manualshive.com logo in svg

Cisco 1841 - 3G Bundle Router, User Manual

Introducing the Cisco 1841 - 3G Bundle Router - your ultimate networking solution. Explore its features, detailed specifications, and configuration guidelines with our comprehensive Datasheet and User Manual. Download these resources for free exclusively from manualshive.com, and empower yourself with the essential knowledge to maximize this product's potential.

Share
Download
background image

 

12

Cisco 1841 Integrated Services Router with AIM-VPN/BPII-Plus and Cisco 2801 Integrated Services Router with AIM-VPN/EPII-Plus 

OL-8719-01

  Cisco 1841 and Cisco 2801 Routers

Step 3

The tamper evidence label should be placed over the CF card in the slot so that any attempt to remove 
the card will show sign of tampering. 

Step 4

The tamper evidence label should be placed so that the one half of the label covers the enclosure and the 
other half covers the port adapter slot. 

Step 5

The labels completely cure within five minutes.

Figure 8

 and 

Figure 9

 show the tamper evidence label placements for the 2821.

Figure 8

Cisco 2801 Tamper Evident Label Placement (Back View)

Figure 9

Cisco 2801 Tamper Evident Label Placement (Front View)

The tamper evidence seals are produced from a special thin gauge vinyl with self-adhesive backing. Any 
attempt to open the router will damage the tamper evidence seals or the material of the module cover. 
Since the tamper evidence seals have non-repeated serial numbers, they can be inspected for damage and 
compared against the applied serial numbers to verify that the module has not been tampered. Tamper 
evidence seals can also be inspected for signs of tampering, which include the following: curled corners, 
bubbling, crinkling, rips, tears, and slices. The word “OPEN” may appear if the label was peeled back.

Cryptographic Key Management

The router securely administers both cryptographic keys and other critical security parameters such as 
passwords. The tamper evidence seals provide physical protection for all keys. All keys are also 
protected by the password-protection on the Crypto Officer role login, and can be zeroized by the Crypto 
Officer. All zeroization consists of overwriting the memory that stored the key. Keys are exchanged and 
entered electronically or via Internet Key Exchange (IKE).

The routers support the following FIPS 140-2 approved algorithm implementations: 

  •

Software (IOS) implementations

  –

AES

Summary of Contents for 1841 - 3G Bundle Router

Page 1: ...41 or 2801 AIM VPN BPII Plus Version 1 0 Board Version C1 AIM VPN EPII Plus Version 1 0 Board Version D0 Firmware Version 12 3 11 T03 meet the security requirements of FIPS 140 2 and how to operate the router in a secure FIPS 140 2 mode This policy was prepared as part of the Level 2 FIPS 140 2 validation of the Cisco 1841 and Cisco 2801 Integrated Services Routers FIPS 140 2 Federal Information P...

Page 2: ...st gov cryptval contains contact information for answers to technical or sales related questions for the module Terminology In this document the Cisco 1841 or Cisco 2801 routers are referred to as the router the module or the system Document Organization The Security Policy document is part of the FIPS 140 2 Submission Package In addition to this document the Submission Package contains Vendor Evi...

Page 3: ...d FPGA or the IOS software is used for cryptographic operations The cryptographic boundary of the module is the device s case shown in Figure 1 All of the functionality discussed in this document is provided by components within this cryptographic boundary The interface for the router is located on the rear panel as shown in Figure 2 Figure 2 Cisco 1841 Rear Panel Physical Interfaces The Cisco 184...

Page 4: ...e 3 describes the meaning of Ethernet LEDs on the rear panel Table 1 Cisco 1841 Front Panel Indicators Name State Description System OK Solid Green Blinking Green Router has successfully booted up and the software is functional Booting or in ROM monitor ROMMON mode System Activity Solid Green Blinking Green Off System is actively transferring packets System is servicing interrupts No interrupts or...

Page 5: ...ull Duplex Half Duplex Speed Solid Green Off 100 Mbps 10 Mbps Link Solid Green Off Ethernet link is established No link established Table 4 Cisco 1841 FIPS 140 2 Logical Interfaces Router Physical Interface FIPS 140 2 Logical Interface 10 100 Ethernet LAN Ports HWIC WIC VIC Ports Console Port Auxiliary Port Data Input Interface 10 100 Ethernet LAN Ports HWIC WIC VIC Ports Console Port Auxiliary Po...

Page 6: ...le Physical Characteristics Figure 3 The Cisco 2801 router case The Cisco 2801 router is a multiple chip standalone cryptographic module The router has a processing speed of 240MHz Depending on configuration either the installed AIM VPN BPII Plus module onboard FPGA or the IOS software is used for cryptographic operations The cryptographic boundary of the module is the device s case Figure 3 All o...

Page 7: ...the power inlet and on off switch The front panel contains the following 1 VIC slot 2 HWIC WIC VIC slot 0 3 WIC VIC slot 4 HWIC WIC VIC slot 1 5 Console port 6 FE ports 7 System status and activity LEDs 8 Inline power LED 9 USB port 10 FE LEDs 11 Auxiliary port 12 CF LED 13 CF drive The rear panel contains the following 1 Power inlet 2 Power switch 3 Ground connector Table 5 provides more detailed...

