Security Guidance – Carrier Access Broadmore 1750 User Manual


Broadmore 1750 - Release 4.6


Security Management

Security Guidance


Receipt and Inspection – Broadmore components containing operating system
software are packaged and sealed at the factory with tamper-proof security tape.
Upon receipt, carefully examine the security sealing tapes on the shipping
containers for any signs of tampering. (See “Receipt” on page 3-2.)

Security – Broadmore components containing operating system software (CPU
modules, memory modules, and storage media) should be handled in accordance
with applicable security procedures.

Initial Login – The Broadmore is shipped with a default username and password
for logging in the first time. A SuperUser should log in the first time to configure
the Broadmore for secure operation.
For maximum security, perform the following steps:
(1) configure IP access (via ethernet, LANE, or CIP)
(2) create a temporary SuperUser account
(4) delete the public SYSADMIN account and log out
(5) after logging in securely, you can safely create user accounts and configure
the Broadmore for secure operation.

Security Modes – The Broadmore is shipped with security turned off. Only a
SuperUser can change the FIPS and SecurID modes. If these security modes are
required, see the next chapter.

Potential Security Vulnerabilities
(1) The Broadmore accepts loose source routed IP packets, so it is recommended
that source routed packets be dropped on routers and firewalls. (See
manufacturer’s instructions.)
(2) The Broadmore RS-232 COM 1 serial port used for “Craft Access” does not
immediately terminate a management session if a user disconnects without typing
“exit”. During the following timeout period, another user can connect without
logging into the RS-232 port and other users are denied access through the
ethernet port. It is recommended that all accounts be created with “Remote
Access” only, except for one failsafe SuperUser account with “Craft Access.”
The craft password should be stored safely in the NOC. When needed, the
SuperUser can log into the craft port, fix things, change the password, log out,
and store the new password back in the NOC.
