Avaya G250 and G250-BRI Branch Office Media Gateways w/FIPS Non-Proprietary Security Policy
Version 1.2 Wednesday, 14 December, 2005
© 2005 Avaya Inc.
May be reproduced only in its original entirety [without revision]. Page 7 of 23
CID 106595
#   Step Description
9.  Disable Signaling Encryption (H.248).
10. Disable Avaya Media Encryption (SRTP, AEA, RTP/AES).
11. Disable modem interfaces (USB, Console); disable Modem Dial Backup.
12. Disable the recovery password mechanism.
13. Disable the SSH service.
14. Disable the Chatter Test Plug application.
15. Disable the Survivability Application. This applies to the G250 only; the G250-BRI does not support Survivability.
16. Configure other module configuration parameters: VoIP, media, L2 switching, E1/T1.
17. Determine which interfaces will be used for clear-text data and which for encrypted data.
18. Configure additional interfaces, including the IP addresses of the interfaces.
19. Change the password of the default Crypto-Officer. Define additional operators for the Crypto-Officer, User, and Read-Only User roles as required. Remove all redundant users. For existing users, define new CLI and SNMPv3 secrets.
20. Configure RADIUS servers (primary/secondary), OSPF router peers, and the PPPoE peer. Redundant OSPF peers must be removed. New secrets must be assigned for RADIUS and PPPoE.
21. Activate enhanced-security mode.
22. Define an Access Control List that blocks packets whose IP destination address is any of the module interfaces for the following protocols: TELNET, FTP, TFTP, SNMP. Activate the ACL in the inbound direction on all clear-text interfaces.
23. Configure packet forwarding: static routes, dynamic routes learned via RIP and/or OSPF, and policy-based routing lists.
24. Configure IKE: Diffie-Hellman (group 2, group 5 or group 14), HMAC-SHA-1, AES, TDES (or DES for interconnection with legacy systems) and optional PFS parameters.
25. Configure VPN peers (pre-shared keys). Redundant VPN peers must be removed. For existing peers, new pre-shared keys must be assigned.
26. Configure IPSec transform-sets: HMAC-SHA-1, AES, TDES (or DES for interconnection with legacy systems).
27. Define IPSec crypto-list(s) that provide the encryption rules for traffic that needs protection. Make sure that packets whose IP source address is any of the module interfaces for the following protocols: TELNET, FTP, TFTP, SNMP, are always ESP-protected with TDES or AES encryption; null encryption is explicitly NOT allowed for such flows.
28. Activate the crypto-list(s) on all cipher-text interfaces. For flows that must be encrypted even when directed to clear-text interfaces, apply crypto-lists to all interfaces.
29. Save the running config to the startup config.
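Steps 22, 24, 26 and 27 above amount to a policy that can be checked mechanically once the configuration is in hand: every clear-text interface must drop TELNET/FTP/TFTP/SNMP addressed to any module address, every management flow sourced from a module address must hit a crypto rule that uses AES or TDES (never null), and IKE must use DH group 2/5/14 with HMAC-SHA-1 and AES/TDES (DES only for a legacy peer). The audit below is an added example and is not Avaya code, the G250 CLI or its configuration format: the data model, first-match semantics for ACLs and crypto-lists, the interface names (Vlan1, FastEthernet10/2), addresses and IANA port numbers are all assumptions. The sample configuration is constructed with two deliberate gaps (a missing TFTP deny and a null-encryption crypto rule) so the checks have something to report.

```python
"""Offline audit of a G250-style configuration model against steps 22, 24, 26-28.
Added example: the data model and names are assumptions, not the Avaya CLI."""
from dataclasses import dataclass, field
from typing import List, Optional

# Protocols singled out by steps 22 and 27; ports are IANA defaults (assumed).
MGMT_PROTOS = {"telnet": ("tcp", 23), "ftp": ("tcp", 21),
               "tftp": ("udp", 69), "snmp": ("udp", 161)}
APPROVED_DH = {2, 5, 14}            # step 24
APPROVED_ENC = {"aes", "3des"}      # steps 24, 26, 27 ("3des" stands for TDES)
LEGACY_ENC = {"des"}                # legacy interconnection only
APPROVED_AUTH = {"hmac-sha-1"}


@dataclass
class AclRule:
    action: str               # "deny" or "permit"
    proto: str                # "tcp", "udp" or "any"
    dst_ip: str               # address or "any"
    dst_port: Optional[int]   # None matches any port

    def matches(self, proto, dst_ip, dst_port):
        return (self.proto in ("any", proto) and self.dst_ip in ("any", dst_ip)
                and self.dst_port in (None, dst_port))


@dataclass
class CryptoRule:
    src_ip: str
    proto: str
    dst_port: Optional[int]
    enc: str                  # "aes", "3des", "des" or "null"
    auth: str

    def matches(self, proto, src_ip, dst_port):
        return (self.proto in ("any", proto) and self.src_ip in ("any", src_ip)
                and self.dst_port in (None, dst_port))


@dataclass
class Interface:
    name: str
    ip: str
    clear_text: bool          # step 17: clear-text vs cipher-text interface
    inbound_acl: List[AclRule] = field(default_factory=list)
    crypto_list: List[CryptoRule] = field(default_factory=list)


def first_match(rules, pred):
    """First-match semantics are assumed for both ACLs and crypto-lists."""
    return next((r for r in rules if pred(r)), None)


def check_clear_text_acls(interfaces):
    """Step 22: the inbound ACL on every clear-text interface must deny the
    management protocols when addressed to any module interface address."""
    module_ips = [i.ip for i in interfaces]
    findings = []
    for iface in (i for i in interfaces if i.clear_text):
        for name, (proto, port) in MGMT_PROTOS.items():
            for ip in module_ips:
                hit = first_match(iface.inbound_acl, lambda r: r.matches(proto, ip, port))
                if hit is None or hit.action != "deny":
                    findings.append(f"{iface.name}: {name} to {ip} not denied inbound")
    return findings


def check_crypto_lists(interfaces):
    """Steps 27/28: management traffic sourced from a module address must match
    a crypto rule using AES or TDES. Null (or DES) is a finding, and a
    cipher-text interface with no matching rule would send the flow in clear."""
    module_ips = [i.ip for i in interfaces]
    findings = []
    for iface in interfaces:
        for name, (proto, port) in MGMT_PROTOS.items():
            for ip in module_ips:
                hit = first_match(iface.crypto_list, lambda r: r.matches(proto, ip, port))
                if hit is None:
                    if not iface.clear_text:
                        findings.append(f"{iface.name}: {name} from {ip} has no crypto rule")
                elif hit.enc not in APPROVED_ENC:
                    findings.append(f"{iface.name}: {name} from {ip} uses {hit.enc} encryption")
    return findings


def check_ike(dh_group, enc, auth, legacy_peer=False):
    """Step 24: DH group 2/5/14, HMAC-SHA-1, AES or TDES; DES only for a legacy peer."""
    findings = []
    if dh_group not in APPROVED_DH:
        findings.append(f"DH group {dh_group} not in {sorted(APPROVED_DH)}")
    if enc in LEGACY_ENC and not legacy_peer:
        findings.append("DES allowed only for legacy interconnection")
    elif enc not in APPROVED_ENC | LEGACY_ENC:
        findings.append(f"encryption {enc} not approved")
    if auth not in APPROVED_AUTH:
        findings.append(f"integrity {auth} not approved")
    return findings


def sample_module():
    """Constructed two-interface module with two deliberate gaps."""
    lan = Interface("Vlan1", "10.1.1.1", clear_text=True, inbound_acl=[
        AclRule("deny", "tcp", "10.1.1.1", 23),
        AclRule("deny", "tcp", "10.1.1.1", 21),
        AclRule("deny", "udp", "10.1.1.1", 161),   # no TFTP deny for 10.1.1.1
        AclRule("deny", "any", "192.0.2.1", None),
        AclRule("permit", "any", "any", None),
    ])
    wan = Interface("FastEthernet10/2", "192.0.2.1", clear_text=False, crypto_list=[
        CryptoRule("10.1.1.1", "udp", 161, enc="null", auth="hmac-sha-1"),  # violates step 27
        CryptoRule("any", "any", None, enc="aes", auth="hmac-sha-1"),
    ])
    return [lan, wan]


if __name__ == "__main__":
    for f in (check_clear_text_acls(sample_module()) + check_crypto_lists(sample_module())
              + check_ike(14, "aes", "hmac-sha-1")):
        print("FINDING:", f)
```

Run as a script it reports the two planted gaps and nothing for the compliant IKE proposal. The crypto-list check deliberately treats DES on a management flow as a finding even though step 26 tolerates DES for legacy peers, because step 27 names only TDES and AES for those flows.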