Cisco 2651 User Manual

Non-proprietary security policy

Hide thumbs

Table Of Contents

Table of Contents

Quick Links

Download this manual

The Cisco 1721, 1760, 2621Xm, 2651Xm, 2691, 3725, 3745, and

Cisco 2621Xm and 2651Xm Module Interfaces

Cisco 3725 and 3745 Module Interfaces

The Cisco 3725/3745 Cryptographic Module

Initial Setup

Cisco 1721, 1760, 2621XM, 2651XM, 2691, 3725,

and 3745 Modular Access Routers and 7206-VXR

NPE-400 Router FIPS 140-2 Non-Proprietary

Security Policy

Level 2 Validation

Version 2.4

November 19, 2004

Introduction

This is the non-proprietary Cryptographic Module Security Policy for the Cisco 1721, 1760, 2621XM,

2651XM, 2691, 3725, 3745, and 7206 VXR NPE-400 routers. This security policy describes how the

routers meet the security requirements of FIPS 140-2, and how to operate the routers in a secure FIPS

140-2 mode. This policy was prepared as part of the Level 2 FIPS 140-2 certification of the routers.

FIPS 140-2 (Federal Information Processing Standards Publication 140-2—Security Requirements for

Cryptographic Modules) details the U.S. Government requirements for cryptographic modules. More

information about the FIPS 140-2 standard and validation program is available on the NIST website at

http://csrc.nist.gov/cryptval/.

This document contains the following sections:

•

Corporate Headquarters:

Cisco Systems, Inc., 170 West Tasman Drive, San Jose, CA 95134-1706 USA

Introduction, page 1

The Cisco 1721, 1760, 2621XM, 2651XM, 2691, 3725, 3745, and 7206 VXR NPE-400 Routers,

page 3

Secure Operation of the Cisco 1721, 1760, 2621XM, 2651XM, 2691, 3725, 3745, and 7206 VXR

