's IPSec and IKE services and authenticates to the module using digital certificates or pre-shared keys. Service descriptions and inputs/outputs are listed in the following table:

| Service | Description | Input | Output | CSP |
|---------|-------------|-------|--------|-----|
| IKE | Access the module's IKE functionality in order to authenticate to the module and negotiate IKE and IPSec session keys | IKE inputs and data | IKE outputs, status, and data | RSA key pair for IKE (read access); Diffie-Hellman key pair for IKE (read/write access); pre-shared keys for IKE (read access) |
| IPSec | Access the module's IPSec services in order to secure network traffic | IPSec inputs, commands, and data | IPSec outputs, status, and data | Session keys for IPSec (read/write access) |

Table 5 - User Services, Descriptions, Inputs and Outputs

Authentication Mechanisms

The module implements password-based authentication, RSA-based authentication, and HMAC-based authentication mechanisms.

| Authentication Type | Strength |
|---------------------|----------|
| RSA-based authentication (TLS handshake) | RSA encryption/decryption is used to authenticate to the module during the TLS handshake. This mechanism is as strong as the RSA algorithm using a key pair of 1024, 2048, or 4096 bits. Using a 1024-bit key pair (the default) is generally considered equivalent to brute forcing an 80-bit key (i.e., a 1 in 2^80 chance of false positive). |
| RSA-based authentication (IKE) | RSA signing/verifying is used to authenticate to the module during IKE. This mechanism is as strong as the RSA algorithm using a key pair of 1024, 2048, or 4096 bits. Using a 1024-bit key pair (the default) is generally considered equivalent to brute forcing an 80-bit key (i.e., a 1 in 2^80 chance of false positive). |
| Pre-shared key-based authentication (IKE) | SHA-1 HMAC generation/verification is used to authenticate to the module during IKE with pre-shared keys (at least 6 characters in length). Considering the possible field of ASCII characters, the number of potential passwords is 94^6. |
| Password-based authentication | Passwords are required to be at least 6 characters in length, a mixture of alphabetic and numeric characters, at least four different characters, and not to use simple dictionary words or common strings such as "qwerty." Considering only the case sensitive English alphabet and the numerals 0-9 using a 6 digit password with repetition, the number of potential passwords is 62^6. |

Table 6 - Estimated Strength of Authentication Mechanisms

Each of the authentication mechanisms shown in Table 6 demonstrates that a single, random authentication attempt has less than a 1:1,000,000 chance at success (i.e., a false positive).
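
An added example, not part of the Check Point policy: Table 6 counts 62^6 passwords, but the rules in the same row (a letter and a digit required, at least four different characters) exclude part of that space. The code below applies those rules to candidate strings and counts the strings that satisfy them, which goes one step beyond the table's figure; the deny-list contents and all function names are assumptions of the example.

```python
from itertools import product
from math import comb

# Hypothetical deny-list: the policy names only "qwerty" as an example string.
COMMON_STRINGS = ("qwerty", "password", "letmein")


def structural_ok(pw, min_len=6, min_distinct=4):
    """Length, letter+digit mixture and distinct-character rules from Table 6."""
    return (len(pw) >= min_len
            and any(c.isalpha() for c in pw)
            and any(c.isdigit() for c in pw)
            and len(set(pw)) >= min_distinct)


def meets_policy(pw):
    """Structural rules plus the dictionary/common-string rule."""
    lowered = pw.lower()
    return structural_ok(pw) and not any(s in lowered for s in COMMON_STRINGS)


def surjections(n, k):
    """Number of length-n strings that use every one of k given symbols."""
    return sum((-1) ** j * comb(k, j) * (k - j) ** n for j in range(k + 1))


def policy_space(n_letters=52, n_digits=10, length=6, min_distinct=4):
    """Count fixed-length strings with >=1 letter, >=1 digit, >=min_distinct symbols."""
    total = 0
    for k in range(min_distinct, length + 1):
        # Symbol sets of size k that contain at least one letter and one digit.
        mixed_sets = (comb(n_letters + n_digits, k)
                      - comb(n_letters, k) - comb(n_digits, k))
        total += mixed_sets * surjections(length, k)
    return total


def brute_force_space(letters, digits, length, min_distinct):
    """Enumerate every string; only feasible for a tiny alphabet (cross-check)."""
    count = 0
    for tup in product(letters + digits, repeat=length):
        used = set(tup)
        if len(used) >= min_distinct and used & set(letters) and used & set(digits):
            count += 1
    return count


def search_spaces():
    """Table 6 figures next to the rule-constrained 6-character password space."""
    return {
        "pre-shared key, 94^6": 94 ** 6,
        "password, 62^6": 62 ** 6,
        "password, rules applied": policy_space(),
    }


if __name__ == "__main__":
    for label, size in search_spaces().items():
        print(f"{label:26s} {size:>16,d}  single guess < 1e-6: {size > 1_000_000}")
    # Constructed sample candidates, not taken from the policy.
    for candidate in ("k7Tm2x", "qwerty12", "aaaa11", "abcdef", "a1b2"):
        print(f"{candidate:10s} accepted={meets_policy(candidate)}")
```

The constrained space is 37,020,169,680 strings, about 65% of 62^6, so the 1:1,000,000 single-attempt bound still holds by a wide margin.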

Repeated attempts to defeat the authentication mechanisms over a 1-minute period such that there would be a chance for a false positive would require the following attempt rates:

· IKE / HMAC: ( (94^6) / (100,000 * 60) ) = 114,000 attempts per second
· RSA-based: ( (2^80) / (100,000 * 60) ) = 2*10^17 attempts per second

The cryptographic module cannot process repeated authentication attempts at these frequencies. Additionally, when operating in Approved Mode, the module only allows a maximum of three unsuccessful password-based attempts before imposing a 60 minute lockout period.

The module successfully meets the FIPS 140-2 requirements for strength of authentication for all of its authentication mechanisms.

Unauthenticated Services

The cryptographic module does not provide any unauthenticated services. All module services are available only to authenticated operators assuming either a Crypto Officer or a User role.

Physical Security

The module meets the physical security requirements for a level 1 firmware module.

Operational Environment

The operational environment requirements do not apply to this module. Check Point VPN-1 version NG with Application Intelligence R54 does not provide a general-purpose operating system nor does it provide a mechanism to load new software. The module was tested on the Check Point Secure Platform Operating System version NG with Application Intelligence R54 running on a standard PC architecture Pentium III processor based system.

Cryptographic Key Management

Check Point adheres to cryptographic standards and provides the strongest cryptography available. Check Point VPN-1's efficient implementation of standard cryptographic algorithms ensures the highest level of interoperability.
In addition, the module's implementations provide some of the fastest system performance available in software.

VPN-1 provides the capability to use TLSv1 to secure management sessions. The module supports IPSEC/ESP for data encryption and IPSEC/ESP for data integrity. It implements all IKE modes: main, aggressive, and quick, using ISAKMP as per the standard.

The Check Point VPN-1 implements the following FIPS-approved algorithms:

Data Encryption:
· Advanced Encryption Standard (AES) in CBC mode (128 or 256 bit keys) - as per NIST FIPS PUB 197 (Certificate 88)
· Data Encryption Standard (DES) in CBC mode (56 bit keys) - as per NIST PUB FIPS 46-3 (Certificate 311) (transitional phase only - valid until May 19, 2007)
· Triple DES (3DES) in CBC modes (168 bit keys) - as per NIST PUB FIPS 46-3 (Certificate 333)

Data Packet Integrity:
· HMAC-SHA-1 (20 byte) - as per NIST PUB FIPS 198, RFC 2104 (HMAC: Keyed-Hashing for Message Authentication), and RFC 2404 (The Use of HMAC-SHA-1-96 within ESP and AH). (Certificate 56)

Data Hashing:
· Secure Hash Algorithm (SHA-1) - as per NIST PUB FIPS 180-2 (Certificate 325)

PRNG:
· X9.31-based PRNG with Yarrow controls on entropy gathering
  o Triple DES (3DES) in ECB modes (112 bit keys) - as per NIST PUB FIPS 46-3 (Certificate 30)

Digital Signatures:
· RSA - as per PKCS#1 (Certificate 63)

The module implements the following protocols permitted for use in a FIPS-Approved mode of operation:

Session Security:
· TLS v1.0 - as per RFC 2246
· IPSec

Key Agreement:
· Diffie-Hellman (used by IKE), key agreement (key establishment methodology provides between 70 and 97 bits of encryption strength)
· RSA (used by TLS), key wrapping (key establishment methodology provides between 80 bits and 150 bits of encryption strength)

In addition, the Check Point VPN-1 provides the following non FIPS-approved algorithms:

· CAST (40 or 128 bit keys)
· HMAC-MD5 (16 bytes) - as per RFC 2104 (HMAC: Keyed-Hashing for Message Authentication) and RFC 2403 (The Use of HMAC-MD5-96 within ESP and AH).
· MD5
· Secure Socket Layer (SSL) v3 - as per the Transport Layer Security Working Group draft.

| Key | Key type | Generation | Storage | Use |
|-----|----------|------------|---------|-----|
| Local Crypto-Officer passwords | - | - | Stored on disk (/etc/password) - plaintext | Local Crypto-Officer authentication |
| RSA key pair for management | RSA key pair (1024, 2048 or 4096 bits) | RSA key generation (outside of crypto-boundary) | Stored "encrypted" on disk in P12 format ($CPDIR/conf/sic_cert.p12) - plaintext | Authentication during TLS handshake |
| RSA key pair for IKE | RSA key pair (1024, 2048 or 4096 bits) | RSA key generation (outside of crypto-boundary) | Stored on disk ($FWDIR$/database/fwauth.NDBX) - plaintext | Authentication during IKE |
| Preshared keys for IKE (SHA-1 HMAC) | IKE preshared key (48 - 512 bits) | Outside of crypto-boundary | Stored on disk ($FWDIR$/database/fwauth.NDB) - plaintext | Authentication during IKE |
| Diffie-Hellman key pairs | Diffie-Hellman key pairs (768, 1024, 1536 bits) | Generated by IKE negotiations | RAM only (public parameters stored on disk ($FWDIR/database/objects.C and $FWDIR/state/local/FW1/local.objects)) - plaintext | Key exchange during IKE |
| Session keys for IPSec | DES/TDES keys (56/168 bits), AES (128, 256 bits) | Generated by IKE negotiations | RAM only - plaintext | Secure IPSec traffic |
| Session keys for management | DES/TDES keys (56/168 bits) | Generated by TLS handshake | Cached to disk ($CPDIR$/database/session.NDBX) - plaintext | Secure TLS traffic (SIC) |
| DES-MAC integrity check key | DES keys (56 bits) | Outside of crypto-boundary | Stored on disk ($CPDIR/bin/cphash) - plaintext | Perform integrity check of module's software |
| X9.31 PRNG seed keys | Triple-DES (112 bit) | Generated by gathering entropy | RAM only, but entropy used to generate keys is cached to disk ($CPDIR/registry/HKLM_registry.data and $CPDIR/registry/HKLM_registry.data.old) - plaintext | Random number generator |

Table 7 - Listing of the Module's CSPs

The Local Crypto-Officer passwords are used to authenticate the Local Crypto-Officer to the CLI. Additionally, these passwords are used to switch CLI modes and to access the bootloader. These passwords are configured by the local Crypto-Officer over the CLI or by the Remote Crypto-Officer over an authenticated, encrypted management session. These passwords are stored on the module's hard drive, and can be zeroized by changing the password or reformatting the hard drive.

The RSA key pair for remote management sessions is generated externally by the management software. This key pair is loaded onto the module during the setup of secure communications with a management station over a secure TLS session. This key pair is stored on the module's hard drive and can be zeroized by reformatting the hard drive containing the module's software or re-initializing SIC.

The RSA key pair used by IKE is generated externally by the management software. This key pair is loaded onto the module over a secure TLS session established between the module and the management software. This key pair is stored on the module's hard drive and can be zeroized by reformatting the module's hard drive containing the module's software. Additionally, it can be overwritten by generating a new RSA key pair.

Pre-shared keys are input into the module over an encrypted management session. These keys are used during IKE for authentication. The pre-shared key configuration information is stored on the module's hard drive and can be zeroized by reformatting the hard drive containing the module's software. Additionally, it can be overwritten by changing the pre-shared key.

Diffie-Hellman (DH) key pairs are generated during IKE for use for key exchange during IKE. These are ephemeral key pairs. The Diffie-Hellman public parameters are generated externally by the management software. These parameters are loaded onto the module over a secure TLS session established between the module and the management software. These parameters are stored on the module's hard drive, and can be zeroized by reformatting the hard drive containing the module's software or by generating a new set of DH public parameters.

Session keys for IPSec are ephemeral keys established for IPSec connections. These keys are negotiated during IKE as part of the DH key exchange. They are generated as needed by an SA and are only stored in volatile memory. These keys can be zeroized by powering down the module.

Session keys for management session are established by the TLS handshake protocol. These keys are used to encrypt management session and are generated as needed by the TLS handshake. These keys are stored in volatile memory as well as cached to disk for possible reuse. The keys in volatile memory can be zeroized by powering down the module. The keys cached to disk can be zeroized by reformatting the hard drive containing the module's software.

The DES-MAC integrity check key is generated externally from the module and is hard-coded into the cphash binary. This key is stored on the module's hard drive in plaintext and is used to perform the software integrity check. The keys cached to disk can be zeroized by reformatting the partition (or whole hard drive).

The X9.31 pseudo-random number generator (PRNG) keys are generated by the module using entropy gathered from various sources. The entropy used to generate these keys is cached to the module's hard drive and is used by the X9.31 PRNG. This entropy can be zeroized by reformatting the hard drive containing the module's software.

Self-Tests

The module performs a set of self-tests in order to ensure proper operation in compliance with FIPS 140-2.
These self-tests are run during power-up (power-up self-tests) or when certain conditions are met (conditional self-tests).

Power-up Self-tests:

· Software Integrity Tests: The module checks the integrity of its various components using a DES-MAC.
· Cryptographic Algorithm Known Answer Tests (KATs): KATs are run at power-up for AES, DES, RSA, and Triple-DES encryption/decryption, pseudo-random number generation, SHA-1 hashing, and HMAC with SHA-1 calculation.
    o AES-CBC KAT
    o DES-CBC KAT
    o Triple-DES-CBC KAT
    o PRNG KAT
    o RSA KAT (encrypt/decrypt) and pairwise consistency test
    o SHA-1 KAT
    o SHA-1 HMAC KAT
· Bypass Mode Test: The module performs SHA-1 check value verification to ensure the policy files have not been modified.

Conditional Self-tests:

· Continuous Random Number Generator Test: This test is constantly run to detect failure of the module's random number generator.
· Bypass Mode Test: The module performs SHA-1 check value verification to ensure the policy files have not been modified.

If any of the kernel module KATs fail, the system enters the kernel panic state. If any one of the service KATs fails, that service halts and the system enters the error state. If the KATs are passed (by both the kernel modules and the services), the success is logged to the Check Point log.

If the power-up software integrity check fails, the system enters the integrity check failure state, halts, and has to be restarted. If the software integrity check passes, the event is logged to the Check Point log.

If the continuous RNG test fails, the system reboots.

All errors are logged to the Check Point logs. When the module enters the error state, all cryptographic services and data output for the problem service are halted until the error state is cleared.
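The two kinds of self-test listed above, as an added Python example that is not Check Point's code: two of the power-up KATs (SHA-1 and SHA-1 HMAC, checked against the published FIPS 180 and RFC 2202 vectors) and the continuous RNG test, which compares each generated block with the previous one and never outputs the first block. os.urandom and the 16-byte block length stand in for the module's X9.31 PRNG, and all class and function names are hypothetical.

```python
import hashlib
import hmac
import os


class SelfTestError(Exception):
    """Raised when a self-test fails; the caller must stop crypto output."""


# Published known answers: SHA-1 of "abc" (FIPS 180) and
# HMAC-SHA-1 test case 1 from RFC 2202.
SHA1_KAT = (b"abc", "a9993e364706816aba3e25717850c26c9cd0d89d")
HMAC_KAT = (b"\x0b" * 20, b"Hi There",
            "b617318655057264e28bc0b6fb378c8ef146be00")


def power_up_kats(sha1=hashlib.sha1, mac=hmac.new):
    """Run both KATs and return the names of the tests that failed.

    The implementations under test are parameters so that a broken
    one can be injected to confirm the KAT really detects it.
    """
    failed = []
    message, expected = SHA1_KAT
    if sha1(message).hexdigest() != expected:
        failed.append("SHA-1 KAT")
    key, message, expected = HMAC_KAT
    if mac(key, message, hashlib.sha1).hexdigest() != expected:
        failed.append("SHA-1 HMAC KAT")
    return failed


class ContinuousRNG:
    """Wrap a block source with the continuous RNG test."""

    def __init__(self, source=os.urandom, block_len=16):
        # source and block_len are assumptions of this example.
        self._source = source
        self._block_len = block_len
        # The first block is never output; it is only kept so the
        # next block has something to be compared against.
        self._previous = source(block_len)

    def next_block(self):
        block = self._source(self._block_len)
        if hmac.compare_digest(block, self._previous):
            # A repeated block means the generator is stuck.
            raise SelfTestError("continuous RNG test failed")
        self._previous = block
        return block
```
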
Restarting the module or the failed service can clear the error state.

Design Assurance

Check Point uses a hybrid configuration management system for its products and documentation management needs. Both CVS and Rational® ClearCase® are used for configuration management of product source code releases. These software applications provide access control, versioning, and logging capabilities for tracking the components included in the various Check Point products.

Manual configuration management controls are utilized for the associated product documentation. A formal process has been implemented whereby a log is kept of all product documentation and updates. Product documentation releases are tied to versions of the cryptographic module and source code build releases through this log.

Microsoft SharePoint® is used to provide configuration management and archival for the module's FIPS 140-2 documentation. This document database application provides access control, versioning, and logging for documents created in support of FIPS 140-2 validation testing efforts.

Mitigation of Other Attacks

The module is designed to meet the overall FIPS 140-2 level 1 requirements and provides the standard level of security that comes with meeting those requirements. It does not provide mitigation against other attacks.

SECURE OPERATION

Check Point VPN-1 version NG with Application Intelligence R54 meets Level 1 requirements for FIPS 140-2. The sections below describe how to place and keep the module in FIPS-approved mode of operation.

FIPS Mode Configuration

Local Crypto-Officer Configuration Steps

The Local Crypto-Officer must perform the following operations during installation and initialization of the module in order to enable the FIPS mode of operation.
Note: These instructions also apply if the Local Crypto-Officer is migrating from VPN-1 NG with Application Intelligence to VPN-1 NG with Application Intelligence R54. The Local Crypto-Officer must reinstall and reinitialize the module as per these instructions.

Before beginning the initialization of the module, the Local Crypto-Officer must obtain patch SK26538, titled "Required Patch for FIPS 140-2 Certification for VPN-1 NG with Application Intelligence R54 on SecurePlatform and IPSO" from Check Point support. The patch will be installed during the initialization process.

The system time clocks of the module platform, the management station, and any other trusted systems must all be synchronized.

1. Install the Secure Platform operating system. The module automatically reboots the system once this is completed.
2. Log in to the console using the default Local Crypto-Officer password. The module will immediately request that this password be changed.
3. At the command prompt, run the following command to begin configuration of the module.

    sysconfig

   The following will be performed via the menus displayed when "sysconfig" is run.

   a. Perform the network configuration, date and time configuration, and the licensing configuration.
   b. At this point, the enterprise suite options menu is entered. Select "New Installation" and continue.
   c. The next configuration menu determines which Check Point software to install on top of the operating system. Select only "VPN-1 & FireWall-1" and continue.
   d. The setup type menu is now displayed. Select a distributed installation and continue.
   e. The installation type menu is entered at this point. Select only "enforcement module" and continue.
   f. Continue through the rest of the configuration until the sysconfig command finishes.
4. Reboot the module.
5. Log in to the console.
6. Switch to expert mode.
7. Copy /boot/grub/grub.conf to /boot/grub/grub.conf.bak.
8. Edit /boot/grub/grub.conf and remove all of the lines below and including the "title Secure Platform NG with Application Intelligence [Maintenace]" line.
9. Save /boot/grub/grub.conf.
10. Copy /etc/cpshell/cpshell.cfg to /etc/cpshell/cpshell.cfg.bak.
11. Edit /etc/cpshell/cpshell.cfg and remove the line beginning with "patch".
12. Save /etc/cpshell/cpshell.cfg.
13. Copy /etc/cpshell/fips.cfg to /etc/cpshell/fips.cfg.bak.
14. Edit /etc/cpshell/fips.cfg and add the following line.

    expert 0 1 "expert" "Switch to expert mode"

15. Save /etc/cpshell/fips.cfg.
16. Save $CPDIR/conf/sic_policy.conf.
17. Copy $CPDIR/lib/libcpprng.so to $CPDIR/lib/libcpprng.so.old
18. Copy libcpprng.so for SecurePlatform, as contained in SK26538 into $FWDIR, overwriting the existing file of that name. (This can be achieved by copying the libcpprng.so from the fix to a floppy, mounting the floppy on the system containing the newly installed Check Point VPN-1 NG with Application Intelligence software, and copying libcpprng.so from the floppy to $CPDIR/lib/libcpprng.so.)
19. Run the following command and verify the Build Number output is "540027501".

    cpvinfo $CPDIR/lib/libcpprng.so

    If the output is not "540027501", return to the previous step and ensure you are copying the version of libcpprng.so that was contained in the Check Point SK26538. If, after repeating step 18, the output is still not "540027501", please contact Check Point support.
20. Copy libcpcert.so for SecurePlatform, as contained in SK26538 into $FWDIR, overwriting the existing file of that name.
    (This can be achieved by copying the libcpcert.so file from the fix to the system containing the newly installed Check Point VPN-1 NG with Application Intelligence software, and copying libcpcert.so into $CPDIR/lib/libcpcert.so.)
21. An application, cd2iso.exe, is provided in the SK to verify the SHA-1 hash of the replacement libcpcert.so file. On a Windows platform, verify the hash of libcpcert.so by running the following command:

    cd2iso -f libcpcert.so

    Verify that the output displayed by the application is:

    "1e2f7a8bdeb104654c36ecf4a76f489f855b50fd libcpcert.so 2443122"

    If the output is not exactly as shown, return to the previous step and ensure you are copying the version of libcpcert.so that was contained in the Check Point SK26538. If, after repeating steps 20 and 21, the output is still not correct, please contact Check Point support.
22. Exit expert mode.
23. Switch the module to FIPS mode by entering the following command.

    fips on

24. Run the following command to rebuild the software integrity values.

    fips integrity on

25. Reboot.

Running the "fips on" command disables SSH, disables the Web UI, removes support for SSLv3 from SIC (i.e. only TLS is supported), enables Local Crypto-Officer account lockout of 60 minutes after 3 failed authentication attempts, disables the remote installation daemon, and removes access to the fw, fwm, and vpn command line utilities.

The Local Crypto-Officer must not switch out of FIPS mode or disable the software integrity check.

Management Station Configuration Steps

In order for the management station to operate correctly with the module running in FIPS mode, the following commands must be run on the management station. Also, the time clock on the management station should be synchronized with the module platform as well as any other trusted systems.

1. If the Check Point services are running, execute the following command to stop all Check Point services.

    cpstop

2. Copy $CPDIR/conf/sic_policy.conf to $CPDIR/conf/sic_policy.conf.bak.
3. Edit $CPDIR/conf/sic_policy.conf and remove all of the following keywords:

    sslca_rc4
    sslca_rc4_comp
    asym_sslca_rc4
    asym_sslca_rc4_comp
    none
    sslca_clear
    ssl
    sslclear
    fwa1
    skey
    fwn1
    skey2
    ssl_opsec
    fwn1_opsec

   Note: If removal of these terms results in the column being blank (columns are delimited by a semi-colon (';')) then comment the line out or remove it. If these words are followed by a comma (', '), then remove it as well.
4. Run the following command to enable only TLSv1 for management sessions.

    ckp_regedit -a "Software\CheckPoint\SIC" FIPS_140 -n 1

5. If the Check Point services were stopped in step 1, restart them by entering the following command.

    cpstart

Remote Crypto-Officer Configuration Guidelines

The Remote Crypto-Officer must follow these guidelines for configuring the module's services.

Authentication during IKE must employ pre-shared keys or digital certificates. Additionally, only the following FIPS-approved algorithms may be used by IPSec and IKE:

Data Encryption
· DES (for legacy use only)
· Triple-DES
· AES

Data Packet Integrity
· HMAC with SHA1

Authentication
· Certificates
· Pre-shared keys

The following figures contain screen-shots that illustrate the FIPS mode settings:

Figure 2 - Only FIPS-Approved Algorithms may be used with IKE
Figure 3 - Only Pre-Shared Keys or Digital Certificates may be used to Authenticate Clients

Figure 4 - Only FIPS-Approved Algorithms may be used with IPSec

Figure 5 - Only FIPS-Approved Algorithms may be used with IPSec or IKE

Crypto-Officer Guidance

The Crypto-Officer is responsible for installation and initialization of the module, configuration and management of the module, and removal of the module. More details on how to use the module can be found in the Check Point NG user manuals.

The Crypto-Officer receives the module in a shrink-wrapped package containing a CD-ROM with the VPN-1 installation media and user documentation. The Crypto-Officer should examine the package and shrink wrap for evidence of tampering. Tamper-evidence includes tears, scratches, and other irregularities in the packaging.

Before the installation of the module, there is no access control provided by the module. Therefore, the Crypto-Officer must maintain control of the installation media.

During installation, the Crypto-Officer boots a standard PC from the CD-ROM containing the module's software. The Crypto-Officer will walk through a series of steps, and must follow the directions above to properly configure the module for FIPS 140-2 compliance.

The Local Crypto-Officer password for the module is a default after installation.
Before this is changed, the Crypto-Officer should maintain control of the module. This must be changed immediately upon logging into the module after installation.

The Crypto-Officer must establish the SIC configuration after logging into the module for the first time. Once this has been completed, the module has been adequately initialized and can be managed from the management server.

Management

Once initialization of the module has been completed, the Crypto-Officer should manage the module using the remote management server. Through this server, the Crypto-Officer is able to configure policies for the module. These policies determine how the firewall and VPN services of the module will function.

The Crypto-Officer is responsible for maintaining the module. Besides management of the module, this involves monitoring the module's logs. If strange activity is found, the Crypto-Officer should take the module offline and investigate. If the module consistently malfunctions or otherwise repeatedly enters an error state, the Crypto-Officer should contact the manufacturer.

Termination

At the end of the life cycle of the module, the Crypto-Officer should reformat the hard drive containing the module's software. This will zeroize all keys and other CSPs.

User Guidance

The User accesses the module's VPN functionality as an IPSec client. Although outside the boundary of the module, the User should be careful not to provide authentication information and session keys to other parties.
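Step 3 of the Management Station Configuration Steps, as an added Python example that is not part of this policy or of Check Point's tooling: it removes the listed keywords as whole comma-separated tokens, comments out a rule whose column would be left blank, and audits a file for keywords that are still active. The "#" comment marker, the function names and the sample rules are assumptions constructed for illustration.

```python
# Keywords that step 3 says to remove from sic_policy.conf.
FORBIDDEN = frozenset("""
    sslca_rc4 sslca_rc4_comp asym_sslca_rc4 asym_sslca_rc4_comp none
    sslca_clear ssl sslclear fwa1 skey fwn1 skey2 ssl_opsec fwn1_opsec
""".split())

COMMENT = "#"  # assumed comment marker


def _tokens(column):
    return [token.strip() for token in column.split(",")]


def filter_line(line):
    """Drop forbidden keywords from one rule line.

    Matching is on whole tokens, so removing "ssl" never damages a
    longer name such as "sslca". A rule left with a blank column is
    commented out; other changed rules are rewritten with normalised
    spacing. Comments and lines without ';' are returned unchanged.
    """
    if line.lstrip().startswith(COMMENT) or ";" not in line:
        return line
    rebuilt, changed, emptied = [], False, False
    for column in line.split(";"):
        tokens = _tokens(column)
        kept = [t for t in tokens if t and t not in FORBIDDEN]
        if any(t in FORBIDDEN for t in tokens):
            changed = True
            emptied = emptied or not kept
        rebuilt.append(", ".join(kept))
    if not changed:
        return line
    if emptied:
        return COMMENT + " " + line.strip()
    return " ; ".join(rebuilt)


def filter_policy(text):
    return "\n".join(filter_line(l) for l in text.splitlines()) + "\n"


def remaining_forbidden(text):
    """Audit: (line number, keyword) pairs still active in the text."""
    hits = []
    for number, line in enumerate(text.splitlines(), start=1):
        if line.lstrip().startswith(COMMENT):
            continue
        for column in line.split(";"):
            hits += [(number, t) for t in _tokens(column) if t in FORBIDDEN]
    return hits


# Constructed sample rules, not copied from a real sic_policy.conf.
SAMPLE = """\
# apply_to ; peer ; port ; service ; methods (constructed sample)
ANY ; mgmt_a ; ANY ; svc_a ; sslca, sslca_rc4, asym_sslca
ANY ; ANY ; ANY ; svc_b ; ssl, sslclear
ANY ; peer_c ; ANY ; svc_c ; ssl_opsec, sslca
"""
```

Running remaining_forbidden over the edited file before step 5 gives a quick check that no listed keyword is left in an active rule.
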
ACRONYMS

AH      Authentication Header
ANSI    American National Standards Institute
CBC     Cipher Block Chaining
CLI     Command Line Interface
CRC     Cyclic Redundancy Check
CSP     Critical Security Parameter
DSA     Digital Signature Standard
EMC     Electromagnetic Compatibility
EMI     Electromagnetic Interference
ESP     Encapsulating Security Payload
FCC     Federal Communication Commission
FIPS    Federal Information Processing Standard
FP      Feature Pack
HF      Hot Fix
IKE     Internet Key Exchange
IPSec   IP Security
KAT     Known Answer Test
LED     Light Emitting Diode
MAC     Message Authentication Code
NG      Next Generation
NIST    National Institute of Standards and Technology
NVLAP   National Voluntary Laboratory Accreditation Program
PC      Personal Computer
PRNG    Pseudo Random Number Generator
RAM     Random Access Memory
RIP     Routing Information Protocol
RSA     Rivest Shamir and Adleman
SA      Security Association
SHA     Secure Hash Algorithm
SIC     Secure Internal Communications
SNMP    Simple Network Management Protocol
SP      Secure Platform
SSH     Secure Shell
SVN     Secure Virtual Network
TLS     Transport Layer Security
VPN     Virtual Private Network