Cisco 3825 Non Proprietary Security Policy

Integrated Services Routers FIPS 140-2

Cisco 3825 and Cisco 3845 Integrated Services Routers FIPS 140-2 Non Proprietary Security Policy
Level 2 Validation
Version 1.1
November 1, 2005

Introduction

This document is the non-proprietary Cryptographic Module Security Policy for the Cisco 3825 and
Cisco 3845 Integrated Services Routers without an AIM card installed. This security policy describes
how the Cisco 3825 and Cisco 3845 Integrated Services Routers (Hardware Version: Cisco 3825 or
Cisco 3845; Firmware Version: IOS 12.3(11)T03) meet the security requirements of FIPS 140-2, and
how to operate the router with on-board crypto enabled in a secure FIPS 140-2 mode. This policy was
prepared as part of the Level 2 FIPS 140-2 validation of the Cisco 3825 and Cisco 3845 Integrated
Services Routers.
FIPS 140-2 (Federal Information Processing Standards Publication 140-2-Security Requirements for
Cryptographic Modules) details the U.S. Government requirements for cryptographic modules. More
information about the FIPS 140-2 standard and validation program is available on the NIST website at
http://csrc.nist.gov/cryptval/.
This document contains the following sections:
Introduction, page 1

Corporate Headquarters:
Cisco Systems, Inc., 170 West Tasman Drive, San Jose, CA 95134-1706 USA
© 2005 Cisco Systems, Inc. All rights reserved.


