Cisco 2621 User Manual

Modular access router security policy

Cisco 2621 Modular Access Router Security
Policy
Introduction
This is a non-proprietary Cryptographic Module Security Policy for the Cisco 2621 router. This security
policy describes how the 2621 router meets the security requirements of FIPS 140-1, and how to operate
the 2621 router in a secure FIPS 140-1 mode. This policy was prepared as part of the Level 2 FIPS 140-1
certification of the 2621 router.
Note: This document may be copied in its entirety and without modification. All copies must include the
copyright notice and statements on the last page.
FIPS 140-1 (Federal Information Processing Standards Publication 140-1, Security Requirements for
Cryptographic Modules) details the U.S. Government requirements for cryptographic modules. More
information about the FIPS 140-1 standard and validation program is available on the NIST website at:
http://csrc.nist.gov/cryptval/
This document contains the following sections:
Introduction, page 1
Cisco 2621 Modular Access Routers, page 2
Secure Operation of the Cisco 2621 Router, page 10
Obtaining Documentation, page 11
Obtaining Technical Assistance, page 12
Corporate Headquarters:
Cisco Systems, Inc., 170 West Tasman Drive, San Jose, CA 95134-1706 USA
Copyright © 2001. Cisco Systems, Inc. All rights reserved.

Summary of Contents for Cisco 2621

  • Page 1 2621 router meets the security requirements of FIPS 140-1, and how to operate the 2621 router in a secure FIPS 140-1 mode. This policy was prepared as part of the Level 2 FIPS 140-1 certification of the 2621 router.
  • Page 2: Document Organization

    Cisco 2621 Modular Access Routers References This document deals only with operations and capabilities of the 2621 router in the technical terms of a FIPS 140-1 cryptographic module security policy. More information is available on the 2621 router and the entire 2600 Series from the following sources: •...
  • Page 3: Module Interfaces

    Remote Access WANs via IPSec, Layer 2 Forwarding (L2F) and Layer 2 Tunneling Protocols (L2TP) make the Cisco 2600 an ideal platform for building virtual private networks or outsourced dial solutions. Cisco 2600's RISC-based processor...
  • Page 4 The AIM slot supports integration of advanced services such as hardware-assisted data compression and encryption. All Cisco 2600 series routers include an auxiliary port supporting 115Kbps Dial On Demand Routing, ideal for back-up WAN connectivity.
  • Page 5 500 ms OFF, 2 sec between codes) Blink (less than 500 ms) In the Cisco IOS software, the blink rate reflects the level of activity All of these physical interfaces are separated into the logical interfaces from FIPS as described in the...
  • Page 6: Roles And Services

    An administrator of the router may assign permission to access the Administrator role to additional accounts, thereby creating additional administrators. At the highest level, Crypto Officer services include the following: Cisco 2621 Modular Access Router Security Policy 78-13824-01...
  • Page 7: User Services

    Section 3.1, Number 3 of this document. A complete description of all the management and configuration capabilities of the Cisco 2621 router can be found in the Performing Basic System Management manual and in the online help for the router.
  • Page 8 WAN interface card slot. Any attempt to remove a WAN interface card will leave tamper evidence. The labels completely cure within five minutes. Step 7 Cisco 2621 Modular Access Router Security Policy 78-13824-01...
  • Page 9: Cryptographic Key Management

    Crypto Officer. Keys are exchanged manually and entered electronically via manual key exchange or Internet Key Exchange (IKE). The 2621 router supports the following FIPS-approved algorithms: DES, 3DES, and SHA-1. These algorithms received certification numbers 74, 17, and 26 respectively.
  • Page 10: Initial Setup

    Secure Operation of the Cisco 2621 Router Secure Operation of the Cisco 2621 Router The Cisco 2621 router meets all the Level 2 requirements for FIPS 140-1. Follow the setting instructions provided below to place the module in FIPS mode. Operating this router without maintaining the following settings will remove the module from the FIPS approved mode of operation.
  • Page 11: Remote Access

