Chapter 2 System Overview
— forced password change on initial login
— password storage hashing with Secure Hash Algorithm 1 (SHA-1)
Session Management Enhancements minimize the vulnerability of logged-on sessions by applying idle
session time-outs.
Account Management includes
• Minimize the vulnerability of User IDs
— Automatic disabling of unused accounts
— Set-based administration requires user ID and password
Account User ID Access Privilege Management includes the logged-on user ID session and access
display.
These enhancements to user-account access management provide a secure BCM access
environment, which makes it difficult for a malicious user to gain access to a BCM. BCM owners
can enforce secure account-access controls to the BCM to ensure secure BCM management and to
increase protection against potential vulnerabilities.
Secure interface and audit logging
This feature enhances interface security by adding secure access controls, security audit logs
(configchange.systemlog), and tracking of system activity by User ID, date, and time. Secure Interface
Access and Communications Controls provide
• support for Secure Copy (SFTP) SSH-encrypted file transfers
• support for Simple Network Management Protocol (SNMP) v2 and v3, including
encryption provided with v3
• BCM owner control of Nortel technical support access
• use of digital signatures and enhanced tamper detection to ensure trusted sources for
software upgrades (patches and software release upgrades)
• ability to test the system's ability to generate alarms and logs, including system security
alarms and logs
Audit log tracks critical changes to the system and the logon attempts, including
• last successful login identification and interface
• last failed login attempt and total failed logons since last successful logon
• configuration change log to track configuration changes to system by User ID
• RADIUS Support (Centralized Authentication and RADIUS Client to authenticate and
authorize using a centralized RADIUS server)
In addition to supporting IPsec tunnels for management, the ability to encrypt SNMP and file
transfers provides BCM users an expanded capability set for secure interface communications.
With audit logging of logon attempts, the BCM user can track security violation attempts and
determine further action. If you suspect a user ID security breach as a result of system
configuration changes, the audit logging of configuration changes provides traceability to user IDs
and interfaces.
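The audit view described above (last successful logon and interface, last failed attempt, failed logons since the last success, and configuration changes traced to a user ID) can be modeled as a fold over time-ordered events. This is an added example, not Nortel code: the record layout, event names, sample values, and review threshold are constructed assumptions and do not represent the format of configchange.systemlog.

```python
from dataclasses import dataclass, field
from typing import Optional

# Constructed sample records: (timestamp, user ID, interface, event, detail).
# This layout is an assumption for illustration, not the BCM log format.
SAMPLE_EVENTS = [
    ("2008-03-01T08:00:05", "admin1", "ssh", "LOGIN_OK", ""),
    ("2008-03-01T09:12:40", "admin1", "web", "LOGIN_FAIL", ""),
    ("2008-03-01T09:12:55", "admin1", "web", "LOGIN_FAIL", ""),
    ("2008-03-01T09:13:30", "admin1", "web", "LOGIN_OK", ""),
    ("2008-03-01T09:15:02", "admin1", "web", "CONFIG_CHANGE", "snmp.community"),
    ("2008-03-01T10:01:11", "oper2", "ssh", "LOGIN_FAIL", ""),
    ("2008-03-01T10:01:20", "oper2", "ssh", "LOGIN_FAIL", ""),
    ("2008-03-01T10:01:31", "oper2", "ssh", "LOGIN_FAIL", ""),
]

@dataclass
class AccountAudit:
    last_success: Optional[tuple] = None   # (timestamp, interface)
    last_failure: Optional[tuple] = None   # (timestamp, interface)
    failed_since_success: int = 0          # running count, reset on success
    failures_at_last_success: int = 0      # count a user would see at logon
    config_changes: list = field(default_factory=list)

def summarize(events):
    """Fold time-ordered events into a per-user-ID audit view."""
    accounts = {}
    for ts, user, iface, event, detail in sorted(events):
        acct = accounts.setdefault(user, AccountAudit())
        if event == "LOGIN_OK":
            acct.failures_at_last_success = acct.failed_since_success
            acct.last_success = (ts, iface)
            acct.failed_since_success = 0
        elif event == "LOGIN_FAIL":
            acct.last_failure = (ts, iface)
            acct.failed_since_success += 1
        elif event == "CONFIG_CHANGE":
            acct.config_changes.append((ts, iface, detail))
    return accounts

def flag_for_review(accounts, threshold=3):
    """User IDs whose unbroken run of failed logons meets the threshold."""
    return sorted(u for u, a in accounts.items()
                  if a.failed_since_success >= threshold)

if __name__ == "__main__":
    result = summarize(SAMPLE_EVENTS)
    for user, acct in result.items():
        print(user, acct)
    print("review:", flag_for_review(result))
```

In the constructed data, the configuration change is attributable to admin1 on the web interface, which logged on only after two failed attempts; that pairing is the kind of trace the paragraph above describes.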
NN40020-200