Summary of page 1
                    
                        Polycom, Inc. 
VSX 3000, VSX 5000, and VSX 7000s 
(Firmware version: 8.5.0.2) 
 
 
FIPS 140-2 
Non-Proprietary Security Policy 
 
 
Level 1 Validation 
 
Document Version 1.0 
 
 
Prepared for:
Polycom, Inc.
4750 Willow Road
Pleasanton, CA 94588-2708
Phone: 1.800.POLYCOM
Fax: (925) 924-6100
http://www.polycom.com

Prepared by:
Corsec Security, Inc.
10340 Democracy Lane, Suite 201
Fairfax, VA 22030
Phone: (703) 267-6050
Fax: (703) 267-6810
http://www.corsec.com
 
© 2007 Polycom, Inc. 
                    
Summary of page 2

Non-Proprietary Security Policy, Version 1.0 June 15, 2007

Revision History

Version   Modification Date   Modified By   Description of Changes
1.0       2007-06-15          Xiaoyu Ruan   Release version.

Polycom VSX 3000, VSX 5000, and VSX 7000s Page 2 of 23
© 2007 Polycom, Inc. - This document may be freely reproduced and distributed whole and intact including this Copyright Notice.
                    
Summary of page 3

Table of Contents

0 INTRODUCTION ... 5
0.1 PURPOSE ... 5
0.2 REFERENCES
                    
Summary of page 4

TABLE 4 - MAPPING OF FIPS 140-2 LOGICAL INTERFACES TO VSX 7000E INTERFACES ... 12
TABLE 5 - MAPPING OF FIPS 140-2 LOGICAL INTERFACES TO VSX 7000S INTERFACES ... 13
TABLE 6 - MAPPING OF FIPS 140-2 LOGICAL INTERFACES TO VSX 8000 INTERFACES ... 15
TABLE 7 - MAPPING OF CRYPTO-OFFICER’S SERVICES TO INPUTS, OUTPUTS
                    
Summary of page 5

0 Introduction

0.1 Purpose

This is a non-proprietary Cryptographic Module Security Policy for the VSX 3000, VSX 5000, and VSX 7000s from Polycom, Inc. This Security Policy describes how the VSX 3000, VSX 5000, and VSX 7000s meet the security requirements of FIPS 140-2 and how to run the module in a secure FIPS 140-2 mode. This policy was prepared as part of the Level 1 FIPS 140-2 validation of the module.

FIPS 140-2 (Federa
                    
Summary of page 6

1 VSX 3000, VSX 5000, and VSX 7000s

1.1 Overview

Founded in 1990, Polycom is the only company delivering end-to-end rich media collaborative applications for voice, video, data and the web. Polycom has a wide range of products from desktop and mobile personal systems to room systems to the network core. Polycom’s full range of high-quality voice and video communications endpoints, video management software, web conferencing soft
                    
Summary of page 7

Figure 2 - VSX 5000

The VSX 7000s is another set-top appliance which provides for a mechanical pan, tilt, zoom camera. The VSX 7000s supports H.323 networks with an internal NIC supporting 10/100 Mbps. The VSX 7000 supports a subwoofer into which the optional Network Interface Card is installed to support ISDN, V.35, RS-449 or RS-530 interfaces. The VSX 7000s uses an external microphone array and has an internal audio reproduction system
                    
Summary of page 8

Figure 5 - VSX 8000

Per FIPS PUB 140-2, the VSX 3000, VSX 5000, and VSX 7000s are classified as multi-chip standalone cryptographic modules and validated at the following FIPS 140-2 Section levels:

Table 1 - Security Level Per FIPS 140-2 Section

Section   Section Title                               Level
1         Cryptographic Module Specification          1
2         Cryptographic Module Ports and Interfaces   1
3         Roles, Services, and Authentication         1
4         Finite State Model                          1
5         Phy
                    
Summary of page 9

• LAN connector – For IP calls, VSX Web, and remote management
• Power connector – For power supply
• Power switch for the codec – (one of three)
• VGA connector – For Personal Computer (PC) to use system as a computer monitor and for passing the video image from the VGA input connector to a display device
• LCD Screen – Screen for video conferencing
• IR Sensor – Input from IR sensor
• Speaker – Built-in speaker
• Camera
                    
Summary of page 10

• LAN connector – For IP calls, VSX Web, and remote management
• Conference link connector – For microphone pod, SoundStation VTX 1000, or Visual Concert VSX
• VGA connector – VGA connector for input and passes the video image for monitor or projector
• VCR/DVD inputs – For VCR/DVD to play content into calls
• Power switch – To power up or down the device
• Audio connectors – For main monitor audio, or for external speaker syste
                    
Summary of page 11

FIPS 140-2 Logical Interface   VSX 3000, VSX 5000, and VSX 7000s Port/Interface
Power                          Power connector

The following is the list of ports and interfaces for the VSX 7000e system, and Figure 8 below shows the ports on the module’s back panel.

