Non-Proprietary Security Policy, Version 0.18
May 25, 2007
Nortel VPN Router 600, 1700, 1750, 2700, and 5000
© 2007 Nortel Networks
This document may be freely reproduced and distributed whole and intact including this copyright notice.
The Nortel VPN Router 5000 requires a tamper-evident label on each of the two bezel screws to seal the
module. For the VPN Router 5000, labels should be placed at an angle to avoid molding the labels over the curved
handles, which would also hide the front LEDs.
Figure 9 - Tamper evidence label for 5000
2.2 Crypto-Officer Guidance
The Crypto-Officer is the administrator for the router and does the initial setup and maintenance.
2.2.1 Initialization
The modules are shipped with a default administrator ID and password. The FIPS Mode of operation can be enabled
from the CLI or web GUI. When FIPS Mode is enabled, the modules automatically reboot and disable the following
features/services.
· Debugging scripts are disabled
· File Transfer Protocol (FTP) is disabled on the public interface
· Telnet is disabled on the public interface
· The 'NULL' encryption option is disabled for IPSec services
The Crypto-Officer must also perform these additional actions to put the modules in a FIPS Mode:
· Change the default administrator password
· The Crypto-Officer password must be configured to a minimum length of 8 characters
· RADIUS shared secret must be a minimum length of 6 characters
· Maximum number of login attempts must be configured to five
· RSA key size of 1024 bits or greater should be used
· All cryptographic services (Point-to-Point Tunneling Protocol or PPTP, Layer 2 Tunneling Protocol or
L2TP, Layer 2 Forwarding or L2F etc.) that employ Non-FIPS Approved algorithms must be disabled
· All access to the web based management interface should be over a TLS session (Secure Hypertext Transfer
Protocol or HTTPS) or IPSec VPN Client connection
· Use only TLS and enable Ciphers 1 and 2 from services -> ssltls
· LDAP and LDAP Proxy must be over a TLS session
· The backup interface should be over an IPSec session
· Disable DES (56 and 40 bits)
· Do not perform any firmware upgrades