Nortel Networks 4600 User Manual
11
•
IPSec Protocol Tunnels
•
PPTP Protocol Tunnels
•
L2TP Protocol Tunnels
•
L2F Protocol Tunnels
•
Change Password
2.4.1
Crypto Officer Services
There is a factory default login ID and password, which allows access to the Crypto
Officer role. This initial account is the primary administrator's account for the Switch,
and guarantees that at least one account is able to assume the Crypto Officer role and
completely manage the switch and users. The switch can also be configured to
authenticate based on RSA digital signatures. An administrator of the switch may assign
permission to access the Crypto Officer role to additional accounts, thereby creating
additional administrators. Each administrator would have a separate ID and password.
Administrators may always access the switch and authenticate themselves via the serial
port. They may also authenticate as a User over a secure tunnel and then authenticate to
the switch as a Crypto Officer in order to manage the switch. An administrator can also
configure the switch to allow or disallow management via a private LAN interface,
without using a secure tunnel. Initially the default configuration allows HTTP
management on the private LAN interface of the Switch without requiring a secure
tunnel.
Officer role. This initial account is the primary administrator's account for the Switch,
and guarantees that at least one account is able to assume the Crypto Officer role and
completely manage the switch and users. The switch can also be configured to
authenticate based on RSA digital signatures. An administrator of the switch may assign
permission to access the Crypto Officer role to additional accounts, thereby creating
additional administrators. Each administrator would have a separate ID and password.
Administrators may always access the switch and authenticate themselves via the serial
port. They may also authenticate as a User over a secure tunnel and then authenticate to
the switch as a Crypto Officer in order to manage the switch. An administrator can also
configure the switch to allow or disallow management via a private LAN interface,
without using a secure tunnel. Initially the default configuration allows HTTP
management on the private LAN interface of the Switch without requiring a secure
tunnel.
At the highest level, Crypto Officer services include the following:
•
Configure the Switch: to define network interfaces and settings, set the
protocols the switch will support, define routing tables, set system date and
time, load authentication information, etc.
protocols the switch will support, define routing tables, set system date and
time, load authentication information, etc.
•
Create User Groups: to define common sets of user permissions such as
access hours, user priority, password restrictions, protocols allowed, filters
applied, and types of encryption allowed. Administrators can create, edit and
delete User Groups, which effectively defines the permission sets for a
number of Users.
access hours, user priority, password restrictions, protocols allowed, filters
applied, and types of encryption allowed. Administrators can create, edit and
delete User Groups, which effectively defines the permission sets for a
number of Users.
•
Create Users: to define User accounts and assign them permissions using
User Groups. Every User may be assigned a separate ID and password for
IPSec, PPTP, L2TP, and L2F, which allow access to the User roles.
Additionally, an account may be assigned an Administration ID, allowing
access to the Crypto Officer role. Each Administrator ID is assigned rights to
Manage the Switch (either none, view switch, or manage switch) and rights to
Manage Users (either none, view users, or manage users).
User Groups. Every User may be assigned a separate ID and password for
IPSec, PPTP, L2TP, and L2F, which allow access to the User roles.
Additionally, an account may be assigned an Administration ID, allowing
access to the Crypto Officer role. Each Administrator ID is assigned rights to
Manage the Switch (either none, view switch, or manage switch) and rights to
Manage Users (either none, view users, or manage users).
•
Define Rules and Filters: to create packet Filters that are applied to User
data streams on each interface. Each Filter consists of a set of Rules, which
define a set of packets to permit or deny based on characteristics such as
protocol ID, addresses, ports, TCP connection establishment, or packet
data streams on each interface. Each Filter consists of a set of Rules, which
define a set of packets to permit or deny based on characteristics such as
protocol ID, addresses, ports, TCP connection establishment, or packet