Transcription
FireEye NX Series: NX-900, NX1400, NX-2400, NX-4400, NX4420, NX-7400, NX-7420, NX7500, NX-10000, NX-9450, NX10450FireEye, Inc.FIPS 140-2 Non-Proprietary Security PolicyDocument Version: 0.4Prepared By:Acumen Security18504 Office Park DrMontgomery Village, MD 20886www.acumensecurity.net1
FIPS 140-2 Security Policyv0.2Table of Contents1.Introduction . 41.1Purpose. 41.2Document Organization . 41.3Notices . 42. FireEye NX Series: NX-900, NX-1400, NX-2400, NX-4400, NX-4420, NX-7400, NX-7420, NX7500, NX-10000, NX-9450, NX-10450 . 52.1Cryptographic Module Specification . 52.1.12.2Cryptographic Module Ports and Interfaces . 102.3Roles, Services, and Authentication . 172.3.1Authorized Roles . 172.3.2Authentication Mechanisms . 172.3.3Services . 182.4Physical Security . 232.5Cryptographic Key Management . 242.6Cryptographic Algorithm . 272.6.1FIPS-approved Algorithms . 272.6.2Non-Approved Algorithms allowed for use in FIPS-mode . 272.6.3Non-Approved Algorithms . 282.7Electromagnetic Interference / Electromagnetic Compatibility (EMI/EMC) . 292.8Self-Tests . 302.8.1Power-On Self-Tests . 302.8.2Conditional Self-Tests . 302.8.3Self-Tests Error Handling . 302.93.Mitigation of Other Attacks . 31Secure Operation . 323.12Cryptographic Boundary . 5Secure Distribution . 323.1.1Firmware Distribution. 323.1.2Hardware Distribution . 323.2Installation . 323.3Initialization . 32
FIPS 140-2 Security Policyv0.23.3.1Entering New Authentication Credentials . 323.3.2Enable Trusted Platform Module . 323.3.3Enable compliance configuration options . 323.3.4Enable FIPS 140-2 compliance . 333.4Management . 333.4.1SSH Usage . 333.4.1.1Symmetric Encryption Algorithms: . 333.4.1.2KEX Algorithms: . 333.4.1.3Message Authentication Code (MAC) Algorithms: . 343.4.23.5TLS Usage . 34Additional Information . 34Appendix A: Acronyms . 363
FIPS 140-2 Security Policyv0.21. IntroductionThis is a non-proprietary FIPS 140-2 Security Policy for the FireEye NX Series: NX-900, NX-1400,NX-2400, NX-4400, NX-4420, NX-7400, NX-7420, NX-7500, NX-10000, NX-9450, NX-10450.Below are the details of the product validated:Hardware Version: NX-900, NX-1400, NX-2400, NX-4400, NX-4420, NX-7400, NX-7420, NX-7500,NX-10000, NX-9450, NX-10450Software Version #: 7.6.0FIPS 140-2 Security Level: 11.1PurposeThis document was prepared as Federal Information Processing Standard (FIPS) 140-2validation evidence. The document describes how the FireEye NX Series: NX-900, NX-1400, NX2400, NX-4400, NX-4420, NX-7400, NX-7420, NX-7500, NX-10000, NX-9450, NX-10450 meetsthe security requirements of FIPS 140-2. It also provides instructions to individuals andorganizations on how to deploy the product in a secure FIPS-approved mode of operation.Target audience of this document is anyone who wishes to use or integrate this product into asolution that is meant to comply with FIPS 140-2 requirements.1.2Document OrganizationThe Security Policy document is one document in a FIPS 140-2 Submission Package. In additionto this document, the Submission Package contains:Vendor Evidence documentFinite State MachineOther supporting documentation as additional referencesThis Security Policy and the other validation submission documentation were produced byAcumen Security, LLC under contract to FireEye, Inc. With the exception of this Non-ProprietarySecurity Policy, the FIPS 140-2 Submission Package is proprietary to FireEye, Inc. and isreleasable only under appropriate non-disclosure agreements.1.3NoticesThis document may be freely reproduced and distributed in its entirety without modification.4
