beautypg.com

User role, Authentication mechanisms, Physical security – Enterasys Networks XSR-1805 User Manual

Page 14: User role authentication mechanisms

background image

Firewall authorization

information for
network traffic that
flows through the
box.

configuration data.

commands and
configuration data.

Table 4 – Crypto Officer Services, Descriptions, Inputs and Outputs, and CSPs

User Role

The User role accesses the module’s IPSec and IKE services. Service
descriptions, inputs and outputs, and CSPs are listed in the following
table:

Service

Description

Input

Output

CSP

IKE

Access the module IKE
functionality to
authenticate to the
module and negotiate IKE
and IPSec session keys

IKE inputs and data IKE outputs,

status, and data

RSA key pair for
IKE (read
access); Diffie-
Hellman key
pair for IKE
(read and write
access); pre-
shared keys for
IKE (read
access)

IPSec

Access the module’s
IPSec services in order to
secure network traffic

IPSec inputs,
commands, and
data

IPSec outputs,
status, and data

Session keys for
IPSec (read and
write access)

Table 5 – User Services, Descriptions, Inputs and Outputs

Authentication Mechanisms

The module supports role-based and identity-based authentication. Role-
based authentication is performed before the Super Crypto Officer enters
Bootrom monitor mode and authenticates with just a password (and no
user ID). Identity-based authentication is performed for all other types of
Crypto Officer and User authentication. These include password-based
authentication, RSA-based authentication, and HMAC-based
authentication mechanisms.

The estimated strength of each authentication mechanism is described
below.

Authentication Type

Role

Strength

Password-based
authentication (CLI, SNMP,
and Bootrom monitor mode)

Crypto Officer

Passwords are required to be at least six
characters long. Numeric, alphabetic (upper
and lowercase), and keyboard and
extended characters can be used, which
gives a total of 95 characters to choose
from.

Considering only the case-insensitive

alphabet using a password with repetition,
the number of potential passwords is 26^6.

RSA-based authentication
(IKE)

User

RSA signing and verification is used to
authenticate to the module during IKE. This

© Copyright 2003

Enterasys Networks

Page 14 of 25

This document may be freely reproduced and distributed whole and intact including this Copyright Notice.

This manual is related to the following products:
See also other documents in the category Enterasys Networks Hardware: