3 Secure Operation of the Contivity Switch

The Contivity Switch is a versatile machine; it can be run in a Normal Operating Mode or
a FIPS Operating Mode (FIPS mode). In FIPS mode, the switch meets all the Level 2
requirements for FIPS 140-1. To place the module in FIPS mode, click the “FIPS
Enabled” button on the Services Available management screen and restart the module. A
number of configuration settings are recommended when operating the Contivity Switch
in a FIPS 140-1 compliant manner. Other changes are required in order to maintain
compliance with FIPS 140-1 requirements. These include the following:

Recommended

• Change the default administrator password on the switch.
• Disable all management protocols over private non-tunneled interfaces.

Required

• Select the “FIPS Enabled” button on the Services Available management screen and restart the module.
• Apply the tamper evident labels as described in section 2.3.
• Disable cryptographic services that employ non-FIPS approved algorithms:
  • For IPSec: when operating the device in a FIPS 140-1 compliant manner, only Triple DES ESP, DES ESP, and HMAC-SHA AH may be enabled. MD5 is not a FIPS approved algorithm.
  • For PPTP and L2TP: when operated in a FIPS 140-1 compliant manner, MS-CHAP and CHAP are not enabled with RC4 encryption.
  • For L2P: CHAP must be disabled to operate in a FIPS compliant manner.
• The internal LDAP database must be used in place of an external LDAP server.
• Secure Sockets Layer (SSL) cannot be used to establish secure connections.
• For Routing Information Protocol (RIP): in FIPS mode, MD5 must be disabled.
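The required and recommended items above form a checklist a Crypto Officer can verify before declaring the switch FIPS compliant. The following audit routine is an added example, not code from the Nortel security policy; the configuration field names and transform labels (such as "3DES-ESP") are assumed for illustration, and the sample snapshot is constructed.

```python
# Added example, not Nortel's code: audit a constructed config snapshot
# against the FIPS-mode rules on this page.  Labels/field names are assumed.
from dataclasses import dataclass, field

FIPS_IPSEC_TRANSFORMS = {"3DES-ESP", "DES-ESP", "HMAC-SHA-AH"}  # permitted in FIPS mode

@dataclass
class SwitchConfig:
    """Hypothetical snapshot of the settings the policy talks about."""
    fips_enabled: bool = False
    default_admin_password: bool = True
    mgmt_on_private_interfaces: bool = True
    ipsec_transforms: set = field(default_factory=set)
    rc4_auth_methods: set = field(default_factory=set)  # PPTP/L2TP auth paired with RC4
    l2p_chap_enabled: bool = False
    external_ldap: bool = False
    ssl_enabled: bool = False
    rip_md5_enabled: bool = False

def audit(cfg: SwitchConfig) -> dict:
    """Return the 'required' and 'recommended' items the snapshot violates."""
    required, recommended = [], []
    if not cfg.fips_enabled:
        required.append("FIPS Enabled not selected")
    bad = cfg.ipsec_transforms - FIPS_IPSEC_TRANSFORMS
    if bad:  # e.g. an MD5-based transform left over from Normal mode
        required.append("non-FIPS IPSec transforms enabled: " + ", ".join(sorted(bad)))
    rc4 = cfg.rc4_auth_methods & {"MS-CHAP", "CHAP"}
    if rc4:
        required.append("RC4 encryption enabled with " + ", ".join(sorted(rc4)))
    if cfg.l2p_chap_enabled:
        required.append("L2P CHAP enabled")
    if cfg.external_ldap:
        required.append("external LDAP server in use")
    if cfg.ssl_enabled:
        required.append("SSL enabled")
    if cfg.rip_md5_enabled:
        required.append("RIP MD5 authentication enabled")
    if cfg.default_admin_password:
        recommended.append("default administrator password unchanged")
    if cfg.mgmt_on_private_interfaces:
        recommended.append("management protocols on private non-tunneled interfaces")
    return {"required": required, "recommended": recommended}

# Constructed sample: FIPS button selected, but two Normal-mode leftovers remain.
SAMPLE = SwitchConfig(fips_enabled=True, default_admin_password=False,
                      mgmt_on_private_interfaces=False, rc4_auth_methods={"MS-CHAP"},
                      ipsec_transforms={"3DES-ESP", "HMAC-MD5-AH"})
```

Any entry under "required" means the module is not operating in a FIPS 140-1 compliant manner even though the FIPS Enabled button was selected.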

Several services are affected by transitioning the module into FIPS compliant mode. When the module is restarted in FIPS mode, several administrative services that access the shell, including the debugging scripts, are disabled. While the module is in FIPS mode, the administrator is given additional authority to reset the default administrator’s password and username. The integrated firewall program, by Checkpoint, and the restore capabilities are disabled during FIPS mode. The FTP daemon is also turned off, preventing any outside intruder from FTPing into the server. To transition the module out of FIPS mode, the FIPS disable button on the Services Available management screen must be clicked and the module must be restarted.

When transitioning the module from Non-FIPS mode to FIPS mode, the Crypto Officer should ensure that the module is running only the Nortel supplied, FIPS 140-1 validated firmware. If there is a concern that the firmware has been modified during operation in Non-FIPS mode (this might be done by an unauthenticated malicious remote user who has the capability to submit shell commands), then the Crypto Officer should reinstall the Nortel firmware from trusted media such as the installation CD or the Nortel website.