FIPS 140-2 Security Policyv0.22. FireEye NX Series: NX-900, NX-1400, NX-2400, NX-4400, NX4420, NX-7400, NX-7420, NX-7500, NX-10000, NX-9450, NX10450The FireEye NX Series: NX-900, NX-1400, NX-2400, NX-4400, NX-4420, NX-7400, NX-7420, NX7500, NX-10000, NX-9450, NX-10450 (the module) is a multi-chip standalone module validatedat FIPS 140-2 Security Level 1. Specifically, the module meets the following security levels forindividual sections in the FIPS 140-2 standard:Table 1 - Security Level for Each FIPS 140-2 Section#12345678910112.1Section TitleCryptographic Module SpecificationCryptographic Module Ports and InterfacesRoles, Services, and AuthenticationFinite State ModelPhysical SecurityOperational EnvironmentCryptographic Key ManagementEMI/EMCSelf-TestsDesign AssurancesMitigation Of Other AttacksSecurity Level11311N/A1113N/ACryptographic Module SpecificationThe FireEye Network Threat Prevention Platform identifies and blocks zero-day Web exploits,droppers (binaries), and multi-protocol callbacks to help organizations scale their advancedthreat defenses across a range of deployments, from the multi-gigabit headquarters down toremote, branch, and mobile offices. FireEye Network with Intrusion Prevention System (IPS)technology further optimizes spend, substantially reduces false positives, and enablescompliance while driving security across known and unknown threats.2.1.1 Cryptographic BoundaryThe cryptographic boundary for the module is defined as encompassing the "top," "front,""left," "right," and "bottom" surfaces of the case and all portions of the "backplane" of the case.The following figures provide a physical depiction of the cryptographic module.5
FIPS 140-2 Security Policyv0.2Figure 1: FireEye NX 900Figure 2: FireEye NX 1400Figure 3: FireEye NX 24006
FIPS 140-2 Security Policyv0.2Figure 4: FireEye NX 4400Figure 5: FireEye NX 4420Figure 6: FireEye NX 7400Figure 7: FireEye NX 74207
FIPS 140-2 Security Policyv0.2Figure 8: FireEye NX 7500Figure 9: FireEye NX 9450Figure 10: FireEye NX 100008
FIPS 140-2 Security Policyv0.2Figure 11: FireEye NX 104509
FIPS 140-2 Security Policy2.2v0.2Cryptographic Module Ports and InterfacesThe module provides a number of physical and logical interfaces to the device, and the physicalinterfaces provided by the module are mapped to four FIPS 140-2 defined logical interfaces:data input, data output, control input, and status output. The logical interfaces and theirmapping are described in the following tables:Table 2 - Module Interface Mapping – NX-900FIPS InterfaceData InputData OutputControl InputStatus OutputPower InterfacePhysical Interface(2x) 10/100/1000 BASE-T Ports (Network Monitoring)(2x) 10/100/1000 BASE-T Ports (Management)PS/2 Keyboard and Mouse Ports(2x) USB PortsSerial Port(2x) 10/100/1000 BASE-T Ports (Network Monitoring)(2x) 10/100/1000 BASE-T Ports (Management)DB15 VGA Port(2x) USB PortsSerial Port(2x) 10/100/1000 