Carrier Access 1750 User Manual

Broadmore 1750 - Release 4.6
Security Management (FIPS Mode)
Authentication and Identification
The cryptographic module supports distinct operator roles and enforces the separation 
of these roles using identity-based operator authentication that requires a Username and 
Password, and optional SecurID.
The SecurID option has no effect on FIPS 140-2 compliance. When SecurID is 
enabled, operators must also enter a SecurID token before they can gain access to the 
Broadmore. The SecurID token is a number that may be constant or change every 
minute, and it is verified by an RSA Authentication Manager deployed at the customer 
site.
A username and password are always required to log in, whether or not SecurID is 
enabled. The mandatory username is an alphanumeric string of characters whose 
minimum length can be set by the Security Officer. The password is a string of 
characters from the 94 printable and human-readable characters whose length can be 
set by the Crypto Officer.
Passwords should be changed at least once every 6 months, and users should be instructed
to use a random combination of all the usable characters for passwords.
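An added example, not part of the manual or of the Broadmore software: a Python check of a candidate username and password against the rules above, plus the shortest password length that keeps random guessing under the FIPS 140-2 limits (1 in 1,000,000 per attempt, 1 in 100,000 per minute). The function names, the rate of 60 attempts per minute, the 183-day reading of 6 months and the reading of the 94 characters as printable ASCII without the space are assumptions.

```python
import string
from datetime import date

# Assumption: the "94 printable and human-readable characters" are printable
# ASCII without the space (52 letters + 10 digits + 32 punctuation marks).
ALPHABET = frozenset(string.ascii_letters + string.digits + string.punctuation)
MAX_AGE_DAYS = 183  # "every 6 months", approximated in days (assumption)


def guess_probability(length, attempts=1):
    """Chance that `attempts` distinct guesses hit one uniformly random password."""
    return min(1.0, attempts / len(ALPHABET) ** length)


def shortest_safe_length(max_probability, attempts=1):
    """Smallest password length whose guess probability is <= max_probability."""
    length = 1
    while guess_probability(length, attempts) > max_probability:
        length += 1
    return length


def audit_account(username, password, last_changed, today, min_user_len, min_pass_len):
    """Return a list of policy findings for one operator account (empty = clean)."""
    findings = []
    if not (username.isascii() and username.isalnum()):
        findings.append("username is not alphanumeric")
    if len(username) < min_user_len:
        findings.append("username shorter than configured minimum")
    if len(password) < min_pass_len:
        findings.append("password shorter than configured minimum")
    if set(password) - ALPHABET:
        findings.append("password uses characters outside the 94-character set")
    if (today - last_changed).days > MAX_AGE_DAYS:
        findings.append("password older than 6 months")
    return findings


if __name__ == "__main__":
    # FIPS 140-2 limits: 1 in 1,000,000 per attempt, 1 in 100,000 per minute.
    # 60 attempts per minute is a constructed rate, not a figure from the manual.
    print(shortest_safe_length(1e-6), shortest_safe_length(1e-5, attempts=60))
    # Constructed sample account, not taken from any real system.
    print(audit_account("op 1", "pass word", date(2023, 1, 1), date(2024, 1, 1), 6, 8))
```

The length returned is a floor for uniformly random passwords only; human-chosen passwords need a larger minimum to reach the same guessing resistance.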
Upon successful authentication, the role and privilege level are selected based on the 
identity (username) of the operator. At the end of a session, the operator should log off, 
though the user is automatically logged off after a configurable period of inactivity.
| Role | Privilege Level | Authorized Functions |
| --- | --- | --- |
| User | Browser | User is able to view almost all data plane information but is not able to affect anything. To protect security data, no file access is permitted. This role cannot access the security settings. |
| User | Operations | User is able to perform data plane configurations, such as defining PVCs and SVCs and configuring service card parameters. To protect security data, no file access is permitted under this privilege level. This role cannot access the security settings. |
| User | SysAdmin | User is able to perform global configuration operations such as redundancy. To protect security data, no file access is permitted. This role cannot access the security settings. |
| Crypto Officer | SuperUser | This role is required to manage system accounts, use SFTP, and alter security settings. Only users at this privilege level may turn FIPS mode on or off. |