Manuals / Nortel Networks / Computer Equipment / Network Router

Nortel Networks NN46120-104 manual Conclusion, RC4 KAT

Models: NN46120-104

1 300

Download 300 pages 2.66 Kb

Page 252

252 HSM Security Policy

Self-Test	FIPS 140-1	Non-FIPS	When performed
	Mode	140-1 Mode

RC4 KAT	No	Yes	Power-up, Self-Test
			Service (ondemand)

RSA Key Gene	Yes	Yes	Generate And Store
ration Pairwise			RSA Key Pair Service,
Consistency Test			Generate And Return
			RSA Key Pair Service

Statistical	Yes	Yes	Power-up, Self-Test
Random Number			Service (ondemand)
Generator Tests
(Monobit, Poker,
Runs, Long Run)

Continuous	Yes	Yes	Whenever a pseudorand
Random Number			om number is generated:
Generator Test			key generation, Generate
			Random Number Service

Firmware RSA	Yes	Yes	Power-up, Self-Test
Signature			Service (ondemand),
Verification Test			Firmware Update, Verify
			Firmware Image Service

13.0 Conclusion

The HSM provides FIPS 140-1 Level 3 cryptographic processing, acceleration and security for RSA signing and verifying functions. In the non-FIPS140-1 mode, it can also bulk data cryptographic algorithms for PKI certificate server, firewall and web server equipment. It is suitable for use in applications requiring up to 200 public key transactions per second where protecting critical security parameters is a high priority. Industries requiring this high level of performance and security include (but are

not limited to) banking, telecommunications, e-commerce, and medical services. In the area of self-test, the HSM provides capabilities consistent with FIPS 140-1 Level 4.