NPE-400 Routers, page 42

Summary of Contents for Cisco 2651

Page 1: Security Policy
The Cisco 1721, 1760, 2621XM, 2651XM, 2691, 3725, 3745, and 7206 VXR NPE-400 Routers, • page 3 Secure Operation of the Cisco 1721, 1760, 2621XM, 2651XM, 2691, 3725, 3745, and 7206 VXR • NPE-400 Routers, page 42 Related Documentation, page 44 •...
Page 2: Document Organization
“Secure Operation of the Cisco 1721, 1760, 2621XM, 2651XM, 2691, 3725, 3745, and 7206 VXR NPE-400 Routers” section specifically addresses the required configuration for the FIPS-mode of operation. Cisco 1721, 1760, 2621XM, 2651XM, 2691, 3725, and 3745 Modular Access Routers and 7206-VXR NPE-400 Router FIPS 140-2 Non-Proprietary OL-6083-01...
Page 3: Table Of Contents
Roles and Services, page 27 • Physical Security, page 29 • Cryptographic Key Management, page 36 • Self-Tests, page 42 • Cisco 1721, 1760, 2621XM, 2651XM, 2691, 3725, and 3745 Modular Access Routers and 7206-VXR NPE-400 Router FIPS 140-2 Non-Proprietary OL-6083-01...
Page 4: The Cisco 1721/1760 Cryptographic Module
Figure 2 demonstrates the proper application of the shield. Figure 2 Cisco 1760 Opacity Shield Application Cisco 1721, 1760, 2621XM, 2651XM, 2691, 3725, and 3745 Modular Access Routers and 7206-VXR NPE-400 Router FIPS 140-2 Non-Proprietary OL-6083-01...
Page 5: Cisco 1721 And 1760 Module Interfaces
Cisco 1721 and 1760 Module Interfaces The interfaces for the router are located on the rear panel of the Cisco 1721 and the front panel of the Cisco 1760 as shown in...
Page 6 The front panel of the 1760 displays whether or not the router is booted, overall activity/link status, collision information, and specific information for each installed interface. Cisco 1721, 1760, 2621XM, 2651XM, 2691, 3725, and 3745 Modular Access Routers and 7206-VXR NPE-400 Router FIPS 140-2 Non-Proprietary OL-6083-01...
Page 7 2-port serial cards—Blinks when data is being sent to or received from the first port on the 2-port card in the WIC1 slot Cisco 1721, 1760, 2621XM, 2651XM, 2691, 3725, and 3745 Modular Access Routers and 7206-VXR NPE-400 Router FIPS 140-2 Non-Proprietary OL-6083-01...
Page 8 ISDN—On when the first ISDN B channel is connected Serial, CSU/DSU, and VIC—Blinks when data is being sent to or received from port 0 in slot 1 Cisco 1721, 1760, 2621XM, 2651XM, 2691, 3725, and 3745 Modular Access Routers and 7206-VXR NPE-400 Router FIPS 140-2 Non-Proprietary OL-6083-01...
Page 9 WIC/VIC Interface LAN Port LEDs 10/100BASE-TX LAN Port LEDs Power LED Activity LED Console Port Auxiliary Port Power Plug Power Interface Cisco 1721, 1760, 2621XM, 2651XM, 2691, 3725, and 3745 Modular Access Routers and 7206-VXR NPE-400 Router FIPS 140-2 Non-Proprietary OL-6083-01...
Page 10: The Cisco 2621Xm/2651Xm Cryptographic Module
ETHERNET 0 ACT CONSOLE 10/100BASE-T Ethernet 0/1 (RJ-45) 10/100BASE-T Network Auxiliary port Ethernet 0/0 module (RJ-45) Console (RJ-45) port (RJ-45) Cisco 1721, 1760, 2621XM, 2651XM, 2691, 3725, and 3745 Modular Access Routers and 7206-VXR NPE-400 Router FIPS 140-2 Non-Proprietary OL-6083-01...
Page 11 10/1 00 ETH ERN ET 0/0 CON SOL E 10/100BASE-T Auxiliary 10/100BASE-T Ethernet 0/0 port (RJ-45) Ethernet 0/1 (RJ-45) (RJ-45) Console port (RJ-45) Cisco 1721, 1760, 2621XM, 2651XM, 2691, 3725, and 3745 Modular Access Routers and 7206-VXR NPE-400 Router FIPS 140-2 Non-Proprietary OL-6083-01...
Page 12 1. RPS = Redundant Power System All of these physical interfaces are separated into the logical interfaces from FIPS 140-2 as described in Table Cisco 1721, 1760, 2621XM, 2651XM, 2691, 3725, and 3745 Modular Access Routers and 7206-VXR NPE-400 Router FIPS 140-2 Non-Proprietary OL-6083-01...
