Avaya Configuring Data Encryption Services Manuale Utente

Part No. 303520-A Rev. 00October 1998BayRS Version 13.00Site Manager Software Version 7.00 Configuring Data Encryption Services

303520-A Rev. 00xi PrefaceThis guide describes how to configure data encryption on a Bay Networks® router.Before You BeginBefore using this guide, you

Configuring Data Encryption Servicesxii303520-A Rev. 00Text ConventionsThis guide uses the following text conventions:angle brackets (< >) Indic

Preface303520-A Rev. 00xiii Acronymsitalic text Indicates file and directory names, new terms, book titles, and variables in command syntax descriptio

Configuring Data Encryption Servicesxiv303520-A Rev. 00Bay Networks Technical PublicationsYou can now print Bay Networks technical manuals and release

Preface303520-A Rev. 00xv How to Get HelpFor product assistance, support contracts, or information about educational services, go to the following URL

303520-A Rev. 001-1 Chapter 1Data Encryption OverviewBay Networks data encryption services enable you to protect sensitive traffic on your network. En

Configuring Data Encryption Services1-2303520-A Rev. 00Data Encryption Standard (DES)Bay Networks bases encryption services on DES, which the United S

Data Encryption Overview303520-A Rev. 001-3 Message Digest 5 (MD5)MD5 is a secure hash algorithm, and is a component in a number of IETF standard prot

ii303520-A Rev. 004401 Great America Parkway 8 Federal StreetSanta Clara, CA 95054 Billerica, MA 01821Copyright © 1998 Bay Networks, Inc.All rights re

Configuring Data Encryption Services1-4303520-A Rev. 00Site SecurityCarefully restrict unauthorized access to routers that encrypt data and the workst

Data Encryption Overview303520-A Rev. 001-5 Figure 1-1. Hierarchy of Encryption KeysThe keys are the:• Node Protection Key (NPK). It encrypts the LTSS

Configuring Data Encryption Services1-6303520-A Rev. 00Node Protection Key (NPK) The NPK encrypts and decrypts LTSSs. The NPK is stored in the router’

Data Encryption Overview303520-A Rev. 001-7 The easiest way to enter the NPK is to use a text editor in read-only mode to display the contents of the

Configuring Data Encryption Services1-8303520-A Rev. 00The key manager uses an RNG to generate LTSSs, and you specify a name for each of these values.

Data Encryption Overview303520-A Rev. 001-9 The TEK automatically changes according to the values in the TEK Change Seconds and TEK Change Bytes param

303520-A Rev. 002-1 Chapter 2Considerations Before You Enable EncryptionThis chapter presents some essential points that you should consider in prepar

Configuring Data Encryption Services2-2303520-A Rev. 00Synchronizing Router ClocksThe Master Encryption Key (MEK) must be the same at both ends of a l

Considerations Before You Enable Encryption303520-A Rev. 002-3 Enabling compression improves bandwidth efficiency by eliminating redundant strings in

303520-A Rev. 00iiiBay Networks, Inc. Software License AgreementNOTICE: Please carefully read this license agreement before copying or using the acco

Configuring Data Encryption Services2-4303520-A Rev. 001.Log on as superuser.% su2.Enter the superuser password.password <password>3.Move to the

303520-A Rev. 003-1 Chapter 3Enabling EncryptionThis chapter describes how to configure data encryption. Before You BeginBefore you can start data enc

Configuring Data Encryption Services3-2303520-A Rev. 00Starting EncryptionTo enable Bay Networks data encryption on your network, you must:1.Create th

Enabling Encryption303520-A Rev. 003-3 Creating Seeds on a PCTo use a PC to create seeds that the WEP software uses to generate NPKs and LTSSs, you is

Configuring Data Encryption Services3-4303520-A Rev. 00WEP asks:Do you wish to create the LTSS or NPK Key File? [LTSS]:3.Press Return to create the LT

Enabling Encryption303520-A Rev. 003-5 Creating Seeds on a UNIX PlatformTo create a seed on a UNIX platform: 1.Set the environment variable for the pa

Configuring Data Encryption Services3-6303520-A Rev. 00Running the WEP wfkseed CommandThe wfkseed command creates the seed that enables you to generat

Enabling Encryption303520-A Rev. 003-7 Creating Seeds on the RouterUsing the Technician Interface, you create one seed for the NPK using the kseed com

Configuring Data Encryption Services3-8303520-A Rev. 00The file name that stores NPKs on both PC and UNIX platforms is wep_npk.dat.Creating LTSSsTo ge

Enabling Encryption303520-A Rev. 003-9 Entering an NPK on a RouterThe router stores its NPK in nonvolatile memory. To enter the NPK, you work in the s

iv303520-A Rev. 00its own data and information and for maintaining adequate procedures apart from the Software to reconstruct lost or altered files,

