Avaya Configuring Data Encryption Services User Manual Page 1

Part No. 117386-A Rev. ASeptember 1997BayRS Version 12.00Site Manager Software Version 6.00 Configuring Data Encryption Services

117386-A Rev. A xi About This Guide If you are responsible for configuring and managing Bay Networks ® routers, read this guide to learn how to confi

Configuring Data Encryption Servicesxii 117386-A Rev. A Conventions angle brackets (< >) Indicate that you choose the text to enter based on th

About This Guide 117386-A Rev. A xiii Acronyms ANSI American National Standards InstituteBRI Basic Rate InterfaceDES Data Encryption StandardDLCI da

Configuring Data Encryption Servicesxiv 117386-A Rev. A The Bay Networks Press catalog is available on the World Wide Web at support.baynetworks.com

About This Guide 117386-A Rev. A xv If you purchased a Bay Networks service program, call one of the following Bay Networks Technical Solutions Cent

117386-A Rev. A 1-1 Chapter 1Data Encryption Overview Bay Networks data encryption services enable you to protect sensitive traffic on your network.

Configuring Data Encryption Services1-2 117386-A Rev. A Data Encryption Standard (DES) Bay Networks bases encryption services on DES, which the Unite

Data Encryption Overview 117386-A Rev. A 1-3 Message Digest 5 (MD5) MD5 is a secure hash algorithm, and is a component in a number of IETF standard

ii 117386-A Rev. A 4401 Great America Parkway 8 Federal StreetSanta Clara, CA 95054 Billerica, MA 01821 Copyright © 1997 Bay Networks, Inc. All right

Configuring Data Encryption Services1-4 117386-A Rev. A Site Security Carefully restrict access to routers that encrypt data and the workstations you

Data Encryption Overview 117386-A Rev. A 1-5 Figure 1-1. Hierarchy of Encryption Keys The keys are the• Node Protection Key (NPK). It encrypts the L

Configuring Data Encryption Services1-6 117386-A Rev. ANode Protection Key (NPK) The NPK encrypts and decrypts LTSSs.The NPK is stored in the router’s

Data Encryption Overview117386-A Rev. A 1-7 The easiest way to enter the NPK is to use a text editor in read-only mode to display the contents of the

Configuring Data Encryption Services1-8 117386-A Rev. AMaster Encryption Key (MEK)The MEK encrypts the Traffic Encryption Key (TEK). The LTSS for a cir

117386-A Rev. A 2-1 Chapter 2Implementation NotesThis chapter describes special issues that you may encounter in configuring and running encryption.Req

Configuring Data Encryption Services2-2 117386-A Rev. ASynchronizing Router ClocksThe Master Encryption Key must be the same at both ends of a link. T

Implementation Notes117386-A Rev. A 2-3 Using Data Compression with EncryptionYou can configure both hardware- and software-based data compression over

Configuring Data Encryption Services2-4 117386-A Rev. AUsing Floppy Disks to Store Key FilesFor security reasons, Bay Networks recommends that you use

117386-A Rev. A 3-1 Chapter 3Enabling EncryptionThis chapter describes how to configure data encryption.Before You BeginBefore you can start data encry

117386-A Rev. A iii Bay Networks, Inc. Software License Agreement NOTICE: Please carefully read this license agreement before copying or using the

Configuring Data Encryption Services3-2 117386-A Rev. AStarting EncryptionTo use Bay Networks data encryption on your network, you must1. Create the s

Enabling Encryption117386-A Rev. A 3-3 Creating Seeds on a PCTo use a PC to create seeds that the WEP software uses to generate NPKs and LTSSs, issue

Configuring Data Encryption Services3-4 117386-A Rev. A2. Press Return to create the LTSS key file.WEP displays this message:Enter the path of the key

Enabling Encryption117386-A Rev. A 3-5 Creating Seeds on a UNIX PlatformTo create a seed on a UNIX platform:1. Set the environment variable for the pa

Configuring Data Encryption Services3-6 117386-A Rev. ARunning the WEP wfkseed CommandThe wfkseed command creates the seed that enables you to generat

Enabling Encryption117386-A Rev. A 3-7 Creating NPKs and LTSSsAfter you generate the NPK and LTSS seeds, you open Site Manager and use the WEP Key Man

Configuring Data Encryption Services3-8 117386-A Rev. ACreating LTSSsTo generate an LTSS:1. Start Site Manager. Note that you open Site Manager after