BASE-T Ports (Management)PS/2 Keyboard and Mouse Ports(2x) USB PortsSerial Port(2x) 10/100/1000 BASE-T Ports (Management)DB15 VGA Port(2x) USB PortsSerial PortPower PortTable 3 - Module Interface Mapping – NX-1400FIPS InterfaceData InputData OutputControl Input10Physical Interface(2x) 10/100/1000 BASE-T Ports (Network Monitoring)(2x) 10/100/1000 BASE-T Ports (Management)PS/2 Keyboard and Mouse Ports(2x) USB PortsSerial Port(2x) 10/100/1000 BASE-T Ports (Network Monitoring)(2x) 10/100/1000 BASE-T Ports (Management)DB15 VGA Port(2x) USB PortsSerial Port(2x) 10/100/1000 BASE-T Ports (Management)PS/2 Keyboard and Mouse Ports
FIPS 140-2 Security PolicyFIPS InterfaceStatus OutputPower Interfacev0.2Physical Interface(2x) USB PortsSerial Port(2x) 10/100/1000 BASE-T Ports (Management)DB15 VGA Port(2x) USB PortsSerial PortPower PortTable 4 - Module Interface Mapping – NX-2400FIPS InterfaceData InputData OutputControl InputStatus OutputPower InterfacePhysical Interface(4x) 10/100/1000 BASE-T Ports (Network Monitoring)(2x) 10/100/1000 BASE-T Ports (Management)PS/2 Keyboard and Mouse Ports(2x) USB PortsSerial Port(4x) 10/100/1000 BASE-T Ports (Network Monitoring)(2x) 10/100/1000 BASE-T Ports (Management)DB15 VGA Port(2x) USB PortsSerial Port(2x) 10/100/1000 BASE-T Ports (Management)PS/2 Keyboard and Mouse Ports(2x) USB PortsSerial Port(2x) 10/100/1000 BASE-T Ports (Management)DB15 VGA Port(2x) USB PortsSerial PortPower PortTable 5 - Module Interface Mapping – NX-4400FIPS InterfaceData InputData Output11Physical Interface(4x) 10/100/1000 BASE-T Ports (Network Monitoring)(2x) 10/100/1000 BASE-T Ports (Management)PS/2 Keyboard and Mouse Ports(2x) USB PortsSerial Port(4x) 10/100/1000 BASE-T Ports (Network Monitoring)(2x) 10/100/1000 BASE-T Ports (Management)DB15 VGA Port(2x) USB Ports
FIPS 140-2 Security PolicyFIPS InterfaceControl InputStatus OutputPower Interfacev0.2Physical InterfaceSerial Port(2x) 10/100/1000 BASE-T Ports (Management)PS/2 Keyboard and Mouse Ports(2x) USB PortsSerial Port(2x) 10/100/1000 BASE-T Ports (Management)DB15 VGA Port(2x) USB PortsSerial PortPower PortTable 6 - Module Interface Mapping – NX-4420FIPS InterfaceData InputData OutputControl InputStatus OutputPower InterfacePhysical Interface(4x) 1000 BASE-SX Fiber Optic Ports (Network Monitoring)(2x) 10/100/1000 BASE-T Ports (Management)PS/2 Keyboard and Mouse Ports(2x) USB PortsSerial Port(4x) 1000 BASE-SX Fiber Optic Ports (Network Monitoring)(2x) 10/100/1000 BASE-T Ports (Management)DB15 VGA Port(2x) USB PortsSerial Port(2x) 10/100/1000 BASE-T Ports (Management)PS/2 Keyboard and Mouse Ports(2x) USB PortsSerial Port(2x) 10/100/1000 BASE-T Ports (Management)DB15 VGA Port(2x) USB PortsSerial PortPower PortTable 7 - Module Interface Mapping – NX-7400FIPS InterfaceData InputData Output12Physical Interface(4x) 10/100/1000 BASE-T Ports (Network Monitoring)(2x) 10/100/1000 BASE-T Ports (Management)PS/2 Keyboard and Mouse Ports(2x) USB PortsSerial Port(4x) 10/100/1000 BASE-T Ports (Network Monitoring)
