Transcription
FIPS 140-2 Non-ProprietarySecurity PolicyforWatchGuard Technologies Inc.FireboxM270M370M470M570M670Version: 1.5September 18, 2020FIPS 140-2 Non-Proprietary Security Policy for WatchGuard Technologies Inc. FireboxPage 1 of 52
WatchGuard Firebox FIPS 140-2 Non-Proprietary Security PolicyHardware:Firebox M270 (hardware model # TL2AE8)Firebox M370 (hardware model # WL6AE8)Firebox M470, M570, M670 (hardware model # WL6AE8 with NIC modules WG8592, WG8593, andWG8594)Firmware Version:Fireware OS v12.3.1Copyright NoticeThis document may be copied without WatchGuard’s explicit permission provided that it is copied in itsentirety without any gulatory complianceFCC Class A Part 15FIPS 140-2 Non-Proprietary Security Policy for WatchGuard Technologies Inc. FireboxPage 2 of 52
Table of Contents1INTRODUCTION. 52FIREBOX MODULE OVERVIEW. 53SECURITY LEVEL. 64ROLES, SERVICES AND AUTHENTICATION . 84.1M ODULE ACCESS M ETHODS. 84.1.1 Web UI. 84.1.2 Command Line Interface . 84.2ROLES . 84.3SERVICES . 94.4APPROVED ALGORITHMS .114.5NON-FIPS APPROVED BUT ALLOWED ALGORITHMS .154.6NON-FIPS APPROVED SERVICES.154.7NON-FIPS APPROVED ALGORITHMS .154.8ALTERNATING BYPASS .164.9AUTHENTICATION .165INTERFACES .185.15.25.36FIREBOX M270.19FIREBOX M370.22FIREBOX M470, M570, AND M670 .25FIPS 140-2 COMPLIANT OPERATION .306.1SECURITY RULES.306.2SELF -TESTS .306.3CRYPTOGRAPHIC OFFICER GUIDANCE .326.3.1 Secure Installation .326.3.2 Enabling FIPS Mode Operation .326.3.3 Disabling FIPS Mode Operation .336.4USER GUIDANCE .337TAMPER EVIDENCE .347.17.27.38CRYPTOGRAPHIC KEY MANAGEMENT .388.18.29FIREBOX M270.35FIREBOX M370.36FIREBOX M470, M570, AND M670 .37CRYPTOGRAPHIC KEYS AND CRITICAL SECURITY PARAMETERS .38PUBLIC KEYS .45MITIGATION OF OTHER ATTACKS .479.19.29.3GATEWAY IPS SERVICE.47GATEWAY ANTIVIRUS SERVICE .47SPAMB LOCKER SERVICE.48FIPS 140-2 Non-Proprietary Security Policy for WatchGuard Technologies Inc. FireboxPage 3 of 52
9.49.59.69.710WEBBLOCKER SERVICE.48APPLICATION CONTROL SERVICE.48DATA LOSS PREVENTION SERVICE.49ADVANCED PERSISTENT THREAT BLOCKER SERVICE.49DEFINITIONS.50FIPS 140-2 Non-Proprietary Security Policy for WatchGuard Technologies Inc. FireboxPage 4 of 52
1 IntroductionThis document is a FIPS 140-2 Security Policy for WatchGuard’s Firebox Security System. This policydescribes how the Firebox M270, M370, M470, M570, and M670 models (hereafter referred to as the‘module’ or the ‘Firebox module’) meets the FIPS 140-2 security requirements and how to operate themodule in a FIPS compliant manner.This policy was created as part of the Level 2 FIPS 140-2 validation of the Firebox module.The Federal Information Processing Standards Publication 140-2 – Security Requirements forCryptographic Modules (FIPS 140-2) details the United States Federal Government requirements forcryptographic modules. Detailed information about the FIPS 140-2 standard and validation program isavailable on the NIST (National Institute of Standards and Technology) website 2 Firebox Module OverviewWatchGuard Firebox appliances are built for enterprise-grade performance with blazing throughputand numerous connectivity options. Advanced networking features include clustering, high availability(active/active), VLAN support, multi-WAN load balancing and enhanced VoIP security, plus inbound andoutbound HTTPS inspection, to give the strong security enterprises need. And the Firebox appliances arecompletely configurable – turn on or off components and services to fit different network securitydeployment requirements.WatchGuard’s Firebox product family spans the full range of network environments, from SOHO toservice provider, offering cost effective systems for any size of application. They detect and eliminatethe most damaging, content-based threats from email and Web traffic such as viruses, worms,intrusions, inappropriate Web content and more in real time — without degrading networkperformance. The Firebox module delivers a full range of application level firewall and network-levelservices — application control, data loss prevention, advanced