Gebruiksaanwijzing /service van het product XSR-3250 van de fabrikant Enterasys Networks
Ga naar pagina of 25
XSR-1805, XSR-1850, and XSR-3250 (Hardware Version: REV 0A-G, Software Version: REL 6.3, Firmware Version : REL 6.3) FIPS 140-2 Non-Proprietary Security Policy Level 2 Validation Version 1.00 September 2003 © Copyright 2003 Enterasys Networks This document may be freely reproduced and distr ibuted whole and intact including this Copyr ight Notice.
Table of Contents INTRODUC TION ............................................................................................................. 3 P URPOSE ..................................................................................................
Introduction Purpose This document is a nonproprietary Cr yptographic Module Security Policy for the Enterasys Networks XSR -1805, XSR-1850, and XSR-3250 appliances. This security policy describes how the XSR-1805, XSR-1850, and XSR-3250 meet the security requirements of FIPS 140-2 and how to run the modules in a secure FIPS 140-2 mode.
This Security Policy and the other validation submission documentation were produced by Corsec Security , Inc. under contract to Enterasys Networks. With the exception of this Non-Proprietary Security.
E NTERASYS N ETWORKS XSR-1805, XSR-1850, AND XSR-3250 Overview Part of the Enterasys Networks X-Pedi tion Security Router (XSR) series, the XSR-1805, XSR-1850, and XSR- 3250 modules are networking dev.
ideal to support mission- critical app lications extending to the branch office. The XSR-3250 offers nearly ten time s the performance speed of the XSR- 1850 and approximately 15 times more VPN tunnels.
The hardware components for the XSR-18xx modules vary slightly to meet the performance level for each module. The XSR-1850 is an enhancement of the XSR-1805 consisting of the following additional features: • Two fans • External power source connector • One PMC slot for PPMC card • 19” 1.
The software image is contained in a single file with the power-up diagnostics. It is based on the Nortel Open IP design model and runs on top of the VxWorks operating system. The modules are intended to m eet overall FIPS 140-2 Level 2 requirements (see Table 2).
• Ten status LEDs • One power connector • One power switch • One default configuration button The XSR-1850 implements the same ph ysical ports as the XSR-1805 and the following additional ones.
• Three 10/100/1000BaseT GigabitEther net LAN ports with two LEDs on each port, instead of the two 10/100BaseT FastEthernet LAN ports • Mini-Gigabit Interface Converter (MGBIC) fiberoptic port plu.
Roles and Services The module supports role-based and identity- based authentication 1 . There are two main roles in the module (as required by FIPS 140-2) that operators may assume: a Crypto Of ficer role and User role. Crypto Officer Role The Crypto Officer role has the abili ty to configure, manage, and monitor the module.
• Read-only Crypto Officer – Mana gement users with privilege level zero assume the Read-only Crypto Officer role. The Read-only Crypto Officer can only issue monitoring commands with low security level. Examples of commands are: show version and show clock .
Management key; create DSA host key for SSHv2; create management users and set their password and privilege level; configure the SNMP agent configuration data access), DSA host key pair (read/write ac.
Firewall authorization information for network traffic that flows through the box. configuration data. commands and configuration data. Table 4 – Crypto Officer Services, Descri ptions, Inputs and Outputs, and CSPs User Role The User role accesses the module’s IPSec and IKE services.
mechanism is as strong as the RSA algorithm using a 1024 bit key pair. Pre-shared key-based authentication (IKE) User HMAC SHA-1 generation and verification is used to authenticate to the module during IKE with preshared keys. This mechanism is as strong as the HMAC with SHA-1 algorithm.
Cryptographic Key Management The modules implement the fo llowing FIPS-approv ed algorithms: Typ e Algorithm Standard Certificate Number AES (CBC) FIPS 197 Cert. #48, #106, #107 Triple-DES (CBC and ECB) FIPS 46-3 Cert. #158, #218, #219, #220 Symmetric DES (CBC) FIPS 46-3 Cert.
the encryption accelerators. The encry ption accelerators implement the following FIPS-approved algorithms: • XSR-18xx – Triple-DES, DES, and HMAC SHA-1 • XSR-3250 – AES, Triple-DES, DES, and HMAC SHA-1 Cryptographic processing is performed during SSHv2, SNMPv3, IKE, IPSec, and when accessing and storing database files.
