All modules
CMVP Validated Module · FIPS 140-3 Security Policy

NetScaler MPX

Certificate#4830StandardFIPS 140-3Level2TypeHardwareEmbodimentMulti-Chip Stand AloneStatusActiveVendorCloud Software Group
Medium review priority  ·  no TCB surface named  ·  last validated 21 months ago. How this is derived →

Certificate

StandardFIPS 140-3
Overall level2
Module typeHardware
EmbodimentMulti-Chip Stand Alone
StatusActive
Sunset date10/10/2029
CaveatInterim Validation. When installed, initialized and configured as specified in Section 11 of the Security Policy. The tamper-evident seals are installed/applied as indicated in the Security Policy.
VendorCloud Software Group

Approved Algorithms (74)

AlgorithmACVP Cert
AES-CBCA3942
AES-CBCA3943
AES-CBCA3944
AES-CFB128A3942
AES-CTRA3942
AES-GCMA3943
AES-GCMA3944
Counter DRBGA3942
ECDSA KeyGen (FIPS186-4)A3942
ECDSA KeyVer (FIPS186-4)A3942
ECDSA SigGen (FIPS186-4)A3942
ECDSA SigGen (FIPS186-4)A3943
ECDSA SigGen (FIPS186-4)A3944
ECDSA SigVer (FIPS186-4)A3942
ECDSA SigVer (FIPS186-4)A3943
ECDSA SigVer (FIPS186-4)A3944
Hash DRBGA3943
HMAC-SHA-1A3942
HMAC-SHA-1A3943
HMAC-SHA-1A3944
HMAC-SHA2-224A3943
HMAC-SHA2-224A3944
HMAC-SHA2-256A3942
HMAC-SHA2-256A3944
HMAC-SHA2-384A3942
HMAC-SHA2-384A3943
HMAC-SHA2-384A3944
HMAC-SHA2-512A3942
HMAC-SHA2-512A3943
HMAC-SHA2-512A3944
KAS-ECC-SSC Sp800-56Ar3A3942
KAS-ECC-SSC Sp800-56Ar3A3943
KAS-ECC-SSC Sp800-56Ar3A3944
KAS-FFC-SSC Sp800-56Ar3A3942
KDF IKEv1A3942
KDF IKEv2A3942
KDF SNMPA3942
KDF SP800-108A3943
KDF SSHA3942
KDF TLSA3942
KDF TLSA3943
KDF TLSA3944
KTS-IFCA3942
KTS-IFCA3943
PBKDFA3942
RSA KeyGen (FIPS186-4)A3942
RSA SigGen (FIPS186-4)A3942
RSA SigGen (FIPS186-4)A3943
RSA SigGen (FIPS186-4)A3944
RSA SigVer (FIPS186-2)A3943
RSA SigVer (FIPS186-4)A3942
RSA SigVer (FIPS186-4)A3943
RSA SigVer (FIPS186-4)A3944
Safe Primes Key GenerationA3942
Safe Primes Key VerificationA3942
SHA-1A3942
SHA-1A3943
SHA-1A3944
SHA2-224A3943
SHA2-224A3944
SHA2-256A3942
SHA2-256A3943
SHA2-256A3944
SHA2-384A3942
SHA2-384A3943
SHA2-384A3944
SHA2-512A3942
SHA2-512A3943
SHA2-512A3944
SHA3-256A3513
TLS v1.2 KDF RFC7627A3942
TLS v1.2 KDF RFC7627A3943
TLS v1.2 KDF RFC7627A3944
TLS v1.3 KDFA3943

Derived Review-Risk Graph (review prompts, not findings)

flowchart LR
  %% Deterministic review-risk graph for NetScaler MPX
  %% Review prompts and evidence gaps, NOT vulnerability findings.
  subgraph CMVP["CMVP-disclosed clues"]
    C2["[low] Firmware update / recovery<br/>/ rollback (referenced in<br/>text)<br/><i>Firmware load<br/>update</i>"]
    C3["[low] Self-test / status surface<br/>(referenced in text)<br/><i>Self-Test<br/>Status Output</i>"]
    C5["[low] Protocol / secure-channel<br/>references (may be KDF<br/>names, not a live channel)<br/><i>TLS<br/>SSH<br/>IKEV</i>"]
    C6["[low] Operating system / runtime<br/>referenced (boundary<br/>membership not asserted)<br/><i>operating system<br/>application</i>"]
  end
  subgraph Inference["Derived inference"]
    I2["Possible only, trusted<br/>code is reachable through<br/>update and recovery paths."]
    I3["Possible only, some<br/>services may process input<br/>before, or without,<br/>operator authentication."]
    I5["Possible only, a protocol<br/>is referenced, but whether<br/>it is a live channel or<br/>only a KDF/algorithm name<br/>is unconfirmed."]
    I6["Possible only, a<br/>runtime/OS is referenced,<br/>but its membership in the<br/>cryptographic boundary is<br/>not established."]
  end
  subgraph Risk["Reviewer question"]
    R2["Are update images<br/>authenticated before<br/>parsing, and are<br/>downgrade/rollback paths<br/>constrained?"]
    R3["Can unauthenticated<br/>services leak state,<br/>consume resources, or<br/>transition security state?"]
    R5["If a live TLS/SSH/IKE<br/>channel exists, could<br/>library CVEs apply, or is<br/>this only a<br/>KDF/documentation name?"]
    R6["If the OS/runtime is<br/>in-boundary, could its<br/>CVEs be hidden by<br/>firmware-only versioning?"]
  end
  subgraph Evidence["Evidence needed to close"]
    E2["confirm the disclosure<br/>itself (keyword hit,<br/>context unverified) ·<br/>update image format ·<br/>signature-before-parse<br/>proof · anti-rollback /<br/>downgrade policy"]
    E3["confirm the disclosure<br/>itself (keyword hit,<br/>context unverified) ·<br/>pre-auth reachability<br/>matrix · rate limits and<br/>output redaction ·<br/>abuse-case tests"]
    E5["confirm the disclosure<br/>itself (keyword hit,<br/>context unverified) ·<br/>library identity and<br/>version ·<br/>certificate-validation<br/>behaviour · protocol-CVE<br/>disposition"]
    E6["confirm the disclosure<br/>itself (keyword hit,<br/>context unverified) ·<br/>runtime identity and<br/>config · kernel/runtime<br/>hardening profile ·<br/>patch/backport manifest"]
  end
  C2 --> I2 --> R2 --> E2
  C3 --> I3 --> R3 --> E3
  C5 --> I5 --> R5 --> E5
  C6 --> I6 --> R6 --> E6
  classDef clue fill:#eef3f9,stroke:#6f7f91,color:#1f3a5f;
  classDef infer fill:#fff7e6,stroke:#b98500,color:#6b4e00;
  classDef risk fill:#fbe9e9,stroke:#b02a2a,color:#7a1f1f;
  classDef evidence fill:#e6f4ea,stroke:#1e7d34,color:#14532d;
  class C2,C3,C5,C6 clue;
  class I2,I3,I5,I6 infer;
  class R2,R3,R5,R6 risk;
  class E2,E3,E5,E6 evidence;
Underlying clues
flowchart LR
  %% Deterministic clue tier for NetScaler MPX
  %% confidence: high = structured record field; medium = structured but soft; low (dashed) = bare keyword hit, context unverified
  subgraph CMVP["CMVP-disclosed clues (deterministic)"]
    C2["[low] Firmware update / recovery / rollback (referenced in text)<br/><i>Firmware load<br/>update</i><br/>src: text:keyword"]
    C3["[low] Self-test / status surface (referenced in text)<br/><i>Self-Test<br/>Status Output</i><br/>src: text:keyword"]
    C5["[low] Protocol / secure-channel references (may be KDF names, not a live channel)<br/><i>TLS<br/>SSH<br/>IKEV</i><br/>src: text:keyword"]
    C6["[low] Operating system / runtime referenced (boundary membership not asserted)<br/><i>operating system<br/>application</i><br/>src: text:keyword"]
  end
  classDef clueHigh fill:#eef3f9,stroke:#2f6fb0,stroke-width:2px,color:#1f3a5f;
  classDef clueMedium fill:#eef3f9,stroke:#6f7f91,color:#1f3a5f;
  classDef clueLow fill:#f7f7f7,stroke:#999,stroke-dasharray:4 4,color:#444;
  class C2,C3,C5,C6 clueLow;

Security Policy, page by page

Page 1

Cloud Software Group NetScaler MPX Hardware Models: 8900 FIPS, 9100 FIPS, 15000-50G FIPS series Part numbers: 8905 FIPS, 8910 FIPS, 8920 FIPS, 9120 FIPS, 9130 FIPS, 9140 FIPS, 9160 FIPS, 9180 FIPS, 9195 FIPS, 15030-50G FIPS, 15040-50G FIPS, 15060-50G FIPS, 1508050G FIPS, 15100-50G FIPS, 15120-50G FIPS Firmware Version: 13.1.FIPS FIPS Security Level: 2 Document Version: 0.4 Prepared for: Prepared by: Cloud Software Group Corsec Security, Inc.

