Nortel 4600 user manual, page 11

• IPSec Protocol Tunnels
• PPTP Protocol Tunnels
• L2TP Protocol Tunnels
• L2F Protocol Tunnels
• Change Password

2.4.1 Crypto Officer Services

There is a factory default login ID and password, which allows access to the Crypto
Officer role. This initial account is the primary administrator's account for the Switch,
and guarantees that at least one account is able to assume the Crypto Officer role and
completely manage the switch and users. The switch can also be configured to
authenticate based on RSA digital signatures. An administrator of the switch may assign
permission to access the Crypto Officer role to additional accounts, thereby creating
additional administrators. Each administrator would have a separate ID and password.
Administrators may always access the switch and authenticate themselves via the serial
port. They may also authenticate as a User over a secure tunnel and then authenticate to
the switch as a Crypto Officer in order to manage the switch. An administrator can also
configure the switch to allow or disallow management via a private LAN interface,
without using a secure tunnel. Initially the default configuration allows HTTP
management on the private LAN interface of the Switch without requiring a secure
tunnel.

At the highest level, Crypto Officer services include the following:

• Configure the Switch: to define network interfaces and settings, set the
protocols the switch will support, define routing tables, set system date and
time, load authentication information, etc.

• Create User Groups: to define common sets of user permissions such as
access hours, user priority, password restrictions, protocols allowed, filters
applied, and types of encryption allowed. Administrators can create, edit and
delete User Groups, which effectively defines the permission sets for a
number of Users.

• Create Users: to define User accounts and assign them permissions using
User Groups. Every User may be assigned a separate ID and password for
IPSec, PPTP, L2TP, and L2F, which allow access to the User roles.
Additionally, an account may be assigned an Administration ID, allowing
access to the Crypto Officer role. Each Administrator ID is assigned rights to
Manage the Switch (either none, view switch, or manage switch) and rights to
Manage Users (either none, view users, or manage users).

• Define Rules and Filters: to create packet Filters that are applied to User
data streams on each interface. Each Filter consists of a set of Rules, which
define a set of packets to permit or deny based on characteristics such as
protocol ID, addresses, ports, TCP connection establishment, or packet
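The Filter model described in the last item, as an added illustration that is not the Contivity's own filter code: a Filter is an ordered set of permit/deny Rules matched on protocol ID, addresses, ports and TCP connection establishment, with the LAN range, the sample packets and the first-match/default-deny semantics being assumptions of this example.

```python
# Added illustration (not Contivity code): a filter is a set of rules that
# permit or deny packets by protocol ID, addresses, ports and TCP connection
# establishment. First matching rule decides; anything unmatched is denied.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

TCP = 6  # IANA protocol ID

@dataclass(frozen=True)
class Packet:
    proto: int
    src: str
    dst: str
    dport: int
    syn: bool = False
    ack: bool = False

@dataclass(frozen=True)
class Rule:
    action: str                         # "permit" or "deny"
    proto: Optional[int] = None         # None: any protocol
    src: str = "0.0.0.0/0"
    dst: str = "0.0.0.0/0"
    dport: Optional[int] = None         # None: any port
    established: Optional[bool] = None  # True: exclude TCP connection attempts

    def matches(self, p: Packet) -> bool:
        if self.proto is not None and p.proto != self.proto:
            return False
        if ip_address(p.src) not in ip_network(self.src):
            return False
        if ip_address(p.dst) not in ip_network(self.dst):
            return False
        if self.dport is not None and p.dport != self.dport:
            return False
        if self.established is not None:
            attempt = p.proto == TCP and p.syn and not p.ack  # SYN without ACK
            if attempt == self.established:
                return False
        return True

def evaluate(rules, p: Packet) -> str:
    for r in rules:
        if r.matches(p):
            return r.action
    return "deny"

# Constructed filter: LAN hosts may open TCP connections outward; inbound,
# only packets of already established connections pass, everything else is denied.
FILTER = [Rule("permit", TCP, src="10.1.0.0/16"),                    # constructed LAN range
          Rule("permit", TCP, dst="10.1.0.0/16", established=True)]
```

The distinction between a connection attempt and established traffic is what lets a stateless filter admit replies to outbound connections without opening inbound ports.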
