manualshive.com logo in svg

Cisco 1841 - 3G Bundle Router, User Manual

Introducing the Cisco 1841 - 3G Bundle Router - your ultimate networking solution. Explore its features, detailed specifications, and configuration guidelines with our comprehensive Datasheet and User Manual. Download these resources for free exclusively from manualshive.com, and empower yourself with the essential knowledge to maximize this product's potential.

Share
Download
background image

 

16

Cisco 1841 Integrated Services Router with AIM-VPN/BPII-Plus and Cisco 2801 Integrated Services Router with AIM-VPN/EPII-Plus 

OL-8719-01

  Cisco 1841 and Cisco 2801 Routers

Note

All RSA operations are prohibited by policy, and commands that can be executed by Officer are shown 
“# command”.

Router 
authentication 
key 2

Shared 
Secret

This key is used by the router to authenticate 
itself to the peer. The key is identical to Router 
authentication key 1 except that it is retrieved 
from the local database (on the router itself). 
Issuing the “no username password” zeroizes the 
password (that is used as this key) from the local 
database.

NVRAM 
(plaintext)

“# no username password”

SSH session 
key

Various 
symmetric

This is the SSH session key. It is zeroized when 
the SSH session is terminated.

DRAM 
(plaintext)

Automatically when SSH 
session terminated

User password

Shared 
Secret

The password of the User role. This password is 
zeroized by overwriting it with a new password.

NVRAM 
(plaintext)

Overwrite with new 
password

Enable 
password

Shared 
Secret

The plaintext password of the CO role. This 
password is zeroized by overwriting it with a new 
password.

NVRAM 
(plaintext)

Overwrite with new 
password

Enable secret

Shared 
Secret

The ciphertext password of the CO role. 
However, the algorithm used to encrypt this 
password is not FIPS approved. Therefore, this 
password is considered plaintext for FIPS 
purposes. This password is zeroized by 
overwriting it with a new password.

NVRAM 
(plaintext)

Overwrite with new 
password

RADIUS secret Shared 

Secret

The RADIUS shared secret. This shared secret is 
zeroized by executing the “no radius-server key” 
command.

NVRAM 
(plaintext), 
DRAM 
(plaintext)

“# no radius-server key”

 
secret

Shared 
Secret

The  shared secret. This shared secret 
is zeroized by executing the “no tacacs-server 
key” command.

NVRAM 
(plaintext), 
DRAM 
(plaintext)

“# no tacacs-server key”

Table 8

Cryptographic Keys and CSPs (Continued)

Summary of Contents for 1841 - 3G Bundle Router

Page 1: ...41 or 2801 AIM VPN BPII Plus Version 1 0 Board Version C1 AIM VPN EPII Plus Version 1 0 Board Version D0 Firmware Version 12 3 11 T03 meet the security requirements of FIPS 140 2 and how to operate the router in a secure FIPS 140 2 mode This policy was prepared as part of the Level 2 FIPS 140 2 validation of the Cisco 1841 and Cisco 2801 Integrated Services Routers FIPS 140 2 Federal Information P...

Page 2: ...st gov cryptval contains contact information for answers to technical or sales related questions for the module Terminology In this document the Cisco 1841 or Cisco 2801 routers are referred to as the router the module or the system Document Organization The Security Policy document is part of the FIPS 140 2 Submission Package In addition to this document the Submission Package contains Vendor Evi...

Page 3: ...d FPGA or the IOS software is used for cryptographic operations The cryptographic boundary of the module is the device s case shown in Figure 1 All of the functionality discussed in this document is provided by components within this cryptographic boundary The interface for the router is located on the rear panel as shown in Figure 2 Figure 2 Cisco 1841 Rear Panel Physical Interfaces The Cisco 184...

Page 4: ...e 3 describes the meaning of Ethernet LEDs on the rear panel Table 1 Cisco 1841 Front Panel Indicators Name State Description System OK Solid Green Blinking Green Router has successfully booted up and the software is functional Booting or in ROM monitor ROMMON mode System Activity Solid Green Blinking Green Off System is actively transferring packets System is servicing interrupts No interrupts or...

Page 5: ...ull Duplex Half Duplex Speed Solid Green Off 100 Mbps 10 Mbps Link Solid Green Off Ethernet link is established No link established Table 4 Cisco 1841 FIPS 140 2 Logical Interfaces Router Physical Interface FIPS 140 2 Logical Interface 10 100 Ethernet LAN Ports HWIC WIC VIC Ports Console Port Auxiliary Port Data Input Interface 10 100 Ethernet LAN Ports HWIC WIC VIC Ports Console Port Auxiliary Po...

Page 6: ...le Physical Characteristics Figure 3 The Cisco 2801 router case The Cisco 2801 router is a multiple chip standalone cryptographic module The router has a processing speed of 240MHz Depending on configuration either the installed AIM VPN BPII Plus module onboard FPGA or the IOS software is used for cryptographic operations The cryptographic boundary of the module is the device s case Figure 3 All o...

