Installation guide
Motorola WS5100 Wireless Switch and RFS7000 RF Switch Security Target
Page 41 of 85
Audit event records are transmitted to the external audit server over a secure IPSec/IKE
connection.
Reliable time stamps are used for audit records.
6.1.2 Cryptographic Support
The TOE uses cryptographic functions to protect wireless data with the 802.11i protocol, for the SSH
trusted path used for TOE administration, and for the IPSec/IKE trusted channel established between
the TOE and the external authentication, audit and time servers.
The cryptographic module implemented by the TOE complies with FIPS 140-2 requirements at
Security Level 2. The module implements the cryptographic algorithms specified in FCS_CKM.1,
FCS_COP_EXP.2(1) and FCS_COP_EXP.2(2). A key zeroization function implemented by the
module zeroizes all cryptographic keys and critical security parameters (CSPs) by overwriting the
storage area three times with an alternating pattern. All intermediate storage areas for cryptographic
keys and CSPs are zeroized as soon as the key or CSP has been transferred to another location. The
module implements an administrator command for manually entering and outputting cryptographic
keys, including the IPSec/IKE pre-shared keys and the RADIUS authentication key.
The module employs the ANSI X9.31 random number generator, a FIPS 140-2 approved RNG, for
key generation.
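As an added illustration of the zeroization behaviour described above (this is example code, not Motorola's module), the routine below overwrites a key buffer three times with an alternating pattern, verifies the final state by reading it back, and zeroizes the source buffer when a key is moved to another storage area. The pattern sequence 0x55/0xAA/0x00 and the function names are assumptions; the Security Target only states that three alternating-pattern passes are made.

```c
/* Added example (not Motorola's code): three-pass, alternating-pattern
 * zeroization written so the compiler cannot drop the overwrites as dead
 * stores. Pattern values are an assumption; the ST gives none. */
#include <stddef.h>
#include <stdint.h>
#include <string.h>
#include <stdio.h>

static const uint8_t ZERO_PATTERNS[3] = { 0x55, 0xAA, 0x00 };

/* Writing through a volatile pointer keeps the optimizer from eliding
 * a fill whose result is never read by "ordinary" code. */
static void secure_fill(void *buf, size_t len, uint8_t value)
{
    volatile uint8_t *p = (volatile uint8_t *)buf;
    while (len--)
        *p++ = value;
}

/* Zeroize a key/CSP buffer: three overwrite passes, the last leaving zeros.
 * Returns 1 if a read-back verification finds every byte zero, else 0. */
int zeroize_csp(void *buf, size_t len)
{
    size_t i;
    const volatile uint8_t *p = (const volatile uint8_t *)buf;

    if (buf == NULL || len == 0)
        return 0;               /* caller error: nothing to zeroize */

    for (i = 0; i < sizeof ZERO_PATTERNS; i++)
        secure_fill(buf, len, ZERO_PATTERNS[i]);

    /* Verify the final state rather than trusting the last pass blindly. */
    for (i = 0; i < len; i++)
        if (p[i] != 0)
            return 0;
    return 1;
}

/* Move a key between storage areas and zeroize the source, mirroring the
 * ST's "intermediate storage areas are zeroized upon transfer". */
int transfer_key(uint8_t *dst, uint8_t *src, size_t len)
{
    memcpy(dst, src, len);
    return zeroize_csp(src, len);
}

/* Count non-zero bytes; lets a caller inspect a buffer before and after. */
size_t count_nonzero(const uint8_t *buf, size_t len)
{
    size_t n = 0, i;
    for (i = 0; i < len; i++)
        if (buf[i] != 0)
            n++;
    return n;
}

int main(void)
{
    /* Constructed sample: a 16-byte "pre-shared key" sitting in a staging buffer. */
    uint8_t staging[16] = { 0x13, 0x37, 0xC0, 0xDE, 0xAB, 0xCD, 0xEF, 0x01,
                            0x23, 0x45, 0x67, 0x89, 0xFE, 0xDC, 0xBA, 0x98 };
    uint8_t keystore[16] = { 0 };

    printf("before: %zu non-zero bytes in staging\n", count_nonzero(staging, 16));
    if (!transfer_key(keystore, staging, sizeof staging))
        return 1;
    printf("after : %zu non-zero bytes in staging, %zu in keystore\n",
           count_nonzero(staging, 16), count_nonzero(keystore, 16));
    return 0;
}
```

The read-back check matters on real hardware: a plain `memset` at the end of a function is exactly the store a compiler is entitled to remove, and a zeroization claim in a FIPS module is only as good as what is actually left in memory.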
6.1.3 User Data Protection
The TOE protects user data exchanged with authenticated wireless clients using the 802.11i wireless
security protocol, which uses AES-CCM encryption with 128-bit keys. The keys are established
dynamically by the external authentication server during the EAP-TLS, EAP-TTLS or PEAP
authentication phase and are then transferred from the authentication server to the TOE over a
protected IPSec/IKE channel.
The memory locations holding 802.11i and IP network packets processed by the TOE are zeroized
once the packet has been processed.
6.1.4 Identification and Authentication
The TOE keeps a local database of administrator usernames and passwords and uses password-based
authentication for administrators connecting remotely over SSH or locally over a serial console
connection. The TOE can also authenticate administrators against an external RADIUS
authentication server; however, only the internal administrator database is used in the evaluated
configuration. When a pre-defined number of unsuccessful authentication attempts by a remote
administrator has been reached, that administrator account is disabled until it is re-enabled from a
local console connection.
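As an added example of the lockout rule just described (example code, not the switch's own implementation), the functions below keep a small in-memory administrator database, count only remote (SSH) failures toward the lockout, refuse a disabled account even when the correct password is presented, and accept a re-enable request only from the local console path. The threshold of three failures, the record layout, the plaintext password field and all function names are assumptions; the Security Target states only that the number is pre-defined.

```c
/* Added example (not Motorola's code): remote-failure lockout with
 * console-only re-enable. Threshold and layout are assumptions. */
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define MAX_REMOTE_FAILURES 3   /* assumed value of the "pre-defined number" */

enum login_result { LOGIN_OK, LOGIN_BAD_CREDENTIALS, LOGIN_LOCKED, LOGIN_NO_SUCH_USER };
enum login_path   { PATH_REMOTE_SSH, PATH_LOCAL_CONSOLE };

struct admin {
    const char *name;
    const char *password;   /* plaintext only to keep the example short; store a hash in practice */
    unsigned    failures;   /* consecutive remote failures */
    int         locked;     /* 1 = account disabled */
};

/* Constant-time comparison so the check does not leak the mismatch position. */
static int ct_equal(const char *a, const char *b)
{
    size_t la = strlen(a), lb = strlen(b), i;
    unsigned char diff = (unsigned char)(la ^ lb);
    for (i = 0; i < la && i < lb; i++)
        diff |= (unsigned char)(a[i] ^ b[i]);
    return diff == 0;
}

static struct admin *find_admin(struct admin *db, size_t n, const char *name)
{
    size_t i;
    for (i = 0; i < n; i++)
        if (strcmp(db[i].name, name) == 0)
            return &db[i];
    return NULL;
}

enum login_result admin_login(struct admin *db, size_t n, const char *name,
                              const char *password, enum login_path path)
{
    struct admin *a = find_admin(db, n, name);
    if (a == NULL)
        return LOGIN_NO_SUCH_USER;
    if (a->locked)
        return LOGIN_LOCKED;            /* disabled: even the right password is refused */
    if (ct_equal(a->password, password)) {
        a->failures = 0;                /* a success resets the counter */
        return LOGIN_OK;
    }
    /* Only remote failures count toward the lockout, per the ST's wording. */
    if (path == PATH_REMOTE_SSH && ++a->failures >= MAX_REMOTE_FAILURES)
        a->locked = 1;
    return LOGIN_BAD_CREDENTIALS;
}

/* Re-enable is accepted only from the local console. Returns 1 on success. */
int admin_reenable(struct admin *db, size_t n, const char *name, enum login_path path)
{
    struct admin *a = find_admin(db, n, name);
    if (a == NULL || path != PATH_LOCAL_CONSOLE)
        return 0;
    a->locked = 0;
    a->failures = 0;
    return 1;
}

int main(void)
{
    /* Constructed sample database; the password is illustrative only. */
    struct admin db[1] = { { "admin", "correct-horse", 0, 0 } };
    int i;
    for (i = 0; i < MAX_REMOTE_FAILURES; i++)
        admin_login(db, 1, "admin", "guess", PATH_REMOTE_SSH);
    printf("locked after %d remote failures: %s\n", MAX_REMOTE_FAILURES,
           admin_login(db, 1, "admin", "correct-horse", PATH_REMOTE_SSH) == LOGIN_LOCKED ? "yes" : "no");
    admin_reenable(db, 1, "admin", PATH_LOCAL_CONSOLE);
    printf("after console re-enable: %s\n",
           admin_login(db, 1, "admin", "correct-horse", PATH_REMOTE_SSH) == LOGIN_OK ? "ok" : "still locked");
    return 0;
}
```

Two points a reviewer would check against such a design: the lockout decision is made before the password is compared, so a locked account gives an attacker no further oracle; and the re-enable path is tied to the physical console rather than to any credential, which is what makes the recovery step unavailable to a remote attacker who has exhausted the counter.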
The TOE authenticates wireless users using an external RADIUS authentication server that
implements the EAP-TLS, EAP-TTLS and PEAP protocols. The trusted channel between the TOE and