851 Cypress Creek Road 12600 Fair Lakes Circle, Suite 210

Fort Lauderdale, FL 33309 Fairfax, VA 22033 United States of America United States of America Phone: +1 954 267 3000 Phone: +1 703 267 6050 www.cloud.com www.corsec.com

Page 2

Abstract This is a non-proprietary Cryptographic Module Security Policy for the NetScaler MPX (version: 13.1.FIPS) from Cloud Software Group (Cloud). This Security Policy describes how the NetScaler MPX meets the security requirements of Federal Information Processing Standards (FIPS) Publication 140-3, which details the U.S. and Canadian government requirements for cryptographic modules. More information about the FIPS 140-3 standard and validation program is available on the National Institute of Standards and Technology (NIST) and the Canadian Centre for Cyber Security (CCCS) Cryptographic Module Validation Program (CMVP) website at http://csrc.nist.gov/groups/STM/cmvp. This document also describes how to run the module in a secure Approved mode of operation. This policy was prepared as part of the Level 2 FIPS 140-3 validation of the module. The NetScaler MPX is referred to in this document as NetScaler MPX or the module. References This document deals only with operations and capabilities of the module in the technical terms of a FIPS 140-3 cryptographic module security policy. More information is available on the module from the following sources:

Page 3
Table of Contents
#SectionPage
Page 4

List of Tables NetScaler MPX ©2024 Cloud Software Group

Page 5
List of Figures
ItemPage
Figure 1 – Typical NetScaler MPX Deployment7
Figure 2 – NetScaler MPX 89xx FIPS Front Panel17
Figure 3 – NetScaler MPX 89xx FIPS Rear Panel18
Figure 4 – NetScaler MPX 91xx FIPS Front Panel18
Figure 5 – NetScaler MPX 91xx FIPS Rear Panel18
Figure 6 – NetScaler MPX 15xxx-50G FIPS Front Panel18
Figure 7 – NetScaler MPX 15xxx-50G FIPS Rear Panel19
Figure 8 – Front Cover of the MPX 89xx FIPS46
Figure 9 – Back Panel of the MPX 89xx FIPS47
Figure 10 – Left Side of the MPX 89xx FIPS47
Figure 11 – Right Side of the MPX 89xx FIPS47
Figure 12 – Front Cover of the MPX 91xx FIPS47
Figure 13 – Back Panel of the MPX 91xx FIPS48
Figure 14 – Left Side of the MPX 91xx FIPS48
Figure 15 – Right Side of the MPX 91xx FIPS48
Figure 16 – Front Cover of the MPX 15xxx-50G FIPS48
Figure 17 – Back Panel of the MPX 15xxx-50G FIPS49
Figure 18 – Left Side of the MPX 15xxx-50G FIPS49
Figure 19 – Right Side of the MPX 15xxx-50G FIPS49
Page 6

1. General The Netscaler product line optimizes delivery of applications over the Internet and private networks. It is an Application Delivery Controller (ADC) that performs application-specific traffic analysis to intelligently distribute, optimize, and secure L4-L71 network traffic for web-applications. All these capabilities are combined into a single, integrated appliance for increased productivity, with lower overall total cost of ownership. These hardware-based appliances employ a multi-core processor design and are available in a wide range of appliance configurations, from sub gigabit throughput to 50 Gbps2. Each leverages a fully hardened and secure operating system. These appliances are installed in the data center between the clients and the internal customer network. All client requests and server responses pass through it. The internal customer network hosts all load-balancing and authentication services, such as LDAP 3 , Kerberos, and SAML 4 . The module’s features are enabled, and the configured policies are then applied to incoming and outgoing traffic. Figure 1 is an illustration of a typical deployment.

1 L4-L7 – Layer 4 – Layer 7
2 Gbps – Gigabits per second

LDAP

4 SAML – Security Assurance Markup Language

NetScaler MPX ©2024 Cloud Software Group

Page 7

Client Internet Netscaler Internal Customer Network Authentication Services Server 1 Server 2 Kerberos LDAP Server 3 SAML/DFA/ Oauth/OpenID Figure 1

5 HTTP – Hypertext Transfer Protocol

TCP

7 URL – Uniform Resource Locator

NetScaler MPX ©2024 Cloud Software Group

Page 8

malicious requests. It provides built-in defenses against denial-of-service (DoS) attacks and supports features that protect against legitimate surges in application traffic that would otherwise overwhelm the servers. An available built-in firewall protects web applications from Application Layer attacks, including buffer overflow exploits, SQL8 injection attempts, cross-site scripting attacks, and more. In addition, the firewall provides identity theft protection by securing confidential corporate information and sensitive customer data. • Optimization features – Optimization features offload resource-intensive operations, such as SSL 9 processing, data compression, client keep-alive, TCP buffering, and the caching of static and dynamic content from servers. This improves the performance of the servers in the server farm and therefore speeds up applications. The MPX supports several transparent TCP optimizations, which mitigate problems caused by high latency and congested network links, accelerating the delivery of applications while requiring no configuration changes to clients or servers. The NetScaler MPX hardware platform consists of a Control Plane processing function (providing all configuration and management processing functions) and one to seven Data Plane(s), which provide data packet processing functions. All configuration and management activities are performed at the workstation through the web-based GUI 10 , REST 11 ful Nitro API 12 , and CLI 13 interfaces. The GUI includes a configuration utility for configuring the appliance and a statistical utility called Dashboard. NetScaler MPX is validated at the FIPS 140-3 section levels shown in Table

  1. Table 1 – Security Level per FIPS 140-3 Section ISO/IEC 24759 Section
  2. FIPS 140-3 Section Title Security Level [Number Below]

1 General 2

2 Cryptographic Module Specification 2

3 Cryptographic Module Interfaces 2

4 Roles, Services, and Authentication 3

5 Software/Firmware Security 2

6 Operational Environment N/A

7 Physical Security 2

8 Non-Invasive Security N/A14

9 Sensitive Security Parameter Management 2

10 Self-tests 2

11 Life-Cycle Assurance 2

12 Mitigation of Other Attacks N/A

SQL

9 SSL – Secure Sockets Layer
10 GUI – Graphical User Interface
11 REST – Representational State Transfer
12 API – Application Programming Interface

CLI

14 N/A – Not applicable

NetScaler MPX ©2024 Cloud Software Group

Page 9

2. Cryptographic Module Specification NetScaler MPX is a hardware module with a multiple-chip standalone embodiment.

2.1 Operational Environments

The module was tested and found to be compliant with FIPS 140-3 requirements using the hardware models listed in Table 2. Note that all models within a model family employ the same chassis, ports/interfaces, and memory/storage devices. All models across all families run the same operating system and application firmware. Table 2

8900 FIPS series 8905 FIPS 13.1.FIPS

8910 FIPS 13.1.FIPS

8920 FIPS 13.1.FIPS

9100 FIPS series 9110 FIPS 13.1.FIPS

9120 FIPS 13.1.FIPS

9130 FIPS 13.1.FIPS

9140 FIPS 13.1.FIPS

9160 FIPS 13.1.FIPS

9180 FIPS 13.1.FIPS

9195 FIPS 13.1.FIPS

16 MLE – Medium and Large Enterprise

NetScaler MPX ©2024 Cloud Software Group

Page 10

Model Hardware Firmware Version Distinguishing Features (Part Number and Version) 15060-50G FIPS 13.1.FIPS

