3 Secure Operation of the Brick 350 and Brick 1000 VPN Firewalls
The Brick 350 and Brick 1000 modules meet all the Level 2 requirements for FIPS 140-2.
Follow the setting instructions provided below to place the module in FIPS mode. Operating this
module without maintaining the following settings will remove the module from the FIPS
approved mode of operation.
3.1 Initial Setup
1. After removing the module from the packaging, the Crypto Officer must verify that the
tamper evidence warranty sticker(s) have not been compromised. If the warranty
sticker(s) shows signs of tampering, then the Crypto Officer shall consider the module to
have been compromised in transit and must not use the module. The Crypto Officer shall
contact Lucent for further instructions.
2. The Crypto Officer must apply tamper evidence labels as described in Section 2.4 of this
document.
3. Only a Crypto Officer may open the chassis. When removing the tamper evidence label,
the Crypto Officer should remove the entire label from the module and clean the cover of
any grease, dirt, or oil with an alcohol-based cleaning pad. The Crypto Officer must
re-apply tamper evidence labels on the module as described in Section 2.4.
4. For the Brick 1000 module: The Crypto Officer must apply the opacity shield as
described in Section 2.1 of this document.
3.2 Module Initialization and Configuration
1. The Crypto Officer must perform the initial configuration. Lucent LVF version 7.2.292
is the only allowable image; no other images may be loaded.
2. The Crypto Officer must include the following command in the configuration file
(inferno.ini):
fips=y
(Note: The Crypto Officer may use the Lucent LSMS for this purpose. The Crypto
Officer may toggle the FIPS checkbox from the 'Brick Editor' screen under the 'Options'
tab.)
3. The Crypto Officer must set a password on the Console/Serial/Keyboard/Monitor ports
via the following configuration file ("inferno.ini") command:
RemoteLoginId=<SHA-1 hash of the desired password>
(Note: The Crypto Officer may use the Lucent LSMS for this purpose. The Crypto
Officer may toggle the 'Enable Serial Port' checkbox and type in a password, followed by
a verification of the same password.)
4. The Crypto Officer must not execute the "bootstrap", "adproxy", "setauth", "wlstate",
"redirect", and "rlstate" commands while the module is in a FIPS approved mode of
operation.
5. For detailed instructions on the installation and configuration process, please see Chapter
3 of the Lucent Security Management Server, Administration Guide.
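An audit check for steps 2 to 4 of Section 3.2, given as an added example that is not part of the original document and is not Lucent code. It assumes inferno.ini is a flat file of key=value lines, that `#` and `;` start comments, that a later duplicate key overrides an earlier one, and that the SHA-1 value is written as 40 hexadecimal digits; the sample inputs are constructed.

```python
import re

# Commands step 4 prohibits while in the FIPS approved mode.
FORBIDDEN = {"bootstrap", "adproxy", "setauth", "wlstate", "redirect", "rlstate"}
# Assumption: the SHA-1 value is stored as 40 hexadecimal digits.
SHA1_HEX = re.compile(r"[0-9a-fA-F]{40}")


def parse_ini(text):
    """Parse key=value lines (assumed format); a later duplicate key wins."""
    settings = {}
    for line in text.splitlines():
        line = line.strip()
        # Assumption: '#' and ';' introduce comment lines.
        if not line or line.startswith(("#", ";")) or "=" not in line:
            continue
        key, value = line.split("=", 1)
        settings[key.strip()] = value.strip()
    return settings


def audit_config(text):
    """Return findings for steps 2 and 3; an empty list means both are satisfied."""
    settings = parse_ini(text)
    findings = []
    if settings.get("fips") != "y":
        findings.append("fips=y is missing or overridden")
    login = settings.get("RemoteLoginId")
    if login is None:
        findings.append("RemoteLoginId is not set")
    elif not SHA1_HEX.fullmatch(login):
        # Catches a plaintext password pasted where the hash belongs.
        findings.append("RemoteLoginId is not a 40-hex-digit SHA-1 value")
    return findings


def forbidden_commands(entered):
    """Return the entered command lines whose first word is prohibited by step 4."""
    return [c for c in entered if c.split() and c.split()[0] in FORBIDDEN]


# Constructed sample inputs, not taken from a real module.
GOOD = "fips=y\nRemoteLoginId=" + "ab" * 20 + "\n"
BAD = "fips=y\nRemoteLoginId=hunter2\nfips=n\n"

if __name__ == "__main__":
    print(audit_config(GOOD))
    print(audit_config(BAD))
    print(forbidden_commands(["placeholder-command", "setauth x", "rlstate"]))
```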