Carrier Access 1750 Authentication and Identification

11-6 Broadmore 1750 - Release 4.6

Security Management (FIPS Mode)

Authentication and Identification

Authentication and Identification

The cryptographic module supports distinct operator roles and enforces the separation

of these roles using identity-based operator authentication that requires a Username and

Password, and optional SecurID.

The SecurID option has no effect on FIPS 140-2 compliance. When SecurID is

enabled, operators must also enter a SecurID token before they can gain access to the

Broadmore. The SecurID token is a number that may be constant or change every

minute, and it is verified by an RSA Authentication Manager deployed at the customer

site.

A username and password are always required to log in, whether or not SecurID is

enabled. The mandatory username is an alphanumeric string of charac ters whose

minimum length can be set by the Security Officer. The password is a string of

characters from the 94 printable and human-readable characters whose length can be

set by the Crypto Officer.

Passwords be changed at least once every 6 months and that users be instructed to use

a random combination of all the usable characters for passwords.

Upon successful authentication, the role and privilege level are selected based on the

identity (username) of the operator. At the end of a session, the operator should log off,

though the user is automatically logged off after a configurable period of inactivity.

Role Privilege Level Authorized Functions

User Browser User is able to look at most all data plane information but is not able to

affect anything . To protect security data, no file access is permitted.

This role cannot access the security settings.

Operations User is able to perform data plane configurations, such as defining

PVCs, SVCs, configuring service card parameters. To protect security

data, no file access is permitted under this privilege level. This role

cannot access the security settings.

SysAdmin User is able to perform global configuration operations such as

redundancy. To protect security data, no file access is permitted. This

role cannot access the security settings.

Crypto

Officer SuperUser This role is required to manage system accounts, use SFTP, and alter

security settings. Only users at this privile ge leve l may turn FIPS

mode on or off.

