2 secure operation, 1 crypto-officer guidance – Polycom VSX 3000 User Manual

Non-Proprietary Security Policy, Version 1.0

June 15, 2007

Polycom VSX 3000, VSX 5000, and VSX 7000s

© 2007 Polycom, Inc. This document may be freely reproduced and distributed whole and intact including this Copyright Notice.

2 Secure Operation

The VSX 3000, VSX 5000, and VSX 7000s meet Level 1 requirements for FIPS 140-2. The sections below describe
how to place and keep the module in FIPS-approved mode of operation.

2.1 Crypto-Officer Guidance

The Crypto-Officer is responsible for initialization and for security-relevant configuration and management of the
module through the web management interface, the serial port from a non-networked PC, or secure Telnet over TLS.
Please see Polycom’s Administrator’s Guide for the VSX Series for more information on setting up, configuring, and
maintaining the modules.

2.1.1 Initialization

The Crypto-Officer is responsible for putting the modules in FIPS mode of operation by enabling the system to
automatically encrypt calls. AES encryption is a standard feature on all VSX systems. The system is shipped
in Non-Secure Mode by default. To put the modules in FIPS mode of operation, the Crypto-Officer must:

o Go to System > Admin Settings > System Security

o Select Secure Mode

o Selecting the Secure mode will result in a system reset

o The change of mode from Non-Secure mode to secure mode shall initiate Crypto-Officer password change request

2.1.2 Management

The system behaves as follows in FIPS mode of operation:

o Default password (System Serial number) or Dummy password (No password), is not allowed for 'admin' login in the secured mode.

o Only https over TLS, secure telnet, and secure FTP connections are allowed in the secured mode. The standard http connections with no security will not be allowed.

o Media encryption during a call (H.323/H.320) will always be set to ON (AES-Encryption ON)

The following table details the port number to be used for secure applications, telnet, FTP, and https over TLS.

Application                        Port Number
TLS Telnet Debug Port              992
TLS Telnet API Port                993
TLS FTP for control Connection     990
TLS FTP for data Connection        989
TLS http                           443

The Crypto-Officer is able to monitor and configure the module via the web interface (https over TLS), serial port,
or via secure telnet (Telnet over TLS). Detailed instructions to monitor and troubleshoot the systems are provided in
the Administrator’s Guide for the VSX Series.
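
A Crypto-Officer can confirm from the network side that a unit placed in Secure Mode behaves as listed above. The script below is an added example, not part of the Polycom policy or tooling: it attempts a TLS handshake on each port in the table and reports any reachable cleartext port. The cleartext port numbers (80, 23, 21) and the treatment of port 989 as in use only during a transfer are assumptions that do not come from this document.

```python
import socket
import ssl
import sys

# Secure-mode port table from section 2.1.2 of the policy.
TLS_PORTS = {992: "TLS Telnet Debug", 993: "TLS Telnet API",
             990: "TLS FTP control", 989: "TLS FTP data", 443: "TLS http"}
# Assumption (not on the page): well-known cleartext ports for these services.
CLEARTEXT_PORTS = {80: "http", 23: "telnet", 21: "ftp"}
# Assumption: the FTP data port is only in use while a transfer is running.
ON_DEMAND = {989}


def probe_port(host, port, timeout=3.0):
    """Return 'closed', 'tls' or 'open-no-handshake' for one TCP port."""
    try:
        sock = socket.create_connection((host, port), timeout=timeout)
    except OSError:
        return "closed"  # refused, filtered or timed out
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False       # this check only asks "is TLS spoken?";
    ctx.verify_mode = ssl.CERT_NONE  # certificate trust is audited separately
    try:
        with ctx.wrap_socket(sock):
            return "tls"
    except OSError:
        # Also raised when this client refuses the protocol versions or
        # ciphers the device offers, so confirm such findings by hand.
        return "open-no-handshake"
    finally:
        sock.close()


def audit(host, probe=probe_port):
    """Return a list of deviations from the secure-mode behaviour."""
    findings = []
    for port, name in TLS_PORTS.items():
        state = probe(host, port)
        if state == "open-no-handshake":
            findings.append(f"{port} ({name}): open, TLS handshake failed")
        elif state == "closed" and port not in ON_DEMAND:
            findings.append(f"{port} ({name}): secure service unreachable")
    for port, name in CLEARTEXT_PORTS.items():
        if probe(host, port) != "closed":
            findings.append(f"{port} ({name}): cleartext port reachable")
    return findings


if __name__ == "__main__" and len(sys.argv) == 2:
    print("\n".join(audit(sys.argv[1])) or "no deviations found")
```

Run it with the unit's address as the only argument; an empty result means every listed TLS port completed a handshake and no assumed cleartext port answered.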

Software upgrade is not allowed in FIPS mode of Operation.