persistent threats blocker, VPN, intrusionprevention, web filtering, antivirus, antispam and traffic shaping — in dedicated, easily managedplatforms.The Firebox security system employs the powerful, secure, Fireware OS to achieve breakthroughprice/performance. This system provides a critical layer of real-time, network-based antivirus protectionthat complements host-based antivirus software and supports “defense-in-depth” strategies withoutcompromising performance or cost. They can be easily configured to provide antivirus protection,antispam protection and content filtering in conjunction with existing firewall, VPN, and related devices,or as complete network protection systems.The Firebox module supports the IPSec industry standard for VPN, allowing VPNs to be configuredbetween a Firebox module and any client or gateway/firewall that supports IPSec VPN. The Fireboxmodule also provides SSLVPN services.The Firebox module is defined as a multi-chip standalone cryptographic module consisting of productiongrade components contained in a physically protected enclosure. The entire enclosure is defined as theFIPS 140-2 Non-Proprietary Security Policy for WatchGuard Technologies Inc. FireboxPage 5 of 52
cryptographic boundary of the cryptographic module. The cryptographic boundary for FIPS 140-2certification is equivalent to the TOE boundary for Common Criteria (CC) certification.Figure 1: Cryptographic Module Block Diagram3 Security LevelThe WatchGuard Firebox appliances meet the overall requirements applicable to Level 2 security of FIPS140-2.Table 1: Module Security Level SpecificationSecurity Requirements SectionCryptographic Module SpecificationCryptographic Module Ports SpecificationRoles, Services, and AuthenticationFinite State MachinePhysical SecurityLevel22222FIPS 140-2 Non-Proprietary Security Policy for WatchGuard Technologies Inc. FireboxPage 6 of 52
Operational EnvironmentCryptographic Key ManagementEMI/EMCSelf-TestsDesign AssuranceMitigation of Other AttacksN/A22222FIPS 140-2 Non-Proprietary Security Policy for WatchGuard Technologies Inc. FireboxPage 7 of 52
4 Roles, Services and Authentication4.1 Module Access MethodsThere are two convenient and secure ways to connect, configure and manage the module.4.1.1Web UIThe Firebox module provides a web based GUI based access to the module, which is the convenient wayto configure the module. The Web UI requires a web browser on the management computer and anEthernet connection between the module and the management computer.A web-browser that supports Transport Layer Security (TLS) 1.2 is required for remote access to theWeb UI when the modules are operating in FIPS mode.The web browser is not part of the validated module boundary.4.1.2Command Line InterfaceThe Command Line Interface (CLI) is a rich, text based management tool for the module. The CLIprovides access to all of the possible services and configuration options in the modules. The CLI uses aconsole or a network (Ethernet) connection between the module and the management computer. Theconsole connection is a direct serial connection. Terminal emulation software is required on themanagement computer using either method. For network access, a Telnet or SSH client that supportsthe SSH v2.0 protocol is required. SSH v1.0 is not supported in FIPS mode.The Telnet or SSH client is not part of the validated module boundary.4.2 RolesThe module implements role-based authentication. The module provides two pre-defined roles forusers: User (status) and Cryptographic Officer (admin) role. One of these roles can be assumed by anoperator after authenticating to the module remotely or through a console connection using ausername/password combination. The module does not allow the creation of additional operatoraccounts or roles.An operator assuming the Cryptographic Officer role has full read/write access to all of the functions andservices of the module, including configuration, resetting or shutting down the module. This also impliesthat the Cryptographic Officer role includes