Infoblox Trinzic Virtual DDI Appliance - NIST


Infoblox Trinzic Virtual DDI Appliance
FIPS 140-2 Non-Proprietary Security Policy
Security Level 1 Validation
Version 1.02
October 2019

Table of Contents

1. Overview ... 4
2. Introduction ... 4
3. Cryptographic Module Specification ... 4
   3.1 Security Level Summary ... 4
   3.2 Cryptographic Boundary ... 4
   3.3 Block Diagram ... 5
   3.4 Secure Initialization ... 5
   3.5 Approved Algorithms ... 6
   3.6 Allowed Algorithms ... 7
   3.7 Non-Approved Algorithms Table ... 7
4. Cryptographic Module Ports and Interfaces ... 8
   4.1 Logical and Physical Interfaces ... 8
5. Roles, Services, and Authentication ... 8
   5.1 Roles ... 9
   5.2 Services ... 9
       5.2.1 Crypto-Officer Services ... 9
       5.2.2 User Services ... 16
       5.2.3 Unauthenticated Services ... 19
       5.2.4 Non-Approved Services ... 20
   5.3 Authentication ... 21
6. Physical Security ... 22
7. Operational Environment ... 22
8. Cryptographic Key Management ... 23
9. EMI / EMC ... 29
10. Self-Tests ... 29
   10.1 Power-on Self-Tests ... 29
   10.2 Conditional Self-Tests ... 29
   10.3 Critical Functions Tests ... 29
A. Appendices ... 30

Table of Figures

Figure 1 Security Level Summary ... 4
Figure 2 Block Diagram ... 5

Table of Tables

Table 1 Approved Algorithms ... 7
Table 2 Allowed Algorithms ... 7
Table 3 Non-Approved Algorithms ... 8
Table 4 Logical and Physical Interfaces ... 8
Table 5 Crypto-Officer Services ... 16
Table 6 User Services ... 19
Table 7 Unauthenticated Services ... 20
Table 8 Non-approved Services ... 21
Table 9 Cryptographic Keys and CSPs ... 29

Infoblox Trinzic Virtual DDI Appliance FIPS 140-2 Non-Proprietary Security Policy

1. Overview

This document is a non-proprietary FIPS 140-2 Security Policy for Infoblox’s Trinzic Virtual DDI Appliance. This policy describes how the Infoblox Trinzic Virtual DDI Appliance (hereafter referred to as the “module”) meets the requirements of FIPS 140-2. This document also describes how to configure the module into the FIPS 140-2 Approved mode. This document was prepared as part of a FIPS 140-2 Security Level 1 validation.

The Federal Information Processing Standards Publication 140-2 - Security Requirements for Cryptographic Modules (FIPS 140-2) details the United States Federal Government requirements for cryptographic modules. Detailed information about the FIPS 140-2 standard and validation program is available on the NIST (National Institute of Standards and Technology) website TM/cmvp/index.html.

2. Introduction

Infoblox Trinzic Virtual DDI Appliances enable customers to deploy large, robust, manageable and cost-effective Infoblox Grids. This next-generation solution enables distributed delivery of core network services—including DNS, DHCP, IPAM, TFTP, and FTP—with the nonstop availability and real-time service management required for today’s 24x7 advanced IP networks and applications. The Infoblox Trinzic Virtual DDI Appliance is being validated as a multi-chip standalone cryptographic module at FIPS 140-2 overall Security Level 1.

3. Cryptographic Module Specification

3.1 Security Level Summary

The security level claimed for each section of the FIPS 140-2 standard is given in Figure 1 (Security Level Summary). The sections listed are: Cryptographic Module Specification; Cryptographic Module Ports and Interfaces; Roles, Services, and Authentication; Finite State Model; Physical Security; Operational Environment; Cryptographic Key Management; EMI/EMC; Self-Tests; Design Assurance; Mitigation of Other Attacks; and Overall. The overall security level is 1.

3.2 Cryptographic Boundary

The cryptographic boundary for the Trinzic Virtual DDI Appliance is the edge (front, back, left, right, top, and bottom surfaces) of the physical enclosure of the physical appliance that the Trinzic Virtual DDI Appliance is running on.

