Part No. 117386-B Rev 00, February 1998. BayRS Version 12.10, Site Manager Software Version 6.10. Configuring Data Encryption Services
Page xi: About This Guide. If you are responsible for configuring and managing Bay Networks® routers, read this guide to learn how to configure
Page xii: Conventions. angle brackets (< >): Indicate that you choose the text to enter based on the de
Page xiii: Acronyms. ANSI: American National Standards Institute; DES: Data Encryption Standard; DLCI: data link connection identifier
Page xiv: Bay Networks Customer Service. You can purchase a support contract from your Bay Networks distribu
Page xv: Bay Networks Educational Services. Through Bay Networks Educational Services, you can attend classes and purchase CDs,
Page 1-1: Chapter 1: Data Encryption Overview. Bay Networks data encryption services enable you to protect sensitive traffic on your network. Enc
Page 1-2: Data Encryption Standard (DES). Bay Networks bases encryption services on DES, which the United St
Page 1-3: Message Digest 5 (MD5). MD5 is a secure hash algorithm, and is a component in a number of IETF standard proto
Page ii: 4401 Great America Parkway, Santa Clara, CA 95054; 8 Federal Street, Billerica, MA 01821. Copyright © 1998 Bay Networks, Inc. All rights res
Page 1-4: Site Security. Carefully restrict unauthorized access to routers that encrypt data and the worksta
Page 1-5: Figure 1-1. Hierarchy of Encryption Keys. The keys are the: • Node Protection Key (NPK). It encrypts the LTSS.
Page 1-6: Node Protection Key (NPK). The NPK encrypts and decrypts LTSSs. The NPK is stored in the router’s
Page 1-7: The easiest way to enter the NPK is to use a text editor in read-only mode to display the contents of the f
Page 1-8: The key manager uses an RNG to generate LTSSs, and you specify a name for each of these values.
Page 1-9: The TEK automatically changes according to the values in the TEK Change Seconds and TEK Change Bytes parame
Page 2-1: Chapter 2: Considerations Before You Enable Encryption. This chapter presents some essential points that you should consider in prepari
Page 2-2: Synchronizing Router Clocks. The Master Encryption Key (MEK) must be the same at both ends of a li
Page 2-3: Enabling compression improves bandwidth efficiency by eliminating redundant strings in d
Page iii: Bay Networks, Inc. Software License Agreement. NOTICE: Please carefully read this license agreement before copying or using the accom
Page 2-4: 1. Log on as superuser. % su 2. Enter the superuser password. password <password> 3. Move to the
Page 3-1: Chapter 3: Enabling Encryption. This chapter describes how to configure data encryption. Before You Begin. Before you can start data encr
Page 3-2: Starting Encryption. To enable Bay Networks data encryption on your network, you must: 1. Create the
Page 3-3: Creating Seeds on a PC. To use a PC to create seeds that the WEP software uses to generate NPKs and LTSSs, you iss
Page 3-4: WEP asks: Do you wish to create the LTSS or NPK Key File? [LTSS]: 3. Press Return to create the LTS
Page 3-5: Creating Seeds on a UNIX Platform. To create a seed on a UNIX platform: 1. Set the environment variable for the pat
Page 3-6: Running the WEP wfkseed Command. The wfkseed command creates the seed that enables you to generate
Page 3-7: Creating Seeds on the Router. Using the Technician Interface, you create one seed for the NPK using the kseed comm
Page 3-8: The file name that stores NPKs on both PC and UNIX platforms is wep_npk.dat. Creating LTSSs. To gene
Page 3-9: Entering an NPK on a Router. The router stores its NPK in nonvolatile memory. To enter the NPK, you work in the se
Page iv: its own data and information and for maintaining adequate procedures apart from the Software to reconstruct lost or altered files, d
Page 3-10: 5. At the SSHELL prompt, enter the kset command followed by a space, and paste in the NPK. kset n
Page 3-11: Changing an NPK on a Router. To change the router NPK value, follow the procedure in the section, “Entering an NP
Page 3-12: The kseed command creates the seed that enables WEP to generate random numbers. To create a TEK
Page 3-13: 5. Exit the secure shell by entering: kexit. You return to the regular prompt. Starting Encryption for PPP. To configu
Page 3-14: 3. Enter the NPK. You need to do this once for each router or configuration file. After you enter
Page 3-15: 5. Set the Encrypt Enable parameter to Enable. The Encrypt Enable parameter defaults to Disable. Both the Encrypt
Page 3-16: Starting Encryption for Frame Relay. To configure encryption for frame relay: 1. Insert the floppy
Page 3-17: 3. Enter the NPK. You need to do this once for each router or configuration file. After you enter the NPK, the rem
Page 3-18: 5. Set the Enable Encryption parameter to Enable. The Encrypt Enable parameter defaults to Disabl
Page 3-19: Configuring WEP Parameters. WEP has both line and circuit interface parameters. WEP parameters have default value
Page 3-20: Select the encryption strength that is appropriate for your network. Note that you can select b
Page 3-21: To set the TEK Change Seconds parameter for a line: 4. Click on Done to exit the window. Configuring WEP Interface
Page 3-22: 2. Select the encryption strength for this interface. Encryption is available in two versions, re
Page 3-23: The TEK Change Seconds parameter sets the number of seconds between changes in the value of the TEK. To set the
Page 3-24: To disable data encryption on a frame relay circuit, follow these instructions: Deleting Encrypt
Page 3-25: Deleting Encryption from a Router. To delete encryption from all circuits on which it is currently configured: 1. I
Page A-1: Appendix A: Encryption Parameters. This appendix contains parameter descriptions for PPP and frame relay encryption parameters, and for
Page A-2: Parameter: Encrypt Enable. Path: PPP: Configuration Manager > Protocols > PPP > PPP Inter
Page A-3: Parameter: LTSS Value. Path: PPP: Configuration Manager > Protocols > PPP > PPP Interface Lists window F
Page A-4: WEP Line Parameters. Parameter: Enable. Path: Configuration Manager > Protocols > WEP > Lin
Page A-5: WEP Circuit Interface Parameters. Parameter: TEK Change (Bytes). Path: Configuration Manager > Protocols > W
Page A-6: Parameter: Cipher Mode Mask. Path: Configuration Manager > Protocols > WEP > Circuit Inte
Page A-7: Parameter: TEK Change (Seconds). Path: Configuration Manager > Protocols > WEP > Lines. Default: 10 secon
Page B-1: Appendix B: Definitions of k Commands. This appendix contains definitions of the “k” commands that you use to work in the secure shell