Cisco 2651 User Manual

Non-proprietary security policy

Cisco 1721, 1760, 2621XM, 2651XM, 2691, 3725, and 3745 Modular Access Routers and 7206-VXR NPE-400 Router FIPS 140-2 Non-Proprietary Security Policy

Level 2 Validation
Version 2.4
November 19, 2004

Introduction

This is the non-proprietary Cryptographic Module Security Policy for the Cisco 1721, 1760, 2621XM, 2651XM, 2691, 3725, 3745, and 7206 VXR NPE-400 routers. This security policy describes how the routers meet the security requirements of FIPS 140-2, and how to operate the routers in a secure FIPS 140-2 mode. This policy was prepared as part of the Level 2 FIPS 140-2 certification of the routers.

FIPS 140-2 (Federal Information Processing Standards Publication 140-2—Security Requirements for Cryptographic Modules) details the U.S. Government requirements for cryptographic modules. More information about the FIPS 140-2 standard and validation program is available on the NIST website at http://csrc.nist.gov/cryptval/.

This document contains the following sections:

  • Introduction, page 1
  • The Cisco 1721, 1760, 2621XM, 2651XM, 2691, 3725, 3745, and 7206 VXR NPE-400 Routers, page 3
  • Secure Operation of the Cisco 1721, 1760, 2621XM, 2651XM, 2691, 3725, 3745, and 7206 VXR NPE-400 Routers, page 42
  • Related Documentation, page 44
  • Obtaining Documentation, page 45
  • Documentation Feedback, page 46

Corporate Headquarters:
Cisco Systems, Inc., 170 West Tasman Drive, San Jose, CA 95134-1706 USA
Copyright © 2004 Cisco Systems, Inc. All rights reserved.


Summary of Contents for Cisco 2651

  • Page 1: Security Policy

    The Cisco 1721, 1760, 2621XM, 2651XM, 2691, 3725, 3745, and 7206 VXR NPE-400 Routers, page 3 • Secure Operation of the Cisco 1721, 1760, 2621XM, 2651XM, 2691, 3725, 3745, and 7206 VXR NPE-400 Routers, page 42 • Related Documentation, page 44 •...
  • Page 2: Document Organization

    “Secure Operation of the Cisco 1721, 1760, 2621XM, 2651XM, 2691, 3725, 3745, and 7206 VXR NPE-400 Routers” section specifically addresses the required configuration for the FIPS-mode of operation. Cisco 1721, 1760, 2621XM, 2651XM, 2691, 3725, and 3745 Modular Access Routers and 7206-VXR NPE-400 Router FIPS 140-2 Non-Proprietary OL-6083-01...
  • Page 3: Table Of Contents

    Roles and Services, page 27 • Physical Security, page 29 • Cryptographic Key Management, page 36 • Self-Tests, page 42 ...
  • Page 4: The Cisco 1721/1760 Cryptographic Module

    Figure 2 demonstrates the proper application of the shield. Figure 2 Cisco 1760 Opacity Shield Application ...
  • Page 5: Cisco 1721 And 1760 Module Interfaces

    Cisco 1721 and 1760 Module Interfaces The interfaces for the router are located on the rear panel of the Cisco 1721 and the front panel of the Cisco 1760 as shown in...
  • Page 6 The front panel of the 1760 displays whether or not the router is booted, overall activity/link status, collision information, and specific information for each installed interface. ...
  • Page 7 2-port serial cards—Blinks when data is being sent to or received from the first port on the 2-port card in the WIC1 slot ...
  • Page 8 ISDN—On when the first ISDN B channel is connected; Serial, CSU/DSU, and VIC—Blinks when data is being sent to or received from port 0 in slot 1 ...
  • Page 9 WIC/VIC Interface LAN Port LEDs 10/100BASE-TX LAN Port LEDs Power LED Activity LED Console Port Auxiliary Port Power Plug Power Interface ...
  • Page 10: The Cisco 2621XM/2651XM Cryptographic Module

    [Figure residue: panel callouts for the 10/100BASE-T Ethernet 0/0 and 0/1 ports (RJ-45), network module, console port (RJ-45) and auxiliary port (RJ-45)] ...
  • Page 11 [Figure residue: panel callouts for the 10/100BASE-T Ethernet 0/0 and 0/1 ports (RJ-45), console port (RJ-45) and auxiliary port (RJ-45)] ...
  • Page 12 1. RPS = Redundant Power System All of these physical interfaces are separated into the logical interfaces from FIPS 140-2 as described in Table ...
  • Page 13: The Cisco 2691 Cryptographic Module

    [Figure residue: chassis label text "SEE MANUAL BEFORE INSTALLATION"] ...
  • Page 14: Cisco 2691 Module Interfaces

    Network Module (just as they don't pass through the LAN ports). Network modules do not perform any cryptographic functions. ...
  • Page 15 The speed of the interface is 10 Mbps or no link is established The Flash device is being accessed in either READ or WRITE mode The Flash device is not being accessed ...
  • Page 16 System activity All of these physical interfaces are separated into the logical interfaces from FIPS 140-2 as described in Table ...
  • Page 17 Network Module Interface LAN Port LEDs 10/100BASE-TX LAN Port LEDs Power LED Activity LED Console Port Auxiliary Port Power Plug Power Interface ...
  • Page 18: The Cisco 3725/3745 Cryptographic Module

