Part No. 117386-A Rev. ASeptember 1997BayRS Version 12.00Site Manager Software Version 6.00 Configuring Data Encryption Services
117386-A Rev. A xi About This Guide If you are responsible for configuring and managing Bay Networks ® routers, read this guide to learn how to confi
Configuring Data Encryption Servicesxii 117386-A Rev. A Conventions angle brackets (< >) Indicate that you choose the text to enter based on th
About This Guide 117386-A Rev. A xiii Acronyms ANSI American National Standards InstituteBRI Basic Rate InterfaceDES Data Encryption StandardDLCI da
Configuring Data Encryption Servicesxiv 117386-A Rev. A The Bay Networks Press catalog is available on the World Wide Web at support.baynetworks.com
About This Guide 117386-A Rev. A xv If you purchased a Bay Networks service program, call one of the following Bay Networks Technical Solutions Cent
117386-A Rev. A 1-1 Chapter 1Data Encryption Overview Bay Networks data encryption services enable you to protect sensitive traffic on your network.
Configuring Data Encryption Services1-2 117386-A Rev. A Data Encryption Standard (DES) Bay Networks bases encryption services on DES, which the Unite
Data Encryption Overview 117386-A Rev. A 1-3 Message Digest 5 (MD5) MD5 is a secure hash algorithm, and is a component in a number of IETF standard
ii 117386-A Rev. A 4401 Great America Parkway 8 Federal StreetSanta Clara, CA 95054 Billerica, MA 01821 Copyright © 1997 Bay Networks, Inc. All right
Configuring Data Encryption Services1-4 117386-A Rev. A Site Security Carefully restrict access to routers that encrypt data and the workstations you
Data Encryption Overview 117386-A Rev. A 1-5 Figure 1-1. Hierarchy of Encryption Keys The keys are the• Node Protection Key (NPK). It encrypts the L
Configuring Data Encryption Services1-6 117386-A Rev. ANode Protection Key (NPK) The NPK encrypts and decrypts LTSSs.The NPK is stored in the router’s
Data Encryption Overview117386-A Rev. A 1-7 The easiest way to enter the NPK is to use a text editor in read-only mode to display the contents of the
Configuring Data Encryption Services1-8 117386-A Rev. AMaster Encryption Key (MEK)The MEK encrypts the Traffic Encryption Key (TEK). The LTSS for a cir
117386-A Rev. A 2-1 Chapter 2Implementation NotesThis chapter describes special issues that you may encounter in configuring and running encryption.Req
Configuring Data Encryption Services2-2 117386-A Rev. ASynchronizing Router ClocksThe Master Encryption Key must be the same at both ends of a link. T
Implementation Notes117386-A Rev. A 2-3 Using Data Compression with EncryptionYou can configure both hardware- and software-based data compression over
Configuring Data Encryption Services2-4 117386-A Rev. AUsing Floppy Disks to Store Key FilesFor security reasons, Bay Networks recommends that you use
117386-A Rev. A 3-1 Chapter 3Enabling EncryptionThis chapter describes how to configure data encryption.Before You BeginBefore you can start data encry
117386-A Rev. A iii Bay Networks, Inc. Software License Agreement NOTICE: Please carefully read this license agreement before copying or using the
Configuring Data Encryption Services3-2 117386-A Rev. AStarting EncryptionTo use Bay Networks data encryption on your network, you must1. Create the s
Enabling Encryption117386-A Rev. A 3-3 Creating Seeds on a PCTo use a PC to create seeds that the WEP software uses to generate NPKs and LTSSs, issue
Configuring Data Encryption Services3-4 117386-A Rev. A2. Press Return to create the LTSS key file.WEP displays this message:Enter the path of the key
Enabling Encryption117386-A Rev. A 3-5 Creating Seeds on a UNIX PlatformTo create a seed on a UNIX platform:1. Set the environment variable for the pa
Configuring Data Encryption Services3-6 117386-A Rev. ARunning the WEP wfkseed CommandThe wfkseed command creates the seed that enables you to generat
Enabling Encryption117386-A Rev. A 3-7 Creating NPKs and LTSSsAfter you generate the NPK and LTSS seeds, you open Site Manager and use the WEP Key Man