2.2 Algorithm Implementations

The module includes the following cryptographic libraries that provide basic cryptographic functionalities and support secure networking protocols:

2.2.1 Netscaler Control Plane Cryptographic Library

Table 3 lists the Approved algorithms implemented in the Netscaler Control Plane Cryptographic Library. Table 3

18 PUB – Publication
19 CBC – Cipher Block Chaining
20 CTR – Counter
21 CFB – Cipher FeedBack

GCM

23 CKG – Cryptographic Key Generation.

NetScaler MPX ©2024 Cloud Software Group

Page 11

CAVP Algorithm and Mode / Method Description / Key Size(s) / Use / Function Certificate17 Standard Key Strengths A3942 CVL24 KDF (IKE25 v1/v2, SSH26, - Key derivation NIST SP 800-135rev1 SNMP27, TLS28 v1.0/v1.1) No parts of the IKE, SSH, SNMP and TLS protocols, other than the KDFs, have been tested by the CAVP and CMVP. A3942 CVL KDF (TLS v1.2) - Key derivation RFC29 5246 RFC 7627 No part of the TLS protocol, other than the KDF, has been tested by the CAVP and CMVP. A3942 DRBG30 Counter-based w/ AES-256 Deterministic random bit NIST SP 800-90Arev1 derivation function generation A3942 ECDSA31 Secret generation modes: P-224, P-256, P-384, P-521 Key pair generation FIPS PUB 186-4 Testing candidates, extra bits - P-224, P-256, P-384, P-521 Public key validation - P-224, P-256, P-384, P-521 Digital signature generation (SHA2-224, SHA2-256, SHA2384, SHA2-512) - P-224, P-256, P-384, P-521 Digital signature verification (SHA-1, SHA2-224, SHA2-256, SHA2-384, SHA2-512) A3942 HMAC32 SHA-1, SHA2-256, SHA2- 112 (minimum) Message authentication FIPS PUB 198-1 384, SHA2-512 The module supports the truncation of HMAC SHA-1 to 96 bits according to NIST SP 800-107rev1. A3942 KAS33 KAS-ECC-SSC with SSH KDF P-224, P-256, P-384, P-521 Key agreement NIST SP 800-56Arev3 NIST SP 800-135rev1 Key establishment methodology Compliant to IG D.F. provides between 112 and 256 bits of Scenario 2, Path 2. encryption strength KAS-ECC-SSC with TLS P-224, P-256, P-384, P-521 Key agreement v1.0/v1.1 KDF Key establishment methodology provides between 112 and 256 bits of encryption strength KAS-FFC-SSC with IKE MODP-2048, MODP-3072, Key agreement v1/v2 KDF MODP-4096, MODP-6144 Key establishment methodology provides between 112 and 176 bits of encryption strength

24 CVL – Component Validation List
25 IKE – Internet Key Exchange
26 SSH – Secure Shell

SNMP

28 TLS – Transport Layer Security
29 RFC – Request for Comments
30 DRBG – Deterministic Random Bit Generator
31 ECDSA – Elliptic Curve Digital Signature Algorithm

HMAC

33 KAS – Key Agreement Scheme

NetScaler MPX ©2024 Cloud Software Group

Page 12

CAVP Algorithm and Mode / Method Description / Key Size(s) / Use / Function Certificate17 Standard Key Strengths KAS-FFC-SSC with SSH KDF MODP-2048, MODP-4096 Key agreement Key establishment methodology provides between 112 and 176 bits of encryption strength KAS-FFC-SSC with TLS ffdhe2048, ffdhe3072, Key agreement v1.0/v1.1 KDF ffdhe4096, ffdhe6144 Key establishment methodology provides between 112 and 176 bits of encryption strength A3942 KAS KAS-ECC-SSC with TLS v1.2 P-224, P-256, P-384, P-521 Key agreement NIST SP 800-56Arev3 KDF RFC34 7627 Key establishment methodology Compliant to IG D.F. provides between 112 and 256 bits of Scenario 2, Path 2. encryption strength KAS-FFC-SSC with TLS v1.2 ffdhe2048, ffdhe3072, Key agreement KDF ffdhe4096, ffdhe6144 Key establishment methodology provides between 112 and 176 bits of encryption strength A3942 KAS-ECC-SSC35 EphemeralUnified P-224, P-256, P-384, P-521 Shared secret computation NIST SP 800-56Arev3 A3942 KAS-FFC-SSC36 dhEphem MODP-2048, MODP-3072, Shared secret computation NIST SP 800-56Arev3 MODP-4096, MODP-6144, ffdhe2048, ffdhe3072, ffdhe4096, ffdhe6144 A3942 KTS-IFC37 rsakpg1-basic KTS-OAEP-basic Key transport NIST SP 800-56Brev2 Compliant to IG D.G. Key establishment methodology provides 112 bits of encryption strength A3942 PBKDF238 Section 5.4, option 1a HMAC SHA-1 Password-based key derivation NIST SP 800-132 A3942 RSA39 Key generation mode: 2048, 3072 Key pair generation FIPS PUB 186-4 B.3.3 2048, 3072 (SHA2-256, SHA2- Digital signature generation 384, SHA2-512) PKCS#1 v1.5 2048, 3072 (SHA-1, SHA2-256, Digital signature verification SHA2-384, SHA2-512) A3942 Safe Primes - MODP-2048, MODP-3072, Key generation NIST SP 800-56Arev3, MODP-4096, MODP-6144, Appendix D ffdhe2048, ffdhe3072, ffdhe4096, ffdhe6144

34 RFC – Request for Comments

35 KAS-ECC-SSC

36 KAS-FFC-SSC

37 KTS-IFC – Key Transport Scheme - Integer Factorization Cryptography

PBKDF2

39 RSA – Rivest Shamir Adleman

NetScaler MPX ©2024 Cloud Software Group

Page 13

CAVP Algorithm and Mode / Method Description / Key Size(s) / Use / Function Certificate17 Standard Key Strengths - MODP-2048, MODP-3072, Key verification MODP-4096, MODP-6144, ffdhe2048, ffdhe3072, ffdhe4096, ffdhe6144 A3942 SHS40 SHA-1, SHA2-256, SHA2- - Message digest FIPS PUB 180-4 384, SHA2-512 The Netscaler Control Plane Cryptographic Library uses PBKDF option 1a for PEM41 key establishment. The PBKDF takes an input salt that is 128 bits in length with a password/passphrase containing at least 8 characters and produces a random value of 256 bits for AES keys. A password length of 8 characters is enforced by the module (see section 11.2.2 Configure the Passphrase Requirements). In addition, the function has an iteration count of 2,048. The underlying pseudorandom function used in this derivation is HMAC SHA-1. The keys derived from these PBKDF functions are only used for storage applications. The vendor affirms the following cryptographic security methods implemented by the Netscaler Control Plane Cryptographic Library:

2.2.2 Netscaler Data Plane Cryptographic Library

Table 5 lists the Approved algorithms implemented in the Netscaler Data Plane Cryptographic Library.

40 SHS – Secure Hash Standard

PEM

42 Per FIPS 140-3 Implementation Guidance 2.4.A, this hashing technique with TLS 1.0/1.1 is allowed in the Approved mode with no security claimed.

NetScaler MPX ©2024 Cloud Software Group

Page 14

Table 5

6.3 method 3.

