manualshive.com logo in svg

Avaya G250-BRI, Руководство пользователя

"Avaya G250-BRI - устройство, обеспечивающее высококачественную передачу данных и голоса. Получите пользовательский мануал с подробными инструкциями по настройке и использованию бесплатно на manualshive.com. Скачайте руководство и ознакомьтесь с функционалом Avaya G250-BRI прямо сейчас!"

Поделиться
Скачать
background image

Avaya G250 and G250-BRI Branch Office Media Gateways w/FIPS Non-Proprietary Security Policy 
Version 1.2                                                                                                          Wednesday, 14 December, 2005 

                 © 2005 Avaya Inc.

  

May be reproduced only in its original entirety [without revision].         Page 11 of 23 

                                                                                                                                                                     CID 106595

Interface 

Qty 

Logical interface definition 

Comments 

6.

 

BRI Ports 

BRI Phone Trunks. 

Data input/output 

2 BRI Trunks (4 ISDN-B Channels) supporting 
ISDN based CO access. 

7.

 

Console  

Control inputs, Status output 

Supports cryptographic module administration. 

8.

 

USB 

Control inputs, Status output, 
Power output 

Supports cryptographic module administration for 
modem dial in connection. Disabled in FIPS 
Approved mode.  

9.

 

Media Module 
Connectors 

Data input, data output, status 
output, control input 

Provide the ability to communicate using, 
Serial/TDM Data, Ethernet, PCI, CPU Device 
Bus, facilitates Power. 

10. AC Power 

Input 

Power Input 

Provides power to the module from an external 
source. 

11. Ground 

Connector 

Ground 

Provides power to the module from an external 
source. 

12. Reset Button 

Control Input 

Resets the device 

13. ASB Button 

Control Input 

When pressed with the reset button, cause the 
device to boot from an alternate firmware image 
bank 

14. System LEDs 

Status Output 

Indicates Power, Modem connection through 
Console interface, CPU activity, and Alarm state. 

15. LEDs on ETH 

WAN 

Status Output 

Link state and activity indication on the 
associated data interface 

16. LEDs on ETH 

LAN 

Status Output 

Link state and activity indication on the 
associated data interface 

Table 4 – G250-BRI Ports and Interfaces 

 
 

4.    Identification and Authentication Policy 

4.1.

 

Assumption of roles 

The definition of all supported roles is shown 

Table 5

 below. 

Role 

Type of 
Authentication 

Authentication Data 

Description 

Cryptographic
-Officer 
(Admin User) 

Identity-based 
operator 
authentication.  

 

Username and Password. The module 
stores user identity information in an 
internal or an external Radius Server 
database. 

The owner of the cryptographic 
module with full access to the 
services of the module.   

User 
(Read/Write 

Identity-based 
operator 

Username and Password. The module 
stores user identity information in an 
internal or an external Radius Server 

An assistant to the Admin User that 
has read/write access to a subset of 

Содержание G250-BRI

Страница 1: ...eproduced only in its original entirety without revision Page 1 of 23 CID 108398 Avaya G250 and G250 BRI Branch Office Media Gateways w FIPS Non Proprietary Security Policy Avaya Inc Revision Date 14 December 2005 Version 1 2 ...

Страница 2: ... 6 3 PORTS AND INTERFACES 8 3 1 G250 PORTS AND INTERFACES 8 3 2 G250 BRI PORTS AND INTERFACES 10 4 IDENTIFICATION AND AUTHENTICATION POLICY 11 4 1 ASSUMPTION OF ROLES 11 4 2 STRENGTHS OF AUTHENTICATION MECHANISMS 12 5 ACCESS CONTROL POLICY 13 5 1 SERVICES 13 5 2 ROLES AND SERVICES 15 5 3 DEFINITION OF CRITICAL SECURITY PARAMETERS CSPS 16 5 4 DEFINITION OF CSPS MODES OF ACCESS 17 6 OPERATIONAL ENVI...

Страница 3: ...be administered from a central location The G250 and G250 BRI share common hardware and firmware compatibility other than that G250 BRI contains additional ISDN B circuitry with 2 ISDN BRI trunks plus 1 Analog trunk versus 4 Analog trunks in G250 The rules in this policy generally apply to all the above devices Exceptions are explicitly rendered by device name otherwise general cryptographic modul...

Страница 4: ...module cryptographic boundary includes all of the components within the physical enclosure of the chassis without any expansion modules plugged in The figure below Figure 2 illustrates G250 BRI cryptographic module Figure 2 G250 BRI Cryptographic module 1 Security Level The module cryptographic module meets the overall requirements applicable to Level 1 security of FIPS 140 2 Security Requirements...

Страница 5: ...umber exchange c AES CBC 128 192 256 bit for IPSec and IKE encryption d SHA 1 for hashing download image digest license file digest e HMAC SHA 1 for message authentication codes for IKE and IPSEC f DES CBC for encryption of IPSec and IKE only supported for communication with legacy systems transitional phase only valid until May 19 2007 g Diffie Hellman key agreement protocol groups 2 5 14 used to...