Configuring Data Encryption Services3-8 117386-A Rev. ACreating LTSSsTo generate an LTSS:1. Start Site Manager. Note that you open Site Manager after
Enabling Encryption117386-A Rev. A 3-9 Entering an NPK on a RouterThe router stores its NPK in nonvolatile RAM. To enter the NPK, you work in the secu
Configuring Data Encryption Services3-10 117386-A Rev. A6. Save the configuration file.7. Exit the secure shell by enteringkexitYou return to the regula
Enabling Encryption117386-A Rev. A 3-11 Changing an NPK in the MIBTo change the MIB NPK value:1. At any shell prompt on a UNIX platform, or at the DOS
iv 117386-A Rev. A its own data and information and for maintaining adequate procedures apart from the Software to reconstruct lost or altered files,
Configuring Data Encryption Services3-12 117386-A Rev. AThe kseed command creates the seed that enables WEP to generate random numbers. To create a TE
Enabling Encryption117386-A Rev. A 3-13 5.Exit the Secure Shell by enteringkexitYou return to the regular prompt.Starting Encryption for PPPTo configur
Configuring Data Encryption Services3-14 117386-A Rev. A3. Enter the NPK.You need to do this once for each router or configuration file.After you enter
Enabling Encryption117386-A Rev. A 3-15 The Encrypt Enable parameter defaults to Disable. Both the PPP Encrypt Enable parameter and the WEP Enable par
Configuring Data Encryption Services3-16 117386-A Rev. A2. Select the WEP protocol.3. Enter the NPK.You need to do this once for each router or configu
Enabling Encryption117386-A Rev. A 3-17 4.Enter the LTSS Value and LTSS Name.5. Enable Encryption.The Encrypt Enable parameter defaults to Disable. Bo
Configuring Data Encryption Services3-18 117386-A Rev. AConfiguring WEP ParametersWEP has both line and circuit interface parameters. WEP parameters ha
Enabling Encryption117386-A Rev. A 3-19 TEK Change BytesThe TEK Change Bytes parameter sets the number of bytes between changes in the value of the TE
Configuring Data Encryption Services3-20 117386-A Rev. ADeleting Encryption from a RouterTo delete encryption from all circuits on which it is current
117386-A Rev. A A-1 Appendix AEncryption ParametersThis appendix contains parameter descriptions for Frame Relay and PPP encryption parameters, and fo
117386-A Rev. A v Contents About This Guide Before You Begin ...
Configuring Data Encryption ServicesA-2 117386-A Rev. AParameter: Encrypt EnablePath: PPP: Configuration Manager > Protocols > PPP > PPP Inter
Encryption Parameters117386-A Rev. A A-3 Parameter: LTSS ValuePath: PPP: Configuration Manager > Protocols > PPP > PPP Interface Lists windowF
Configuring Data Encryption ServicesA-4 117386-A Rev. AWEP Line ParametersParameter: EnablePath: Configuration Manager > Protocols > WEP > Lin
Encryption Parameters117386-A Rev. A A-5 WEP Circuit Interface ParametersParameter: TEK Change (Bytes)Path: Configuration Manager > Protocols > W
Configuring Data Encryption ServicesA-6 117386-A Rev. AParameter: Cipher Mode MaskPath: Configuration Manager > Protocols > WEP > Circuit Inte
Encryption Parameters117386-A Rev. A A-7 Parameter: TEK Change (Seconds)Path: Configuration Manager > Protocols > WEP > LinesDefault: 10 secon
117386-A Rev. A B-1 Appendix BDefinitions of k CommandsThis appendix contains definitions of the k commands that you use to work in the secure shell of
117386-A Rev. A Index-1Numbers40-bit and 56-bit encryption, 1-2, 2-1AAN routers, using encryption, 2-2authentication, 1-3BBay Networks Press, xiiiCcha
vi 117386-A Rev. A Chapter 2 Implementation Notes Requirements for Enabling Encryption ...
Index-2 117386-A Rev. Aencryption strength, selecting 40-bit or 56-bit, 2-1, 3-18entering an NPK on a router, 3-9Ffloppy disks, for storing key files, 1
117386-A Rev. A Index-3Ssecure shell, 3-9secure shell password, 1-6, 1-7, 3-12security, 1-2, 1-3, 1-7seedscreating, 3-2 to 3-6seeds, defined, 1-5SEO so
117386-A Rev. A viiStarting Encryption for PPP ...3-13Starting
117386-A Rev. A ix Figure Figure 1-1. Hierarchy of Encryption Keys ..................1-5
Comments to this Manuals