Enterasys Networks XSR-1805 - Manuals

Enterasys Networks XSR-1805 – Manual in PDF format online.

Manuals:

Manual

Manual Enterasys Networks XSR-1805

Summary

Page 2 - Table of Contents; Enterasys Networks

Table of Contents INTRODUCTION............................................................................................................. 3 P URPOSE ....................................................................................................................... 3 R EFERENCES ..................

Page 3 - Introduction; Purpose

Introduction Purpose This document is a nonproprietary Cryptographic Module Security Policy for the Enterasys Networks XSR-1805, XSR-1850, and XSR-3250 appliances. This security policy describes how the XSR-1805, XSR-1850, and XSR-3250 meet the security requirements of FIPS 140-2 and how to run the ...

Page 5 - Overview; Figure 1 – Typical Deployment of the XSR Modules

E NTERASYS N ETWORKS XSR-1805, XSR-1850, AND XSR-3250 Overview Part of the Enterasys Networks X-Pedition Security Router (XSR) series, the XSR-1805, XSR-1850, and XSR-3250 modules are networking devices that combine a broad range of IP routing features, a broad range of WAN interfaces and a rich sui...

Page 6 - The features of each XSR module are summarized in; Table 1; No; Some highlighted security features of the XSR modules are:

ideal to support mission- critical applications extending to the branch office. The XSR-3250 offers nearly ten times the performance speed of the XSR-1850 and approximately 15 times more VPN tunnels. Coupling these features with the six network interface module (NIM) slots makes the XSR-3250 ideally...

Page 8 - Module Interfaces

The software image is contained in a single file with the power-up diagnostics. It is based on the Nortel Open IP design model and runs on top of the VxWorks operating system. The modules are intended to meet overall FIPS 140-2 Level 2 requirements (see Table 2). Section Section Title Level 1 Crypto...

Page 10 - Module Physical Ports

• Three 10/100/1000BaseT GigabitEthernet LAN ports with two LEDs on each port, instead of the two 10/100BaseT FastEthernet LAN ports • Mini-Gigabit Interface Converter (MGBIC) fiberoptic port plus two LEDs • Two NCC slots with two NIM slots on each card • No power switch • No default configuration b...

Page 11 - Roles and Services; Crypto Officer Role; show

Roles and Services The module supports role-based and identity-based authentication 1 . There are two main roles in the module (as required by FIPS 140-2) that operators may assume: a Crypto Officer role and User role. Crypto Officer Role The Crypto Officer role has the ability to configure, manage,...

Page 12 - Service

• Read-only Crypto Officer – Management users with privilege level zero assume the Read-only Crypto Officer role. The Read-only Crypto Officer can only issue monitoring commands with low security level. Examples of commands are: show version and show clock . Descriptions of the services available to...

Page 15 - User; Table 6 – Estimated Strength of Authentication Mechanisms; Physical Security

mechanism is as strong as the RSA algorithm using a 1024 bit key pair. Pre-shared key-based authentication (IKE) User HMAC SHA-1 generation and verification is used to authenticate to the module during IKE with preshared keys. This mechanism is as strong as the HMAC with SHA-1 algorithm. Additionall...

Page 16 - Type; Note: DES should be used for legacy purposes only.

Cryptographic Key Management The modules implement the following FIPS-approved algorithms: Type Algorithm Standard Certificate Number AES (CBC) FIPS 197 Cert. #48, #106, #107 Triple-DES (CBC and ECB) FIPS 46-3 Cert. #158, #218, #219, #220 Symmetric DES (CBC) FIPS 46-3 Cert. #204, #238, #239, #240 DS...

Page 18 - Table 8 – Listing CSPs for the Module

IPSec session keys 56-bit DES, 168-bit TDES, or 128/192/256-bit AES keys; HMAC SHA-1 key Established during the Diffie-Hellman key agreement Stored in plaintext in memory Secure IPSec traffic Load test HMAC SHA-1 key ≥ 80-bit HMAC SHA-1 key External Stored encrypted in NVRAM of the real time clock c...

Page 19 - Session keys can be zeroized by rebooting the module.

If the master encryption key is generated within the module, the module outputs the key to the console as soon as the key is generated in order for the Crypto Officer to note down and store the key securely outside of the module. This is required, since the Crypto Officer must enter the current key ...

Page 20 - Conditional Self-tests

Self-Tests The module performs a set of self-tests in order to ensure proper operation in compliance with FIPS 140-2. These self-tests are run during power-up (power-up self-tests) or when certain conditions are met (conditional self-tests). Power-up Self-tests : • Software integrity tests: the modu...

Page 22 - The XSR modules; Initial Setup; Installation Guide: Attaching XSR Security; Setting Passwords; To set the Bootrom password; bp

S ECURE O PERATION The XSR modules meet level 2 requirements for FIPS 140-2. The sections below describe how to place and keep the module in a FIPS-approved mode of operation. The Crypto Officer must ensure that the module is kept in a FIPS-approved mode of operation. The procedures are described in...

Page 25 - CRONYMS

© Copyright 2003 Enterasys Networks Page 25 of 25 This document may be freely reproduced and distributed whole and intact including this Copyright Notice. A CRONYMS AAA Authentication, Authorization, and Accounting AES Advanced Encryption Standard ANSI American National Standards Institute BOM Bill ...