    IPSec. Obtaining Documentation The following sections provide sources for obtaining documentation from Cisco Systems. World Wide Web You can access the most current Cisco documentation on the World Wide Web at the following sites: http://www.cisco.com • • http://www-china.cisco.com •...
  • Page 12: Documentation Cd-Rom

    800 553-NETS(6387). Documentation Feedback If you are reading Cisco product documentation on the World Wide Web, you can submit technical comments electronically. Click Feedback in the toolbar and select Documentation. After you complete the form, click Submit to send it to Cisco.
  • Page 13: Technical Assistance Center

    P4—You need information or assistance on Cisco product capabilities, product installation, or basic • product configuration. In each of the above cases, use the Cisco TAC website to quickly find answers to your questions. To register for Cisco.com, go to the following website: http://www.cisco.com/register/ If you cannot resolve your technical issue by using the TAC online resources, Cisco.com registered users...
  • Page 14 RateMUX, ScriptBuilder, ScriptShare, SlideCast, SMARTnet, TransPath, Unity, Voice LAN, Wavelength Router, and WebViewer are trademarks of Cisco Systems, Inc.; Changing the Way We Work, Live, Play, and Learn, Discover All That’s Possible, and Empowering the Internet Generation, are service marks of Cisco Systems, Inc.; and Aironet, ASIST, BPX, Catalyst, CCDA, CCDP, CCIE, CCNA, CCNP, Cisco, the Cisco Certified...
  • Page 15 Cisco 2651 router meets the security requirements of FIPS 140-1, and how to operate the Cisco 2651 router in a secure FIPS 140-1 mode. This policy was prepared as part of the Level 2 FIPS 140-1 certification of the Cisco 2651 router.
  • Page 16 Terminology In this document, the Cisco 2651 router is referred to as the router, the module, or the system. Document Organization The Security Policy document is part of the complete FIPS 140-1 Submission Package. In addition to this document, the complete Submission Package contains: •...
  • Page 17 Remote Access WANs via IPSec, Layer 2 Forwarding (L2F) and Layer 2 Tunneling Protocols (L2TP) make the Cisco 2600 an ideal platform for building virtual private networks or outsourced dial solutions. Cisco 2600's RISC-based processor...
  • Page 18 Cisco 2651 Modular Access Routers The Cisco 2600 series features single or dual fixed LAN interfaces, a network module slot, two Cisco WAN interface card (WIC) slots, and a new Advanced Integration Module (AIM) slot. LAN support includes single and dual Ethernet options; 10/100 Mbps auto-sensing Ethernet; mixed Token-Ring and Ethernet;...
  • Page 19 500 ms OFF, 2 sec between codes) Blink (less than 500 ms) In the Cisco IOS software, the blink rate reflects the level of activity All of these physical interfaces are separated into the logical interfaces from FIPS as described in the...
  • Page 20 Power Interface *The auxiliary port must be disabled in FIPS mode. See the “Secure Operation of the Cisco 2651 Router” section on page In addition to the built-in interfaces, the router also has approximately 70 network modules that can optionally be placed in an available slot. These network modules have many embodiments, including multiple Ethernet, token ring, and modem cards to handle frame relay, ATM, and ISDN connections.
  • Page 21 “Physical Security” section on page 7 of this document. A complete description of all the management and configuration capabilities of the Cisco 2651 router can be found in the Performing Basic System Management manual and in the online help for the router.
  • Page 22 WAN interface card slot. Any attempt to remove a WAN interface card will leave tamper evidence. The labels completely cure within five minutes. Step 7 Cisco 2651 Modular Access Router Security Policy 78-13697-01...
  • Page 23 Internet Key Exchange (IKE). The Cisco 2651 router contains a cryptographic accelerator card, which provides DES (56-bit) and 3DES (168-bit) IPSec encryption at up to 32Mbps (3DES, 96Mbps DES), MD5 and SHA-1 hashing, and has hardware support for DH, RSA, and DSA key generation.
  • Page 24 Secure Operation of the Cisco 2651 Router Secure Operation of the Cisco 2651 Router The Cisco 2651 router meets all the Level 2 requirements for FIPS 140-1. Follow the setting instructions provided below to place the module in FIPS mode. Operating this router without maintaining the following settings will remove the module from the FIPS approved mode of operation.
  • Page 25 IPSec. Network Modules and WAN Interface Cards With over 70 modular interface options, the Cisco 2651 provides solutions for data, voice, video, hybrid dial access, virtual private networks (VPNs), and multi-protocol data routing. The high-performance, modular architecture protects customers' investment in network technology and integrates the functions of several devices into a single, manageable solution.
  • Page 26: Network Modules

