Enterasys Networks XSR-1850 manual

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25

Go to page of

A good user manual

The rules should oblige the seller to give the purchaser an operating instrucion of Enterasys Networks XSR-1850, along with an item. The lack of an instruction or false information given to customer shall constitute grounds to apply for a complaint because of nonconformity of goods with the contract. In accordance with the law, a customer can receive an instruction in non-paper form; lately graphic and electronic forms of the manuals, as well as instructional videos have been majorly used. A necessary precondition for this is the unmistakable, legible character of an instruction.

What is an instruction?

The term originates from the Latin word „instructio”, which means organizing. Therefore, in an instruction of Enterasys Networks XSR-1850 one could find a process description. An instruction's purpose is to teach, to ease the start-up and an item's use or performance of certain activities. An instruction is a compilation of information about an item/a service, it is a clue.

Unfortunately, only a few customers devote their time to read an instruction of Enterasys Networks XSR-1850. A good user manual introduces us to a number of additional functionalities of the purchased item, and also helps us to avoid the formation of most of the defects.

What should a perfect user manual contain?

First and foremost, an user manual of Enterasys Networks XSR-1850 should contain:
- informations concerning technical data of Enterasys Networks XSR-1850
- name of the manufacturer and a year of construction of the Enterasys Networks XSR-1850 item
- rules of operation, control and maintenance of the Enterasys Networks XSR-1850 item
- safety signs and mark certificates which confirm compatibility with appropriate standards

Why don't we read the manuals?

Usually it results from the lack of time and certainty about functionalities of purchased items. Unfortunately, networking and start-up of Enterasys Networks XSR-1850 alone are not enough. An instruction contains a number of clues concerning respective functionalities, safety rules, maintenance methods (what means should be used), eventual defects of Enterasys Networks XSR-1850, and methods of problem resolution. Eventually, when one still can't find the answer to his problems, he will be directed to the Enterasys Networks service. Lately animated manuals and instructional videos are quite popular among customers. These kinds of user manuals are effective; they assure that a customer will familiarize himself with the whole material, and won't skip complicated, technical information of Enterasys Networks XSR-1850.

Why one should read the manuals?

It is mostly in the manuals where we will find the details concerning construction and possibility of the Enterasys Networks XSR-1850 item, and its use of respective accessory, as well as information concerning all the functions and facilities.

After a successful purchase of an item one should find a moment and get to know with every part of an instruction. Currently the manuals are carefully prearranged and translated, so they could be fully understood by its users. The manuals will serve as an informational aid.

Table of contents for the manual

  • Page 1

    XSR-1805, XSR-1850, and XSR-3250 (Hardware Version: REV 0A-G, Software Version: REL 6.3, Firmware Version : REL 6.3) FIPS 140-2 Non-Proprietary Security Policy Level 2 Validation Version 1.00 September 2003 © Copyright 2003 Enterasys Networks This document may be freely reproduced and distr ibuted whole and intact including this Copyr ight Notice.[...]

  • Page 2

    Table of Contents INTRODUC TION ............................................................................................................. 3 P URPOSE ....................................................................................................................... 3 R EFERENCES ...............................................................[...]

  • Page 3

    Introduction Purpose This document is a nonproprietary Cr yptographic Module Security Policy for the Enterasys Networks XSR -1805, XSR-1850, and XSR-3250 appliances. This security policy describes how the XSR-1805, XSR-1850, and XSR-3250 meet the security requirements of FIPS 140-2 and how to run the modules in a secure FIPS 140-2 mode. This policy[...]

  • Page 4

    This Security Policy and the other validation submission documentation were produced by Corsec Security , Inc. under contract to Enterasys Networks. With the exception of this Non-Proprietary Security Policy, the FIPS 140-2 Validation Do cumentation is proprietary to Enterasys Networks and can be released only under appropriate non-disclosure agree[...]

  • Page 5

    E NTERASYS N ETWORKS XSR-1805, XSR-1850, AND XSR-3250 Overview Part of the Enterasys Networks X-Pedi tion Security Router (XSR) series, the XSR-1805, XSR-1850, and XSR- 3250 modules are networking devices that combine a broad range of IP routing features, a broad range of WAN interfaces and a rich suite of network security functions, including site[...]

  • Page 6

    ideal to support mission- critical app lications extending to the branch office. The XSR-3250 offers nearly ten time s the performance speed of the XSR- 1850 and approximately 15 times more VPN tunnels. Coupling these features with the six network interf ace module (NIM) slots makes the XSR- 3250 ideally suited to a regional office required to term[...]

  • Page 7

    The hardware components for the XSR-18xx modules vary slightly to meet the performance level for each module. The XSR-1850 is an enhancement of the XSR-1805 consisting of the following additional features: • Two fans • External power source connector • One PMC slot for PPMC card • 19” 1.5 U rack-mount chassis • 64 MB of DRAM Due to the [...]

  • Page 8

    The software image is contained in a single file with the power-up diagnostics. It is based on the Nortel Open IP design model and runs on top of the VxWorks operating system. The modules are intended to m eet overall FIPS 140-2 Level 2 requirements (see Table 2). Section Section Title Level 1 Cryptographic Module Spe cification 2 2 Cryptographic M[...]

  • Page 9

    • Ten status LEDs • One power connector • One power switch • One default configuration button The XSR-1850 implements the same ph ysical ports as the XSR-1805 and the following additional ones: • External power source connector • PPMC slot for Processor The XSR-3250 varies to the XSR-1805 modules as follows: • One additional power sou[...]

