Brocade® DCX, DCX 8510-8, DCX-4S and DCX 8510-4 Backbones ...
Brocade® DCX, DCX 8510-8, DCX-4S and DCX 8510-4 Backbones ...
Brocade® DCX, DCX 8510-8, DCX-4S and DCX 8510-4 Backbones ...
You also want an ePaper? Increase the reach of your titles
YUMPU automatically turns print PDFs into web optimized ePapers that Google loves.
Diffie-Hellman (DH) with 1024 bit or 2048 bit modulus (key agreement; key establishment<br />
methodology provides 80 bits of encryption strength)<br />
SNMPv3 (Cryptographic functionality does not meet FIPS requirements <strong>and</strong> is considered plaintext)<br />
HMAC-MD5 to support RADIUS authentication<br />
NDRNG – used for seeding Approved RNG<br />
SSHv2 KDF<br />
TLS KDF with HMAC-MD5<br />
TLS<br />
SSHv2<br />
RSA Key Transport (Key establishment methodology; 1024-bit keys provide 80-bits of encryption<br />
strength for TLS, use 2048-bit keys for SSH public key authentication)<br />
MD5 (used for password hash)<br />
RADIUS PEAP MS-CHAP V2<br />
Non-deterministic r<strong>and</strong>om number generator for seeding ANSI X9.31 DRNG<br />
The initial state of the cryptographic module is not in a FIPS-compliant state. The cryptographic module<br />
contains four default accounts: root, factory, admin, <strong>and</strong> user. Each default account has a public, default<br />
password.<br />
The cryptographic module may be configured for FIPS mode via execution of the following procedure:<br />
1) Perform zeroization operation<br />
2) Change passwords for all existing user accounts.<br />
3) Disable Telnet, HTTP, Remote Procedure Call (RPC)<br />
4) Enable HTTPS, Secure-RPC<br />
5) Do not use FTP<br />
a) Config Upload<br />
b) Config Download<br />
c) Support Save<br />
d) FW Download<br />
6) Disable Root Access<br />
7) Disable Boot PROM Access<br />
8) Do not use MD5 within Authentication Protocols; Diffie-Hellman with Challenge-H<strong>and</strong>shake<br />
Authentication Protocol (DH-CHAP) <strong>and</strong> FCAP.<br />
9) Do not define FCIP IKE or IPSec policies.<br />
10) Disable Management Interface IPSec/IKE<br />
11) Disable In-B<strong>and</strong> Management Interface<br />
12) Disable In-Flight Encryption<br />
13) Configure LDAP to use certificate-based authentication.<br />
14) Configure SNMP Access List for read-only access.<br />
15) Enable Self-Tests<br />
16) Within Radius, only use PEAP MS-CHAP V2. Configure RADIUS Server to only use PEAP MS-CHAP V2.<br />
17) Enable Signed FW Download<br />
18) Install removable front cover (as applicable) <strong>and</strong> apply tamper labels<br />
19) Enable FIPS mode via the “fipscfg – enable fips” comm<strong>and</strong><br />
Brocade Communications FOS 7.0.0b or FOS 7.0.0b1 <strong>DCX</strong> Security Policy v2.0 11