FIPS 140-2 Security PolicyControl InputStatus OutputPower Interface(2x) 10/100/1000 BASE-T Ports (Management)DB15 VGA Port(2x) USB PortsSerial Port(2x) 10/100/1000 BASE-T Ports (Management)PS/2 Keyboard and Mouse Ports(2x) USB PortsSerial Port(2x) 10/100/1000 BASE-T Ports (Management)DB15 VGA Port(2x) USB PortsSerial PortPower PortTable 8 - Module Interface Mapping – NX-7420FIPS InterfaceData InputData OutputControl InputStatus OutputPower InterfacePhysical Interface(4x) 1000 BASE-SX Fiber Optic Ports (Network Monitoring)(2x) 10/100/1000 BASE-T Ports (Management)PS/2 Keyboard and Mouse Ports(2x) USB PortsSerial Port(4x) 1000 BASE-SX Fiber Optic Ports (Network Monitoring)(2x) 10/100/1000 BASE-T Ports (Management)DB15 VGA Port(2x) USB PortsSerial Port(2x) 10/100/1000 BASE-T Ports (Management)PS/2 Keyboard and Mouse Ports(2x) USB PortsSerial Port(2x) 10/100/1000 BASE-T Ports (Management)DB15 VGA Port(2x) USB PortsSerial PortPower PortTable 9 - Module Interface Mapping – NX-7500FIPS InterfaceData Input13Physical Interface(4x) 10/100/1000 BASE-T Ports (Network Monitoring)(2x) 10/100/1000 BASE-T Ports (Management)PS/2 Keyboard and Mouse Ports(4x) USB Portsv0.2
FIPS 140-2 Security PolicyData OutputControl InputStatus OutputPower Interfacev0.2Serial Port(4x) 10/100/1000 BASE-T Ports (Network Monitoring)(2x) 10/100/1000 BASE-T Ports (Management)DB15 VGA Port(4x) USB PortsSerial Port(2x) 10/100/1000 BASE-T Ports (Management)PS/2 Keyboard and Mouse Ports(4x) USB PortsSerial Port(2x) 10/100/1000 BASE-T Ports (Management)DB15 VGA Port(4x) USB PortsSerial PortPower PortTable 10 - Module Interface Mapping – NX-9450FIPS InterfaceData InputData OutputControl InputStatus Output14Physical Interface4x SFP Ports4xSFP Ports1000baseSX Port1000baseLX Port1000baseT Port(2x) 10/100/1000 BASE-T Ports (Management)PS/2 Keyboard and Mouse Ports(4x) USB PortsSerial Port4x SFP Ports4xSFP Ports1000baseSX Port1000baseLX Port1000baseT Port(2x) 10/100/1000 BASE-T Ports (Management)DB15 VGA Port(4x) USB PortsSerial Port(2x) 10/100/1000 BASE-T Ports (Management)PS/2 Keyboard and Mouse Ports(4x) USB PortsSerial Port(2x) 10/100/1000 BASE-T Ports (Management)DB15 VGA Port
FIPS 140-2 Security PolicyFIPS InterfacePower Interfacev0.2Physical Interface(4x) USB PortsSerial PortPower PortTable 11 - Module Interface Mapping – NX-10000FIPS InterfaceData InputData OutputControl InputStatus OutputPower InterfacePhysical Interface(2x) 10GBASE - SR/SW 850nm Ports10GbaseSX Port(2x) 10/100/1000 BASE-T Ports (Management)PS/2 Keyboard and Mouse Ports(4x) USB PortsSerial Port(2x) 10GBASE - SR/SW 850nm Ports10GbaseSX Port(2x) 10/100/1000 BASE-T Ports (Management)DB15 VGA Port(4x) USB PortsSerial Port(2x) 10/100/1000 BASE-T Ports (Management)PS/2 Keyboard and Mouse Ports(4x) USB PortsSerial Port(2x) 10/100/1000 BASE-T Ports (Management)DB15 VGA Port(4x) USB PortsSerial PortPower PortTable 12 - Module Interface Mapping – NX-10450FIPS InterfaceData InputData Output15Physical Interface(8x) SFP Ports (4 x 1000base and 4 x 10Gbase)1000baseSX/10GbaseSR Port1000baseLX/10GbaseLR Port1000baseT Port10GbaseCu Port(2x) 10/100/1000 BASE-T Ports (Management)PS/2 Keyboard and Mouse Ports(4x) USB PortsSerial Port(8x) SFP Ports (4 x 1000base and 4 x 10Gbase)1000baseSX/10GbaseSR Port
FIPS 140-2 Security PolicyControl InputStatus OutputPower Interface161000baseLX/10GbaseLR Port1000baseT Port10GbaseCu Port(2x) 10/100/1000 BASE-T Ports (Management)DB15 VGA Port(4x) USB PortsSerial Port(2x) 10/100/1000 BASE-T Ports (Management)PS/2 Keyboard and Mouse Ports(4x) USB PortsSerial Port(2x) 10/100/1000 BASE-T Ports (Management)DB15 VGA Port(4x) USB PortsSerial PortPower Portv0.2
