Federal Information Processing Standard (FIPS) What is it? Why should you care?

Transcription

1 Federal Information Processing Standard (FIPS) What is it? Why should you care?

2 SECURITY IS BECOMING A GROWING CONCERN The migration from TDM to IP communication networks has drastically increased security risks Growing volume, types, and intrinsic value of traffic makes it infinitely more interesting for hackers New technologies offer hackers an ever growing number of access points

3 AN UNSECURED MICROWAVE NETWORK CAN RESULT IN Lost data (your customer s and/or your organization s) Communications downtime Downtime of critical infrastructure

4 MICROWAVE REQUIRES MULTI-DIMENSIONAL SECURITY STRATEGY Remote access AAA Server Overhead Payload RF site security Eavesdropping Remote access Hacker Crypto-officer NOC Troubleshooting, investigation New employee or contractor

5 WHAT IS FIPS? Federal Information Processing Standards Published by NIST (National Institute of Standards and Technology) 2 Main Standards CAVP: Cryptographic Algorithm Validation Program (FIPS 197 a.k.a. AES) CMVP: Cryptographic Module Validation Program (FIPS 140-2) Publicly announced standardizations developed by the United States federal government The strictest security standards on the market today!

6 FIPS 197: ADVANCED ENCRYPTION STANDARD (AES) THE Data Encryption standard for federal government networks If federal agency specifies data encryption, then FIPS 197 is mandatory. Advanced Encryption Standard (AES) specifies algorithm for encrypting and decrypting information Use keys of 128, 192 and 256 bits

7 FIPS 140-2: SECURITY REQ FOR CRYPTOGRAPHIC MODULES Encryption security standard for protecting IT systems that carry sensitive but unclassified information Validates both hardware and software FIPS Includes FIPS Levels of increasing physical security and access control Includes encryption and secure management and access

8 WHERE IS FIPS NEEDED? Mandatory for federal government (if information must be cryptographically protected) Critical for any organization wanting the highest level of network security

9 FIPS LEVELS FIPS validation can be obtained for a chip, a group of chips, a card, a terminal and includes all hardware and software Validation can be done at 4 different levels (1-4) Level 1: WEAK No identity-based authentication, anyone can use the common password to turn off security Level 2: STRONG Mandates identity-based authentication, tamper evidence, etc) Level 3 and 4: VERY STRONG Must be pick-resistant, tamper-proof. Adds large cost and complexity to product to support Security is balance between level of protection and cost FIPS Level 2 is sweet spot for networking equipment

10 FIPS 140-2: SECURITY REQ FOR CRYPTOGRAPHIC MODULES Specifies 11 areas related to the secure design and implementation of a cryptographic module. Cryptographic module specification Cryptographic module ports and interfaces Roles, services, and authentication Finite state model Physical security Operational environment Cryptographic key management Electromagnetic interference/electromagnetic compatibility (EMI/EMC) Self-tests Design assurance Mitigation of other attacks

11 HOW DOES FIPS MAKE NETWORKS MORE SECURE? Independent validation by an accredited lab Assurance that algorithms are secure Example: Lab can check code submitted by manufacturer. Well known code library function Glibc function is OK for general use but not quite random enough for encryption Assurance that algorithms were properly implemented Example: OpenSSL vulnerability based on SSL heartbeat. This version of OpenSSL was cryptographically secure but not properly implemented FIPS Ensures Strong Security Features Exist, Work and Are Implemented Properly

12 KEY MICROWAVE SECURITY FEATURES Should include three complementary security feature sets: Secure Management Secure access & control over unsecured networks; protects against hacking, accidental or intentional misconfiguration and other network-impacting actions Payload Encryption Secures all payload and network management data on airlink; prevents eavesdropping and replay attacks for example Integrated RADIUS capability Enables centralized access control and remote AAA; centralizes management of Eclipse user accounts

13 WHAT S REQUIRED FROM MICROWAVE VENDORS ADVANCED SECURITY FUNCTIONALITY (STRONG SECURITY SUITE) PROVEN TO WORK AND TO BE IMPLEMENTED PROPERLY (FIPS 140-2)

14 Aviat Networks has Achieved FIPS Level 2 Validation

15 ECLIPSE FIPS VALIDATION SECURITY REQUIREMENTS SECTION FIPS LEVEL Cryptographic Module Specification 3 Module Ports and Interfaces 2 Roles, Services and Authentication 2 Finite State Model 2 Physical Security 2 Operational Environment N/A Cryptographic Key Management 2 EMI/EMC 2 Self-Tests 2 Design Assurance 3 Mitigation of Other Attacks N/A AVIAT ACHIEVED LEVEL 3 IN TWO CRITERIA MINIMUM LEVEL ACHIEVED DETERMINES OVERALL VALIDATION LEVEL

16 THE INDUSTRY S MOST SECURE MICROWAVE RADIO IS NOW THE ONLY CARRIER GRADE RADIO WITH FIPS LEVEL 2 VALIDATION

17 W W W. A V I A T N E T W O R K S. C O M