Enterasys Networks XSR-1850 Crypto Officer Guidance, Copyright 2003 Enterasys Networks Page 22

SECURE OPERATION

The XSR modules meet level 2 requirements for FIPS 140-2. The sections below describe how to place and keep the module in a FIPS-approved mode of operation. The Crypto Officer must ensure that the module is kept in a FIPS-approved mode of operation. The procedures are described in “Crypto Officer Guidance”.

The User can use the module after the Crypto Officer changes the mode of operation to FIPS mode. The secure operation for the User is described in “User Guidance” on page 24.

Crypto Officer Guidance

The secure operation procedures for the Crypto Officer are covered in the Initial Setup and Management sections. Following these procedures ensures that the module runs in a FIPS-compliant manner.

Initial Setup

The Crypto Officer receives the module in a carton. Within the carton the module is placed inside an ESD bag. The Crypto Officer should examine the carton and the ESD bag for evidence of tampering. Tamper-evidence includes tears, scratches, and other irregularities in the packaging.

Since the module does not enforce an access control mechanism before it is initialized, the Crypto Officer must maintain control of the module at all times until the initial setup is complete.

Before turning on the module, the Crypto Officer must ensure that the module meets level 2 physical security requirements. To satisfy these requirements, the Crypto Officer must apply the tamper-evident labels provided in the FIPS kit. The Installation Guide: Attaching XSR Security Labels details how the labels must be applied to each module.

After all the labels are in place, the Crypto Officer can open a Console session to the XSR using Microsoft’s HyperTerminal, Procomm or another terminal program. The session properties must be set as follows: BPS – 9600, Data bits – 8, Parity – none, Stop bits – 1, Flow control – none.

Setting Passwords

During the first five seconds of initialization, the Crypto Officer must press the key combination CTRL-C to enter Bootrom monitor mode. After entering this mode, the Crypto Officer must set the Bootrom password, which must be at least six characters long.

To set the Bootrom password

1. Enter bp

© Copyright 2003 Enterasys Networks Page 22 of 25

This document may be freely reproduced and distributed whole and intact including this Copyright Notice.
