 11
IPSecProtocolTunnels
PPTPProtocolTunnels
L2TPProtocolTunnels
L2FProtocolTunnels
ChangePassword
2.4.1 CryptoOfficerServices
ThereisafactorydefaultloginIDandpassword,whichallowsaccesstotheCrypto
Officerrole.Thisinitialaccountistheprimaryadministrator'saccountfortheSwitch,
andguaranteesthatatleastoneaccountisabletoassumetheCryptoOfficerroleand
completelymanagetheswitchandusers.Theswitchcanalsobeconfiguredto
authenticatebasedonRSAdigitalsignatures.Anadministratoroftheswitchmayassign
permissiontoaccesstheCryptoOfficerroletoadditionalaccounts,therebycreating
additionaladministrators.EachadministratorwouldhaveaseparateIDandpassword.
Administratorsmayalwaysaccesstheswitchandauthenticatethemselvesviatheserial
port.TheymayalsoauthenticateasaUseroverasecuretunnelandthenauthenticateto
theswitchasaCryptoOfficerinordertomanagetheswitch.Anadministratorcanalso
configuretheswitchtoallowordisallowmanagementviaaprivateLANinterface,
withoutusingasecuretunnel.InitiallythedefaultconfigurationallowsHTTP
managementontheprivateLANinterfaceoftheSwitchwithoutrequiringasecure
tunnel.
Atthehighestlevel,CryptoOfficerservicesincludethefollowing:
ConfiguretheSwitch:todefinenetworkinterfacesandsettings,setthe
protocolstheswitchwillsupport,defineroutingtables,setsystemdateand
time,loadauthenticationinformation,etc.
CreateUserGroups:todefinecommonsetsofuserpermissionssuchas
accesshours,userpriority,passwordrestrictions,protocolsallowed,filters
applied,andtypesofencryptionallowed.Administratorscancreate,editand
deleteUserGroups,whicheffectivelydefinesthepermissionsetsfora
numberofUsers.
CreateUsers:todefineUseraccountsandassignthempermissionsusing
UserGroups.EveryUsermaybeassignedaseparateIDandpasswordfor
IPSec,PPTP,L2TP,andL2F,whichallowaccesstotheUserroles.
Additionally,anaccountmaybeassignedanAdministrationID,allowing
accesstotheCryptoOfficerrole.EachAdministratorIDisassignedrightsto
ManagetheSwitch(eithernone,viewswitch,ormanageswitch)andrightsto
ManageUsers(eithernone,viewusers,ormanageusers).
DefineRulesandFilters:tocreatepacketFiltersthatareappliedtoUser
datastreamsoneachinterface.EachFilterconsistsofasetofRules,which
defineasetofpacketstopermitordenybasedoncharacteristicssuchas
protocolID,addresses,ports,TCPconnectionestablishment,orpacket