Crossdeam X86 X80

Crossbeam Systems, Inc.
X60 and X80-S Platforms

Hardware Version: APM-9600, CPM-9600, NPM-9610, and NPM-96 0 !irmware Version: X"S #9$9$0
!%PS 1&0-' Non-Pro(rietar) Se*+rit) Poli*)

!%PS Se*+rit) ,e#el: ' -o*+ment Version: 0$1&
Prepared for:
Prepared by:
Crossbeam Systems, Inc. 80 Central Street Boxborough, MA 01719 Un ted State! of A"er #a Phone: .1 /9780 $1817%00 http:66***5#ro!!bea"5#o"
Corsec Security, Inc. 1$1$% &ee 'a#(!on Me"or al )*y, Su te ++0 ,a rfax, -A ++0$0 Un ted State! of A"er #a Phone: .1 /70$0 +27120%0 3"a l: nfo4#or!e#5#o" http:66***5#or!e#5#o"
Se*+rit) Poli*), Version 0$1&
!e.r+ar) 1/, '01/
Copyright Crossbeam Systems, 2012, ALL RIGHTS RESERVED. Crossbeam, Crossbeam Systems, XOS, X20, X30, X45, X50, X60, X80, X80-S and any logos associated therewith are trademarks or registered trademarks of Crossbeam Systems, Inc. in the U.S. Patent and Trademark Office, and several international jurisdictions. All other product names mentioned in this document may be trademarks or registered trademarks of their respective companies.
Cross.eam X60 and X80-S Platforms 2 '01/ Cross.eam S)stems, %n*$ 34is do*+ment ma) .e freel) re(rod+*ed and distri.+ted w4ole and inta*t in*l+din0 t4is *o()ri04t noti*e$
Pa0e 2 of /1
!e.r+ar) 1/, '01/
Table of Contents
1 INTRODUCTION ................................................................................................................... 5 1$1 P56P"S7 $$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$ 1$' 67!767NC7S $$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$ 1$/ -"C5M7N3 "68AN%9A3%"N $$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$ X6 !ND X" #S $%!T&OR'S .............................................................................................. 6 '$1 "V76V%7: $$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$ 6 '$' M"-5,7 SP7C%!%CA3%"N $$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$ 8 '$/ M"-5,7 %N376!AC7S$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$ 9 '$& 6",7S AN- S76V%C7S $$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$ 1 2.4.1 Non-Approved Services ...................................................................................................................................... 18 '$ PH;S%CA, S7C56%3; $$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$ 18 '$6 "P76A3%"NA, 7NV%6"NM7N3 $$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$ 18 '$1 C6;P3"86APH%C <7; MANA87M7N3 $$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$ 18 '$8 S7,!-37S3S $$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$ '' 2.8.1 Power-Up Self-Tests ............................................................................................................................................ 22 2.8.2 Conditional Self-Tests ......................................................................................................................................... 22 '$9 M%3%8A3%"N "! "3H76 A33AC<S$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$ '/ S(CUR( O$(R!TION ......................................................................................................... 2) /$1 %N%3%A, S735P $$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$ '& 3.1.1 X ! and X8!-S Set"p ...................................................................................................................................... 24 3.1.2 X ! and X8!-S #$PS %ode Confi&"ration ................................................................................................. 3! 3.1.3 #ir'ware (ersion (erification .......................................................................................................................... 3! 3.1.4 #$PS %ode Co'pliance...................................................................................................................................... 3! /$' C6;P3"-"!!%C76 85%-ANC7 $$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$ /1 3.2.1 %ana&e'ent ........................................................................................................................................................ 31 3.2.2 )eroi*ation ............................................................................................................................................................ 31 3.2.3 Non-Approved %ode of +peration................................................................................................................ 31 /$/ 5S76 85%-ANC7 $$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$ /& !CRON*'S .......................................................................................................................... 35
Table of &+,-res
!%8567 1 - X-S76%7S 3;P%CA, -7P,";M7N3 C"N!%856A3%"N $$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$ 1 !%8567 ' = APM-9600 >,A-7 $$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$ 10 !%8567 / = CPM-9600 >,A-7 $$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$ 11 !%8567 & = NPM-96X0 >,A-7 $$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$ 11 !%8567 = X60 !6"N3 V%7:$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$ 1' !%8567 6 = X60 >AC< V%7: $$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$ 1' !%8567 1 = X80-S !6"N3 V%7: $$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$ 1/ !%8567 8 = X80-S >AC< V%7: $$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$ 1& !%8567 9 = X60 3AMP76 7V%-7N3 ,A>7, P,AC7M7N3 = !6"N3 $$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$ ' !%8567 10 = X60 3AMP76 7V%-7N3 ,A>7, P,AC7M7N3 = >AC< $$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$ '6 !%8567 11 = X80-S 3AMP76 7V%-7N3 ,A>7, P,AC7M7N3 = ,7!3 $$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$ '1 !%8567 1' = X80-S 3AMP76 7V%-7N3 ,A>7, P,AC7M7N3 = 6%8H3 $$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$ '9
%+st of Tables
3A>,7 1 = S7C56%3; ,7V7, P76 !%PS 1&0-' S7C3%"N $$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$ 8 3A>,7 ' = M"-5,7 37S3 C"N!%856A3%"NS $$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$ 8 3A>,7 / = X60 AN- X80-S >,A-7 3;P7S >; S,"3 $$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$ 9
Cross.eam X60 and X80-S Platforms 2 '01/ Cross.eam S)stems, %n*$ 34is do*+ment ma) .e freel) re(rod+*ed and distri.+ted w4ole and inta*t in*l+din0 t4is *o()ri04t noti*e$ Pa0e 3 of /1
!e.r+ar) 1/, '01/
3A>,7 & = C6;P3"86APH%C M"-5,7 P,A3!"6MS $$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$ 9 3A>,7 = !%PS 1&0-' ,"8%CA, %N376!AC7 MAPP%N8S$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$ 1& 3A>,7 6 = "P76A3"6 S76V%C7S $$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$ 1 3A>,7 1 = !%PS-APP6"V7- A,8"6%3HM %MP,7M7N3A3%"NS $$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$ 19 3A>,7 8 = C6;P3"86APH%C <7;S, C6;P3"86APH%C <7; C"MP"N7N3S, AN- CSPS$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$ '0 3A>,7 9 = ,A>7, APP,%CA3%"N %NS365C3%"NS !"6 3H7 X60 CHASS%S $$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$ ' 3A>,7 10 = ,A>7, APP,%CA3%"N %NS365C3%"NS !"6 3H7 X80-S-AC CHASS%S $$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$ '8 3A>,7 11 = ,A>7, APP,%CA3%"N %NS365C3%"NS !"6 3H7 X80-S--C CHASS%S $$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$ '8 3A>,7 1' = N"N-!%PS M"-7 S76V%C7S$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$ /' 3A>,7 1/ = AC6"N;MS $$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$ /
Pa0e ) of /1
!e.r+ar) 1/, '01/
1
1.1 $-r/ose
Intro.-ct+on
This is a non-proprietary Cryptographic Module Security Policy for the X60 and X80-S Platforms from Crossbeam Systems, Inc., hereafter referred to as Crossbeam. This Security Policy describes how the X60 and X80-S Platforms meet the security requirements of Federal Information Processing Standards (FIPS) Publication 140-2, which details the U.S. and Canadian Government requirements for cryptographic modules. More information about the FIPS 140-2 standard and validation program is available on the National Institute of Standards and Technology (NIST) and the Communications Security Establishment Canada (CSEC) Cryptographic Module Validation Program (CMVP) website at http://csrc.nist.gov/groups/STM/cmvp/index.html. This document also describes how to run the module in a secure FIPS-Approved mode of operation. This policy was prepared as part of the Level 2 FIPS 140-2 validation of the module. The X60 and X80-S Platforms are referred to in this document as the X-Series module or the module.
1.2 References
This document deals only with operations and capabilities of the module in the technical terms of a FIPS 140-2 cryptographic module security policy. More information is available on the module from the following sources: The Crossbeam website (http://www.crossbeam.com) contains information on the full line of products from Crossbeam. The CMVP website (http://csrc.nist.gov/groups/STM/cmvp/index.html) contains contact information for individuals to answer technical or sales-related questions for the module.
1.3 Doc-ment Or,an+0at+on

