

Page 1: Federal Information Processing Standard (FIPS) 140-2 · 2015. 10. 29. · AVIAT NETWORKS GETTING FIPS 140-2 VALIDATED • Testing performed by 1 of 21 NVLAP accredited labs around

Federal Information Processing Standard (FIPS) 140-2 What is it? Why should you care?

Page 2:

AVIAT NETWORKS

SECURITY IS BECOMING A GROWING CONCERN

• The migration from TDM to IP communication networks has drastically increased security risks

• The growing volume, variety and intrinsic value of the traffic makes it far more attractive to attackers

• New technologies offer attackers an ever-growing number of access points

Page 3:

AN UNSECURED MICROWAVE NETWORK CAN RESULT IN

• Lost data (your customer’s and/or your organization’s)

• Communications downtime

• Downtime of critical infrastructure

Page 4:

MICROWAVE REQUIRES MULTI-DIMENSIONAL SECURITY STRATEGY

[Diagram: threat surfaces of a microwave link. Labels recovered from the slide: Eavesdropping (Overhead, Payload); RF site security / Local access (Hacker; New employee or contractor; Crypto-officer: troubleshooting, investigation); Remote access (AAA Server; NOC).]

Page 5:

FIPS Overview

Page 6:

VIDEO

Page 7:

FIPS 197: ADVANCED ENCRYPTION STANDARD (AES)

• THE approved symmetric encryption standard for federal government networks

• If a federal agency requires data encryption, it must use a FIPS-approved algorithm; for symmetric encryption that means AES as specified in FIPS 197

• Advanced Encryption Standard (AES) specifies the algorithm for encrypting and decrypting information

• Uses keys of 128, 192 or 256 bits

Page 8:

FIPS 140-2: SECURITY REQ FOR CRYPTOGRAPHIC MODULES

• Security standard for the cryptographic modules that protect IT systems carrying sensitive but unclassified information

• Validates both hardware and software

• References FIPS 197: AES is one of the approved algorithms a validated module may implement, and the implementation is algorithm-tested (CAVP) as part of validation

• 4 levels (1-4) of increasing physical security and authentication requirements

• Covers not only the encryption itself but also secure management and access (roles, authentication, key management, self-tests)

Page 9:

FIPS 140-2 LEVELS

• FIPS validation can be obtained for a chip, a group of chips, a card or a terminal, and covers all hardware and software inside the declared cryptographic boundary

• Validation can be done at 4 different levels (1-4)

• Level 1: WEAK. Lowest level; only production-grade components are required and no operator authentication at all is mandated, so nothing in the validation stops a module from letting anyone with a shared common password turn security off

• Level 2: STRONG. Mandates at least role-based operator authentication and tamper evidence (tamper-evident seals or pick-resistant locks on removable covers), etc.

• Level 3 and 4: VERY STRONG. Identity-based operator authentication, tamper detection and response (e.g. zeroizing keys when a cover or door is opened), and at Level 4 a complete protective envelope plus environmental failure protection. Adds large cost and complexity to the product

Security is a balance between level of protection and cost. FIPS 140-2 Level 2 is the sweet spot for networking equipment

Page 10:

HOW DOES FIPS 140-2 MAKE NETWORKS MORE SECURE?

•  Independent validation by an accredited lab

• Assurance that the approved algorithms are implemented correctly (CAVP known-answer testing) and fed by an approved random source • Example: the lab checks the code submitted by the manufacturer. glibc’s general-purpose random number generator (rand()) is fine for general use but is not a cryptographic RNG, so keys must come from an approved DRBG rather than from it

• Assurance that the module around the algorithms was properly implemented (self-tests, key management, interfaces) • Example: Heartbleed, the OpenSSL heartbeat vulnerability (CVE-2014-0160). That version of OpenSSL was cryptographically sound, but a missing bounds check in the heartbeat handler leaked process memory, including private keys. Caveat: the bug lived in OpenSSL’s TLS code, outside the validated FIPS Object Module’s cryptographic boundary, so the validated module itself was not affected; validation only vouches for what is inside the boundary

FIPS 140-2 Ensures Strong Security Features Exist, Work and Are Implemented Properly
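As an added example (not from the Aviat deck and not Aviat or OpenSSL code), the two defect classes the slide names, in miniature: key material drawn from glibc’s rand(), and a Heartbleed-style record handler that trusts a length field in the message rather than the number of bytes actually received. The record layout, the function names, the buffer contents and the embedded “secret” are constructed for illustration; a real TLS heartbeat message and a real module’s DRBG differ in detail. /dev/urandom stands in for the approved DRBG a validated module would use.

```c
/* Added example, not from the Aviat deck: two implementation defects that
 * FIPS 140-2 testing targets, side by side with their fixes.
 *  (1) Key bytes from glibc rand(): a general-purpose PRNG, so the same seed
 *      always yields the same key.
 *  (2) A heartbeat-style handler that believes the length field in the record
 *      and never checks it against the bytes received, echoing adjacent memory.
 * Record layout, names and the "secret" below are constructed for this demo. */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define KEY_LEN 16
#define HDR_LEN 3   /* record = [type:1][payload_len:2, big-endian][payload] */

/* Defect 1: "random" key bytes from rand(). Deterministic given the seed. */
void weak_key(unsigned seed, uint8_t key[KEY_LEN]) {
    srand(seed);
    for (int i = 0; i < KEY_LEN; i++)
        key[i] = (uint8_t)(rand() & 0xff);
}

/* Fix 1: draw from the kernel CSPRNG. A validated module would call its
 * approved DRBG (SP 800-90A) instead; /dev/urandom stands in for it here.
 * Returns 0 on success, -1 on failure. */
int strong_key(uint8_t key[KEY_LEN]) {
    FILE *f = fopen("/dev/urandom", "rb");
    if (!f) return -1;
    size_t n = fread(key, 1, KEY_LEN, f);
    fclose(f);
    return n == KEY_LEN ? 0 : -1;
}

/* Defect 2: the handler trusts payload_len and ignores rec_len, so memcpy
 * reads past the end of the record. Returns the number of bytes echoed. */
size_t heartbeat_reply_vulnerable(const uint8_t *rec, size_t rec_len,
                                  uint8_t *out, size_t out_cap) {
    (void)rec_len;                                   /* the bug: never used */
    size_t claimed = ((size_t)rec[1] << 8) | rec[2];
    if (claimed > out_cap) claimed = out_cap;
    memcpy(out, rec + HDR_LEN, claimed);
    return claimed;
}

/* Fix 2: the missing bounds check. The declared payload must fit inside the
 * bytes actually received, otherwise the record is dropped (returns 0). */
size_t heartbeat_reply_fixed(const uint8_t *rec, size_t rec_len,
                             uint8_t *out, size_t out_cap) {
    if (rec_len < HDR_LEN) return 0;
    size_t claimed = ((size_t)rec[1] << 8) | rec[2];
    if (claimed > rec_len - HDR_LEN || claimed > out_cap) return 0;
    memcpy(out, rec + HDR_LEN, claimed);
    return claimed;
}

/* ---- constructed demonstration ------------------------------------- */

/* Two rand()-derived keys from the same seed are identical: returns 1 if so. */
int weak_key_is_reproducible(void) {
    uint8_t a[KEY_LEN], b[KEY_LEN];
    weak_key(0x2015u, a);
    weak_key(0x2015u, b);
    return memcmp(a, b, KEY_LEN) == 0;
}

/* Two CSPRNG draws differ (collision probability 2^-128): returns 1 if so. */
int strong_keys_differ(void) {
    uint8_t a[KEY_LEN], b[KEY_LEN];
    if (strong_key(a) != 0 || strong_key(b) != 0) return 0;
    return memcmp(a, b, KEY_LEN) != 0;
}

/* A 7-byte record carrying "ping" but claiming 28 bytes of payload, followed
 * in the same buffer by a 24-byte "secret" (so the over-read stays inside
 * memory we own). Returns 1 if the reply contains the secret. */
static const char SECRET[] = "AES-KEY-SHOULD-NOT-LEAK";   /* 23 chars + NUL */

int secret_leaks(int use_fixed) {
    uint8_t arena[64] = {0}, out[64] = {0};
    const size_t rec_len = HDR_LEN + 4;
    arena[0] = 0x01; arena[1] = 0x00; arena[2] = 28;   /* 4 real + 24 stolen */
    memcpy(arena + HDR_LEN, "ping", 4);
    memcpy(arena + rec_len, SECRET, sizeof SECRET);
    size_t n = use_fixed
        ? heartbeat_reply_fixed(arena, rec_len, out, sizeof out)
        : heartbeat_reply_vulnerable(arena, rec_len, out, sizeof out);
    return n >= 4 + sizeof SECRET - 1
        && memcmp(out + 4, SECRET, sizeof SECRET - 1) == 0;
}

int main(void) {
    printf("rand() key reproducible from seed : %d\n", weak_key_is_reproducible());
    printf("CSPRNG keys differ                : %d\n", strong_keys_differ());
    printf("vulnerable handler leaks secret   : %d\n", secret_leaks(0));
    printf("fixed handler leaks secret        : %d\n", secret_leaks(1));
    return 0;
}
```

The point for anyone reading a validation certificate: CAVP answer-testing would catch a broken AES, but neither defect here is in the AES code. The key-generation bug is caught by the module’s key-management and RNG requirements (keys must come from an approved DRBG); the missing bounds check is caught only if the handler sits inside the validated cryptographic boundary, which for Heartbleed it did not.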

Page 11:

KEY MICROWAVE SECURITY FEATURES

Should include three complementary security feature sets:

§ Secure Management Secure access & control over unsecured networks; protects against hacking, accidental or intentional misconfiguration and other network-impacting actions

§ Payload Encryption Secures all payload and network-management data on the air link; prevents eavesdropping and replay attacks, for example

§  Integrated RADIUS capability Enables centralized access control and remote AAA; centralizes management of Eclipse user accounts

Page 12:

WHAT’S REQUIRED FROM MICROWAVE VENDORS

• Advanced security functionality (Strong Security Suite)

• Proven to work and to be implemented properly (FIPS 140-2)

Page 13:

ECLIPSE FIPS 140-2 VALIDATION

SECURITY REQUIREMENTS SECTION                 FIPS 140-2 LEVEL
Cryptographic Module Specification            3
Module Ports and Interfaces                   2
Roles, Services and Authentication            2
Finite State Model                            2
Physical Security                             2
Operational Environment                       N/A
Cryptographic Key Management                  2
EMI/EMC                                       2
Self-Tests                                    2
Design Assurance                              3
Mitigation of Other Attacks                   N/A

AVIAT HAS ACHIEVED LEVEL 3 IN 2 CRITERIA

THE MINIMUM LEVEL ACHIEVED ACROSS THE APPLICABLE SECTIONS DETERMINES THE OVERALL VALIDATION LEVEL (HENCE LEVEL 2 OVERALL)

Page 14:

WHAT DOES AVIAT FIPS 140-2 LEVEL 2 VALIDATION COVER

• The entire signal processing unit (INU) • Includes chassis RACs, DACs, NCC, NPC, 2U chassis, and additional cards such as AUX, 2U Fan, NCM and PCC

• All RF units • All RF units connectable to the INU are automatically covered • IRU 600, ODU 600, WTM 3xxx

• Secure Management, Payload Encryption, and RADIUS

In Short… It Covers Everything

Bill of Materials

1. Software Feature License
2. Firmware upload (07.07.10) for NCC
3. NCC EXN-004 card
4. RAC card
5. Eclipse INUe chassis with standard cards

Page 15:

THE INDUSTRY’S MOST SECURE MICROWAVE RADIO… IS NOW THE ONLY CARRIER GRADE RADIO WITH FIPS 140-2 LEVEL 2 VALIDATION

Page 16:

WWW.AVIATNETWORKS.COM

Page 17:

WHERE IS FIPS 140-2 NEEDED?

• Mandatory for the federal government (wherever information must be cryptographically protected)

• Critical for any organization wanting the highest level of network security

Page 18:

FIPS 140-2: SECURITY REQ FOR CRYPTOGRAPHIC MODULES

• Specifies 11 areas related to the secure design and implementation of a cryptographic module:

• Cryptographic module specification
• Cryptographic module ports and interfaces
• Roles, services, and authentication
• Finite state model
• Physical security
• Operational environment
• Cryptographic key management
• Electromagnetic interference/electromagnetic compatibility (EMI/EMC)
• Self-tests
• Design assurance
• Mitigation of other attacks

Page 19:

WHAT IS FIPS?

• Federal Information Processing Standards

• Published by NIST (National Institute of Standards and Technology)

• 2 main validation programs run by NIST against these standards • CAVP: Cryptographic Algorithm Validation Program (tests algorithm implementations, e.g. AES per FIPS 197)

• CMVP: Cryptographic Module Validation Program (validates whole modules against FIPS 140-2)

Publicly announced standards developed by the United States federal government. The strictest security standards on the market today!

Page 20:

GETTING FIPS 140-2 VALIDATED

• Testing performed by 1 of 21 NVLAP-accredited labs around the world (13 US labs, at the time of this deck)

• Lab issues test report to CMVP (NIST)

• CMVP (NIST) evaluates report, asks questions

• Lab and manufacturer provide additional information as required

• CMVP (NIST) issues the validation certificate:

• Validation lists at http://csrc.nist.gov/groups/STM/cmvp/validation.html#01

• Similarly for CAVP (FIPS 197): http://csrc.nist.gov/groups/STM/cavp/validation.html

Page 21:

Aviat Strong Security Overview

Page 22:

Aviat has Achieved FIPS 140-2 Level 2 Validation (whose algorithm testing covers FIPS 197 AES)

Page 23:

FIPS VALIDATION FOR ECLIPSE PLATFORM

Page 24:

MICROWAVE VENDOR SECURITY LANDSCAPE

Vendors compared (columns): Aviat, ALU, Exalt, NEC, Dragonwave, Cambium, Ceragon, Huawei, SIAE, Ericsson. The per-vendor check marks did not survive extraction; only the feature rows are recoverable.

Access Control
• Configurable user privileges
• Multi-factor support
• RADIUS client
• Authentication to backup RADIUS server
• Local caching of user accounts
• Strong password enforcement
• Mechanized attack prevention
• Pre-login and post-login banners

Secure Management
• FIPS 140-2 (cell notes in the original: “Level 1 Only”, “TDD Radio Only”)
• ACL for craft tool and NMS/RADIUS/Syslog access
• Traffic segregation: VLAN (802.1Q)
• Disable unused ports/services on NMS and interfaces
• Secure Syslog via TLS
• Logging of all user activity
• SSH for shell-based access
• TLS v1.2 for web-based access
• SNMPv3
• OSPF authentication
• Remote backup of software and config files
• Encrypted configuration files
• Disable DHCP server

Payload Encryption
• FIPS 197
• AES 256-bit symmetric keys
• Automatically scheduled key renewal
• Diffie-Hellman key agreement

Page 25:

AVIAT: THE ONLY CARRIER GRADE RADIO WITH FIPS 140-2 LEVEL 2 VALIDATION. THE ONLY OTHER VENDORS WITH SOME TYPE OF FIPS 140-2 VALIDATION ARE:

• NEC • FIPS 140-2 Level 1 ONLY • The NEC validation covers 1 card, not the entire solution

• No Secure Management and no RADIUS (meaning an operator can log in and turn off Payload Encryption!)

• Level 1 mandates no operator authentication at all, so nothing in the validation prevents anyone with the shared common password from logging in and turning security off!

• Cambium (TDD Radios) • PTP 800 is FIPS 140-2 Level 1 ONLY • Same Level 1 caveat: no operator authentication is required, so a shared common password that can turn security off is enough to pass

• No opacity protection, no tamper evidence • PTP 600 is FIPS 140-2 Level 2 validated, but it is a TDD radio (not for mission-critical or latency-sensitive applications)

If a vendor is not on the NIST lists, they are not “validated”; modules still under review appear here: http://csrc.nist.gov/groups/STM/cmvp/documents/140-1/140InProcess.pdf