• Network interface bay – For network interface module (for BRI, PRI, and V.35/RS-449/RS-530 connection)
• VCR/DVD connector – Play VCR/DVD content into calls or record the calls to VCR/DVD
• Au
                    
Summary of page 12

Figure 8 - VSX 7000e Back Panel

Section 1 of the Administrator’s Guide for the VSX Series lists the connection cables required for the VSX 7000e system. The following table maps VSX 7000e interfaces with FIPS 140-2 logical interfaces.

Table 4 - Mapping of FIPS 140-2 Logical Interfaces to VSX 7000e Interfaces

FIPS 140-2 Logical Interface   VSX 3000, VSX 5000, and VSX 7000se Port/Interface
Data Input                     Network interface bay, VCR/DV
                    
Summary of page 13

• LAN connector – For IP calls, VSX Web, and remote management
• Conference link connector – For microphone pod, SoundStation VTX 1000, or Visual Concert VSX
• VGA connector – Output from system for VGA monitor or projector
• VCR/DVD connector – Play VCR/DVD content into calls or record call content
• Power switch
• S-Video connector – Input from camera or output to S-Video monitor
• Audio connector – Output from system
                    
Summary of page 14

• Network interface bay – For network interface module (for BRI, PRI, and V.35/RS-449/RS-530 connection)
• Balanced Audio connector – Input for mixed or powerful microphones or output for external audio equipment
• VCR/DVD connector – Play VCR/DVD content into calls or record the calls to VCR/DVD
• Serial ports – RS-232 port for touch panel, camera control, or other RS-232 device
• Monitor 1Y and C – output for main monitor
                    
Summary of page 15

Figure 10 - VSX 8000 Back Panel

Section 1 of the Administrator’s Guide for the VSX Series lists the connection cables required for the system. The following table maps VSX 8000 interfaces with FIPS 140-2 logical interfaces.

Table 6 - Mapping of FIPS 140-2 Logical Interfaces to VSX 8000 Interfaces

FIPS 140-2 Logical Interface   VSX 3000, VSX 5000, and VSX 7000s Port/Interface
Data Input                     Network interface bay, Balanced Audio conne
                    
Summary of page 16

1.4 Roles and Services

The modules support two authorized roles (as required by FIPS 140-2) that operators may assume: a Crypto-Officer role and a User role.

1.4.1 Crypto-Officer Role

The Crypto-Officer (CO) installs and uninstalls the cryptographic module. Also, the CO is responsible for monitoring and configuring the modules and call settings.

The Crypto-Officer can manage the VSX modules over a Transport Layer Security (TLS) v
                    
Summary of page 17

Service: Secured call on IP network
Description: Placing secured call on IP network via LAN port
Input: Command and calling information
Output: Connection established
CSP and Access Control: Diffie-Hellman key pairs – Read; IP Encryption Key – Read/Write

Service: Secured call on ISDN
Description: Placing secured call on ISDN via BRI/PRI port
Input: Command and calling information
Output: Connection established
CSP and Access Control: Diffie-Hellman key pairs – Read; ISDN Encryption Key – Re
                    
Summary of page 18

Key: X.509 certificate (RSA Public key)
Key Type: 1024 bits RSA public key
Generation / Input: Generated externally, input in plaintext
Output: Output in plaintext
Storage: Stored in Flash in plaintext
Zeroization: Erasing the flash image
Use: Authenticates the module during TLS handshake

Key: RSA Private key
Key Type: 1024 bits RSA private key
Generation / Input: Generated externally, input
Output: Never exits the module
Storage: Stored in Flash in
Zeroization: Erasing the flash
Use: Authenticates the
                    
Summary of page 19

1.7.3 Key Storage

The RSA public/private key pair and Integrity Check Key are stored in the modules’ flash drives in plaintext form. The Session Key, IP Encryption Key, ISDN Encryption Key, DH public/private key pair, and PRNG seed are held in volatile memory in plaintext.

1.7.4 Key Zeroization

The RSA key pair is zeroized by overwriting the flash image. The Session Key, IP Encryption Key, ISDN Encryption Key, Diffie-Hellman (DH
                    
Summary of page 20

2 Secure Operation

The VSX 3000, VSX 5000, and VSX 7000s meet Level 1 requirements for FIPS 140-2. The sections below describe how to place and keep the module in FIPS-approved mode of operation.

2.1 Crypto-Officer Guidance

The Crypto-Officer is responsible for initialization and security-relevant configuration and management of the module through the web management interface, serial port from a non-networked PC, or secure Telnet