The Security Policy document is one document in a FIPS 140-2 Submission Package. The Submission Package contains: Non-proprietary Security Policy document Vendor Evidence document Finite State Model document Submission Summary Other supporting documentation as additional references This Security Policy and the other validation submission documentation were produced by Corsec Security, Inc. under contract to Crossbeam Systems, Inc. With the exception of this Non-Proprietary Security Policy, the FIPS 140-2 Submission Package is proprietary to Crossbeam and is releasable only under appropriate non-disclosure agreements. For access to these documents, please contact Crossbeam.
Pa0e 5 of /1
!e.r+ar) 1/, '01/
2
2.1 O1er1+e2
X6 an. X" #S $latforms
The X60 and X80-S Platforms belong to Crossbeams family of security application platforms. There are three possible chassis: the X60, X80-S-AC, and X80-S-DC. The platforms consolidate multiple security applications onto a single multifunction device. The applications that can be installed on the Crossbeam platform include antivirus applications, firewall applications, spam filtering applications, Intrusion Prevention Systems (IPS), proxies, and web content gateways. A full list of supported applications can be found on Crossbeams website (http://www.crossbeam.com) by clicking on the Applications tab, although not all of these have been FIPS 140-2 validated. The platforms are composed of a combination of hot-swappable blades seated on a common backplane. The blades provide processing and storage that is used to implement module functionality. The blades can be one of the following three types: Control Processor Modules (CPMs) provide all generic system-wide functions, including a switched Ethernet control network for all slots in the chassis, all management ports, management of the system boot process, management of alarms, system health monitoring, and statistical reporting. Network Processor Modules (NPMs) provide network connectivity, handle traffic flows into and out of the system, and make load-balancing decisions. Application Processor Modules (APMs) host security applications and provide application-level processing of traffic flows. Incoming traffic is received from the NPMs, and outgoing traffic is returned to the NPMs. Applications are loaded during the APM boot process from storage on the CPM; these applications are referred to as Virtual Application Processors, or VAPs. A VAP contains a base kernel and usually a security application installed on top of that kernel.
Only the CPM blades implement cryptographic functionality. The CPM communicates to the other blades via a dual, redundant, private, switched control plane. The CPM contains the switching elements with all point-to-point connections from each of the other blades connecting through the backplane connector. The cryptographic libraries run on independent CPM blades that are inserted into the chassis backplane.
Pa0e 6 of /1
!e.r+ar) 1/, '01/
User workstations
Backup X80-S or X60 Platform
Corporate Network
Administrator Workstation
Chassis Backplane
P! "
AP! "
CP! " #Acti$e%
X'S
&osted Application
Public Network / Internet
User workstations
&+,-re 1 # X#Ser+es Ty/+cal De/loyment Conf+,-rat+on The X-Series module is validated at the FIPS 140-2 Section levels listed in Table 1 below. The overall security level of the module is 2.
!e.r+ar) 1/, '01/
Table 1 4 Sec-r+ty %e1el $er &I$S 1) #2 Sect+on Sect+on 1 ' / & Sect+on T+tle Cr)(to0ra(4i* Mod+le S(e*ifi*ation Cr)(to0ra(4i* Mod+le Ports and %nterfa*es 6oles, Ser#i*es, and A+t4enti*ation !inite State Model P4)si*al Se*+rit) 6 1 8 9 10 11 1& "(erational 7n#ironment Cr)(to0ra(4i* <e) Mana0ement 7M%?7MC Self-tests -esi0n Ass+ran*e Miti0ation of "t4er Atta*@s Cr)(to0ra(4i* Mod+le Se*+rit) Poli*)
'
%e1el ' ' / ' ' N?A1 ' ' ' ' N?A '
2.2 'o.-le S/ec+f+cat+on

The X-Series is a Multi-Chip Standalone hardware module. The cryptographic boundary of the X-Series is defined by the chassis of the platform. The testing configuration for the module includes one of each blade type (CPM, APM, and NPM) loaded into the chassis. The CPM runs the CPM kernel, the APM runs either the xsve kernel or xslinux_v5_64 kernel, and the NPM runs a network-specific operating system. This results in a total of 12 different testing configurations, as shown in Table 2 below. Please note that the CPM is present in all of the below configurations running the CPM kernel. Table 2 4 'o.-le Test Conf+,-rat+ons Test+n, Conf+,-rat+on 1 2 3 4 5 6 7 8 9 10 11 12 X" # S#!C X" # S#DC X6 !$' r-nn+n, 5s1e !$' r-nn+n, 5sl+n-561566) N$'# 761 N$'# 765
N/A Not Applicable EMI/EMC Electromagnetic Interference / Electromagnetic Compatibility Cross.eam X60 and X80-S Platforms
2
Pa0e " of /1
2 '01/ Cross.eam S)stems, %n*$ 34is do*+ment ma) .e freel) re(rod+*ed and distri.+ted w4ole and inta*t in*l+din0 t4is *o()ri04t noti*e$
!e.r+ar) 1/, '01/
The NPM blades, APM blades, power supplies, fan trays, and Air Flow Panels (AFPs) do not provide any cryptographic functionality. They provide network connections and contribute to the integrity of the module physical enclosure. Blades can occupy the slots of each chassis as defined in Table 3 below. Table 3 4 X6 an. X" #S 8la.e Ty/es by Slot Slot N-mber 1 ' / & 6 1 8 9 10 11 1' 1/ 1& X6 8la.e Ty/e NPM NPM or APM APM APM APM APM or CPM CPM N?A N?A N?A N?A N?A N?A N?A X" #S 8la.e Ty/e NPM NPM NPM or APM NPM or APM APM APM APM APM APM APM APM APM CPM CPM
The cryptographic module was tested and found compliant on the platforms listed in Table 4 below. Table ) 4 Cry/to,ra/9+c 'o.-le $latforms 8la.e CPM APM APM :!$ OS n?a As#e Aslin+AB# B6& %+n-5 ;ernel<s= '$6$18-16&$'$1 '$6$18-16&$'$1 '$6$18-16&$'$1 !rc9+tect-re A86B6& A86B6& A86B6&
2.3 'o.-le Interfaces

The X60 and X80-S Platforms consist of Ethernet ports, Small Form Pluggable (SFP) ports, a console port, a Universal Serial Bus (USB) port, and status Light-Emitting Diodes (LEDs). All empty blade slots on the chassis backplane are covered with plastic AFPs. The AFPs and blade front panels are affixed with tamper-evident labels to prevent unauthorized access. The physical ports can be categorized into the following logical interfaces defined by FIPS 140-2: Data Input Interface Data Output Interface Control Input Interface Status Output Interface Data input/output is categorized as the packets entering and leaving the module through the network ports (Ethernet ports) on the NPM blades. Control input consists of configuration or administration data entered into the module via the Command Line Interface (CLI) management interface (accessed via the CPM blades). Any User can be given administrative permissions by the Crypto Officer (CO). Status output consists of the status provided via the LEDs, CLI command output, and log information.
!e.r+ar) 1/, '01/
The APM-9600, CPM-9600, and NPM-96x03 blades are shown in Figure 2, Figure 3, and Figure 4. The front and rear of the X60 are shown in Figure 5 and Figure 6. Acronyms shown in the diagrams below: AC Alternating Current ESD Electrostatic Discharge
&+,-re 2 4 !$'#76
8la.e
NPM-96x0 refers to either the NPM-9610 or NPM-9650 blade, or both.