A3943 CVL KDF (TLS v1.0/1.1) - Key derivation NIST SP 800-56Arev3 No part of TLS protocol, other than the KDF, has been tested by the CAVP and CMVP. A3943 CVL KDF (TLS v1.2) - Key derivation RFC 5246 RFC 7627 No part of the TLS protocol, other than the KDF, has been tested by the CAVP and CMVP. A3943 CVL KDF (TLS v1.3) - Key derivation RFC 8446 No part of TLS protocol, other than the KDF, has been tested by the CAVP and CMVP. A3943 DRBG Hash-based - Deterministic random bit NIST SP 800-90Arev1 generation A3943 ECDSA Secret generation mode: P-224, P-256, P-384, P-521 Key pair generation FIPS PUB 186-4 Testing candidates - P-224, P-256, P-384, P-521 Public key validation - P-224, P-256, P-384, P-521 Digital signature generation (SHA2-224, SHA2-256, SHA2384, SHA2-512) - P-224, P-256, P-384, P-521 Digital signature verification (SHA-1, SHA2-224, SHA2-256, SHA2-384, SHA2-512) A3943 HMAC SHA-1, SHA2-224, SHA2- 112 (minimum) Message authentication FIPS PUB 198-1 256, SHA2-384, SHA2-512 The cryptographic library supports the truncation of HMAC SHA-1 to 96 bits according to NIST SP 800-107rev1. A3943 KAS-ECC-SSC EphemeralUnified P-224, P-256, P-384, P-521 Shared secret computation NIST SP 800-56Arev3 A3943 KBKDF Counter HMAC-SHA2-256 Key derivation NIST SP 800-108

43 This table includes vendor-affirmed algorithms that are approved but CAVP testing is not yet available.

NetScaler MPX ©2024 Cloud Software Group

Page 15

CAVP Algorithm and Mode / Method Description / Key Size(s) / Use / Function Certificate43 Standard Key Strengths A3943 KTS-IFC rsakpg1-basic KTS-OAEP-basic Key transport NIST SP 800-56Brev2 Compliant to IG D.G. Key establishment methodology provides 112 bits of encryption strength A3943 RSA PKCS#1 v1.5 4096 (SHA-1, SHA2-224, SHA2- Digital signature verification FIPS PUB 186-2 256, SHA2-384, SHA2-512) A3943 RSA PKCS#1 v1.5 2048, 3072, 4096 (SHA2-224, Digital signature generation FIPS PUB 186-4 SHA2-256, SHA2-384, SHA2512) 1024, 2048, 3072, 4096 (SHA-1, Digital signature verification SHA2-224, SHA2-256, SHA2384, SHA2-512) A3943 SHS SHA-1, SHA2-224, SHA2- - Message digest FIPS PUB 180-4 256, SHA2-384, SHA2-512 *Not all tested algorithms/modes are used by the module. The vendor affirms the following cryptographic security methods implemented by the Netscaler Data Plane Cryptographic Library:

2.2.3 Intel Hardware Cryptographic Accelerator

Table 6 lists the Approved algorithms implemented in the module’s Intel Communication Chipset 8955 hardware cryptographic accelerator. Random values are provided by the NetScaler Data Plane Cryptographic Library to cryptographic functions requiring it. NetScaler MPX ©2024 Cloud Software Group

Page 16

Table 6

Page 17
2.2.4 NetScaler CPU Jitter Entropy Source

Table 6 lists the Approved algorithms implemented in the module’s CPU Jitter Entropy Source. Table 7

2.3 Cryptographic Boundary

The cryptographic boundary of the module is defined by the enclosure of each NetScaler MPX appliance chassis. This includes all ports, physical interfaces, and removable covers. The NetScaler MPX 89xx FIPS appliance is illustrated in Figure 2 and Figure 3. Figure 2

Page 18

Figure 3 – NetScaler MPX 89xx FIPS Rear Panel The NetScaler MPX 91xx FIPS appliance is illustrated in Figure 4 and Figure

  1. Figure 4 – NetScaler MPX 91xx FIPS Front Panel Figure 5 – NetScaler MPX 91xx FIPS Rear Panel The NetScaler MPX 15xxx-50G FIPS appliance is illustrated in Figure 6 and Figure
  2. Figure 6 – NetScaler MPX 15xxx-50G FIPS Front Panel NetScaler MPX ©2024 Cloud Software Group
Page 19

Figure 7

2.4 Excluded Components

There are no excluded components.

2.5 Modes of Operation

When installed, configured, and operated according to this Security Policy, the module supports the Approved mode of operation only; non-Approved operations are not supported. NetScaler MPX ©2024 Cloud Software Group

Page 20
  1. Cryptographic Module Interfaces FIPS 140-3 defines the following logical interfaces for cryptographic modules: • Data Input • Data Output • Control Input • Control Output • Status Output As a hardware appliance, the module’s physical perimeter includes the physical ports, manual controls, physical indicators, and physical, logical, and electrical characteristics of the device. Each of the module’s physical ports and manual controls maps to one of the defined FIPS 140-3 logical interfaces. A mapping of the interfaces, the host device’s physical interfaces, and the module’s logical interfaces can be found in Table
  2. Table 8 – Ports and Interfaces Physical Port Logical Interface Data That Passes Over Port/Interface 10/100/1000Base-T copper RJ45 Ethernet port Data Input Network traffic (ingress) Data Output Network traffic (egress) Control Input Administrative data; Management data used to remotely manage the appliance independently of the firmware via the Lights-Out Management (LOM) feature Control Output Control information is sent to remote machines supporting LDAP and RADIUS in order for the module to communicate with these machines. Status Output Status information used to remotely monitor the appliance independently of the firmware via the LightsOut Management (LOM) feature LOM Port44 N/A N/A Management Port Control Input Ethernet Management ports used to connect directly to the appliance for CSG ADC administration functions Status Output Ethernet Management ports used to connect directly to the appliance for CSG ADC administration functions 10G SFP+ Ethernet port* Data Input Network traffic (ingress) Data Output Network traffic (egress Control Input Administrative data; Management data used to remotely manage the appliance independently of the firmware via the Lights-Out Management (LOM) feature The LOM Port is disabled by default, the operator shall not enable this port. For more information see section 11.4.4 Additional Administrator Policies and Guidance. NetScaler MPX ©2024 Cloud Software Group
Page 21

Physical Port Logical Interface Data That Passes Over Port/Interface Control Output Control information is sent to remote machines supporting LDAP and RADIUS in order for the module to communicate with these machines. Status Output Status information used to remotely monitor the appliance independently of the firmware via the LightsOut Management (LOM) feature 50G Ethernet port Data Input Network traffic (ingress) Data Output Network traffic (egress) Control Input Administrative data; Management data used to remotely manage the appliance independently of the firmware via the Lights-Out Management (LOM) feature Control Output Control information is sent to remote machines supporting LDAP and RADIUS in order for the module to communicate with these machines. Status Output Status information used to remotely monitor the appliance independently of the firmware via the LightsOut Management (LOM) feature RS-232 serial port Control Input Initial configuration data from a connected computer Status Output Status information sent to a connected computer regarding initial configuration activities LCD Keypad Control Input Initial configuration information from a connected computer; status information (available only on the 89xx FIPS & 15xxx-50G FIPS models) Status Output IP information, system status updates, system information, current selection, or input information Disable Alarm button** Control Input Button used to stop the power alarm from sounding. NMI45 button Control Input Button used (at the request of Technical Support) to initiate a core dump. Power interface Power N/A *1G copper transceivers are supported in 10G slots; 1G fiber transceivers are not supported. **The Disable Alarm button is functional only if a second power supply is installed.

45 NMI – Non-Maskable Interrupt

NetScaler MPX ©2024 Cloud Software Group

Page 22

4. Roles, Services, and Authentication The sections below describe the module’s authorized roles, services, and operator authentication methods.

4.1 Authorized Roles

The module supports a Crypto Officer (CO) that authorized operators can assume. The CO role performs administrative services on the module, such as initialization, configuration, and monitoring of the module. The CO role includes the privileges listed under the read-only, operator, network, and sysadmin command policies. The module also supports the following role(s):

46 IPsec – Internet Protocol Security
48 NTP – Network Time Protocol

NetScaler MPX ©2024 Cloud Software Group

Page 23

Role Service Input Output CO, User Establish IPsec session Command Status output / connection success CO Backup and restore Command / backup files Status output / backup files CO Manage encryption keys Command Status output CO Manage HMAC keys Command Status output CO Configure traffic management Command and parameters Command response / status output CO, User Establish TLS session Command Status output / connection success CO, User Resume TLS session Command Status output / connection success CO Apply data policies Command Status output CO Configure security Command and parameters Command response / status output CO Configure Gateway Command and parameters Command response / status output CO Establish Gateway connection Command and parameters Command response / status output / connection success CO Configure external servers for system, AAA, Command and parameters Command response / status output and Gateway authentication CO Configure SNMPv3 Command and parameters Command response / status output CO SNMPv3 traps None Status output CO Zeroize KEK Command Status output (non-error message on success) CO Zeroize SSH private keys Command Status output (non-error message on success) CO, User Authenticate operators Password or certificate Status output / login success CO Firmware load Command and firmware image Status output / new firmware loaded and version The module supports up to 10 concurrent connections. Operators connect to the module via an SSH connection (using the CLI or REST API) of via a TLS connection (using the Web GUI). Each operator authenticates using a username/password or a certificate associated with the correct protocol in order to set up secure communication channels. Each secure session for simultaneous operators is distinguished and kept separate by unique session information, which is provided by the session protocol and protected by the OS. Each session remains active (logged in) and secured until the operator logs out or is automatically logged out from inactivity (inactivity default is 900 seconds).

