Administration of the Avaya G350 Media Gateway - Avaya Support
FIPS

Security level

The cryptographic module meets the overall requirements applicable to Level 1 security of FIPS 140-2.

Table 1: Module security level specification

Security Requirements Section              Level
Cryptographic Module Specification         1
Module Port and Interfaces                 1
Roles, Services and Authentication         2
Finite State Model                         1
Physical Security                          1
Operational Environment                    N/A
Cryptographic Key Management               1
EMI/EMC                                    1
Self-Tests                                 1
Design Assurance                           3
Mitigation of Other Attacks                N/A

Operational environment

The FIPS 140-2 Area 6 Operational Environment requirements are not applicable because the device does not support the loading and execution of un-trusted code. Avaya digitally signs firmware images of the crypto module using RSA SHA1 digital signature. Through this signature, the crypto module verifies the authenticity of any update to its firmware image.

Assumptions of roles

The cryptographic module supports eight distinct operator roles: Cryptographic-Officer, Read/Write User, Read-only User, RADIUS Server, OSPF Router Peer, PPPoE Client, IKE Peer, and Serial Number Peer.

The cryptographic module enforces the separation of roles using operator authentication. Refer to Table 14 for further information.
Table 14: Roles and required identification and authentication (1 of 2)

Role: Cryptographic-Officer (Admin User)
Type of authentication: Identity-based operator authentication
Authentication data: Username and Password. The module stores user identity information internally through the use of an external Radius Server database.
Description: The owner of the cryptographic module who has full access to the module's services

Role: User (Read/Write User)
Type of authentication: Identity-based operator authentication
Authentication data: Username and Password. The module stores user identity information internally through the use of an external Radius Server database.
Description: An assistant to the Admin User who has read/write access to a subset of configuration and status indications

Role: Read-only User
Type of authentication: Identity-based operator authentication
Authentication data: Username and Password. The module stores user identity information internally through the use of an external Radius Server database.
Description: An assistant to the Admin User who has read-only access to a subset of module configuration and status indications

Role: RADIUS Server
Type of authentication: Role-based operator authentication
Authentication data: Shared Radius secret. Gateway authenticates Radius server response by examining the MD5 hash of the shared secret, the request Authenticator, and other response values in a response message.
Description: An entity authenticates to the module for the purpose of permitting/denying access to services

Role: OSPF Router Peer
Type of authentication: Role-based operator authentication
Authentication data: Router peer Secret. Authentication of OSPF protocol executed by examining the authentication field in OSPF packet carrying MD5 hash of the packet and the secret.
Description: An entity authenticates to the module for the purpose of permitting/denying access to services

Issue 3 January 2005
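The RADIUS Server row of Table 14 describes a check on the Response Authenticator. The sketch below is an added example, not Avaya code and not part of the original manual; it assumes the gateway follows the standard RFC 2865 computation, and all function names, the shared secret and the sample packet are constructed for illustration.

```python
import hashlib
import hmac
import struct

ACCESS_ACCEPT = 2  # RADIUS code for Access-Accept (RFC 2865)


def response_authenticator(code, ident, attrs, request_auth, secret):
    """MD5(Code + ID + Length + RequestAuth + Attributes + Secret), RFC 2865."""
    header = struct.pack("!BBH", code, ident, 20 + len(attrs))
    return hashlib.md5(header + request_auth + attrs + secret).digest()


def verify_response(packet, request_id, request_auth, secret):
    """Return True only if the reply matches our request and the shared secret."""
    if len(packet) < 20 or len(request_auth) != 16:
        return False
    code, ident, length = struct.unpack("!BBH", packet[:4])
    # Reject bad Length fields and replies to a different outstanding request.
    if length < 20 or length > len(packet) or ident != request_id:
        return False
    packet = packet[:length]  # ignore any padding beyond the Length field
    received, attrs = packet[4:20], packet[20:]
    expected = response_authenticator(code, ident, attrs, request_auth, secret)
    return hmac.compare_digest(received, expected)  # constant-time compare


def build_response(code, ident, attrs, request_auth, secret):
    """Server side: assemble a reply carrying a valid Response Authenticator."""
    auth = response_authenticator(code, ident, attrs, request_auth, secret)
    return struct.pack("!BBH", code, ident, 20 + len(attrs)) + auth + attrs


# Constructed sample values (not taken from any real deployment).
SECRET = b"constructed-shared-secret"
REQUEST_AUTH = bytes(range(16))   # the 16-byte Authenticator sent in the request
REPLY_MSG = b"\x12\x07hello"      # attribute 18 (Reply-Message), length 7
GOOD = build_response(ACCESS_ACCEPT, 42, REPLY_MSG, REQUEST_AUTH, SECRET)
TAMPERED = GOOD[:-1] + b"!"       # one attribute byte altered in transit

if __name__ == "__main__":
    print("valid reply:   ", verify_response(GOOD, 42, REQUEST_AUTH, SECRET))
    print("tampered reply:", verify_response(TAMPERED, 42, REQUEST_AUTH, SECRET))
    print("wrong secret:  ", verify_response(GOOD, 42, REQUEST_AUTH, b"other"))
    print("mismatched ID: ", verify_response(GOOD, 41, REQUEST_AUTH, SECRET))
```

Because the hash covers the Request Authenticator chosen by the gateway, a reply captured from an earlier exchange fails the check even when the shared secret is correct.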