Pa0e 1 of /1
Cross.eam X60 and X80-S Platforms
!e.r+ar) 1/, '01/
&+,-re 3 4 C$'#76
8la.e
&+,-re ) 4 N$'#765 8la.e
Pa0e 11 of /1
!e.r+ar) 1/, '01/
&+,-re 5 4 X6 &ront :+e2
&+,-re 6 4 X6 8ac> :+e2 The front and rear of the X80-S are shown in Figure 7 and Figure 8.
Pa0e 12 of /1
!e.r+ar) 1/, '01/
&+,-re 3 4 X" #S &ront :+e2
Pa0e 13 of /1
!e.r+ar) 1/, '01/
&+,-re " 4 X" #S 8ac> :+e2 All of the physical interfaces are separated into logical interfaces defined by FIPS 140-2, as described in Table 5 below. Table 5 4 &I$S 1) #2 %o,+cal Interface 'a//+n,s $9ys+cal $ort?Interface 7t4ernet @-ant+ty 1 CCPM-9600D 16 CNPM-96A0D &I$S 1) #2 %o,+cal Interface Control %n(+t CCPMD Stat+s "+t(+t CCPMD -ata %n(+t CNPMD -ata "+t(+t CNPMD Control %n(+t Stat+s "+t(+t
S!P
' CCPM-9600D
Pa0e 1) of /1
!e.r+ar) 1/, '01/
$9ys+cal $ort?Interface Serial
@-ant+ty ' CCPM-9600D
&I$S 1) #2 %o,+cal Interface Control %n(+t Stat+s "+t(+t Stat+s "+t(+t
,7-
/ CAPM-9600D 1 CCPM-9600D / CNPM-96A0D / on t4e X80-S *4assis, *ontrolled .) CPM ' CX60D & CX80-SD
Power
Power %n(+t
2.) Roles an. Ser1+ces

The module supports identity-based authentication for two roles: CO and User (as required by FIPS 1402). The CO role is the administrator for the system and can perform the setup, maintenance, and User management tasks. The User role can have a permission level from 0-15 and is allowed to perform configuration and monitoring tasks commensurate with the assigned permission level. Descriptions of the services available to the CO and User roles are provided in Table 6 below. Please note that the keys and Critical Security Parameters (CSPs) listed in the table indicate the type of access required using the following notation: Read: The CSP is read. Write: The CSP is established, generated, modified, or zeroized. Execute: The CSP is used within an Approved or Allowed security function or authentication mechanism. Table 6 4 O/erator Ser1+ces Ser1+ce *onfi0+re no fi(smode s4+tdown reload *lear fi(s-error Descr+/t+on -isa.les !%PS-mode S4+ts down t4e mod+le and all *r)(to ser#i*es O/erator CS$ an. Ty/e of !ccess C" C" None None None None
6estarts t4e mod+le and reloads *r)(to C" ser#i*es After an error o**+rs, *4e*@s to see if C" all self-tests (assed, and if so re-ena.les mod+le f+n*tionalit)$ %f self-tests 4a#e not (assed, indi*ates t4e failed self-tests$ 34e administrator s4o+ld re-r+n an) failed self-tests$ -is(la)s w4et4er t4e mod+le is r+nnin0 C" in !%PS mode or not 5ser
s4ow fi(s-mode
None
Pa0e 15 of /1
!e.r+ar) 1/, '01/
Ser1+ce
Descr+/t+on
O/erator CS$ an. Ty/e of !ccess C" C" Password = 6ead Cen*r)(tedD 5ser Password = 6ead Cen*r)(tedD C" Password = 6ead Cen*r)(tedD 5ser Password = 6ead Cen*r)(tedD C" Password = 6ead Cen*r)(tedD 5ser Password = 6ead Cen*r)(tedD C" Password = 6ead Cen*r)(tedD 5ser Password = 6ead Cen*r)(tedD None
s4ow r+nnin0-*onfi0 S4ows t4e *+rrentl)-loaded *onfi0+ration, in*l+din0 #ersion n+m.er for t4e mod+le
s4ow start+(-*onfi0 S4ows t4e start+( *onfi0+ration, C" in*l+din0 #ersion n+m.er for t4e mod+le Co(tion for dis(la)in0 en*r)(ted C" and +ser (asswordsD *o() r+nnin0-*onfi0 Co(ies t4e r+nnin0 *onfi0+ration to a file C"
*o() start+(-*onfi0
Co(ies t4e start+( *onfi0+ration to a file
C"
s4ow te*4-s+((ort
S4ows man) s)stem (ro(erties in*l+din0 C" mod+le #ersion, start+( *onfi0, and r+nnin0 *onfi0 S4ows information on t4e latest mod+le C" *ras4, in*l+din0 #ersion information Pre#ents ot4er o(erators from modif)in0 t4e *onfi0+ration Clears all *leara.le notifi*ations from t4e a*ti#e alarms ta.le S4ows SSH settin0s, in*l+din0 ina*ti#it) timeo+t settin0s C" C"
s4ow te*4-*ras4 lo*@-*onfi0 *lear alarms
None None None
s4ow i( ss4 *onfi0+re i( ss4
C"
None None
7na.les, disa.les, or *4an0es o(tions for C" t4e Se*+re S4ell CSSHD ser#er on t4e mod+le 3erminates an eAistin0 SSH session wit4 C" t4e s(e*ified session identifier
dis*onne*t ss4
None None 6SA& (+.li* @e) = :rite 6SA (ri#ate @e) = :rite -SA (+.li* @e) = :rite -SA (ri#ate @e) = :rite C" Password = :rite Conl) for selfD 5ser Password = :rite Conl) for selfD
*onfi0+re (assword- Sets t4e (assword (oli*) for t4e mod+le C" (oli*) remo#e-ss4-@e)s 9eroiEes t4e @e)s +sed .) SSH on t4e mod+le C"
*onfi0+re (assword
C4an0es t4e (assword for t4e *+rrent +ser
C" 5ser
RSA Rivest, Shamir, and Adelman DSA Digital Signature Algorithm Cross.eam X60 and X80-S Platforms
5
Pa0e 16 of /1
!e.r+ar) 1/, '01/
Ser1+ce *onfi0+re +sername
Descr+/t+on Creates a new o(erator a**o+nt or *onfi0+res?deletes t4e s(e*ified eAistin0 +ser a**o+nt
O/erator CS$ an. Ty/e of !ccess C" 5ser (assword = :rite
*onfi0+re fi(s-mode Promotes t4e s(e*ified 5ser wit4 *r)(to-offi*er-role (ri#ile0e le#el 1 to t4e C" role, or demotes t4e C" to a 5ser wit4 (ri#ile0e le#el 1 Commands for Commands t4at allow t4e C" or 5ser *onfi0+rin0 X-Series to *onfi0+re t4e interfa*es a#aila.le for (latform remote mana0ement of t4e mod+le mana0ement interfa*es Commands for *onfi0+rin0 +ser a**o+nts and mana0in0 +ser a**ess to t4e XSeries (latform Commands for dis(la)in0 X"S *onfi0+ration settin0s Commands t4at allow t4e C" to mana0e +sers and a**ess le#els$
C"
None
C" 5ser
None
C"
None
Commands t4at allow t4e C" or 5ser to #iew non-sensiti#e *onfi0+ration elements$
C" 5ser
None
The module authenticates the Crypto Officer and User operators account before providing any services. Once the operator authenticates, the operator assumes the role associated with the operators account. The module performs identity-based authentication. All CO and User services provided by the module require the operator to authenticate with a username and password. Operators signing into a CO account assume a permission level that grants access to all commands. Operators signing into a User account assume permissions at a level from 0-15 (as designated by a CO). This allows the CO to permit different User accounts to have multiple access levels to CLI commands. The module uses password-based authentication mechanisms. Password requirements can be modified by a CO, but must meet the following minimum criteria: 96-character password space (upper- and lower- case letters, numbers, and special characters) Passwords must be at least 8 characters in length Passwords must include at least 1 upper- and lower-case letter, 1 number, and 1 special character Passwords have a default lifetime of 1 month New passwords must have a minimum of 4 character changes from the previous password The chance of a random brute-force attempt succeeding at guessing an operators password is 1:968, or 1: 7,213,895,789,838,336. The fastest network connection supported by the module is 1 Gbps6. Hence, at most (109 60 = 6 1010 = 60,000,000,000 bits, or 7,500,000,000 bytes) of data can be transmitted in one minute. Given a minimum password length of 8 characters only 937,500,000 passwords can be guessed in a minute. Therefore, the probability that a random attempt will succeed or false acceptance will occur in a one-minute period is less than 937,500,000:968 or 1: 7,694,822.
6 Gbps Gigabits Per Second Cross.eam X60 and X80-S Platforms
Pa0e 13 of /1
!e.r+ar) 1/, '01/
2.).1 Non#!//ro1e. Ser1+ces

