Strength Of Authentication; Physical Security - Cisco 2811 - Voice Security Bundle Router Operations

Integrated services routers with aim-vpn/epii-plus

2.3.4 Strength of Authentication

The security policy stipulates that all user passwords must be 8 alphanumeric characters, so the
password space is 2.8 trillion possible passwords. The possibility of randomly guessing a
password is thus far less than one in one million. To exceed a one in 100,000 probability of a
successful random password guess in one minute, an attacker would have to be capable of 28
million password attempts per minute, which far exceeds the operational capabilities of the
module to support.
When using RSA based authentication, the RSA key pair has a modulus size of 1024 bits to 2048 bits,
thus providing between 80 bits and 112 bits of strength. Assuming the low end of that range, an
attacker would have a 1 in 2^80 chance of randomly obtaining the key, which is much stronger
than the one in a million chance required by FIPS 140-2. To exceed a one in 100,000 probability
of a successful random key guess in one minute, an attacker would have to be capable of
approximately 1.8x10^21 attempts per minute, which far exceeds the operational capabilities of the
modules to support.
When using preshared key based authentication, the security policy stipulates that all preshared
keys must be 8 alphanumeric characters, so the key space is 2.8 trillion possible combinations.
The possibility of randomly guessing this is thus far less than one in one million. To exceed a
one in 100,000 probability of a successful random guess in one minute, an attacker would have
to be capable of 28 million attempts per minute, which far exceeds the operational capabilities of
the module to support.
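
The password and preshared-key arithmetic above, worked as an added example (not part of the Cisco security policy), and extended to find the shortest secret length that still meets both thresholds at a given attempt rate. Assumptions: a 36-symbol alphabet (the size that reproduces the 2.8 trillion figure), hypothetical function names, and a constructed sample rate of 600 attempts per minute.

```python
from fractions import Fraction
from math import ceil

# FIPS 140-2 authentication thresholds as cited in the text above.
SINGLE_GUESS_LIMIT = Fraction(1, 1_000_000)  # one random attempt
PER_MINUTE_LIMIT = Fraction(1, 100_000)      # all attempts within one minute


def keyspace(alphabet_size: int, length: int) -> int:
    """Number of distinct secrets of exactly `length` symbols."""
    return alphabet_size ** length


def break_even_rate(space: int) -> int:
    """Smallest whole attempts-per-minute rate at which the one-minute
    success probability reaches 1 in 100,000 (distinct uniform guesses)."""
    return ceil(space * PER_MINUTE_LIMIT)


def assess(alphabet_size: int, length: int, attempts_per_minute: int) -> dict:
    """Check both thresholds for a secret policy at a given attempt rate."""
    space = keyspace(alphabet_size, length)
    single = Fraction(1, space)
    per_minute = min(Fraction(attempts_per_minute, space), Fraction(1))
    return {
        "keyspace": space,
        "single_guess_ok": single < SINGLE_GUESS_LIMIT,
        "per_minute_ok": per_minute < PER_MINUTE_LIMIT,
        "break_even_rate": break_even_rate(space),
    }


def min_length(alphabet_size: int, attempts_per_minute: int) -> int:
    """Shortest secret length meeting both thresholds at the given rate."""
    length = 1
    while True:
        result = assess(alphabet_size, length, attempts_per_minute)
        if result["single_guess_ok"] and result["per_minute_ok"]:
            return length
        length += 1


if __name__ == "__main__":
    # Assumed alphabet: 26 letters (case not distinguished) plus 10 digits.
    # 600 attempts per minute is a constructed sample rate, not a measured one.
    print(assess(36, 8, attempts_per_minute=600))
    print(min_length(36, attempts_per_minute=600))
```

Exact fractions are used so the threshold comparisons are not affected by floating-point rounding near the break-even rate.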

2.4 Physical Security

The router is entirely encased by a metal, opaque case. The rear of the unit contains
HWIC/WIC/VIC connectors, LAN connectors, a CF drive, power connector, console connector,
auxiliary connector, USB port, and fast Ethernet connectors. The front of the unit contains the
system status and activity LEDs. The top, side, and front portion of the chassis can be removed
to allow access to the motherboard, memory, AIM slot, and expansion slots.
The Cisco 2811 and 2821 routers require that a special opacity shield be installed over the side
air vents in order to operate in FIPS-approved mode. The shield decreases the surface area of the
vent holes, reducing visibility within the cryptographic boundary to FIPS-approved
specifications.
Install the opacity plates as specified in the pictures below:
© Copyright 2007 Cisco Systems, Inc.
This document may be freely reproduced and distributed whole and intact including this Copyright Notice.