Nortel VPN Gateway

User Guide

NN46120-104 02.01 Standard

14 April 2008

Copyright © 2007-2008 Nortel Networks

Image 252

Nortel Networks NN46120-104 manual Conclusion, RC4 KAT

Contents

User Guide Export LicensingContents Upgrading the NVG Software Snmp Agent 183 Copyright 2007-2008 Nortel Networks Preface Who Should Use This Book Related documentation VPN Gateway 6.0 Application Guide for SSL AccelerationProduct Names How This Book Is Organized Users GuideAppendices Adding User Preferences Attribute to Active Directory Typographic Conventions AaBbCc123Host# telnet IP Address How to Get Help Getting help from the Nortel Web siteIntroducing the VPN Gateway VPNSSL Acceleration VPN Hardware Platforms Feature List Software FeaturesWeb Portal Transparent Mode Access User AuthenticationUser Authorization Secure Service Partitioning Client SecurityAccounting and Auditing NetworkingBranch Office Tunnels Portal GuardSSL Acceleration Scalability and Redundancy Certificate and Key ManagementPublic Key Infrastructure Supported Key and Certificate Formats Supported Handshake ProtocolsHash Algorithms Cipher SuitesVirtual Desktop Secure Portable Office SPO ClientIntroducing the VPN Gateway Introducing the ASA 310-FIPS HSM Overview Extended Mode vs. Fips Mode FIPS140-1 Level 3 SecurityConcept of iKey Authentication Types of iKeysWrap Keys for ASA 310-FIPS Clusters Available Operations and iKeys Required CODE-USERHSM-SO HSM-US Additional HSM Information Introducing the ASA 310-FIPS Initial Setup Clusters New and JoinConﬁguration is Replicated among Master NVGs Clustering Over Multiple SubnetsIP Address Types Ports Interfaces One-Armed ConﬁgurationTwo-Armed Conﬁguration Two-Armed Configuration without Application Switch Conﬁguration at Boot Up Setup MenuInstalling an NVG in a New Cluster Setting Up a One-Armed ConﬁgurationStep Action Choose new from the Setup menu Specify the port you want to use for network connectivityEnter a default gateway address Enter network mask and Vlan tag IDEnter a Management IP address MIP Setting Up a Two-Armed Conﬁguration Configure the management interface port numberSpecify the host IP address for the current VPN Gateway Enter a default gateway address on the traffic interface Specify a new port number for the traffic interfaceSpecify a host IP address on the traffic public interface Interface gateway IP addressComplete the New Setup SelectPress Enter if correct Enter if correctTo accept WizardEnter to accept Create the account10.10.20.99 Enter Network mask for the pool range Creating IP poolSettings Created by the VPN Quick Setup Wizard Basic VPN Setup Default NetworkDefault Services Joining a VPN Gateway to an Existing Cluster Specify the port to be used for network connectivity Enter the VPN Gateway ’s host IP addressStep Action Choose join from the Setup menu Enter the Management IP address MIP of the existing clusterAccepts Complete the Join Setup Enter the default gateway on the traffic interfaceSpecify the VPN Gateway type Wait until the Setup utility has finished Admin userAs slave Installing an ASA 310-FIPS Installing an ASA 310-FIPS in a New ClusterUse Fips or Extended Security Mode? fips/extended HSM-SO password HSM-SO password, or use the same HSM-SO password as for Card Press Enter to select new Adding an ASA 310-FIPS to an Existing Cluster Setup Menu Join Join an existing iSD cluster New Adding an ASA 310-FIPS to an Existing Cluster Re-enter to confirm HSM-SO iKey has been updated For this HSM cardVerify that CODE-SO iKey black is inserted in card ClusterThat you used in Step End Reinstalling the Software Log in as user boot, password ForgetMeContinue y/n? y Press Enter to continue Tag id or EnterIf correct Restarting system Alteon WebSystems,I nc C Booting Login Upgrading the NVG Software Performing Minor/Major Release Upgrades Main# boot/software/downloadActivating the Software Upgrade Package Enter the host name or IP address of the serverEnter hostname or IP address of server server host Name or IPAt the Software Management# prompt, enter Software Management# curActivate ok, relogin Main# boot/software/curHere Upgrading the NVG Software Managing Users and Groups User Rights and Group Membership Step Action Log in to the NVG cluster as the admin user Access the User MenuAdding a New User Add the new user and designate a user nameDefine a login password for the user User# edit certadminAssign the new user to a user group Verify and apply the group assignmentGroups# /cfg/sys/user User# edit certadmin Apply the changesRemove the admin user from the certadmin group User# edit adminVerify and apply the changes Adding Users through Radius Login certadmin Changing a Users Group AssignmentStep Action Log in to the NVG cluster User admin# groups/add Enter group name certadmin Changing a Users Password Changing Your Own PasswordType the passwd command to change your current