Enterasys Networks XSR-3250 manual Roles and Services, Copyright 2003 Enterasys Networks Page 11


Roles and Services

The module supports role-based and identity-based authentication¹. There are two main roles in the module (as required by FIPS 140-2) that operators may assume: a Crypto Officer role and a User role.

Crypto Officer Role

The Crypto Officer role has the ability to configure, manage, and monitor the module. Three management interfaces can be used for this purpose:

CLI – The Crypto Officer can use the CLI to perform non-security-sensitive and security-sensitive monitoring and configuration. The CLI can be accessed locally by using the console port or remotely by using Telnet over IPSec or the SSHv2 secured management session.

SNMP – The Crypto Officer can use SNMPv3 to remotely perform non-security-sensitive monitoring and configuration.

Bootrom Monitor Mode – In Bootrom monitor mode, the Crypto Officer can reboot, update the Bootrom, issue file system-related commands, modify network parameters, and issue various show commands. The Crypto Officer can only enter this mode by pressing the key combination CTRL-C during the first five seconds of initialization. It can also be entered if Bootrom cannot find a valid software file.

Due to the different privilege levels (0-15) that can be assigned to each user, the Crypto Officer role can be split into different types of management users:

Super Crypto Officer – Management users with a privilege level of 15 assume the Super Crypto Officer role. Since 15 is the highest privilege level available, the Super Crypto Officer can issue all the configuration and monitoring commands available through the CLI and SNMP. Only the Super Crypto Officer can enter Bootrom monitor mode.

Junior Crypto Officer – Management users with a privilege level of 10 assume the Junior Crypto Officer role. The Junior Crypto Officer can issue all monitoring commands, including those at the higher security level, and some configuration commands. Examples of such commands are show running-config and show interfaces, and all SNMP show commands.

¹ Please note that overall the modules meet the level 2 requirements for Roles and Services.

© Copyright 2003 Enterasys Networks Page 11 of 25

This document may be freely reproduced and distributed whole and intact including this Copyright Notice.
