manualshive.com logo in svg

Motorola S2500, Руководство по безопасности

Пользовательский мануал для NEC S2500 доступен для скачивания бесплатно на manualshive.com. Этот мануал предоставляет подробные инструкции по использованию продукта NEC S2500, обеспечивая пользователя необходимой информацией для правильной настройки и эксплуатации устройства. Не упустите возможность загрузить его прямо сейчас!

Поделиться
Скачать
background image

 

MNR S2500 Security Policy  

 

Version 1.3, Revision Date: 1/13/2009 

 Page 

6

Entering FIPS Mode 

To enter FIPS mode, the Crypto Officer must follow the procedure outlined in Table 3 below. 
For details on individual router commands, use the online help facility or review the 

Enterprise 

OS Software User Guide

, version 15.4 and the 

Enterprise OS Software Reference Guide

, version 

15.4. 

 

Step 

Description 

1.

 

  Configure the parameters for the IKE negotiations using the 

IKEProfile

 command. For FIPS 

mode, only the following values are allowed:  Diffie-Hellman Group (Group 2 or Group 5), 
Encryption Algorithm (AES or 3DES), Hash Algorithm (SHA), and Authentication Method 
(PreSharedKey). 

2.

 

  Manually establish via the local console port the pre-shared key (PSK) to be used for the IKE 

protocol using: 

ADD –CRYPTO FipsPreSharedKey <peer_ID> <pre-shared_key> <pre-shared_key> 

The PSK must be at least 80 bits in length with at least 80 bits of entropy. 

3.

 

  Configure Ipsec and FRF.17 selector lists using the command 

ADD –CRYPTO SelectorLIst 

For FIPS mode, the selector list must be configured to encrypt all packets on an encrypted port, 
e.g. 

ADD –CRYPTO SelectorLIst s1 1 Include ANY 0.0.0.0/0 0.0.0.0/0

 

4.

 

  If Ipsec is used, configure Ipsec transform lists using the 

ADD –CRYPTO TransformLIst

 

command. For FIPS mode, only the following values are allowed:  Encryption Transform (ESP-
3DES, or ESP-AES) and Authentication Transform (ESP-SHA). 

5.

 

  If FRF.17 is used, configure FRF.17 transform lists using the 

ADD –CRYPTO 

TransformLIst

 command. For FIPS mode, only the following values are allowed:  Encryption 

Transform (FRF-3DES, or FRF-AES) and Authentication Transform (FRF-SHA). 

6.

 

  For each port for which encrypted is required, bind a dynamic policy to the ports using  

ADD [!<portlist>] –CRYPTO DynamicPOLicy <policy_name> <priority> 
<mode> <selctrlist_name> <xfrmlist_name> [<pfs>] [<lifetime>] [<preconnect>] 

 

To be in FIPS mode, the selector list and transform list names must be defined as in previous 
steps. 

7.

 

  For each port for which encryption is required, enable encryption on that port using 

SETDefault [!<portlist>] –CRYPTO CONTrol = Enabled 

 

8.

 

 

FIPS-140-2 mode achieved  

Table 3 – FIPS Approved mode configuration 

 

To review the cryptographic configuration of the router, use the following command: 

Содержание S2500

Страница 1: ...Copyright Motorola Inc 2009 May be reproduced only in its original entirety without revision Motorola Network Router MNR S2500 Security Policy Document Version 1 3 Revision Date 1 13 2009 ...

Страница 2: ...OLICY 8 6 ACCESS CONTROL POLICY 10 AUTHENTICATED SERVICES 10 UNAUTHENTICATED SERVICES 10 ROLES AND SERVICES 11 DEFINITION OF CRITICAL SECURITY PARAMETERS CSPS 12 DEFINITION OF CSPS MODES OF ACCESS 13 7 OPERATIONAL ENVIRONMENT 15 8 SECURITY RULES 15 9 CRYPTO OFFICER GUIDANCE 16 10 PHYSICAL SECURITY POLICY 17 PHYSICAL SECURITY MECHANISMS 17 11 MITIGATION OF OTHER ATTACKS POLICY 17 12 DEFINITIONS AND...