all the accesses and privileges the User has.The User is not allowed to make any changes to the configuration of the module. The User role is onlyfor viewing and reporting the configuration and status of the module and its functions.Operator accounts are differentiated by the username during authentication. More than one operatorwith User role can be connected to the module at any given time. However, there can be only oneCryptographic Officer login at any given time. Concurrent login attempts by the Cryptographic Officerare refused by the module.It is not possible to change roles without re-authentication.FIPS 140-2 Non-Proprietary Security Policy for WatchGuard Technologies Inc. FireboxPage 8 of 52
4.3 ServicesThe following table details the FIPS approved services available for each role, the types of access foreach role, and the Keys or CSPs they affect. The role names are abbreviated as follows:Cryptographic Officer - COUser - UR Read Access, W Write/ Delete Access, X Execute AccessThe Key/CSP is documented in section “Cryptographic Key Management” on page 38.Table 2: FIPS approved services in Command Line Interface and Web UI access modeServiceUCOKey/ CSPXXshow system statusshow FIPS mode enabled/disabledenable FIPS modeRRN/ARRWdisable FIPS modeN/AWexecute FIPS on-demand self-testsset/reset passwordexecute firmware download1execute system rebootN/AN/AN/AN/AXWXXWXexecute system shutdownN/AWXchange system timeread/modify system/network configurationread/modify firewall policies.read/modify Gateway AV configurationread/modify spamBlocker configurationread/ modify WebBlocker configurationread/modify APTBlocker configurationread/ modify VPN WXRWXR2, 3, 4, 5, 6, 7, 14, 15, 16, 17, 18,19, 20, 21, 24, 25, 29, 30, 31, 32,33, 3416, 17, 19, 2016, 17, 19, 201, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12,13, 14, 15, 16, 17, 18, 19, 20, 21,22, 23, 24, 25, 26, 27, 28, 29, 30,31, 32, 33, 34, 351, 2, 3, 4, 6, 7, 8, 9, 11, 12, 13,14, 15, 17, 18, 19, 20, 22, 23, 26,28, 29, 34, 352, 3, 16, 17, 19, 20, 2616, 17, 19, 20, 2416, 17, 19, 20, 251, 2, 3, 4, 6, 7, 8, 9, 11, 12, 13,14, 15, 17, 18, 19, 20, 22, 23, 26,28, 29, 34, 351, 2, 3, 4, 6, 7, 8, 9, 11, 12, 13,14, 15, 17, 18, 19, 20, 22, 23, 26,28, 29, 34, 3516, 17, 19, 2016, 17, 19, 2016, 17, 19, 2016, 17, 19, 2016, 17, 19, 2016, 17, 19, 2016, 17, 19, 202, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12,13, 28, 31, 3216, 17, 19, 2016, 17, 19, 20, 2716, 17, 19, 20authenticate to moduleread/modify IPS configurationread/ modify logging configurationread log dataFIPS 140-2 Non-Proprietary Security Policy for WatchGuard Technologies Inc. FireboxPage 9 of 52
manual Gateway AV/IPS signature updaterestore factory defaultN/AN/ARXW16, 17, 19, 201, 2, 3, 4, 6, 7, 8, 9, 11, 12, 13,14, 15, 17, 18, 19, 20, 22, 23, 26,28, 29, 34, 351Any f irmware loaded into this module that is not shown on the module certificate, is out of the scopeof this validation and requires a separate FIPS 140-2 validation.FIPS 140-2 Non-Proprietary Security Policy for WatchGuard Technologies Inc. FireboxPage 10 of 52
4.4 Approved AlgorithmsThe cryptographic module implements the following FIPS approved algorithms: Hardware:- Triple-DES- AES- SHS- HMACTable 3: FIPS approved algorithms for 35921,5922,59234677Triple-DES2SP 800-67TCBC192DataEncryption/DecryptionAESFIPS 197,SP 800-38ACBC128, 192,256DataEncryption/DecryptionAESFIPS 197,SP 800-38DGCM3128, 256DataEncryption/DecryptionSHSFIPS 180-44678,4679SHSFIPS 180-43901HMACFIPS MACFIPS 198-1Key sizes blocksizeHMAC-SHA-1,Key sizesHMAC-SHA-256, blockHMAC-SHA-384sizeHMAC-SHA-512Message DigestMessage DigestMessage AuthenticationMessage AuthenticationNote: The algorithms listed above are implemented by the module when operating in a FIPSapproved mode of operation. The certificates list additional modes and key sizes that are notaccessible through the cryptographic module interfaces.2The user shall not use the same Triple-DES key for more than 216 encryption operations.FIPS 140-2 Non-Proprietary Security Policy for WatchGuard Technologies Inc. FireboxPage 11 of 52
