Cisco 7206VXR NPE-400 Instructions Manual

Cisco systems router instructions


FIPS 140-2 Nonproprietary Security Policy for
Cisco 7206VXR NPE-400 Router with VAM
Introduction
This is a non-proprietary Cryptographic Module Security Policy for Cisco Systems. This security policy
describes how the 7206 VXR NPE-400 with VPN Acceleration Module (VAM) (Hardware Version:
7206-VXR; VAM: Hardware Version 1.0, Board Version A0; Firmware Version: Cisco IOS software
Version 12.3(3d)) meets the security requirements of FIPS 140-2 and how to run the module in a secure
FIPS 140-2 mode. This policy was prepared as part of the Level 2 FIPS 140-2 validation of the module.
Note: This document may be copied in its entirety and without modification. All copies must include the
copyright notice and statements on the last page.
FIPS 140-2 (Federal Information Processing Standards Publication 140-2 — Security Requirements for
Cryptographic Modules) details the U.S. Government requirements for cryptographic modules. More
information about the FIPS 140-2 standard and validation program is available on the NIST website at
http://csrc.nist.gov/cryptval/.
Corporate Headquarters:
Cisco Systems, Inc., 170 West Tasman Drive, San Jose, CA 95134-1706 USA
Copyright © 2004 Cisco Systems, Inc. All rights reserved.
This document includes the following sections:
Introduction, page 1
FIPS 140-2 Submission Package, page 2
Overview, page 2
Cryptographic Module, page 3
Module Interfaces, page 3
Roles and Services, page 6
Physical Security, page 8
Cryptographic Key Management, page 9
Self-Tests, page 15
Secure Operation, page 16
Obtaining Documentation, page 17


Summary of Contents for Cisco 7206VXR NPE-400

  • Page 1 Cisco 7206VXR NPE-400 Router with VAM Introduction This is a non-proprietary Cryptographic Module Security Policy for Cisco Systems. This security policy describes how the 7206 VXR NPE-400 with VPN Acceleration Module (VAM) (Hardware Version: 7206-VXR; VAM: Hardware Version 1.0, Board Version A0; Firmware Version: Cisco IOS software Version 12.3(3d)) meets the security requirements of FIPS 140-2 and how to run the module in a secure...
  • Page 2 • With the exception of this Non-Proprietary Security Policy, the FIPS 140-2 Validation Submission Documentation is proprietary to Cisco Systems, Inc. and is releasable only under appropriate non-disclosure agreements. For access to these documents, contact Cisco Systems, Inc. See the "Technical Assistance" section on page...
  • Page 3: Cryptographic Module

    I/O controller The Cisco 7206VXR NPE-400 uses an RM7000 microprocessor that operates at an internal clock speed of 350 MHz. The NPE-400 uses SDRAM for storing all packets received or sent from network interfaces. The SDRAM memory array in the system allows concurrent access by port adapters and the processor.
  • Page 4 Cisco 7206VXR Router Front Panel LEDs C7200-I/O-2FE/E Enabled IO POWER OK Amber Slot 0 Slot 1 FIPS 140-2 Nonproprietary Security Policy for Cisco 7206VXR NPE-400 Router with VAM DUAL FAST ETHERNET INPUT/OUTPUT CONTROLLER Indication Description Green Indicates that the network processing engine or network services engine and the I/O controller are enabled for operation by the system;...
  • Page 5 Indicates the VAM is booting or a packet is being encrypted or decrypted. Indicates an encryption error has occurred. This LED is normally off. FIPS 140-2 Nonproprietary Security Policy for Cisco 7206VXR NPE-400 Router with VAM Module Interfaces ENCRYPT/COMP SA-VAM...
  • Page 6: Roles And Services

    Crypto Officer role. The module supports RADIUS and TACACS+ for authentication and they are used in the FIPS mode. See the information. FIPS 140-2 Nonproprietary Security Policy for Cisco 7206VXR NPE-400 Router with VAM FIPS 140-2 Logical Interface Data Input Interface...
  • Page 7: Crypto Officer Role

    Terminal Functions: Adjusts the terminal session (e.g., lock the terminal, adjust flow control) • Directory Services: Displays directory of files kept in flash memory • OL-3959-01 “Secure Operation” section on page 16 FIPS 140-2 Nonproprietary Security Policy for Cisco 7206VXR NPE-400 Router with VAM Roles and Services for more...
  • Page 8: Physical Security

    The tamper evidence label should be placed so that one half of the label covers the enclosure and the Step 12 other half covers the redundant power supply plate. Allow the labels to cure for five minutes. Step 13 FIPS 140-2 Nonproprietary Security Policy for Cisco 7206VXR NPE-400 Router with VAM Figure 4 OL-3959-01...
  • Page 9: Cryptographic Key Management