3.3 Block Diagram

Figure 2 Block Diagram

3.4 Secure Initialization

The following steps should be followed to initialize the module into the FIPS Approved mode of operation:

- The module’s host must be run on a production grade platform (e.g. a commercially made server or general purpose computer).
- The Trinzic Virtual DDI Appliance must be running NIOS version 8.2.6 with Hotfix-NIOS 8.2.6371069 J67303 FIPS 4-142018.bin2 and optionally Hotfix-NIOS 8.2.6 -06-16-41-2019.bin2.
- FIPS mode must be enabled in the NIOS CLI via the command ‘set fips mode’.
- The password policy must be set such that the Minimum Password Length is at least 6 characters. This can be accomplished via the procedures outlined in the Infoblox NIOS Administrator Guide, section “Managing Passwords”.
- The BloxTools feature must not be enabled when operating in the FIPS Approved mode.
- The Support Access feature must not be enabled when operating in the FIPS Approved mode.
- RADIUS Authentication must not be used.
- TACACS Authentication must not be used.
- Cisco ISE Integration must not be used.
- Microsoft Server Integration must not be used.
- SNMPv1/v2 must not be used.
- Keys/CSPs generated in FIPS mode cannot be used in non-FIPS mode and vice-versa.

Failure to follow the above procedures will result in the module operating in a non-approved mode.

3.5 Approved Algorithms

The module supports the following approved algorithms for use in the approved mode. Although the module’s cryptographic implementation supports more options than listed below, only those listed are usable by the module.

Table 1 Approved Algorithms (CAVP Cert; Algorithm; Standard; Mode/Method; Key Lengths, Curves or Moduli; Use)

AES [1] (Cert. #4805)
  Standard: FIPS 197
  Mode/Method: CBC, CBC-CS3 (vendor affirmed), CFB128
  Key Lengths: 128, 256
  Use: Data Encryption / Decryption

CKG (Vendor Affirmed)
  Standard: SP 800-133
  Mode/Method: Section 5
  Use: Key Generation

CVL (ECC CDH, KAS ECC, KAS FFC) (Cert. #1437)
  Standard: SP 800-56A Rev3
  Curves or Moduli: ECC: P-256, P-384, P-521; FFC: 2048
  Use: Key Agreement

CVL (TLS 1.0/1.1/1.2, SSH, SNMP) [2] (Cert. #1438)
  Standard: SP 800-135 Rev1
  Mode/Method: TLS 1.2: SHA-256, SHA-384; SSH: SHA-1, SHA-256, SHA-384, SHA-512
  Use: Key Derivation

DRBG (Cert. #1671)
  Standard: SP 800-90A
  Mode/Method: HMAC-SHA-256
  Use: Deterministic Random Bit Generation

DSA (Cert. #1295)
  Standard: FIPS 186-4
  Moduli: 2048
  Use: FFC Key Generation [3]

ECDSA (Cert. #1213)
  Standard: FIPS 186-4
  Curves: P-256, P-384, P-521 (w/ SHA-224, SHA-256, SHA-384, or SHA-512)
  Use: ECC Key Generation [4], Signature Generation and Verification

HMAC (Cert. #3215)
  Standard: FIPS 198-1
  Mode/Method: HMAC-SHA-1 …

KTS (Certs. #4805 (AES) and #3215 (HMAC))
  Standard: SP 800-38F
  Key Lengths: AES: 128, 256; HMAC: 160 …

RSA (Cert. #2633)
  Standard: FIPS 186-4
  Mode/Method: X9.31, PKCS1 V1.5, PSS
  Moduli: 2048, 3072, 4096 (w/ SHA-224, SHA-256, SHA-384, or SHA-512)

SHS (Cert. #3953)
  Standard: FIPS …
  Use: Message Digest

[1] The module supports the use of AES-NI hardware acceleration if available.
[2] No parts of the TLS, SSH, SNMP protocols other than the KDF have been reviewed or tested by the CAVP and CMVP.
[3] The FFC keys used for Diffie-Hellman are generated according to FIPS 186-4. The module does not support the generation of DSA keys with approved key sizes.
[4] The ECC keys used for EC-Diffie-Hellman are generated according to FIPS 186-4.