3The module generates AES GCM IV in accordance to SP 800-38D in compliance with IG A.5 scenario1.-The GCM IV generation in the TLS context is in compliance with RFC 5288 and used for the TLS1.2 protocol.The GCM IV generation in the IPsec context is in compliance with RFC 4106 and shall only beused with IPsec and IKEv2 (RFC 7296) to be compliant with IG A.5.The implementation of the 64-bit nonce explicit (TLS)/nonce (IPsec) part of the IV isdeterministic and management logic is inside the module. By the design of the module and byvirtue of the data size limit set, the maximum number possible value of 264 - 1 fornonce explicit/nonce (IPsec) part of the IV is never reached. In event that the module’s power islost and then restored, the key used for the AES GCM encryption or decryption shall be redistributed.FIPS 140-2 Non-Proprietary Security Policy for WatchGuard Technologies Inc. FireboxPage 12 of 52
Firmware:- Triple-DES- AES- SHS- HMAC- RSA- DRBG- IKEv1 KDF- IKEv2 KDF- TLS KDF- SSH KDF- SNMP KDFTable 4: FIPS approved algorithms for firmwareCAVP CertAlgorithmStandardMode/MethodKeyLengths,Curves, orModuliUse2875, 2876,2877, 2878,28795913, 5914,5918, 5919,59205913, 5914,5918, 5919,59204671, 4672,4674, 4675,4676Triple-DES4SP 800-67TCBCAESFIPS 197,SP 800-38ACBC128, 192,256DataEncryption/DecryptionAESFIPS 197,SP 800-38DGCM5128, 192,256DataEncryption/DecryptionSHSFIPS 180-43895, 3896,3898, 3899,3900HMACFIPS 512DataEncryption/DecryptionMessage DigestKey sizes blocksize,Key sizes blocksize,Key sizes blocksizeMessageAuthenticationFIPS 140-2 Non-Proprietary Security Policy for WatchGuard Technologies Inc. FireboxPage 13 of 52
1024,1536,2048,3072,40962048,3072Digital ,SHA-512ANSI X9.31PKCS v1.52048,3072,4096Digital SignatureGeneration andVerificationAES CTR based128, 192,256Deterministic RandomBit Generation3102, 3103,3104, 3105,3106RSAFIPS 186-2SHA-1ANSI X9.31PKCS v1.53102, 3103,3104, 3105,31063102, 3103,3104, 3105,3106RSAFIPS 186-4Probable Primes(B.3.3)RSAFIPS 186-42475, 2476,2478, 2479,24802144, 2145,2146, 2147,2148DRBGSP 800-90ACVLIKEv1IKEv2TLS 1.2SSHSNMPCKGSP 800135rev1Key DerivationSP 800-133Key Generation6VendorAffirmationKey GenerationNote: The algorithms listed above are implemented by the module when operating in a FIPSapproved mode of operation. The certificates list additional modes and key sizes that are notaccessible through the cryptographic module interfaces.4The user shall not use the same Triple-DES key for more than 216 encryption operations.5 The modulegenerates AES GCM IV in accordance to SP 800-38D in compliance with IG A.5 scenario1.6 Resulting symmetric keys and seeds used forasymmetric key generation are an unmodified outputfrom the approved DRBG.--The GCM IV generation in the TLS context is in compliance with RFC 5288 and used for the TLS1.2 protocol, and the module supports acceptable GCM ciphersuites form SP 800-52 Rev 1,Section 3.3.1.The GCM IV generation in the IPsec context is in compliance with RFC 4106 and shall only beused with IPsec and IKEv2 (RFC 7296) to be compliant with IG A.5. The module uses the RFCFIPS 140-2 Non-Proprietary Security Policy for WatchGuard Technologies Inc. FireboxPage 14 of 52
-7296 compliant IKEv2 to establish the shared secret SKEYSEED from which the AES GCMencryption keys are derived.The implementation of the 64-bit nonce explicit (TLS)/nonce (IPsec) part of the IV isdeterministic and management logic is inside the module. By the design of the module and byvirtue of the data size limit set, the maximum number possible value of 264 fornonce explicit/nonce (IPsec) part of the IV is never reached. In event that the module’s power islost and then restored, the key used for the AES GCM encryption or decryption shall be redistributed.The IKEv1, IKEv2, TLS, SSH, and SNMP protocols have not been tested by the CMVP or CAVP.The minimum encryption strength of symmetric keys is 112 bits and the maximum is 256 bits.4.5 Non-FIPS Approved But Allowed AlgorithmsThe cryptographic module implements the