Page 7: ...the power inlet and on off switch The front panel contains the following 1 VIC slot 2 HWIC WIC VIC slot 0 3 WIC VIC slot 4 HWIC WIC VIC slot 1 5 Console port 6 FE ports 7 System status and activity LEDs 8 Inline power LED 9 USB port 10 FE LEDs 11 Auxiliary port 12 CF LED 13 CF drive The rear panel contains the following 1 Power inlet 2 Power switch 3 Ground connector Table 5 provides more detailed...

Page 8: ... Orange Off PVDM0 installed and initialized PVDM0 installed and initialized error PVDM0 not installed AIM1 Solid Green Solid Orange Off AIM1 installed and initialized AIM1 installed and initialized error AIM1 not installed AIM0 Solid Green Solid Orange Off AIM0 installed and initialized AIM0 installed and initialized error AIM0 not installed Table 5 Cisco 2801 Front Panel Indicators Continued Tabl...

Page 9: ... roles in the router that operators can assume the Crypto Officer role and the User role The administrator of the router assumes the Crypto Officer role in order to configure and maintain the router using Crypto Officer services while the Users exercise only the basic User services The module supports RADIUS and TACACS for authentication A complete description of all the management and configurati...

Page 10: ... interfaces and network services set system date and time and load authentication information Define Rules and Filters Create packet Filters that are applied to User data streams on each interface Each Filter consists of a set of Rules which define a set of packets to permit or deny based on characteristics such as protocol ID addresses ports TCP connection establishment or packet direction View S...

Page 11: ... the enclosure and the other half covers the port adapter slot Step 4 The tamper evidence label should be placed so that the one half of the label covers the enclosure and the other half covers the rear panel Step 5 The labels completely cure within five minutes Figure 6 and Figure 7 show the tamper evidence label placements for the Cisco 1841 Figure 6 Cisco 1841 Tamper Evident Label Placement Bac...

Page 12: ...age the tamper evidence seals or the material of the module cover Since the tamper evidence seals have non repeated serial numbers they can be inspected for damage and compared against the applied serial numbers to verify that the module has not been tampered Tamper evidence seals can also be inspected for signs of tampering which include the following curled corners bubbling crinkling rips tears ...

Page 13: ...ing are not FIPS 140 2 approved algorithms RC4 MD5 HMAC MD5 RSA and DH however again DH is allowed for use in key establishment The module contains a HiFn 7814 W cryptographic accelerator chip integrated in the AIM card Unless the AIM card is disabled by the Crypto Officer with the no crypto engine aim command the HiFn 7814 W provides AES 128 bit 192 bit and 256 bit DES 56 bit for legacy use only ...

Page 14: ...n in NVRAM in order to completely zeroize the keys The following commands will zeroize the pre shared keys from the DRAM no crypto isakmp key key string address peer address no crypto isakmp key key string hostname peer hostname The DRAM running configuration must be copied to the start up configuration in NVRAM in order to completely zeroize the keys The module supports the following keys and cri...

Page 15: ...ID generation This key is embedded in the module binary image and can be deleted by erasing the Flash NVRAM plaintext Deleted by erasing the flash IPSec encryption key DES TDES AES The IPSec encryption key Zeroized when IPSec session is terminated DRAM plaintext Automatically when IPSec session terminated IPSec authentication key HMAC SHA 1 The IPSec authentication key The zeroization is the same ...

Page 16: ...red Secret The password of the User role This password is zeroized by overwriting it with a new password NVRAM plaintext Overwrite with new password Enable password Shared Secret The plaintext password of the CO role This password is zeroized by overwriting it with a new password NVRAM plaintext Overwrite with new password Enable secret Shared Secret The ciphertext password of the CO role However ...

Page 17: ...ervice Access Policy Role Service User Role Status Functions Network Functions Terminal Functions Directory Services Crypto Officer Role Configure the Router Define Rules and Filters Status Functions Manage the Router Set Encryptions Bypass Change WAN Interface Cards Security Relevant Data Item PRNG Seed r d r w d DH private exponent r r w d DH public key r r w d skeyid r r w d skeyid_d r r w d sk...

Page 18: ...Authentication key r d r w Router authentication key 2 r r w d SSH session key r r w d User password r r w d Enable password r w d Table 9 Role and Service Access to CSP Continued Note An enpty entry indicates that a particular SRDI is not accessible by the corresponding service SRDI Role Service Access Policy Role Service User Role Status Functions Network Functions Terminal Functions Directory S...

Page 19: ...iodically or conditionally include a bypass mode test performed conditionally prior to executing IPSec and a continuous random number generator test If any of the self tests fail the router transitions into an error state In the error state all secure data transmission is halted and the router outputs status information indicating the failure Examples of the errors that cause the system to transit...

Page 20: ...er Test SHA 1 Known Answer Test DES Known Answer Test 3DES Known Answer Test Conditional tests Conditional bypass test Continuous random number generation test Self tests performed by the Onboard FPGA FPGA Self Tests POST tests AES Known Answer Test Firmware integrity test HMAC SHA 1 Known Answer Test SHA 1 Known Answer Test DES Known Answer Test 3DES Known Answer Test Self tests performed by AIM ...

