Motorola S2500 Security Manual page 6

Entering FIPS Mode

To enter FIPS mode, the Crypto Officer must follow the procedure outlined in Table 3 below. For details on individual router commands, use the online help facility or review the Enterprise OS Software User Guide, version 15.4, and the Enterprise OS Software Reference Guide, version 15.4.

Step 1. Configure the parameters for the IKE negotiations using the IKEProfile command. For FIPS mode, only the following values are allowed: Diffie-Hellman Group (Group 2 or Group 5), Encryption Algorithm (AES or 3DES), Hash Algorithm (SHA), and Authentication Method (PreSharedKey).

Step 2. Manually establish, via the local console port, the pre-shared key (PSK) to be used for the IKE protocol using:
    ADD –CRYPTO FipsPreSharedKey <peer_ID> <pre-shared_key> <pre-shared_key>
The PSK must be at least 80 bits in length with at least 80 bits of entropy.

Step 3. Configure IPsec and FRF.17 selector lists using the command
    ADD –CRYPTO SelectorLIst
For FIPS mode, the selector list must be configured to encrypt all packets on an encrypted port, e.g.
    ADD –CRYPTO SelectorLIst s1 1 Include ANY 0.0.0.0/0 0.0.0.0/0

Step 4. If IPsec is used, configure IPsec transform lists using the ADD –CRYPTO TransformLIst command. For FIPS mode, only the following values are allowed: Encryption Transform (ESP-3DES or ESP-AES) and Authentication Transform (ESP-SHA).

Step 5. If FRF.17 is used, configure FRF.17 transform lists using the ADD –CRYPTO TransformLIst command. For FIPS mode, only the following values are allowed: Encryption Transform (FRF-3DES or FRF-AES) and Authentication Transform (FRF-SHA).

Step 6. For each port for which encryption is required, bind a dynamic policy to the port using
    ADD [!<portlist>] –CRYPTO DynamicPOLicy <policy_name> <priority> <mode> <selctrlist_name> <xfrmlist_name> [<pfs>] [<lifetime>] [<preconnect>]
To be in FIPS mode, the selector list and transform list names must be those defined in the previous steps.

Step 7. For each port for which encryption is required, enable encryption on that port using
    SETDefault [!<portlist>] –CRYPTO CONTrol = Enabled
FIPS-140-2 mode achieved.

Step 8. To review the cryptographic configuration of the router, use the following command:

Table 3 – FIPS Approved mode configuration
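As an added pre-flight check, not part of the Motorola policy or of Enterprise OS, the following Python script lints an operator-written description of the intended configuration against the Table 3 constraints before the Crypto Officer types the commands. The dict layout, the treatment of the last four fields of a SelectorLIst line as action/protocol/source/destination, and the Shannon-based entropy heuristic are assumptions of this example.

```python
import math

# Values Table 3 permits in FIPS mode; anything else is a finding.
FIPS_IKE = {"dh_group": {"2", "5"}, "encryption": {"AES", "3DES"},
            "hash": {"SHA"}, "auth": {"PreSharedKey"}}
FIPS_XFORMS = {"ipsec": {"ESP-3DES", "ESP-AES", "ESP-SHA"},
               "frf17": {"FRF-3DES", "FRF-AES", "FRF-SHA"}}
MIN_PSK_BITS = 80
# Rule from the step 3 example that encrypts every packet on the port.
ALL_TRAFFIC = ("Include", "ANY", "0.0.0.0/0", "0.0.0.0/0")


def psk_entropy_bits(psk: str) -> float:
    """Rough Shannon estimate (per-character entropy times length).
    A heuristic to catch obviously weak keys, not proof of 80 bits of entropy."""
    n = len(psk)
    if n == 0:
        return 0.0
    probs = [psk.count(c) / n for c in set(psk)]
    return -sum(p * math.log2(p) for p in probs) * n


def check_fips(cfg: dict) -> list[str]:
    """Return findings for an operator-built description of the intended
    configuration (hypothetical dict layout, not router output).
    An empty list means every Table 3 constraint checked here is met."""
    findings = []
    for key, allowed in FIPS_IKE.items():
        value = cfg["ike"].get(key)
        if str(value) not in allowed:
            findings.append(f"IKE {key}={value!r} is not allowed in FIPS mode")
    psk = cfg["psk"]
    if len(psk) * 8 < MIN_PSK_BITS:  # assumes one octet per character
        findings.append(f"PSK is {len(psk) * 8} bits long; need >= {MIN_PSK_BITS}")
    if psk_entropy_bits(psk) < MIN_PSK_BITS:
        findings.append("PSK entropy estimate is below 80 bits")
    # Selector lines as typed: ADD –CRYPTO SelectorLIst <name> <seq> <4-field rule>;
    # the last four tokens are treated as action, protocol, source, destination.
    rules = [tuple(line.split()[-4:]) for line in cfg["selector_lines"]]
    if ALL_TRAFFIC not in rules:
        findings.append("selector list has no 'Include ANY 0.0.0.0/0 0.0.0.0/0' rule")
    for encap, xforms in cfg["transforms"].items():
        bad = sorted(set(xforms) - FIPS_XFORMS[encap])
        if bad:
            findings.append(f"{encap} transform(s) not allowed in FIPS mode: {bad}")
    return findings
```

A PSK such as "password12" passes the 80-bit length test but fails the entropy estimate, which is the distinction step 2 draws.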
MNR S2500 Security Policy
Version 1.3, Revision Date: 1/13/2009
Page 6