Contents

Main Page P Compliance FCC Requirements, Part 15 W ARNING! Page Broadmore 1750 - Release 4.6 v NEBS Validated National Electrical Code Requirements Safety Information CAUTION! Notices DANGER! CAUTION! W ARNING! NOTE: Electrostatic Discharge (ESD) Precautions Broadmore 1750 - Release 4.6 ix Warranty Warranty Procedure x Broadmore 1750 - Release 4.6 Limitation of Warranty & Limitation of Remedies Broadmore 1750 - Release 4.6 xi xii Broadmore 1750 - Release 4.6 Warranty Product Returns Preface T ABLE OF C Preface 1 2 3 4 5 6 7 Page 8 9 10 11 12 A B C D E F G Index Glossary Page Product Description Purpose Applications Interfaces ATM Interfaces User Equipment Interfaces Product Description Management Interfaces Security FIPS Interface NOTE: Physical and Logical Interfaces User Interfaces File Access and Software Upgrades System Description Features Chassis Fan Tray NOTE: Power and Redundancy Grounding Alarms Modules NOTE: Broadmore 1750 - Release 4.6 1-11 Modules Example of Fully Redundant Configuration with Unstructured DS3-3 or E3-3 SAMs Example of Fully Redundant Configuration with Structured DS3 SAMs Module Descriptions OC-12c/STM-4c NIM NIM IOM Unstructured DS3-3 SAM Unstructured E3-3 SAM Unstructured DS3-3/E3-3 IOM Structured DS3 SAM Structured DS3 IOM Unstructured DS3-3/E3-3 IOM Protection IOM CPU CPU IOM Alarm Power Module (APM) Alarm Power Module IOM Page Planning and Ordering Guide Application Planning Guide Basic Features TDM Circuit Aggregation and Backhaul Mission-Critical Circuit Resiliency Page System Planning Factors System Architecture NOTE: 2-8 Broadmore 1750 - Release 4.6 Cell Bus Configuration Cell Bus Configuration ABCDEFGHJ KLMNP CPU QCPU RAPM Unstructured DS3-3/E3-3 Configuration Guidelines Structured DS3 Configuration Guidelines NOTE: ATM Bandwidth per Cell Bus ATM Bandwidth per Module ATM Network Loading Installation Planning Factors Page Ordering Guide Contact Information Broadmore 1750 Chassis Broadmore 1750 Options and Spares Planning and Ordering Guide Network Interface Module (NIM) Options NIM Sets Individual Modules Service Access Module (SAM) Options SAM Sets Individual Modules Receipt of Product Receipt NOTE: Unpacking W ARNING! Inspection W ARNING! Damage Reporting Page Chassis Installation and Grounding DANGER! W ARNING! Installation Factors Rack Mounting Mounting Brackets W ARNING! Rack Mounting Procedure DANGER! W ARNING! Chassis Grounding W ARNING! AC Power Supply Tray NOTE: Page Module and Fan Installation Page Module Installation Procedures Overview NOTE: Remove Chassis Covers W ARNING! Module Locations CAUTION! NOTE: Installation Sequence NOTE: NIM Installation NOTE: SAM Installation CPU Installation APM Installation NIM IOM Installation SAM IOM Installation Protection SAM IOM Installation CPU IOM Installation APM IOM Installation Replace Chassis Covers W ARNING! NOTE: Fan Tray Installation Procedure Remove Front Chassis Cover W ARNING! Fan Tray Installation Replace Chassis Cover W ARNING! Electrical Installation W ARNING! NOTE: Electrical Requirements Power Cable Management Cabling and Compliance Requirements Electrical Installation Alarm Port Connections Optical Interface Connections W ARNING! BITS Interface Connections NIM/SAM IOM Connections General Instructions NOTE: Unstructured DS3-3/E3-3 IOM Connections Structured DS3 IOM Connections CPU IOM Connections Remote Shutdown Connections Serial Port Connections Ethernet Connections Power Supply Connections W ARNING! Optional AC Power Supply Connections Page Broadmore Power Input Connector Connecting 48 VDC Power POWER Software Page Configuration CAUTION! OFFICER) SHOULD PERFORM THE INITIAL CONFIGURATION AND CREATE Power-up User Interface Requirements NOTE: Screen Display Annotation Key Map CAMMI Access NOTE: System Services Configuration CAM Name Page NOTE: Configuration ATM Address CAUTION! ATM Address List (optional) Page Page CIP over ATM (RFC 1577) Page Static Routes NOTE: LANE Configuration Page Configuration UNI Version NOTE: CAUTION! UNI SUPPORT. General Properties Page NOTE: User Security Configuration NOTE: Power Supply Redundancy Module Redundancy Protection Definitions NIM Redundancy NOTE: Page Page SAM Redundancy CAUTION! NOTE: Page CPU Redundancy IP Addresses CAUTION! Release CPU Control Reboot Standby CPU Install Single or Dual CPU