Summary of Contents for Cisco 3825

  • Page 1: Table of Contents
    Cisco 3845; Firmware Version: IOS 12.3(11)T03) meet the security requirements of FIPS 140-2, and how to operate the router with on-board crypto enabled in a secure FIPS 140-2 mode. This policy was prepared as part of the Level 2 FIPS 140-2 validation of the Cisco 3825 and Cisco 3845 Integrated Services Routers.
  • Page 2: Cisco 3825 and Cisco 3845 Routers
    for answers to technical or sales-related questions for the module. Terminology: In this document, the Cisco 3825 or Cisco 3845 routers are referred to as the router, the module, or the system. Document Organization: The Security Policy document is part of the FIPS 140-2 Submission Package. In addition to this...
  • Page 3: The Cisco 3825 Cryptographic Module
    Physical Characteristics (Figure 1): The Cisco 3825 Router is a multiple-chip standalone cryptographic module. The router has a processing speed of 500 MHz. Depending on configuration, either the internal Safenet chip or the IOS software is used for cryptographic operations.
  • Page 4: Cisco 3825 Front Panel Physical Interfaces (Figure 3)
    The Cisco 3825 router features a console port, auxiliary port, dual Universal Serial Bus (USB) ports, four high-speed WAN interface card (HWIC) slots, two 10/100/1000 Gigabit Ethernet RJ45 ports, two Enhanced Network Module (ENM) slots, small form factor pluggable (SFP), redundant power supply (RPS) inlet, power inlet, and Compact Flash (CF) drive.
  • Page 5: Cisco 3825 Front Panel Indicators
    Figure labels: Activity, Compact Flash, PVDM3, PVDM2, PVDM1, PVDM0, AIM1, AIM0. (Running header: Cisco 3825 and Cisco 3845 Integrated Services Routers FIPS 140-2 Non Proprietary Security Policy, OL-8662-01.) State / Description: Solid Green: Normal System Operation. Blinking Green: Booting or in ROM monitor (ROMMON) mode.
  • Page 6
    Figure labels: ENM Slots, 10/100/1000 Ethernet LAN Ports, HWIC Ports, Console Port, Auxiliary Port, ENM Slots. State / Description: Green (Blinking): Blinking frequency indicates port speed. Solid Green: Ethernet link is established...
  • Page 7
    The card itself must never be removed from the drive. A tamper evident seal will be placed over the card in the drive. ...
  • Page 8: The Cisco 3845 Router Case
    The interfaces for the router are located on the front and rear panel as shown in respectively. Figure 5: Cisco 3845 Front Panel Physical Interfaces. ...
  • Page 9
    Figure labels: HWIC 2, Do Not Remove During Network Operation. The Cisco 3845 router features a console port, auxiliary port, dual Universal Serial Bus (USB) ports, four high-speed WAN interface card (HWIC) slots, two 10/100/1000 Gigabit Ethernet RJ45 ports, four Enhanced Network Module (ENM) slots, small form factor pluggable (SFP), power inlets, and Compact Flash (CF) drive.
  • Page 10
    Figure labels: Auxiliary, Power2, Activity, Compact Flash, PVDM3, PVDM2, PVDM1, PVDM0. State / Description: Solid Green: Normal System Operation. Blinking Green: Booting or in ROM monitor (ROMMON) mode. Amber: Powered, but malfunctioning.
  • Page 11: Cisco 3845 Front Panel Indicators (Continued)
    Figure labels: ENM Slots, 10/100/1000 Ethernet LAN Ports, HWIC Ports, Console Port, Auxiliary Port, ENM Slots. Green: AIM1 present and enabled. Amber: AIM1 present with failure.
  • Page 12: Roles and Services
    A tamper evident seal will be placed over the card in the drive. Roles and Services: Authentication in the Cisco 3825 and Cisco 3845 is role-based. There are two main roles in the router that operators can assume: the Crypto Officer role and the User role. The administrator of the router assumes the Crypto Officer role in order to configure and maintain the router using Crypto Officer services, while the Users exercise only the basic User services.
  • Page 13: Crypto Officer Services
    Step 2: Tamper evidence label A shall be placed so that one half of the label covers the top of the front panel and the other half covers the enclosure. ...
  • Page 14
    Step 4: Tamper evidence labels D and E should be placed so that one half of each label covers the side of the right ENM modules and the other half covers the enclosure. ... show the tamper evidence label placements for the Cisco 3825. ...
  • Page 15: Cryptographic Key Management
    Officer. All zeroization consists of overwriting the memory that stored the key. Keys are exchanged and entered electronically or via Internet Key Exchange (IKE). ... show the tamper evidence label placements for the Cisco 3845.
  • Page 16: Key Zeroization
    DRAM; therefore this command will completely zeroize this key. The following command will zeroize the pre-shared keys from the DRAM: no set session-key inbound ah spi hex-key-data ...
  • Page 17
    Table fragment (Cryptographic Key Management): .../AES; IKE session authentication key: the IKE session authentication key (SHA-1 HMAC or DES MAC); Storage: DRAM; Zeroization Method: Automatically every...
  • Page 18
    Table fragment: Secret password: the plaintext password of the CO role. This password is zeroized by overwriting it with a new password. Storage: NVRAM; Zeroization: "# no crypto isakmp (plaintext or key" ...
  • Page 19
    Table fragment (Security Relevant Data Item): PRNG Seed, DH private exponent, DH public key. Role and Service Access to CSP. NVRAM ...
  • Page 20
    Table fragment (CSPs): DH public key, skeyid, skeyid_d, skeyid_a, skeyid_e, IKE session encrypt key, IKE session authentication key, ISAKMP preshared, IKE hash key, secret_1_0_0, IPSec encryption key, IPSec encryption key ...
  • Page 21
    The router includes an array of self-tests that are run during startup and periodically during operations. All self-tests are ...
  • Page 22
    IPSec, and a continuous random number generator test. If any of the self-tests fail, the router transitions into an error state. In the error state, all secure data transmission is halted and the router outputs status information indicating the failure.
  • Page 23: Secure Operation of the Cisco 3825 or Cisco 3845 Router
    The Cisco 3825 and Cisco 3845 routers meet all the Level 2 requirements for FIPS 140-2. Follow the setting instructions provided below to place the module in FIPS-approved mode. Operating this router without maintaining the following settings will remove the module from the FIPS approved mode of operation.
  • Page 24: Remote Access
    Note that all users must still authenticate after remote access is granted. Related Documentation: For more information about the Cisco 3825 and Cisco 3845 Integrated Services Routers, refer to the following documents: Cisco 3800 Series Integrated Services Routers Quick Start Guides ...
  • Page 25: Obtaining Documentation
    Cisco products and to view technical documentation in HTML. With the DVD, you have access to the same documentation that is found on the Cisco website without being connected to the Internet. Certain products also have .pdf versions of the documentation available.
  • Page 26: Documentation Feedback
    Register to receive security information from Cisco. A current list of security advisories and notices for Cisco products is available at this URL: http://www.cisco.com/go/psirt If you prefer to see advisories and notices as they are updated in real time, you can access a Product Security Incident Response Team Really Simple Syndication (PSIRT RSS) feed from this URL: http://www.cisco.com/en/US/products/products_psirt_rss_feed.html ...
  • Page 27: Obtaining Technical Assistance
    Note: Use the Cisco Product Identification (CPI) tool to locate your product serial number before submitting a web or phone request for service. You can access the CPI tool from the Cisco Technical Support & Documentation website by clicking the Tools & Resources link under Documentation & Tools. Choose Cisco Product Identification Tool from the Alphabetical Index drop-down list, or click the Cisco Product Identification Tool link under Alerts & ...
  • Page 28: Submitting a Service Request
    Cisco engineer. The TAC Service Request Tool is located at this URL: http://www.cisco.com/techsupport/servicerequest For S1 or S2 service requests or if you do not have Internet access, contact the Cisco TAC by telephone. (S1 or S2 service requests are those in which your production network is down or severely degraded.) Cisco engineers are assigned immediately to S1 and S2 service requests to help keep your business operations running smoothly.
  • Page 29
    Cisco Press publishes a wide range of general networking, training and certification titles. Both new and experienced users will benefit from these publications. For current Cisco Press titles and other information, go to Cisco Press at this URL: http://www.ciscopress.com Packet magazine is the Cisco Systems technical user magazine for maximizing Internet and ...
  • Page 30
    Live, Play, and Learn, and iQuick Study are service marks of Cisco Systems, Inc.; and Access Registrar, Aironet, ASIST, BPX, Catalyst, CCDA, CCDP, CCIE, CCIP, CCNA, CCNP, Cisco, the Cisco Certified Internetwork Expert logo, Cisco IOS, Cisco Press, Cisco Systems, Cisco Systems Capital, the ...
