Roles and Services | Nortel Networks NN46120-104 instruction

9.0 Roles and Services 241

9.0Roles and Services

9.1Roles

The HSM supports two roles. These are the User role and the Security Officer role. Each role has a username and an iKey ID that are selectable by the security officer. The module must be handled in a secure manner prior to initialization because authentication is not required to initialize the module. Cryptographic keys and user-defined data which is created by a specific authenticated user cannot be deleted or modified by another user, regardless of the role. For example, a specific user of the User role may not delete or modify keys or data created by a different user of either the User or SO roles. The SO and User roles cannot operate simultaneously. Only one authenticated user is allowed at a time.

9.1.1 User

The User role can perform cryptographic operations using private keys which are encrypted and stored in flash. The User role cannot create a user.

9.1.2 Security Officer

The Security Officer role can also perform cryptographic operations using private keys which are encrypted and stored in flash. Additionally, the Security Officer may create a user, update the HSM firmware, or command the HSM to "uninitialize."

9.2 Authentication

The HSM uses identity-based authentication to allow subjects to assume one of the two roles. Usernames are transmitted to the HSM over the PCI interface to identify the user. A corresponding personal identification number (SOPIN or UserPIN as described in section 8.0) is input to the HSM from an iKey token over the trusted USB interface. This PIN is hashed and compared with a hash value which is stored in flash and associated with the user’s name on the HSM. If the two hash values match, the user is authenticated and assigned a role that is associated with the user’s name. To increase security in case the iKey token is compromised, an iKey ID is used to unlock the plaintext PIN that is stored in the iKey. This plaintext iKey ID is input into the module in plaintext

as part of the Login service. The module provides a SHA-1 of this iKey ID to the iKey token to unlock the PIN. Because the iKey ID does not authenticate the user to the module, but rather unlocks the plaintext PIN from the iKey, the iKey ID is not an SRDI.

9.3 Initialization

The HSM is shipped in an un-initialized state. At this point, it contains no private or secret keys. The Security Officer initializes the board. Performing this function generates an internally stored master key, and generates a random PIN, which is stored in the Security Officer’s

Nortel VPN Gateway

User Guide

NN46120-104 02.01 Standard

14 April 2008

NN46120-104 specifications

Nortel Networks NN46120-104 is a versatile and efficient telecommunications hardware platform designed to meet the demands of modern networking environments. As a part of Nortel’s extensive portfolio, this device showcases the company’s commitment to innovation and reliability in the telecom sector.

One of the main features of the NN46120-104 is its robust performance capabilities. This platform is capable of handling high traffic volumes, making it suitable for medium to large enterprises. With its advanced routing capabilities and support for various protocols, the device ensures seamless communication across multiple network segments, providing efficient data transfer and connectivity.

The NN46120-104 is built upon the foundation of Nortel's renowned Layer 3 switching technology. This allows it to intelligently direct data packets based on their IP addresses, optimizing both speed and reliability. The inclusion of Virtual LAN (VLAN) support enhances network segmentation, improving security and management while reducing broadcast domains.

In terms of interface options, the NN46120-104 supports an array of Ethernet configurations, including Gigabit and Fast Ethernet ports. This flexibility allows organizations to tailor their networking solutions to their specific needs while enabling easy upgrades as technology evolves. The device also supports Power over Ethernet (PoE), facilitating the deployment of powered devices like IP phones and wireless access points without the need for additional power sources.

Another significant characteristic of the NN46120-104 is its robustness in terms of security features. With support for advanced security protocols and features such as Access Control Lists (ACLs), the device helps safeguard sensitive data by controlling traffic flow and restricting unauthorized access.

Additionally, the NN46120-104 is designed for ease of management. It offers an intuitive interface and supports various management protocols, including Simple Network Management Protocol (SNMP), enabling administrators to monitor and configure the device efficiently.

In summary, the Nortel Networks NN46120-104 combines high performance, extensive connectivity options, advanced security features, and ease of management, making it a formidable choice for enterprises looking to enhance their network infrastructure. Its capabilities align well with the rigorous demands of today’s digital communication landscape, ensuring reliability and efficiency in organizational operations.

Nortel Networks NN46120-104 manual Roles and Services

Models: NN46120-104