When the module is operating in the non-Approved mode of operation (described in Section 3.2.3), the following additional services are available to the operator of the module: Non-Approved HTTPS (RSA, AES, and TDES), Blowfish CAST7-128 RC48 Use of LibGCrypt for RSA (key gen) and RNG
2.5 $9ys+cal Sec-r+ty

The X-Series is a multi-chip standalone cryptographic module. It is enclosed in a hard and opaque paintedmetal case that completely encloses all internal components. There are only a limited set of ventilation holes provided by the case, and the view of internal components of the module is obscured by: Baffles on the left side of the X60 chassis, Fan trays on the right side of the X60 chassis, Baffles provided by the power supply units (X60 and X80-S), Baffles provided by the APM, CPM, and NPM blades and AFPs (X60 and X80-S), An internal metal enclosure that surrounds the internal components of the X80-S chassis, and Baffles provided by the backplane of the X80-S chassis. Tamper-evident labels are applied to the case to provide physical evidence of attempts to gain access to the modules internal components. All of the modules components are production grade. The placement of the tamper-evident labels can be found in Section 3.1.1. The module conforms to the EMI/EMC requirements specified by 47 Code of Federal Regulations, Part 15, Subpart B, Unintentional Radiators, Digital Devices, Class A (business use).
2.6 O/erat+onal (n1+ronment

The operational environment requirements do not apply to the module, because the module does not provide a general-purpose Operating System (OS) for operators. The X60 and X80-S Platforms employ one of three kernels listed in Table 4 above. Each kernel is a non-modifiable OS that provides only a limited operational environment, and only the modules custom-written images can be run on the system.
2.3 Cry/to,ra/9+c ;ey 'ana,ement