4.2 Authentication Methods

The module supports identity-based authentication; operators explicitly assume their role based on the authentication credentials used. Each role determines the functionality available to the operator within the module. Operators authenticate to the module using either:

Page 24

60 seconds) = 6x1010 = 60,000,000,000 bits of data can be transmitted in one minute. The minimum

password is 64 bits (8 bits per character x 8 characters), meaning 9.375x108 passwords can be passed to the module (assuming there is no overhead). This equates to a 1:4,591,650 chance of a random attempt will succeed, or a false acceptance will occur in a one-minute period, which is less than the required probability. Certificate Using conservative estimates and equating a 2048-bit RSA key to a 112-bit symmetric key, the probability for a random attempt to succeed is:

Page 25
4.3 Services

Descriptions of the services available are provided in Table 11 below. As allowed per section 2.4.C of FIPS 140-3 Implementation Guidance, the module provides indicators for the use of Approved services through a combination of an explicit indication (via a global Approved mode indicator) and an implicit indication (via the successful completion of the service). Please note that the keys and Sensitive Security Parameters (SSPs) listed in the table indicate the access rights required using the following notation:

50 NTP – Network Time Protocol

NetScaler MPX ©2024 Cloud Software Group

Page 26

Service Description Approved Security Keys and/or SSPs Roles Access Rights to Keys and/or SSPs Indicator Function(s) Configure Add, edit, delete KDF TLS (Cert. A3942) TLS Extended Master Secret CO TLS Extended Master Secret –W/E Command Line system profiles system profiles AES (Cert. A3942) TLS Ticket Encryption Key TLS Ticket Encryption Key

Page 27

Service Description Approved Security Keys and/or SSPs Roles Access Rights to Keys and/or SSPs Indicator Function(s) Configure SSH Configure SSH CKG (Vendor Affirmed) SSH Private Key CO SSH Private Key

51 PSK – Pre-shared Key

NetScaler MPX ©2024 Cloud Software Group

Page 28

Service Description Approved Security Keys and/or SSPs Roles Access Rights to Keys and/or SSPs Indicator Function(s) Configure Configure TLS; AES (Certs. A3942, A3943) CA54 Public Key CO CA Public Key

52 DNS – Domain Name System
53 GSLB – Global Server Load Balancing
54 CA – Certificate Authority
55 KSK – Key Signing Key

ZSK

57 IV – Initialization Vector

NetScaler MPX ©2024 Cloud Software Group

Page 29

Service Description Approved Security Keys and/or SSPs Roles Access Rights to Keys and/or SSPs Indicator Function(s) Configure Configure DNS None None CO N/A Command Line security security profiles, Interface application firewall profiles and policies, reputation settings, protection features, and content inspection policies Configure Configure AES (Cert. A3942 RDP59 PSK CO RDP PSK

58 AAA – Authentication, Authorization, Accounting
59 RDP – Remote Desktop Protocol
60 LDAP – Lightweight Directory Access Protocol
61 DFA – Delegated Form Authentication

SAML

63 IV – Initialization Vector

NetScaler MPX ©2024 Cloud Software Group

Page 30

Service Description Approved Security Keys and/or SSPs Roles Access Rights to Keys and/or SSPs Indicator Function(s) Configure Configure SNMP AES (Cert. A3942) SNMPv3 Authentication CO SNMPv3 Authentication Passphrase

64 ID – Identifier

66 The operator shall be aware the new firmware version may not be a FIPS validated version.

NetScaler MPX ©2024 Cloud Software Group

Page 31

5. Software/Firmware Security All firmware within the cryptographic boundary is verified using an approved integrity technique implemented within the cryptographic module itself. The module implements a 2048-bit RSA digital signature verification with a SHA-512 hash to ensure the integrity of its firmware components. The module’s pre-operational integrity check is performed automatically at module power-up. This integrity check can also be performed on demand by the module operator by performing a reboot. NetScaler MPX ©2024 Cloud Software Group

Page 32

6. Operational Environment The module employs a limited operational environment. The module does not provide access to a general-purpose operating system (OS). All services provided by the module are provided by the module’s firmware and external interfaces. All firmware upgrades are digitally signed, and a conditional self-test (RSA signature verification) is performed with each upgrade. Therefore, per ISO/IEC 19790:2021 section 7.6.1, requirements for this section are not applicable. NetScaler MPX ©2024 Cloud Software Group

Page 33

7. Physical Security As a multi-chip standalone hardware module, the module includes an enclosure composed of hard, productiongrade, metal components necessary to meet FIPS 140-3 level 2 physical security requirements. The module enclosure completely encloses all of its internal components, and all integrated circuits are coated with commercial standard passivation. The MPX enclosure has removable front and back covers. Each cover is secured with screws and serialized tamperevident seals. Tamper-evident seals are applied at the factory to the modules to protect against unauthorized access to the module. When the module is received, the operator must confirm placement of all tamper-evident seals. Table 12

Page 34

8. Non-Invasive Security This section is not applicable. There are currently no approved non-invasive mitigation techniques references in ISO/IEC 19790:2021 Annex F. NetScaler MPX ©2024 Cloud Software Group

Page 35

9. Sensitive Security Parameter Management

9.1 Keys and SSPs

The module supports the keys and other SSPs listed in Table 13 and Table 14 below. Table 13

67 Zeroization of KEK renders SSP permanently unrecoverable

NetScaler MPX ©2024 Cloud Software Group

Page 36

Key/SSP Strength Security Function and Generation Import / Export Establishment Storage Zeroization Use & Related Name/Type Cert # Keys CA Public Key [RSA public RSA - Imported in - Plaintext on disk No68 TLS certificate (PSP) key] (Cert. A3942) plaintext form via authentication Between 80 local console or in and 150 bits KTS-IFC encrypted form via 1024-bit RSA (Cert. A3942) TLS or SSH session / public keys are [ECDSA public exits the module in used for key] plaintext form signature Between 112 verification only and 256 bits DH Private Key [for SSH KAS-FFC-SSC Generated Never imported; - Plaintext in Reboot; Generation of (CSP) sessions] (Cert. A3943) internally via never exported volatile memory remove power; SSH, TLS, and IKE Between 112 Approved DRBG session shared secrets and 201 bits termination [for TLS sessions] Between 112 and 150 bits [for IKE sessions]

112 bits

DH Public Key [for SSH KAS-FFC-SSC [for the module] [for the module] - Plaintext in Reboot; Generation of (PSP) sessions] (Cert. A3943) Generated Exits the module in volatile memory remove power; SSH, TLS, and IKE Between 112 internally via plaintext form session shared secrets and 201 bits Approved DRBG termination [for TLS [for a peer] sessions] Input in plaintext Between 112 form / and 150 bits Never exits the module [for IKE sessions]

112 bits

ECDH Private Key Between 112 KAS-ECC-SSC Generated Never imported; - Plaintext in Reboot; Generation of (CSP) and 256 bits (Certs. A3942, A3943) internally via never exported volatile memory remove power; SSH and TLS Approved DRBG session shared secrets termination ECDH Public Key Between 112 KAS-ECC-SSC [for the module] [for the module] - Plaintext in Reboot; Generation of (PSP) and 256 bits (Certs. A3942, A3943, Generated Exits the module in volatile memory remove power; SSH and TLS A3944) internally via plaintext form session shared secrets Approved DRBG termination [for a peer] Input in plaintext form / Never exits the module RSA Private Key 112 or 128 RSA Generated Never imported; - Encrypted on disk N/A67 Generation of TLS (CSP) bits (Cert. A3942) internally via never exported (via KEK) shared secrets Approved DRBG RSA Public Key 112 or 128 RSA [for the module] [for the module] - Plaintext in No68 Generation of TLS (PSP) bits (Cert. A3942) Generated Exits the module in volatile memory shared secrets internally via plaintext form KTS-IFC Approved DRBG (Cert. A3942) [for a peer] Input in plaintext form / Never exits the module