FIPS 140-2 Security Policy2.3v0.2Roles, Services, and AuthenticationThe following sections provide details about roles supported by the module, how these rolesare authenticated and the services the roles are authorized to access.2.3.1 Authorized RolesThe module supports several different roles, including multiple Cryptographic Officer roles anda User role.Configuration of the module can occur over several interfaces and at different levels dependingupon the role assigned to the user. There are multiple types of Cryptographic Officers that mayconfigure the module, as follows: Admin: The system administrator is a “super user” who has all capabilities. The primaryfunction of this role is to configure the system.Monitor: The system monitor has read-only access to some things the admin role canchange or configure.Operator: The system operator has a subset of the capabilities associated with theadmin role. Its primary function is configuring and monitoring the system.Analyst: The system analyst focuses on data plane analysis and possesses severalcapabilities, including setting up alerts and reports.Auditor: The system auditor reviews audit logs and performs forensic analysis to tracehow events occurred.SNMP: The SNMP role provides system monitoring through SNMPv3.The Users of the module are the remote IT devices and remote management clients accessingthe module via cryptographic protocols. These protocols include, SSH, TLS, and SNMPv3.Unauthenticated users are only able to access the module LEDs and power cycle the module.2.3.2 Authentication MechanismsThe module supports identity-based authentication. Module operators must authenticate tothe module before being allowed access to services, which require the assumption of anauthorized role. The module employs the authentication methods described in the table belowto authenticate Crypto-Officers and Users.Table 13 - Authentication Mechanism e Of AuthenticationPassword/UsernameAuthentication StrengthAll passwords must be between 8 and 32characters. If (8) integers are used for an eight digitpassword, the probability of randomly guessing thecorrect sequence is one (1) in 100,000,000 (thiscalculation is based on the assumption that the
FIPS 140-2 Security PolicyRoleSNMPUserType Of AuthenticationPassword/Username orRSA AsymmetricAuthenticationv0.2Authentication Strengthtypical standard American QWERTY computerkeyboard has 10 Integer digits. The calculationshould be 10 8 100,000,000). Therefore, theassociated probability of a successful randomattempt is approximately 1 in 100,000,000, whichis less than 1 in 1,000,000 required by FIPS 140-2.In order to successfully guess the sequence in oneminute would require the ability to make over1,666,666 guesses per second, which far exceedsthe operational capabilities of the module.All passwords must be between 8 and 32characters. If (8) integers are used for an eight digitpassword, the probability of randomly guessing thecorrect sequence is one (1) in 100,000,000 (thiscalculation is based on the assumption that thetypical standard