Configuring Data Encryption Services3-10303520-A Rev. 005.At the SSHELL prompt, enter the kset command followed by a space, and paste in the NPK.kset

Enabling Encryption303520-A Rev. 003-11 Changing an NPK on a RouterTo change the router NPK value, follow the procedure in the section, “Entering an N

Configuring Data Encryption Services3-12303520-A Rev. 00The kseed command creates the seed that enables WEP to generate random numbers. To create a TE

Enabling Encryption303520-A Rev. 003-13 5.Exit the secure shell by entering:kexitYou return to the regular prompt.Starting Encryption for PPPTo config

Configuring Data Encryption Services3-14303520-A Rev. 003.Enter the NPK.You need to do this once for each router or configuration file.After you enter

Enabling Encryption303520-A Rev. 003-15 5.Set the Encrypt Enable parameter to Enable.The Encrypt Enable parameter defaults to Disable. Both the Encryp

Configuring Data Encryption Services3-16303520-A Rev. 00Starting Encryption for Frame RelayTo configure encryption for frame relay:1.Insert the floppy

Enabling Encryption303520-A Rev. 003-17 3.Enter the NPK.You need to do this once for each router or configuration file.After you enter the NPK, the re

Configuring Data Encryption Services3-18303520-A Rev. 005.Set the Enable Encryption parameter to Enable.The Encrypt Enable parameter defaults to Disab

Enabling Encryption303520-A Rev. 003-19 Configuring WEP ParametersWEP has both line and circuit interface parameters. WEP parameters have default valu

303520-A Rev. 00vContentsPrefaceBefore You Begin ...

Configuring Data Encryption Services3-20303520-A Rev. 00Select the encryption strength that is appropriate for your network. Note that you can select

Enabling Encryption303520-A Rev. 003-21 To set the TEK Change Seconds parameter for a line:4.Click on Done to exit the window.Configuring WEP Interfac

Configuring Data Encryption Services3-22303520-A Rev. 002.Select the encryption strength for this interface.Encryption is available in two versions, r

Enabling Encryption303520-A Rev. 003-23 The TEK Change Seconds parameter sets the number of seconds between changes in the value of the TEK. To set th

Configuring Data Encryption Services3-24303520-A Rev. 00To disable data encryption on a frame relay circuit, follow these instructions:Deleting Encryp

Enabling Encryption303520-A Rev. 003-25 Deleting Encryption from a RouterTo delete encryption from all circuits on which it is currently configured:1.

303520-A Rev. 00A-1 Appendix AEncryption ParametersThis appendix contains parameter descriptions for PPP and frame relay encryption parameters, and fo

Configuring Data Encryption ServicesA-2303520-A Rev. 00Parameter: Encrypt EnablePath: PPP: Configuration Manager > Protocols > PPP > PPP Inte

Encryption Parameters303520-A Rev. 00A-3 Parameter: LTSS ValuePath: PPP: Configuration Manager > Protocols > PPP > PPP Interface Lists window

vi303520-A Rev. 00Chapter 2 Considerations Before You Enable EncryptionRequirements for Enabling Encryption ...

Configuring Data Encryption ServicesA-4303520-A Rev. 00WEP Line ParametersParameter: EnablePath: Configuration Manager > Protocols > WEP > Li

Encryption Parameters303520-A Rev. 00A-5 WEP Circuit Interface ParametersParameter: TEK Change (Bytes)Path: Configuration Manager > Protocols >

Configuring Data Encryption ServicesA-6303520-A Rev. 00Parameter: Cipher Mode MaskPath: Configuration Manager > Protocols > WEP > Circuit Int

Encryption Parameters303520-A Rev. 00A-7 Parameter: TEK Change (Seconds)Path: Configuration Manager > Protocols > WEP > LinesDefault: 10 seco

303520-A Rev. 00B-1 Appendix BDefinitions of k CommandsThis appendix contains definitions of the “k” commands that you use to work in the secure shell

303520-A Rev. 00Index-1Numbers40-bit and 56-bit encryption, 1-2, 2-1Aacronyms, xiiiAN routers, using encryption, 2-2authentication, 1-3Cchangingan LTS

Index-2303520-A Rev. 00Ffloppy disks, for storing key files, 1-8, 2-3Ggeneratinga TEK, 3-11an LTSS, 3-8an NPK, 3-7Kk commands, B-1key filessecurity, 1

303520-A Rev. 00Index-3seedscreating, 3-2 to 3-6defined, 1-5SEO software license agreement, 1-2setting a path to the key files (UNIX platform), 3-5set

303520-A Rev. 00viiChanging LTSSs ...3-11Creat

303520-A Rev. 00ixFiguresFigure 1-1. Hierarchy of Encryption Keys ..................1-5