Страница 6: ... d Avaya Media Encryption AEA for encryption decryption e SSH v2 use of MD5 DH group 786 2048 non compliant TDES non compliant DES in non FIPS mode only commercially available key establishment protocol f HMAC SHA 1 used in non compliant manner in SNMPv3 in non FIPS mode only 2 3 Entering FIPS Mode To enter FIPS mode the Crypto Officer must follow the procedure outlined in the Table 2 below Step D...

Страница 7: ...need to be removed New secret need to be assigned to Radius and PPPoE 21 Activate enhanced security mode 22 Define an Access Control list that block packets with IP destination address of any of the module interfaces for the following protocols TELNET FTP TFTP SNMP Activate the ACL on the inbound direction of all clear text interfaces 23 Configure packet forwarding static routes dynamic routes lea...

Страница 8: ...igure 3 G250 faceplate The G250 cryptographic module provides the physical ports and logical interfaces defined in Table 3 below Interface Qty Logical interface definition Comments 1 ETH LAN POE 8 Data input data output status output control input power outout Supports local area network connectivity 2 ETH WAN 1 Data input data output status output control input Supports wide area network connecti...

Страница 9: ...e administration 7 USB 1 Control inputs Status output Power output Supports cryptographic module administration for modem dial in connection Disabled in FIPS Approved mode 8 Media Module Connectors 2 Data input data output status output control input Provide the ability to communicate using Serial TDM Data Ethernet PCI CPU Device Bus facilitates Power 9 AC Power Input 1 Power Input Provides power ...

Страница 10: ...a input data output status output control input Supports wide area network connectivity 3 CCA 1 Power output Contact Closure Adjunct Powers two contact closure relays 4 Analog Line 2 Analog Phones Line1 Line2 Data input output power output Line 2 ceases to be a data input output from the module and is directly connected to Analog Trunk providing a power interface when an emergency state occurs a P...

Страница 11: ...Control Input Resets the device 13 ASB Button 1 Control Input When pressed with the reset button cause the device to boot from an alternate firmware image bank 14 System LEDs 4 Status Output Indicates Power Modem connection through Console interface CPU activity and Alarm state 15 LEDs on ETH WAN 2 Status Output Link state and activity indication on the associated data interface 16 LEDs on ETH LAN...

Страница 12: ...D5 hash of the packet and the secret An entity authenticates to the module for the purpose of permitting denying access to services PPPoE client Role based operator authentication Chap Pap Secrets Simple password authentication is used for PAP based authentication Gateway use MD5 function to hash the challenge and the secret value in the response message to PPPoE Server An entity that facilitates ...

Страница 13: ...to power cycle via a remote command Read all status indications obtain all statuses securely via IPSEC console port and LEDs on the front panel of a Gateway This service also reports about the status of the bypass capability Bypass status is reported by CLI commands show ip active lists crypto show ip crypto list show crypto ipsec transform set available from the console and remote telnet Read sub...

Страница 14: ...n over an Ethernet link Radius authentication authenticate communication between the module and a primary or secondary Radius server Unauthenticated Services Show status provide the status of the cryptographic module the status is shown using the LEDs on the front panel Constantly lit CPU led indicates normal operation Flashing CPU led indicates operation in error state Self tests execute the suit...

Страница 15: ... Radius Client IKE Peer OSPF Router peer PPPoE client Serial Number Peer Enable FIPS mode X Firmware Update X CSPs Management X X User Management X Module configuration X X Reset X X Read all status indications X Read subset of status indications X X X Module configuration backup X X Module configuration Restore X Zeroization X IKE negotiation X X X X IPSec traffic processing X X X X Serial Number...

Страница 16: ...DH exchange Generated for VPN IKE Phase 1 key establishment IKE Session Phase 1 Secret SKEYID_d Phase 1 key used to derive keying material for IPSec Sas IKE Session Phase 1 HMAC Key SKEYID_a Key used for integrity and authentication of the ISAKMP SA IKE Session Phase 1 Encrypted Key SKEYID_e Shared key used for extraction of encryption keys protecting the ISAKMP SA IKE Session Phase 1 TDES key Key...

Страница 17: ...9 31 PRNG Table 8 CSPs and private keys The following are the public keys contained in the module Key Description Usage IKE Ephemeral DH Phase 1 public keys Generated for VPN IKE Phase 1 key establishment IKE Ephemeral DH Phase 2 public keys Generated for VPN IKE Phase 2 PFS key renewal Image download certificate Avaya root CA RSA public key Used for authentication of software download The Avaya R...