Enabling Encryption117386-A Rev. A 3-9 Entering an NPK on a RouterThe router stores its NPK in nonvolatile RAM. To enter the NPK, you work in the secu

Configuring Data Encryption Services3-10 117386-A Rev. A6. Save the configuration file.7. Exit the secure shell by enteringkexitYou return to the regula

Enabling Encryption117386-A Rev. A 3-11 Changing an NPK in the MIBTo change the MIB NPK value:1. At any shell prompt on a UNIX platform, or at the DOS

iv 117386-A Rev. A its own data and information and for maintaining adequate procedures apart from the Software to reconstruct lost or altered files,

Configuring Data Encryption Services3-12 117386-A Rev. AThe kseed command creates the seed that enables WEP to generate random numbers. To create a TE

Enabling Encryption117386-A Rev. A 3-13 5.Exit the Secure Shell by enteringkexitYou return to the regular prompt.Starting Encryption for PPPTo configur

Configuring Data Encryption Services3-14 117386-A Rev. A3. Enter the NPK.You need to do this once for each router or configuration file.After you enter

Enabling Encryption117386-A Rev. A 3-15 The Encrypt Enable parameter defaults to Disable. Both the PPP Encrypt Enable parameter and the WEP Enable par

Configuring Data Encryption Services3-16 117386-A Rev. A2. Select the WEP protocol.3. Enter the NPK.You need to do this once for each router or configu

Enabling Encryption117386-A Rev. A 3-17 4.Enter the LTSS Value and LTSS Name.5. Enable Encryption.The Encrypt Enable parameter defaults to Disable. Bo

Configuring Data Encryption Services3-18 117386-A Rev. AConfiguring WEP ParametersWEP has both line and circuit interface parameters. WEP parameters ha

Enabling Encryption117386-A Rev. A 3-19 TEK Change BytesThe TEK Change Bytes parameter sets the number of bytes between changes in the value of the TE

Configuring Data Encryption Services3-20 117386-A Rev. ADeleting Encryption from a RouterTo delete encryption from all circuits on which it is current

117386-A Rev. A A-1 Appendix AEncryption ParametersThis appendix contains parameter descriptions for Frame Relay and PPP encryption parameters, and fo

117386-A Rev. A v Contents About This Guide Before You Begin ...

Configuring Data Encryption ServicesA-2 117386-A Rev. AParameter: Encrypt EnablePath: PPP: Configuration Manager > Protocols > PPP > PPP Inter

Encryption Parameters117386-A Rev. A A-3 Parameter: LTSS ValuePath: PPP: Configuration Manager > Protocols > PPP > PPP Interface Lists windowF

Configuring Data Encryption ServicesA-4 117386-A Rev. AWEP Line ParametersParameter: EnablePath: Configuration Manager > Protocols > WEP > Lin

Encryption Parameters117386-A Rev. A A-5 WEP Circuit Interface ParametersParameter: TEK Change (Bytes)Path: Configuration Manager > Protocols > W

Configuring Data Encryption ServicesA-6 117386-A Rev. AParameter: Cipher Mode MaskPath: Configuration Manager > Protocols > WEP > Circuit Inte

Encryption Parameters117386-A Rev. A A-7 Parameter: TEK Change (Seconds)Path: Configuration Manager > Protocols > WEP > LinesDefault: 10 secon

117386-A Rev. A B-1 Appendix BDefinitions of k CommandsThis appendix contains definitions of the k commands that you use to work in the secure shell of

117386-A Rev. A Index-1Numbers40-bit and 56-bit encryption, 1-2, 2-1AAN routers, using encryption, 2-2authentication, 1-3BBay Networks Press, xiiiCcha

vi 117386-A Rev. A Chapter 2 Implementation Notes Requirements for Enabling Encryption ...

Index-2 117386-A Rev. Aencryption strength, selecting 40-bit or 56-bit, 2-1, 3-18entering an NPK on a router, 3-9Ffloppy disks, for storing key files, 1

117386-A Rev. A Index-3Ssecure shell, 3-9secure shell password, 1-6, 1-7, 3-12security, 1-2, 1-3, 1-7seedscreating, 3-2 to 3-6seeds, defined, 1-5SEO so

117386-A Rev. A viiStarting Encryption for PPP ...3-13Starting

117386-A Rev. A ix Figure Figure 1-1. Hierarchy of Encryption Keys ..................1-5