Federal Information Processing Standard (FIPS) 140-2
What is it? Why should you care?

AVIAT NETWORKS

SECURITY IS BECOMING A GROWING CONCERN
• The migration from TDM to IP communication networks has drastically increased security risks
• The growing volume, types, and intrinsic value of traffic make it infinitely more interesting to hackers
• New technologies offer hackers an ever-growing number of access points

AN UNSECURED MICROWAVE NETWORK CAN RESULT IN
• Lost data (your customers' and/or your organization's)
• Communications downtime
• Downtime of critical infrastructure

MICROWAVE REQUIRES A MULTI-DIMENSIONAL SECURITY STRATEGY
(Diagram: AAA server; overhead and payload eavesdropping; RF site security; remote access by a hacker, a crypto-officer and the NOC; troubleshooting and investigation; a new employee or contractor)

WHAT IS FIPS?
• Federal Information Processing Standards
• Published by NIST (National Institute of Standards and Technology)
• 2 main standards:
  • CAVP: Cryptographic Algorithm Validation Program (FIPS 197, a.k.a. AES)
  • CMVP: Cryptographic Module Validation Program (FIPS 140-2)
Publicly announced standardizations developed by the United States federal government
The strictest security standards on the market today!

FIPS 197: ADVANCED ENCRYPTION STANDARD (AES)
• THE data encryption standard for federal government networks
• If a federal agency specifies data encryption, then FIPS 197 is mandatory.
• The Advanced Encryption Standard (AES) specifies the algorithm for encrypting and decrypting information
• Uses keys of 128, 192 and 256 bits

FIPS 140-2: SECURITY REQUIREMENTS FOR CRYPTOGRAPHIC MODULES
• Encryption security standard for protecting IT systems that carry sensitive but unclassified information
• Validates both hardware and software
• FIPS 140-2 includes FIPS 197
• 4 levels of increasing physical security and access control
• Includes encryption and secure management and access

WHERE IS FIPS 140-2 NEEDED?
• Mandatory for federal government (if information must be cryptographically protected)
• Critical for any organization wanting the highest level of network security

FIPS 140-2 LEVELS
• FIPS validation can be obtained for a chip, a group of chips, a card, a terminal – and includes all hardware and software
• Validation can be done at 4 different levels (1-4)
  • Level 1: WEAK – No identity-based authentication; anyone can use the common password to turn off security
  • Level 2: STRONG – Mandates identity-based authentication, tamper evidence, etc.
  • Levels 3 and 4: VERY STRONG – Must be pick-resistant and tamper-proof; adds large cost and complexity to the product
Security is a balance between level of protection and cost
FIPS 140-2 Level 2 is the sweet spot for networking equipment

FIPS 140-2: SECURITY REQUIREMENTS FOR CRYPTOGRAPHIC MODULES
Specifies 11 areas related to the secure design and implementation of a cryptographic module:
• Cryptographic module specification
• Cryptographic module ports and interfaces
• Roles, services, and authentication
• Finite state model
• Physical security
• Operational environment
• Cryptographic key management
• Electromagnetic interference/electromagnetic compatibility (EMI/EMC)
• Self-tests
• Design assurance
• Mitigation of other attacks

HOW DOES FIPS 140-2 MAKE NETWORKS MORE SECURE?
• Independent validation by an accredited lab
• Assurance that algorithms are secure
  • Example: the lab can check code submitted by the manufacturer. A well-known glibc library function is fine for general use but not quite random enough for encryption
• Assurance that algorithms were properly implemented
  • Example: the OpenSSL vulnerability based on the SSL heartbeat. That version of OpenSSL was cryptographically secure but not properly implemented
FIPS 140-2 ensures strong security features exist, work and are implemented properly

KEY MICROWAVE SECURITY FEATURES
Should include three complementary security feature sets:
§ Secure Management – Secure access and control over unsecured networks; protects against hacking, accidental or intentional misconfiguration and other network-impacting actions
§ Payload Encryption – Secures all payload and network management data on the airlink; prevents "eavesdropping" and "replay" attacks, for example
§ Integrated RADIUS capability – Enables centralized access control and remote AAA; centralizes management of Eclipse user accounts

WHAT'S REQUIRED FROM MICROWAVE VENDORS
• Advanced security functionality (strong security suite)
• Proven to work and to be implemented properly (FIPS 140-2)

Aviat Networks has achieved FIPS 140-2 Level 2 validation

ECLIPSE FIPS 140-2 VALIDATION
Security Requirements Section          FIPS 140-2 Level
Cryptographic Module Specification     3
Module Ports and Interfaces            2
Roles, Services and Authentication     2
Finite State Model                     2
Physical Security                      2
Operational Environment                N/A
Cryptographic Key Management           2
EMI/EMC                                2
Self-Tests                             2
Design Assurance                       3
Mitigation of Other Attacks            N/A
Aviat achieved Level 3 in two criteria. The minimum level achieved determines the overall validation level.

THE INDUSTRY'S MOST SECURE MICROWAVE RADIO… IS NOW THE ONLY CARRIER-GRADE RADIO WITH FIPS 140-2 LEVEL 2 VALIDATION

WWW.AVIATNETWORKS.COM
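The two assurance points on the "How does FIPS 140-2 make networks more secure?" slide (a sound algorithm fed by a random source that is not cryptographic, and a sound algorithm that is implemented wrongly) are exactly what a module's FIPS 140-2 self-tests and key-generation rules are meant to catch. The following is an added example, not Aviat or NIST code, using only the Python standard library. It runs known-answer tests with the published FIPS 180-4 SHA-256 and RFC 4231 HMAC-SHA-256 vectors the way a module does at power-up, shows that a constructed faulty implementation fails them, and contrasts key material from a seeded general-purpose PRNG (`random.Random`, assumed here to stand in for the glibc function the slide refers to) with the operating system's cryptographic source, including the continuous RNG test that FIPS 140-2 section 4.9.2 requires. All function names are this example's own.

```python
import hashlib
import hmac
import random
import secrets
from typing import Callable, Dict, List, Tuple

# Published known-answer vectors (not constructed): SHA-256 examples from FIPS 180-4
# and HMAC-SHA-256 test case 1 from RFC 4231.
SHA256_KAT: List[Tuple[bytes, str]] = [
    (b"abc", "ba7816bf8f01cfea414140de5dae2223b00361a396177a9cb410ff61f20015ad"),
    (b"", "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855"),
]
HMAC_SHA256_KAT: List[Tuple[bytes, bytes, str]] = [
    (b"\x0b" * 20, b"Hi There",
     "b0344c61d8db38535ca8afceaf0bf12b881dc200c9833da726e9376c2e32cff7"),
]


def sha256_hex(msg: bytes) -> str:
    """Implementation under test: the standard library's SHA-256."""
    return hashlib.sha256(msg).hexdigest()


def hmac_sha256_hex(key: bytes, msg: bytes) -> str:
    """Implementation under test: the standard library's HMAC-SHA-256."""
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


def faulty_sha256_hex(msg: bytes) -> str:
    """Constructed faulty build: the algorithm is still SHA-256, but this implementation
    silently drops the last input byte. Sound algorithm, broken implementation."""
    return hashlib.sha256(msg[:-1]).hexdigest()


def power_up_self_test(
    digest: Callable[[bytes], str] = sha256_hex,
    mac: Callable[[bytes, bytes], str] = hmac_sha256_hex,
) -> Dict[str, bool]:
    """Known-answer tests a module runs before offering any cryptographic service.
    The implementation under test is passed in so a suspect build is checked the same way."""
    return {
        "SHA-256": all(digest(m) == expected for m, expected in SHA256_KAT),
        "HMAC-SHA-256": all(mac(k, m) == expected for k, m, expected in HMAC_SHA256_KAT),
    }


def module_may_operate(results: Dict[str, bool]) -> bool:
    """FIPS 140-2 rule: a single failed self-test puts the module in an error state,
    and it must refuse all cryptographic services until the failure is cleared."""
    return all(results.values())


def key_from_general_prng(seed: int, nbytes: int = 16) -> bytes:
    """Key material from a general-purpose PRNG (Mersenne Twister here; glibc's rand()
    family is the same class). The seed fully determines every output byte, so a
    guessable seed means a guessable key."""
    rng = random.Random(seed)
    return bytes(rng.getrandbits(8) for _ in range(nbytes))


def key_from_csprng(nbytes: int = 16) -> bytes:
    """Key material from the operating system's cryptographic random source."""
    return secrets.token_bytes(nbytes)


def continuous_rng_test(source: Callable[[int], bytes], blocks: int = 8, nbytes: int = 16) -> bool:
    """Conditional test from FIPS 140-2 section 4.9.2: each newly generated block is
    compared with the previous one, and a repeat is treated as an RNG failure."""
    previous = source(nbytes)
    for _ in range(blocks):
        current = source(nbytes)
        if current == previous:
            return False
        previous = current
    return True


if __name__ == "__main__":
    print("power-up KATs:", power_up_self_test())
    print("faulty build KATs:", power_up_self_test(digest=faulty_sha256_hex))
    print("same seed gives same key:", key_from_general_prng(1234) == key_from_general_prng(1234))
    print("CSPRNG passes continuous test:", continuous_rng_test(key_from_csprng))
    print("stuck source passes continuous test:", continuous_rng_test(lambda n: bytes(n)))
```

The known-answer tests are how a validated module refuses a build that has the right algorithm but a wrong implementation, which is the failure class the Heartbleed example on the slide describes; the seeded-PRNG comparison is why a lab rejects a general-purpose library function as a key source even though the encryption algorithm it feeds is fine.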