Страница 18: ...tions OSPF routing PPPoE Service Radius Authentication Serial Number Exchange PRNG keys RWZ ZW Z R IKE Pre shared Keys RWZ W Z Z R Pre shared Session Key SKEYID Z Z RW Ephemeral DH private key Z Z RW Ephemeral DH shared secret Z Z RW HASH_I HASH_R Z Z RW IKE session Phase 1 Secret SKEYID_d Z Z RW IKE Phase 1 HMAC Key SKEYID_a Z Z RW IKE Session Phase 1 SKEYID_e Z Z RW IKE Session Phase 1 TDES Z Z ...

Страница 19: ...oot password RW RW R W R R R R R W R OSPF Secret WZ WZ Z Z R Radius Secret WZ WZ Z R PPPoE Chap PAP Secret WZ W Z Z R SNMPv3 authentication password WZ R R WZ R R R R R Z Fixed Serial Number secret W Z R Ephemeral Serial Number secret Z Z RW IKE Ephemeral DH public keys Z Z RW IKE Ephemeral DH Phase 2 public keys Z Z RW Avaya root CA RSA public key RW License RSA public key R RW Table 10 CSP Acces...

Страница 20: ... Software Integrity Test 32 bit CRC verification and Booter Integrity Test 32 bit CRC verification Critical Functions Tests Non Volatile Random Memory NVRAM Integrity test EEPROM Integrity Test 3 The cryptographic module shall perform the Conditional Self Tests Continuous Random Number Generator RNG test performed on all RNGs supporting crypto activities in FIPS Approved mode Done for PRNG x9 31 a...

Страница 21: ...Details Production grade components and production grade enclosure N A N A Table 8 Inspection Testing of Physical Security Mechanisms 9 Mitigation of Other Attacks Policy The FIPS 140 2 Area 11 requirements are not applicable because the cryptographic module has not been designed to mitigate specific attacks outside of the scope of FIPS 140 2 Other Attacks Mitigation Mechanism Specific Limitations...

Страница 22: ...e Adjunct CLI Command Line Interface CNA Converged Network Analyzer DES Data Encryption Standard DH Diffie Hellman DSS Digital Signature Standard FTP File Transfer Protocol HMAC Hash Message Authentication Code IKE Internet Key Exchange IP Internet Protocol ISDN Integrated Services Digital Network LAN Local Area Network KAT Known Answer Test OSPF Open Shortest Path First PFS Perfect Forward Secrec...

Страница 23: ...S Non Proprietary Security Policy Version 1 2 Wednesday 14 December 2005 2005 Avaya Inc May be reproduced only in its original entirety without revision Page 23 of 23 CID 106595 TFTP Trivial File Transfer Protocol USB Universal Serial Bus WAN Wide Area Network ...

Отзывы:

Нет отзывов

Похожие инструкции для G250-BRI

THOMSON TG605s Cli Reference Manual preview
TG605s
Бренд: THOMSON Страницы: 974
XAVI Technologies Corp. X8824r+ User Manual preview
X8824r+
Бренд: XAVI Technologies Corp. Страницы: 51
Pathway connectivity solutions Pathport OCT User Manual preview
Pathport OCT
Бренд: Pathway connectivity solutions Страницы: 14
Pace 5111NV Installation Manual preview
5111NV
Бренд: Pace Страницы: 19
Advantech UNO-410 User Manual preview
UNO-410
Бренд: Advantech Страницы: 66
Sinclair DRY CONTACT GATEWAY SDG-01 User Manual preview
DRY CONTACT GATEWAY SDG-01
Бренд: Sinclair Страницы: 20
NETGEAR CG814W Reference Manual preview
CG814W
Бренд: NETGEAR Страницы: 163
3Com VCX V6000 Manual preview
VCX V6000
Бренд: 3Com Страницы: 24
iSMA CONTROLLI iSMA-B-MG-IP User Manual preview
iSMA-B-MG-IP
Бренд: iSMA CONTROLLI Страницы: 29
NEC MG-SIP Configuration Manual preview
MG-SIP
Бренд: NEC Страницы: 81
Linksys VGA2000 Quick Installation Manual preview
VGA2000
Бренд: Linksys Страницы: 32
3Com OfficeConnect User Manual preview
OfficeConnect
Бренд: 3Com Страницы: 112
NetComm NF5 Setup Manual preview
NF5
Бренд: NetComm Страницы: 7
NetComm HS960 Specifications preview
HS960
Бренд: NetComm Страницы: 4
NetComm NetComm Gateway Series User Manual preview
NetComm Gateway Series
Бренд: NetComm Страницы: 62
NetComm 3G41WT Quick Start Manual preview
3G41WT
Бренд: NetComm Страницы: 12
Multi-Tech RouteFinder RF550VPN User Manual preview
RouteFinder RF550VPN
Бренд: Multi-Tech Страницы: 76
2Wire Intelligent Gateway 1800 User Manual preview
Intelligent Gateway 1800
Бренд: 2Wire Страницы: 148

Бренды по названию

Популярные бренды

Загрузить еще бренды