Page 13: The Cisco 2691 Cryptographic Module
SEE MAN UAL BEF DS U ORE INS TAL LAT ION SEE MAN UAL BEF ORE INS TAL LAT ION Cisco 1721, 1760, 2621XM, 2651XM, 2691, 3725, and 3745 Modular Access Routers and 7206-VXR NPE-400 Router FIPS 140-2 Non-Proprietary OL-6083-01...
Page 14: Cisco 2691 Module Interfaces
Network Module (just as they don't pass through the LAN ports). Network modules do not perform any cryptographic functions. Cisco 1721, 1760, 2621XM, 2651XM, 2691, 3725, and 3745 Modular Access Routers and 7206-VXR NPE-400 Router FIPS 140-2 Non-Proprietary OL-6083-01...
Page 15 The speed of the interface is 10 Mbps or no link is established The Flash device is being accessed in either READ or WRITE mode The Flash device is not being accessed Cisco 1721, 1760, 2621XM, 2651XM, 2691, 3725, and 3745 Modular Access Routers and 7206-VXR NPE-400 Router FIPS 140-2 Non-Proprietary OL-6083-01...
Page 16 System activity All of these physical interfaces are separated into the logical interfaces from FIPS 140-2 as described in Table Cisco 1721, 1760, 2621XM, 2651XM, 2691, 3725, and 3745 Modular Access Routers and 7206-VXR NPE-400 Router FIPS 140-2 Non-Proprietary OL-6083-01...
Page 17 Network Module Interface LAN Port LEDs 10/100BASE-TX LAN Port LEDs Power LED Activity LED Console Port Auxiliary Port Power Plug Power Interface Cisco 1721, 1760, 2621XM, 2651XM, 2691, 3725, and 3745 Modular Access Routers and 7206-VXR NPE-400 Router FIPS 140-2 Non-Proprietary OL-6083-01...
Page 18: The Cisco 3725/3745 Cryptographic Module
Cisco 3725 and 3745 Module Interfaces The interfaces for the router are located on the rear panel as shown in Figure Cisco 1721, 1760, 2621XM, 2651XM, 2691, 3725, and 3745 Modular Access Routers and 7206-VXR NPE-400 Router FIPS 140-2 Non-Proprietary OL-6083-01...
Page 19 All Cisco 3700 series routers include an auxiliary port supporting 115Kbps Dial-On-Demand Routing, ideal for back-up WAN connectivity. Cisco 1721, 1760, 2621XM, 2651XM, 2691, 3725, and 3745 Modular Access Routers and 7206-VXR NPE-400 Router FIPS 140-2 Non-Proprietary OL-6083-01...
Page 20 UAL BEF ORE INS TAL LAT ION FastEthernet 0/1 FastEthernet 0/0 ETM NPA AIM1 AIM0 FastEthernet 0/0 FastEthernet 0/1 POWER SYSTEM Cisco 1721, 1760, 2621XM, 2651XM, 2691, 3725, and 3745 Modular Access Routers and 7206-VXR NPE-400 Router FIPS 140-2 Non-Proprietary OL-6083-01...
Page 21 Reserved for future development AIM0 Solid green Advanced Integration Module (AIM) present and enabled Amber AIM present with failure AIM1 AIM not present Cisco 1721, 1760, 2621XM, 2651XM, 2691, 3725, and 3745 Modular Access Routers and 7206-VXR NPE-400 Router FIPS 140-2 Non-Proprietary OL-6083-01...
Page 22 Blinking green Running ROM monitor with no errors detected Amber Router is receiving power but malfunctioning Router is not receiving power Cisco 1721, 1760, 2621XM, 2651XM, 2691, 3725, and 3745 Modular Access Routers and 7206-VXR NPE-400 Router FIPS 140-2 Non-Proprietary OL-6083-01...
Page 23 Compact Flash slot 10/100BASE-TX LAN Port Control Input Interface WIC Interface Network Module Interface Power Switch Console Port Auxiliary Port Cisco 1721, 1760, 2621XM, 2651XM, 2691, 3725, and 3745 Modular Access Routers and 7206-VXR NPE-400 Router FIPS 140-2 Non-Proprietary OL-6083-01...
Page 24: The Cisco 7206 Vxr Npe-400 Cryptographic Module
