Nortel 4600 Owner's Manual, Page 12


direction. The administrator may use any of the pre-defined Rules or create
custom Rules to be included in each Filter.

• Status Functions: to view the switch configuration, routing tables, and active sessions; use Gets to view Simple Network Management Protocol (SNMP) Management Information Base (MIB) II statistics, usage graphs, health, temperature, memory status, voltage, and packet statistics; and review accounting logs.

• Manage the Switch: to log off users, shut down or reset the switch, disable or enable audible alarms, manually back up switch configurations, restore switch configurations, create a recovery diskette, etc.

A complete description of all the management and configuration capabilities of the Contivity Extranet switch can be found in the Contivity Extranet Switch Administrator's Guide and in the online help for the switch.

2.4.2 User Services

An administrator (who has Manage Users rights) assigns each User a name and a User Group. The User Group defines the access limitations and services that the User may exercise, including access hours, call admission priority, forwarding priority, number of simultaneous logins, maximum password age, minimum password length, whether passwords may contain only alphabetic characters, whether static Internet Protocol (IP) addresses are assigned, idle timeout, forced logoff on timeout, filters, and whether Internetwork Packet Exchange (IPX) is allowed.

The administrator also assigns each User separate User IDs and passwords for the
following services: IPSec, PPTP, L2TP, and L2F tunnels. (A fifth ID and password may
be assigned for Administration of the switch as described in 2.4.1.) The User may then
authenticate as necessary to initiate secure tunnels using any of these services.

• IPSec: Requires authentication through User Name and Password (checked against a Lightweight Directory Access Protocol (LDAP) directory or using AXENT or a SecureID token). This authenticates the User to the switch and is protected using Internet Security Association and Key Management Protocol (ISAKMP). The Switch may be configured to additionally require authentication through RADIUS with a Group Name and Password. Security options for IPSec include using an Encapsulated Security Payload (ESP) with Triple-DES, Data Encryption Standard (DES), or "40-bit DES", and an Authentication Header (AH) with Message Authentication Code Secure Hash Algorithm (HMAC-SHA) or HMAC-MD5. When operating the device in a FIPS 140-1 compliant manner, only the Triple-DES ESP, DES ESP, and HMAC-SHA AH may be enabled.

• PPTP: Requires authentication using the Microsoft Challenge Handshake Authentication Protocol (MS-CHAP), Challenge Handshake Authentication Protocol (CHAP), or Password
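The following is an added example, not Nortel's code, that turns two of the controls described above into a checkable policy: the User Group password rules (minimum length, maximum age, and whether a purely alphabetic password is acceptable), and the FIPS 140-1 restriction that only Triple-DES ESP, DES ESP and HMAC-SHA AH may be enabled for IPSec. The field names, option labels and the reading of "alphabetic only" as an allow/deny flag are assumptions, not the switch's own configuration keys.

```python
"""Policy checks modelled on the Contivity User Group and FIPS-mode rules.

Added example, not Nortel's code. Option labels ("3des", "des40", ...) and the
UserGroup field names are assumed for illustration.
"""
from dataclasses import dataclass, field

ESP_OPTIONS = {"3des", "des", "des40"}   # Triple-DES, DES, "40-bit DES"
AH_OPTIONS = {"hmac-sha", "hmac-md5"}
FIPS_ESP = {"3des", "des"}               # ESP ciphers allowed in FIPS mode
FIPS_AH = {"hmac-sha"}                   # AH algorithms allowed in FIPS mode


@dataclass
class UserGroup:
    min_password_length: int = 8
    max_password_age_days: int = 90
    allow_alphabetic_only: bool = False   # may a password be letters only?


@dataclass
class IpsecOptions:
    esp: set = field(default_factory=set)   # enabled ESP ciphers
    ah: set = field(default_factory=set)    # enabled AH algorithms


def password_problems(password: str, age_days: int, group: UserGroup) -> list:
    """List every User Group rule the given password/age violates (empty = ok)."""
    problems = []
    if len(password) < group.min_password_length:
        problems.append(f"shorter than {group.min_password_length} characters")
    if password.isalpha() and not group.allow_alphabetic_only:
        problems.append("contains only alphabetic characters")
    if age_days > group.max_password_age_days:
        problems.append(f"older than {group.max_password_age_days} days")
    return problems


def fips_violations(opts: IpsecOptions) -> list:
    """List enabled IPSec options that must be disabled for FIPS 140-1 mode."""
    unknown = (opts.esp - ESP_OPTIONS) | (opts.ah - AH_OPTIONS)
    if unknown:  # reject labels the policy does not know rather than pass them
        raise ValueError(f"unknown option(s): {sorted(unknown)}")
    bad = [f"ESP {c}" for c in sorted(opts.esp - FIPS_ESP)]
    bad += [f"AH {a}" for a in sorted(opts.ah - FIPS_AH)]
    return bad


if __name__ == "__main__":
    print(password_problems("letters", 10, UserGroup()))
    print(fips_violations(IpsecOptions({"3des", "des40"}, {"hmac-sha", "hmac-md5"})))
```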

Source document: Contivity Extranet Switch 4600 FIPS 140-1 Non-Proprietary Cryptographic Module Security Policy, Level 2 Validation, June 2001.