Page 8: ... Orange Off PVDM0 installed and initialized PVDM0 installed and initialized error PVDM0 not installed AIM1 Solid Green Solid Orange Off AIM1 installed and initialized AIM1 installed and initialized error AIM1 not installed AIM0 Solid Green Solid Orange Off AIM0 installed and initialized AIM0 installed and initialized error AIM0 not installed Table 5 Cisco 2801 Front Panel Indicators Continued Tabl...

Page 9: ... roles in the router that operators can assume the Crypto Officer role and the User role The administrator of the router assumes the Crypto Officer role in order to configure and maintain the router using Crypto Officer services while the Users exercise only the basic User services The module supports RADIUS and TACACS for authentication A complete description of all the management and configurati...

Page 10: ... interfaces and network services set system date and time and load authentication information Define Rules and Filters Create packet Filters that are applied to User data streams on each interface Each Filter consists of a set of Rules which define a set of packets to permit or deny based on characteristics such as protocol ID addresses ports TCP connection establishment or packet direction View S...

Page 11: ... the enclosure and the other half covers the port adapter slot Step 4 The tamper evidence label should be placed so that the one half of the label covers the enclosure and the other half covers the rear panel Step 5 The labels completely cure within five minutes Figure 6 and Figure 7 show the tamper evidence label placements for the Cisco 1841 Figure 6 Cisco 1841 Tamper Evident Label Placement Bac...

Page 12: ...age the tamper evidence seals or the material of the module cover Since the tamper evidence seals have non repeated serial numbers they can be inspected for damage and compared against the applied serial numbers to verify that the module has not been tampered Tamper evidence seals can also be inspected for signs of tampering which include the following curled corners bubbling crinkling rips tears ...

Page 13: ...ing are not FIPS 140 2 approved algorithms RC4 MD5 HMAC MD5 RSA and DH however again DH is allowed for use in key establishment The module contains a HiFn 7814 W cryptographic accelerator chip integrated in the AIM card Unless the AIM card is disabled by the Crypto Officer with the no crypto engine aim command the HiFn 7814 W provides AES 128 bit 192 bit and 256 bit DES 56 bit for legacy use only ...

Page 14: ...n in NVRAM in order to completely zeroize the keys The following commands will zeroize the pre shared keys from the DRAM no crypto isakmp key key string address peer address no crypto isakmp key key string hostname peer hostname The DRAM running configuration must be copied to the start up configuration in NVRAM in order to completely zeroize the keys The module supports the following keys and cri...

Page 15: ...ID generation This key is embedded in the module binary image and can be deleted by erasing the Flash NVRAM plaintext Deleted by erasing the flash IPSec encryption key DES TDES AES The IPSec encryption key Zeroized when IPSec session is terminated DRAM plaintext Automatically when IPSec session terminated IPSec authentication key HMAC SHA 1 The IPSec authentication key The zeroization is the same ...

Page 16: ...red Secret The password of the User role This password is zeroized by overwriting it with a new password NVRAM plaintext Overwrite with new password Enable password Shared Secret The plaintext password of the CO role This password is zeroized by overwriting it with a new password NVRAM plaintext Overwrite with new password Enable secret Shared Secret The ciphertext password of the CO role However ...

Page 17: ...ervice Access Policy Role Service User Role Status Functions Network Functions Terminal Functions Directory Services Crypto Officer Role Configure the Router Define Rules and Filters Status Functions Manage the Router Set Encryptions Bypass Change WAN Interface Cards Security Relevant Data Item PRNG Seed r d r w d DH private exponent r r w d DH public key r r w d skeyid r r w d skeyid_d r r w d sk...

Page 18: ...Authentication key r d r w Router authentication key 2 r r w d SSH session key r r w d User password r r w d Enable password r w d Table 9 Role and Service Access to CSP Continued Note An enpty entry indicates that a particular SRDI is not accessible by the corresponding service SRDI Role Service Access Policy Role Service User Role Status Functions Network Functions Terminal Functions Directory S...

Page 19: ...iodically or conditionally include a bypass mode test performed conditionally prior to executing IPSec and a continuous random number generator test If any of the self tests fail the router transitions into an error state In the error state all secure data transmission is halted and the router outputs status information indicating the failure Examples of the errors that cause the system to transit...

Page 20: ...er Test SHA 1 Known Answer Test DES Known Answer Test 3DES Known Answer Test Conditional tests Conditional bypass test Continuous random number generation test Self tests performed by the Onboard FPGA FPGA Self Tests POST tests AES Known Answer Test Firmware integrity test HMAC SHA 1 Known Answer Test SHA 1 Known Answer Test DES Known Answer Test 3DES Known Answer Test Self tests performed by AIM ...