The module implements the FIPS-Approved algorithms listed in Table 7 below.
CAST Carlisle Adams Stafford Tavares RC4 Rons Code 4 Cross.eam X60 and X80-S Platforms
8
Pa0e 1" of /1
!e.r+ar) 1/, '01/
Table 3 4 &I$S#!//ro1e. !l,or+t9m Im/lementat+ons !l,or+t9m Ad#an*ed 7n*r)(tion Standard CA7SD = C>C9, 7C>10, "!>11, and C!>-1'81' modes C1'8-.it, 19'-.it, and ' 6-.it @e)sD A7S = C361/ mode C1'8-.it, 19'-.it, and ' 6-.it @e)sD 3ri(le -ata 7n*r)(tion Standard C3-7SD = C>C, 7C>, "!>, and C!>-6& wit4 /-@e) 3-7S = C36 mode wit4 /-@e) 6SA ANS% X9$/1 <e) 0en, P+.li* <e) Cr)(to0ra(4) Standard F1 CP<CSF1D #1$ Csi0n?#erif)D = 10'&-, 1 /6- , '0&8- , /01'- , and &096-.it 6SA ANS% X9$/1 Csi0n?#erif)D Pro.a.ilisti* Si0nat+re S*4eme CPSSD Csi0n?#erif)D = 10'&-, 1 /6-, '0&8-, /01'-, and &096-.it -SA PG8C0enD, si0n?#erif) 10'&-.it -SA @e) 0eneration = 10'&-.it Se*+re Has4 Al0orit4m CSHAD-1, SHA-''&, SHA-' 6, SHA-/8&, and SHA- 1' ANS% X9$/1 A((endiA A$&$' Pse+do 6andom N+m.er 8enerator CP6N8D Cert+f+cate N-mbers O/enSS% %+bACry/t
Cert$ F 1811 Cert$ F 1818 N?A Cert F1818
Cert$ F 1''0 Cert$ F 1''1 N?A Cert$ F 9 8 Cert$ F 9 8 Cert$ F 81 Cert F 81 Cert F1''1 N?A N?A N?A N?A
Cert$ F 16 0 Cert$ F 16 1 Cert$ F 98/ N?A
NOTE: As of December 31, 2010, the following algorithms listed in the table above are considered deprecated. For details regarding algorithm deprecation, please refer to NIST Special Publication 800-131A. SHA-1 for digital signature generation and verification Random number generation using ANSI X9.31-1998 Digital signature generation using 1024-bit DSA
The RNG in LibGCrypt does not conform to all of the requirements of the FIPS standard. The RSA key generation algorithm in LibGCrypt relies on random bits provided by the RNG, and thus, it is likewise deemed non-conformant due to the dependency on the RNG. The Crossbeam module does not rely on the RNG or key generation capabilities of LibGCrypt, and the non-conformance does not impact the security profile or posture of the module. The module also supports the following non-FIPS-Approved algorithms: RSA (encrypt, decrypt) (key wrapping, key establishment methodology provides between 80 and 150 bits of encryption strength), RSA (key gen) using LibGCrypt DSA PQG(gen) and sign/verify using libgcrypt RNG using LibGCrypt Diffie-Hellman (key agreement, key establishment methodology provides between 80 and 219 bits of encryption strength).
CBC Cipher Block Chaining ECB Electronic Codebook OFB Output Feedback 12 CFB Cipher Feedback 13 CTR Counter Cross.eam X60 and X80-S Platforms
10 11
Pa0e 17 of /1
!e.r+ar) 1/, '01/
The module supports the CSPs listed below in Table 8. Table " 4 Cry/to,ra/9+c ;eys, Cry/to,ra/9+c ;ey Com/onents, an. CS$s ;ey "(enSS, 6SA (ri#ate @e) ;ey Ty/e Aenerat+on ? In/-t O-t/-t Ne#er eAits t4e mod+le Stora,e Bero+0at+on Use <e) eA*4an0e for SSH sessions <e) eA*4an0e for SSH sessions <e) eA*4an0e for SSH sessions <e) eA*4an0e for SSH sessions -ata en*r)(tion and de*r)(tion for SSH sessions -ata en*r)(tion and de*r)(tion for SSH sessions$ A+t4enti*ates t4e C"
'0&8-.it 6SA (ri#ate %nternall) 0enerated @e) %nternall) 0enerated
Hard dis@ in (lainteAt >) *ommand
"(enSS, 6SA (+.li* 10'&-, 1 /6-, '0&8-, @e) /01'-, or &096-.it 6SA (+.li* @e) "(enSS, -SA (+.li* 10'&-.it -SA (+.li* @e) @e) "(enSS, -SA (ri#ate @e)
7Aits in (lainteAt Hard dis@ in (lainteAt >) *ommand form d+rin0 SSH session esta.lis4ment 7Aits in (lainteAt Hard dis@ in (lainteAt >) *ommand form d+rin0 SSH session esta.lis4ment Ne#er eAits t4e mod+le Hard dis@ in (lainteAt >) *ommand >) (ower *)*le or session termination
%nternall) 0enerated
10'&-.it -SA (ri#ate %nternall) 0enerated @e) 1'8-.it A7S C>C %nternall) 0enerated 19'-.it A7S C>C ' 6-.it A7S C>C 19'-.it 3-7S C>C
"(enSS, Session @e) -iffie-Hellman Session @e)
7Aits in en*r)(ted 6esides in #olatile form d+rin0 SSH @e) memor) onl) in esta.lis4ment (lainteAt 6esides in #olatile memor) onl) in (lainteAt Hard dis@ in 4as4ed format
1'8-.it A7S C>C 8enerated internall) Ne#er eAits t4e 19'-.it A7S C>C d+rin0 -iffie-Hellman mod+le ' 6-.it A7S C>C @e) ne0otiation 19'-.it 3-7S C>C
>) (ower *)*le or session termination
Cr)(to "ffi*er (assword
8-*4ara*ter minim+m 7nters t4e mod+le in Ne#er eAits t4e (assword en*r)(ted form #ia mod+les t4e 7t4ernet (ort on t4e CPM 8-*4ara*ter minim+m 7nters t4e mod+les Ne#er eAits t4e (assword in en*r)(ted form #ia mod+les t4e 7t4ernet (ort on t4e CPM
"#erwritten .) anot4er (assword
5ser (assword
Hard dis@ in 4as4ed format
"#erwritten .) anot4er (assword
A+t4enti*ates t4e 5ser
Pa0e 2 of /1
!e.r+ar) 1/, '01/
;ey
;ey Ty/e
Aenerat+on ? In/-t %nternall) 0enerated
O-t/-t Ne#er eAits t4e mod+le Ne#er eAits t4e mod+le
Stora,e 6esides in #olatile memor) onl) in (lainteAt 6esides in #olatile memor) onl) in (lainteAt
Bero+0at+on >) (ower *)*le or session termination >) (ower *)*le or session termination
Use Seeds t4e !%PSA((ro#ed P6N8 Seeds t4e !%PSA((ro#ed P6N8
"(enSS, P6N8 seed /' .)tes of random @e) #al+e "(enSS, P6N8 seed 16 .)tes of random #al+e
%nternall) 0enerated
Pa0e 21 of /1
!e.r+ar) 1/, '01/
2." Self#Tests
The module implements cryptographic algorithms using firmware. The module performs various SelfTests (Power-Up Self-Tests and Conditional Self-Tests) to verify the functionality and correctness of the algorithms. If any of the power-up or conditional self-tests fail, the module immediately enters a critical error state. While in the critical error state, the module inhibits any data output services by terminating the process providing cryptographic services at the time of the self-test failure. Additionally, the module disables all data output interfaces on the NPM and all interfaces on the CPM except for the serial interface. These interfaces remain disabled until the error state is cleared, or until the module is taken out of FIPS mode. The Crypto Officer can clear the error state by rebooting the module with the reload command, which causes the self-tests to be reinvoked. If all self-tests pass, then the module leaves the error state, but interfaces remain disabled until the CO runs the clear fips-error command.
2.".1 $o2er#U/ Self#Tests

The X-Series module performs the following self-tests at power-up to verify the integrity of the firmware binaries and the correct operation of the FIPS-Approved algorithm implementations employed by the module for the OpenSSL library: Firmware integrity check using a Digital Authentication Code (SHA-256) Cryptographic algorithm tests: o AES-ECB-128 Known Answer Test (KAT) o TDES KAT o RSA sign/verify test o DSA sign/verify test o RSA (key generation) pair-wise consistency test o DSA (key generation) pair-wise consistency test o SHA-1, SHA-224, SHA-256, SHA-384, and SHA-512 KATs o ANSI X9.31 PRNG KAT The X-Series module performs the following self-tests at power-up to verify the integrity of the firmware binaries and the correct operation of the FIPS-Approved algorithm implementations employed by the module for the LibGCrypt library: Firmware integrity check using a Digital Authentication Code (SHA-256) Cryptographic algorithm tests: o AES-ECB-128 Known Answer Test (KAT) o TDES KAT o RSA sign/verify test o DSA sign/verify test o SHA-1, SHA-224, SHA-256, SHA-384, and SHA-512 KATs The CO can perform the power-up self-tests at any time by power-cycling the module or issuing a reload command from the modules CLI.
2.".2 Con.+t+onal Self#Tests

The X60 and X80-S Platforms perform the following conditional self-tests for the OpenSSL library: Continuous Random Number Generator (RNG) test for ANSI X9.31 implementation RSA pairwise consistency tests DSA pairwise consistency tests
Pa0e 22 of /1
!e.r+ar) 1/, '01/
2.7 '+t+,at+on of Ot9er !ttac>s

This section is not applicable.
Pa0e 23 of /1
!e.r+ar) 1/, '01/
3
3.1 In+t+al Set-/
Sec-re O/erat+on
The X60 and X80-S Platforms meet Level 2 requirements for FIPS 140-2. The sections below describe how to place and keep the module in a FIPS-approved mode of operation.
The following sections provide the necessary step-by-step instructions for the secure installation and configuration of the X60 and X80-S Platforms, including the steps necessary to place the module into a FIPS-Approved mode of operation. When the module arrives it is not considered to be in any FIPS or nonFIPS mode of operation until it has been provisioned by a CO.
3.1.1 X6 an. X" #S Set-/