Страница 3: ...he photo blank plates cover slots that can hold optional network interface cards The FIPS validated firmware versions are XS 15 1 0 75 XS 15 1 0 76 XS 15 2 0 20 and XS 15 4 0 60 S2500 Base Unit S2500 Encryption Module Configurations P N Tanapa Number Revision P N Tanapa Number Revision FW Version 1 ST2500B CLN1713E B ST2516A CLN8262C C XS 15 1 0 75 2 ST2500B CLN1713E B ST2516A CLN8262C C XS 15 1 0...

Страница 4: ...l Environment N A Cryptographic Key Management 1 EMI EMC 3 Self Tests 1 Design Assurance 1 Mitigation of Other Attacks N A Table 2 Module Security Level Specification 3 Modes of Operation Approved mode of operation In FIPS mode the cryptographic module supports the following FIPS Approved algorithms as follows Hardware Implementations a Triple DES CBC mode 112 or 168 bit for IPsec and FRF 17 encry...

Страница 5: ...349 The MNR S2500 router supports the commercially available IKE and Diffie Hellman protocols for key establishment IPsec ESP and FRF 17 protocols to provide data confidentiality using FIPS approved encryption and authentication algorithms and SSHv2 for secure remote access Allowed Algorithms Diffie Hellman allowed for key agreement per Annex D key agreement methodology provides 80 to 112 bits of ...

Страница 6: ...For FIPS mode the selector list must be configured to encrypt all packets on an encrypted port e g ADD CRYPTO SelectorLIst s1 1 Include ANY 0 0 0 0 0 0 0 0 0 0 4 If Ipsec is used configure Ipsec transform lists using the ADD CRYPTO TransformLIst command For FIPS mode only the following values are allowed Encryption Transform ESP 3DES or ESP AES and Authentication Transform ESP SHA 5 If FRF 17 is u...

Страница 7: ...ge 7 SHOW CRYPTO CONFiguration This command shows a detailed summary of the cryptographic configuration and allows a user to verify that encryption is enabled on user determined ports and that only FIPS Approved algorithms are used for encryption and authentication ...

Страница 8: ... input data output status output control input power output Optional conventional to IP E M Power Plug 1 Power input N A External Power input port LEDs 7 Status Output N A Provides LED status output Table 4 S2500 physical ports and logical interfaces 5 Identification and Authentication Policy Assumption of roles The MNR S2500 router supports five distinct operator roles Crypto Officer SuperUser Ad...

Страница 9: ...module with full access to services of the module Network Manager Role based operator authentication Username and Password The module stores user identity information internally A user of the cryptographic module with almost full access to services of the module Admin Role based operator authentication Username and Password The module stores user identity information internally An assistant to the...

Страница 10: ...nel establishment IPsec protocol FRF 17 tunnel establishment Frame Relay Privacy Protocol SSHv2 for remote access to the router Network configuration Configure networking capabilities Enable Ports Apply a security policy to a port File System Access file system Authenticated Show status Provide status to an authenticated operator Access Control Provide access control for all operators Unauthentica...

Страница 11: ...Entry X X User Management X X IKE X X IPsec Tunnel Establishment X X FRF 17 Tunnel Establishment X X SSHv2 X X Reboot X X Zeroization X X Crypto Configuration X X Network Configuration X X Enable Ports X X File System X X Authenticated Show Status X X X X Unauthenticated Show Status X X X X X Power up Self Tests X X X X Monitor X X Access Control X X Table 7 Services to Roles mapping ...

Страница 12: ...emeral DH Phase 2 private key a Phase 2 Diffie Hellman private keys used in PFS for key renewal IPSEC Session keys 128 192 256 bit AES CBC and 168 bit TDES keys are used to encrypt and authenticate IPSEC ESP packets FRF 17 Session Keys 168 bit TDES CBC and 128 192 256 bit AES CBC keys are used to encrypt and authenticate FRF 17 Mode 2 SSH RSA Private Key Key used to authenticate oneself to peer SS...

Страница 13: ...uted to module used to authenticate peer IKE DH public key g a Generated for IKE Phase 1 key establishment IKE DH phase 2 public g a key Phase 2 Diffie Hellman public keys used in PFS for key renewal if configured SSH DH Key Generated for SSH key establishment Table 9 Public Keys Definition of CSPs Modes of Access Table 10 defines the relationship between access to CSPs and the different module se...

