Remote Access - Cisco Router 7206 VXR User Manual

Cisco systems router user guide

Secure Operation of the Cisco 7206 VXR NPE-400 Router
Non FIPS-Approved Algorithms
Protocols

Remote Access

Cisco 7206 VXR Router with ISA Security Policy
The crypto officer must create the "enable" password for the crypto officer role. The password must
be at least 8 characters and is entered when the crypto officer first engages the enable command.
The crypto officer enters the following syntax at the "#" prompt:
enable secret [PASSWORD]
The crypto officer must always assign passwords (of at least 8 characters) to users. Identification
and authentication of the console port is required for users. From the configure terminal command
line, the crypto officer enters the following syntax:
line con 0
password [PASSWORD]
login local
The crypto officer shall only assign users to a privilege level 1 (the default).
The crypto officer shall not assign a command to any privilege level other than its default.
The PCMCIA Flash memory card slot is not configured in FIPS mode. Its use is restricted via tamper
evidence labels. See the "Physical Security" section for more details.
The following algorithms are not FIPS approved and should be disabled:
RSA for encryption
MD-5 for signing
AH-SHA-HMAC
ESP-SHA-HMAC
HMAC SHA-1
The following network services affect the security data items and must not be configured: NTP,
TACACS+, RADIUS, Kerberos.
SNMP v3 over a secure IPSec tunnel can be employed for authenticated, secure SNMP Gets and
Sets. Since SNMP v2C uses community strings for authentication, only gets are allowed under
SNMP v2C.
Auxiliary terminal services must be disabled, except for the console. The following configuration
disables login services on the auxiliary console line.
line aux 0
no exec
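The requirements above can be checked against a saved configuration. The following audit script is an added example, not part of Cisco's security policy. It assumes the forbidden services show up as the top-level IOS keywords listed in the code, and both sample configurations are constructed.

```python
import re

# Assumption: NTP, TACACS+, RADIUS and Kerberos appear as these top-level keywords.
FORBIDDEN = re.compile(r"^(ntp|tacacs-server|radius-server|kerberos)\b")

def line_blocks(config):
    """Map each 'line ...' header to the indented sub-commands under it."""
    blocks, current = {}, None
    for raw in config.splitlines():
        if raw.startswith("line "):
            current = blocks.setdefault(raw.strip(), [])
        elif raw.startswith(" ") and current is not None:
            current.append(raw.strip())
        else:
            current = None
    return blocks

def audit(config):
    """Return a list of policy findings for an IOS configuration text."""
    findings = []
    top = [l.strip() for l in config.splitlines() if l and not l.startswith(" ")]
    blocks = line_blocks(config)
    if not any(l.startswith("enable secret ") for l in top):
        findings.append("no enable secret set")
    if "login local" not in blocks.get("line con 0", []):
        findings.append("console line lacks 'login local'")
    if "no exec" not in blocks.get("line aux 0", []):
        findings.append("aux line allows exec ('no exec' missing)")
    for l in top:
        if FORBIDDEN.match(l):
            findings.append("forbidden service: " + l)
        elif re.match(r"snmp-server community \S+ .*\bRW\b", l, re.I):
            findings.append("SNMP v2C community permits sets: " + l)
        elif l.startswith("privilege "):
            findings.append("command privilege level changed: " + l)
        elif (m := re.match(r"username (\S+) privilege (\d+)", l)) and m.group(2) != "1":
            findings.append("user above privilege level 1: " + m.group(1))
    return findings
# Constructed sample configurations (not taken from a real device).
COMPLIANT = """\
enable secret 5 $1$placeholder
username operator privilege 1 password 7 placeholder
line con 0
 password 7 placeholder
 login local
line aux 0
 no exec
"""
NONCOMPLIANT = COMPLIANT.replace(" no exec\n", "") + "ntp server 192.0.2.1\nsnmp-server community example RW\n"
```

The script cannot verify the 8-character minimum, because stored secrets are hashed; password length has to be enforced when the password is set.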
