Enterasys Networks XSR-1805, XSR-1850, XSR-3250 manual Ssh, Snmp

Page 12

Read-only Crypto Officer – Management users with privilege level zero assume the Read-only Crypto Officer role. The Read-only Crypto Officer can only issue monitoring commands with low security level. Examples of commands are: show version and show clock.

Descriptions of the services available to the Crypto Officer role are provided in the table below.

Columns: Service | Description | Input | Output | Critical Security Parameter (CSP) Access

Service: SSH
Description: Provide authenticated and encrypted remote management sessions while using the CLI
Input: SSH key agreement parameters, SSH inputs, and data
Output: SSH outputs and data
CSP Access: DSA (SSHv2) host key pair (read access), Diffie-Hellman key pair (read/write access), session key for SSH (read/write access), PRNG keys (read access); Crypto Officer’s password (read access)

Service: IKE/IPSec
Description: Provide authenticated and encrypted remote management sessions while using Telnet to access the CLI functionality
Input: IKE inputs and data; IPSec inputs, commands, and data
Output: IKE outputs, status, and data; IPSec outputs, status, and data
CSP Access: RSA key pair for IKE (read access), Diffie-Hellman key pair for IKE (read/write access), pre-shared keys for IKE (read access); session keys for IPSec (read/write access)

Service: SNMP
Description: Non-security-sensitive monitoring and configuration using SNMPv3 (with standard MIB-II and proprietary MIB support)
Input: Commands and configuration data
Output: Status of commands, configuration data
CSP Access: Crypto Officer’s SNMP password (read/write access)

Service: Bootrom Monitor Mode
Description: Reboot, update the Bootrom, issue file system-related commands, modify network parameters, and issue various show commands
Input: Commands and configuration data
Output: Status of commands, configuration data
CSP Access: Crypto Officer’s Bootrom password (read/write access)

Service: Configuring Network
Description: Create or specify master encryption
Input: Commands and configuration data
Output: Status of commands and
CSP Access: Master encryption key (read/write

(This row is cut off at the page break and continues on the following page.)

© Copyright 2003 Enterasys Networks Page 12 of 25

This document may be freely reproduced and distributed whole and intact including this Copyright Notice.
