Bay Networks 5390 Administering page 491

Configuring the IP Basic Security Option (IPSO)
The Department of Defense Basic Security Option for IP identifies the U.S. classification level at
which an IP datagram is to be protected and the authorities whose protection rules apply to each
datagram, as defined in RFC 1108. The Model 5390 server partially implements this security option
by adding the IPSO classification level to packets generated by telnet or rlogin running on a Model
5390 dedicated, adaptive, or CLI port. (The CLI port can be an auto_detect or auto_adapt port
that the user has put into cli mode by pressing Return when first connected to the port.) The Model
5390 server does not add the option to locally generated system packets, such as ICMP messages
and RIP updates. Nor does the Model 5390 server check incoming packets for the presence of the
IP Security Option.
To set the IPSO for packets generated on a port:
1
Use the na utility, the superuser CLI admin command, or SNMP to set the Model 5390
parameter enable_security to Y (the default is N).
2
Use na, admin, or SNMP to set the serial line port parameter ipso_class to one of the
following values: topsecret, secret, confidential, unclassified, or none. If you specify none
(the default), the Model 5390 server does not add the option to packets.
The following sample su session causes a basic security option of secret to be included in all packets
generated by ports 1 and 2.
annex: su
Password:
annex# admin
Annex administration Remote Annex R10.1, 24 ports
admin: set port=1,2 ipso_class secret
admin: set port mode cli
admin:
893-741-B
NOTE: The Model 5390 ftp daemon is compatible with all versions of
UNIX ftp. You can completely disable the Model 5390 ftp daemon by
setting ftpd in the disabled_modules parameter.
NOTE: The ipso_class parameter is also an object in the Bay Networks
private-enterprise MIB and can be set via SNMP (for more details, see
Simple Network Management Protocol (SNMP) starting on page B2-1).
Using Model 5390 Security
A15-71