Страница 14: ...ticated Show Status Access Control KEK R R Z R IKE Pre shared Key W R Z W RW R SKEYID RW Z Z SKEYID_d RW Z SKEYID_a RW Z SKEYID_e RW Z Ephemeral DH Phase 1 private key RW Z Ephemeral Phase 2 DH private key RW Z IPSEC Session Keys RW R Z FRF 17 Session Keys RW R Z SSH RSA Private Key RW Z RW SSH DSA Private Key RW Z RW SSH Session Keys RW Z SSH DH Private Key RW Z Root Password RW Z User Admin RW Z...

Страница 15: ...e MNR S2500 router provides five distinct operator roles Crypto Officer SuperUser Admin Network Manager User and Maintenance The Crypto Officer role uses the root account 2 The MNR S2500 router encrypts message traffic using the AES or TDES algorithm 3 The MNR S2500 router performs the following tests A Power up Self Tests 1 Cryptographic algorithm tests Hardware Implementation a AES CBC Known Ans...

Страница 16: ...r on the module and verify successful completion of power up self tests from console port or inspection of log file 2 Authenticate to the module using the default user acting as the Crypto Officer with the default password and username 3 Verify that the Hardware and Firmware P Ns and version numbers of the module are the FIPS approved versions 4 Change the Network Manager Crypto Officer and User p...

Страница 17: ...itions and Acronyms AES Advanced Encryption Standard CBC Cipher Block Chaining CLI Command Line Interface CSP Critical Security Parameter DH Diffie Hellman DRNG Deterministic Random Number Generator FRF Frame Relay Forum FRF 17 Frame Relay Privacy Implementation Agreement FRPP Frame Relay Privacy Protocol HMAC Hash Message Authentication Code IKE Internet Key Exchange IP Internet Protocol IPsec In...

Страница 18: ...Revision Date 1 13 2009 Page 18 PFS Perfect Forward Secrecy RNG Random Number Generator SHA Secure Hash Algorithm SSH Secure Shell SNMP Simple Network Management Protocol Tanapa The part number that is built and stocked for customer orders ...

Отзывы:

Нет отзывов

Похожие инструкции для S2500

GE MDS 4710M Setup Manual preview
MDS 4710M
Бренд: GE Страницы: 6
4IPNET WHG301 User Manual preview
WHG301
Бренд: 4IPNET Страницы: 97
Extron electronics PoleVault System A/V Source Inputs Specification Sheet preview
PoleVault System A/V Source Inputs
Бренд: Extron electronics Страницы: 4
TP-Link Archer VR500vd Installation Manual preview
Archer VR500vd
Бренд: TP-Link Страницы: 7
SAB SABVISION NVR32 Quick Start Manual preview
SABVISION NVR32
Бренд: SAB Страницы: 29
B&B Electronics Elinx ESW200 Series Quick Start Manual preview
Elinx ESW200 Series
Бренд: B&B Electronics Страницы: 20
3Com 3C13640 Installation Manual preview
3C13640
Бренд: 3Com Страницы: 32
1&1 Homeserver+ Quick Start Manual preview
Homeserver+
Бренд: 1&1 Страницы: 32
Sparklan WNFB-265AXI(BT) User Manual preview
WNFB-265AXI(BT)
Бренд: Sparklan Страницы: 14
IBM CFFh Installation Manual preview
CFFh
Бренд: IBM Страницы: 34
Lantech IMR-3003 User Manual preview
IMR-3003
Бренд: Lantech Страницы: 40
B-G Instruments DataPlot CB1224 Manual preview
DataPlot CB1224
Бренд: B-G Instruments Страницы: 4
Rajant Corporation BreadCrumb CX1 User Manual preview
BreadCrumb CX1
Бренд: Rajant Corporation Страницы: 40
MSNswitch UIS-322b Quick Installation Manual preview
UIS-322b
Бренд: MSNswitch Страницы: 2
Zigen IP-Logic ZIG-IPPRO-RX Quick Start Manual preview
IP-Logic ZIG-IPPRO-RX
Бренд: Zigen Страницы: 4
National Instruments PXI Terminal Block NI TB-2709 Installation Manual preview
PXI Terminal Block NI TB-2709
Бренд: National Instruments Страницы: 12
ZyXEL Communications P-2602H Series Specifications preview
P-2602H Series
Бренд: ZyXEL Communications Страницы: 2
Ubiquiti UniFi AP PRO Quick Start Manual preview
UniFi AP PRO
Бренд: Ubiquiti Страницы: 20

Бренды по названию

Популярные бренды

Загрузить еще бренды