Carrier Access Broadmore 1750 User Manual

Page 270


11-4

Broadmore 1750 - Release 4.6

Security Management (FIPS Mode)

Security Guidance

Potential Security Vulnerabilities
(1) Disabling fipsmode deletes existing user access accounts and cryptographic
keys and reverts the Broadmore to the factory default SuperUser ID and
password, which can deny management access and compromise security. No one
can log in until the Broadmore is rebooted. It is recommended that fipsmode be
changed only during initial setup and decommissioning.
(2) The Broadmore accepts loose source routed IP packets, so it is recommended
that source routed packets be dropped on routers and firewalls. (See
manufacturer’s instructions.)
(3) The Broadmore RS-232 COM 1 serial port used for “Craft Access” does not
immediately terminate a management session if a user disconnects without typing
“exit”. During the following timeout period, another user can connect without
logging into the RS-232 port, and other users are denied access through the
Ethernet port. It is recommended that all accounts be created with “Remote
Access” only, except for one failsafe SuperUser account with “Craft Access.”
The craft password should be stored safely in the NOC. When needed, the
SuperUser can log into the craft port, fix things, change the password, log out,
and store the new password back in the NOC.
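
For item (2), the check a router or firewall applies before dropping a packet can be sketched as below. This is an added example, not part of the Broadmore manual or any Carrier Access software; the function names and sample packets are constructed, the option type values are those of RFC 791, and it also covers strict source routing, which the manual does not mention.

```python
import struct

# IPv4 option type bytes from RFC 791.
LSRR = 0x83  # loose source and record route (type 131)
SSRR = 0x89  # strict source and record route (type 137)
EOL, NOP = 0x00, 0x01


def source_route_options(packet: bytes) -> list:
    """Return the source-route options present in an IPv4 header.

    Raises ValueError on a truncated or malformed header so that a filter
    built on this check can fail closed (drop) instead of passing the packet.
    """
    if len(packet) < 20:
        raise ValueError("shorter than a minimal IPv4 header")
    version, ihl = packet[0] >> 4, packet[0] & 0x0F
    if version != 4 or ihl < 5 or len(packet) < ihl * 4:
        raise ValueError("not a well-formed IPv4 header")
    options = packet[20:ihl * 4]
    found, i = [], 0
    while i < len(options):
        opt = options[i]
        if opt == EOL:                      # end of option list
            break
        if opt == NOP:                      # single-byte padding option
            i += 1
            continue
        if i + 1 >= len(options):
            raise ValueError("option missing its length byte")
        length = options[i + 1]
        if length < 2 or i + length > len(options):
            raise ValueError("option length out of bounds")
        if opt == LSRR:
            found.append("LSRR")
        elif opt == SSRR:
            found.append("SSRR")
        i += length
    return found


def build_header(options: bytes = b"") -> bytes:
    """Constructed sample header (RFC 5737 addresses, checksum left at 0)."""
    options += b"\x00" * (-len(options) % 4)   # pad options to 32 bits
    ihl = 5 + len(options) // 4
    return struct.pack("!BBHHHBBH4s4s", (4 << 4) | ihl, 0, ihl * 4, 0, 0, 64, 6,
                       0, bytes([192, 0, 2, 1]), bytes([198, 51, 100, 7])) + options
```

A filter would drop any packet for which the returned list is non-empty or for which the function raises.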

Initialization and Verification – When the Broadmore is powered up in the
FIPS mode, the FIPS 140-2 validated software will perform a self-test to verify
software integrity and cryptographic functions. To verify that the Broadmore is
operating in FIPS mode, see “Help About Security” on page 11-17.

Key Management – A DSA private host key is required for SSH2 connection
to the Broadmore. A default key is provided for use in initializing the Broadmore
after installation at the customer site. The SuperUser should change this key
before making the Broadmore operational and change it periodically in
accordance with local security practice.

System Clock – The system clock is used to time stamp all events recorded in the
system log and user audit log. To set the system clock, see “System Clock” on
page 11-14.
