Enterasys Networks XSR-3250 Benutzerhandbuch
Firewall authorization
information for
network traffic that
flows through the
box.
network traffic that
flows through the
box.
configuration data.
commands and
configuration data.
configuration data.
Table 4 – Crypto Officer Services, Descriptions, Inputs and Outputs, and CSPs
User Role
The User role accesses the module’s IPSec and IKE services. Service
descriptions, inputs and outputs, and CSPs are listed in the following
table:
descriptions, inputs and outputs, and CSPs are listed in the following
table:
Service
Description
Input
Output
CSP
IKE
Access the module IKE
functionality to
authenticate to the
module and negotiate IKE
and IPSec session keys
functionality to
authenticate to the
module and negotiate IKE
and IPSec session keys
IKE inputs and data IKE outputs,
status, and data
RSA key pair for
IKE (read
access); Diffie-
Hellman key
pair for IKE
(read and write
access); pre-
shared keys for
IKE (read
access)
IKE (read
access); Diffie-
Hellman key
pair for IKE
(read and write
access); pre-
shared keys for
IKE (read
access)
IPSec
Access the module’s
IPSec services in order to
secure network traffic
IPSec services in order to
secure network traffic
IPSec inputs,
commands, and
data
commands, and
data
IPSec outputs,
status, and data
status, and data
Session keys for
IPSec (read and
write access)
IPSec (read and
write access)
Table 5 – User Services, Descriptions, Inputs and Outputs
Authentication Mechanisms
The module supports role-based and identity-based authentication. Role-
based authentication is performed before the Super Crypto Officer enters
Bootrom monitor mode and authenticates with just a password (and no
user ID). Identity-based authentication is performed for all other types of
Crypto Officer and User authentication. These include password-based
authentication, RSA-based authentication, and HMAC-based
authentication mechanisms.
based authentication is performed before the Super Crypto Officer enters
Bootrom monitor mode and authenticates with just a password (and no
user ID). Identity-based authentication is performed for all other types of
Crypto Officer and User authentication. These include password-based
authentication, RSA-based authentication, and HMAC-based
authentication mechanisms.
The estimated strength of each authentication mechanism is described
below.
below.
Authentication Type
Role
Strength
Password-based
authentication (CLI, SNMP,
and Bootrom monitor mode)
authentication (CLI, SNMP,
and Bootrom monitor mode)
Crypto Officer
Passwords are required to be at least six
characters long. Numeric, alphabetic (upper
and lowercase), and keyboard and
extended characters can be used, which
gives a total of 95 characters to choose
from.
characters long. Numeric, alphabetic (upper
and lowercase), and keyboard and
extended characters can be used, which
gives a total of 95 characters to choose
from.
Considering only the case-insensitive
alphabet using a password with repetition,
the number of potential passwords is 26^6.
the number of potential passwords is 26^6.
RSA-based authentication
(IKE)
(IKE)
User
RSA signing and verification is used to
authenticate to the module during IKE. This
authenticate to the module during IKE. This
© Copyright 2003
Enterasys Networks
Page 14 of 25
This document may be freely reproduced and distributed whole and intact including this Copyright Notice.