(I/O) controller, and one slot for a network processing engine or network services engine. Cisco 1721, 1760, 2621XM, 2651XM, 2691, 3725, and 3745 Modular Access Routers and 7206-VXR NPE-400 Router FIPS 140-2 Non-Proprietary OL-6083-01...
Page 25: Cisco 7206 Vxr Npe-400 Module Interfaces
Cisco 1721, 1760, 2621XM, 2651XM, 2691, 3725, and 3745 Modular Access Routers and 7206-VXR NPE-400 Router FIPS 140-2 Non-Proprietary OL-6083-01...
Page 26 If the port is configured for 10-Mbps operation, or if it is configured for autonegotiation and the port has detected a valid link at 10 Mbps, the LED remains off. Cisco 1721, 1760, 2621XM, 2651XM, 2691, 3725, and 3745 Modular Access Routers and 7206-VXR NPE-400 Router FIPS 140-2 Non-Proprietary OL-6083-01...
Page 27: Roles And Services
“Secure Operation of the Cisco 1721, 1760, 2621XM, 2651XM, 2691, 3725, 3745, and 7206 VXR NPE-400 Routers” section on page 42 for more information. Cisco 1721, 1760, 2621XM, 2651XM, 2691, 3725, and 3745 Modular Access Routers and 7206-VXR NPE-400 Router FIPS 140-2 Non-Proprietary OL-6083-01...
Page 28: Crypto Officer Services
Terminal Functions—adjust the terminal session (e.g., lock the terminal, adjust flow control) • Directory Services—display directory of files kept in flash memory • Cisco 1721, 1760, 2621XM, 2651XM, 2691, 3725, and 3745 Modular Access Routers and 7206-VXR NPE-400 Router FIPS 140-2 Non-Proprietary OL-6083-01...
Page 29: Physical Security
Any attempt to remove the enclosure will leave tamper evidence. Cisco 1721, 1760, 2621XM, 2651XM, 2691, 3725, and 3745 Modular Access Routers and 7206-VXR NPE-400 Router FIPS 140-2 Non-Proprietary OL-6083-01...
Page 30 Network Module slot. Any attempt to remove a Network Module will leave tamper evidence. Cisco 1721, 1760, 2621XM, 2651XM, 2691, 3725, and 3745 Modular Access Routers and 7206-VXR NPE-400 Router FIPS 140-2 Non-Proprietary OL-6083-01...
Page 31 WAN interface card slot. Any attempt to remove a WAN interface card will leave tamper evidence. Cisco 1721, 1760, 2621XM, 2651XM, 2691, 3725, and 3745 Modular Access Routers and 7206-VXR NPE-400 Router FIPS 140-2 Non-Proprietary OL-6083-01...
Page 32 WAN interface card slot. Any attempt to remove a WAN interface card will leave tamper evidence. Cisco 1721, 1760, 2621XM, 2651XM, 2691, 3725, and 3745 Modular Access Routers and 7206-VXR NPE-400 Router FIPS 140-2 Non-Proprietary OL-6083-01...
Page 33 Compact Flash slot. Any attempt to remove a CF card will leave tamper evidence. The labels completely cure within five minutes. Step 12 Cisco 1721, 1760, 2621XM, 2651XM, 2691, 3725, and 3745 Modular Access Routers and 7206-VXR NPE-400 Router FIPS 140-2 Non-Proprietary OL-6083-01...
Page 34 Step 10 so that one half of the label covers the enclosure and the other half covers the network processing engine. Cisco 1721, 1760, 2621XM, 2651XM, 2691, 3725, and 3745 Modular Access Routers and 7206-VXR NPE-400 Router FIPS 140-2 Non-Proprietary OL-6083-01...
Page 35 The word "OPEN" may appear if the label was peeled back. Cisco 1721, 1760, 2621XM, 2651XM, 2691, 3725, and 3745 Modular Access Routers and 7206-VXR NPE-400 Router FIPS 140-2 Non-Proprietary OL-6083-01...
Page 36: Cryptographic Key Management
CSP 11 This key generates keys 3, 4, 5 and 6. This key is zeroized after DRAM generating those keys. (plaintext) Cisco 1721, 1760, 2621XM, 2651XM, 2691, 3725, and 3745 Modular Access Routers and 7206-VXR NPE-400 Router FIPS 140-2 Non-Proprietary OL-6083-01...
Page 37 One can turn off the router to zeroize this (plaintext) key because it is stored in DRAM. Cisco 1721, 1760, 2621XM, 2651XM, 2691, 3725, and 3745 Modular Access Routers and 7206-VXR NPE-400 Router FIPS 140-2 Non-Proprietary OL-6083-01...