Module Configuration How to Configure Specific Modules NOTE: Broadmore 1750 - Release 4.6 7-39 OC-12c/STM-4c OC-12c/STM-4c Item Options Comment OC-12c/STM-4c BITS/Timing Redundancy Page Page Unstructured DS3 SAM 7-44 Broadmore 1750 - Release 4.6 Table 7-2: Unstructured DS3 SAM Configuration Items Table 7-3: Unstructured DS3 SAM Diagnostics Configuration Broadmore 1750 - Release 4.6 7-45 Service RAI Auto X-bits 1 X-bits 0 7-46 Broadmore 1750 - Release 4.6 Table 7-4: Unstructured DS3 SAM Alarm Configuration Network Alarms Options Service Alar ms Page 7-48 Broadmore 1750 - Release 4.6 Table 7-6: Service Alarm Definitions Network Alarm Definition Broadmore 1750 - Release 4.6 7-49 Structured DS3 SAM Broadmore 1750 - Release 4.6 7-51 Table 7-7: Structured DS3 SAM Operational Configuration 7-52 Broadmore 1750 - Release 4.6 Table 7-8: Structured DS3 SAM Diagnostics Configuration Table 7-9: Structured DS3 SAM Alarms Broadmore 1750 - Release 4.6 7-53 Service Alarms Options Page Table 7-11: Structured DS3 SAM DS1 Tributary Configuration Table 7-12: Structured DS3 SAM DS0 Loopback Tributary Configuration 7-56 Broadmore 1750 - Release 4.6 Unstructured E3-3 SAM 7-58 Broadmore 1750 - Release 4.6 Table 7-13: Unstructured E3-3 SAM Operational Configuration Table 7-14: Unstructured E3-3 SAM Diagnostics Configuration Broadmore 1750 - Release 4.6 7-59 Item Options Comment Page Broadmore 1750 - Release 4.6 7-61 Table 7-16: Unstructured E3-3 SAM Network Alarms Network Alarm Definition 7-62 Broadmore 1750 - Release 4.6 Table 7-17: Unstructured E3-3 SAM Service Alarms PVC Connection NOTE: SVC Connection 7-66 Broadmore 1750 - Release 4.6 SVC Connection Item Definition VP Reservation NOTE: Page Page System Configuration Save Configuration Configuration Restore Configuration Delete Configuration Set Power-on Default Save Card Defaults Restore Card Defaults Page Page Maintenance and Troubleshooting Statistics Chassis Statistics OC-12c/STM-4c NIM Statistics Alarm Overview Slot Statistics for NIM/SAM Cards Maintenance and Troubleshooting Unstructured DS3 and Unstructured E3 SAM Statistics Unstructured DS3 Statistics Page Page Unstructured E3 SAM Statistics Page Page Page Page 24-Hour Statistics PLOA/AAL5 Statistics Troubleshooting NOTE: LED Alerts Error Codes NOTE: Redundancy CPU Sync NOTE: Problem Isolation Maintenance and Troubleshooting Port Loopback CAUTION! ACCESS ENGINEERS AND SHOULD NOT BE USED. 8-20 Broadmore 1750 - Release 4.6 Port Loopback Figure 8-1: Loopback Options Failure Recovery Alarm Response/Reset Flowchart CAUTION! Figure 8-2: Troubleshooting Flowchart Based On LEDs Broadmore 1750 - Release 4.6 8-23 8-24 Broadmore 1750 - Release 4.6 Figure 8-3: APM Major Alarm Troubleshooting Flowch art APM M ajor Alarm Troubleshooting Flow chart Figure 8-4: APM Minor Alarm Troubleshooting Flowchart Broadmore 1750 - Release 4.6 8-25 Figure 8-5: NIM Major Alarm Troubleshooting Flowchart 8-26 Broadmore 1750 - Release 4.6 Figure 8-6: NIM Minor Alarm Troubleshooting Flowchart Broadmore 1750 - Release 4.6 8-27 Figure 8-7: SAM Major Alarm Troubleshooting Flowchart 8-28 Broadmore 1750 - Release 4.6 Figure 8-8: SAM Minor Alarm Troubleshooting Flowchart Broadmore 1750 - Release 4.6 8-29 Repair/Replacement W ARNING! CAUTION! Power Supply NIM Replacement SAM Replacement IOM Replacement Maintenance and Troubleshooting CPU Replacement CAUTION! NOTE: CPU IOM Replacement Fan Replacement Integrated Fan/Alarm Module Replacement CAUTION! Page General Maintenance Fan Filter Cleaning and Replacement NOTE: Maintenance/Diagnostics Page Engineering Analysis Page 8-44 Broadmore 1750 - Release 4.6 Summary of Front Panel LEDs Summary of Front Panel LEDs The following table provides descriptions of the front panel LEDs for the Broadmore 1750. Module LED Display LED Color Definition Page Page Command Line Interface CLI Access NOTE: Command Line Interface Example: Creating and Running Scripts NOTE: Port Configuration Page Page About Command Page Security Management Security Features NOTE: Security Guidance Page Logging In NOTE: Log-in Banner System Clock NOTE: Network Time Protocol Broadmore 1750 - Release 4.6 10-9 Network Time Protocol Managing Users and Audit Trails User ID Rules Security Management Change User ID Adding a User Page User Audit Trails NOTE: NOTE: Security Management Deleting Audit