password Changing Another Users Password Type the password command to initialize the password changeApply the changes User# del certadmin Deleting a UserUser# list Oper Root Admin Certadmin User# apply Certiﬁcates and Client Authentication Generating and Submitting a CSR Using the CLI ~ ! @ # $ % * / \ ? Apply your changes Save the CSR to a fileSave the private key to a file KEY----- and -----END RSA Private KEY Open and copy the CSRSubmit the CSR to Verisign, Entrust, or any other CA Adding Certiﬁcates to the NVG PEM NET DERCopy the contents of your certificate file Copy-and-Paste CertiﬁcatesCertificate 1# apply Changes applied successfully Copy the contents of your private key file Paste the contents of the key file at the command promptCopy-and-Paste Private Key Using TFTP/FTP/SCP/SFTP to add Certiﬁcates and Keys Enter the desired file name Name or IP addressAdd your private key if in a separate file End Update Existing Certiﬁcate Create a New CertiﬁcateStep Action Check the certificate numbers currently in use Add a certificate with a new certificate numberConﬁgure a Virtual SSL Server to Require a Client Certiﬁcate Step ActionApply your settings Main# cfg/cur sslSSL# server RequireGenerating client certiﬁcates Enter for client certificateSpecify the validity period, key size, and serial number Key size 512/1024 Serial number of client certificate Main# cfg/ssl/server Export Client Certiﬁcate ComCert.pfx Transmit Private Key and Certiﬁcate to User Revoking Client Certiﬁcates Issued by an External CA Managing Revocation of Client CertiﬁcatesDownload and add a CRL from a TFTP/FTP/SCP/SFTP server Crl.der Crl.ascii Creating Your Own Certiﬁcate Revocation List Automatic CRL Retrieval Http//10.42.128.30/server.crl Main /cfg/cert 1/revoke/automaticInfo/certs command Enter the password in the Ndic login screen Click Connect Client certiﬁcate supportClick Connect Signing CSRs Paste the CSRMain# cfg/ssl/server #/adv/sslconnect/verify/cacer Generate Test Certiﬁcate Step Action Specify an unused certificate numberProvide the requested information Automatic CRL Retrieval General Commands Show Certiﬁcate InformationShow Subject Information Check if Key and Certiﬁcate MatchShow Key Size Show Key InformationCertificates and Client Authentication Virtual Desktop Running the Virtual Desktop on Client Computers Licensing vdesktopLaunch Vdesktop from Portal Click SaveVirtual Desktop Operations Command Line Interface Connecting to the VPN Gateway ProcedureEstablishing a Console Connection RequirementsEnabling and Restricting Telnet Access Establishing a Telnet ConnectionRunning Telnet Establishing a Connection Using SSH Secure Shell Enabling and Restricting SSH AccessRunning an SSH Client Telnet IP addressEstablishing a Connection Using SSH Secure Shell Accessing the NVG Cluster User Access Level Description Default Account Group Passwo ForgetMCLI vs. Setup Command Line History and Editing Idle Timeout Troubleshooting the NVG Enable Telnet or SSH Access Check the Access ListCannot Connect to VPN Gateway through Telnet or Verify the Current ConﬁgurationCheck the IP Address Conﬁguration Cannot Add an NVG to a Cluster Add Interface 1 IP Addresses and MIP to Access List # /cfg/sys/accesslist/addCannot Contact the MIP Troubleshooting the NVG NVG Stops Responding Telnet or SSH Connection to the Management IP AddressConsole Connection User Password is Lost Administrator User PasswordOperator User Password Root User PasswordPassword enter the admin user password An ASA 310-FIPS Stops Processing TrafﬁcMain# maint/hsm/login Password associated with the HSM-USER iKey for card# /info/events/alarms Resetting HSM Cards on the ASA 310-FIPS Main# /boot/delete End Step Action Existing Transfer the cluster wrap key to card Enter the same secret passphrase as was used Former clusterWait for the setup of the added ASA 310-FIPS to finish Same secret passphrase as was used in the former ClusterMain# cfg/gtcfg User Fails to Connect to the VPN AaaMain# maint/starttrace Dns IkeIpsec IppoolSsl Upref SmbFtp Netdirect NetdirectpacketIs Net Direct enabled and configured correctly? Netdirectpacket End Cannot download the NetDirect Zipped ﬁle from client PC System Diagnostics Installed Certiﬁcates and Virtual SSL ServersNetwork Diagnostics # /cfg/sys/cur # /stats/dump# /info/ethernet # ping IP address of virtual serverActive Alarms and the Events Log File Error Log Files# /cfg/ssl/server #/trace/ssldump # /info/events/downloadUnable to download NetDirect from VPN server Troubleshooting the NVG Appendix Supported Ciphers Supported CiphersSupported Ciphers cont’d Cipher List Formats Modifying a Cipher List Supported Cipher Strings and Meanings Cipher Strings and MeaningsCipher Strings and Meanings cont’d Appendix Snmp Agent Supported MIBs SNMPv2-MIBSNMP-FRAMEWORK-MIB SNMP-TARGET MIBSNMP-USER-BASED-SM-MIB LimitationsIP-MIB ALTEON-ISD-PLATFORM-MIB