IPSec Protocol Tunnels

PPTP Protocol Tunnels

L2TP Protocol Tunnels

L2F Protocol Tunnels

Change Password

2.4.1 Crypto Officer Services

There is a factory default login ID and password, which allows access to the Crypto Officer role. This initial account is the primary administrator's account for the Switch, and guarantees that at least one account is able to assume the Crypto Officer role and completely manage the switch and users. (This initial account always has manage switch and manage users rights.) An administrator of the switch may assign permission to access the Crypto Officer role to additional accounts, thereby creating additional administrators. Administrators may always access the switch and authenticate themselves via the serial port. They may also authenticate as a User over a secure tunnel and then authenticate to the switch as a Crypto Officer in order to manage the switch. An administrator can also configure the switch to allow or disallow management via a private LAN interface, without using a secure tunnel. Initially the default configuration allows HTTP management on the private LAN interface of the Switch without requiring a secure tunnel.

At the highest level, Crypto Officer services include the following:

Configure the Switch: to define network interfaces and settings, set the protocols the switch will support, define routing tables, set system date and time, load authentication information, etc.

Create User Groups: to define common sets of user permissions such as access hours, user priority, password restrictions, protocols allowed, filters applied, and types of encryption allowed. Administrators can create, edit and delete User Groups, which effectively defines the permission sets for a number of Users.

Create Users: to define User accounts and assign them permissions using User Groups. Every User may be assigned a separate ID and password for IPSec, PPTP, L2TP, and L2F, which allow access to the User roles. Additionally, an account may be assigned an Administration ID, allowing access to the Crypto Officer role. Each Administrator ID is assigned rights to Manage the Switch (either none, view switch, or manage switch) and rights to Manage Users (either none, view users, or manage users).

Define Rules and Filters: to create packet Filters that are applied to User data streams on each interface. Each Filter consists of a set of Rules, which define a set of packets to permit or deny based on characteristics such as protocol ID, addresses, ports, TCP connection establishment, or packet direction. The administrator may use any of the pre-defined Rules or create custom Rules to be included in each Filter.
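The Rule and Filter model described above can be made concrete with a small evaluator. The following is an added illustration written for this page, not code from the Nortel Contivity Switch or its security policy; the packet fields, the first-match ordering of Rules, and the default verdict of "deny" when no Rule matches are all assumptions of this example, and the filter and packets it builds are constructed sample data.

```python
"""Toy packet-filter evaluator (added illustration, not Contivity code)."""
from dataclasses import dataclass
from ipaddress import IPv4Network, ip_address, ip_network
from typing import List, Optional


@dataclass
class Packet:
    """The packet characteristics a Rule can test (constructed model)."""
    protocol: int                    # IP protocol number: 6 = TCP, 17 = UDP, 1 = ICMP
    src: str                         # source IPv4 address
    dst: str                         # destination IPv4 address
    src_port: Optional[int] = None   # transport ports (None for protocols without them)
    dst_port: Optional[int] = None
    direction: str = "in"            # "in" or "out" relative to the interface
    established: bool = False        # TCP segment belongs to an already-established connection


@dataclass
class Rule:
    """One set of match criteria plus its verdict. A field left at None is a wildcard."""
    action: str                              # "permit" or "deny"
    protocol: Optional[int] = None
    src: Optional[IPv4Network] = None
    dst: Optional[IPv4Network] = None
    dst_port: Optional[int] = None
    direction: Optional[str] = None
    established: Optional[bool] = None       # True = only established TCP segments

    def matches(self, pkt: Packet) -> bool:
        if self.protocol is not None and pkt.protocol != self.protocol:
            return False
        if self.src is not None and ip_address(pkt.src) not in self.src:
            return False
        if self.dst is not None and ip_address(pkt.dst) not in self.dst:
            return False
        if self.dst_port is not None and pkt.dst_port != self.dst_port:
            return False
        if self.direction is not None and pkt.direction != self.direction:
            return False
        if self.established is not None and pkt.established != self.established:
            return False
        return True


@dataclass
class Filter:
    """An ordered Rule list; the first matching Rule decides (assumed: no match = deny)."""
    name: str
    rules: List[Rule]

    def evaluate(self, pkt: Packet) -> str:
        for rule in self.rules:
            if rule.matches(pkt):
                return rule.action
        return "deny"


def build_example_filter() -> Filter:
    """Constructed filter: the private LAN may open HTTPS sessions and receive the replies."""
    private_lan = ip_network("10.1.0.0/16")
    return Filter(
        name="lan-web-only",
        rules=[
            # Outbound HTTPS from the private LAN.
            Rule("permit", protocol=6, src=private_lan, dst_port=443, direction="out"),
            # Inbound TCP only when it belongs to a connection the LAN already opened.
            Rule("permit", protocol=6, dst=private_lan, direction="in", established=True),
            # Explicit catch-all deny: same effect as the default, but visible in an audit.
            Rule("deny"),
        ],
    )


def classify(filter_: Filter, packets: List[Packet]) -> List[str]:
    """Return the verdict for each packet in order."""
    return [filter_.evaluate(p) for p in packets]


if __name__ == "__main__":
    f = build_example_filter()
    samples = [
        Packet(6, "10.1.2.3", "203.0.113.10", 40000, 443, "out"),          # LAN opens HTTPS
        Packet(6, "203.0.113.10", "10.1.2.3", 443, 40000, "in", True),     # reply segment
        Packet(6, "203.0.113.10", "10.1.2.3", 5555, 22, "in", False),      # unsolicited SSH
        Packet(17, "10.1.2.3", "203.0.113.10", 5000, 53, "out"),           # UDP not permitted
    ]
    for pkt, verdict in zip(samples, classify(f, samples)):
        print(f"{verdict:6s} {pkt}")
```

The design point worth noting is the trailing explicit deny: with first-match evaluation the switch's behaviour is the same whether or not it is present, but listing it makes the intended default part of the reviewable configuration rather than an implicit property of the evaluator.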

© Copyright 2000 Nortel Networks.
