
McAfee Email Gateway
Security Target
longer available. FIPS mode is disabled by reinstalling the appliance, which removes all Key Security
Parameters.
The TOE has two methods for zeroizing keys and CSPs: a complete uninstall and reinstallation of the
TOE and a zeroization function. The zeroization function uses a cleanup routine to remove keys and/or
CSPs stored in RAM. The cleanup routine overwrites the RAM multiple times. This function is also called
prior to uninstalling the MEG.
FCS_RBG_EXT.1
The RBG is the X9.31-compliant Linux kernel Random Number Generator. Currently the TOE uses
version 2.6.27 of the Linux kernel. The TOE uses the Timer Entropy Daemon (TED) as its source of
entropy. TED derives entropy from the difference between the hardware and software clocks: it feeds
the /dev/random device with entropy data (random values) read from timers. It does this by measuring
how much longer or shorter a sleep takes (this fluctuates by a few microseconds). The time for a sleep
jitters because the frequency of the timer clocks changes when they become colder or hotter (and with
a few other parameters). This process produces around 500 bits per second.
The entropy bits are placed into a pool with a maximum size of 4000 bits. If there are insufficient bits in
the pool the call from the RNG is halted until there are a sufficient number of bits for use. This ensures
that there is sufficient entropy for any call made by the RNG to the pool. In addition, the entropy source
has been tested to SP 800-90B tests and was found to be adequate.
When keys are being generated the RNG may be called repeatedly to ensure sufficient random bits are
available, with no loss of entropy (e.g. in the case of AES-256 keys).
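
As an added illustration (not code from the TOE or from the Timer Entropy Daemon), the following Python example measures sleep jitter as described above, scores the samples with the Most Common Value estimator defined in SP 800-90B, and models a 4000-bit pool that makes a caller wait when it runs short. The function and class names, the 100 microsecond sleep interval and the choice of one low-order bit per sample are assumptions.

```python
import math
import time
from collections import Counter

POOL_MAX_BITS = 4000  # pool ceiling stated in the text


def sleep_jitter_ns(n, interval_s=0.0001):
    """Return, for n sleeps, how far each one deviated from the requested time."""
    deltas = []
    for _ in range(n):
        start = time.perf_counter_ns()
        time.sleep(interval_s)
        deltas.append(time.perf_counter_ns() - start - int(interval_s * 1e9))
    return deltas


def low_bits(deltas, bits=1):
    """Keep only the low-order bits of each delta (assumed: 1 bit per sample)."""
    mask = (1 << bits) - 1
    return [d & mask for d in deltas]


def mcv_min_entropy(symbols, z=2.576):
    """SP 800-90B Most Common Value estimate, in bits of min-entropy per symbol."""
    n = len(symbols)
    p_hat = Counter(symbols).most_common(1)[0][1] / n
    p_upper = min(1.0, p_hat + z * math.sqrt(p_hat * (1 - p_hat) / (n - 1)))
    return -math.log2(p_upper)


class EntropyPool:
    """Bounded entropy counter: credits are capped, short draws must wait."""

    def __init__(self):
        self.bits = 0

    def credit(self, bits):
        self.bits = min(POOL_MAX_BITS, self.bits + bits)

    def draw(self, bits):
        if bits > self.bits:
            return False  # caller would block until more entropy arrives
        self.bits -= bits
        return True


if __name__ == "__main__":
    symbols = low_bits(sleep_jitter_ns(2000))
    h = mcv_min_entropy(symbols)
    pool = EntropyPool()
    pool.credit(int(h * len(symbols)))
    print(f"{h:.3f} bits/sample, pool={pool.bits}, AES-256 draw ok={pool.draw(256)}")
```

A constant or strongly biased low-order bit drives the estimate toward 0 bits per sample, which is the condition an entropy assessment of a timer source has to rule out.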
FCS_SSH_EXT.1 SSH
The SSH client is based upon the open source OpenSSH package (portable branch from
www.openssh.org). The appliance maintains the configuration for the SSH client in the ssh-settings
section of network.xml. All attribute settings are configured. The default ciphers are: AES-CBC-128
and AES-CBC-256.
The scp command is used for copying off logs and configuration from the appliance to remote devices.
The open sshd daemon responds to rekey requests from the client as appropriate. The SSH client on the
appliance is configured to rekey after 2^28 (256M) bytes of data. The value can be changed by modifying
the appliance XML configuration.
If an erroneously large packet is received (in excess of 256k), the extraneous data is ignored.
The administrator can change the SSH (ssh client) algorithms by modifying the Ciphers and MAC
attributes in the ssh-settings of network.xml and saving the appliance configuration.
DH group 14 key exchange is the default setting for SSH.
The available data integrity algorithms are hmac-sha1, hmac-sha1-96.