IANAifType-MIBSupported Traps Following Snmp traps are supported by the VPN GatewaySnmp Agent Appendix Syslog Messages Config filesystem corrupt beyond repair List of Syslog MessagesOperating System OS Messages Root filesystem corruptConfig filesystem corrupt Missing files in config filesystemSystem Control Process Messages System started isdssl-versionName isddown Name singlemasterName logopenfailed Name makesoftwarereleasepermanentfailedName copysoftwarereleasefailed Sender IP Name licenseName sslhwfail Name hsmnotloggedinName softwareconfigurationchanged Name partitionednetworkName ssimipishere Name licenseexpiresoonTrafﬁc Processing Messages Javascript error reason for hostpath Vbscript error reason for hostpathJscript.encode error reason Css error reasonHtml error reason Socks error reasonBad Ipport data line in hc script Bad regexp expr in health checkCertificate CRL handling errors Proxy connect host name too long hostGzip error reason TPS license limit limit exceededLicense expired Certificate CRL handling warningsStartup Messages Conﬁguration Reload Messages AAA Subsystem MessagesLog functionality Ldap backends unreachable Vpn=\id\ AuthId=\authid\Host host ip is up accounted for in the license pool IPsec Subsystem Messages All credits are exhausted for IPSec SA Ignoring request to roam from %s to %sPFS is required but not provided by %s Bad clicert, Can’t find issuer in clicert Error while decoding certificate DER IdFailed to allocate IP addr from empty pool Failed to decode client certDeleting the QM replaced by new rekeyed QM Revocation byte length %dLoaded ca certificate %s Loaded server cert %sSyslog Messages in Alphabetical Order Syslog Messages in Alphabetical OrderSyslog Messages in Alphabetical Order cont’d Config filesystem re-initialized Down AAA Html IPsec Isakmp SA Established Isddown Cfg/sys/cur command Gateway but /cfg/vpn # /ser Loaded server id *will not Processing Received Delete Isakmp SA Socks error reason System started isdssl-version VPN LoginFailed Vpn=id OpenSSL License Issues Appendix License InformationOriginal SSLeay License GNU General Public License GNU General Public LicenseTerms and Conditions for COPYING, Distribution Modification 227 License Information No Warranty Apache Software License, Version 231 License Information Appendix HSM Security Policy ScopeApplicable Documents OverviewCapabilities Algorithm How it is used by the HSM module Used Fips Mode?SHA-1 Physical Security Module InterfacesComponents Deﬁnition of Security Relevant Data Items HSM Security Policy Roles and Services Services User CreationYES Service FIPS140-1 Level 3 Mode EPK, DPK EPK MK, Sopin Key Management Key GenerationKey Storage Key Entry and OutputKey Distribution Fips 140-1 Mode ModesKey Destruction Key ArchivingNon-FIPS 140-1 Mode Self-TestsConclusion RC4 KATAppendix Deﬁnition of Key Codes Syntax Description Allowed Special CharactersRedeﬁnable Keys Allowed Special Characters ExplanationExample of a Key Code Deﬁnition File Appendix SSH host keys Methods for Protection VPN Gateway SSH host keys 261 Install All Administrative Tools Windows 2000 Server Register the Schema Management dll Windows ServerStep Action Click Start and select Run Add Standalone Snap-in window is displayed Under Snap-in, select Active Directory Schema and click Add Create a Shortcut to the Console WindowPermit Write Operations to the Schema Windows 2000 Server Right-click Attributes, point to New and select AttributeClick Continue Create New Class Create the isdUserPrefs attribute as shown Click OKCreate the nortelSSLOffload class as shown Add isdUserPrefs Attribute to nortelSSLOffload Class Click Next Click FinishAdd the nortelSSLOffload Class to the User Class Click OK Adding User Preferences Attribute to Active Directory Appendix Using the Port Forwarder API General Creating a Port Forwarder =1&c=1Demo Application Content.zip file Creating a Port Forwarder Authenticator ExampleExample Using the Port Forwarder API Adding a Port Forwarder Logger Using the Port Forwarder API Example Connecting Through a Proxy Monitoring the Port Forwarder StatusStatistics Using the Port Forwarder API Access Rules CLI Command Line InterfaceGlossary Base ProfileCluster of VPN Gateways Console ConnectionCRL Certificate Revocation List CSR Certificate Signing RequestDIP Destination IP Address DPort Destination PortDTE Data Terminal Equipment Extended ProfileHttp Proxy IP InterfaceMaster MIB Management Information BaseNslookup NTP Network Time ProtocolPassphrase PEM Privacy Enhanced MailSetup Utility PortalPort Forwarder Real Server GroupSIP Source IP Address SlaveSnmp Simple Network Management Protocol SPort Source PortSSL Secure Sockets Layer Protocol SSL VPN clientSTP Spanning Tree Protocol TLS Transport Layer SecurityVIP Virtual Server IP Address Virtual RouterVirtual SSL Server Vlan Virtual Local Area Network509 Index HSM SSL 298 Page User Guide