Physical Security; Crypto Officer Services - Cisco 2811 Operations

Integrated Services Router FIPS 140-2 Non Proprietary Security Policy

Cisco 2811 and Cisco 2821 Routers

Physical Security

The router is entirely encased by a metal, opaque case. The rear of the unit contains HWIC/WIC/VIC
connectors, LAN connectors, a CF drive, power connector, console connector, auxiliary connector, USB
port, and fast Ethernet connectors. The front of the unit contains the system status and activity LEDs.
The top, side, and front portions of the chassis can be removed to allow access to the motherboard,
memory, AIM slot, and expansion slots.

Once the router has been configured to meet FIPS 140-2 Level 2 requirements, the router cannot be
accessed without signs of tampering. To seal the system, apply serialized tamper-evidence labels as
follows:

To apply serialized tamper-evidence labels to the Cisco 2811:

Step 1  Clean the cover of any grease, dirt, or oil before applying the tamper-evidence labels.
        Alcohol-based cleaning pads are recommended for this purpose. The temperature of the router
        should be above 10°C.
Step 2  The tamper-evidence label should be placed so that one half of the label covers the front
        panel and the other half covers the enclosure.
Step 3  The tamper-evidence label should be placed over the CF card in the slot so that any attempt
        to remove the card will show signs of tampering.
Step 4  The tamper-evidence label should be placed so that one half of the label covers the
        enclosure and the other half covers the port adapter slot.

Crypto Officer Services

During initial configuration of the router, the Crypto Officer password (the "enable" password) is
defined. A Crypto Officer can assign permission to access the Crypto Officer role to additional accounts,
thereby creating additional Crypto Officers.
The Crypto Officer role is responsible for the configuration and maintenance of the router. The Crypto
Officer services consist of the following:

- Configure the router—Define network interfaces and settings, create command aliases, set the
  protocols the router will support, enable interfaces and network services, set system date and time,
  and load authentication information.
- Define Rules and Filters—Create packet Filters that are applied to User data streams on each
  interface. Each Filter consists of a set of Rules, which define a set of packets to permit or deny based
  on characteristics such as protocol ID, addresses, ports, TCP connection establishment, or packet
  direction.
- View Status Functions—View the router configuration, routing tables, and active sessions; use gets to
  view SNMP MIB statistics, health, temperature, memory status, voltage, and packet statistics; review
  accounting logs; and view physical interface status.
- Manage the router—Log off users, shut down or reload the router, manually back up router
  configurations, view complete configurations, manage user rights, and restore router configurations.
- Set Encryption/Bypass—Set up the configuration tables for IP tunneling. Set keys and algorithms
  to be used for each IP range or allow plaintext packets to be sent from a specified IP address.
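
The "Define Rules and Filters" service above, modeled as an added example (not code from the Cisco policy or from IOS): a Filter is an ordered list of Rules bound to one interface and direction, and each Rule tests the characteristics the policy lists. The interface name, the addresses, first-match ordering and the final implicit deny are assumptions of this model.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Packet:                  # constructed packet summary, not a wire-format parser
    direction: str             # "in" or "out" relative to the interface
    proto: str                 # "tcp", "udp", "icmp"
    src: str
    dst: str
    dport: int = 0
    syn_only: bool = False     # True for a connection-opening TCP segment (SYN, no ACK)

@dataclass(frozen=True)
class Rule:
    action: str                # "permit" or "deny"
    proto: str = "ip"          # "ip" matches every protocol ID
    src: str = "0.0.0.0/0"
    dst: str = "0.0.0.0/0"
    dport: Optional[int] = None    # None matches any port
    established: bool = False      # True: only TCP segments of an existing connection

    def matches(self, p: Packet) -> bool:
        if self.proto not in ("ip", p.proto):
            return False
        if any(ipaddress.ip_address(addr) not in ipaddress.ip_network(net)
               for addr, net in ((p.src, self.src), (p.dst, self.dst))):
            return False
        if self.dport is not None and p.dport != self.dport:
            return False
        # An "established" rule never matches non-TCP traffic or an opening SYN.
        return not (self.established and (p.proto != "tcp" or p.syn_only))

# Constructed sample filter; "Fa0/0" and the documentation-range addresses are hypothetical.
FILTERS = {
    ("Fa0/0", "in"): [
        Rule("permit", "tcp", established=True),                # return traffic
        Rule("permit", "tcp", dst="192.0.2.10/32", dport=443),  # one published service
        Rule("deny", "udp", src="198.51.100.0/24"),             # explicit deny
    ],
}

def evaluate(iface: str, p: Packet, filters=FILTERS) -> str:
    """Return the action of the first matching Rule for this interface and direction."""
    rules = filters.get((iface, p.direction))
    if rules is None:
        return "permit"        # assumption: no Filter bound means traffic is not filtered
    # Assumption: a packet that matches no Rule is denied.
    return next((r.action for r in rules if r.matches(p)), "deny")
```

The unfiltered outbound direction in this model shows why a reviewer checks both the Rules and where each Filter is bound.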
OL-8663-01
