Nokia IP265 Security Guide - Page 14


| Service | Description | Input | Output | Critical Security Parameter (CSP) Access |
|---|---|---|---|---|
| Communication (SIC) (row continued from the previous page) | establish trust between management server and the module to allow configuration of the module's services | and configuration data (SIC policy) | commands | (read/write access) |
| Monitoring | provides detailed information for both monitoring of connection activities and the system status | Commands | Status of commands and status information (logs) | None |
2.4.2 User Role
The User role accesses the module IPSec and IKE services. Service descriptions, inputs, and outputs are listed in Table 4.
| Service | Description | Input | Output | CSP |
|---|---|---|---|---|
| IKE | Access the module IKE functionality to authenticate to the module and negotiate IKE and IPSec session keys | IKE inputs and data | IKE outputs, status, and data | RSA key pair for IKE (read access); Diffie-Hellman key pair for IKE (read/write access); pre-shared keys for IKE (read access) |
| IPSec | Access the module's IPSec services in order to secure network traffic | IPSec inputs, commands, and data | IPSec outputs, status, and data | Session keys for IPSec (read/write access) |

Table 4 – User Services, Descriptions, Inputs and Outputs
2.4.3 Authentication Mechanisms
The modules implement password-based authentication (console and SSH), RSA-based authentication (TLS, IKE and SSH), and DSA-based authentication (SSHv2). HMAC SHA-1 is used for data packet integrity during authentication functions (IKE with pre-shared keys).
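Added example, not code from the Nokia security policy: how the HMAC-SHA-1 prf binds the pre-shared key into the IKEv1 main mode authentication hash (RFC 2409, section 5.4), and how a responder verifies the HASH_I it receives so that a wrong pre-shared key or a payload altered in transit is rejected. Nonces, cookies, Diffie-Hellman values and payload bodies are constructed placeholders, as are the function names.

```python
import hmac
import hashlib

# IKEv1 prf for pre-shared key authentication: HMAC-SHA-1, as named in the policy.
def prf(key: bytes, data: bytes) -> bytes:
    return hmac.new(key, data, hashlib.sha1).digest()

def skeyid_psk(psk: bytes, ni_b: bytes, nr_b: bytes) -> bytes:
    """SKEYID = prf(pre-shared-key, Ni_b | Nr_b); 20 bytes, equal on both
    peers only if they hold the same pre-shared key."""
    return prf(psk, ni_b + nr_b)

def hash_i(skeyid: bytes, gxi: bytes, gxr: bytes, cky_i: bytes, cky_r: bytes,
           sai_b: bytes, idii_b: bytes) -> bytes:
    """HASH_I = prf(SKEYID, g^xi | g^xr | CKY-I | CKY-R | SAi_b | IDii_b)."""
    return prf(skeyid, gxi + gxr + cky_i + cky_r + sai_b + idii_b)

def responder_accepts(psk: bytes, exchange: dict, received_hash_i: bytes) -> bool:
    """Responder check: recompute HASH_I from its own record of the exchange and
    the PSK it holds for this peer, comparing in constant time."""
    skeyid = skeyid_psk(psk, exchange["ni_b"], exchange["nr_b"])
    expected = hash_i(skeyid, exchange["gxi"], exchange["gxr"], exchange["cky_i"],
                      exchange["cky_r"], exchange["sai_b"], exchange["idii_b"])
    return hmac.compare_digest(expected, received_hash_i)

# Constructed sample exchange (not captured traffic; DH values are shortened
# placeholders, a real g^x is hundreds of bytes long).
EXCHANGE = {
    "ni_b": bytes(range(16)),                      # initiator nonce
    "nr_b": bytes(range(16, 32)),                  # responder nonce
    "gxi": b"\x01" * 32,                           # initiator DH public value
    "gxr": b"\x02" * 32,                           # responder DH public value
    "cky_i": b"\xaa" * 8,                          # initiator cookie
    "cky_r": b"\xbb" * 8,                          # responder cookie
    "sai_b": b"\x00\x00\x00\x01" + b"\x00" * 12,   # SA payload body
    "idii_b": b"\x0b\x00\x00\x00gw.example.test",  # initiator ID payload body
}

def demo() -> tuple:
    """Returns (correct PSK accepted, wrong PSK rejected, tampered hash rejected)."""
    good_psk = b"constructed-shared-secret"
    skeyid = skeyid_psk(good_psk, EXCHANGE["ni_b"], EXCHANGE["nr_b"])
    sent = hash_i(skeyid, EXCHANGE["gxi"], EXCHANGE["gxr"], EXCHANGE["cky_i"],
                  EXCHANGE["cky_r"], EXCHANGE["sai_b"], EXCHANGE["idii_b"])
    tampered = bytes([sent[0] ^ 0x01]) + sent[1:]   # one bit flipped in transit
    return (responder_accepts(good_psk, EXCHANGE, sent),
            responder_accepts(b"wrong-secret", EXCHANGE, sent),
            responder_accepts(good_psk, EXCHANGE, tampered))
```

The same SKEYID also seeds SKEYID_d, SKEYID_a and SKEYID_e, which is why the User role needs only read access to the pre-shared key while the derived session keys are read/write.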
2.4.3.1 Crypto Officer Authentication
The Crypto Officer must successfully authenticate before a management interface can be accessed. The authentication methods are described below.
© Copyright 2005, 2006, 2007 Nokia. Page 14 of 43.
This document may be freely reproduced and distributed whole and intact including this Copyright Notice.