Cisco 2621 User Manual page 24

Modular access router security policy

Secure Operation of the Cisco 2651 Router
The Cisco 2651 router meets all the Level 2 requirements for FIPS 140-1. Follow the setting instructions
provided below to place the module in FIPS mode. Operating this router without maintaining the
following settings will remove the module from the FIPS approved mode of operation.
Initial Setup

Step 1
The Crypto Officer must apply tamper evidence labels as described in the "Physical Security" section on page 7 of this document. The Crypto Officer must securely store tamper evidence labels before use, and any tamper evidence labels not used should also be stored securely.

Step 2
Only a Crypto Officer may add and remove network modules. When removing the tamper evidence label, the Crypto Officer should remove the entire label from the router and clean the cover of any grease, dirt, or oil with an alcohol-based cleaning pad. The Crypto Officer must re-apply tamper evidence labels on the router as described in the "Physical Security" section on page 7.

Step 3
Only a Crypto Officer may add and remove WAN Interface Cards. When removing the tamper evidence label, the Crypto Officer should remove the entire label from the router and clean the cover of any grease, dirt, or oil with an alcohol-based cleaning pad. The Crypto Officer must re-apply tamper evidence labels on the router as described in the "Physical Security" section.

System Initialization and Configuration

Step 1
The Crypto Officer must perform the initial configuration. The IOS version shipped with the router, version 12.1(5)T, is the only allowable image. No other image may be loaded.

Step 2
The value of the boot field must be 0x0101 (the factory default). This setting disables break from the console to the ROM monitor and automatically boots the IOS image. From the "configure terminal" command line, the Crypto Officer enters the following syntax:

    config-register 0x0101

Step 3
The Crypto Officer must create the "enable" password for the Crypto Officer role. The password must be at least 8 characters and is entered when the Crypto Officer first engages the "enable" command. The Crypto Officer enters the following syntax at the "#" prompt:

    enable secret [PASSWORD]

Step 4
The Crypto Officer must always assign passwords (of at least 8 characters) to users. Identification and authentication of the console port is required for Users. From the "configure terminal" command line, the Crypto Officer enters the following syntax:

    line con 0
    password [PASSWORD]
    login local

Step 5
The Crypto Officer shall only assign users to a privilege level 1 (the default).

Step 6
The Crypto Officer shall not assign a command to any privilege level other than its default.

Cisco 2651 Modular Access Router Security Policy
78-13697-01
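
An added example, not part of the Cisco policy: a Python check that audits a saved configuration text against Steps 2 through 6 of "System Initialization and Configuration" above. The function name, the sample configuration and the assumption that sub-commands appear indented under "line con 0" are this example's own.

```python
import re

# Constructed sample configuration (not from a real device); values are placeholders.
SAMPLE = """\
config-register 0x2102
enable secret 5 HASH-PLACEHOLDER
username alice privilege 15 password 7 PLACEHOLDER
privilege exec level 5 show running-config
line con 0
 password 7 PLACEHOLDER
 login
line aux 0
"""

def audit_fips_config(config_text):
    """Audit configuration text against Steps 2-6; return a list of findings."""
    lines = [ln.rstrip() for ln in config_text.splitlines()]
    findings = []
    # Step 2: the boot field must be 0x0101.
    regs = [ln.split()[-1] for ln in lines if ln.startswith("config-register")]
    if not regs or not all(re.fullmatch(r"0x0*101", v, re.I) for v in regs):
        findings.append(f"step 2: boot field must be 0x0101, found {regs or 'none'}")
    # Step 3: an enable secret must be configured.
    if not any(ln.startswith("enable secret ") for ln in lines):
        findings.append("step 3: no enable secret")
    # Step 4: the console needs a password and "login local".
    # Assumption: sub-commands are indented under "line con 0".
    console, in_console = [], False
    for ln in lines:
        if ln == "line con 0":
            in_console = True
        elif in_console and ln.startswith(" "):
            console.append(ln.strip())
        else:
            in_console = False
    if not any(c.startswith("password ") for c in console):
        findings.append("step 4: console has no password")
    if "login local" not in console:
        findings.append("step 4: console lacks 'login local'")
    for ln in lines:
        # Step 5: users stay at privilege level 1 (the default).
        m = re.match(r"username (\S+) .*\bprivilege (\d+)", ln)
        if m and m.group(2) != "1":
            findings.append(f"step 5: user {m.group(1)} has privilege {m.group(2)}")
        # Step 6: a top-level "privilege" command moves a command to another level.
        if ln.startswith("privilege "):
            findings.append(f"step 6: command level changed: {ln}")
    return findings
```

Calling audit_fips_config(SAMPLE) returns one finding each for Steps 2, 4, 5 and 6; an empty list means the text passed every check. Stored secrets are normally hashed or encoded, so the 8-character minimum from Steps 3 and 4 cannot be verified this way.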