3.6 Allowed Algorithms

The following algorithms are non-approved but allowed for use in the approved mode.

Table 2 Allowed Algorithms (Algorithm; Caveat; Use)

Diffie-Hellman
  Caveat: CVL Certs. #1437 and #1438, Key Agreement, key establishment methodology provides 112 bits of encryption strength
  Use: Key Agreement

Elliptic-Curve Diffie-Hellman
  Caveat: CVL Certs. #1437 and #1438, Key Agreement, key establishment methodology provides between 128 and 256 bits of encryption strength
  Use: Key Agreement

HMAC-MD5
  Caveat: Only allowed for use with TLS protocol.
  Use: TLS 1.0, Internals (i.e. objects comparison), HMAC for cookie.

MD5
  Caveat: Only allowed for use with TLS protocol.
  Use: TLS 1.0, Internals (i.e. objects comparison), HMAC for cookie.

NDRNG
  Caveat: This implementation satisfies scenario 1(b) of IG 7.14. The module obtains a minimum of 339 bits of entropy before generating keys.
  Use: Seeding the DRBG

RSA
  Caveat: Key Wrapping, key establishment methodology provides between 112 and 150 bits of encryption strength
  Use: Key Wrapping

3.7 Non-Approved Algorithms Table

The following algorithms are non-approved for use in the approved mode.

Table 3 Non-Approved Algorithms (Algorithm; Caveat; Use)

- DES: Encryption/Decryption
- Diffie-Hellman: Non-compliant when used with key sizes less than 2048 bits in length; Key Agreement
- DSA: Key Generation, Signature Generation, Signature Verification
- HMAC-MD5: Keyed Hash
- MD5: Message Digest
- RSA: Non-compliant when used with key sizes less than 2048 bits in length; Key Wrapping

4. Cryptographic Module Ports and Interfaces

4.1 Logical and Physical Interfaces

The module’s interfaces can be categorized under the following FIPS 140-2 logical interfaces:

- Data Input
- Data Output
- Control Input
- Status Output

The following table provides a mapping of the module’s interfaces to the FIPS 140-2 defined interface categories.

Table 4 Logical and Physical Interfaces (FIPS 140-2 Logical Interface(s); Physical Interface; DDI Appliance Interface)

- Data Input, Data Output, Control Input, Status Output; Host Network Interfaces; Virtual Ethernet Ports
- Data Input, Data Output, Control Input, Status Output; Host Network Interfaces; Virtual Console
- Power Input; Host Power Supply; N/A

5. Roles, Services, and Authentication

5.1 Roles

The Infoblox Trinzic Virtual DDI Appliance defines user permissions based on roles. Roles are assigned to user groups. Custom roles can be created to restrict access to particular services.

FIPS Role: Crypto-Officer
  Trinzic Role: Superuser
    The Superuser role has full access to all resources on the appliance. Superusers can create limited-access admin groups and grant them specific permissions for Crypto-Officer services.
  Trinzic Role: Limited-Access Admin
    An admin belonging to a limited-access group which has been granted permissions to Crypto-Officer services.
  Trinzic Role: Grid Member
    A Trinzic appliance that is a member of a NIOS grid and managed by a Grid Master.

FIPS Role: User
  Trinzic Role: Limited-Access User
    An admin belonging to a limited-access group which has only been granted read permissions to Grid Manager services.

5.2 Services

Listed below are the services for each of the module’s roles that are approved for use in the FIPS approved mode.