    (MII receptacle and RJ-45 receptacle) filler plate AC-input Network processing engine power supply or network services engine Power switch FIPS 140-2 Nonproprietary Security Policy for Cisco 7206VXR NPE-400 Router with VAM Cryptographic Key Management Port adapters ETHERNET-10BFL FAST ETHERNET INPUT/OUTPUT CONTROLLER Auxiliary Console...
  • Page 10 CSP9 CSP10 CSP11 CSP12 CSP13 FIPS 140-2 Nonproprietary Security Policy for Cisco 7206VXR NPE-400 Router with VAM Description This is the seed key for X9.31 PRNG. This key is stored in DRAM and updated periodically after the generation of 400 bytes;...
  • Page 11 DRAM and not zeroized at runtime. One can turn off the router to zeroize this key because it is stored in DRAM. FIPS 140-2 Nonproprietary Security Policy for Cisco 7206VXR NPE-400 Router with VAM Cryptographic Key Management Storage...
  • Page 12 The services accessing the CSPs, the type of access and which role accesses the CSPs are listed in the Figure FIPS 140-2 Nonproprietary Security Policy for Cisco 7206VXR NPE-400 Router with VAM Description This key is used by the router to authenticate itself to the peer.
  • Page 13 Cryptographic Key Management Figure 6 Role and Service Access to CSPs FIPS 140-2 Nonproprietary Security Policy for Cisco 7206VXR NPE-400 Router with VAM OL-3959-01...
  • Page 14 The Crypto Officer needs to be authenticated to store keys. All Diffie-Hellman (DH) keys agreed upon for individual tunnels are directly associated with that specific tunnel only via the IKE protocol. FIPS 140-2 Nonproprietary Security Policy for Cisco 7206VXR NPE-400 Router with VAM OL-3959-01...
  • Page 15: Key Zeroization

    RSA signature KAT (both signature and verification) – DES KAT – TDES KAT SHA-1 KAT – HMAC-SHA-1 KAT – PRNG KAT – Conditional tests • Pairwise consistency test on RSA signature – OL-3959-01 FIPS 140-2 Nonproprietary Security Policy for Cisco 7206VXR NPE-400 Router with VAM Self-Tests...
  • Page 16: Secure Operation

    – Secure Operation The Cisco 7206VXR NPE-400 router with a single VPN Acceleration Module (VAM) meets all the Level 2 requirements for FIPS 140-2. Follow the setting instructions provided below to place the module in FIPS mode of operation. Operating this router without maintaining the appropriate settings will remove the module from the FIPS approved mode of operation.
  • Page 17: Remote Access

    These sections explain how to obtain technical information from Cisco Systems. Cisco.com You can access the most current Cisco documentation at this URL: http://www.cisco.com/univercd/home/home.htm OL-3959-01 FIPS 140-2 Nonproprietary Security Policy for Cisco 7206VXR NPE-400 Router with VAM Obtaining Documentation...
  • Page 18: Ordering Documentation

    Nonregistered Cisco.com users can order documentation through a local account representative by • calling Cisco Systems Corporate Headquarters (California, USA) at 408 526-7208 or, elsewhere in North America, by calling 800 553-NETS (6387). Documentation Feedback You can send comments about technical documentation to bug-doc@cisco.com.
  • Page 19: Cisco Technical Support Website

    Severity 4 (S4)—You require information or assistance with Cisco product capabilities, installation, or configuration. There is little or no effect on your business operations. OL-3959-01 FIPS 140-2 Nonproprietary Security Policy for Cisco 7206VXR NPE-400 Router with VAM Obtaining Technical Assistance...
  • Page 20: Obtaining Additional Publications And Information

    • Cisco Marketplace, the company store, at this URL: http://www.cisco.com/go/marketplace/ The Cisco Product Catalog describes the networking products offered by Cisco Systems, as well as • ordering and customer support services. Access the Cisco Product Catalog at this URL: http://cisco.com/univercd/cc/td/doc/pcat/ Cisco Press publishes a wide range of general networking, training and certification titles.
  • Page 21 CCSP, the Cisco Square Bridge logo, Cisco Unity, Follow Me Browsing, FormShare, and StackWise are trademarks of Cisco Systems, Inc.; Changing the Way We Work, Live, Play, and Learn, and iQuick Study are service marks of Cisco Systems, Inc.; and Aironet, ASIST, BPX, Catalyst, CCDA, CCDP, CCIE, CCIP, CCNA, CCNP, Cisco, the Cisco...
  • Page 22 Obtaining Additional Publications and Information FIPS 140-2 Nonproprietary Security Policy for Cisco 7206VXR NPE-400 Router with VAM OL-3959-01...