IPSec se ssion keys 56-bit DES, 168-bit TDES, or 128/192/256-bit AES keys; HMAC SHA-1 key Established during the Diffie-Hellman key agreement Stored in plaintext in memory Secure IPSec traffic Load te.
If the master encryption key is gener ated within the module, the module outputs the key to the cons ole as soon as the key is generated in order for the Crypto Officer to note down and st ore the key securely outside of the module. This is required, since the Cr ypto Officer must enter the current key before changing or removing it.
Self-Tests The module performs a set of self-t ests in order to ensure proper operation in compliance with FIPS 140-2. These self-tests are run during power-up (power-up self-tests) or when certain conditions are met (conditional self-tests).
• Continuous random number generator te st: this test is constantly run to detect failure of the random number generator of the module. • Manual key entry test: when enter ing a pre-shared key, ma.
S ECURE O PERATION The XSR modules meet level 2 requirements fo r FIPS 140-2. The sections below describe how to place and keep the module in a FIPS-approved mode of operation. The Crypto Officer must ensure that the module is kept in a FIPS-approved mode of operation.
2. At the prompt <Enter curr ent password: >, press Enter. 3. At the prompt <Enter new pa ssword: >, enter the password. 4. At the prompt <Re-enter new pa ssword: >, re-enter the password. 5. At the prompt, enter bc for cold boot. The Crypto Officer must now set the at least six character long CLI password.
• Dial backup access must be disabled. • Syslog remote logging must be disabled. • VPN services can only be provided by IPSec or L2TP over IPSec. • Only SNMPv3 can be enabled. • If cryptographic algorithms can be set for services (such as IKE/IPSec and SNMP), only FIPS -approved algorithms can be specified.
© Copyright 2003 Enterasys Networks Page 25 of 25 This document may be freely reproduced and distributed w hole an d intact including this Copyright Notice.
Een belangrijk punt na aankoop van elk apparaat Enterasys Networks XSR-3250 (of zelfs voordat je het koopt) is om de handleiding te lezen. Dit moeten wij doen vanwege een paar simpele redenen:
Als u nog geen Enterasys Networks XSR-3250 heb gekocht dan nu is een goed moment om kennis te maken met de basisgegevens van het product. Eerst kijk dan naar de eerste pagina\'s van de handleiding, die je hierboven vindt. Je moet daar de belangrijkste technische gegevens Enterasys Networks XSR-3250 vinden. Op dit manier kan je controleren of het apparaat aan jouw behoeften voldoet. Op de volgende pagina's van de handleiding Enterasys Networks XSR-3250 leer je over alle kenmerken van het product en krijg je informatie over de werking. De informatie die je over Enterasys Networks XSR-3250 krijgt, zal je zeker helpen om een besluit over de aankoop te nemen.
In een situatie waarin je al een beziter van Enterasys Networks XSR-3250 bent, maar toch heb je de instructies niet gelezen, moet je het doen voor de hierboven beschreven redenen. Je zult dan weten of je goed de alle beschikbare functies heb gebruikt, en of je fouten heb gemaakt die het leven van de Enterasys Networks XSR-3250 kunnen verkorten.
Maar de belangrijkste taak van de handleiding is om de gebruiker bij het oplossen van problemen te helpen met Enterasys Networks XSR-3250 . Bijna altijd, zal je daar het vinden Troubleshooting met de meest voorkomende storingen en defecten #MANUAl# samen met de instructies over hun opplosinge. Zelfs als je zelf niet kan om het probleem op te lossen, zal de instructie je de weg wijzen naar verdere andere procedure, bijv. door contact met de klantenservice of het dichtstbijzijnde servicecentrum.