Document toolboxDocument toolbox

Security Guidelines

Owned by Aliaksei Shautsou (Deactivated)
Last updated: Jul 16, 2018 by Poojary Dimple
3 min read

Following are security assumptions to ensure that the TOE is administered in a secure manner after it is delivered:

  • The environment ensures the physical security of the TOE, commensurate with its value and the value of the data that it contains.
  • Administrators are non-hostile, properly trained and trusted to apply all administrator guidance.
  • Administrators will take appropriate measures to prevent unauthorized individuals from accessing the TOE.

Note the following:

  • When you configure a Grid Master and enable a certain, either CC or FIPS, mode in the Grid Master and then configure a Grid member with a different mode than that of the Grid Master, the member automatically takes the same mode as the Grid Master when you add this member to the Grid Master. For example, if the Grid Master is in FIPS mode and the Grid member is CC mode enabled, the Grid member becomes FIPS enabled when you add this member to the Grid.
  • Consider an HA Grid Master with a certain, either CC or FIPS, mode enabled in the active node. When you join a passive node to the HA Grid Master, it automatically takes the same node as the Grid Master in the active node. For example, if FIPS is enabled in the active node, then the  passive node too becomes FIPS enabled when you join it to the HA Grid Master even though it was in CC mode earlier.

  • When the HA pair is enabled, you cannot enable or disable either the CC or FIPS mode on the active or passive nodes.

Infoblox suggests that you do the following for an HA pair:

  • Set either CC or FIPS mode on each node before building an HA pair.
  • Set both the nodes of an HA pair in the same mode, that is either in the CC mode, or FIPS mode, or none.

Installation and Configuration

To ensure the security of the installation and configuration of the TOE:

  • Administrators must install the appliance according to the procedures in the installation guides.
  • The TOE contains an option for upgrading the system. This is available only for security administrators. The security administrator will be able to upgrade to a validated release package only. The security administrator can verify the TOE by the version number included in the file name as well as through the administrative interface before and after the upgrade.
    When upgrading, ensure that the .bin2 file is uploaded, and not the .bin file. Refer to the Release Notes of the NIOS version to which the TOE is upgrading for additional upgrade instructions.
  • Users' access to the TOE is controlled by security mechanisms and unauthorized users are denied access to the TOE. For more information, see Administration.
  • The TOE provides external authentication mechanisms for remote users using SSL with Active Directory. For more information, see Authenticating Admins Using Active Directory.

Secure Delivery of NIOS Virtual Software Package

You can download the NIOS virtual software from the Infoblox Technical Support site. To download the software, you must have a valid login account on the Infoblox Support site. Register your product at https://support.infoblox.com if you do not already have an account. This software package consists of a template file with .ova extension for all the supported NIOS appliance models. Make sure that you download the file with an extension that corresponds to the appliance model number. You can deploy the NIOS virtual appliance from a remote web server or a local file system accessible from your management system. To verify the version of the software that you are running, you can use the show version command.

You can validate the file downloaded from the Infoblox support website using the MD5/SHA256/SHA512 checksum provided on the support portal at https://support.infoblox.com. To verify the checksum, you can execute the md5sum/sha256sum/sha512sum command from the Unix/Linux based system or use Cygwin installed on a Windows machine. In addition, there are paid and freeware versions that you can install and execute from Windows. For a Mac OS, you can use the md5/shasum -a 256/shasum -a 512 command. Infoblox recommends that you use what is appropriate for your environment.
The Infoblox appliance ships with a default user name and password. Change the default admin account password immediately after the system is installed to safeguard its use. Make sure that the NIOS appliance has at least one administrator account with superuser privileges at all times, and keep a record of your account information in a safe place. You can create new administrator accounts, with or without superuser privileges. For more information, see Managing Administrators.
The Common Criteria compliant hardware platform that hosts NIOS virtual is VMware ESXi, either version 5.5 or 6.5, with the following system hardware:

  • HP DL380 G9 host platform
  • Intel Xeon Family processor E5-2680v3 CPU
  • 128GB RAM (8 x HP 752369)