Polycom, Inc. VSX 3000, VSX 5000, and VSX 7000s (Firmware version: 8.5.0.2) FIPS 140-2 Non-Proprietary Security Policy Level 1 Validation Document Version 1.0 Prepared for: Prepared by: Polycom, Inc. 4750 Willow Road Pleasanton, CA 94588-2708 Phone: 1.800.POLYCOM Fax: (925) 924-6100 http://www.polycom.com Corsec Security, Inc. 10340 Democracy Lane, Suite 201 Fairfax, VA 22030 Phone: (703) 267-6050 Fax: (703) 267-6810 http://www.corsec.com © 2007 Polycom, Inc.
Non-Proprietary Security Policy, Version 1.0 June 15, 2007 Revision History Version Modification Date Modified By 1.0 2007-06-15 Xiaoyu Ruan Description of Changes Release version. Page 2 of 23 Polycom VSX 3000, VSX 5000, and VSX 7000s © 2007 Polycom, Inc. - This document may be freely reproduced and distributed whole and intact including this Copyright Notice.
Non-Proprietary Security Policy, Version 1.0 June 15, 2007 Table of Contents 0 INTRODUCTION ...............................................................................................................................................5 0.1 PURPOSE .........................................................................................................................................................5 0.2 REFERENCES ..........................................................................................
Non-Proprietary Security Policy, Version 1.0 June 15, 2007 TABLE 4 - MAPPING OF FIPS 140-2 LOGICAL INTERFACES TO VSX 7000E INTERFACES ..............................................12 TABLE 5 - MAPPING OF FIPS 140-2 LOGICAL INTERFACES TO VSX 7000S INTERFACES ..............................................13 TABLE 6 - MAPPING OF FIPS 140-2 LOGICAL INTERFACES TO VSX 8000 INTERFACES ................................................
Non-Proprietary Security Policy, Version 1.0 June 15, 2007 0 Introduction 0.1 Purpose This is a non-proprietary Cryptographic Module Security Policy for the VSX 3000, VSX 5000, and VSX 7000s from Polycom, Inc.. This Security Policy describes how the VSX 3000, VSX 5000, and VSX 7000s meet the security requirements of FIPS 140-2 and how to run the module in a secure FIPS 140-2 mode. This policy was prepared as part of the Level 1 FIPS 140-2 validation of the module.
Non-Proprietary Security Policy, Version 1.0 June 15, 2007 1 VSX 3000, VSX 5000, and VSX 7000s 1.1 Overview Founded in 1990, Polycom is the only company delivering end-to-end rich media collaborative applications for voice, video, data and the web. Polycom has a wide range of products from desktop and mobile personal systems to room systems to the network core.
Non-Proprietary Security Policy, Version 1.0 June 15, 2007 Figure 2 - VSX 5000 The VSX 7000s is another set-top appliance which provides for a mechanical pan, tilt, zoom camera. The VSX 7000s supports H.323 networks with a internal NIC support 10/100mbps.. The VSX 7000 supports a subwoofer into which the optional Network Interface Card to support ISDN, V.35, RS-499 or RS-530 interfaces. . The VSX 7000s uses an external microphone array and has an internal audio reproduction system.
Non-Proprietary Security Policy, Version 1.
Non-Proprietary Security Policy, Version 1.
Non-Proprietary Security Policy, Version 1.
Non-Proprietary Security Policy, Version 1.0 FIPS 140-2 Logical Interface VSX 3000, VSX 5000, and VSX 7000s Port/Interface Power Power connector June 15, 2007 The following is the list of ports and interfaces for the VSX 7000e system and Figure 8 below shows the ports on module’s back panel. • • • • • • • • • • • • • • Network interface bay – For network interface module (for BRI, PRI, and V.
Non-Proprietary Security Policy, Version 1.0 June 15, 2007 Figure 8 - VSX 7000e Back Panel Section 1 of the Administrator’s Guide for the VSX Series lists the connection cables required for the VSX 7000e system. The following table maps VSX 7000e interfaces with FIPS 140-2 logical interfaces.
Non-Proprietary Security Policy, Version 1.
Non-Proprietary Security Policy, Version 1.0 • • • • • • • • • • • • • • • • • • June 15, 2007 Network interface bay – For network interface module (for BRI, PRI, and V.
Non-Proprietary Security Policy, Version 1.0 June 15, 2007 Figure 10 - VSX 8000 Back Panel Section 1 of the Administrator’s Guide for the VSX Series lists the connection cables required for the system. The following table maps VSX 8000 interfaces with FIPS 140-2 logical interfaces.
Non-Proprietary Security Policy, Version 1.0 June 15, 2007 1.4 Roles and Services The modules support two authorized roles (as required by FIPS 140-2) that operators may assume: a Crypto Officer role and User role. 1.4.1 Crypto-Officer Role The Crypto-Officer (CO) installs and uninstalls the cryptographic module. Also, the CO is responsible for monitoring and configuring the modules and call settings.
Non-Proprietary Security Policy, Version 1.0 June 15, 2007 Service Description Input Output Secured call on IP network Placing secured call on IP network via LAN port Command and calling information Connection established Secured call on ISDN Placing secured call on ISDN via BRI/PRI port Command and calling information Connection established 1.4.
Non-Proprietary Security Policy, Version 1.0 Key x.
Non-Proprietary Security Policy, Version 1.0 1.7.3 June 15, 2007 Key Storage The RSA public/private key pair and Integrity Check Key are stored in the modules’ flash drives in plaintext form. The Session Key, IP Encryption Key, ISDN Encryption Key, DH public/private key pair, and PRNG seed are held in volatile memory in plaintext. 1.7.4 Key Zeroization The RSA key pair is zeroized by overwriting the flash image.
Non-Proprietary Security Policy, Version 1.0 June 15, 2007 2 Secure Operation The VSX 3000, VSX 5000, and VSX 7000s meet Level 1 requirements for FIPS 140-2. The sections below describe how to place and keep the module in FIPS-approved mode of operation. 2.1 Crypto-Officer Guidance The Crypto-Officer is responsible for initialization and security-relevant configuration and management of the module through the web management interface, serial port from a non networked PC, or secure Telnet over TLS.
Non-Proprietary Security Policy, Version 1.0 June 15, 2007 2.2 User Guidance The User does not have the ability to configure sensitive information on the module. They only access the secured communication functionality of the module. Users can find the basic instructions to use the VSX systems in Getting Started Guide for the VSX Series.
Non-Proprietary Security Policy, Version 1.0 June 15, 2007 Table 11 - BRI Network Interface LEDs LED Status Status Description Indicators are off • • • • No power to the system, or The system is not connected to the network, or The system is not receiving a clock signal from the network, or The system is restarting Green indicator is on • The system is receiving a clock signal from the network. Yellow indicator is on • The system is able to make a call.
Non-Proprietary Security Policy, Version 1.