MNR S2500 Security Policy
Version 1.3, Revision Date: 1/13/2009
Entering FIPS Mode
To enter FIPS mode, the Crypto Officer must follow the procedure outlined in Table 3 below. For details on individual router commands, use the online help facility or review the Enterprise OS Software User Guide, version 15.4 and the Enterprise OS Software Reference Guide, version 15.4.
Step | Description |
|
|
1. | Configure the parameters for the IKE negotiations using the IKEProfile command. For FIPS |
| mode, only the following values are allowed: |
| Encryption Algorithm (AES or 3DES), Hash Algorithm (SHA), and Authentication Method |
| (PreSharedKey). |
|
|
2. | Manually establish via the local console port the |
| protocol using: |
| ADD |
| The PSK must be at least 80 bits in length with at least 80 bits of entropy. |
|
|
3. | Configure Ipsec and FRF.17 selector lists using the command |
| ADD |
| For FIPS mode, the selector list must be configured to encrypt all packets on an encrypted port, |
| e.g. ADD |
|
|
4. | If Ipsec is used, configure Ipsec transform lists using the ADD |
| command. For FIPS mode, only the following values are allowed: Encryption Transform (ESP- |
| 3DES, or |
|
|
5. | If FRF.17 is used, configure FRF.17 transform lists using the ADD |
| TransformLIst command. For FIPS mode, only the following values are allowed: Encryption |
| Transform |
|
|
6. | For each port for which encrypted is required, bind a dynamic policy to the ports using |
| ADD [!<portlist>] |
| <mode> <selctrlist_name> <xfrmlist_name> [<pfs>] [<lifetime>] [<preconnect>] |
| To be in FIPS mode, the selector list and transform list names must be defined as in previous |
| steps. |
|
|
7. | For each port for which encryption is required, enable encryption on that port using |
| SETDefault [!<portlist>] |
|
|
8. | |
|
|
| Table 3 – FIPS Approved mode configuration |
To review the cryptographic configuration of the router, use the following command:
Page 6