68 NetScaler MPX detects modification of Public Security Parameters listed in this table.

NetScaler MPX ©2024 Cloud Software Group

Page 37

Key/SSP Strength Security Function and Generation Import / Export Establishment Storage Zeroization Use & Related Name/Type Cert # Keys SSH Private Key [RSA private RSA Generated Exits the module in - Plaintext on disk CLI command Authentication (CSP) key] (Cert. A3942) internally via encrypted form as during SSH

112 or 128 Approved DRBG part of config session

bits ECDSA backup file negotiation; (Cert. A3942) RBA69 [ECDSA Authentication private key] for LDAP; GSLB Between 112 configuration and 256 bits sync SSH Public Key [RSA public RSA Generated Exits the module in - Plaintext in No68 Authentication (PSP) key] (Cert. A3942) internally via encrypted form as volatile memory during SSH

112 or 128 Approved DRBG part of config session

bits ECDSA backup file negotiation; RBA (Cert. A3942) Authentication [ECDSA public for LDAP; GSLB key] configuration Between 112 sync and 256 bits SSH Session Key Between 128 AES (CBC, CTR modes) - Never imported; Derived internally Plaintext in Reboot; Encryption and AES key (CBC and and 256 bits (Cert. A3942) never exported via SSH KDF volatile memory remove power; decryption of SSH CTR mode) session session packets (CSP) termination SSH Between 160 HMAC - Never imported; Derived internally Plaintext in Reboot; Authentication of Authentication and 512 bits (Cert. A3942) never exported via SSH KDF volatile memory remove power; SSH session Key session packets HMAC key termination (CSP) IKE/IPsec Pre- - - - input in plaintext Derived Plaintext in Reboot; Authentication shared key (PSK) form via local internally via volatile memory remove power; during IKE/IPsec (CSP) console / shared secret session session Exits the module in computation termination negotiation encrypted form as part of config [IKEv1 Only] backup file Derivation of the IKE/IPsec Session Keys and IKE/IPsec Authentication Keys IKE/IPsec Session Between 128 AES Generated Never imported; - Plaintext in Reboot; Encryption and Key and 256 bits (Cert. A3942) internally via IKE never exported volatile memory remove power; decryption of (AES key) KDF session IKE/IPsec session (CSP) termination packets IKE/IPsec Between 160 HMAC Derived internally Never imported; Derived internally Plaintext in Reboot; Authentication of Authentication and 512 bits (Cert. A3943) via IKE KDF never exported via IKE KDF volatile memory remove power; IKE/IPsec session Key session packets (HMAC key) termination (CSP) RDP Session Key 256 bits AES - Never exits the Key Derivation Plaintext in Reboot; Encryption and (CSP) (Cert. A3942) module volatile memory remove power; decryption of session RDP user and termination target information DFA Session Key 256 bits AES - Never exits the Key Derivation Plaintext in Reboot; DFA (CSP) (Cert. A3943) module volatile memory remove power; authentication to session the module termination

69 RBA – Role-based Authentication

NetScaler MPX ©2024 Cloud Software Group

Page 38

Key/SSP Strength Security Function and Generation Import / Export Establishment Storage Zeroization Use & Related Name/Type Cert # Keys TLS Private Key [RSA private RSA Generated Imported in Encrypted on disk N/A67 TLS (CSP) key] (Cert. A3942) internally via plaintext form via (via PEM key) authentication; Between 112 Approved DRBG local console or in and 150 bits ECDSA encrypted form via SAML (Cert. A3942) TLS or SSH session / authentication [ECDSA Exits the module in (RSA only); private key] encrypted form as Between 112 part of config OpenID and 256 bits backup file authentication (RSA only) TLS Session Key [AES key] AES - Never imported; Derived internally Plaintext in Reboot; Encryption and (CSP) 128 or 256 (Certs. A3942, A3943) never exported using the TLS Pre- volatile memory remove power; decryption of TLS bits Master Secret via session session packets AES (GCM mode) TLS KDF termination (Certs. A3942, A3943) [AES GCM key]

128 or 256

bits TLS Between 160 HMAC - Never imported; Derived internally Plaintext in Reboot; Authentication of Authentication and 384 bits (Certs. A3942, A3943) never exported using the TLS Pre- volatile memory remove power; TLS session Key Master Secret via session packets (HMAC key) TLS KDF termination (CSP) TLS Ticket 128 bits AES Generated Imported in - Reboot; Encryption and Encryption Key (Cert. A3943) internally via encrypted form via Plaintext in remove power; decryption of TLS (AES key) Approved DRBG TLS session / Never volatile memory session session tickets (CSP) exits the module termination TLS Ticket 256 bits HMAC Generated Imported in - Computes the Authentication (Certs. A3942, A3943) internally via encrypted form via Plaintext in Reboot; digest of TLS Key Approved DRBG TLS session / Never volatile memory remove power; session tickets (HMAC key) exits the module session (CSP) termination SNMPv3 Privacy 128 bits AES - Never imported; Derived internally Plaintext in Reboot; Encryption and Key (Cert. A3942) never exported via SNMP KDF volatile memory remove power; decryption of (AES key) session SNMPv3 packets (CSP) termination SNMPv3 160 bits HMAC - Never imported; Derived internally Plaintext in Reboot; Authentication of Authentication (Cert. A3942) never exported via SNMP KDF volatile memory remove power SNMPv3 packets Key (HMAC key) (CSP) Public DNS KSK Between 112 RSA Generated Imported in - Plaintext on disk No68 Public DNS ZSK (RSA public key) and 150 bits (Cert. A3942) internally via encrypted form via authentication (PSP) Approved DRBG SSH session / Exits the module in plaintext form as part of config backup file Private DNS KSK Between 112 RSA Generated Imported in - Encrypted on disk N/A67 Public DNS ZSK (RSA private key) and 150 bits (Cert. A3942) internally via encrypted form via (via PEM key) signature (CSP) Approved DRBG SSH session / Exits generation the module in encrypted form as part of config backup file Public DNS ZSK Between 112 RSA Generated Imported in - Plaintext on disk No68 DNS zone (RSA public key) and 150 bits (Cert. A3942) internally via encrypted form via authentication (PSP) Approved DRBG SSH session / Exits the module in plaintext form as part of config backup file NetScaler MPX ©2024 Cloud Software Group

Page 39

Key/SSP Strength Security Function and Generation Import / Export Establishment Storage Zeroization Use & Related Name/Type Cert # Keys Private DNS ZSK Between 112 RSA Generated Imported in - Encrypted on disk N/A67 DNS zone (RSA private key) and 150 bits (Cert. A3942) internally via encrypted form via (via PEM key) signature (CSP) Approved DRBG SSH session / Exits generation the module in encrypted form as part of config backup file *Keys derived from the PBKDF function are only used for storage applications. Table 14

70 The indicators provided by zeroization methods specified in this column are implicit as the normal, non-error, status output of the function performing

