
Enterasys C3G124-24 - Setting the Security Mode; About the Security Mode

Enterasys C3 Configuration Guide

Chapter 7: Setting the Security Mode
This chapter describes how to configure the switch security mode.
About the Security Mode
The security mode of a switch determines how the switch performs all cryptographic functions.
The security mode is set with the “set security profile” command. Currently, the modes supported
are:
• Normal, in which all supported cryptographic algorithms are available to be selected and used.
• Federal Information Processing Standard (FIPS) 140-2 mode, in which the switch adheres to the
  FIPS 140-2 Security Requirements for Cryptographic Modules. In this mode, all cryptographic
  functions are performed by the FIPS Cryptographic Module, including SSH, SSL, SNMPv3,
  and password encryption. Optional selection of non-FIPS-approved algorithms will fail.
FIPS mode is disabled by default. It can be enabled using the "set security profile c2" command.
FIPS mode is persistent and shown in the running configuration. When changing between Normal
and FIPS mode, a system reboot is required, indicated by a warning message:
Warning: Changing the security profile requires system reset.
Do you want to continue (y/n) [n]?
FIPS mode can be cleared using the "clear security profile" command.
When FIPS mode (security profile = c2) is enabled, FIPS cryptographic module initialization is
invoked as per Section 2.3 of the OpenSSL FIPS 140-2 Security Policy.
When FIPS mode (security profile = c2) is enabled, the default authentication mechanism for
SNMPv3 is HMAC-SHA-1. The entire SNMPv3 message will be checked for integrity using
HMAC-SHA-1. The authentication option of the "set snmp user" command will not accept MD5 as
an option. Only the FIPS cryptographic module will be used for HMAC-SHA-1 even if this same
algorithm is provided by other functions.
When FIPS mode (security profile = c2) is enabled, the encryption mechanism for SNMPv3 will be
AES-128. The encryption option of the "set snmp user" command will not accept DES as an option
while in FIPS mode. Only the FIPS cryptographic module will be used for AES-128 even if this
same algorithm is provided by other functions.
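Added example (not from the Enterasys guide): a check to run against a saved configuration before enabling security profile c2, listing SNMPv3 users whose "set snmp user" options name MD5 or DES, which the switch will not accept in FIPS mode. The sample configuration is constructed, and the keyword layout after "set snmp user" is an assumption for illustration.

```python
# Constructed sample configuration, not taken from a real switch.
# Assumption: each "set snmp user" option keyword (authentication, encryption)
# is followed directly by the algorithm name. Secrets are placeholders.
SAMPLE_CONFIG = """\
set security profile c2
set snmp user netops encryption aes privacy <priv-secret> authentication sha <auth-secret>
set snmp user legacy-nms authentication md5 <auth-secret>
set snmp user monitor encryption des privacy <priv-secret> authentication sha <auth-secret>
"""

# Algorithms the chapter says are refused in FIPS mode, keyed by option name.
REJECTED = {"authentication": {"md5"}, "encryption": {"des"}}


def fips_profile_enabled(config):
    """Return True if the configuration contains 'set security profile c2'."""
    return any(
        line.split() == ["set", "security", "profile", "c2"]
        for line in config.splitlines()
    )


def audit_snmp_users(config):
    """Return (line number, user, option, algorithm) for each SNMPv3 user
    definition that names an algorithm rejected in FIPS mode."""
    findings = []
    for lineno, raw in enumerate(config.splitlines(), 1):
        tokens = raw.split()
        if len(tokens) < 4 or tokens[:3] != ["set", "snmp", "user"]:
            continue
        user = tokens[3]
        # Walk adjacent token pairs: an option keyword and the value after it.
        for option, value in zip(tokens[4:], tokens[5:]):
            if value.lower() in REJECTED.get(option.lower(), ()):
                findings.append((lineno, user, option.lower(), value.lower()))
    return findings


if __name__ == "__main__":
    print("FIPS profile (c2) configured:", fips_profile_enabled(SAMPLE_CONFIG))
    for lineno, user, option, algo in audit_snmp_users(SAMPLE_CONFIG):
        print(f"line {lineno}: user {user!r} uses {option} {algo}, "
              "not accepted in FIPS mode")
```

Users flagged here need to be redefined with HMAC-SHA-1 authentication and AES-128 encryption before the profile change and reboot.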
The switch ensures that passwords are safeguarded during transit and while in storage using FIPS
140-2 commercial encryption provided by the FIPS module.
Sections in this chapter:
• About the Security Mode
• Additional Security Feature Information
• Commands