American QWERTY computerkeyboard has 10 Integer digits. The calculationshould be 10 8 100,000,000). Therefore, theassociated probability of a successful randomattempt is approximately 1 in 100,000,000, whichis less than 1 in 1,000,000 required by FIPS 140-2.In order to successfully guess the sequence in oneminute would require the ability to make over1,666,666 guesses per second, which far exceedsthe operational capabilities of the module.When using RSA based authentication, RSA keypair has modulus size of 2048 bit, thus providing112 bits of strength. Therefore, an attacker wouldhave a 1 in 2 112 chance of randomly obtainingthe key, which is much stronger than the one in amillion chance required by FIPS 140-2. For RSAbased authentication, to exceed a 1 in 100,000probability of a successful random key guess in oneminute, an attacker would have to be capable ofapproximately 3.25X10 32 attempts per minute,which far exceeds the operational capabilities ofthe modules to support.2.3.3 ServicesThe services that are available to unauthenticated entities and the services that requireoperators to assume an authorized role (Crypto-Officer or User) are listed in the table below.18
FIPS 140-2 Security Policyv0.2Please note that the keys and Critical Security Parameters (CSPs) listed below use the followingindicators to show the type of access required: R (Read): The CSP is read W (Write): The CSP is established, generated, or modified Z (Zeroize): The CSP is zeroizedTable 14 - ServicesServiceSSH toexternal ITdeviceDescriptionSecure connectionbetween a NX andother FireEyeappliances usingSSH.Administrative Secure remoteaccess overcommand lineSSHapplianceadministration overan SSH tunnel.Administrative Secure remote GUIaccess overappliancewebGUIadministration orAdmin,Monitor,Operator,Key/CSP and Type of Access DRBG entropy input (R)DRBG Seed (R)DRBG V (R/W/Z)DRBG Key (R/W/Z)Diffie-Hellman Shared Secret(R/W/Z)Diffie Hellman private key (R/W/Z)Diffie Hellman public key (R/W/Z)SSH Private Key (R/W/Z)SSH Public Key (R/W/Z)SSH Session Key (R/W/Z)SSH Integrity Key (R/W/Z)Admin Password (R/W/Z)Monitor Password (R/W/Z)Operator Password (R/W/Z)Analyst Password (R/W/Z)Auditor Password (R/W/Z)DRBG entropy input (R)DRBG Seed (R)DRBG V (R/W/Z)DRBG Key (R/W/Z)Diffie-Hellman Shared Secret(R/W/Z)Diffie Hellman private key (R/W/Z)Diffie Hellman public key (R/W/Z)SSH Private Key (R/W/Z)SSH Public Key (R/W/Z)SSH Session Key (R/W/Z)SSH Integrity Key (R/W/Z)Admin Password (R/W/Z)Monitor Password (R/W/Z)Operator Password (R/W/Z)
FIPS 140-2 Security PolicyServiceDescriptiona TLS tunnel.v0.2RoleAnalyst,AuditorAdministrativeaccess overserial consoleand VGADirectly connectedcommand ,Analyst,AuditorSNMPv3Secure remoteSNMPv3-basedsystem monitoring.TLS-basedconnection used toupload data to theFireEye cloud.SNMPDTIconnectionLDAP over TLS20Secure remoteauthentication viaTLS protected LDAPUserUserKey/CSP and Type of Access Analyst Password (R/W/Z)Auditor Password (R/W/Z)DRBG entropy input (R)DRBG Seed (R)DRBG V (R/W/Z)DRBG Key (R/W/Z)Diffie-Hellman Shared Secret(R/W/Z)Diffie Hellman private key (R/W/Z)Diffie Hellman public key (R/W/Z)TLS Private Key (R/W/Z)TLS Public Key (R/W/Z)TLS Pre-Master Secret (R/W/Z)TLS Session Encryption