Trails Archiving Audit Trails Page Page SNMP Messages Shell Commands (Non-FIPS Mode) FIPS Mode Authorized Access to Shell Commands Page FTP Login Page Security Management (FIPS Mode) Security Features NOTE: Security Guidance Page Page Authentication and Identification Authorized Services NOTE: Key Management Logging In NOTE: Logging in with SecurID Disabled Page Logging in with SecurID Enabled Page Log-in Banner System Clock NOTE: Network Time Protocol 11-16 Broadmore 1750 - Release 4.6 Network Time Protocol Changing Security Modes Help About Security Enabling FIPS Mode NOTE: Disabling FIPS Mode CAUTION! NOTE: Enabling SecurID NOTE: Setting up the first CPU Security Management (FIPS Mode) Setting up the second CPU Disabling SecurID NOTE: IP ICMP Messages SNMP Messages User Administration and Audit Trails User ID Rules NOTE: Security Management (FIPS Mode) Change User ID NOTE: Adding a User Page Security Management (FIPS Mode) Modifying a User User Audit Trails NOTE: NOTE: Deleting Audit Trails Archiving Audit Trails Page Shell Commands (FIPS Mode) fipsmode NOTE: selftest NOTE: settimeout NOTE: sshdShow Page sshdSessionShow scp Using SCP Enabling Debug Messages NOTE: resetSecurID zeroize W ARNING! Authorized Access to Shell Commands Page SFTP Login Logging in with SecurID Disabled NOTE: Page Logging in with SecurID Enabled Page Page SecurID Features Residual Data and Memory Volatility Non-Volatile Memory Network Interfaces Sanitation Procedures Page SNMP Configuration SNMP Overview NOTE: SNMP Properties 12-4 Broadmore 1750 - Release 4.6 SNMP Properties The following table lists the SNMP property selections. Page USM/VACM Configuration NOTE: Users Page Page NOTE: Page Groups Page Page Views Page View Edit Rules Access Page Broadmore 1750 - Release 4.6 12-21 Access Access Edit Rules Access Policy NOTE: Communities NOTE: Page Page Trap Configuration Trap Detection Overview Trap Management Overview 12-30 Broadmore 1750 - Release 4.6 Trap Management Overview Page Table Usage NOTE: Targets 12-34 Broadmore 1750 - Release 4.6 Targets The following table describes the selections. Target Parameters 12-36 Broadmore 1750 - Release 4.6 Target Parameters NOTE: in this table exists in the Notify Profiles table. The following table describes the selections. Notifications Page NOTE: Notify Filters NOTE: Notify Profiles NOTE: Page A Technical Specifications Broadmore 1750 Platform System Architecture Management Network Standards Redundancy Alarms Testing & Diagnostics Power Regulatory Approvals Physical Environment Broadmore Modules OC-12c Network Interface Modules (NIMs) DS3 (T3) Structured Circuit Emulation SAM NOTE: DS3 Unstructured Circuit Emulation SAM NOTE: E3 Unstructured Circuit Emulation SAM NOTE: Page B Spare Parts List Spare Parts List P/N Description Page C Software Error Messages NOTE: Troubleshooting on page 8-1 Broadmore 1750 - Release 4.6 C-3 System Errors System Errors The user cannot address these errors. Contact Carrier Access Customer Support. C-4 Broadmore 1750 - Release 4.6 Setup Errors Setup Errors These errors can usually be corrected by the user. Broadmore 1750 - Release 4.6 C-5 Setup Errors Page D Sample Network with RFC 1577 Configuration Page Page D-4 Broadmore 1750 - Release 4.6 Sample Network with RFC 1577 Classic IP (CIP) Over ATM Broadmore 1750 #3 Broadmore 1750 #1 CIP (RFC1577) Subnet Broadmore 1750 #2 Page Chassis Differences Broadmore Chassis Differences Hardware Differences Chassis Differences Software Differences Page F IPv6 Support Configuring IPv6 Addresses for Network Interfaces Adding an IPv6 Address Displaying an Address Deleting an IPv6 Address Pinging over IPv6 Pinging an IPv6 Host Ping the Loopback Interface Address Testing route6 Application F-6 Broadmore 1750 - Release 4.6 Showing all IPv6 routes config ured in the Broadmore Showing all IPv6 routes configured in the Broadmore Page Page Page Broadmore Command List Commands Available at the Command Prompt Broadmore Command List Commands Available at the CLI Prompt Page G Acronyms and Abbreviations Page Page Page Page Glossary of Terms ATM Adaptation Layer (AAL) Broadband Bearer Capability Glossary Constant Bit Rate Circuit Emulation Service (CES) End-to-End Timing Requirements Point-to-Point Connection Point-to-Multipoint Connection Quality of Service (QoS) Page Page I