Page 21: ...e without the password will not be possible System Initialization and Configuration The Crypto Officer must perform the initial configuration IOS version 12 3 11 T03 Advanced Security build advsecurity is the only allowable image no other image should be loaded The value of the boot field must be 0x0102 This setting disables break from the console to the ROM monitor and automatically boots the IOS...

Page 22: ...y gets are allowed under SNMP v2C SSL is not an approved protocol and shall not be used in FIPS mode of operations Remote Access Telnet access to the module is only allowed via a secure IPSec tunnel between the remote system and the module The Crypto officer must configure the module so that any remote connections via telnet are secured through IPSec using FIPS approved algorithms Note that all us...

Page 23: ...literature are available in the Product Documentation DVD package which may have shipped with your product The Product Documentation DVD is updated regularly and may be more current than printed documentation The Product Documentation DVD is a comprehensive library of technical product documentation on portable media The DVD enables you to access multiple versions of hardware and software installa...

Page 24: ... Cisco provides a free online Security Vulnerability Policy portal at this URL http www cisco com en US products products_security_vulnerability_policy html From this site you can perform these tasks Report security vulnerabilities in Cisco products Obtain assistance with security incidents that involve Cisco products Register to receive security information from Cisco A current list of security a...

Page 25: ... not have a valid Cisco service contract contact your reseller Cisco Technical Support Documentation Website The Cisco Technical Support Documentation website provides online documents and tools for troubleshooting and resolving technical issues with Cisco products and technologies The website is available 24 hours a day at this URL http www cisco com techsupport Access to all tools on the Cisco T...

Page 26: ...st of Cisco TAC contacts go to this URL http www cisco com techsupport contacts Definitions of Service Request Severity To ensure that all service requests are reported in a standard format Cisco has established severity definitions Severity 1 S1 Your network is down or there is a critical impact to your business operations You and Cisco will commit all necessary resources around the clock to reso...

Page 27: ...ue streamline their business and expand services The publication identifies the challenges facing these companies and the technologies to help solve them using real world case studies and business strategies to help readers make sound technology investment decisions You can access iQ Magazine at this URL http www cisco com go iqmagazine or view the digital edition at this URL http ciscoiq texterit...

Page 28: ...ogo Cisco IOS Cisco Press Cisco Systems Cisco Systems Capital the Cisco Systems logo Cisco Unity Empowering the Internet Generation Enterprise Solver EtherChannel EtherFast EtherSwitch Fast Step FormShare GigaDrive GigaStack HomeLink Internet Quotient IOS IP TV iQ Expertise the iQ logo iQ Net Readiness Scorecard LightStream Linksys MeetingPlace MGX the Networkers logo Networking Academy Network Re...

Reviews:

No comments

Related manuals for 1841 - 3G Bundle Router

D-Link DIR-862L Manual preview
DIR-862L
Brand: D-Link Pages: 4
D-Link DIR-860L Quick Install Manual preview
DIR-860L
Brand: D-Link Pages: 2
D-Link DIR-850L Resetting Manual preview
DIR-850L
Brand: D-Link Pages: 9
D-Link DIR-850L Setup And Installation Manual preview
DIR-850L
Brand: D-Link Pages: 8
D-Link DIR-865L Specifications preview
DIR-865L
Brand: D-Link Pages: 3
D-Link DIR-867 Quick Install Manual preview
DIR-867
Brand: D-Link Pages: 28
D-Link DIR-X1530 Quick Start Manual preview
DIR-X1530
Brand: D-Link Pages: 2
D-Link DSL-2540B - ADSL2/2+ Modem With EN Router Quick Install Manual preview
DSL-2540B - ADSL2/2+ Modem With EN Router
Brand: D-Link Pages: 12
D-Link DIR-882 Quick Installation Manual preview
DIR-882
Brand: D-Link Pages: 62
Observint NVR4 Firmware User Manual preview
NVR4
Brand: Observint Pages: 117
Riverbed SteelCentral NetExpress Installation Manual preview
SteelCentral NetExpress
Brand: Riverbed Pages: 38
Extron electronics PoleVault System A/V Source Inputs Specification Sheet preview
PoleVault System A/V Source Inputs
Brand: Extron electronics Pages: 4
RAIDAGE DAGE312UTL-NAS User Manual preview
DAGE312UTL-NAS
Brand: RAIDAGE Pages: 60
Westermo LRW-112 Series Manual preview
LRW-112 Series
Brand: Westermo Pages: 28
Tenda W268R User Manual preview
W268R
Brand: Tenda Pages: 74
CHINT NZ7 Series Installation Manual preview
NZ7 Series
Brand: CHINT Pages: 12
Fujitsu PCNA EP OCe14102 Installation Manual preview
PCNA EP OCe14102
Brand: Fujitsu Pages: 20
Fujitsu PR-LN4 Software Manual preview
PR-LN4
Brand: Fujitsu Pages: 34

Brands by name

Popular brands

Load more brands