Nortel Networks 4500 FIPS User Manual


© Copyright 2000 Nortel Networks.


Recommended

Change the default administrator password on the switch.

Disable all management protocols over private non-tunnelled interfaces.

Required

Select the “FIPS Enabled” button on the Services Available management screen and restart the module.

Apply the tamper evident labels as described in section 2.3

Disable cryptographic services that employ non-FIPS approved algorithms:

For IPSec: When operating the device in a FIPS 140-1 compliant manner, only Triple DES ESP, DES ESP, and HMAC-SHA AH may be enabled. MD5 is not a FIPS approved algorithm.

For PPTP and L2TP: When operated in a FIPS 140-1 compliant manner, MS-CHAP and CHAP are not enabled with RC4 encryption.

For L2P: CHAP must be disabled to operate in a FIPS compliant manner.

The internal LDAP database must be used in place of an external LDAP server.

SSL cannot be used to establish secure connections.

For RIP: In FIPS mode, MD5 must be disabled.

Note: A switch that has a Hardware Accelerator installed cannot be run in FIPS mode.

Several services are affected by transitioning the module into FIPS compliant mode. When the module is restarted in FIPS mode, several administrative services that access the shell, including the debugging scripts, are disabled. RSA digital signatures are disabled in FIPS mode, because RSA digital signature is not a FIPS approved algorithm. When the module is in FIPS mode, the administrator is given additional authority to reset the default administrator’s password and username. The integrated firewall program, by Check Point, and the restore capabilities are disabled in FIPS mode. The FTP daemon is also turned off, so that no external party can connect to the module over FTP.
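The Required list and the paragraph above together form an allow-list of algorithms and services for FIPS mode. The script below is an added example, not code from the Nortel manual or the product: it parses a constructed configuration dump in an invented `key = value` format (the real switch export looks different) and reports every rule on this page that the sample violates. All key names, the sample values and the rule-to-key mapping are assumptions made for illustration.

```python
"""Audit a switch configuration dump against the FIPS 140-1 operating rules
listed on this page.  The config format and key names are invented for the
example; a real Contivity export looks different."""

from typing import Dict, List

# Algorithms the page allows per service when the module runs in FIPS mode.
APPROVED_ESP = {"3des", "des"}   # Triple DES ESP and DES ESP only
APPROVED_AH = {"hmac-sha"}       # HMAC-SHA AH only; MD5 is not approved
FORBIDDEN_RIP_AUTH = {"md5"}     # RIP MD5 authentication must be disabled

# Constructed sample: a switch that still carries several non-FIPS settings.
SAMPLE_CONFIG = """\
# hypothetical key = value export (constructed for this example)
fips.enabled = yes
hardware.accelerator = absent
ipsec.esp.encryption = 3des, des, aes
ipsec.ah.auth = hmac-sha, hmac-md5
pptp.auth = ms-chap
pptp.encryption = rc4
l2tp.auth = chap
l2tp.encryption = none
ldap.server = external
ssl.enabled = yes
rip.auth = md5
ftp.enabled = yes
"""


def parse_config(text: str) -> Dict[str, List[str]]:
    """Parse 'key = v1, v2' lines into a dict of lower-cased value lists.
    Blank lines and '#' comments are skipped."""
    cfg: Dict[str, List[str]] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or "=" not in line:
            continue
        key, _, value = line.partition("=")
        cfg[key.strip().lower()] = [v.strip().lower() for v in value.split(",") if v.strip()]
    return cfg


def audit_fips(cfg: Dict[str, List[str]]) -> List[str]:
    """Return one finding per violated rule; an empty list means compliant."""
    findings: List[str] = []

    def get(key: str) -> List[str]:
        return cfg.get(key, [])

    if get("fips.enabled") != ["yes"]:
        findings.append("fips.enabled: module is not running in FIPS mode")
    if get("hardware.accelerator") != ["absent"]:
        findings.append("hardware.accelerator: a switch with a Hardware Accelerator cannot run in FIPS mode")

    # IPSec: only the ESP and AH transforms named on the page may be enabled.
    for alg in get("ipsec.esp.encryption"):
        if alg not in APPROVED_ESP:
            findings.append(f"ipsec.esp.encryption: {alg} is not an approved ESP transform")
    for alg in get("ipsec.ah.auth"):
        if alg not in APPROVED_AH:
            findings.append(f"ipsec.ah.auth: {alg} is not an approved AH transform")

    # PPTP/L2TP: MS-CHAP and CHAP must not be enabled together with RC4 encryption.
    for proto in ("pptp", "l2tp"):
        auth = set(get(f"{proto}.auth")) & {"ms-chap", "chap"}
        if auth and "rc4" in get(f"{proto}.encryption"):
            findings.append(f"{proto}: {', '.join(sorted(auth))} enabled with RC4 encryption")

    if get("ldap.server") != ["internal"]:
        findings.append("ldap.server: external LDAP server in use; the internal database is required")
    if get("ssl.enabled") == ["yes"]:
        findings.append("ssl.enabled: SSL cannot be used to establish secure connections in FIPS mode")
    if FORBIDDEN_RIP_AUTH & set(get("rip.auth")):
        findings.append("rip.auth: MD5 must be disabled in FIPS mode")
    if get("ftp.enabled") == ["yes"]:
        findings.append("ftp.enabled: the FTP daemon must be off in FIPS mode")
    return findings


if __name__ == "__main__":
    for finding in audit_fips(parse_config(SAMPLE_CONFIG)) or ["compliant"]:
        print(finding)
```

Run against the constructed sample it reports seven findings (the AES ESP transform, HMAC-MD5 AH, MS-CHAP with RC4 on PPTP, the external LDAP server, SSL, RIP MD5 and the FTP daemon); L2TP passes because CHAP is enabled without RC4. The check is deliberately an allow-list on the IPSec side and a deny-list elsewhere, which mirrors how the page states each rule.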

In order to transition the module out of FIPS mode, click the “FIPS Disable” button on the Services Available management screen and restart the module.
