Introducing the ASA 310-FIPS

The Concept of iKey Authentication

Access to sensitive data on an ASA 310-FIPS is protected by a combination of hardware tokens (called iKeys), passwords, and encryption procedures.

The iKey is a cryptographic token that is used as part of the authentication process for certain operations involving the HSM cards. Whenever you perform an operation on the ASA 310-FIPS calling for iKey authentication, you are prompted by the Command Line Interface to insert the requested iKey into the USB port on the appropriate HSM card. (When prompted for a particular iKey, a flashing LED always directs you to the correct HSM card.)

Types of iKeys

For each HSM card there are two unique iKeys used for identity-based authentication: the HSM-SO iKey and the HSM-USER iKey. These two iKeys correspond to the two user roles available: Security Officer and User. A password must be defined for each user role, and each password is directly associated with the corresponding iKey. The ASA 310-FIPS is equipped with two HSM cards, so you must maintain two pairs of HSM-SO and HSM-USER iKeys, with their associated passwords, for each single ASA 310-FIPS device.

After an HSM card has been initialized, that card will only accept the HSM-SO and HSM-USER iKeys that were used when initializing that particular card. You cannot create backup copies of the associated HSM-SO iKey and HSM-USER iKey, and a lost HSM-SO or HSM-USER password cannot be retrieved. It is therefore extremely important that you establish routines for how the iKeys are handled.

Wrap Keys for ASA 310-FIPS Clusters

In addition to the HSM-SO and HSM-USER iKeys specific to each HSM card, one pair of iKeys (the black HSM-CODE iKeys) must also be maintained for each cluster of ASA 310-FIPS units.

Note: It is strongly recommended that you label two of the black HSM-CODE iKeys "CODE-SO" and "CODE-USER" respectively; these iKeys are referred to by those names both in the documentation and in the Command Line Interface.

During the initialization of the first ASA 310-FIPS in a cluster, a wrap key is automatically generated. The wrap key is a secret shared among all ASA 310-FIPS devices in the cluster. It encrypts and decrypts sensitive information that is sent over the PCI bus within an ASA 310-FIPS, and over the network among the ASA 310-FIPS devices in the cluster. By inserting the CODE-SO iKey and the CODE-USER iKey in turn when requested

Nortel VPN Gateway

User Guide

NN46120-104 02.01 Standard

14 April 2008

Copyright © 2007-2008 Nortel Networks
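The manual describes the wrap key only as a shared secret that encrypts and decrypts sensitive material exchanged within a unit and among cluster members; it does not state which algorithm the ASA 310-FIPS uses. The following Go program is an added illustration of the general technique, not Nortel's code and not a description of the ASA 310-FIPS implementation: it implements the AES Key Wrap of RFC 3394, the standard way a key-encryption key protects other key material, and shows the property a defender cares about when key material crosses a bus or a network: unwrapping with the wrong wrap key, or of altered ciphertext, fails an integrity check instead of silently yielding garbage. The `Wrap` and `Unwrap` names are this example's own, and the key-encryption key and key data are the RFC 3394 section 4.1 test vector, not values from the page.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"encoding/binary"
	"encoding/hex"
	"errors"
	"fmt"
)

// rfc3394IV is the fixed 64-bit integrity check value defined by RFC 3394.
var rfc3394IV = []byte{0xA6, 0xA6, 0xA6, 0xA6, 0xA6, 0xA6, 0xA6, 0xA6}

// Wrap protects keyData (a multiple of 8 bytes, at least 16) under the
// key-encryption key kek using the AES Key Wrap algorithm of RFC 3394.
func Wrap(kek, keyData []byte) ([]byte, error) {
	if len(keyData) < 16 || len(keyData)%8 != 0 {
		return nil, errors.New("key data must be a multiple of 8 bytes and at least 16 bytes")
	}
	block, err := aes.NewCipher(kek)
	if err != nil {
		return nil, err
	}
	n := len(keyData) / 8
	a := append([]byte{}, rfc3394IV...) // A register
	r := append([]byte{}, keyData...)   // R[1..n], 8 bytes each
	buf := make([]byte, 16)
	var t [8]byte
	for j := 0; j <= 5; j++ {
		for i := 0; i < n; i++ {
			// B = AES(K, A | R[i]); A = MSB(B) ^ t; R[i] = LSB(B), with t = n*j + i (1-based i)
			copy(buf[:8], a)
			copy(buf[8:], r[i*8:(i+1)*8])
			block.Encrypt(buf, buf)
			binary.BigEndian.PutUint64(t[:], uint64(n*j+i+1))
			for k := 0; k < 8; k++ {
				a[k] = buf[k] ^ t[k]
			}
			copy(r[i*8:(i+1)*8], buf[8:])
		}
	}
	return append(a, r...), nil
}

// Unwrap reverses Wrap and rejects the output unless the recovered integrity
// value matches: a wrong wrap key or altered ciphertext is detected here.
func Unwrap(kek, wrapped []byte) ([]byte, error) {
	if len(wrapped) < 24 || len(wrapped)%8 != 0 {
		return nil, errors.New("wrapped data must be a multiple of 8 bytes and at least 24 bytes")
	}
	block, err := aes.NewCipher(kek)
	if err != nil {
		return nil, err
	}
	n := len(wrapped)/8 - 1
	a := append([]byte{}, wrapped[:8]...)
	r := append([]byte{}, wrapped[8:]...)
	buf := make([]byte, 16)
	var t [8]byte
	for j := 5; j >= 0; j-- {
		for i := n - 1; i >= 0; i-- {
			// B = AES^-1(K, (A ^ t) | R[i]); A = MSB(B); R[i] = LSB(B)
			binary.BigEndian.PutUint64(t[:], uint64(n*j+i+1))
			for k := 0; k < 8; k++ {
				buf[k] = a[k] ^ t[k]
			}
			copy(buf[8:], r[i*8:(i+1)*8])
			block.Decrypt(buf, buf)
			copy(a, buf[:8])
			copy(r[i*8:(i+1)*8], buf[8:])
		}
	}
	if !bytes.Equal(a, rfc3394IV) {
		return nil, errors.New("integrity check failed: wrong wrap key or corrupted data")
	}
	return r, nil
}

func main() {
	// Constructed values: the RFC 3394 section 4.1 test vector, not material from any device.
	kek, _ := hex.DecodeString("000102030405060708090A0B0C0D0E0F")
	keyData, _ := hex.DecodeString("00112233445566778899AABBCCDDEEFF")
	wrapped, err := Wrap(kek, keyData)
	if err != nil {
		panic(err)
	}
	fmt.Printf("wrapped:   %X\n", wrapped)
	unwrapped, err := Unwrap(kek, wrapped)
	fmt.Printf("unwrapped: %X (err=%v)\n", unwrapped, err)
	// A peer holding a different wrap key cannot recover the material, and learns that it cannot.
	wrongKek := append([]byte{}, kek...)
	wrongKek[0] ^= 0xFF
	_, err = Unwrap(wrongKek, wrapped)
	fmt.Println("unwrap with wrong wrap key:", err)
}
```

The integrity check is what distinguishes key wrap from plain block encryption: every cluster member must hold the same wrap key, and the unwrap step tells a member holding a stale or wrong key that it is out of sync rather than handing it corrupted key material.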