following non-FIPS approved but allowed algorithms: RSA key transport (with 2048 bit keys)- Key wrapping, key establishment methodology provides 112 bits of equivalent encryption strength Diffie Hellman (CVL Certs. #2144, #2145, #2146, #2147 and #2148, key agreement; keyestablishment methodology provides 112 or 128 bits of encryption strength)EC Diffie-Hellman (CVL Certs. #2144, #2145, #2146, #2147 and #2148, key agreement; keyestablishment methodology provides 128 or 192 bits of encryption strength)NDRNG 4.6 Non-FIPS Approved ServicesThe cryptographic module provides the following non-FIPS approved services: Mobile VPN with PPTP PPPoEBackup image to USBAuthenticate to module7Read/modify VPN configuration77When used with a non-compliant Diffie-Hellman key size.If any of these services are used, the cryptographic module is not operating in a FIPS approved mode ofoperation.4.7 Non-FIPS Approved AlgorithmsThe cryptographic module implements the following non-FIPS approved algorithms: DESMD5TKIPFIPS 140-2 Non-Proprietary Security Policy for WatchGuard Technologies Inc. FireboxPage 15 of 52
The AES algorithm is non-compliant when used in CCM mode or when invoking the non-FIPSApproved “Backup image to USB” serviceUse of HMAC-SHA-1 for MAC generation with key length 80 bits and 112, and use of HMACSHA-1 for MAC verification with key length 80 bits and 112 bitsUse of SHA-1 for digital signature generationPassword Based Key Derivation Function (for 128 bit AES key). Keys derived using a PBKDF cannot beused in a FIPS approved mode of operationDiffie Hellman- Key establishment, key agreement method is non-compliant when using key sizes with less than112 bits of equivalent encryption strength4.8 Alternating BypassThe primary cryptographic function of the module is to act as a firewall, and as a VPN device. Encryptand decrypt operations are performed on traffic based on firewall policies. The cryptographic moduleimplements an alternating bypass feature based on VPN tunnels and firewall policies. Traffic can beencrypted/decrypted or passed as plaintext, depending on the VPN tunnel and selected policy.Two actions must be taken by the Cryptographic Officer to transition between VPN bypass states. TheCryptographic Officer must first create the VPN gateway. The Cryptographic Officer must then create theVPN tunnel and tunnel route, and associate the VPN tunnel with a VPN policy.Whether VPN bypass is enabled or not can be determined by examining the list of VPN gateways andVPN tunnels.4.9 AuthenticationCryptographic Officer or User (referred to as Operator) must authenticate with a username andpassword combination to access the modules remotely or locally via the console. Remote operatorauthentication is done over HTTPS (TLS 1.2) or SSH (v2.0). The access to the module is based on firewallpolicy and authentication by IP address.For end users (including CO or U) using module functionality and invoking the SSLVPN or IPSecencrypt/decrypt services, the module supports authentication with a username/password combination.The authentication is done over HTTPS over a dedicated port and it does not allow access to the modulefor any of the administrative purposes whatsoever.The minimum password length is 8 characters when in FIPS mode. Using a strong password policy,where operator and end user passwords are at least 8 characters in length and use a mix ofalphanumeric (printable) characters from the ASCII character set, the odds of guessing a password are 1in 948 , which is far less than 1 in 1,000,000. The total password space is sufficiently large such thatexceeding a 1 in 100,000 probability of correctly guessing the password in one minute would requireapproximately 6.1 x 1010 attempts per minute, which is beyond the operational capability of the module.For end users invoking the IPSec encrypt/decrypt services, the module acts on behalf of the end userand negotiates a VPN connection with a remote module. The strength of authentication for IPSecservices is based on the authentication method defined in the specific firewall policy: IKE pre-shared keyor IKE RSA key (RSA certificate). The odds of guessing the authentication key for each IPSec method is:FIPS 140-2 Non-Proprietary Security Policy for WatchGuard Technologies Inc. FireboxPage 16 of 52