5.2.1 Crypto-Officer Services

Table 5 Crypto-Officer Services (Name; Description; Inputs; Outputs; Key/CSP Access)

Infoblox Console
  Description: Access NIOS CLI via virtual console …
  Outputs: Status of commands and configuration data
  Key/CSP Access: Superuser/Admin Password (read)

Infoblox Remote Console
  Description: Access NIOS CLI via SSH to manage appliance.
  Inputs: SSH inputs, commands, and data
  Outputs: SSH outputs, commands, and data
  Key/CSP Access: Superuser/Admin Password (read); SSHv2 private key (read); SSHv2 public key (read); SSHv2 Diffie-Hellman Private Key (read/write/delete); SSHv2 Diffie-Hellman Public Key (read/write/delete); SSHv2 Elliptic-Curve Diffie-Hellman Private Key (read/write/delete); SSHv2 Elliptic-Curve Diffie-Hellman Public Key (read/write/delete); SSHv2 Encryption Key (read/write/delete); SSHv2 Authentication Key (read/write/delete)

Infoblox Grid Manager
  Description: Access NIOS web interface to manage appliance.
  Inputs: TLS inputs, commands, and data
  Outputs: TLS outputs, commands, and data
  Key/CSP Access: X.509 HTTPS Certificate (read); TLS pre-master secret (read/write/delete); TLS master secret (read/write/delete); TLS encryption key (read/write/delete); TLS authentication key (read/write/delete); Superuser/Admin Password (read); X.509 User Certificate (read); X.509 CA Certificate (read)

Show Status
  Description: View currently logged in user in Grid Manager.
  Inputs: N/A
  Outputs: Status and data
  Key/CSP Access: None

Configure Dashboards
  Description: Home page in Grid Manager providing quick access to task, grid and network status.
  Inputs: Commands and configuration data
  Outputs: Status of commands and configuration data
  Key/CSP Access: None

Configure Smart Folders
  Description: Organize core networking service data in Grid Manager.
  Inputs: Commands and configuration data
  Outputs: Status of commands and configuration data
  Key/CSP Access: None

Manage Licenses
  Description: Manage appliance licenses from CLI or Grid Manager.
  Inputs: Commands and configuration data
  Outputs: Status of commands and configuration data

…
  Description: …ng up users, groups, roles, and permissions from Grid Manager.
  Inputs: Commands and configuration data
  Outputs: Status of commands and configuration data
  Key/CSP Access: Superuser/Admin/User Password (write/delete)

Manage Remote Authentication Services
  Description: Configure remote authentication services for Active Directory, LDAPS, or Certificate Authentication from Grid Manager.
  Inputs: Commands and configuration data
  Outputs: Status of commands and configuration data
  Key/CSP Access: LDAPS Bind User Password (write/delete); X.509 CA Certificate (read/write/delete)

Deploy Grid
  Description: Creating and managing Grid master and members via Grid Manager and CLI.
  Inputs: OpenVPN inputs, commands, and data
  Outputs: OpenVPN outputs, commands, and data
  Key/CSP Access: Grid Shared Secret (read/write/delete); OpenVPN TLS Public Key (read); TLS pre-master secret (read/write/delete); TLS master secret (write/delete); TLS encryption key (write/delete); TLS authentication key (write/delete); OpenVPN pre-master secret (read/write/delete); OpenVPN master secret (write/delete); OpenVPN encryption key (write/delete); OpenVPN authentication key (write/delete)

Deploy Independent Appliances
  Description: Deploy Infoblox appliance as a standalone via Grid Manager and CLI.
  Inputs: Commands and configuration data
  Outputs: Status of commands and configuration data
  Key/CSP Access: Superuser/Admin Password (write/delete)

Deploy Cloud Network Automation
  Description: Configuring Cloud platform appliances to provide DNS and DHCP service in the cloud from Grid Manager.
  Inputs: Commands and configuration data
  Outputs: Status of commands and configuration data

…ackups
  Description: Configure Syslog to backup over FTP or SCP in Grid Manager.
  Inputs: Commands and configuration data
  Outputs: Status of commands and configuration data

Capture and Export Network Traffic
  Description: Capture network traffic on appliance interfaces and export capture file via SCP or TLS.
  Inputs: Commands and configuration data
  Outputs: Status of commands and configuration data

Key/CSP Access listed against the three services above, in the order given: TLS pre-master secret (read/write/delete); TLS master secret (read/write/delete); TLS encryption key (read/write/delete); TLS authentication key (read/write/delete); SSHv2 Diffie-Hellman Private Key (read/write/delete); SSHv2 Diffie-Hellman Public Key (read/write/delete); SSHv2 Elliptic-Curve Diffie-Hellman Private Key (read/write/delete); SSHv2 Elliptic-Curve Diffie-Hellman Public Key (read/write/delete); SSHv2 Encryption Key (read/write/delete); SSHv2 Authentication Key (read/write/delete); and the same SSHv2 Diffie-Hellman, Elliptic-Curve Diffie-Hellman, Encryption and Authentication Keys (read/write/delete) a second time.