Key (R/W/Z)Admin Password (R/W/Z)Monitor Password (R/W/Z)Operator Password (R/W/Z)Analyst Password (R/W/Z)Auditor Password (R/W/Z)SNMP Session Key (R/W/Z)SNMPv3 password (R/W/Z)DRBG entropy input (R)DRBG Seed (R)DRBG V (R/W/Z)DRBG Key (R/W/Z)Diffie-Hellman Shared Secret(R/W/Z)Diffie Hellman private key (R/W/Z)Diffie Hellman public key (R/W/Z)TLS Private Key (R/W/Z)TLS Public Key (R/W/Z)TLS Pre-Master Secret (R/W/Z)TLS Session Encryption Key (R/W/Z)Admin Password (R/W/Z)Monitor Password (R/W/Z)Operator Password (R/W/Z)Analyst Password (R/W/Z)Auditor Password (R/W/Z)
FIPS 140-2 Security PolicyServiceDescriptionv0.2RoleKey/CSP and Type of Access Secure logtransferTLS-basedconnection with aremote auditserver.Show StatusView theoperational statusof the moduleZeroization via“compliancedeclassifyzeroize”CommandPerform zeroizationof all persistentCSPs within torAdmin DRBG entropy input (R)DRBG Seed (R)DRBG V (R/W/Z)DRBG Key (R/W/Z)Diffie-Hellman Shared Secret(R/W/Z)Diffie Hellman private key (R/W/Z)Diffie Hellman public key (R/W/Z)TLS Private Key (R/W/Z)TLS Public Key (R/W/Z)TLS Pre-Master Secret (R/W/Z)TLS Session Encryption Key (R/W/Z)DRBG entropy input (R)DRBG Seed (R)DRBG V (R/W/Z)DRBG Key (R/W/Z)Diffie-Hellman Shared Secret(R/W/Z)Diffie Hellman private key (R/W/Z)Diffie Hellman public key (R/W/Z)TLS Private Key (R/W/Z)TLS Public Key (R/W/Z)TLS Pre-Master Secret (R/W/Z)TLS Session Encryption Key (R/W/Z)N/A Admin Password (Z)Monitor Password (Z)Operator Password (Z)Analyst Password (Z)Auditor Password (Z)SSH Private Key (Z)SSH Public Key (Z)SNMPv3 password (Z)TLS Private Key (Z)TLS Public Key (Z)
FIPS 140-2 Security PolicyServiceStatus LEDOutputCycle Power/Perform SelfTestsDescriptionView status via theModules LEDs.Reboot ofappliance.R – Read, W – Write, Z – Zeroize22v0.2RoleKey/CSP and Type of AccessUn-auth N/AAdmin,Monitor,Operator,Analyst,Auditor,Un-auth DRBG entropy input (Z)DRBG Seed (Z)DRBG V (Z)DRBG Key (Z)Diffie-Hellman Shared Secret (Z)Diffie Hellman private key (Z)Diffie Hellman public key (Z)SSH Session Key (Z)SSH Integrity Key (Z)SNMPv3 session key (Z)TLS Pre-Master Secret (Z)TLS Session Encryption Key (Z)TLS Session Integrity Key (Z)
FIPS 140-2 Security Policy2.4Physical SecurityThe modules are production grade multi-chip standalone cryptographic modules that meetLevel 1 physical security requirements.23v0.2
2.5Cryptographic Key ManagementThe following table identifies each of the CSPs associated with the module. For each CSP, the following information is provided: The name of the CSP/Key The type of CSP and associated length A description of the CSP/Key Storage of the CSP/Key The zeroization for the CSP/KeyTable 15 - Details of Cryptographic Keys and CSPsKey/CSPDRBG entropyinputDRBG SeedTypeCTR 256-bitDescriptionThis is the entropy for SP 800-90 RNG.StorageZeroizationDRAMDevice power cycle.CTR 256-bitDRAMDevice power cycle.DRBG VCTR 256-bitDRAMDevice power cycle.DRBG KeyCTR 256-bitDRAMDevice power cycle.Diffie-HellmanShared SecretDiffie Hellmanprivate keyDiffie Hellmanpublic keySSH Private KeyDH 2048 – 4096bitsDH 2048 – 4096bitsDH 2048 – 4096bitsRSA (Private Key)2048 – 3072 bitsRSA (Public Key)2048 – 3072 bitsTriple-DES 192bitsThis DRBG seed is collected from the onboard