Page 21: ...e without the password will not be possible System Initialization and Configuration The Crypto Officer must perform the initial configuration IOS version 12 3 11 T03 Advanced Security build advsecurity is the only allowable image no other image should be loaded The value of the boot field must be 0x0102 This setting disables break from the console to the ROM monitor and automatically boots the IOS...

Page 22: ...y gets are allowed under SNMP v2C SSL is not an approved protocol and shall not be used in FIPS mode of operations Remote Access Telnet access to the module is only allowed via a secure IPSec tunnel between the remote system and the module The Crypto officer must configure the module so that any remote connections via telnet are secured through IPSec using FIPS approved algorithms Note that all us...

Page 23: ...literature are available in the Product Documentation DVD package which may have shipped with your product The Product Documentation DVD is updated regularly and may be more current than printed documentation The Product Documentation DVD is a comprehensive library of technical product documentation on portable media The DVD enables you to access multiple versions of hardware and software installa...

Page 24: ... Cisco provides a free online Security Vulnerability Policy portal at this URL http www cisco com en US products products_security_vulnerability_policy html From this site you can perform these tasks Report security vulnerabilities in Cisco products Obtain assistance with security incidents that involve Cisco products Register to receive security information from Cisco A current list of security a...

Page 25: ... not have a valid Cisco service contract contact your reseller Cisco Technical Support Documentation Website The Cisco Technical Support Documentation website provides online documents and tools for troubleshooting and resolving technical issues with Cisco products and technologies The website is available 24 hours a day at this URL http www cisco com techsupport Access to all tools on the Cisco T...

Page 26: ...st of Cisco TAC contacts go to this URL http www cisco com techsupport contacts Definitions of Service Request Severity To ensure that all service requests are reported in a standard format Cisco has established severity definitions Severity 1 S1 Your network is down or there is a critical impact to your business operations You and Cisco will commit all necessary resources around the clock to reso...

Page 27: ...ue streamline their business and expand services The publication identifies the challenges facing these companies and the technologies to help solve them using real world case studies and business strategies to help readers make sound technology investment decisions You can access iQ Magazine at this URL http www cisco com go iqmagazine or view the digital edition at this URL http ciscoiq texterit...

Page 28: ...ogo Cisco IOS Cisco Press Cisco Systems Cisco Systems Capital the Cisco Systems logo Cisco Unity Empowering the Internet Generation Enterprise Solver EtherChannel EtherFast EtherSwitch Fast Step FormShare GigaDrive GigaStack HomeLink Internet Quotient IOS IP TV iQ Expertise the iQ logo iQ Net Readiness Scorecard LightStream Linksys MeetingPlace MGX the Networkers logo Networking Academy Network Re...

Reviews:

No comments

Related manuals for 1841 - 3G Bundle Router

D-Link Express Ethernetwork DI-704P Quick Install Manual preview
Express Ethernetwork DI-704P
Brand: D-Link Pages: 17
Baracoda All in One Printer Communication Protocol Manual preview
All in One Printer
Brand: Baracoda Pages: 42
PaloAlto Networks ION 1200 Series Hardware Reference Manual preview
ION 1200 Series
Brand: PaloAlto Networks Pages: 90
Far Tools MR 40PB Original Manual Translation preview
MR 40PB
Brand: Far Tools Pages: 24
Grundig GSS STC 160 Assembly Instruction Manual preview
GSS STC 160
Brand: Grundig Pages: 24
Hi-flying HF-LPB User Manual preview
HF-LPB
Brand: Hi-flying Pages: 59
Matrix Switch Corporation MSC-2HD1624S Product Manual preview
MSC-2HD1624S
Brand: Matrix Switch Corporation Pages: 54
Extreme Networks ExtremeCloud Appliance E1120 User Manual preview
ExtremeCloud Appliance E1120
Brand: Extreme Networks Pages: 219
Linksys WAG120N Datasheet preview
WAG120N
Brand: Linksys Pages: 2
OST RuggedNet 10G/Si User Manual preview
RuggedNet 10G/Si
Brand: OST Pages: 8
Williams Sound DW SY 1 User Manual preview
DW SY 1
Brand: Williams Sound Pages: 2
Linksys WRT330N - Wireless-N Gigabit Gaming Router Wireless User Manual preview
WRT330N - Wireless-N Gigabit Gaming Router Wireless
Brand: Linksys Pages: 92
Network Instruments WAN Probe Kit Installation & Quick Start Manual preview
WAN Probe Kit
Brand: Network Instruments Pages: 44
Hanwha Vision XRN-3210B4 User Manual preview
XRN-3210B4
Brand: Hanwha Vision Pages: 131
Baicells Aurora243 Installation Manual preview
Aurora243
Brand: Baicells Pages: 38
Zmotion ECI3808 Manual preview
ECI3808
Brand: Zmotion Pages: 57
ZKTeco BioSense Series User Manual preview
BioSense Series
Brand: ZKTeco Pages: 96
NAVI R330g Quick Setup Manual preview
R330g
Brand: NAVI Pages: 18

Brands by name

Popular brands

Load more brands