Nortel 4600 user manual, page 14

contained on the floppy disk via the module’s management interface. The
format utility then causes the firmware of the module to be erased

• RSA keys: These RSA public/private key pairs are used for generating and verifying digital signatures that authenticate users during IPSec tunneling sessions. The module's keys are generated internally per the PKCS#1 standard using a pseudo-random number generator. The keys are stored in uniquely named directories in PKCS#5 and PKCS#8 formats, respectively. All RSA keys can be zeroized by the administrator by entering commands that delete and zeroize the key directories. The private key is never output from the module; the module's public key is output only to obtain a certificate from a third-party Certificate Authority (CA).

• RSA Certificates: These public key based certificates are used to authenticate users for IPSec tunnel sessions. In addition, the module has its own certificate that it uses to authenticate to users. These X.509 certificates are issued by a third party CA and stored in the internal LDAP.
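The key lifecycle the two bullets above describe (generate inside the module, export only the public half for the CA, keep the private half inside, zeroize on command) is shown below as an added example; it is not Nortel's code and does not reproduce the switch's PKCS#5/PKCS#8 storage. Key generation is compact textbook RSA with a Miller-Rabin primality test at a 512-bit size chosen for speed, the on-disk layout is a simple length-prefixed encoding of this script's own design, and the key directory is a temporary directory the script creates. Zeroization overwrites each stored file with zeros before the directory is removed and then wipes the in-memory copy.

```python
"""RSA key pair lifecycle inside a cryptographic module (added example).

The store exposes no export of the private key at all: signing happens
inside the module, only the public key leaves it, and zeroize() overwrites
the stored material before deleting it.
"""
import os
import secrets
import shutil
import tempfile


def is_probable_prime(n, rounds=32):
    """Miller-Rabin probabilistic primality test."""
    if n < 2:
        return False
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29):
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        a = secrets.randbelow(n - 3) + 2
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def random_prime(bits):
    """Random odd candidate with the top bit set, retried until probably prime."""
    while True:
        cand = secrets.randbits(bits) | (1 << (bits - 1)) | 1
        if is_probable_prime(cand):
            return cand


def generate_rsa(bits=512, e=65537):
    """Returns (public, private) as ((n, e), (n, d)); small size for the demo."""
    while True:
        p, q = random_prime(bits // 2), random_prime(bits // 2)
        phi = (p - 1) * (q - 1)
        if p != q and phi % e != 0:  # e is prime, so this is gcd(e, phi) == 1
            break
    d = pow(e, -1, phi)
    return (p * q, e), (p * q, d)


def _encode(pair):
    """Length-prefixed big-endian integers (this script's layout, not PKCS#8)."""
    out = b""
    for x in pair:
        b = x.to_bytes((x.bit_length() + 7) // 8, "big")
        out += len(b).to_bytes(2, "big") + b
    return out


def _decode(buf):
    vals, i = [], 0
    while i < len(buf):
        ln = int.from_bytes(buf[i:i + 2], "big")
        i += 2
        vals.append(int.from_bytes(buf[i:i + ln], "big"))
        i += ln
    return tuple(vals)


class ModuleKeyStore:
    """Holds one key pair inside the module. Only the public half is exported."""

    def __init__(self, directory, bits=512):
        self.directory = directory
        os.makedirs(directory, exist_ok=True)
        public, private = generate_rsa(bits)
        self._public = public
        self._private = bytearray(_encode(private))  # mutable so it can be wiped
        with open(os.path.join(directory, "private.key"), "wb") as f:
            f.write(self._private)
        with open(os.path.join(directory, "public.key"), "wb") as f:
            f.write(_encode(public))

    def _require_key(self):
        if self._private is None:
            raise RuntimeError("key has been zeroized")

    def export_public(self):
        self._require_key()
        return _encode(self._public)

    def sign(self, message_int):
        """Raw RSA signing with the private key, which never leaves the store."""
        self._require_key()
        n, d = _decode(self._private)
        return pow(message_int % n, d, n)

    def zeroize(self):
        """Overwrite every stored file with zeros, delete the directory, wipe RAM."""
        for name in os.listdir(self.directory):
            path = os.path.join(self.directory, name)
            size = os.path.getsize(path)
            with open(path, "r+b") as f:
                f.write(b"\x00" * size)
                f.flush()
                os.fsync(f.fileno())
        shutil.rmtree(self.directory)
        for i in range(len(self._private)):
            self._private[i] = 0
        self._private = None
        self._public = None


def demo_lifecycle(bits=512):
    """Generate, export, sign, verify with the exported key, then zeroize."""
    directory = tempfile.mkdtemp(prefix="contivity-keys-")
    store = ModuleKeyStore(directory, bits)
    n, e = _decode(store.export_public())
    message = 0x1234567
    verified = pow(store.sign(message), e, n) == message
    files_before = sorted(os.listdir(directory))
    store.zeroize()
    return {
        "verified": verified,
        "files_before": files_before,
        "directory_exists_after": os.path.exists(directory),
        "private_wiped": store._private is None,
    }


if __name__ == "__main__":
    print(demo_lifecycle())
```

One caveat worth stating for any zeroization routine of this shape: overwriting a file in place only clears the physical copy if the filesystem writes back to the same blocks, which journaling and flash-translation layers do not guarantee. A module's zeroize command therefore needs to be implemented at the storage layer (or the key kept encrypted under a key that is itself zeroizable), not just at the file API.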

2.6 Self-tests

It is important to test the cryptographic components of a security module to ensure all components are functioning correctly. The Contivity Switch includes an array of self-tests that are run during startup and periodically during operation. The self-tests run at power-up include cryptographic known answer tests (KATs) on the FIPS-approved cryptographic algorithms implemented in both hardware and software (DES, 3DES), on the message digest (SHA-1), and on signatures (RSA with SHA-1). Additional self-tests performed at startup include a software integrity test using a DES MAC per FIPS 113 and a continuous random number generator test. Other tests are run periodically or conditionally: a software load test, using a DES MAC, for FIPS-approved upgrades, and the continuous random number generator test on the generator's output. In addition, there are checksum tests on the flash memory that are updated whenever the flash contents change.

If any of these self-tests fails, the switch transitions into an error state. In the error state, all secure data transmission is halted and the switch outputs status information indicating the failure.
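The self-test sequence above, modelled as an added example rather than Nortel's firmware: a SHA-1 known answer test against the FIPS 180-1 "abc" vector, a power-up software integrity check, the continuous random number generator test (each new block is compared with the previous one and a repeat is a failure), a conditional software load test on an upgrade image, and the error state in which every secure service refuses. The DES/3DES KATs and the FIPS 113 DES MAC are not reproduced; the integrity and load checks use HMAC-SHA1 as a stand-in, and the firmware image, its integrity key and the stuck generator used to provoke a failure are all constructed for this script.

```python
"""Power-up and conditional self-tests in the style of FIPS 140-1 (added example)."""
import hashlib
import hmac
import os

# Constructed stand-ins for the module's firmware image and integrity key.
FIRMWARE_IMAGE = b"contivity-4600-firmware-image (constructed sample)"
INTEGRITY_KEY = bytes(range(16))
# MAC fixed at "build time" over FIRMWARE_IMAGE; recomputed and compared at power-up.
# HMAC-SHA1 stands in for the DES MAC per FIPS 113 that the real module uses.
EXPECTED_IMAGE_MAC = hmac.new(INTEGRITY_KEY, FIRMWARE_IMAGE, hashlib.sha1).digest()

# SHA-1 known answer: the FIPS 180-1 example vector for the message "abc".
SHA1_KAT_MSG = b"abc"
SHA1_KAT_DIGEST = bytes.fromhex("a9993e364706816aba3e25717850c26c9cd0d89d")


class SelfTestError(Exception):
    pass


class ContinuousRng:
    """Wraps a generator with the continuous RNG test: every newly drawn block
    is compared with the previous one; an identical block is a failure."""
    BLOCK = 16  # bytes per draw

    def __init__(self, source=os.urandom):
        self._source = source
        self._last = self._source(self.BLOCK)  # first block is only a reference

    def random_block(self):
        block = self._source(self.BLOCK)
        if block == self._last:
            raise SelfTestError("continuous RNG test failed: repeated block")
        self._last = block
        return block


class CryptoModule:
    def __init__(self, image=FIRMWARE_IMAGE, rng_source=os.urandom):
        self.error = None
        self._image = image
        self._rng_source = rng_source
        self.rng = None

    # ---- power-up self-tests --------------------------------------------
    def power_up(self):
        """Runs the power-up tests; returns True if the module is operational."""
        try:
            self._sha1_kat()
            self._integrity_test()
            self.rng = ContinuousRng(self._rng_source)
            self.rng.random_block()  # exercise the continuous test once
        except SelfTestError as exc:
            self._enter_error_state(str(exc))
        return self.error is None

    def _sha1_kat(self):
        if hashlib.sha1(SHA1_KAT_MSG).digest() != SHA1_KAT_DIGEST:
            raise SelfTestError("SHA-1 KAT failed")

    def _integrity_test(self):
        mac = hmac.new(INTEGRITY_KEY, self._image, hashlib.sha1).digest()
        if not hmac.compare_digest(mac, EXPECTED_IMAGE_MAC):
            raise SelfTestError("software integrity test failed")

    # ---- error state -----------------------------------------------------
    def _enter_error_state(self, reason):
        self.error = reason
        self.rng = None  # no further random output once in the error state

    def _require_operational(self):
        if self.error is not None:
            raise SelfTestError("module is in error state: " + self.error)

    def status(self):
        return "error: " + self.error if self.error else "operational"

    # ---- services, all refused in the error state -----------------------
    def session_key(self):
        """Draws key material through the continuously tested generator."""
        self._require_operational()
        try:
            return self.rng.random_block()
        except SelfTestError as exc:
            self._enter_error_state(str(exc))
            raise

    def load_software(self, image, image_mac):
        """Conditional software load test: accept an upgrade only if its MAC
        verifies; a failure drops the module into the error state."""
        self._require_operational()
        expected = hmac.new(INTEGRITY_KEY, image, hashlib.sha1).digest()
        if not hmac.compare_digest(expected, image_mac):
            self._enter_error_state("software load test failed")
            return False
        return True


if __name__ == "__main__":
    healthy = CryptoModule()
    print(healthy.power_up(), healthy.status())
    stuck = CryptoModule(rng_source=lambda n: b"\x00" * n)  # constructed stuck RNG
    print(stuck.power_up(), stuck.status())
```

The stuck generator is the case the continuous test exists for: a source that keeps returning the same block passes every KAT yet would hand out identical session keys, and only the block-to-block comparison catches it. Note that the reference block drawn in the constructor is discarded rather than used as output, so the first block a caller receives has already been compared against something.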

Source document: Contivity Extranet Switch 4600 FIPS 140-1 Non-Proprietary Cryptographic Module Security Policy, Level 2 Validation, June 2001.