The CO is responsible for installing the platform and powering it up. Before powering up the platform, the CO must ensure that the required tamper-evident labels (included in the FIPS kit) are correctly applied to the platform enclosures following the instructions below. Prior to applying the tamper evident labels, the CO must ensure that all blade slots are populated with a blade (APM-9600, CPM-9600, NPM-9610, or NPM-9650) or an AFP. The chassis must be loaded with at least one CPM-9600, one APM-9600 and one NPM-9610 or NPM-9650. Failure to populate every slot with a blade or AFP would expose the internal circuitry to a potential attacker, compromising the physical security of the module. The Crossbeam X60 Platform Hardware Installation Guide gives detailed instructions on how to install the X60 chassis in a server room environment and how to install blades into the chassis. The Crossbeam X80-S Platform Hardware Installation Guide gives detailed instructions on how to install the X80-S chassis into a server room environment and how to install blades into the chassis. These guides also contain step-by-step instructions on how to configure basic host information required for the platform. The Crossbeam FIPS Level 2 Label Installation Guide gives detailed steps for caring for and applying the tamper-evident seals to the module. To order more labels, the CO should contact Crossbeam sales and request Stock Keeping Unit XS-FIPS-LABEL-KIT. Tamper-evident seals (hereafter referred to as labels) must be applied to the X60 and X80-S chassis to ensure the physical security of the module. Below are instructions for applying the labels. 3.1.1.1 Recor.+n, t9e &I$S %abel N-mbers
Each FIPS label is numbered. The CO may choose to record in a log the serial number of each label that is used along with its associated location on the chassis. 3.1.1.2 Clean+n, t9e C9ass+s S-rfaces
Ensure that all surfaces are cleaned with 99% isopropyl alcohol and dried with a clean cloth and that the surface temperature is a minimum of 10C (50F) before applying the labels. 3.1.1.3 %abel C-r+n, T+me
Labels should be applied 30 minutes before the module is placed into operation.
Pa0e 2) of /1
!e.r+ar) 1/, '01/
3.1.1.)
!//ly+n, &I$S %abels to an X6 C9ass+s
It is the responsibility of the CO to apply the tamper-evident labels to the module. Apply 10 FIPS labels to an X60 chassis as shown in Figure 9 and Figure 10. Each label position (numbered 1 through 10 in the two pictures) is explained in Table 9.
&+,-re 7 4 X6 Tam/er (1+.ent %abel $lacement 4 &ront
Table 7 4 %abel !//l+cat+on Instr-ct+ons for t9e X6 C9ass+s %abel N-mber 1 %ocat+on >lade in .ottom slot 1$ Descr+/t+on Atta*4 t4e first la.el C1D to t4e ri04t side of t4e .lade in t4e .ottom *4assis slot, startin0 at t4e to( ed0e of t4e .lade$ '$ After a((l)in0 t4e la.el from t4e to( to t4e .ottom of t4e .lade, wra( t4e remainder of t4e la.el aro+nd t4e ed0e of t4e *4assis$ /$ !inis4 .) a((l)in0 t4e end of t4e la.el to t4e .ottom of t4e *4assis$ Atta*4 one la.el a*ross ea*4 adHa*ent (air of .lades as s4own in !i0+re 9 a.o#e$ Atta*4 a la.el .etween t4e left and ri04t sides of t4e .eEel and t4e *4assis, ens+rin0 t4at t4e la.el fits sn+0l) into t4e *orner .etween t4e .eEel and t4e *4assis$ At t4e rear of t4e *4assis, atta*4 a la.el to t4e fan tra) and t4e *4assis as s4own in !i0+re 10$
' t4ro+04 1 8 and 9
>lades and Air !low Panels >eEel
10
!an 3ra)
Pa0e 25 of /1
!e.r+ar) 1/, '01/
&+,-re 1 4 X6 Tam/er (1+.ent %abel $lacement 4 8ac>
3.1.1.5
!//ly+n, &I$S %abels to an X" #S C9ass+s
Apply 19 FIPS labels to an X80-S-AC chassis as shown in Figure 11 and Figure 12 and as described in Table 10 below. Apply 17 FIPS tamper-evident labels to an X80-S-DC chassis as described in Table 11 below.
Pa0e 26 of /1
!e.r+ar) 1/, '01/
&+,-re 11 4 X" #S Tam/er (1+.ent %abel $lacement 4 %eft
Pa0e 23 of /1
!e.r+ar) 1/, '01/
Table 1 4 %abel !//l+cat+on Instr-ct+ons for t9e X" #S#!C C9ass+s %abel N-mber 1 and ' %ocat+on 5((er >eEel Descr+/t+on Atta*4 a la.el .etween t4e left and ri04t sides of t4e +((er .eEel and t4e *4assis, ens+rin0 t4at t4e la.el fits sn+0l) into t4e *orner .etween t4e *4assis and t4e .eEel$ Atta*4 one la.el a*ross ea*4 adHa*ent (air of .lades as s4own in !i0+re 11, a.o#e$ 1$ Atta*4 la.el 10 to t4e .ottom of t4e .lade in t4e leftmost *4assis slot, startin0 at t4e ri04t ed0e of t4e .lade$ '$ After a((l)in0 t4e la.el from t4e ri04t to t4e left of t4e .lade, a((l) t4e remainder of t4e la.el to t4e adHa*ent (art of t4e *4assis$ /$ !inis4 .) a((l)in0 t4e end of t4e la.el to t4e front of t4e *4assis$ NOT(C 18 and 19 ,ower >eEel !or la.el 11, +se a similar a((roa*4, .+t start on t4e left side of t4e ri04tmost .lade$
/ t4ro+04 9 and 11 t4ro+04 16 10 and 11
>lades and Air !low Panels >lades and Air !low Panels
A((l) a la.el to t4e left and ri04t sides of t4e lower .eEel so t4at t4e la.el is atta*4ed to t4e .eEel and t4e *4assis, as s4own in !i0+re 11 and !i0+re 1'$ 7ns+re t4at t4e la.el fits sn+0l) into t4e *orner .etween t4e *4assis and t4e .eEel$
Table 11 4 %abel !//l+cat+on Instr-ct+ons for t9e X" #S#DC C9ass+s %abel N-mber 1 and ' %ocat+on 5((er >eEel Descr+/t+on Atta*4 a la.el .etween t4e left and ri04t sides of t4e +((er .eEel and t4e *4assis, ens+rin0 t4at t4e la.el fits sn+0l) into t4e *orner .etween t4e *4assis and t4e .eEel$ Atta*4 one la.el a*ross ea*4 adHa*ent (air of .lades as s4own in !i0+re 11, a.o#e$ 1$ Atta*4 la.el 10 to t4e .ottom of t4e .lade in t4e leftmost *4assis slot, startin0 at t4e ri04t ed0e of t4e .lade$ '$ After a((l)in0 t4e la.el from t4e ri04t to t4e left of t4e .lade, a((l) t4e remainder of t4e la.el to t4e adHa*ent (art of t4e *4assis$ /$ !inis4 .) a((l)in0 t4e end of t4e la.el to t4e front of t4e *4assis$ NOT(C
/ t4ro+04 9 and 11 t4ro+04 16 10 and 11
>lades and Air !low Panels >lades and Air !low Panels
NOT(C
!or la.el 11, +se a similar a((roa*4, .+t start on t4e left side of t4e ri04tmost .lade$ 34e X80-S--C *4assis 4as no lower .eEel$ As a res+lt, t4ere is no need to a((l) la.els 18 and 19 w4en dealin0 wit4 t4is *4assis t)(e$
Pa0e 2" of /1
!e.r+ar) 1/, '01/
&+,-re 12 4 X" #S Tam/er (1+.ent %abel $lacement 4 R+,9t
Pa0e 27 of /1
!e.r+ar) 1/, '01/
3.1.1.6
Re/lac+n, a %abel
The CO is responsible for the direct control and observation of any changes to the equipment, such as reconfigurations where the tamper evident labels or security appliances are removed or installed to ensure that the security of the equipment is maintained during such changes and that the module is returned to a FIPS-Approved state. If any label has been compromised, either deliberately or by accident, it must be replaced immediately using the procedures in this document. If a label must be compromised as part of the maintenance or replacement procedure, replace it using the procedures in this document. 3.1.1.3 %abel Stora,e
The CO is responsible for securing and having control at all times of any unused labels. The recommended storage conditions are: Temperature: 20C 25C (68F 77F) Relative Humidity Less than 50%
When stored under these conditions, the shelf life of labels is 1 year.
3.1.2 X6 an. X" #S &I$S 'o.e Conf+,-rat+on