Manage NTP
  Description: Manage network time protocol service in Grid Manager.
  Inputs: Commands and configuration data
  Outputs: Status of commands and configuration data
  Key/CSP Access: None

Manage Captive Portal
  Description: Manage network captive portal in Grid Manager.
  Inputs: Commands and configuration data
  Outputs: Status of commands and configuration data
  Key/CSP Access: None

Manage IPAM
  Description: Managing IP address management services in Grid Manager.
  Inputs: Commands and configuration data
  Outputs: Status of commands and configuration data
  Key/CSP Access: None

Manage File Distribution Service
  Description: Managing transfer of files through TFTP, FTP and HTTP in Grid Manager.
  Inputs: Commands and configuration data
  Outputs: Status of commands and configuration data

…ware and Configuration Files
  Description: Performing software upgrades and downgrades in Grid Manager.
  Inputs: Commands and configuration data
  Outputs: Status of commands and configuration data
  Key/CSP Access: …e Load Test Public Key (read). (New firmware versions within the scope of this validation must be validated through the FIPS 140-2 CMVP. Any other firmware loaded into this module is out of the scope of this validation and requires a separate FIPS 140-2 validation.)

Configure …
  Description: …stries in Grid Manager.
  Inputs: Commands and configuration data
  Outputs: Status of commands and configuration data

Configure IP Address Management
  Description: Managing network and IP addresses in Grid Manager and CLI.
  Inputs: Commands and configuration data
  Outputs: Status of commands and configuration data
  Key/CSP Access: None

Configure IP Discovery and vDiscovery
  Description: IP discovery for detecting and obtaining information about active hosts in predefined networks in Grid Manager.
  Inputs: Commands and configuration data
  Outputs: Status of commands and configuration data

…x Network Insight
  Description: Configure united network discovery for geographically dispersed networks in Grid Manager.
  Inputs: Commands and configuration data
  Outputs: Status of commands and configuration data

…
  Description: …iguring DNS services in Grid Manager.
  Inputs: Commands and configuration data
  Outputs: Status of commands and configuration data

…
  Description: …onfigure DNSSEC services in Grid Manager.
  Inputs: Commands and configuration data
  Outputs: Status of commands and configuration data
  Key/CSP Access: DNSSEC KSK Private Key (write/delete); DNSSEC KSK Public Key (read/write/delete); DNSSEC ZSK Private Key (write/delete); DNSSEC ZSK Public Key (read/write/delete)

Configure DHCP
  Description: Configuring DHCP services in Grid Manager.
  Inputs: Commands and configuration data
  Outputs: Status of commands and configuration data

…icated DHCP
  Description: Configure DHCP to authenticate users using configured Remote Authentication servers in Grid Manager.
  Inputs: Commands and configuration data
  Outputs: Status of commands and configuration data
  Key/CSP Access: None

…
  Description: …te of appliance, service, database capacity, and ports in Grid Manager.
  Inputs: Commands and configuration data
  Outputs: Status of commands and configuration data

…gerprint Detection
  Description: DHCP fingerprint detection to identify IPv4 and IPv6 devices in Grid Manager.
  Inputs: Commands and configuration data
  Outputs: Status of commands and configuration data

…
  Description: …onfigure SNMPv3 in Grid Manager.
  Inputs: Commands and configuration data
  Outputs: Status of commands and configuration data

Configure Infoblox Reporting and Analytics
  Description: Configure automated collection, analysis and presentation of core networking data in Grid Manager.
  Inputs: Commands and configuration data
  Outputs: Status of commands and configuration data

…x Advanced DNS Protection
  Description: Configure threat protection rules to detect, report and stop DoS, DDoS and other network attacks targeting DNS in Grid Manage
