Recommended
∙Change the default administrator password on the switch.
∙Disable all management protocols over private non- tunnelled interfaces
Required
∙Select the “FIPS Enabled” button on the Service Available Management screens and restart the module.
∙Apply the tamper evident labels as described in section 2.3
∙Disable cryptographic services that employ
∙For IPSec: When operating the device in a FIPS
∙For PPTP and L2TP: When operated in a FIPS
∙For L2P: CHAP must be disable to operate in a FIPS compliant manner.
∙The internal LDAP database must be used in place of an external LDAP server.
∙SSL cannot be used to establish secure connections
∙For RIP – In FIPS mode, MD5 must be disabled.
Note: A switch that has a Hardware Accelerator installed cannot be run in FIPS mode.
There are several services that are effected by transitioning the module into FIPS compliant mode. When the module is restarted in FIPS mode, several administrative services accessing the shell, including the debugging scripts, are disabled. RSA digital signatures are disabled in FIPS mode, because RSA digital signature is not a FIPS approved algorithm. When the module is in FIPS mode, the administrator is given additional authority to reset the default administrator’s password and username. The integrated firewall program, by Checkpoint, and the restore capabilities are disabled during FIPS mode. The FTP demon is also turned off, preventing any outside intruder from FTPing into the server.
In order to transition the mode out of FIPS mode, the FIPS disable button, on the Services Available management screen, must be clicked and the module must be restarted.
© Copyright 2000 Nortel Networks. | 14 |