Once all necessary setup procedures have been performed as described in the preceding section, the module needs to be configured to comply with FIPS 140-2 requirements. Once configured as described in this section, the module will be considered to be in the FIPS-Approved mode, which can be verified at any time by executing the show fips-mode command via the CLI. To configure the module for FIPS mode, log into the CLI and run the configure fips-mode command. This command initiates a series of scripts that automatically check for running insecure services and configuration settings. If the check finds any insecure services running, the administrator is notified and must manually disable the insecure services and re-run the configure fips-mode command. Once the configuration is complete, the system prompts to change the administrators password. The administrator who ran the command is now the CO for the system. Once this step is complete, the module is considered to exist in a well-defined state for the first time and is operating in FIPS mode. Only the FIPS-Approved VAPs found in Table 4 can be run on the APM-9600 while in FIPS mode. The CO may get into the vap-group context only for limited configuration tasks.
3.1.3 &+rm2are :ers+on :er+f+cat+on

To ensure that the module is running the validated version of the module firmware, operators should compare the running versions to those documented in this Security Policy. To display the running version of the firmware, an operator must type the show current-release command via the CLI.
3.1.) &I$S 'o.e Com/l+ance

When setup, installed, and configured per the guidance provided in Section 3.1 of this document, the module is considered to be in a well-defined FIPS-Approved mode of operation. Deviation from this guidance will result in non-compliance. Additionally, the guidance provided below must be followed to ensure that the module remains in a FIPSApproved mode of operation. Failure to do so will result in non-compliance. Never install a non-FIPS-validated version of the module.
!e.r+ar) 1/, '01/
Although a configure no fips-mode command is available, the CO should never use this command.
The CO must periodically ensure that the labels or blade slots do not show any signs of tampering. Evidence of tampering can be indicated by any of the following: Deformation of the label or dot pattern visible Label appearing broken or torn Missing label (in parts or full) from its expected position Warped or bent metal covers Scratches in the paint of the module
In case of any evidence indicating that the physical security has been violated, it is up to the CO to ensure that the module is secured in terms of its functionality and re-apply the tamper evident labels, following the procedure as described in Section 3.1.1. If required, the CO should perform a reboot or follow the Zeroization process as described in Section 3.2.2. Additionally, the CO should keep all unused labels in a secure location at all times.
3.2 Cry/to#Off+cer A-+.ance

The CO can initiate the execution of self-tests and can access the modules status reporting capability. Self-tests can be initiated at any time by re-loading the module or rebooting the module.
3.2.1 'ana,ement
It is the responsibility of the CO to ensure that the module is set up to run securely. Please refer to Section 3.1.4 above for guidance that the CO must follow for the module to remain in a FIPS-Approved mode of operation. Additionally, the CO should be careful to protect any secret or private keys in his possession. For details regarding the management of the modules, please refer to the Crossbeam XOS Configuration Guide.
3.2.2 Bero+0at+on
The module stores an RSA keypair as plaintext in disk memory. There are many CSPs within the modules cryptographic boundary, including private keys, operator passwords, and configuration files. All ephemeral keys used by the module are zeroized when the module is rebooted, power is removed, or upon session termination. CSPs reside in disk memory and Random Access Memory (RAM). CSPs in RAM are zeroized when the module is rebooted, power is removed, or the process using the CSP is terminated or completed. CSPs in disk memory are zeroized when overwritten by another CSP.
3.2.3 Non#!//ro1e. 'o.e of O/erat+on

The X60 and X80-S Platforms contain both an Approved and Non-Approved mode of operation. Instructions on how to place the module into an Approved mode of operation are available in Section 3.1. To take the module out of an Approved mode of operation, the CO can call configure no fips-mode. When operating in a Non-Approved mode, the module provides all cryptographic algorithms listed in Table 7 in a non-compliant form, with the addition of the following services:
Pa0e 31 of /1
!e.r+ar) 1/, '01/
Table 12 4 Non#&I$S mo.e Ser1+ces Ser1+ce 3elnet is ena.led configure ip telnet show ip telnet None Non#!//ro1e. !l,or+t9ms
%nstallation and +se of non-!%PS "S and VAP "S None <ernels configure vap-group vap-count configure vap-group max-load-count configure vap-group ap-list rebuild-vap-group Can *onfi0+re non-!%PS "S and VAP "S <ernels application application-update application-upgrade None
A+tomated wor@flow s)stem *ommands are None a#aila.le: automated-workflow-menu automated-workflows show automated-workflow-progress SNMP1& s+((ort is ena.led show snmp configure snmp-user show snmp-user 6M"N1 s+((ort is ena.led configure rmon show rmon show traplog ,-AP16 s+((ort is ena.led configure ldap-parameter show ldap-parameters configure ldap-server 6A-%5S11 s+((ort is ena.led configure radius-server show radius-server 6emote s)slo0 s+((ort is ena.led configure logging server show logging server !3P18 s+((ort is ena.led configure ip ftp show ip ftp validate-fips-configuration None
None
None
None
None
None
14 15
SNMP Simple Network Management Protocol RMON Remote Monitoring 16 LDAP Lightweight Directory Access Protocol 17 RADIUS Remote Access Dial-In User Service 18 FTP File Transfer Protocol
!e.r+ar) 1/, '01/
Ser1+ce
19
Non#!//ro1e. !l,or+t9ms
85% is ena.led Cinformational dis(la)s onl), no 5ses non-a((ro#ed *r)(to0ra(4) for H33PS a**ess to *onfi0+re t4e s)stemD *onne*tions Cnon-#alidated 6SA, A7S, and 3-7SD$ configure web-server show web-server 5niA s4ell a**ess is allowed unix exec cd pwd dir 6oot s4ell is ena.led cd pwd dir CPM *onfi0+ration o(tions are a#aila.le configure cp-redundancy configure module configure cp-action configure cp-action disk-error show cp-disk-error cp-disk-scheme cp-next-boot reset-cp-serial reset-configuration configure reset-password None
None
None
6o+tin0 (roto*ol *onfi0+ration o(tions are a#aila.le None configure routing-protocol configure routing-protocol-services routing-protocol routing-protocol-services Admin *an +(0rade firmware upgrade -e.+0 *ommand is a#aila.le debug Ar*4i#in0 tools are a#aila.le archive archive-vap-group Additional SSH o(tions ssh 6SA <e)0en +sin0 li.0*r)(t -SA PG8C0enD and si0n?#erif) +sin0 li.0*r)(t None None None
>lowfis4, CAS3-1'8, 6C& 6SA @e)0en 10'&-, 1 /6- , '0&8- , /01'- , and &096.it #ia non-a((ro#ed P6N8$ -SA PG8C0enD, si0n?#erif) 10'&-.it
Additionally, the services listed in Table 6 are available to the user of the module and can be run in a nonApproved form. While operating in a non-Approved mode, all module services are available to all operators with access to the module.
19
GUI Graphical User Interface

Pa0e 33 of /1 2 '01/ Cross.eam S)stems, %n*$ 34is do*+ment ma) .e freel) re(rod+*ed and distri.+ted w4ole and inta*t in*l+din0 t4is *o()ri04t noti*e$
!e.r+ar) 1/, '01/
3.3 User A-+.ance