Page 38 Table Table 19 Role and Service Access to CSPs SRDI/Role/Service Access Policy Security Relevant Data Item CSP 1 CSP 2 Cisco 1721, 1760, 2621XM, 2651XM, 2691, 3725, and 3745 Modular Access Routers and 7206-VXR NPE-400 Router FIPS 140-2 Non-Proprietary OL-6083-01...
Page 39 CSP 5 CSP 6 CSP 7 CSP 8 CSP 9 CSP 10 CSP 11 CSP 12 CSP 13 CSP 14 Cisco 1721, 1760, 2621XM, 2651XM, 2691, 3725, and 3745 Modular Access Routers and 7206-VXR NPE-400 Router FIPS 140-2 Non-Proprietary OL-6083-01...
Page 40 CSP 17 CSP 18 CSP 19 CSP 20 CSP 21 CSP 22 CSP 23 CSP 24 CSP 25 CSP 26 Cisco 1721, 1760, 2621XM, 2651XM, 2691, 3725, and 3745 Modular Access Routers and 7206-VXR NPE-400 Router FIPS 140-2 Non-Proprietary OL-6083-01...
Page 41 Officer needs to be authenticated to store keys. All Diffie-Hellman (DH) keys agreed upon for individual tunnels are directly associated with that specific tunnel only via the IKE protocol. Cisco 1721, 1760, 2621XM, 2651XM, 2691, 3725, and 3745 Modular Access Routers and 7206-VXR NPE-400 Router FIPS 140-2 Non-Proprietary OL-6083-01...
Page 42: Self-Tests
FIPS mode. Operating these routers without maintaining the following settings will remove the module from the FIPS approved mode of operation. Cisco 1721, 1760, 2621XM, 2651XM, 2691, 3725, and 3745 Modular Access Routers and 7206-VXR NPE-400 Router FIPS 140-2 Non-Proprietary OL-6083-01...
Page 43: Initial Setup
The Crypto Officer must perform the initial configuration. Cisco IOS version 12.3(3d) is the only allowable image; no other image may be loaded. For Cisco 1700, 2600, and 3700 series routers, the value of the boot field must be 0x0101. For Cisco •...
Page 44: Remote Access
Software Configuration Guide for Cisco 2600 Series, Cisco 3600 Series, and Cisco 3700 Series • Routers • Cisco 3725 Router Quick Start Guide Cisco 3745 Router Quick Start Guide • Cisco 1721, 1760, 2621XM, 2651XM, 2691, 3725, and 3745 Modular Access Routers and 7206-VXR NPE-400 Router FIPS 140-2 Non-Proprietary OL-6083-01...
Page 45: Obtaining Documentation
Cisco Systems Corporate Headquarters (California, USA) at 408 526-7208 or, elsewhere in North America, by calling 800 553-NETS (6387). Cisco 1721, 1760, 2621XM, 2651XM, 2691, 3725, and 3745 Modular Access Routers and 7206-VXR NPE-400 Router FIPS 140-2 Non-Proprietary OL-6083-01...
Page 46: Documentation Feedback
Internet access, contact Cisco TAC by telephone. Cisco TAC engineers are assigned immediately to P1 and P2 cases to help keep your business operations running smoothly. Cisco 1721, 1760, 2621XM, 2651XM, 2691, 3725, and 3745 Modular Access Routers and 7206-VXR NPE-400 Router FIPS 140-2 Non-Proprietary OL-6083-01...
Page 47: Obtaining Additional Publications And Information
You can access Packet magazine at this URL: http://www.cisco.com/packet Cisco 1721, 1760, 2621XM, 2651XM, 2691, 3725, and 3745 Modular Access Routers and 7206-VXR NPE-400 Router FIPS 140-2 Non-Proprietary OL-6083-01...
Page 48 You can access the Internet Protocol Journal at this URL: http://www.cisco.com/ipj Training—Cisco offers world-class networking training. Current offerings in network training are • listed at this URL: http://www.cisco.com/en/US/learning/index.html Cisco 1721, 1760, 2621XM, 2651XM, 2691, 3725, and 3745 Modular Access Routers and 7206-VXR NPE-400 Router FIPS 140-2 Non-Proprietary OL-6083-01...

This manual is also suitable for:

1721 1760 2621xm 2651xm 2691 3725 ... Show all