Nortel Networks 4600 User Manual
15
3
Secure Operation of the Contivity Switch
The Contivity Switch is a versatile machine; it can be run in a Normal Operating Mode or
a FIPS Operating Mode (FIPS mode). In FIPS mode, the switch meets all the Level 2
requirements for FIPS 140-1. To place the module in FIPS mode, click the “FIPS
Enabled” button on the Services Available management screen and restart the module. A
number of configuration settings are recommended when operating the Contivity Switch
in a FIPS 140-1 compliant manner. Other changes are required in order to maintain
compliance with FIPS 140-1 requirements. These include the following:
a FIPS Operating Mode (FIPS mode). In FIPS mode, the switch meets all the Level 2
requirements for FIPS 140-1. To place the module in FIPS mode, click the “FIPS
Enabled” button on the Services Available management screen and restart the module. A
number of configuration settings are recommended when operating the Contivity Switch
in a FIPS 140-1 compliant manner. Other changes are required in order to maintain
compliance with FIPS 140-1 requirements. These include the following:
Recommended
•
Change the default administrator password on the switch.
•
Disable all management protocols over private non-tunneled interfaces
Required
•
Select the “FIPS Enabled” button on the Service Available Management screens
and restart the module.
and restart the module.
•
Apply the tamper evident labels as described in section 2.3
•
Disable cryptographic services that employ non-FIPS approved algorithms.
•
For IPSec: When operating the device in a FIPS 140-1 compliant manner,
only the Triple DES ESP, DES ESP, and HMAC-SHA AH may be
enabled. MD5 is not an approved FIPS algorithm.
only the Triple DES ESP, DES ESP, and HMAC-SHA AH may be
enabled. MD5 is not an approved FIPS algorithm.
•
For PPTP and L2TP: When operated in a FIPS 140-1 compliant manner,
MS-CHAP and CHAP are not enabled with RC4 encryption.
MS-CHAP and CHAP are not enabled with RC4 encryption.
•
For L2P: CHAP must be disabled to operate in a FIPS compliant manner.
•
The internal LDAP database must be used in place of an external LDAP
server.
server.
•
Secure Sockets Layer (SSL) cannot be used to establish secure connections
•
For Routing Information Protocol (RIP) – In FIPS mode, MD5 must be
disabled.
disabled.
There are several services that are affected by transitioning the module into FIPS
compliant mode. When the module is restarted in FIPS mode, several administrative
services accessing the shell, including the debugging scripts, are disabled. When the
module is in FIPS mode, the administrator is given additional authority to reset the
default administrator’s password and username. The integrated firewall program, by
Checkpoint, and the restore capabilities are disabled during FIPS mode. The FTP demon
is also turned off, preventing any outside intruder from FTPing into the server. In order
to transition the mode out of FIPS mode, the FIPS disable button, on the Services
Available management screen, must be clicked and the module must be restarted.
compliant mode. When the module is restarted in FIPS mode, several administrative
services accessing the shell, including the debugging scripts, are disabled. When the
module is in FIPS mode, the administrator is given additional authority to reset the
default administrator’s password and username. The integrated firewall program, by
Checkpoint, and the restore capabilities are disabled during FIPS mode. The FTP demon
is also turned off, preventing any outside intruder from FTPing into the server. In order
to transition the mode out of FIPS mode, the FIPS disable button, on the Services
Available management screen, must be clicked and the module must be restarted.
When transitioning the module from Non-FIPS mode to FIPS mode, the Crypto Officer
should ensure that the module is running only the Nortel supplied, FIPS 140-1 validated
firmware. If there is a concern that the firmware has been modified during operation in
Non-FIPS mode (This might be done by an unauthenticated malicious remote user who
should ensure that the module is running only the Nortel supplied, FIPS 140-1 validated
firmware. If there is a concern that the firmware has been modified during operation in
Non-FIPS mode (This might be done by an unauthenticated malicious remote user who