FIPS
● CHAP authentication services must be shut down
● Modem dial backup must be disabled
● CNA (Chatter) test plug application must be shut down
● SLS must be shut down
● Telnet service must be confined to IPSEC encrypted tunnel
● SNMP must be confined to SNMPv3 authentication service over an IPSEC encrypted tunnel
● TFTP configuration upload/download service must be confined to IPSEC encrypted tunnel
● FTP configuration upload/download service must be confined to IPSEC encrypted tunnel
● SCP client service must not be used
● Usage of Diffie-Hellman Group 1 for IKE key negotiation must be suppressed
● Usage of MD5 for IKE must be suppressed
● Usage of MD5 for ESP authentication operation in IPSEC must be suppressed
● Configuration channel between ICC/LSP (S8300) and Gateway (MGP) must be suppressed
FIPS-related CLI commands
● zeroize
● enhanced security
● show self-test-status
For a full description, see Avaya G250 and Avaya G350 CLI Reference, 03-300437.
Prerequisites for entering FIPS mode
● User type – crypto officer
● FIPS-approved hardware. Version 3.0.x or higher.
● FIPS-approved Media Gateway firmware. Refer to the "Validation Lists for cryptographic Standards" on the NIST Web site: http://crc.nist.gov/cryptval/aes/aesval.html
● Valid VPN license
606 Administration for the Avaya G250 and Avaya G350 Media Gateways