hardwareentropy source.Internal V value used as part of SP800-90 CTR DRBG.Internal Key value used as part of SP800-90 CTR DRBG.The shared exponent used in Diffie-Hellman (DH)exchange. Created per the Diffie-Hellman protocol.The private exponent used in Diffie-Hellman (DH)exchange.The p used in Diffie-Hellman (DH) exchange.DRAMDevice power cycle.DRAMDevice power cycle.DRAMDevice power cycle.The SSH private key for the module used for sessionauthentication.The SSH public key for the module used for sessionauthentication.The SSH session key. This key is created through SSHkey establishment.NVRAMOverwritten w/ “00”prior to replacement.Overwritten w/ “00”prior to replacement.Device power cycle.SSH Public KeySSH Session Key24NVRAMDRAM
FIPS 140-2 Security PolicyKey/CSPSSH Integrity KeySNMPv3 passwordSNMPv3 sessionkeyTLS Private KeyTLS Public KeyTLS Pre-MasterSecretTLS SessionEncryption KeyTLS SessionIntegrity KeyAdmin PasswordMonitor Password25TypeAES 128, 256 bitsHMAC-SHA1,HMAC-SHA-256HMAC-512Shared Secret, atleast eightcharactersAES 128 bitsRSA (Private Key)2048 – 3072 bitsECDSA (224 –512 bits)RSA (Private Key)2048 – 3072 bitsECDSA (224 –512 bits)Shared Secret,384 bitsTriple-DES 192bitsAES 128, 256 bitsv0.2DescriptionStorageZeroizationThe SSH data integrity key. This key is created throughSSH key establishment.DRAMDevice power cycle.This secret is used to derive HMAC-SHA1 key forSNMPv3 Authentication.NVRAMOverwritten w/ “00”prior to replacement.SNMP symmetric encryption key used toencrypt/decrypt SNMP traffic.This private key is used for TLS session authentication.DRAMDevice power cycle.NVRAMOverwritten w/ “00”prior to replacement.This public key is used for TLS session authentication.NVRAMOverwritten w/ “00”prior to replacement.Shared Secret created using asymmetric cryptographyfrom which new TLS session keys can be created.Key used to encrypt/decrypt TLS session data.DRAMDevice power cycle.DRAMDevice power cycle.DRAMDevice power cycle.NVRAMOverwritten w/ “00”prior to replacement.Overwritten w/ “00”HMAC SHA-1 160 HMAC-SHA-1 used for TLS data integrity protection.bitsShared Secret,Authentication password for the Admin user role.8 charactersShared Secret,Authentication password for the Monitor user role.NVRAM
FIPS 140-2 Security PolicyKey/CSPOperator PasswordAnalyst PasswordAuditor Password26Type8 charactersShared Secret,8 charactersShared Secret,8 charactersShared Secret,8 charactersv0.2DescriptionStorageAuthentication password for the Operator user role.NVRAMAuthentication password for the Analyst user role.NVRAMAuthentication password for the Audit user role.NVRAMZeroizationprior to replacement.Overwritten w/ “00”prior to replacement.Overwritten w/ “00”prior to replacement.Overwritten w/ “00”prior to replacement.
2.6Cryptographic Algorithm2.6.1 FIPS-approved AlgorithmsThe following table identifies the FIPS-approved algorithms included in the module for use inthe FIPS mode of operation.Table 16 – FIPS-approved AlgorithmsCryptographi
FireEye, Inc. FIPS 140-2 Non-Proprietary Security Policy Document Version: 0.4 Prepared By: Acumen Security 18504 Office Park Dr Montgomery Village, MD 20886 www.acumensecurity.net FireEye NX Series: NX-900, NX-1400, NX-2400, NX-4400, NX-4420, NX-7400, NX-7420, NX-
