 15
3 SecureOperationoftheContivitySwitch
TheContivitySwitchisaversatilemachine;itcanberuninaNormalOperatingModeor
aFIPSOperatingMode(FIPSmode).InFIPSmode,theswitchmeetsalltheLevel2
requirementsforFIPS140-1.ToplacethemoduleinFIPSmode,clickthe“FIPS
Enabled”buttonontheServicesAvailablemanagementscreenandrestartthemodule.A
numberofconfigurationsettingsarerecommendedwhenoperatingtheContivitySwitch
inaFIPS140-1compliantmanner.Otherchangesarerequiredinordertomaintain
compliancewithFIPS140-1requirements.Theseincludethefollowing:
Recommended:
  - Change the default administrator password on the switch.
  - Disable all management protocols over private non-tunneled interfaces.
Required:
  - Select the "FIPS Enabled" button on the Services Available management screen and restart the module.
  - Apply the tamper evident labels as described in section 2.3.
  - Disable cryptographic services that employ non-FIPS approved algorithms:
      - For IPsec: when operating the device in a FIPS 140-1 compliant manner, only the Triple DES ESP, DES ESP, and HMAC-SHA AH transforms may be enabled. MD5 is not an approved FIPS algorithm.
      - For PPTP and L2TP: when operated in a FIPS 140-1 compliant manner, MS-CHAP and CHAP must not be enabled with RC4 encryption (RC4 is not an approved FIPS algorithm).
      - For L2TP: CHAP must be disabled to operate in a FIPS compliant manner.
      - The internal LDAP database must be used in place of an external LDAP server.
      - Secure Sockets Layer (SSL) cannot be used to establish secure connections.
      - For Routing Information Protocol (RIP): in FIPS mode, MD5 authentication must be disabled.
ThereareseveralservicesthatareaffectedbytransitioningthemoduleintoFIPS
compliantmode.WhenthemoduleisrestartedinFIPSmode,severaladministrative
servicesaccessingtheshell,includingthedebuggingscripts,aredisabled.Whenthe
moduleisinFIPSmode,theadministratorisgivenadditionalauthoritytoresetthe
defaultadministrator’spasswordandusername.Theintegratedfirewallprogram,by
Checkpoint,andtherestorecapabilitiesaredisabledduringFIPSmode.TheFTPdemon
isalsoturnedoff,preventinganyoutsideintruderfromFTPingintotheserver.Inorder
totransitionthemodeoutofFIPSmode,theFIPSdisablebutton,ontheServices
Availablemanagementscreen,mustbeclickedandthemodulemustberestarted.
WhentransitioningthemodulefromNon-FIPSmodetoFIPSmode,theCryptoOfficer
shouldensurethatthemoduleisrunningonlytheNortelsupplied,FIPS140-1validated
firmware.Ifthereisaconcernthatthefirmwarehasbeenmodifiedduringoperationin
Non-FIPSmode(Thismightbedonebyanunauthenticatedmaliciousremoteuserwho