Security Management (FIPS Mode)
Security Guidance
Potential Security Vulnerabilities
(1) Disabling fipsmode deletes existing user access accounts and cryptographic keys and reverts the Broadmore to the factory default SuperUser ID and password, which can deny management access and compromise security. No one can log in until the Broadmore is rebooted. It is recommended that fipsmode be changed only during initial setup and decommissioning.
(2) The Broadmore accepts loose source-routed IP packets, so it is recommended that source-routed packets be dropped on routers and firewalls. (See manufacturer’s instructions.)
(3) The Broadmore
Initialization and Verification – When the Broadmore is powered up in the FIPS mode, the FIPS
Key Management – A DSA private host key is required for SSH2 connection to the Broadmore. A default key is provided for use in initializing the Broadmore after installation at the customer site. The SuperUser should change this key before making the Broadmore operational and change it periodically in accordance with local security practice.
System Clock – The system clock is used to time stamp all events recorded in the system log and user audit log. To set the system clock, see “System Clock” on page
| Broadmore 1750 - Release 4.6 |