71 In compliance with TLS 1.2 GCM Cipher Suites for TLS and Section 8.2.1 of NIST SP 800-38D

NetScaler MPX ©2024 Cloud Software Group

Page 40

Key/SSP Strength Security Function Generation Import/Export Establishment Storage Zeroization70 Use &Related Name/Type and Cert. Number Keys TLS Extended - TLS KDF - Never exits the Derived Plaintext in Reboot; Derivation of Master Secret (Certs. A3942, module internally via volatile remove the TLS (CSP) A3943) TLS KDF memory power; Session Key session and TLS termination Authentication Key Hash DRBG - DRBG - Never exits the - Plaintext in Reboot; Entropy input Entropy (Cert. A3943) module volatile remove power for Hash DRBG (CSP) memory Hash DRBG - DRBG Generated Never exits the - Plaintext in Reboot; Seed material Seed (Cert. A3943) internally via module volatile remove power for Hash DRBG (CSP) Approved DRBG memory Hash DRBG ‘V’ - DRBG Generated Never exits the - Plaintext in Reboot; Internal state Value (Internal (Cert. A3943) internally via module volatile remove power value used state value) Approved DRBG memory with Hash (CSP) DRBG Hash DRBG ‘C’ - DRBG Generated Never exits the - Plaintext in Reboot; Internal state Value (Cert. A3943) internally via module volatile remove power value used (Internal state Approved DRBG memory with Hash value) DRBG (CSP) CTR DRBG - DRBG Generated Never exits the - Plaintext in Reboot; Entropy input Entropy (Cert. A3942) internally via module volatile remove power for CTR DRBG (CSP) CPU Jitter memory Entropy Source CTR DRBG - DRBG Generated Never exits the - Plaintext in Reboot; Seed material Seed (Cert. A3942) internally via module volatile remove power for CTR DRBG (CSP) Approved DRBG memory CTR DRBG ‘V’ - DRBG Generated Never exits the - Plaintext in Reboot; Internal state Value (Cert. A3942) internally via module volatile remove power value used (CSP) Approved DRBG memory with CTR DRBG CTR DRBG - DRBG Generated Never exits the - Plaintext in Reboot; Internal state ‘Key’ Value (Cert. A3942) internally via module volatile remove power value used (AES key) Approved DRBG memory with CTR DRBG (CSP) SNMPv3 - - - Input in plaintext - Encrypted on N/A67 Derivation of Privacy form via local disk (via KEK) the SNMPv3 Passphrase console or in Privacy Key (Alphanumeric encrypted form string) (CSP) via TLS or SSH session / Exits the module in encrypted form as part of config backup file SNMPv3 - - - Input in plaintext - Encrypted on N/A67 Derivation of Authentication form via local disk (via KEK) the SNMPv3 Passphrase console or in Authentication (Alphanumeric encrypted form Key string) (CSP) via TLS or SSH session / Exits the module in encrypted form as part of config backup file LDAP Admin - - - Input in plaintext - Encrypted on N/A67 Used to bind Password form via local disk (via KEK) to the LDAP (Alphanumeric console or in server string) (CSP) encrypted form via TLS or SSH session / Exits the module in encrypted form as part of config backup file NetScaler MPX ©2024 Cloud Software Group

Page 41

Key/SSP Strength Security Function Generation Import/Export Establishment Storage Zeroization70 Use &Related Name/Type and Cert. Number Keys RDP PSK - KBKDF - Input in plaintext - Encrypted on N/A67 (Shared secret) (Cert. A3943) form via local disk (via KEK) Used as input (CSP) console or in to derive RDP encrypted form Session Key via TLS or SSH session / Exits the module in encrypted form as part of config backup file Oauth Client - - - Input in plaintext - Encrypted on N/A67 Oauth and Secret form via local disk (via KEK) Oauth IDP72 (Shared secret) console or in authentication (CSP) encrypted form to the module via TLS or SSH session / Exits the module in encrypted form as part of config backup file DFA Shared - KBKDF - Input in plaintext - Encrypted on N/A67 Used as input Secret (Cert. A3943) form via local disk (via KEK) to derive DFA (CSP) console or in Session Key encrypted form via TLS or SSH session / Exits the module in encrypted form as part of config backup file ZebOS Router - - - Input in plaintext Key Entry Encrypted on N/A67 Router Password form via local disk (via KEK) authentication (Alphanumeric console or in string) (CSP) encrypted form via TLS or SSH session / Exits the module in encrypted form as part of config backup file Cluster - - - Input in plaintext Key Entry Encrypted on N/A67 Used to Password form via local disk (via KEK) connect nodes (Alphanumeric console or in to the cluster string) (CSP) encrypted form coordinator via TLS or SSH session / Exits the module in encrypted form Operator - - - Input in plaintext Key Entry Plaintext in Reboot; Authenticate Password form via TLS or volatile remove power the operator (Alphanumeric SSH session / Exits memory to the module string) (CSP) the module in via an external encrypted form authentication service Firmware Load 2048 bits RSA (Cert. A3942) - Input in plaintext Key Entry Plaintext in Reboot; Used to verify Integrity Key volatile remove power the new (RSA public memory firmware load key) (PSP) All RSA and ECDSA keys at 2048 and 3072-bit modulus size are generated internally by the Netscaler Control Plane Cryptographic Library. All RSA and ECDSA keys at the 4096-bit modulus size are generated outside of the module and input either in plaintext form via local console or encrypted form via a TLS or SSH session.

72 IDP – Identity Provider

NetScaler MPX ©2024 Cloud Software Group

Page 42

AES GCM encryption is used in the context of the TLS 1.2 protocol. The module supports acceptable AES GCM cipher suites from section 3.3.1 of NIST SP 800-52r2 and meets the (key/IV) pair uniqueness requirements from NIST SP 800-38D. The mechanism for IV generation is compliant with RFC 5288 per scenario 1 in FIPS 140-3 IG C.H. The counter portion of the IV is strictly increasing. The nonce explicit part of the IV does not exhaust the maximum number of possible values for a given session key. This condition is implicitly ensured by the design of the TLS protocol, in which the nonce_explicit is denied exhaustion by the control exerted by the protocol’s (and hence also the module’s) management logic (wherein the nonce_explicit is incremented per each TLS record). This management logic also implies that the probability of an exhaustion of all 264 - 1 values of the nonce_explicit for the same TLS session in a realistic time frame is not significant.

9.2 RGB Entropy Sources

The following table specifies the module’s entropy sources. Table 15

Page 43

10. Self-Tests Both pre-operational and conditional self-tests are performed by the module. Pre-operational tests are performed between the time the cryptographic module is powered up and before the module transitions to the operational state. Conditional self-tests are performed by the module during module operation when certain conditions exist. The following sections list the self-tests performed by the module, their expected error status, and the error resolutions.

10.1 Pre-Operational Self-Tests

The module performs the following pre-operational self-test(s):

10.2 Conditional Self-Tests

The module performs the following conditional self-tests:

73 KAT – Known Answer Test

NetScaler MPX ©2024 Cloud Software Group

Page 44
Page 45
10.3 Self-Test Failure Handling

If the module fails the pre-operational integrity test, the module enters a critical error state and logs an error message. In this state, the boot sequence and entire system is halted. The only action available from this state is to reboot the module to trigger the re-execution of the integrity test. The error condition is considered to have been cleared if the module successfully passes the pre-operational integrity test. If the module continues to return to a halted state, the module is considered to be malfunctioning or compromised, and Cloud Customer Support must be contacted. If the module enters the critical error state due to a failure of any of the conditional CASTs, cryptographic operations are halted, and the module inhibits all data output from the module. The module logs an error message and automatically reboots to clear the error state. The CO must contact Cloud Software Group if this error occurs. The successful completion or failure of the pre-operational self-tests and conditional CASTs can be verified by checking the log files.

Page 46

11. Life-Cycle Assurance The sections below describe how to ensure the module is operating in its validated configuration, including the following:

11.1 Secure Installation

The module is shipped to the customer in a non-configured state. The CO is responsible for all initial setup activities, including installing and configuring the module firmware. Prior to the installation, the CO should read the document entries within the Citrix ADC 13.1

11.1.1 Initial Tamper-Evident Seal Inspection

Tamper-evident seals are applied at the factory to the modules to protect against unauthorized access to the module. When the module is received, the operator must confirm placement of all tamper-evident seals. The MPX 89xx FIPS will have a total of four (4) tamper-evident seals installed.

Page 47

Figure 9

Page 48

Figure 13

Page 49

Figure 17

11.1.2 Installation

For detailed guidance regarding the installation of the module, please see the Citrix ADC 13.1

Page 50

ADC licensing overview webpage on Citrix’s online product documentation portal. Once the license files are installed, reboot the module so all licenses are applied.

11.2 Initialization

After the appliance has been setup, the CO is responsible for the general configuration of the module. The Web GUI or CLI can be used for the general configuration of the module. All general configuration must be complete before performing configuration necessary to place the module in a Approved mode of operation. The general configuration requirements and instructions are described in the “Quick Start Installation and Configuration” section of the Citrix ADC Deployment Guide found on Citrix’s online product documentation portal.