Users do not have the ability to configure sensitive information on the modules, with the exception of their own passwords. Users must be diligent to pick strong passwords and must not reveal their passwords to anyone. Users should not increase the password duration interval beyond 1 month.
Pa0e 3) of /1
!e.r+ar) 1/, '01/
)
!cronym !C !(S !&$ !NSI !$' C!ST C8C C&8 C%I C':$ CO C$' CS(C CS$ DS! (C8 ('C ('I (SD &I$S &T$ Ab/s AUI D'!C I$S ;!T %D!$ %(D N?! NIST
!cronyms
Table 13 4 !cronyms Def+n+t+on Alternatin0 C+rrent Ad#an*ed 7n*r)(tion Standard Air !low Panel Ameri*an National Standards %nstit+te A((li*ation Pro*essor Mod+le Carlisle Adams Stafford 3a#ares Ci(4er >lo*@ C4ainin0 Ci(4er !eed.a*@ Command ,ine %nterfa*e Cr)(to0ra(4i* Mod+le Validation Pro0ram Cr)(to "ffi*er Control Pro*essor Mod+le Comm+ni*ations Se*+rit) 7sta.lis4ment Canada Criti*al Se*+rit) Parameter -i0ital Si0nat+re Al0orit4m 7le*troni* Code >oo@ 7le*troma0neti* Com(ati.ilit) 7le*troma0neti* %nterferen*e 7le*trostati* -is*4ar0e !ederal %nformation Pro*essin0 Standard !ile 3ransfer Proto*ol 8i0a.its Per Se*ond 8ra(4i*al 5ser %nterfa*e C<e)ed-D Has4 Messa0e A+t4enti*ation Code %ntr+sion Pre#ention S)stem <nown Answer 3est ,i04twei04t -ire*tor) A**ess Proto*ol ,i04t-7mittin0 -iode Not A((li*a.le National %nstit+te of Standards and 3e*4nolo0)
Pa0e 35 of /1
This section describes the acronyms.
!e.r+ar) 1/, '01/
!cronym N$' O&8 OS $;CSE1 $RNA $SS R!DIUS R!' RC) R'ON RNA RS! S&$ SD! SN'$ SSD TD(S US8 :!$ Networ@ Pro*essor Mod+le "+t(+t !eed.a*@ "(eratin0 S)stem
Def+n+t+on
P+.li* <e) Cr)(to0ra(4) Standard F1 Pse+do-6andom N+m.er 8enerator Pro.a.ilisti* Si0nat+re S*4eme 6emote A**ess -ial-%n 5ser Ser#i*e 6andom A**ess Memor) 6onIs Code & 6emote Monitorin0 6andom N+m.er 8enerator 6i#est S4amir and Adleman Small !orm Pl+00a.le Se*+re Has4 Al0orit4m Sim(le Networ@ Mana0ement Proto*ol Se*+re S4ell 3ri(le -ata 7n*r)(tion Standard 5ni#ersal Serial >+s Virt+al A((li*ation Pro*essor
Pa0e 36 of /1
Prepared by: Corsec Security, Inc.
1$1$% &ee 'a#(!on Me"or al )*y5, Su te ++0 ,a rfax, -A ++0$$ Un ted State! of A"er #a Phone: .1 /70$0 +27120%0 3"a l: nfo4#or!e#5#o" http:66***5#or!e#5#o"

Crossdeam X86 X80

Uploaded by

Document Information

Original Description:

Original Title

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

Crossdeam X86 X80

Uploaded by

Copyright:

Available Formats

Crossbeam Systems, Inc.

X60 and X80-S Platforms

!%PS 1&0-' Non-Pro(rietar) Se*+rit) Poli*)

Se*+rit) Poli*), Version 0$1&

!e.r+ar) 1/, '01/

Se*+rit) Poli*), Version 0$1&

!e.r+ar) 1/, '01/

Se*+rit) Poli*), Version 0$1&

!e.r+ar) 1/, '01/

Se*+rit) Poli*), Version 0$1&

!e.r+ar) 1/, '01/

1.3 Doc-ment Or,an+0at+on

Se*+rit) Poli*), Version 0$1&

!e.r+ar) 1/, '01/

X6 an. X" #S $latforms

Se*+rit) Poli*), Version 0$1&

!e.r+ar) 1/, '01/

Backup X80-S or X60 Platform

CP! " #Acti$e%

Public Network / Internet

Se*+rit) Poli*), Version 0$1&

!e.r+ar) 1/, '01/

2.2 'o.-le S/ec+f+cat+on

Se*+rit) Poli*), Version 0$1&

!e.r+ar) 1/, '01/

2.3 'o.-le Interfaces

Se*+rit) Poli*), Version 0$1&

!e.r+ar) 1/, '01/

NPM-96x0 refers to either the NPM-9610 or NPM-9650 blade, or both.

Cross.eam X60 and X80-S Platforms

Se*+rit) Poli*), Version 0$1&

!e.r+ar) 1/, '01/

&+,-re ) 4 N$'#765 8la.e

Cross.eam X60 and X80-S Platforms

Se*+rit) Poli*), Version 0$1&

!e.r+ar) 1/, '01/

&+,-re 5 4 X6 &ront :+e2

Cross.eam X60 and X80-S Platforms

Se*+rit) Poli*), Version 0$1&

!e.r+ar) 1/, '01/

&+,-re 3 4 X" #S &ront :+e2

Cross.eam X60 and X80-S Platforms

Se*+rit) Poli*), Version 0$1&

!e.r+ar) 1/, '01/

Cross.eam X60 and X80-S Platforms

Se*+rit) Poli*), Version 0$1&

!e.r+ar) 1/, '01/

$9ys+cal $ort?Interface Serial

@-ant+ty ' CCPM-9600D

&I$S 1) #2 %o,+cal Interface Control %n(+t Stat+s "+t(+t Stat+s "+t(+t

2.) Roles an. Ser1+ces

Cross.eam X60 and X80-S Platforms

Se*+rit) Poli*), Version 0$1&

!e.r+ar) 1/, '01/

Co(ies t4e start+( *onfi0+ration to a file

s4ow te*4-*ras4 lo*@-*onfi0 *lear alarms

None None None

s4ow i( ss4 *onfi0+re i( ss4

C4an0es t4e (assword for t4e *+rrent +ser

Se*+rit) Poli*), Version 0$1&

!e.r+ar) 1/, '01/

Ser1+ce *onfi0+re +sername

!%PS 1&0-' Non-Pro(rietar) Se+rit) Poli)

Se+rit) Poli), Version 0$1&

Se+rit) Poli), Version 0$1&

Se+rit) Poli), Version 0$1&

Se+rit) Poli), Version 0$1&

Se+rit) Poli), Version 0$1&

Se+rit) Poli), Version 0$1&

Se+rit) Poli), Version 0$1&

Se+rit) Poli), Version 0$1&

Se+rit) Poli), Version 0$1&

Se+rit) Poli), Version 0$1&

Se+rit) Poli), Version 0$1&

Se+rit) Poli), Version 0$1&

Se+rit) Poli), Version 0$1&

Se+rit) Poli), Version 0$1&

Se+rit) Poli), Version 0$1&

s4ow te4-ras4 lo@-onfi0 *lear alarms

Se+rit) Poli), Version 0$1&

Se+rit) Poli), Version 0$1&

Se+rit) Poli), Version 0$1&

Se+rit) Poli), Version 0$1&

>) (ower )le or session termination

Se+rit) Poli), Version 0$1&

Se+rit) Poli), Version 0$1&

Se+rit) Poli), Version 0$1&

Se+rit) Poli), Version 0$1&

Se+rit) Poli), Version 0$1&

Se+rit) Poli), Version 0$1&

Se+rit) Poli), Version 0$1&

Se+rit) Poli), Version 0$1&

Se+rit) Poli), Version 0$1&

Se+rit) Poli), Version 0$1&

Se+rit) Poli), Version 0$1&

Se+rit) Poli), Version 0$1&

Se+rit) Poli), Version 0$1&