    LAN ports. Furthermore, network modules do not perform any cryptographic functions. The Cisco 2651 block diagram clearly depicts the distinction between the network module slot and the AIM socket. The block diagram for the crypto card clearly delineates that the network modules and network module expansion bus have no direct interaction with the crypto card.
  • Page 27 NM-4B-S/T= 4-Port ISDN-BRI with NT-1 Network Module NM-4B-U 4-Port ISDN-BRI with NT-1 Network Module NM-4B-U= 8-Port Async/Sync Serial Network Module NM-8A/S 8-Port Async/Sync Serial Network Module NM-8A/S= 8-Port ISDN-BRI Network Module NM-8B-S/T Cisco 2651 Modular Access Router Security Policy 78-13697-01...
  • Page 28 8-port T1 ATM Network Module with IMA NM-8T1-IMA 8-port T1 ATM Network Module with IMA NM-8T1-IMA= 16 Port Analog Modem Network Module NM-16AM 16 Port Analog Modem Network Module Spare NM-16AM= Blank Network Module Panel NM-BLANK-PANEL= Cisco 2651 Modular Access Router Security Policy 78-13697-01...
  • Page 29 Two-Slot Voice/fax Network Module NM-2V Two-Slot Voice/fax Network Module-Spare NM-2V= Voice/Fax Interface Card for Voice/Fax Modules Supported Cisco 2600 Voice/Fax Interface Card for Voice/Fax Modules Part Number Two-port Voice Interface Card - FXS VIC-2FXS Two-port Voice Interface Card - FXS-Spare...
  • Page 30 Tables of Supported Cards Cisco 2600 Voice/Fax Interface Card for Voice/Fax Modules Part Number Two-port Voice Interface Card - FXO (for Australia) VIC-2FXO-M3= Two-port Voice Interface Card - BRI (Terminal) VIC-2BRI-S/T-TE Two-port Voice Interface Card - BRI (Terminal) VIC-2BRI-S/T-TE= Multiflex Voice / WAN interface Cards Supported...
  • Page 31 2-Port Async/Sync Serial WAN interface card spare WIC-2A/S= Obtaining Documentation The following sections provide sources for obtaining documentation from Cisco Systems. World Wide Web You can access the most current Cisco documentation on the World Wide Web at the following sites: • http://www.cisco.com • http://www-china.cisco.com •...
  • Page 32 Technical Assistance Center The Cisco TAC website is available to all customers who need technical assistance with a Cisco product or technology that is under warranty or covered by a maintenance contract. Contacting TAC by Using the Cisco TAC Website...
  • Page 33 RateMUX, ScriptBuilder, ScriptShare, SlideCast, SMARTnet, TransPath, Unity, Voice LAN, Wavelength Router, and WebViewer are trademarks of Cisco Systems, Inc.; Changing the Way We Work, Live, Play, and Learn, Discover All That’s Possible, and Empowering the Internet Generation, are service marks of Cisco Systems, Inc.; and Aironet, ASIST, BPX, Catalyst, CCDA, CCDP, CCIE, CCNA, CCNP, Cisco, the Cisco Certified...
  • Page 34 Obtaining Technical Assistance Cisco 2651 Modular Access Router Security Policy 78-13697-01...