Dial backup access must be disabled.

Syslog remote logging must be disabled.

VPN services can only be provided by IPSec or L2TP over IPSec.

Only SNMPv3 can be enabled.

If cryptographic algorithms can be set for services (such as IKE/IPSec and SNMP), only FIPS-approved algorithms can be specified. These include the following:

oAES

oTriple-DES

oDES

oSHA-1

oHMAC SHA-1

oDSA

oRSA signature and verification

FTP and TFTP can only be used to load valid software files. (FTP and TFTP over IPSec can be used to transfer configuration files.)

The module logs must be monitored. If a strange activity is found, the Crypto Officer should take the module off line and investigate.

The tamper-evident labels must be regularly examined for signs of tampering.

User Guidance

The User accesses the module VPN functionality as an IPSec client. Although outside the boundary of the module, the User should be careful not to provide authentication information and session keys to other parties.

© Copyright 2003 Enterasys Networks Page 24 of 25

This document may be freely reproduced and distributed whole and intact including this Copyright Notice.

Page 23 Page 25
Page 24
Image 24
Enterasys Networks XSR-1805, XSR-1850, XSR-3250 manual User Guidance, Copyright 2003 Enterasys Networks Page 24
Page 23 Page 25
Top Page Image Contents