11.2.1 Approved Mode Configuration and Status

The CO is responsible for the security-relevant configuration of the module. To initialize the module for Approved mode of operation, the CO must:

11.2.2 Configure the Passphrase Requirements

Passphrases are used to derive keys using PBKDF. The CO must configure strong passphrase requirements. This is accomplished with the following steps from the Web GUI:

  1. In the Configuration navigation pane, go to System and click the Settings node.
  2. In the Settings section, click the Change Global System Settings link.
  3. In the Strong Password field, select Enable All.
  4. In the Min Password Length field, type “8”.
  5. Click OK.
11.2.3 Replace the Default TLS Certificate

By default, the module includes a factory-provisioned RSA certificate for TLS connections (ns-server.cert and ns-server.key). This certificate is not intended for use in production deployments and must be replaced. The CO must replace the default certificate with a newly-generated certificate after the initial installation. To replace the default TLS certificate, the CO must follow these steps:

  1. Run the following CLI command to set the hostname of the module: set ns hostName [hostname]
  2. From the Web GUI, complete the following procedure to create a Certificate Signing Request (CSR): • In the Configuration navigation pane, go to Traffic Management and click the SSL node. NetScaler MPX ©2024 Cloud Software Group
Page 51

• In the SSL Certificates section, click the Create Certificate Request link. • Make sure to provide values for all the required fields marked with an “*” and then click Create. Note that the Common Name field will contain the value of hostname created in step 1 above.

  1. Submit the CSR file to a trusted CA. The CSR file is available in the /nsconfig/ssl directory.
  2. After receiving the certificate from the trusted CA, copy the file to the /nsconfig/ssl directory.
  3. From the Web GUI, navigate to Traffic Management > SSL and choose ns-server-certificate.
  4. Click Update.
  5. In the Certificate File Name field, choose the certificate file that was received from the CA. Use the Browse option to choose the file that you have received from CA after signing. Choose the Browse > Local option if the file is saved on your workstation/local drive.
  6. In the Private Key File Name field, specify the default private key file name (ns-server.key).
  7. Select the No Domain Check option.
  8. Click OK. For more information, please refer to the Citrix Support Knowledge Center article CTX122521) on Citrix’s online product documentation portal.
11.2.4 Disable HTTP Access to the Web GUI

The CO protects traffic to the administrative interface and Web GUI, by configuring the module to use HTTPS74. Once the module has been configured to use new TLS and SSH certificates, disable HTTP access to the GUI management interface with the following CLI command: set ns ip <NSIP> -gui SECUREONLY

11.2.5 Disable Local Authentication

The nsroot account is a default account with root CLI access (superuser) privileges that is required for initial configuration. During initial configuration, the CO shall disable local system authentication to block access to all local accounts (including the nsroot account), and the CO must ensure that superuser privileges are not assigned to any user account. To disable local system authentication and enable external system authentication, the CO must run the following CLI command: set system parameter -localauth disabled

11.2.6 Enable External Authentication

Once the module is configured in Approved mode and the nsroot account is disabled, then external authentication must be configured. Follow the instructions on the Citrix ADC 13.1

74 HTTPS – Hypertext Transfer Protocol Secure

NetScaler MPX ©2024 Cloud Software Group

Page 52
11.3 Startup

No additional startup steps are required to be performed by end-users.

11.4 Administrator Guidance

Once installed and configured, the Crypto Officer is responsible for maintaining and monitoring the status of the module to ensure that it is running in its Approved mode. Please refer to this section for guidance that the Crypto Officer must follow to ensure that the module is operating in a Approved manner.

11.4.1 On-Demand Self-Tests

Although pre-operational self-tests are performed automatically during module power up, they can also be manually launched on demand. Self-tests can be executed by:

11.4.2 Zeroization

There are many CSPs within the module’s cryptographic boundary including symmetric keys, private keys, public keys, and passphrases. CSPs reside in multiple storage media including the RAM and system memory. All ephemeral keys are zeroized on module reboot, power removal, or session termination. The KEK is stored as plaintext in non-volatile memory. Zeroizing the KEK renders all passphrases and passwords stored in the non-volatile memory unrecoverable, effectively zeroizing them. The KEK is zeroized via the following CLI command: rm system csps -type KEK SSH private keys are stored as plaintext in non-volatile memory. SSH private keys are zeroized via the following CLI command: rm system csps -type SSH_HOST_KEYS The output (indicator) of both zeroization commands above is successful return from the command line without any error showing on the console. If the commands fails, an error will show on the console before returning control to the user. After the module’s integrity test is complete the firmware clears out all values when the signature verification operation is complete (zeroizes temporary values used in the integrity test). NetScaler MPX ©2024 Cloud Software Group

Page 53
11.4.3 Status and Versioning Information

The CO shall be responsible for regularly monitoring the module’s status for the Approved mode of operation. When configured according to the CO’s guidance, the module only operates in the Approved mode. Thus, the current status of the module when operational is always in the Approved mode. An operator can view the versioning information by:

11.4.4 Additional Administrator Policies and Guidance

This section notes additional policies below that must be followed by COs:

75 ID – Identifier

NetScaler MPX ©2024 Cloud Software Group

Page 54
11.5 Non-Administrator Guidance

Operators with the User role do not have the ability to configure sensitive information on the module. They must be diligent to select strong passwords and must not reveal their password to anyone. Additionally, they must be careful to protect any secret or private keys in their possession. NetScaler MPX ©2024 Cloud Software Group

Page 55

12. Mitigation of Other Attacks The module does not claim to mitigate any attacks beyond the FIPS 140-3 Level 2 requirements for this validation. Therefore, per ISO/IEC 19790:2021 section 7.12, requirements for this section are not applicable. NetScaler MPX ©2024 Cloud Software Group

Page 56

Appendix A. Acronyms and Abbreviations Table 16 provides definitions for the acronyms and abbreviations used in this document. Table 16

Page 57

Term Definition FFC Finite Field Cryptography FIPS Federal Information Processing Standard GCM Galois/Counter Mode GSLB Global Server Load Balancing GMAC Galois Message Authentication Code GPC General-Purpose Computer GUI Graphical User Interface HMAC (keyed-) Hash Message Authentication Code HTML Hypertext Markup Language HTTP Hypertext Transfer Protocol IKE Internet Key Exchange KAS Key Agreement Scheme KAS-SSC Key Agreement Scheme-Shared Secret Computation KAT Known Answer Test KDF Key Derivation Function KEK Key Encryption Key KTS Key Transport Scheme KW Key Wrap KWP Key Wrap with Padding LDAP Lightweight Directory Access Protocol LOM Lights Out Management MD5 Message Digest 5 MLE Medium and Large Enterprise MODP Modular Exponentiation NDRNG Non-Deterministic Random Number Generator NIST National Institute of Standards and Technology NTP Network Time Protocol OID Object Identifier OS Operating System PBKDF Password Based Key Derivation Function PCT Pairwise Consistency Test PEM Privacy-Enhanced Mail PKCS Public Key Cryptography Standard PSK Pre-shared Key PSS Probabilistic Signature Scheme PUB Publication NetScaler MPX ©2024 Cloud Software Group

Page 58

Term Definition RBA Role Based Authentication RDP Remote Desktop Protocol REST Representational State Transfer RNG Random Number Generator RSA Rivest, Shamir, and Adleman SAML Security Assurance Markup Language SHA Secure Hash Algorithm SME Small and Medium Enterprise SHS Secure Hash Standard SNMP Simple Network Management Protocol SP Special Publication SQL Structured Query Language SSL Secure Sockets Layer TCP Transmission Control Protocol TGS Ticket Granting Service TLS Transport Layer Security UDP User Datagram Protocol URL Uniform Resource Locator XML eXtensible Markup Language NetScaler MPX ©2024 Cloud Software Group

Page 59

Prepared by: Corsec Security, Inc.

12600 Fair Lakes Circle, Suite 210

Fairfax, VA 22033 United States of America Phone: +1 703 267 6050 Email: info@corsec.com http://www.corsec.com