1 in 948 for the IKE preshared key (based on an 8 character, ASCII printable key)1 in 2112 for the IKE RSA key (based on a 2048 bit RSA key size, which is equivalent to 112 bits ofsecurity)Therefore the minimum odds of guessing the authentication key for IPSec is 1 in 948 based on the IKEpreshared key, or 1 in 2112 based on the IKE RSA key, which is far less than 1 in 1,000,000. The key size issufficiently large such that exceeding a 1 in 100,000 probability of correctly guessing the key in oneminute would require approximately 6.1 x 1010 attempts per minute (for preshared key) or 5.2 x 1028attempts per minute (for RSA key) , which is beyond the operational capability of the module.FIPS 140-2 Non-Proprietary Security Policy for WatchGuard Technologies Inc. FireboxPage 17 of 52
5 InterfacesPhysical ports and interfaces on the Firebox module can be categorized into the following logical interfaces:- Data Input- Data Output- Control Input- Status OutputAll of the physical ports and interfaces are separated into the FIPS 140-2 logical interfaces, as described in the following tables. The logicalinterfaces may share a physical port. The firmware in the Firebox module separates and routes data to the appropriate internal firmware taskassociated with a logical interface based on port number, session, and/or command context.FIPS 140-2 Non-Proprietary Security Policy for WatchGuard Technologies Inc. FireboxPage 18 of 52
5.1 Firebox M270Figure 2: M270 Front ViewFIPS 140-2 Non-Proprietary Security Policy for WatchGuard Technologies Inc. FireboxPage 19 of 52
Table 5: Front Panel AccessPORT NAME/TYPENumber DescriptionRJ45 EthernetInterfaces with linklights8Configurable ports can be data input or data outputfor External, LAN, or Optional. Link lights showconnection speed and activity. RJ45 Console Interface1Serial port for CLI access. USB Interfaces2Used for backup, or to store a support snapshot.Power LED1Lit green when the module is powered on. Arm/Disarm LED1This light is red after power-on or reboot. It turnsgreen after successful module initialization. Storage LED1Lit yellow when there is activity on the mSATA card. Reset Button1Used to reset the module. Power Button1Controls power supplied to device. FIPS 140-2 Non-Proprietary Security Policy for WatchGuard Technologies Inc. FireboxDataInputDataOutputControlInputStatusOutput Page 20 of 52
Figure 3: M270 Rear ViewTable 6: Rear Panel AccessPORT NAME/TYPENumber DescriptionPower Interface1Auto-sensing AC power supply.Power Switch1Controls power supplied to device.FIPS 140-2 Non-Proprietary Security Policy for WatchGuard Technologies Inc. FireboxDataInputDataOutputControlInput Page 21 of 52StatusOutput
5.2 Firebox M370Figure 4: M370 Front ViewFIPS 140-2 Non-Proprietary Security Policy for WatchGuard Technologies Inc. FireboxPage 22 of 52
Table 7: Front Panel AccessPORT NAME/TYPENumber DescriptionRJ45 EthernetInterfaces with linklights8Configurable ports can be data input or data outputfor External, LAN, or Optional. Link lights showconnection speed and activity. RJ45 Console Interface1Serial port for CLI access. USB Interfaces2Used for backup, or to store a support snapshot.Power LED1Lit green when the module is powered on. Arm/Disarm LED1This light is red after power-on or reboot. It turnsgreen after successful module initialization. Storage LED1Lit yellow when there is activity on the mSATA card. Reset Button1Used to reset the module. Power Button1Controls power su
antispam protection and content filtering in conjunction with existing firewall, VPN, and related devices, or as complete network protection systems. The Firebox module supports the IPSec industry standard for VPN, allowing VPNs to be configured between a Firebox module and any client or gateway/firewall that supports IPSec VPN. The Firebox
