Cisco Router 7206 VXR User Manual


Cisco 7206 VXR Router with ISA Security Policy
Introduction
This nonproprietary Cryptographic Module Security Policy describes how the 7206 VXR NPE-400
routers meet the security requirements of Federal Information Processing Standards (FIPS) 140-1, and
how they operate in a secure FIPS 140-1 mode. The policy was prepared as part of the Level 2 FIPS
140-1 certification of the 7206 VXR NPE-400 router.
Note: This document may be copied in its entirety and without modification. All copies must include the
copyright notice and statements on the last page.
The FIPS 140-1 publication, "Security Requirements for Cryptographic Modules" details the U.S.
Government requirements for cryptographic modules. More information about the FIPS 140-1 standard
and validation program is available at the following National Institute of Standards and Technology
(NIST) website:
http://csrc.nist.gov/cryptval/
This document contains the following sections:
Introduction, page 1
The 7206 VXR NPE-400 Router, page 2
Secure Operation of the Cisco 7206 VXR NPE-400 Router, page 11
Obtaining Documentation, page 13
Obtaining Technical Assistance, page 14
Corporate Headquarters:
Cisco Systems, Inc., 170 West Tasman Drive, San Jose, CA 95134-1706 USA
Copyright © 2001. Cisco Systems, Inc. All rights reserved.


Summary of Contents for Cisco 7206 VXR (page excerpts)

  • Page 2: Document Organization

    FIPS 140-1 cryptographic module security policy. For more information on the Cisco 7206 VXR NPE-400 router and the entire 7200 series, check the following sources: The Cisco Systems website contains information on the full line of Cisco Systems products. Refer •...
  • Page 3 Cisco 7200 VXR routers accommodate a variety of network interface port adapters and an I/O controller. A Cisco 7200 VXR router equipped with an NPE-400 can support up to six high-speed port adapters and can also support higher-speed port adapter interfaces including Gigabit Ethernet and OC-12 ATM. Cisco 7200 VXR routers also contain bays for up to two AC-input or DC-input power supplies.
  • Page 4: Module Interfaces

    The NPE-400 has three levels of cache: a primary and a secondary cache that are internal to the microprocessor, and a tertiary 4-MB external cache that provides additional high-speed storage for data and instructions. Cisco 7206 VXR routers come equipped with one 280W AC-input power supply. (A 280W DC-input power supply option is available.) A power supply filler plate is installed over the second power supply bay.
  • Page 5 Table 1 Front Panel LEDs and Descriptions (LED names as extracted: Enabled, IO, POWER OK, Slot 0, Slot 1, Link, 100 Mbps; the description column was not extracted). All of these physical interfaces are separated into the logical interfaces from FIPS as described in Table Integrated Service Adapter: The ISA is a single-width service adapter. It provides high-performance, hardware-assisted tunneling and encryption services suitable for VPN applications.
  • Page 6 Figure 3 LEDs for ISA Crypto Card. Refer to Table 2 for further description of the ISA LEDs. Table 2 ISA LEDs and Descriptions (LED and indication colour as extracted): ENABLED, Green; BOOT, Amber; Pulse, Amber; ERROR, Amber; ENCRYPT/COMP... All of these physical interfaces are separated into the logical interfaces from FIPS as described in Table
  • Page 7: Roles And Services

    Table 3 FIPS 140-1 Logical Interfaces (router physical interfaces grouped per logical interface; the logical-interface column was not extracted). Group 1: 10/100BASE-TX LAN Port, Port Adapter Interface, Service Module Interface, Console Port, Auxiliary Port*, PCMCIA Slot*. Group 2: 10/100BASE-TX LAN Port, Port Adapter Interface, Service Module Interface, Console Port, Auxiliary Port*, PCMCIA Slot*. Group 3: Power Switch, Console Port, Auxiliary Port*, 10/100BASE-TX LAN Port...
  • Page 8: User Services

    Cryptographic Officer Services: During initial configuration of the router, a cryptographic officer (crypto officer) password (the “enable” password) is defined, and all management services are available from this role. The crypto officer connects to the router through the console port using a terminal program. A crypto officer can assign permission to access the crypto officer role to additional accounts, thereby creating additional crypto officers.
  • Page 9 Once the router has been configured to meet FIPS 140-1 Level 2 requirements, the router cannot be accessed without signs of tampering. To seal the system, apply serialized tamper-evidence labels as follows: Clean the cover of any grease, dirt, or oil before applying the tamper evidence labels. Alcohol-based •...
  • Page 10 Figure 4 shows the tamper evidence label placements. Figure 4 Tamper Evidence Label Placement (labels shown: port adapter lever, I/O controller, chassis grounding receptacles). The tamper evidence seals are produced from a special thin gauge vinyl with self-adhesive backing. Any attempt to remove port adapters or service modules will damage the tamper evidence seals or the painted surface and metal of the module cover.
  • Page 11: Cryptographic Key Management

    Cryptographic Key Management: The router securely administers both cryptographic keys and other critical security parameters such as passwords. The tamper evidence seals provide physical protection for all keys. Keys are also password protected and can be zeroized by the crypto officer. Keys are either entered manually (manual key exchange) or established electronically via Internet Key Exchange (IKE).
  • Page 12: Remote Access

    Secure Operation of the Cisco 7206 VXR NPE-400 Router: The crypto officer must create the “enable” password for the crypto officer role. The password must be at least 8 characters and is entered when the crypto officer first engages the enable command. The crypto officer enters the following syntax at the “#”...
  • Page 13: Obtaining Documentation

    The crypto officer must configure the module so that any remote connections via telnet are secured through IPSec. Obtaining Documentation The following sections provide sources for obtaining documentation from Cisco Systems. World Wide Web You can access the most current Cisco documentation on the World Wide Web at the following sites: http://www.cisco.com...
  • Page 14: Obtaining Technical Assistance

    To submit your comments by mail, use the response card behind the front cover of your document, or write to the following address: Attn Document Resource Connection Cisco Systems, Inc. 170 West Tasman Drive San Jose, CA 95134-9883 We appreciate your comments.
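The page 12 and page 13 excerpts above state two checkable secure-operation rules: the crypto-officer "enable" password must be at least 8 characters, and any remote telnet access must be protected by IPsec. The following audit script is an added example and is not code from Cisco or from the security policy. It parses an IOS-style running configuration and reports violations of those two rules. The sample configurations are constructed for the example, and the IOS command names it keys on (enable secret, enable password, line vty, transport input, crypto map ... ipsec-isakmp) are the author's assumption about the configuration syntax, not quoted from the policy; the "telnet is IPsec-protected" test is a heuristic (an ipsec-isakmp crypto map defined and applied to an interface), not proof that the telnet traffic is actually matched by the crypto ACL.

```python
"""Audit an IOS-style running-config against two FIPS secure-operation rules:
  1. enable password for the crypto officer role, at least 8 characters
  2. telnet on vty lines only if an IPsec crypto map is applied
Added example; not Cisco's code. IOS command syntax is assumed, not quoted."""
import re

# Constructed sample configs for the example (not from the policy document).
WEAK_CONFIG = """\
hostname c7206
enable password cisco
interface FastEthernet0/0
 ip address 192.0.2.1 255.255.255.0
line vty 0 4
 transport input telnet
 login
"""

HARDENED_CONFIG = """\
hostname c7206
enable secret FIPSl3v3l2pw
crypto isakmp policy 10
 encryption 3des
 hash sha
 authentication pre-share
crypto isakmp key mgmtkey0123 address 192.0.2.50
crypto ipsec transform-set TS esp-3des esp-sha-hmac
crypto map MGMT 10 ipsec-isakmp
 set peer 192.0.2.50
 set transform-set TS
 match address 101
access-list 101 permit tcp host 192.0.2.50 host 192.0.2.1 eq telnet
interface FastEthernet0/0
 ip address 192.0.2.1 255.255.255.0
 crypto map MGMT
line vty 0 4
 transport input telnet
 login
"""

ENABLE_RE = re.compile(r"^enable (secret|password)(?: (\d))? (\S+)$")


def parse_blocks(config):
    """Split a config into (top-level line, [indented sub-lines]) pairs."""
    blocks = []
    for raw in config.splitlines():
        if not raw.strip() or raw.startswith("!"):
            continue
        if raw[0].isspace():
            if blocks:
                blocks[-1][1].append(raw.strip())
        else:
            blocks.append((raw.strip(), []))
    return blocks


def check_enable_password(blocks, min_len=8):
    """Rule 1: an enable password exists and, when stored in clear, is >= min_len."""
    matches = [m for m in (ENABLE_RE.match(h) for h, _ in blocks) if m]
    if not matches:
        return ["no enable password: crypto officer role has no password"]
    findings = []
    for m in matches:
        kind, enc_type, value = m.groups()
        if enc_type not in (None, "0"):
            continue  # hashed/encrypted form (assumed type digit); length not recoverable
        if len(value) < min_len:
            findings.append(f"enable {kind} is {len(value)} characters; "
                            f"policy requires at least {min_len}")
    return findings


def telnet_allowed(blocks):
    """True if any vty line accepts telnet. A vty block with no 'transport input'
    is treated as allowing telnet (assumed default for IOS of this era)."""
    for head, body in blocks:
        if not head.startswith("line vty"):
            continue
        transports = [b for b in body if b.startswith("transport input")]
        if not transports:
            return True
        for t in transports:
            if {"telnet", "all"} & set(t.split()[2:]):
                return True
    return False


def ipsec_applied(blocks):
    """True if an ipsec-isakmp crypto map is defined and bound to an interface."""
    defined = {h.split()[2] for h, _ in blocks
               if h.startswith("crypto map ") and "ipsec-isakmp" in h}
    for head, body in blocks:
        if head.startswith("interface "):
            for b in body:
                parts = b.split()
                if parts[:2] == ["crypto", "map"] and len(parts) > 2 and parts[2] in defined:
                    return True
    return False


def audit(config):
    """Return a list of findings; an empty list means both rules are satisfied."""
    blocks = parse_blocks(config)
    findings = check_enable_password(blocks)
    if telnet_allowed(blocks) and not ipsec_applied(blocks):
        findings.append("telnet accepted on vty lines but no IPsec crypto map "
                        "is applied to any interface")
    return findings


if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(name, audit(cfg) or "OK")
```

Running the script reports two findings for the weak configuration (a 5-character clear-text enable password and unprotected telnet) and none for the hardened one. Because the checks work from the configuration text alone, a hashed enable secret is accepted without a length check, so the 8-character rule must be enforced at the time the crypto officer sets the password.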