  • Page 10

    • Three 10/100/1000BaseT GigabitEther net LAN ports with two LEDs on each port, instead of the two 10/100BaseT FastEthernet LAN ports • Mini-Gigabit Interface Converter (MGBIC) fiberoptic port plus two LEDs • Two NCC slots with two NIM slots on each card • No power switch • No default configuration button All of these physical ports are s[...]

  • Page 11

    Roles and Services The module supports role-based and identity- based authentication 1 . There are two main roles in the module (as required by FIPS 140-2) that operators may assume: a Crypto Of ficer role and User role. Crypto Officer Role The Crypto Officer role has the abili ty to configure, manage, and monitor the module. Three management inter[...]

  • Page 12

    • Read-only Crypto Officer – Mana gement users with privilege level zero assume the Read-only Crypto Officer role. The Read-only Crypto Officer can only issue monitoring commands with low security level. Examples of commands are: show version and show clock . Descriptions of the services availabl e to the Crypto Officer role are provided in the[...]

  • Page 13

    Management key; create DSA host key for SSHv2; create management users and set their password and privilege level; configure the SNMP agent configuration data access), DSA host key pair (read/write access), Cry pto Officer’s password for CLI and SNMP (read/write access) Configuring the T1/E1 Subsystem Interfaces Define the T1/E1 subsystem functio[...]

  • Page 14

    Firewall authorization information for network traffic that flows through the box. configuration data. commands and configuration data. Table 4 – Crypto Officer Services, Descri ptions, Inputs and Outputs, and CSPs User Role The User role accesses the module’s IPSec and IKE services. Service descriptions, inputs and outputs, and CSPs are lis te[...]

  • Page 15

    mechanism is as strong as the RSA algorithm using a 1024 bit key pair. Pre-shared key-based authentication (IKE) User HMAC SHA-1 generation and verification is used to authenticate to the module during IKE with preshared keys. This mechanism is as strong as the HMAC with SHA-1 algorithm. Additionally, preshared keys must be at least six characters [...]

  • Page 16

    Cryptographic Key Management The modules implement the fo llowing FIPS-approv ed algorithms: Typ e Algorithm Standard Certificate Number AES (CBC) FIPS 197 Cert. #48, #106, #107 Triple-DES (CBC and ECB) FIPS 46-3 Cert. #158, #218, #219, #220 Symmetric DES (CBC) FIPS 46-3 Cert. #204, #238, #239, #240 DSA FIPS 186-2 Change Notice 1 Cert. #97 Asymmetr[...]

  • Page 17

    the encryption accelerators. The encry ption accelerators implement the following FIPS-approved algorithms: • XSR-18xx – Triple-DES, DES, and HMAC SHA-1 • XSR-3250 – AES, Triple-DES, DES, and HMAC SHA-1 Cryptographic processing is performed during SSHv2, SNMPv3, IKE, IPSec, and when accessing and storing database files. The module supports [...]

  • Page 18

    IPSec se ssion keys 56-bit DES, 168-bit TDES, or 128/192/256-bit AES keys; HMAC SHA-1 key Established during the Diffie-Hellman key agreement Stored in plaintext in memory Secure IPSec traffic Load test HMAC SHA-1 key ≥ 80-bit HMAC SHA-1 key External Stored encrypted in NVRAM of the real time clock chip Compute and verify the HMAC SHA-1 value for[...]

  • Page 19

    If the master encryption key is gener ated within the module, the module outputs the key to the cons ole as soon as the key is generated in order for the Crypto Officer to note down and st ore the key securely outside of the module. This is required, since the Cr ypto Officer must enter the current key before changing or removing it. T he master se[...]

  • Page 20

    Self-Tests The module performs a set of self-t ests in order to ensure proper operation in compliance with FIPS 140-2. These self-tests are run during power-up (power-up self-tests) or when certain conditions are met (conditional self-tests). Power-up Self-tests : • Software integrity tests: the modules use an EDC, in the form of an MD5 checksum,[...]

  • Page 21

    • Continuous random number generator te st: this test is constantly run to detect failure of the random number generator of the module. • Manual key entry test: when enter ing a pre-shared key, master encryption key, or load test HMAC SHA-1 key, the module performs the manual key entry test by requesting the Crypto Officer to enter the key in t[...]

  • Page 22

    S ECURE O PERATION The XSR modules meet level 2 requirements fo r FIPS 140-2. The sections below describe how to place and keep the module in a FIPS-approved mode of operation. The Crypto Officer must ensure that the module is kept in a FIPS-approved mode of operation. The procedures are described in “Crypto Officer Guidance”. The User can use [...]

  • Page 23

    2. At the prompt <Enter curr ent password: >, press Enter. 3. At the prompt <Enter new pa ssword: >, enter the password. 4. At the prompt <Re-enter new pa ssword: >, re-enter the password. 5. At the prompt, enter bc for cold boot. The Crypto Officer must now set the at least six character long CLI password. To set the CLI password[...]

  • Page 24

    • Dial backup access must be disabled. • Syslog remote logging must be disabled. • VPN services can only be provided by IPSec or L2TP over IPSec. • Only SNMPv3 can be enabled. • If cryptographic algorithms can be set for services (such as IKE/IPSec and SNMP), only FIPS -approved algorithms can be specified. These include the following: o [...]

  • Page 25

    © Copyright 2003 Enterasys Networks Page 25 of 25 This document may be freely reproduced and distributed w hole an d intact including this Copyright Notice. A CRONYMS AAA Authentication, Au thorization, and Accounting AES Advanced Encryption Standard ANSI American Nati onal Standards Institute BOM Bill of Mate rials CLI Command Line Interface CSP [...]