Recommended

Change the default administrator password on the switch.

Disable all management protocols over private non-tunnelled interfaces.

Required

Select the “FIPS Enabled” button on the Service Available Management screens and restart the module.

Apply the tamper evident labels as described in section 2.3.

Disable cryptographic services that employ non-FIPS approved algorithms.

For IPSec: When operating the device in a FIPS 140-1 compliant manner, only the Triple DES ESP, DES ESP, and HMAC-SHA AH may be enabled. MD5 is not an approved FIPS algorithm.

For PPTP and L2TP: When operated in a FIPS 140-1 compliant manner, MS-CHAP and CHAP are not enabled with RC4 encryption.

For L2P: CHAP must be disabled to operate in a FIPS compliant manner.

The internal LDAP database must be used in place of an external LDAP server.

SSL cannot be used to establish secure connections.

For RIP: In FIPS mode, MD5 must be disabled.

Note: A switch that has a Hardware Accelerator installed cannot be run in FIPS mode.
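The required settings above can be audited mechanically. The following is an added example, not part of the Nortel security policy: it encodes the FIPS-mode rules listed above as checks over a simplified, constructed configuration dictionary (the field names here are assumptions for illustration and are not the switch's real configuration syntax).

```python
"""Audit a switch configuration against the FIPS-mode requirements above.

The configuration layout is a constructed, simplified dictionary for this
example; it does not reflect the Contivity's actual configuration format.
"""

# IPSec transforms permitted in FIPS 140-1 mode (from the Required list).
FIPS_IPSEC_TRANSFORMS = {"3DES-ESP", "DES-ESP", "HMAC-SHA-AH"}


def fips_violations(cfg):
    """Return a list of human-readable violations; empty means compliant."""
    v = []
    if not cfg.get("fips_enabled"):
        v.append("'FIPS Enabled' not selected on the management screen")
    if cfg.get("hardware_accelerator"):
        v.append("Hardware Accelerator installed: module cannot run in FIPS mode")
    # Only the approved ESP/AH transforms may be enabled; MD5 is not approved.
    for t in cfg.get("ipsec_transforms", []):
        if t not in FIPS_IPSEC_TRANSFORMS:
            v.append(f"IPSec transform {t} is not FIPS approved")
    # PPTP/L2TP: CHAP and MS-CHAP must not be combined with RC4 encryption.
    for proto in ("pptp", "l2tp"):
        tun = cfg.get(proto, {})
        if tun.get("rc4") and (tun.get("chap") or tun.get("ms_chap")):
            v.append(f"{proto.upper()}: CHAP/MS-CHAP enabled together with RC4")
    if cfg.get("ldap_server") != "internal":
        v.append("external LDAP server configured; internal database required")
    if cfg.get("ssl_enabled"):
        v.append("SSL enabled; SSL may not be used for secure connections")
    if cfg.get("rip", {}).get("md5_auth"):
        v.append("RIP MD5 authentication enabled")
    return v


# Constructed sample configurations (hypothetical values, not captured data).
NON_COMPLIANT = {
    "fips_enabled": True, "hardware_accelerator": False,
    "ipsec_transforms": ["3DES-ESP", "HMAC-MD5-AH"],
    "pptp": {"ms_chap": True, "rc4": True},
    "l2tp": {"chap": False, "rc4": False},
    "ldap_server": "external", "ssl_enabled": False,
    "rip": {"md5_auth": True},
}
COMPLIANT = {
    "fips_enabled": True, "hardware_accelerator": False,
    "ipsec_transforms": ["3DES-ESP", "HMAC-SHA-AH"],
    "pptp": {"ms_chap": False, "rc4": False},
    "l2tp": {"chap": False, "rc4": False},
    "ldap_server": "internal", "ssl_enabled": False,
    "rip": {"md5_auth": False},
}

if __name__ == "__main__":
    for line in fips_violations(NON_COMPLIANT):
        print("VIOLATION:", line)
```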

There are several services that are affected by transitioning the module into FIPS compliant mode. When the module is restarted in FIPS mode, several administrative services accessing the shell, including the debugging scripts, are disabled. RSA digital signatures are disabled in FIPS mode, because RSA digital signature is not a FIPS approved algorithm. When the module is in FIPS mode, the administrator is given additional authority to reset the default administrator’s password and username. The integrated firewall program, by Checkpoint, and the restore capabilities are disabled during FIPS mode. The FTP daemon is also turned off, preventing any outside intruder from FTPing into the server.

In order to transition the module out of FIPS mode, the FIPS disable button, on the Services Available management screen, must be clicked and the module must be restarted.

© Copyright 2000 Nortel Networks.