    Cisco 3725 and 3745 Module Interfaces The interfaces for the router are located on the rear panel as shown in Figure ...
  • Page 19 All Cisco 3700 series routers include an auxiliary port supporting 115Kbps Dial-On-Demand Routing, ideal for back-up WAN connectivity. ...
  • Page 20 [Figure residue: panel labels "SEE MANUAL BEFORE INSTALLATION", FastEthernet 0/0, FastEthernet 0/1, ETM, NPA, AIM0, AIM1, POWER SYSTEM] ...
  • Page 21 Reserved for future development AIM0 Solid green Advanced Integration Module (AIM) present and enabled Amber AIM present with failure AIM1 AIM not present ...
  • Page 22 Blinking green Running ROM monitor with no errors detected Amber Router is receiving power but malfunctioning Router is not receiving power ...
  • Page 23 Compact Flash slot 10/100BASE-TX LAN Port Control Input Interface WIC Interface Network Module Interface Power Switch Console Port Auxiliary Port ...
  • Page 24: The Cisco 7206 VXR NPE-400 Cryptographic Module

    (I/O) controller, and one slot for a network processing engine or network services engine. ...
  • Page 25: Cisco 7206 VXR NPE-400 Module Interfaces

  • Page 26 If the port is configured for 10-Mbps operation, or if it is configured for autonegotiation and the port has detected a valid link at 10 Mbps, the LED remains off. ...
  • Page 27: Roles And Services

    “Secure Operation of the Cisco 1721, 1760, 2621XM, 2651XM, 2691, 3725, 3745, and 7206 VXR NPE-400 Routers” section on page 42 for more information. ...
  • Page 28: Crypto Officer Services

    Terminal Functions—adjust the terminal session (e.g., lock the terminal, adjust flow control) • Directory Services—display directory of files kept in flash memory ...
  • Page 29: Physical Security

    Any attempt to remove the enclosure will leave tamper evidence. ...
  • Page 30 Network Module slot. Any attempt to remove a Network Module will leave tamper evidence. ...
  • Page 31 WAN interface card slot. Any attempt to remove a WAN interface card will leave tamper evidence. ...
  • Page 32 WAN interface card slot. Any attempt to remove a WAN interface card will leave tamper evidence. ...
  • Page 33 Compact Flash slot. Any attempt to remove a CF card will leave tamper evidence. The labels completely cure within five minutes. Step 12 ...
  • Page 34 Step 10 so that one half of the label covers the enclosure and the other half covers the network processing engine. ...
  • Page 35 The word "OPEN" may appear if the label was peeled back. ...
  • Page 36: Cryptographic Key Management

    CSP 11 This key generates keys 3, 4, 5 and 6. This key is zeroized after generating those keys. DRAM (plaintext) ...
  • Page 37 One can turn off the router to zeroize this key because it is stored in DRAM. (plaintext) ...
  • Page 38 Table Table 19 Role and Service Access to CSPs SRDI/Role/Service Access Policy Security Relevant Data Item CSP 1 CSP 2 ...
  • Page 39 CSP 5 CSP 6 CSP 7 CSP 8 CSP 9 CSP 10 CSP 11 CSP 12 CSP 13 CSP 14 ...
  • Page 40 CSP 17 CSP 18 CSP 19 CSP 20 CSP 21 CSP 22 CSP 23 CSP 24 CSP 25 CSP 26 ...
  • Page 41 Officer needs to be authenticated to store keys. All Diffie-Hellman (DH) keys agreed upon for individual tunnels are directly associated with that specific tunnel only via the IKE protocol. ...
  • Page 42: Self-Tests

    FIPS mode. Operating these routers without maintaining the following settings will remove the module from the FIPS approved mode of operation. ...
  • Page 43: Initial Setup

    The Crypto Officer must perform the initial configuration. Cisco IOS version 12.3(3d) is the only allowable image; no other image may be loaded. For Cisco 1700, 2600, and 3700 series routers, the value of the boot field must be 0x0101. For Cisco •...
  • Page 44: Remote Access

    Software Configuration Guide for Cisco 2600 Series, Cisco 3600 Series, and Cisco 3700 Series Routers • Cisco 3725 Router Quick Start Guide • Cisco 3745 Router Quick Start Guide ...
  • Page 45: Obtaining Documentation

    Cisco Systems Corporate Headquarters (California, USA) at 408 526-7208 or, elsewhere in North America, by calling 800 553-NETS (6387). ...
  • Page 46: Documentation Feedback

    Internet access, contact Cisco TAC by telephone. Cisco TAC engineers are assigned immediately to P1 and P2 cases to help keep your business operations running smoothly. ...
  • Page 47: Obtaining Additional Publications And Information

    You can access Packet magazine at this URL: http://www.cisco.com/packet ...
  • Page 48 You can access the Internet Protocol Journal at this URL: http://www.cisco.com/ipj Training—Cisco offers world-class networking training. Current offerings in network training are listed at this URL: http://www.cisco.com/en/US/learning/index.html ...

This manual is also suitable for:

1721, 1760, 2621xm, 2651xm, 2691, 3725 ...