Cryptographic Key Management - Cisco 2621 User Manual

Modular access router security policy
Figure 6
The tamper evidence seals are produced from a special thin-gauge vinyl with self-adhesive backing. Any
attempt to open the router, to remove network modules or WIC cards, or to remove the front faceplate will damage
the tamper evidence seals or the painted surface and metal of the module cover. Since the tamper
evidence labels have non-repeated serial numbers, the labels may be inspected for damage and compared
against the recorded serial numbers to verify that the module has not been tampered with. Tamper evidence
labels can also be inspected for signs of tampering, which include the following: curled corners,
bubbling, crinkling, rips, tears, and slices. The word "Opened" may appear if the label was peeled back.

Cryptographic Key Management

The router securely administers both cryptographic keys and other critical security parameters such as
passwords. The tamper evidence seals provide physical protection for all keys. Keys are also password
protected and can be zeroized by the Crypto Officer. Keys are exchanged manually and entered
electronically via manual key exchange or Internet Key Exchange (IKE). The 2621 router supports the
following FIPS-approved algorithms: DES, 3DES, and SHA-1. These algorithms received certificate
numbers 74, 17, and 26 respectively.
Self-Tests
In order to prevent any secure data from being released, it is important to test the cryptographic components
of a security module to ensure that all components are functioning correctly. The router includes an array of
self-tests that are run during startup and periodically during operation. The self-tests run at power-up
include cryptographic known answer tests (KATs) on the FIPS-approved cryptographic algorithms
(DES, 3DES), on the message digest (SHA-1), and on the Diffie-Hellman algorithm. Also performed at
startup are a software integrity test using an EDC and a set of statistical Random Number Generator
(RNG) tests. The following tests are also run periodically or conditionally: a Bypass Mode test
performed conditionally prior to executing IPSec, a software load test for upgrades, and the continuous
random number generator test. If any of these self-tests fails, the router transitions into an error state.
Within the error state, all secure data transmission is halted and the router outputs status information
indicating the failure.
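As an added illustration (not Cisco's own code, which the policy does not reproduce), the following Python models the power-up sequence described above with the checks that can be exercised from the standard library: a SHA-1 known-answer test, a software integrity test using an EDC (CRC-32 is assumed here; the policy does not name the EDC), the FIPS 140-1 monobit statistical RNG test, and a continuous RNG test, with any failure moving the module into the error state. The DES/3DES KATs are omitted because they need a cipher library.

```python
import hashlib
import zlib

# Known-answer vector for SHA-1: the FIPS 180-1 "abc" example.
SHA1_KAT_INPUT = b"abc"
SHA1_KAT_EXPECTED = "a9993e364706816aba3e25717850c26c9cd0d89d"

def sha1_kat() -> bool:
    """KAT: the digest of a fixed input must match the published answer."""
    return hashlib.sha1(SHA1_KAT_INPUT).hexdigest() == SHA1_KAT_EXPECTED

def compute_edc(image: bytes) -> int:
    """EDC over the software image (CRC-32 assumed; stored at build time)."""
    return zlib.crc32(image) & 0xFFFFFFFF

def software_integrity_check(image: bytes, stored_edc: int) -> bool:
    """Software integrity test: recompute the EDC and compare with the stored value."""
    return compute_edc(image) == stored_edc

def monobit_test(sample: bytes) -> bool:
    """FIPS 140-1 statistical RNG test over a 20,000-bit sample:
    the count of one-bits must lie strictly between 9,725 and 10,275."""
    if len(sample) != 2500:
        return False
    ones = sum(bin(b).count("1") for b in sample)
    return 9725 < ones < 10275

class ContinuousRngTest:
    """Continuous RNG test: each new output block is compared with the
    previous one; a repeated block means the generator is stuck."""

    def __init__(self, block_size: int = 8) -> None:
        self.block_size = block_size
        self.prev = None  # the first block only seeds the comparison

    def check(self, block: bytes) -> bool:
        if len(block) != self.block_size:
            return False
        ok = block != self.prev
        self.prev = block
        return ok

def power_up_self_tests(image: bytes, stored_edc: int, rng_sample: bytes):
    """Run the power-up suite; any failure moves the module to the error
    state, in which no cryptographic service is offered."""
    results = {
        "sha1_kat": sha1_kat(),
        "software_integrity": software_integrity_check(image, stored_edc),
        "rng_monobit": monobit_test(rng_sample),
    }
    failed = sorted(name for name, ok in results.items() if not ok)
    return ("ERROR" if failed else "OPERATIONAL"), failed
```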
78-13824-01
[Figure: Tamper-Evident Labels (chassis panel image showing label placement; not reproduced)]
Cisco 2621 Modular Access Router Security Policy
Cisco 2621 Modular Access Routers
9
